1. 打开 wireShark 过滤显示 协议
比如显示arp协议
过滤栏输入arp即可
支持的协议类型
TCP
UDP
HTTP
FTP
ICMP
SMTP
等等
2. 过滤ip地址
ip.addr eq 10.24.13.6 or ip.addr == 10.24.13.6 或者是区分 源地址或者是目标地址 ip.src == 10.24.13.6
或者目标地址
ip.dst eq 10.24.13.6
3. 过滤端口 以及增加 and 条件等.
tcp.port == || ip.src eq 10.24.13.97
4. mac地址过滤
eth.dst eth.src eth.addr
5. http 方法过滤
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1." // GET包
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST包
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// 响应包
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "