Common Wireshark display filters
Filter by IP address

ip.src == 192.168.1.107 or ip.dst == 192.168.1.107    // ip.src = source address, ip.dst = destination address
ip.addr == 192.168.1.107                               // matches either direction

Filter by port

tcp.port == 80
udp.port == 15000
tcp.port >= 1 and tcp.port <= 80    // port range

Filter by protocol (type the protocol name alone)

tcp udp arp icmp http smtp ftp dns msnms ip ssl oicq bootp ssh telnet ...

Filter by length

udp.length == 26     // the fixed 8-byte UDP header plus the UDP payload that follows it
tcp.len >= 7         // the data carried below the TCP header (the TCP payload), not counting the TCP header itself
ip.len == 94         // everything except the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
frame.len == 119     // the whole packet, from the Ethernet header to the end
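As an added example (not part of the original notes), the Python below builds constructed Ethernet/IPv4/TCP and UDP frames and computes the four length fields from the raw bytes, so the relationships between frame.len, ip.len, tcp.len and udp.length can be checked directly. It reproduces the numbers of the Frame 5 sample used later on this page (268 bytes on wire, IP Total Length 254, seq 1 to 215); the addresses and header values are assumed sample data.

```python
import struct

ETH_HDR_LEN = 14  # fixed Ethernet II header; Wireshark's ip.len does not include it


def build_frame(payload: bytes, proto: int, sport: int = 51833, dport: int = 80) -> bytes:
    """Build a minimal Ethernet/IPv4/(TCP|UDP) frame. Constructed sample, not a real capture."""
    if proto == 6:   # TCP: 20-byte header, flags PSH,ACK (0x018) as in the page's Frame 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 64800, 0, 0) + payload
    else:            # UDP: 8-byte header; the UDP length field covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_total = 20 + len(l4)  # IHL 5 words = 20-byte IP header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x5BB5, 0x4000, 64, proto, 0,
                     bytes([192, 168, 1, 107]), bytes([192, 168, 1, 1]))  # 0x4000 = Don't Fragment
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + l4


def wireshark_lengths(frame: bytes) -> dict:
    """Return the length fields under the names Wireshark's display filters use."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    ip_len = struct.unpack("!H", ip[2:4])[0]      # IP Total Length = ip.len
    proto = ip[9]
    l4 = ip[ihl:ip_len]
    out = {"frame.len": len(frame), "ip.len": ip_len}
    if proto == 6:
        tcp_hdr = (l4[12] >> 4) * 4               # TCP data offset
        out["tcp.len"] = len(l4) - tcp_hdr        # payload only; header excluded
    elif proto == 17:
        out["udp.length"] = struct.unpack("!H", l4[4:6])[0]  # header (8) + payload
    return out


if __name__ == "__main__":
    print(wireshark_lengths(build_frame(b"G" * 214, 6)))   # Frame 5: 268 / 254 / 214
    print(wireshark_lengths(build_frame(b"d" * 18, 17)))   # udp.length == 26
```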

Wireshark sample capture downloads
ftp:

https://sherry.cool/resource/wireshark/ftp.pcapng

telnet:

https://sherry.cool/resource/wireshark/telnet.pcapng

samba:

https://sherry.cool/resource/wireshark/samba.pcapng

tcp:

https://sherry.cool/resource/wireshark/tcp.pcapng

http:

https://sherry.cool/resource/wireshark/http.pcapng

mysql:

https://sherry.cool/resource/wireshark/mysql.pcapng

Wireshark PDF

https://sherry.cool/resource/wireshark/Wireshark 数据包分析实战详解.pdf

WIRESHARK packet details pane, layer by layer

FRAME: physical-layer frame summary
ETHERNET II: data-link-layer Ethernet frame header
Internet Protocol Version 4: internet-layer IP header
Transmission Control Protocol: transport-layer segment header
HYPERTEXT TRANSFER PROTOCOL: application-layer data

FRAME:
Frame 5: 268 bytes on wire (2144 bits), 268 bytes captured (2144 bits) on interface 0: frame number 5, 268 bytes on the wire, 268 bytes actually captured
Interface id: 0 : interface ID
Encapsulation type: Ethernet (1): encapsulation type
Arrival Time: date and time of capture
Epoch Time: ... seconds : interval between this packet and the previous packet (frame)
Frame Number: 5 : frame number
Frame Length: 268 bytes (2144 bits): frame length
Capture Length: 268 bytes (2144 bits): captured length

ETHERNET II:
Destination: destination MAC address
Source: source MAC address
Type: IPv4 (0x0800): upper-layer protocol (EtherType)

Internet Protocol Version 4:
Version: 4: IP version
Header length: 20 bytes : IP header length
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)): differentiated services field
Total Length: 254: total length of the IP packet
Identification: 0x5bb5 (23477): identification field
Flags: 0x02 (Don't Fragment): flags field
Fragment offset: 0: fragment offset
Time to Live: 64: TTL
Protocol: TCP (6): upper-layer protocol
Header checksum: 0x52ec [validation disabled]: header checksum

Transmission Control Protocol:
Source port: 51833 (51833): source port
Destination port: http (80): destination port
Sequence number: 1: sequence number
Next sequence number: 215: next sequence number
Acknowledgment number: 1: acknowledgment number
Header length: 20 bytes: header length
Flags: 0x018 (PSH, ACK) : TCP flags
Window size value: 64800: receive window size used for flow control
Checksum: 0x677e: TCP segment checksum

Wireshark --- FTP

FTP command mapping as seen in Follow TCP Stream (client command -> protocol command on the wire)

ls            LIST
system        SYST
put           STOR
get           RETR
mkdir         MKD
exit          QUIT
cd            CWD
mv            RNFR
delete        DELE
password      PASS
pwd           PWD
restart       REST
remove        RMD
status        STAT
rename        RNTO

Spotting service logins

ftp:
ip.addr == 192.168.126.133 and ftp contains "230"
telnet:
ip.addr == 192.168.126.133 and telnet contains "Welcome"
http:
ip.addr == 192.168.126.133 and http contains "200 ok"
mysql:
ip.addr == 192.168.126.133 and mysql    // the login packet has a length of 77

Identifying the system version (look at the banners carried by these protocols)
tcp
telnet
mysql
samba