Motivation

I use these a lot, so I'm writing them down here.

Filter expression syntax (rough overview)

Network-related part

  1. [not]
  2. protocol
     a. ether, fddi, ip, ip6, ppp, radio, rarp, slip, tcp, udp, wlan
  3. attr
     a. [src | dst] [port | portrange | net | host] (must be combined with the matching protocol; e.g. `ip src port` is invalid, use `tcp src port` or `udp src port`)
     b. broadcast | multicast (only meaningful for ip and ether)
  4. values (8080, 22-25, 1.2.3.4, 1.2.3.0/24)

Composition: 1 2 3 4 (in that order)


Packet-size-related part

  1. [not]
  2. less | greater | <= | >= | < | >
  3. values (123, 456 ...)

Composition: 1 2 3 (in that order)


Logic

and (&&), or (||), not (!)


Accessing a specific byte

Works just like indexing a Python list.

{protocol}[nthByte], {protocol}[a:len] : take len bytes starting at arr[a] (offsets are relative to the start of that protocol's header)


Bitwise operations and comparison

Bitwise: &, |, >>, <<

Comparison: =, !=

Examples:

  • 'tcp[13] & 4 = 4', 'tcp[13] & 4 != 0', 'tcp[tcpflags] == tcp-rst' (three ways to match RST segments; note that tcp[13] & 4 evaluates to either 0 or 4, so comparing it to 1 never matches)
  • 'tcp[(tcp[12]>>2):4] = 0x5353482D' (tcp[12]>>2 is the TCP header length in bytes, so this compares the first four payload bytes against "SSH-")
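To make the two byte-offset examples concrete, here is an added Python example (not from the original post) that evaluates them against a constructed TCP segment, showing what tcp[12]>>2 and the 4-byte slice actually compute; tcpdump itself only accepts slice lengths of 1, 2 and 4, and the segment bytes below are constructed sample data.

```python
import struct

def tcp_slice(tcp: bytes, offset: int, length: int = 1):
    """tcp[offset:length] as an unsigned integer (network byte order), or None
    when the slice runs past the end of the segment (tcpdump then treats the
    comparison as false). tcpdump only allows lengths of 1, 2 and 4."""
    if length not in (1, 2, 4):
        raise ValueError("tcpdump accepts only slice lengths 1, 2 and 4")
    chunk = tcp[offset:offset + length]
    if len(chunk) != length:
        return None
    return int.from_bytes(chunk, "big")

def build_tcp_segment(flags: int, payload: bytes, header_words: int = 5) -> bytes:
    """Construct a TCP header of header_words*4 bytes (options zero-filled) plus
    payload. All field values are constructed sample data, not a real capture."""
    data_offset_byte = header_words << 4  # upper nibble: header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 22,          # source port, destination port
                         1, 0,               # sequence and acknowledgement numbers
                         data_offset_byte, flags,
                         65535, 0, 0)        # window, checksum, urgent pointer
    header += b"\x00" * ((header_words - 5) * 4)  # zero-filled options, if any
    return header + payload

TCP_RST = 0x04  # the bit tcpdump names tcp-rst

def tcp_flags(tcp: bytes) -> int:
    """tcp[13], which tcpdump also spells tcp[tcpflags]."""
    return tcp_slice(tcp, 13)

def is_rst(tcp: bytes) -> bool:
    """tcp[13] & 4 != 0 (same test as tcp[tcpflags] & tcp-rst != 0).
    tcp[13] & 4 is either 0 or 4, so 'tcp[13] & 4 = 1' can never match."""
    return (tcp_flags(tcp) & TCP_RST) != 0

def payload_starts_with_ssh(tcp: bytes) -> bool:
    """tcp[(tcp[12]>>2):4] = 0x5353482D: the data-offset nibble counts 32-bit
    words, so >>2 (words*16/4) gives the header length in bytes, assuming the
    reserved low nibble is zero. The 4-byte slice is then the start of the
    payload, compared against the ASCII bytes "SSH-" (0x53 0x53 0x48 0x2D)."""
    header_len = tcp_slice(tcp, 12) >> 2
    return tcp_slice(tcp, header_len, 4) == 0x5353482D

if __name__ == "__main__":
    ssh = build_tcp_segment(0x18, b"SSH-2.0-sample\r\n", header_words=8)
    rst = build_tcp_segment(TCP_RST, b"")
    print("SSH banner (32-byte header):", payload_starts_with_ssh(ssh), is_rst(ssh))
    print("bare RST (20-byte header):", payload_starts_with_ssh(rst), is_rst(rst))
```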

Useful command-line options

  • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -A : Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
  • -X : Show the packet’s contents in both hex and ASCII.
  • -D : Show the list of available interfaces
  • -l : Line-readable output (for viewing as you save, or sending to other commands)
  • -q : Be less verbose (more quiet) with your output; shows less protocol information.
  • -t : Control timestamp output: -t alone suppresses the timestamp, while -tttt prints a human-readable date and time.
  • -i eth0 : Listen on the eth0 interface.
  • -vv : Verbose output (more v’s gives more output).
  • -c N : Capture only N packets and then stop.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -E : Decrypt IPSEC traffic by providing an encryption key.

References

  • A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic
  • tcpdump Cheat Sheet
  • wireshark-filter (note that Wireshark's display filters can do more than tcpdump's capture filters, so they have some extra syntax)