Basic Commands For Frames With Passwords:
1️⃣ tcp.srcport == 22
2️⃣ http.host
3️⃣ dns.qry.name
5️⃣ ip contains "google"
6️⃣ ip contains ".gov"
7️⃣ tcp contains "password"
7️⃣ tcp contains "GET /"
8️⃣ tcp contains "POST /"
9️⃣ ip.src == <ip>
1️⃣0️⃣ ip.dst == <ip>
1️⃣1️⃣ ip.addr == <ip>
1️⃣2️⃣ tcp.port == 80
1️⃣3️⃣ tcp.dstport == 22
1️⃣4️⃣ tcp.srcport == 22
Show only FTP and DNS traffic:
ftp || dns
Show all traffic except ARP and ICMP:
!arp && !icmp
Show only HTTP to or from 192.168.0.1:
ip.addr == 192.168.0.1 && http
(change 192.168.0.1 to the address you are interested in)
Search for zip or exe files:
tcp matches "zip" or tcp matches "exe"
Search for an ASCII string containing "PASS":
tcp contains "PASS"
Search for a specific ip address:
ip.addr == 192.168.0.1
Search for frames where the IP address is not 192.168.0.1 (note that ip.addr != 192.168.0.1 would not do this, because the frame's other endpoint still differs):
not ip.addr == 192.168.0.1
Search for MAC address:
eth.addr == 00:11:11:35:11:14
Search by port:
tcp.port == 139
Search for DNS port:
udp.dstport == 53
Search for HTTP POST request: Expression filter.
http.request.method == "POST"
POP3 USER request:
pop.request.command == "USER"
pop.request.command == "PASS"
FTP USER request:
ftp.request.command == "USER"
ftp.request.command == "PASS"
Find the FTP data channel (passive-mode 227 reply or active-mode PORT command):
ftp.response.code == 227 || ftp.request.command == "PORT"
SMTP Search for email recipient:
smtp.req.parameter == "TO: <mail@blop.dk>"
(change to your target address)
Search for Sender:
smtp.req.parameter == "FROM: <mail@blop.dk>"
(change to your target address)
SMTP Find all email recipients:
smtp.req.command == "RCPT"
Find windows client names:
browser.server
Browser Host Announcement:
browser.command == 0x1
Search HTTP GET requests for frames containing the string "hacking":
http.request.method == "GET" && frame contains "hacking"
Search for specific URI:
http.request.uri == "<website>"
Search for all frames where a TCP connection was established (SYN + ACK set, i.e. the handshake succeeded):
tcp.flags == 0x12
SSL / TLS handshake - Shows all SSL / TLS handshakes:
ssl.record.content_type == 22
Search for HTTPS Server Hello - see whether DH or DHE is used to encrypt connections.
ssl.handshake.certificate
Search for HTTP GET that contains index.php:
http.request.method == "GET" && http.request.full_uri matches "index\\.php\\?.*="
http.request.method == "GET" && http.request.full_uri contains "index.php?"
Look for .CN or .RU hosts in HTTP:
http.host matches "(?i)[.](ru|cn)$"
DNS:
dns.qry.name matches "(?i)[.](cn|ru)$"
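The display filters above (tcp contains "PASS", tcp.flags == 0x12 and the negated ip.addr search) are easiest to understand once you see how Wireshark treats a field that occurs more than once in a frame. The following is an added example, not code from the original post: it models a handful of display-filter semantics in Python over constructed frames (addresses, ports and payloads are made up), and in particular shows why `ip.addr != x` still keeps host x's frames while `!(ip.addr == x)` removes them.

```python
"""A small model of Wireshark display-filter semantics on constructed frames.

Added example, not code from the original post. Each frame is flattened to
Wireshark-style field names; fields that occur more than once in a frame
(ip.addr, tcp.port) are sets, which is exactly why `ip.addr != x` does not
exclude host x while `!(ip.addr == x)` does. Addresses and payloads are made up.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

@dataclass
class Frame:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0          # tcp.flags as Wireshark shows it (0x12 = SYN+ACK)
    payload: bytes = b""

    def fields(self) -> dict:
        """Flatten to display-filter field names; multi-valued fields are sets."""
        f = {
            "ip.src": {self.src},
            "ip.dst": {self.dst},
            "ip.addr": {self.src, self.dst},          # one field, two occurrences
            f"{self.proto}.srcport": {self.sport},
            f"{self.proto}.dstport": {self.dport},
            f"{self.proto}.port": {self.sport, self.dport},
        }
        if self.proto == "tcp":
            f["tcp.flags"] = {self.flags}
        return f

def eq(frame: Frame, name: str, value) -> bool:
    """`name == value`: true if ANY occurrence of the field equals value."""
    return value in frame.fields().get(name, set())

def ne(frame: Frame, name: str, value) -> bool:
    """`name != value`: true if ANY occurrence differs (the classic gotcha)."""
    return any(v != value for v in frame.fields().get(name, set()))

def contains(frame: Frame, proto: str, needle: bytes) -> bool:
    """`tcp contains "..."`: byte search; simplified here to the segment payload."""
    return frame.proto == proto and needle in frame.payload

# Constructed traffic: an FTP login from 192.168.0.1 and one unrelated DNS query.
FRAMES = [
    Frame("192.168.0.1", "10.0.0.5", "tcp", 51000, 21, SYN),
    Frame("10.0.0.5", "192.168.0.1", "tcp", 21, 51000, SYN | ACK),
    Frame("192.168.0.1", "10.0.0.5", "tcp", 51000, 21, PSH | ACK, b"USER alice\r\n"),
    Frame("192.168.0.1", "10.0.0.5", "tcp", 51000, 21, PSH | ACK, b"PASS hunter2\r\n"),
    Frame("10.0.0.7", "10.0.0.53", "udp", 40000, 53, 0, b"\x12\x34\x01\x00"),
]

def select(pred, frames=FRAMES) -> list:
    """Indices of the frames a display filter would show."""
    return [i for i, fr in enumerate(frames) if pred(fr)]

def syn_ack():          # tcp.flags == 0x12
    return select(lambda f: eq(f, "tcp.flags", 0x12))

def cleartext_pass():   # tcp contains "PASS"
    return select(lambda f: contains(f, "tcp", b"PASS"))

def not_host_right():   # !(ip.addr == 192.168.0.1)
    return select(lambda f: not eq(f, "ip.addr", "192.168.0.1"))

def not_host_wrong():   # ip.addr != 192.168.0.1  (keeps the host's frames too)
    return select(lambda f: ne(f, "ip.addr", "192.168.0.1"))

if __name__ == "__main__":
    for label, fn in [("tcp.flags == 0x12", syn_ack),
                      ('tcp contains "PASS"', cleartext_pass),
                      ("!(ip.addr == 192.168.0.1)", not_host_right),
                      ("ip.addr != 192.168.0.1", not_host_wrong)]:
        print(f"{label:30s} -> frames {fn()}")
```

Running it shows the SYN+ACK filter picking only the server's handshake reply, the PASS filter picking only the frame carrying the cleartext credential, and the two negations diverging: the `!=` form matches every frame, because each frame has a second endpoint that is not 192.168.0.1.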
Capture filters on ports. This filter captures traffic on port 80 and 3128 only:
tcp dst port 80 or tcp dst port 3128
This filter captures all traffic to the 192.168 network:
dst net 192.168
This filter captures all traffic from the 192.168 network:
src net 192.168
This filter captures all traffic to or from the 192.168 network:
net 192.168
This filter captures all traffic to or from the following WLAN (wireless) station:
wlan host 00:25:64:8c:9f:75
This filter only captures traffic to and from 192.168.10.1:
host 192.168.10.1
This filter captures all traffic to or from the following network, given with a netmask:
net 192.168.10 mask 255.255.255.0
Filter out port 80 traffic and DNS traffic (display filter):
!(tcp.port == 80) && !(udp.port == 53)
This filter only looks at traffic on the following port range, 6881 to 6999 (BitTorrent):
portrange 6881-6999
Operators:
1️⃣ Negation (! or not)
2️⃣ Conjunction (&& or and)
3️⃣ Alternation (|| or or)
Comparison Operators:
Description                 Symbol     Text
equal to                    ==         eq
or                          ||         or
and                         &&         and
greater than                >          gt
less than                   <          lt
greater than or equal to    >=         ge
less than or equal to       <=         le
not                         !          not
not equal to                !=         ne
contains                    contains
matches                     matches
This filter will capture all traffic to and from 192.168.10.1 that is sent to TCP port 53.
AND ensures that both sides of the operator must match before traffic is captured.
host 192.168.10.1 and tcp dst port 53
This filter will capture all traffic to or from 192.168.10.1, or any traffic sent to TCP port 53:
host 192.168.10.1 or tcp dst port 53
This filter captures all traffic whose source address is not in the 10.2.0.0/16 network:
not src net 10.2.0.0/16
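The capture-filter expressions in this section and the one above (net 192.168, host ... and tcp dst port 53, portrange 6881-6999, net 192.168.10 mask 255.255.255.0, not src net 10.2.0.0/16) rely on libpcap's abbreviated network notation, where missing trailing octets are read as zeros. The following is an added example, not code from the original post: it expands those abbreviations with Python's ipaddress module and applies each filter to constructed packets so you can see which ones each keyword selects.

```python
"""Capture-filter (libpcap/BPF) address and port matching, modelled in Python.

Added example, not code from the original post: it shows which packets the
capture filters `net 192.168`, `host ... and tcp dst port 53`,
`portrange 6881-6999`, `net 192.168.10 mask 255.255.255.0` and
`not src net 10.2.0.0/16` select. Packets and addresses are constructed.
"""
import ipaddress
from typing import NamedTuple, Callable

class Pkt(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

Filter = Callable[[Pkt], bool]

def pad(base: str) -> str:
    """libpcap treats missing trailing octets as zeros: '192.168' -> '192.168.0.0'."""
    octets = base.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))

def net(spec: str) -> ipaddress.IPv4Network:
    """Expand the abbreviated forms used in capture filters into a network:
    '192.168' -> 192.168.0.0/16, '10.2.0.0/16' as-is, 'a.b.c mask m' with a netmask."""
    if " mask " in spec:
        base, mask = spec.split(" mask ")
        return ipaddress.IPv4Network((pad(base), mask), strict=False)
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    return ipaddress.IPv4Network((pad(spec), 8 * len(spec.split("."))), strict=False)

# Primitives mirroring the capture-filter keywords on the page.
def host(ip: str) -> Filter:
    return lambda p: ip in (p.src, p.dst)

def src_net(spec: str) -> Filter:
    n = net(spec)
    return lambda p: ipaddress.ip_address(p.src) in n

def dst_net(spec: str) -> Filter:
    n = net(spec)
    return lambda p: ipaddress.ip_address(p.dst) in n

def any_net(spec: str) -> Filter:           # plain `net X` means src or dst
    return or_(src_net(spec), dst_net(spec))

def tcp_dst_port(port: int) -> Filter:
    return lambda p: p.proto == "tcp" and p.dport == port

def portrange(lo: int, hi: int) -> Filter:  # either port inside the range
    return lambda p: lo <= p.sport <= hi or lo <= p.dport <= hi

def not_(f: Filter) -> Filter:
    return lambda p: not f(p)

def and_(a: Filter, b: Filter) -> Filter:
    return lambda p: a(p) and b(p)

def or_(a: Filter, b: Filter) -> Filter:
    return lambda p: a(p) or b(p)

# Constructed sample traffic (not from a real capture).
PKTS = [
    Pkt("10.2.3.4", "192.168.10.1", "tcp", 50000, 53),        # 0: DNS over TCP to the host
    Pkt("192.168.10.1", "10.2.3.4", "tcp", 53, 50000),        # 1: its reply
    Pkt("172.16.0.9", "192.168.77.5", "udp", 40000, 6881),    # 2: BitTorrent port
    Pkt("10.3.0.1", "8.8.8.8", "udp", 40001, 53),             # 3: ordinary UDP DNS
    Pkt("192.168.10.200", "192.168.10.1", "tcp", 41000, 53),  # 4: LAN-internal to the host
]

def select(f: Filter, pkts=PKTS) -> list:
    """Indices of the packets a capture filter would keep."""
    return [i for i, p in enumerate(pkts) if f(p)]

def to_192_168():     return select(dst_net("192.168"))                            # dst net 192.168
def host_and_dns():   return select(and_(host("192.168.10.1"), tcp_dst_port(53)))  # host ... and tcp dst port 53
def bittorrent():     return select(portrange(6881, 6999))                         # portrange 6881-6999
def lan_with_mask():  return select(any_net("192.168.10 mask 255.255.255.0"))      # net ... mask ...
def not_from_10_2():  return select(not_(src_net("10.2.0.0/16")))                  # not src net 10.2.0.0/16

if __name__ == "__main__":
    for label, fn in [("dst net 192.168", to_192_168),
                      ("host 192.168.10.1 and tcp dst port 53", host_and_dns),
                      ("portrange 6881-6999", bittorrent),
                      ("net 192.168.10 mask 255.255.255.0", lan_with_mask),
                      ("not src net 10.2.0.0/16", not_from_10_2)]:
        print(f"{label:40s} -> packets {fn()}")
```

Note that `not src net 10.2.0.0/16` still keeps packets sent to the 10.2 network (packet 1 here); only the source side is tested, so a filter meant to exclude the network in both directions needs `not net 10.2.0.0/16`.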
Enjoy! Follow us for more...