View, edit and create display filters (main toolbar)
Display Filters button (another way to view, edit and create display filters)
Display Filter Area (includes auto-complete and error detection)
Last used display filter drop down list
Enable/disable all coloring rules
Launch the Coloring Rules window
Create or edit coloring rules (double-click on a coloring rule to open)
Enable/disable the selected coloring rule (line strikeout appears over rule)
Delete the selected coloring rule (select Clear to reload default coloring rules)
We typed http.request.method in the display filter area to display all packets that contain this field.
We applied this filter in Figure 59. Notice that the Status Bar indicates that this trace file, httpbrowse101.pcapng, contains 2011 packets and only 101 packets match our filter.
This is a great filter to determine what elements are requested by an HTTP client.
Display Filter Comparison Operators
You can expand your filter to look for a particular value in a field. Wireshark supports numerous
comparison operators for this purpose. The following lists Wireshark's seven comparison
operators.
1. == or eq
Example: ip.src == 10.2.2.2
Display all IPv4 traffic from 10.2.2.2
2. != or ne
Example: tcp.srcport != 80
Display all TCP traffic from any port except port 80
3. > or gt
Example: frame.time_relative > 1
Display packets that arrived more than 1 second after the previous packet in the trace file
4. < or lt
Example: tcp.window_size < 1460
Display when the TCP receive window size is less than 1460 bytes
5. >= or ge
Example: dns.count.answers >= 10
Display DNS response packets that contain at least 10 answers
6. <= or le
Example: ip.ttl <= 10
Display any packets that have 10 or less in the IP Time to Live field
7. contains
Example: http contains "GET"
Display all the HTTP client GET requests sent to HTTP servers
Use comparison operators when filtering for TCP-based applications. For example, if you want to see your HTTP traffic that runs over port 80, use tcp.port==80.
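To make the operator semantics concrete, the following Python program is a small evaluator for single-comparison display filter expressions. It is an added example, not Wireshark code and not part of the original text, and the packet records it filters are constructed here rather than taken from httpbrowse101.pcapng. It runs the seven operators and their textual aliases over those records and shows three points worth keeping in mind when reading the list above: contains is a case-sensitive substring test; a comparison against a field the frame does not carry is false, so tcp.srcport != 80 does not match UDP packets; and for a field that occurs more than once in a frame (tcp.port, ip.addr), != requires every occurrence to differ, which is the meaning Wireshark 3.6 and later give it. The records also carry frame.time_delta, the time since the previous frame, which is the field that expresses "more than 1 second after the previous packet"; frame.time_relative measures from the first frame of the capture.

```python
"""Evaluate single-comparison Wireshark display filter expressions.

Added example, not Wireshark's own code.  A packet is a constructed dict
mapping a field name to the list of values it takes in the frame, since a
field can occur more than once (ip.addr holds both addresses, tcp.port both
ports).  IP addresses are compared as plain strings, a simplification.
"""
import operator
import re

# The seven comparison operators from the text and their aliases.
# Note that 'le', not 'lt', is the textual alias of '<='.
OPERATORS = {
    "==": operator.eq, "eq": operator.eq,
    "!=": operator.ne, "ne": operator.ne,
    ">": operator.gt, "gt": operator.gt,
    "<": operator.lt, "lt": operator.lt,
    ">=": operator.ge, "ge": operator.ge,
    "<=": operator.le, "le": operator.le,
    # 'contains' is a case-sensitive substring test, as in Wireshark.
    "contains": lambda value, needle: str(needle) in str(value),
}

_EXPR = re.compile(
    r"^\s*([A-Za-z0-9_.]+)\s*"                       # field, e.g. tcp.srcport
    r"(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le|contains)"  # operator or alias
    r"\s*(.+?)\s*$"                                  # right-hand literal
)

def _literal(text):
    """Turn the right-hand side into an int, a float or a string."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]                 # quoted string such as "GET"
    for convert in (int, float):
        try:
            return convert(text)
        except ValueError:
            pass
    return text                           # e.g. an IP address literal

def parse_filter(expr):
    """Split 'field operator literal' into its three parts."""
    match = _EXPR.match(expr)
    if not match:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    field, op, literal = match.groups()
    return field, op, _literal(literal)

def matches(packet, expr):
    """True when the packet satisfies expr.

    A comparison on a field absent from the frame is false, so
    'tcp.srcport != 80' never matches a UDP packet.  When a field occurs
    several times, '!=' requires every occurrence to differ (the meaning
    Wireshark 3.6 and later give it); the other operators match if any
    occurrence does.
    """
    field, op, literal = parse_filter(expr)
    values = packet.get(field, [])
    if not values:
        return False
    compare = OPERATORS[op]
    if op in ("!=", "ne"):
        return all(compare(v, literal) for v in values)
    return any(compare(v, literal) for v in values)

def apply_filter(expr, packets):
    """Return the frame numbers of the packets that match expr."""
    return [p["frame.number"][0] for p in packets if matches(p, expr)]

# Constructed sample frames; these are not taken from httpbrowse101.pcapng.
PACKETS = [
    {"frame.number": [1], "frame.time_delta": [0.0], "ip.ttl": [64],      # client SYN
     "ip.src": ["10.2.2.2"], "ip.dst": ["80.78.246.209"], "ip.addr": ["10.2.2.2", "80.78.246.209"],
     "tcp.srcport": [52000], "tcp.dstport": [80], "tcp.port": [52000, 80],
     "tcp.window_size": [65535], "tcp.flags.syn": [1]},
    {"frame.number": [2], "frame.time_delta": [0.02], "ip.ttl": [52],     # server SYN/ACK, small window
     "ip.src": ["80.78.246.209"], "ip.dst": ["10.2.2.2"], "ip.addr": ["80.78.246.209", "10.2.2.2"],
     "tcp.srcport": [80], "tcp.dstport": [52000], "tcp.port": [80, 52000],
     "tcp.window_size": [1024], "tcp.flags.syn": [1]},
    {"frame.number": [3], "frame.time_delta": [0.001], "ip.ttl": [64],    # HTTP GET request
     "ip.src": ["10.2.2.2"], "ip.dst": ["80.78.246.209"], "ip.addr": ["10.2.2.2", "80.78.246.209"],
     "tcp.srcport": [52000], "tcp.dstport": [80], "tcp.port": [52000, 80],
     "tcp.window_size": [65535], "tcp.flags.syn": [0],
     "http": ["GET /index.html HTTP/1.1"], "http.request.method": ["GET"]},
    {"frame.number": [4], "frame.time_delta": [1.4], "ip.ttl": [8],       # DNS query, 1.4 s gap
     "ip.src": ["10.2.2.2"], "ip.dst": ["10.2.2.1"], "ip.addr": ["10.2.2.2", "10.2.2.1"],
     "udp.srcport": [53001], "udp.dstport": [53], "dns.count.answers": [0]},
    {"frame.number": [5], "frame.time_delta": [0.03], "ip.ttl": [120],    # DNS response, 12 answers
     "ip.src": ["10.2.2.1"], "ip.dst": ["10.2.2.2"], "ip.addr": ["10.2.2.1", "10.2.2.2"],
     "udp.srcport": [53], "udp.dstport": [53001], "dns.count.answers": [12]},
]

if __name__ == "__main__":
    for expr in ("ip.src == 10.2.2.2", "tcp.srcport != 80", "tcp.port != 80",
                 "frame.time_delta > 1", "tcp.window_size < 1460",
                 "dns.count.answers >= 10", "ip.ttl <= 10", 'http contains "GET"'):
        print(f"{expr:26} -> frames {apply_filter(expr, PACKETS)}")
```

Running the program prints which constructed frames each expression selects. The instructive case is tcp.port != 80 against the three TCP frames: every one of them carries port 80 as one of its two tcp.port values, so none is selected, whereas tcp.srcport != 80 selects the two client frames because that field occurs once per packet.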
Question 1.
Did you capture any ICMP traffic?
Question 2.
What protocols are listed for your browsing session to www.google.com?
Now configure Wireshark to capture all your ICMP traffic, and save your traffic to a file called
myicmp.pcapng. Again, ping and browse to www.google.com. Stop the capture and examine the
trace file contents.
Question 3.
How many ICMP packets did you capture?
Question 4.
What ICMP Type and Code numbers are listed in your trace file?
Task:
Question 1.
How many frames travel to or from 80.78.246.209?
Question 2.
How many DNS packets are in this trace file?
Question 3.
How many frames have the TCP SYN bit set to 1?
Question 4.
How many frames contain the string "set-cookie" in upper case or lower case?
Question 5.
How many frames contain a TCP delta time greater than 1 second?