Using Wireshark 1.12.3 (capturing, filters) and fixing problems encountered

the capture session could not be initiated on interface"\Device\NPF_(78032B7E-4968-42D3-9F37-287EA86C0AAA)" (failed to set hardware filter to promiscuous mode).

please check to make sure you have sufficient permissions and that you have the proper interface or pipe specified

Solution:

Open the "Capture" menu and choose the "Capture Options" submenu item;

In the settings panel, find the "Capture all in promiscuous mode" option;

"Capture all in promiscuous mode" is checked by default; change it to unchecked.

///////////////////////////////////////////// Usage ////////////////////////////////////

1) ip.addr==192.168.5.6: show only packets involving the address 192.168.5.6

2) frame.len<=128: show only packets that are 128 bytes long or shorter

3) http: show only HTTP packets

4) ip.addr==192.168.5.6 && tcp.port==15566: show only packets involving 192.168.5.6 and TCP port 15566

ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107

or ip.addr eq 192.168.1.107 // both forms match the address as either source or destination

tcp.port eq 80 // matches whether the port is the source or the destination

tcp.port == 80

tcp.port eq 2722

tcp.port eq 80 or udp.port eq 80

tcp.dstport == 80 // only TCP destination port 80

tcp.srcport == 80 // only TCP source port 80

udp.port eq 15000

Filtering a port range:

tcp.port >= 1 and tcp.port <= 80

Protocol names such as tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp and so on can be used on their own; to exclude a protocol, e.g. ARP, write !arp or not arp.

Filtering on the Ethernet header:

eth.dst == A0:00:00:04:C5:84 // filter on destination MAC

eth.src eq A0:00:00:04:C5:84 // filter on source MAC

eth.dst==A0:00:00:04:C5:84

eth.dst==A0-00-00-04-C5-84

eth.addr eq A0:00:00:04:C5:84 // matches frames whose source or destination MAC is A0:00:00:04:C5:84

Comparison operators: less than: < or lt; less than or equal: <= or le; equal: == or eq; greater than: > or gt; greater than or equal: >= or ge; not equal: != or ne

udp.length == 26: this length is the fixed 8-byte UDP header plus the UDP payload

tcp.len >= 7: refers to the TCP payload (the data carried below the TCP header), not including the TCP header itself

ip.len == 94: everything except the fixed 14-byte Ethernet header counts toward ip.len, i.e. from the IP header to the end

frame.len == 119: the length of the whole frame, from the Ethernet header to the end

eth -> ip or arp -> tcp or udp -> data

http.request.method == "GET"

http.request.method == "POST"

http.request.uri == "/img/logo-edu.gif"

http contains "GET"

http contains "HTTP/1."

// GET requests

http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "

// POST requests

http.request.method == "POST" && http contains "Host: "

http.request.method == "POST" && http contains "User-Agent: "

// Responses

http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "

Responses always contain the following header:

Content-Type:

tcp.flags: show packets that carry TCP flags.

tcp.flags.syn == 0x02: show packets with the TCP SYN flag set.

tcp.window_size == 0 && tcp.flags.reset != 1

tcp[20] means: starting at offset 20, take 1 byte

tcp[20:] means: starting at offset 20, take everything to the end (1 byte or more)

tcp[20:8] means: starting at offset 20, take 8 bytes

General form: tcp[offset:n]

udp[8:3]==81:60:03 // skip 8 bytes, then take 3 bytes: are they equal to the value after ==?

udp[8:1]==32   If my guess is right, this should be udp[offset:count]=nValue

eth.addr[0:3]==00:06:5B

Example:

Check whether the first three bytes of the UDP payload are 0x20 0x21 0x22.

We all know the UDP header has a fixed length of 8.

udp[8:3]==20:21:22

Check whether the first three bytes of the TCP payload are 0x20 0x21 0x22.

The TCP header is normally 20 bytes long, but not always.

tcp[20:3]==20:21:22

To be exact, you should first determine the TCP header length.

matches (regular expression match) and contains (contains a byte string) syntax

ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"        ------???--------

ip.src==192.168.1.107 and udp contains 02:12:21:00:22

ip.src==192.168.1.107 and tcp contains "GET"

udp contains 7c:7c:7d:7d matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily starting at the first byte.

Getting the local QQ login packet (conditions: the first byte == 0x02, the fourth and fifth bytes equal 0x00 0x22, and the last byte equals 0x03)

0x02 xx xx 0x00 0x22 … 0x03

How should the filter condition be written???

udp[11:2]==00:00 means the command number is 00:00

udp[11:2]==00:80 means the command number is 00:80

When the command number is 00:80, the QQ number is 00:00:00:00

Getting the MSN account that logged in successfully (condition: "USR 7 OK ", i.e. the first three bytes are USR, then after two 0x20 bytes comes OK; OK is followed by a single 0x20 byte, and after that comes the mail address)

USR xx OK [email protected]

Correct:

msnms and tcp and ip.addr==192.168.1.107 and tcp[20:] matches "^USR\\x20[\\x30-\\x39]+\\x20OK\\x20[\\x00-\\xff]+"

Note: the filter keyword for the DHCP protocol is not dhcp/DHCP but bootp.

Taking the search for a rogue DHCP server as an example of how to use Wireshark: add the following display filter rule to show all messages with bootp.type==0x02 (Offer/Ack/NAK) that do not come from the legitimate DHCP server:

bootp.type==0x02 and not ip.src==192.168.1.1

Common capture filters:

tcp[13]&32==32 (TCP packets with the URG bit set)

tcp[13]&16==16 (TCP packets with the ACK bit set)

tcp[13]&8==8 (TCP packets with the PSH bit set)

tcp[13]&4==4 (TCP packets with the RST bit set)

tcp[13]&2==2 (TCP packets with the SYN bit set)

tcp[13]&1==1 (TCP packets with the FIN bit set)

tcp[13]==18 (TCP SYN-ACK packets)

ether host 00:00:00:00:00:00 (traffic to or from the MAC address; substitute your own MAC)

!ether host 00:00:00:00:00:00 (traffic neither to nor from the MAC address; substitute your own MAC)

broadcast (broadcast traffic only)

icmp (ICMP traffic)

icmp[0:2]==0x0301 (ICMP destination unreachable, host unreachable)

ip (IPv4 traffic only)

ip6 (IPv6 traffic only)

udp (UDP traffic only)

Common display filters:

!tcp.port==3389 (exclude RDP traffic)

tcp.flags.syn==1 (TCP packets with the SYN flag set)

tcp.flags.rst==1 (TCP packets with the RST flag set)

!arp (exclude ARP traffic)

http (all HTTP traffic)

tcp.port==23||tcp.port ==21 (FTP or telnet)

smtp||pop||imap (SMTP, POP or IMAP)

Promiscuous mode: a network card in promiscuous mode can capture every frame that passes through it; without it, only broadcast frames and frames addressed to that card are captured. On a switched network it has to be combined with port mirroring on the switch to be effective.

Capture filters:

1. Ethernet filters (layer 2), filtering by MAC address

Examples:

ether host XX: capture Ethernet frames whose source or destination is the given MAC

ether dst XX: capture Ethernet frames whose destination is the given MAC

ether src XX: capture Ethernet frames whose source is the given MAC

ether broadcast: capture all Ethernet broadcast traffic

ether multicast: capture multicast traffic

ether proto <protocol>: capture Ethernet traffic of the given protocol, e.g. for EtherType 0x0800, ether proto 0x0800. The EtherType is the ether-type field of the Ethernet frame header and indicates the upper-layer protocol: 0x0800 is IPv4, 0x86dd is IPv6, 0x0806 is ARP.

vlan <vlan_id>: capture traffic of the given VLAN; several VLANs can be chained with and, e.g. vlan <vlan_id> and vlan <vlan_id> and vlan <vlan_id>

To negate, use ! or not, e.g.:

! ether broadcast

not ether broadcast

2. Host and network filters (layer 3)

ip or ip6: capture IPv4 or IPv6 traffic

host <host>: capture traffic whose source or destination is the given hostname (URL) or IP

dst host <host>: capture traffic whose destination is the given hostname (URL) or IP

src host <host>: capture traffic whose source is the given hostname (URL) or IP

gateway <host>: capture traffic passing through the gateway; host must be a hostname.

net <net>: capture traffic whose source or destination is in the given network, e.g. net 192.168.1 or net 192.168.1.0

dst net <net>: capture traffic whose destination is in the given network

src net <net>: capture traffic whose source is in the given network

net <net> mask <netmask>: capture traffic whose source or destination is in the IPv4 network given by net and mask together; not valid for IPv6. E.g. net 192.168.1.0 mask 255.255.255.0

dst net <net> mask <netmask>: capture traffic whose destination is in the IPv4 network given by net and mask together; not valid for IPv6.

src net <net> mask <netmask>: capture traffic whose source is in the IPv4 network given by net and mask together; not valid for IPv6.

net <net>/<len>: capture traffic whose source or destination is in the given network and prefix length, e.g. net 192.168.1.0/24

dst net <net>/<len>: capture traffic whose destination is in the given network and prefix length

src net <net>/<len>: capture traffic whose source is in the given network and prefix length

broadcast: capture IP broadcast packets, usually written as ip broadcast

multicast: capture IP multicast packets

ip proto <protocol code>: capture packets whose IP header protocol field equals the given value, e.g. 6 for TCP, 17 for UDP, 1 for ICMP

ip6 proto <protocol>: capture IPv6 packets whose next header field equals the given value. This primitive cannot filter on fields inside the IPv6 extension header chain.

icmp[icmptype]==<identifier>: capture ICMP packets of the given type; <identifier> is the type field value in the ICMP header, e.g. 0 (ICMP echo reply) or 8 (ICMP echo request). E.g. icmp[icmptype]==icmp-echo or icmp[icmptype]==8

ip[2:2]==<number>: capture IP packets of the given length (number is the total length field in the IP header)

ip[8]==<number>: capture IP packets with the given TTL (number is the TTL field in the IP header)

ip[9]==<number>: capture IP packets of the given protocol (number is the protocol field in the IP header)

ip[12:4]==ip[16:4]: packets whose source and destination IP are the same

Note: the numbers in square brackets refer to the contents of the protocol header; the first number is the byte offset from the start of the header at which to look, the second is the number of bytes to examine.

3. TCP, UDP and port filters (layer 4)

port <port>: match the given port number, e.g. port 80 or port http

dst port <port>: destination port equals the given port

src port <port>: source port equals the given port

tcp portrange <p1>-<p2> or udp portrange <p1>-<p2>: capture TCP or UDP packets whose port lies between p1 and p2

tcp src portrange <p1>-<p2> or udp dst portrange <p1>-<p2>

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0: capture the packets that open a TCP connection (SYN bit set) or close it (FIN bit set)

tcp[tcpflags] & (tcp-rst) != 0: capture all TCP packets with the RST bit set. RST tears a connection down immediately; PSH asks that the data be handed to the receiving process right away.

less <length>: capture packets no longer than the given length; equivalent to len <= <length>

greater <length>: capture packets no shorter than the given length; equivalent to len >= <length>

tcp portrange 2000-2500: capture TCP packets whose port is within this range

tcp[13] & 0x3f = 0: capture TCP traffic with none of the flag bits set (use when a null scan is suspected)

tcp[13] & 0x11 = 1: capture TCP traffic with FIN set but ACK not set

tcp[13] & 0x03 = 3: capture TCP traffic with SYN and FIN both set

tcp[13] & 0x05 = 5: capture TCP traffic with RST and FIN both set

tcp[13] & 0x06 = 6: capture TCP traffic with SYN and RST both set

tcp[13] & 0x18 = 8: capture TCP traffic with PSH set but ACK not set

// 13 is the flags byte of the TCP header; the mask after & selects the bits to test, and the number after '=' gives the required setting of those bits: 0 means no flags set, 1 means FIN set but ACK not set, 1+2 means SYN and FIN both set, 1+4 means RST and FIN both set, 2+4 means SYN and RST both set, 8 means PSH set but ACK not set.
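An added example (my own code, not from the original post or from tcpdump/Wireshark) that applies the tcp[13] & mask = value tests above to constructed flag bytes. It also shows why the mask has to cover the ACK bit when the filter is meant to say "ACK not set": a mask of 0x01 alone would also match every ordinary FIN-ACK teardown segment.

```python
# Added example: evaluate pcap-style "tcp[13] & mask == value" tests on constructed flag bytes.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def flag_test(flags_byte: int, mask: int, value: int) -> bool:
    """The BPF predicate tcp[13] & mask == value applied to one TCP flags byte."""
    return (flags_byte & mask) == value

# The flag filters from this section, keyed by what each is meant to catch.
FILTERS = {
    "null scan (no flags)":  (0x3f, 0),
    "FIN without ACK":       (0x11, FIN),
    "SYN+FIN":               (0x03, SYN | FIN),
    "RST+FIN":               (0x05, RST | FIN),
    "SYN+RST":               (0x06, SYN | RST),
    "PSH without ACK":       (0x18, PSH),
    "SYN-ACK (tcp[13]==18)": (0xff, SYN | ACK),
}

def classify(flags_byte: int) -> list:
    """Names of every filter in FILTERS that a given flags byte satisfies."""
    return [name for name, (mask, value) in FILTERS.items()
            if flag_test(flags_byte, mask, value)]

def loose_vs_strict_fin(flags_byte: int) -> tuple:
    """Compare a mask that ignores ACK (& 0x01) with one that requires ACK clear (& 0x11).
    A normal FIN-ACK teardown matches the loose form and would flood a 'FIN-only'
    alert; the strict form leaves it alone."""
    return (flag_test(flags_byte, 0x01, 1), flag_test(flags_byte, 0x11, 1))

# Constructed flag bytes, as tcp[13] would hold them in a capture (not real traffic).
SAMPLES = {
    "normal FIN-ACK": FIN | ACK,
    "handshake SYN-ACK": SYN | ACK,
    "null probe": 0,
    "SYN-FIN probe": SYN | FIN,
}

def report() -> dict:
    """Map each sample name to the list of filters it triggers."""
    return {name: classify(byte) for name, byte in SAMPLES.items()}
```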

4. Compound filters

! or not

&& or and

|| or or

Examples:

not broadcast and not multicast: capture unicast only

host www.youtube.com and port 80: capture HTTP traffic to and from the YouTube site

tcp port 23 and host 192.180.1.1

tcp port 23 and not src host 192.168.1.1

5. Byte-offset and payload-matching filters, which are more flexible

Format: proto[offset:bytes], where the protocol can be ip, udp or tcp

protocol[byte offset from the start of the protocol header:number of bytes the capture filter should examine]

tcp[2:2]>50 and tcp[2:2]<100 // capture TCP packets whose destination port lies in the range 50~100

tcp[14:2]<8192 // capture TCP packets whose window size field is below 8192
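An added example (my own code, not from the original post or from Wireshark) that emulates proto[offset:bytes] over constructed IPv4/TCP packets. It serves both the tcp[20:3]==20:21:22 discussion in the display-filter section (where the post notes that the TCP header is not always 20 bytes) and the byte-offset capture filters here: the offset is counted from the start of that protocol's header, and the TCP payload is only at tcp[20:] when the data offset says the header is 20 bytes.

```python
import struct

# Constructed IPv4/TCP packets (not real captures) to show what tcp[offset:n] and
# ip[offset:n] actually read: offsets count from the start of that protocol's header.

def build_ipv4_tcp(tcp_options: bytes, payload: bytes) -> bytes:
    """Build an IPv4 header (IHL=5) + TCP header (+ options, NOP-padded to 4 bytes) + payload."""
    opts = tcp_options + b"\x01" * (-len(tcp_options) % 4)
    data_offset = (20 + len(opts)) // 4            # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,                   # src port, dst port
                      1, 0,                        # seq, ack
                      data_offset << 4,            # byte 12: data offset in the high nibble
                      0x18,                        # byte 13: flags PSH+ACK
                      8192, 0, 0)                  # window, checksum, urgent pointer
    tcp += opts + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes([192, 168, 1, 107]), bytes([192, 168, 1, 1]))
    return ip + tcp

def proto_slice(pkt: bytes, proto: str, offset: int, n: int) -> bytes:
    """Emulate ip[offset:n] / tcp[offset:n]; the TCP base is found from the IP header length."""
    ihl = (pkt[0] & 0x0f) * 4
    base = 0 if proto == "ip" else ihl
    return pkt[base + offset: base + offset + n]

def slice_int(pkt: bytes, proto: str, offset: int, n: int) -> int:
    """Numeric form used by comparisons such as tcp[2:2] > 50 or tcp[14:2] < 8192."""
    return int.from_bytes(proto_slice(pkt, proto, offset, n), "big")

def tcp_payload(pkt: bytes) -> bytes:
    """Locate the payload from the TCP data offset instead of assuming a 20-byte header."""
    ihl = (pkt[0] & 0x0f) * 4
    tcp_hdr_len = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + tcp_hdr_len:]

# Sample packets: one with a plain 20-byte TCP header, one carrying an MSS option (24 bytes).
PLAIN = build_ipv4_tcp(b"", b"\x20\x21\x22")
WITH_MSS = build_ipv4_tcp(b"\x02\x04\x05\xb4", b"\x20\x21\x22")

# tcp[20:3]==20:21:22 holds for PLAIN but reads the option bytes in WITH_MSS;
# tcp_payload() returns the right bytes for both because it honours the data offset.
```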

Wireshark has a generator for byte-offset and payload-matching capture filters: https://www.wireshark.org/tools/string-cf.html

See also this article: http://www.packetlevel.ch/html/txt/byte_offsets.txt

Intro

This document is meant to serve as a quick reference for points of interest in IP, TCP, UDP and ICMP headers. I cobbled the information from a variety of sources, all listed at the bottom of this page. This information will (hopefully) be useful to people building filters for network tools that use BPF, such as tcpdump or snort. I was moved to collect all of this stuff in one place after completing "Intrusion Detection In-Depth" at a recent SANS conference. Yes, I'm aware that some of these offsets are covered by tcpdump macros. So what? Use the byte offsets instead and let them ph33r your m@d sk1lz. Corrections, additions and so on are welcome. Send them to:

jquinby (at) node.to

Cheers,

JQ

IP byte offsets

ip[0] & 0xf0          - protocol version
ip[0] & 0x0f          - internet header length
ip[1]                 - TOS
ip[2:2]               - Total length
ip[4:2]               - IP identification
ip[6] & 0xe0          - IP flags
ip[6:2] & 0x1fff      - fragment offset area
ip[8]                 - TTL
ip[9]                 - protocol field
ip[10:2]              - header checksum
ip[12:4]              - src IP address
ip[16:4]              - dst IP address
ip[20:3]              - options
ip[24]                - padding

Src IP = Dest IP (land attack)
(ip[12:4] = ip[16:4])

IP versions !=4
(ip[0] & 0xf0 != 0x40)

IP with options set:
(ip[0:1] & 0x0f > 5)

Broadcasts to x.x.x.255:
(ip[19] = 0xff)

Broadcasts to x.x.x.0
(ip[19] = 0x00)

TCP byte offsets, including anomalous TCP flag settings.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

tcp[0:2]              - src port
tcp[2:2]              - dst port
tcp[4:4]              - seq number
tcp[8:4]              - ack number
tcp[12] & 0xf0        - data offset
tcp[12] & 0x0f        - reserved
tcp[13]               - tcp flags

tcp[13] & 0x3f = 0    - no flags set (null packet)
tcp[13] & 0x11 = 1    - FIN set and ACK not set
tcp[13] & 0x03 = 3    - SYN set and FIN set
tcp[13] & 0x05 = 5    - RST set and FIN set
tcp[13] & 0x06 = 6    - SYN set and RST set
tcp[13] & 0x18 = 8    - PSH set and ACK not set
tcp[13] & 0x30 = 0x20 - URG set and ACK not set
tcp[13] & 0xc0 != 0   - >= one of the reserved bits of tcp[13] is set

tcp[14:2]             - window
tcp[16:2]             - checksum
tcp[18:2]             - urgent pointer
tcp[20:3]             - options
tcp[23]               - padding
tcp[24]               - data

UDP byte offsets, header only
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

udp[0:2]              - src port
udp[2:2]              - dst port
udp[4:2]              - length
udp[6:2]              - checksum
udp[8:4]              - first 4 octets of data

Crafted packets with impossible UDP lengths:
(udp[4:2] < 8) or (udp[4:2] > 1500)

ICMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

icmp[0]               - type
icmp[1]               - code
icmp[2:2]             - checksum

Destination Unreachable:
icmp[0] = 0x3 (3)

icmp[4:4]             - unused (per RFC)
icmp[8:4]             - internet header + 64 bits original data
icmp[1]               - 0 = net unreachable;
                      - 1 = host unreachable;
                      - 2 = protocol unreachable;
                      - 3 = port unreachable;
                      - 4 = fragmentation needed and DF set;
                      - 5 = source route failed.

Time Exceeded:
icmp[0] = 0xB (11)

icmp[4:4]             - unused (per RFC)
icmp[8:4]             - internet header + 64 bits original data
icmp[1]               - 0 = TTL exceeded in transit
                      - 1 = fragment reassembly time exceeded

Parameter Problem:
icmp[0] = 0xC (12)

icmp[1]               - 0 = pointer indicates error
icmp[4]               - pointer
icmp[5:3]             - unused, per RFC
icmp[8:4]             - internet header + 64 bits original data

Source Quench:
icmp[0] = 0x4 (4)

icmp[1]               - 0 = may be received by gateway or host
icmp[4:4]             - unused, per RFC
icmp[8:4]             - internet header + 64 bits original data

Redirect Message:
icmp[0] = 0x5 (5)

icmp[1]               - 0 = redirect for network
                      - 1 = redirect for host
                      - 2 = redirect for TOS & network
                      - 3 = redirect for TOS & host
icmp[4:4]             - gateway internet address
icmp[8:4]             - internet header + 64 bits original data

Echo/Echo Reply:
icmp[0] = 0x0 (0) (echo reply)
icmp[0] = 0x8 (8) (echo request)

icmp[4:2]             - identifier
icmp[6:2]             - sequence number
icmp[8]               - data begins

Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)

icmp[1]               - 0
icmp[4:2]             - identifier
icmp[6:2]             - sequence number
icmp[8:4]             - originate timestamp
icmp[12:4]            - receive timestamp
icmp[16:4]            - transmit timestamp

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10 (16) (info reply)

icmp[1]               - 0
icmp[4:2]             - identifier
icmp[6:2]             - sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (17) (address mask request)
icmp[0] = 0x12 (18) (address mask reply)


Sources:

RFC 768, "User Datagram Protocol Specification"
RFC 791, "Internet Protocol Specification"
RFC 792, "Internet Control Message Protocol Specification"
RFC 793, "Transmission Control Protocol"
filter files from SHADOW-1.8 source distribution
man pages for tcpdump
"TCP/IP and tcpdump Pocket Reference Guide", SANS

 
