the capture session could not be initiated on interface"\Device\NPF_(78032B7E-4968-42D3-9F37-287EA86C0AAA)" (failed to set hardware filter to promiscuous mode).
please check to make sure you have sufficient permissions and that you have the proper interface or pipe specified
Solution:
Open the "Capture Options" item under the "Capture" menu;
Find the "Capture all in promiscuous mode" option in the settings panel;
The "Capture all in promiscuous mode" option is selected by default; clear it.
///////////////////////////////////////////// Usage ////////////////////////////////////
1) ip.addr==192.168.5.6 shows only packets involving the address 192.168.5.6
2) frame.len<=128 shows only packets of at most 128 bytes
3) http shows only HTTP packets
4) ip.addr==192.168.5.6 && tcp.port==15566 shows only packets that involve 192.168.5.6 and TCP port 15566
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or ip.addr eq 192.168.1.107 // both forms show packets with this source IP or destination IP
tcp.port eq 80 // shown whether the port is the source or the destination
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // show only TCP destination port 80
tcp.srcport == 80 // show only TCP source port 80
udp.port eq 15000
Filtering a port range
tcp.port >= 1 and tcp.port <= 80
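Protocol filters: tcp udp arp icmp http smtp ftp dns msnms ip ssl oicq bootp and so on
To exclude a protocol, for example ARP: !arp or not arp
Ethernet header filters
eth.dst == A0:00:00:04:C5:84 // filter on the destination MAC
eth.src eq A0:00:00:04:C5:84 // filter on the source MAC
eth.dst==A0:00:00:04:C5:84
eth.dst==A0-00-00-04-C5-84
eth.addr eq A0:00:00:04:C5:84 // matches A0:00:00:04:C5:84 as either the source MAC or the destination MAC
Comparison operators:
less than: < or lt
less than or equal: <= or le
equal: == or eq
greater than: > or gt
greater than or equal: >= or ge
not equal: != or ne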
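udp.length == 26 this length is the fixed 8-byte UDP header plus the data carried below UDP
tcp.len >= 7 refers to the data carried below TCP (the payload), not including the TCP header itself
ip.len == 94 everything except the fixed 14-byte Ethernet header counts toward ip.len, i.e. from the IP header to the end
frame.len == 119 the length of the whole packet, from the Ethernet header to the end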
eth —> ip or arp —> tcp or udp —> data
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET requests
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST requests
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// Responses
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
A response always contains the following:
Content-Type:
tcp.flags shows packets that contain TCP flags.
tcp.flags.syn == 1 shows packets that have the TCP SYN flag set.
tcp.window_size == 0 && tcp.flags.reset != 1
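tcp[20] means: start at offset 20 and take 1 byte
tcp[20:] means: start at offset 20 and take 1 or more bytes
tcp[20:8] means: start at offset 20 and take 8 bytes
tcp[offset:n]
udp[8:3]==81:60:03 // skip 8 bytes, then take 3 bytes; do they equal the value after ==?
udp[8:1]==32 If I have guessed correctly, the form should be udp[offset:number of bytes taken]=nValue
eth.addr[0:3]==00:06:5B
Example:
Check whether the first three bytes of the data below UDP equal 0x20 0x21 0x22
As we all know, the UDP header has a fixed length of 8
udp[8:3]==20:21:22
Check whether the first three bytes of the data below TCP equal 0x20 0x21 0x22
The TCP header is normally 20 bytes long, but sometimes it is not 20
tcp[20:3]==20:21:22
For the most accurate result, the TCP header length has to be known first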
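Why a fixed offset of 20 only reaches the payload when the TCP header carries no options, shown as an added example (not part of the original notes). The segments, ports and option values are constructed sample data; header_len() uses the same arithmetic as the capture-filter expression (tcp[12] & 0xf0) >> 2.

```python
import struct

def tcp_segment(payload, options=b""):
    """Constructed TCP segment: 20-byte base header + padded options + payload."""
    options += b"\x01" * (-len(options) % 4)      # pad with NOP options to 4 bytes
    data_offset = (20 + len(options)) // 4        # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 15566, 1, 1,
                         data_offset << 4, 0x18, 8192, 0, 0)
    return header + options + payload

def header_len(segment):
    """Header length in bytes, read from the data-offset nibble at tcp[12]."""
    return (segment[12] & 0xF0) >> 2

def payload_starts_with(segment, prefix, fixed_offset=None):
    """Compare prefix at a fixed offset, or at the real payload start."""
    start = header_len(segment) if fixed_offset is None else fixed_offset
    return segment[start:start + len(prefix)] == prefix

PREFIX = bytes.fromhex("202122")
# Constructed samples: a bare header, and one carrying a 10-byte timestamp option.
plain = tcp_segment(PREFIX + b"rest")
with_opts = tcp_segment(PREFIX + b"rest",
                        options=struct.pack("!BBII", 8, 10, 1000, 0))

if __name__ == "__main__":
    for name, seg in (("no options", plain), ("with options", with_opts)):
        print(name, "header:", header_len(seg),
              "fixed offset 20:", payload_starts_with(seg, PREFIX, 20),
              "computed offset:", payload_starts_with(seg, PREFIX))
```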
The matches (match) and contains (contains a given string) syntax
ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22" ------???--------
ip.src==192.168.1.107 and udp contains 02:12:21:00:22
ip.src==192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d matches UDP packets whose payload contains 0x7c7c7d7d, not necessarily starting at the first byte.
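Getting local QQ login packets (the condition is: the first byte == 0x02, the fourth and fifth bytes equal 0x00 0x22, and the last byte equals 0x03)
0x02 xx xx 0x00 0x22 … 0x03
How should the filter be written???
udp[11:2]==00:00 means the command number is 00:00
udp[11:2]==00:80 means the command number is 00:80
When the command number is 00:80, the QQ number is 00:00:00:00
Getting the account of a successful MSN login (the condition is "USR 7 OK ", i.e. the first three bytes are USR, then past two 0x20 bytes comes OK, OK is followed by one 0x20 byte, and after that comes the mail address)
USR xx OK [email protected]
Correct:
msnms and tcp and ip.addr==192.168.1.107 and tcp[20:] matches "^USR\\x20[\\x30-\\x39]+\\x20OK\\x20[\\x00-\\xff]+"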
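Note: the filter name for the DHCP protocol is not dhcp/DHCP but bootp
Finding a rogue DHCP server serves as an example of how to use Wireshark. Add a rule to the display filter
that shows all messages that do not come from the DHCP server and have bootp.type==0x02 (Offer/Ack/NAK):
bootp.type==0x02 and not ip.src==192.168.1.1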
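The same check applied to raw frames, as an added example (not part of the original notes): flag BOOTP replies (op 2, UDP source port 67) whose source IP is not the known server. The frames are constructed samples, and 192.168.1.50 and the MAC addresses are made-up values.

```python
import socket
import struct

KNOWN_DHCP_SERVERS = {"192.168.1.1"}   # the legitimate server from the filter above

def build_reply(src_ip, src_mac, op=2):
    """Constructed Ethernet/IPv4/UDP/BOOTP frame (checksums left at zero)."""
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0) + bytes(224)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip),
                     socket.inet_aton("255.255.255.255")) + udp
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip

def rogue_reply(frame):
    """Return (src_ip, src_mac) for a BOOTP reply from an unknown server, else None."""
    if len(frame) < 43 or frame[12:14] != b"\x08\x00":   # need IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IP header length in bytes
    if frame[14 + 9] != 17:                               # IP protocol must be UDP
        return None
    udp = 14 + ihl
    if len(frame) <= udp + 8:
        return None
    (sport,) = struct.unpack_from("!H", frame, udp)
    if sport != 67 or frame[udp + 8] != 2:                # bootp.type == 0x02
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    if src_ip in KNOWN_DHCP_SERVERS:                      # not ip.src == known server
        return None
    return src_ip, frame[6:12].hex(":")

if __name__ == "__main__":
    frames = [build_reply("192.168.1.1", "00:aa:bb:cc:dd:01"),
              build_reply("192.168.1.50", "00:11:22:33:44:55"),
              build_reply("192.168.1.50", "00:11:22:33:44:55", op=1)]
    for f in frames:
        print(rogue_reply(f))
```

Recording the source MAC alongside the IP helps locate the switch port of the unexpected server.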
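Common capture filters:
tcp[13]&32==32 (TCP packets with the URG bit set)
tcp[13]&16==16 (TCP packets with the ACK bit set)
tcp[13]&8==8 (TCP packets with the PSH bit set)
tcp[13]&4==4 (TCP packets with the RST bit set)
tcp[13]&2==2 (TCP packets with the SYN bit set)
tcp[13]&1==1 (TCP packets with the FIN bit set)
tcp[13]==18 (TCP SYN-ACK packets)
ether host 00:00:00:00:00:00 (traffic to or from the MAC address; replace it with your MAC)
!ether host 00:00:00:00:00:00 (traffic not to or from the MAC address; replace it with your MAC)
broadcast (broadcast traffic only)
icmp (ICMP traffic)
icmp[0:2]==0x0301 (ICMP destination unreachable, host unreachable)
ip (IPv4 traffic only)
ip6 (IPv6 traffic only)
udp (UDP traffic only)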
Common display filters:
!tcp.port==3389 (exclude RDP traffic)
tcp.flags.syn==1 (TCP packets with the SYN flag set)
tcp.flags.rst==1 (TCP packets with the RST flag set)
!arp (exclude ARP traffic)
http (all HTTP traffic)
tcp.port==23||tcp.port ==21 (FTP or telnet)
smtp||pop||imap (smtp, pop or imap)
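Promiscuous mode: a NIC with promiscuous mode enabled can capture every frame that passes through it; without it, the NIC captures only broadcast frames and frames addressed to it. It has to be combined with switch port mirroring to work.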
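Capture filters:
1. Ethernet filters: layer-2 filters that filter by MAC address
Examples:
ether host XX: capture Ethernet frames whose source or destination is the given MAC
ether dst XX: capture Ethernet frames whose destination is the given MAC
ether src XX: capture Ethernet frames whose source is the given MAC
ether broadcast: capture all Ethernet broadcast traffic
ether multicast: capture multicast traffic
ether proto <protocol>: capture Ethernet traffic of the given protocol; for example, for EtherType 0x0800, ether proto 0x0800. The EtherType is the ether-type field of the Ethernet frame header and identifies the upper-layer protocol. 0x0800 is IPv4, 0x86dd is IPv6, 0x0806 is ARP.
vlan <vlan_id>: capture traffic of the given VLAN; and can also be used to join several and capture traffic of multiple VLANs, e.g.: vlan <vlan_id> and vlan <vlan_id> and vlan <vlan_id>
To invert a filter, use ! or not, e.g.:
! ether broadcast
not ether broadcast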
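2. Host and network filters: layer-3 filters
ip or ip6: capture IPv4 or IPv6 traffic
host <host>: capture traffic whose source or destination is the given hostname (site name) or IP
dst host <host>: capture traffic whose destination is the given hostname (site name) or IP
src host <host>: capture traffic whose source is the given hostname (site name) or IP
gateway <host>: capture traffic that passes through the gateway; host must be a hostname.
net <net>: capture traffic whose source or destination is in the given network, e.g.: net 192.168.1 or net 192.168.1.0
dst net <net>: capture traffic whose destination is in the given network
src net <net>: capture traffic whose source is in the given network
net <net> mask <netmask>: capture traffic whose source or destination is in the IPv4 network given by net and mask together; not valid for IPv6 traffic. E.g.: net 192.168.1.0 mask 255.255.255.0
dst net <net> mask <netmask>: capture traffic whose destination is in the IPv4 network given by net and mask together; not valid for IPv6 traffic.
src net <net> mask <netmask>: capture traffic whose source is in the IPv4 network given by net and mask together; not valid for IPv6 traffic.
net <net>/<len>: capture traffic whose source or destination is in the network given by address and prefix length, e.g.: net 192.168.1.0/24
dst net <net>/<len>: capture traffic whose destination is in the network given by address and prefix length
src net <net>/<len>: capture traffic whose source is in the network given by address and prefix length
broadcast: capture IP broadcast packets, usually written as: ip broadcast
multicast: capture IP multicast packets
ip proto <protocol code>: capture packets whose IP header protocol field equals the given value, e.g.: tcp is 6, udp is 17, icmp is 1
ip6 proto <protocol>: capture IPv6 packets whose next-header field in the IPv6 header equals the given value. This primitive cannot filter on fields in the IPv6 extension header chain.
icmp[icmptype]==<identifier>: capture ICMP packets of a particular type; <identifier> is the value of the type field in the ICMP header, such as 0 (ICMP echo reply) or 8 (ICMP echo request). E.g.: icmp[icmptype]==icmp-echo or icmp[icmptype]==8
ip[2:2]==<number>: capture IP packets of the given length (number is the value of the total-length field in the IP header)
ip[8]==<number>: capture IP packets with the given TTL (number is the value of the TTL field in the IP header)
ip[9]==<number>: capture IP packets of the given protocol type (number is the value of the protocol field in the IP header)
ip[12:4]==ip[16:4]: the packet's source and destination IP are the same
Note: the numbers in square brackets refer to the contents of the protocol header. The first number is the byte offset from the start of the protocol header, and the second is the number of bytes to examine.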
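3. TCP, UDP and port filters: layer 4
port <port>: match the port number given by port, e.g.: port 80 or port http
dst port <port>: the destination port is the given port number
src port <port>: the source port is the given port number
tcp portrange <p1>-<p2> or udp portrange <p1>-<p2>: capture TCP or UDP packets whose port lies between p1 and p2
tcp src portrange <p1>-<p2> or udp dst portrange <p1>-<p2>
tcp[tcpflags] & (tcp-syn|tcp-fin)!=0: capture the packets of a TCP connection that open it (SYN flag set) or close it (FIN flag set)
tcp[tcpflags] & (tcp-rst)!=0: capture all TCP packets with the RST flag set. The RST flag tears a connection down immediately; PSH indicates that the data should be handed to the receiving process.
less <length>: capture packets no longer than the given length; equivalent to: len <= <length>
greater <length>: capture packets no shorter than the given length; equivalent to: len >= <length>
tcp portrange 2000-2500: capture TCP packets with a port in this range
tcp[13] & 0x3f = 0: capture TCP traffic with no flag set (use when a null scan is suspected)
tcp[13] & 0x11 = 1: capture TCP traffic with FIN set but ACK not set
tcp[13] & 0x03 = 3: capture TCP traffic with SYN and FIN both set
tcp[13] & 0x05 = 5: capture TCP traffic with RST and FIN both set
tcp[13] & 0x06 = 6: capture TCP traffic with SYN and RST both set
tcp[13] & 0x18 = 8: capture TCP traffic with PSH set but ACK not set
// 13 refers to the flags byte in the TCP header. The mask after & selects the bits that are tested, and the number after '=' gives the state of those TCP flag bits. 0 means no flag is set, 1 means FIN is set but ACK is not, 1+2 means SYN and FIN are both set, 1+4 means RST and FIN are both set, 2+4 means SYN and RST are both set, 8 means PSH is set but ACK is not.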
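The flag tests above evaluated over constructed TCP headers, as an added example (not part of the original notes). It also shows why a test for "FIN set but ACK not set" needs the ACK bit in its mask: with mask 0x01 an ordinary FIN+ACK close would match as well. The sample flag combinations are constructed.

```python
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# (mask, value, label) for each test of the form tcp[13] & mask = value
CHECKS = [
    (0x3F, 0x00, "no flags set"),
    (0x11, 0x01, "FIN set, ACK not set"),
    (0x03, 0x03, "SYN and FIN set"),
    (0x05, 0x05, "RST and FIN set"),
    (0x06, 0x06, "SYN and RST set"),
    (0x18, 0x08, "PSH set, ACK not set"),
]

def tcp_header(flags):
    """Constructed 20-byte TCP header, all zero except the flags byte at offset 13."""
    return bytes(13) + bytes([flags]) + bytes(6)

def matches(header, mask, value):
    """Evaluate the capture-filter test tcp[13] & mask = value."""
    return (header[13] & mask) == value

def anomalies(header):
    """Labels of every anomalous flag combination the header matches."""
    return [label for mask, value, label in CHECKS if matches(header, mask, value)]

# Constructed samples: three normal segments, then four anomalous ones.
SAMPLES = {
    "SYN": SYN, "SYN+ACK": SYN | ACK, "FIN+ACK": FIN | ACK,
    "none": 0, "FIN only": FIN, "SYN+FIN": SYN | FIN,
    "FIN+PSH+URG": FIN | PSH | URG,
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:12} 0x{flags:02x} {anomalies(tcp_header(flags))}")
    close = tcp_header(FIN | ACK)
    print("FIN+ACK with mask 0x01:", matches(close, 0x01, 0x01))  # false positive
    print("FIN+ACK with mask 0x11:", matches(close, 0x11, 0x01))
```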
4. Compound filters
! or not
&& or and
|| or or
Examples:
not broadcast and not multicast capture unicast only
host www.youtube.com and port 80 capture HTTP traffic to and from the youtube site
tcp port 23 and host 192.180.1.1
tcp port 23 and not src host 192.168.1.1
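5. Byte-offset and payload-matching filters, which are more flexible
Format: proto[offset:bytes], where the protocol can be ip, udp or tcp
protocol[offset in bytes from the start of the protocol header:number of bytes the capture filter checks]
tcp[2:2]>50 and tcp[2:2]<100 // capture TCP packets whose destination port is in the range 50~100
tcp[14:2]<8192 // capture TCP packets whose window-size field is below 8192
Wireshark has a generator tool for byte-offset and payload-matching capture filters: https://www.wireshark.org/tools/string-cf.html
See also this document: http://www.packetlevel.ch/html/txt/byte_offsets.txt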
Intro
This document is meant to serve as a quick reference for points
of interest in IP, TCP, UDP and ICMP headers. I cobbled the
information from a variety of sources, all listed at the bottom
of this page. This information will (hopefully) be useful to
people building filters for network tools that use BPF, such
as tcpdump or snort. I was moved to collect all of this stuff
in one place after completing "Intrusion Detection In-Depth"
at a recent SANS conference. Yes, I'm aware that some of these
offsets are covered by tcpdump macros. So what? Use the byte
offsets instead and let them ph33r your [email protected] sk1lz. Corrections,
additions and so on are welcome. Send them to:
jquinby (at) node.to
Cheers,
JQ
IP byte offsets
ip[0] & 0x0f - protocol version
ip[0] & 0xf0 - protocol options
ip[0] & 0xff00 - internet header length
ip[1] - TOS
ip[2:2] - Total length
ip[4:2] - IP identification
ip[6] & 0xa - IP flags
ip[6:2] & 0x1fff - fragment offset area
ip[8] - TTL
ip[9] - protocol field
ip[10:2] - header checksum
ip[12:4] - src IP address
ip[16:4] - dst IP address
ip[20:3] - options
ip[24] - padding
Src IP = Dest IP (land attack)
(ip[12:4] = ip[16:4])
IP versions !=4
(ip[0] & 0xf0 != 0x40)
IP with options set:
(ip[0:1] & 0x0f > 5)
Broadcasts to x.x.x.255:
(ip[19] = 0xff)
Broadcasts to x.x.x.0
(ip[19] = 0x00)
TCP byte offsets, including anomalous TCP flag settings.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
tcp[0:2] - src port
tcp[2:2] - dst port
tcp[4:4] - seq number
tcp[8:4] - ack number
tcp[12] & 0x00ff - data offset
tcp[12] & 0xff00 - reserved
tcp[13] - tcp flags
tcp[13] & 0x3f = 0 - no flags set (null packet)
tcp[13] & 0x11 = 1 - FIN set and ACK not set
tcp[13] & 0x03 = 3 - SYN set and FIN set
tcp[13] & 0x05 = 5 - RST set and FIN set
tcp[13] & 0x06 = 6 - SYN set and RST set
tcp[13] & 0x18 = 8 - PSH set and ACK not set
tcp[13] & 0x30 = 0x20 - URG set and ACK not set
tcp[13] & 0xc0 != 0 - >= one of the reserved bits of tcp[13] is set
tcp[14:2] - window
tcp[16:2] - checksum
tcp[18:2] - urgent pointer
tcp[20:3] - options
tcp[23] - padding
tcp[24] - data
UDP byte offsets, header only
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
udp[0:2] - src port
udp[2:2] - dst port
udp[4:2] - length
udp[6:2] - checksum
udp[8:4] - first 4 octets of data
Crafted packets with impossible UDP lengths:
(udp[4:2] < 0) or (udp[4:2] > 1500)
ICMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
icmp[0] - type
icmp[1] - code
icmp[3:2] - checksum
Destination Unreachable:
icmp[0] = 0x3 (3)
icmp[4:4] - unused (per RFC)
icmp[8:4] - internet header + 64 bits original data
icmp[1] - 0 = net unreachable;
- 1 = host unreachable;
- 2 = protocol unreachable;
- 3 = port unreachable;
- 4 = fragmentation needed and DF set;
- 5 = source route failed.
Time Exceeded:
icmp[0] = 0xB (11)
icmp[4:4] - unused (per RFC)
icmp[8:4] - internet header + 64 bits original data
icmp[1] - 0 = TTL exceeded in transit
- 1 = fragment reassembly time exceeded
Parameter Problem:
icmp[0] = 0xC (12)
icmp[1] - 0 = pointer indicates error
icmp[4] - pointer
icmp[5:3] - unused, per RFC
icmp[8:4] - internet header + 64 bits original data
Source Quench:
icmp[0] = 0x4 (4)
icmp[1] - 0 = may be received by gateway or host
icmp[4:4] - unused, per RFC
icmp[8:4] - internet header + 64 bits original data
Redirect Message:
icmp[0] = 0x5 (5)
icmp[1] - 0 = redirect for network
- 1 = redirect for host
- 2 = redirect for TOS & network
- 3 = redirect for TOS & host
icmp[4:4] - gateway internet address
icmp[8:4] - internet header + 64 bits original data
Echo/Echo Reply:
icmp[0] = 0x0 (0) (echo reply)
icmp[0] = 0x8 (8) (echo request)
icmp[4:2] - identifier
icmp[6:2] - sequence number
icmp[8] - data begins
Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)
icmp[1] - 0
icmp[4:2] - identifier
icmp[6:2] - sequence number
icmp[8:4] - originate timestamp
icmp[12:4] - receive timestamp
icmp[16:4] - transmit timestamp
Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10 (16) (info reply)
icmp[1] - 0
icmp[4:2] - identifier
icmp[6:2] - sequence number
Address Mask Request/Reply:
icmp[0] = 0x11 (11) (address mask request)
icmp[0] = 0x12 (12) (address mask reply)
Sources:
RFC768, "User Datagram Protocol Specification"
RFC791, "Internet Protocol Specification"
RFC792, "Internet Control Message Protocol Specification"
RFC793, "Transmission Control Protocol"
filter files from SHADOW-1.8 source distribution
man pages for tcpdump
"TCP/IP and tcpdump Pocket Reference Guide", SANS