
Wireshark filter all current packets?

Let's say I want to monitor the [A] application and it's not running yet.
When I start Wireshark it will show me everything happening on my network adapter, so I filter these packets like this:

(((((((((((((((((((((((((((((((((((((((((((((((((((((((((!(ip.addr == 192.168.2.3) && !(smb2)) && !(ip.addr == 192.168.2.1)) && .....

You can see from the number of parentheses how long my filter is.
After that I see a clean view with almost no packets.
Now I run the [A] application and I will see almost only [A] traffic in the view.

Is there a shorter way to achieve this without making all of these filters manually?
Like adding "everything" in the current view to the filter, then I start [A] to monitor it alone.

You can go to the Packet Details pane and right-click on some value(s) you wish to filter by and use Wireshark's built-in "Prepare a Filter"/"Apply as Filter" to build a filter.

I'd suggest using more whitelist filtering (e.g. "protocol == XXX") instead of blacklisting (e.g. "!(protocol == YYY) && !(protocol == ZZZ)" etc.).
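As an added example (not code from the asker or the answerer), the script below builds the filter the question asks for automatically: it reads the endpoints seen in a baseline capture and emits a compact blacklist using Wireshark's set-membership syntax (`ip.addr in {...}`) instead of a long chain of `!(...) && !(...)` terms, and it also shows the whitelist form the answer recommends. It assumes the baseline was exported with `tshark -r baseline.pcapng -T fields -e ip.src -e ip.dst -e tcp.port -e udp.port`; the sample lines are constructed, and ephemeral client ports are dropped because they change on every run.

```python
"""Build a compact Wireshark display filter from the endpoints seen in a baseline capture."""
from typing import Iterable

# Constructed sample of tab-separated tshark output (-T fields -e ip.src -e ip.dst
# -e tcp.port -e udp.port): an SMB2 session to a file server and a DNS lookup.
SAMPLE_BASELINE = (
    "192.168.2.3\t192.168.2.1\t49152,445\t\n"
    "192.168.2.1\t192.168.2.3\t445,49152\t\n"
    "192.168.2.3\t8.8.8.8\t\t55001,53\n"
    "8.8.8.8\t192.168.2.3\t\t53,55001\n"
)

EPHEMERAL_START = 49152  # IANA dynamic port range: client-side ports, different per run


def parse_baseline(text: str):
    """Collect the addresses and the fixed (non-ephemeral) TCP/UDP ports in the baseline."""
    ips, tcp_ports, udp_ports = set(), set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, tcp, udp = (line.split("\t") + ["", "", "", ""])[:4]  # tolerate short lines
        ips.update(a for a in (src, dst) if a)
        for field, bucket in ((tcp, tcp_ports), (udp, udp_ports)):
            for port in filter(None, field.split(",")):  # multi-valued fields are comma separated
                if int(port) < EPHEMERAL_START:
                    bucket.add(int(port))
    return ips, tcp_ports, udp_ports


def _in_set(field: str, values: Iterable) -> str:
    """Render one set-membership test, e.g. 'tcp.port in {445}'."""
    return f"{field} in {{{' '.join(str(v) for v in sorted(values))}}}"


def exclusion_filter(text: str) -> str:
    """Blacklist form (the asker's approach): hide every endpoint the baseline already showed."""
    ips, tcp_ports, udp_ports = parse_baseline(text)
    fields = (("ip.addr", ips), ("tcp.port", tcp_ports), ("udp.port", udp_ports))
    return " && ".join(f"!({_in_set(f, v)})" for f, v in fields if v)


def whitelist_filter(host: str, protocols: Iterable[str]) -> str:
    """Whitelist form from the answer: only the monitored host, only the protocols it should use."""
    return f"ip.addr == {host} && ({' || '.join(protocols)})"


if __name__ == "__main__":
    print(exclusion_filter(SAMPLE_BASELINE))
    print(whitelist_filter("192.168.2.3", ["smb2", "dns"]))
```

The blacklist output hides any host that appeared in the baseline, so traffic from [A] to one of those hosts (a shared DNS resolver, for instance) is hidden too; that is the reason the answer prefers the whitelist form.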
