Filtering the Wireshark packet list

How to see only the captured packets you are interested in

Unless you specified a filter when you created the capture file in Wireshark, you will see every captured packet in the packet list pane. If you chose to run a "promiscuous mode" capture, you may be looking at packets from many sources. Now, while an overview of everything is useful, when troubleshooting or trying to understand a network "conversation" you will at some point want to restrict the packet list based on some criteria. For example, you may only be interested in traffic to or from a given host. This turns out to be easy. Below the button bar is a "filter" field in which you can enter a filter expression to limit what is displayed. If you only want to see packets to and from 10.10.1.20, just enter ip.addr == 10.10.1.20 and press Enter. (If you only want to see outbound packets from that address, use ip.src instead of ip.addr; if you only want inbound packets, use ip.dst.) If you only want to see packets for a particular protocol, it's even simpler: just enter the protocol name (ARP, DNS, HTTP, etc.) in the filter field. There are 935 supported protocols, so you should be able to choose the one you want! To clear the filter, click the Clear button to the right of the filter field, and all your packets will reappear in the packet list.

So how do you learn the syntax for Wireshark filter expressions? Click the Expression.. button next to the filter field. This brings up a dialog box showing all possible field names and operators. You can construct a filter expression here, and when you close the dialog box it will appear in the filter field (although you still have to press Enter). One of the coolest design touches in Wireshark is that if you enter a filter expression that is syntactically invalid, the background of the filter field turns red. Once you've entered a valid expression (whether or not it's going to have the desired effect!), the background turns green. A simple feedback mechanism, but very effective. Why can't we get something like this at the Windows command prompt?
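To make the semantics of the filters above concrete, here is a small evaluator for just that subset of display-filter syntax (ip.addr, ip.src, ip.dst and a bare protocol name), run over a handful of constructed packet records. It is an added example, not Wireshark's own parser; the packet records, the protocol list and the "invalid expression" error standing in for the red filter field are all assumptions made for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: highest-layer protocol plus the ip.* fields,
    which are absent (None) for packets that carry no IP header, such as ARP."""
    proto: str
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None

# Constructed sample capture (not from a real pcap).
SAMPLE_PACKETS = [
    Packet("dns", "10.10.1.20", "10.10.1.1"),        # 0: outbound from .20
    Packet("dns", "10.10.1.1", "10.10.1.20"),        # 1: inbound to .20
    Packet("http", "10.10.1.20", "93.184.216.34"),   # 2: outbound from .20
    Packet("arp"),                                   # 3: no ip.* fields at all
    Packet("http", "10.10.1.55", "10.10.1.99"),      # 4: unrelated host
]

KNOWN_PROTOCOLS = {"arp", "dns", "http", "icmp", "tcp", "udp"}  # tiny subset for the demo
_ADDR_RE = re.compile(r"^(ip\.(?:addr|src|dst))\s*==\s*(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_filter(expr):
    """Turn a filter expression into a predicate over Packet, or raise ValueError
    for anything outside the supported syntax (the 'red background' case).
    Input is lowercased here only to keep the demo lenient."""
    expr = expr.strip().lower()
    m = _ADDR_RE.match(expr)
    if m:
        field, addr = m.groups()
        if field == "ip.addr":   # matches either end of the conversation
            return lambda p: addr in (p.ip_src, p.ip_dst)
        if field == "ip.src":    # outbound from addr only
            return lambda p: p.ip_src == addr
        return lambda p: p.ip_dst == addr   # inbound to addr only
    if expr in KNOWN_PROTOCOLS:   # bare protocol name, e.g. "http"
        return lambda p: p.proto == expr
    raise ValueError(f"invalid display filter: {expr!r}")

def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Indexes of the packets that stay in the packet list under this filter."""
    keep = parse_filter(expr)
    return [i for i, p in enumerate(packets) if keep(p)]

def is_valid(expr):
    """True when the expression would turn the filter field green, False for red."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False
```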


Copyright © 2009 IDG Communications, Inc.
