Wireshark: Difference between revisions

← Older edit

Wireshark (view source)

Revision as of 21:45, 5 June 2023

712 bytes added , 11 months ago

→‎Membership Operator

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 21:17, 5 June 2023 (view source) Amanjosan2008 (talk \| contribs) (→‎Wireshark Common Filters) ← Older edit		Latest revision as of 21:45, 5 June 2023 (view source) Amanjosan2008 (talk \| contribs) (→‎Membership Operator)
(3 intermediate revisions by the same user not shown)
Line 13: == Wireshark Common Filters == === Operators: === {\| class="wikitable" ~~Equal (any if more than one)~~ \|- eq ! Description !! English !! Alias !! C-like !! Example ~~any_eq~~ \|- == \| Equal (any if more than one) \|\| eq \|\| any_eq \|\| == \|\| ip.src == 10.0.0.5 \|- \| Not equal (all if more than one) \|\| ne \|\| all_ne \|\| != \|\| ip.src != 10.0.0.5 \|- ne \| Equal (all if more than one) \|\| \|\| all_eq \|\| === \|\| ip.src === 10.0.0.5 ~~all_ne~~ \|- != \| Not equal (any if more than one) \|\| \|\| any_ne \|\| !== \|\| ip.src !== 10.0.0.5 \|- \| Greater than \|\| gt \|\| \|\| > \|\| frame.len > 10 ~~Equal (all if more than one)~~ \|- ~~all_eq~~ \| Less than \|\| lt \|\| \|\| < \|\| frame.len < 128 ~~===~~ \|- ~~ip.src === 10.0.0.5~~ \| Greater than or equal to \|\| ge \|\| \|\| >= \|\| frame.len ge 0x100 \|- ~~Not equal (any if more than one)~~ \| Less than or equal to \|\| le \|\| \|\| <= \|\| frame.len <= 0x20 ~~any_ne~~ \|- ~~!==~~ \| Protocol, field or slice contains a value \|\| contains \|\| \|\| \|\| sip.To contains "a1762" ~~ip.src !== 10.0.0.5~~ \|- \| Protocol or text field matches a Perl-compatible regular expression \|\| matches \|\| \|\| ~ \|\| <nowiki>http.host matches "acme\\.(org\|com\|net)"</nowiki> ~~Greater than~~ \|} gt > ~~frame.len > 10~~ ~~Less than~~ lt < ~~frame.len < 128~~ ~~Greater than or equal to~~ ge >= ~~frame.len ge 0x100~~ ~~Less than or equal to~~ le <= ~~frame.len <= 0x20~~ ~~Protocol, field or slice contains a value~~ ~~contains~~ ~~sip.To contains "a1762"~~ ~~Protocol or text field matches a Perl-compatible regular expression~~ ~~matches~~ ~ ~~http.host matches "acme\\.(org\|com\|net)"~~ Combining Expressions ~~Logical AND~~ ~~and~~ && ~~ip.src==10.0.0.5 and tcp.flags.fin~~ ~~Logical OR~~ or \|\| ~~ip.src==10.0.0.5 or ip.src==192.1.1.1~~ ~~Logical XOR~~ ~~xor~~ ^^ ~~tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29~~ ~~Logical NOT~~ ~~not~~ ! ~~not llc~~ === Combining Expressions === {\| class="wikitable" !Description !! English !! C-like !! Example \|- \|Logical AND \|\| and \|\| && \|\| ip.src==10.0.0.5 and tcp.flags.fin \|- \| Logical OR \|\| or \|\| <nowiki>\|\|</nowiki> \|\| ip.src==10.0.0.5 or ip.src==192.1.1.1 \|- \| Logical XOR \|\| xor \|\| ^^ \|\| tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 \|- \| Logical NOT \|\| not \|\| ! \|\| not llc \|} === Membership Operator === * Below are equivalent: tcp.port in {80, 443, 8080} --> tcp.port == 80 \|\| tcp.port == 443 \|\| tcp.port == 8080 http.request.method in {"HEAD", "GET"} ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9} tcp.port in {443,4430..4434} * More Details: [https://www.wireshark.org/docs/dfref/ Reference]