The matches, or ~, operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax. Match packets where SIP To-header contains the string "a1762" anywhere in the header: sip.To contains "a1762" Match packets that contains the 3-byte sequence 0x81, 0圆0, 0x03 anywhere in the UDP header or payload: udp contains 81:60:03 It is also possible to search for characters appearing anywhere in a field or protocol by using the contains operator. for DELL machines only: eth.addr=00:06:5B Thus you may restrict the display to only packets from a specific device manufacturer. The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details. ![]() (Useful for matching homegrown packet protocols.) udp=81:60:03 Note that the values for the byte sequence implicitly are in hexadecimal only. Match packets containing the (arbitrary) 3-byte sequence 0x81, 0圆0, 0x03 at the beginning of the UDP payload, skipping the 8-byte UDP header. Sasser worm: –What sasser really did– ls_ads.opnum=0x09 TCP buffer full – Source is instructing Destination to stop sending data tcp.window_size = 0 & != 1įilter on Windows – Filter out noise, while watching Windows Client - DC exchanges smb || nbns || dcerpc || nbss || dns Show only traffic in the LAN (.x), between workstations and servers – no Internet: ip.src=192.168.0.0/16 and ip.dst=192.168.0.0/16 Show only SMTP (port 25) and ICMP traffic: tcp.port eq 25 or icmp See also CaptureFilters: Capture filter is not a display filter. Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port = 80).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |