The video "Use Regex to Filter for a Group of Phrases" explains that the display filter string can use regular expressions such as http.request.uri matches "(attachment|tar|exe|zip)"
We narrow the search scope and set the filter...
frame matches "(attachment|tar|exe|zip)"
http.request.uri matches "(attachment|tar|exe|zip)"
Here is a selection of video tips. When you want to search for a group of phrases, use Regular Expressions (the "matches" operator). You can even define case insensitivity using "(?i)" at the beginning of your phrase.
0:01 Hi, this is Laura Chappell, and this is Wireshark
0:04 tip number two. Now if you want to follow along with the Wireshark tips series
0:08 you can follow me on Twitter at @LauraChappell. Wireshark tip number two is to
0:13 use groups
0:15 to find sets of words, for example
0:18 frame matches, and then in quotes, and then in parentheses,
0:21 attachment pipe tar pipe exe
0:25 pipe zip, and quote. Now in this example we're using regular expressions inside
0:31 Wireshark to look for these specific
0:35 ASCII text values. Let me take you out to a trace file and show you how we can use
0:40 this.
0:41 I think I'll just start with a basic
0:45 regular expression string looking for
0:48 the word attachment, and I'll add onto that. So in the display filter
0:53 area I'm going to type frame matches, and the minute you put in the word matches,
0:58 Wireshark knows that you're going to be providing a Perl-compatible
1:02 regular expression following that, in quotes.
1:06 I'm just gonna start by saying attachment. Now I could have just simply
1:11 done frame contains
1:13 at this point; that would have done the same exact thing,
1:17 but I'll be able to add onto this regular expression and have it look for
1:21 multiple phrases. Apply this to the trace file and I can see that I have
1:27 a total of 7 packets that match my filter.
1:31 If I expand the POP section in any of these and scroll down,
1:35 there, there's the word attachment.
1:38 Using regular expressions is really nice because I can put in
1:41 an open paren, question mark, i,
1:45 close paren, and that will look for that phrase in upper or lower case,
1:49 but the example this tip is showing is how to use groups to look for
1:54 a set of different words. So I put an open parenthesis after attachment
1:59 and then I'll do pipe, and let's say you want to look for txt,
2:04 or you want to look for zip, or you can look for tar.
2:08 The order in which you place these names does not matter at all.
2:12 Now go ahead and apply this
2:17 to the trace file, and I can see that now I have a total of 25 packets that match
2:22 this display filter.
2:23 I don't need to clear out this display filter;
2:28 I can simply open up another trace file. So I have one called
2:31 HTTP dash download on EXE,
2:34 and this has already been applied to the trace file,
2:38 and I can see that these terms were found
2:42 somewhere in all 94 of these packets.
2:45 In some cases, such as in the HTTP response code, if I were to
2:53 expand the HTTP section I can see
2:56 Content-Disposition: attachment, and maybe go down a little bit further,
3:02 Content-Disposition: attachment. I may really only be interested in the time
3:07 that a user makes a
3:08 GET request for attachment, exe,
3:13 zip or tar. In that case I might wanna be a little bit more specific than using
3:18 the term
3:18 frame at the beginning. I actually want to look for that value
3:23 inside of the GET request
3:27 URI field, and here's the field. Remember, when you highlight a field in
3:32 Wireshark,
3:33 down below on the status bar it will give you the syntax you can use
3:37 in a display filter. So the syntax for this would be
3:41 http.request.uri. So I'm going to replace
3:45 frame with http.request.uri.
3:49 There, now I would be able to see if someone is requesting
3:53 a URI that contains one of these values.
3:57 Now apply that, and there aren't any in this trace file.
4:00 Let me open up a trace file where we will see that. I'll open up the trace file
4:08 HTTP dash download dash bad. Now this is a trace file that I
4:12 got off the Wireshark book website;
4:15 it's one of the supplements that I use in the Wireshark
4:19 study guide book, which is the Wireshark Network Analysis book,
4:22 the big book. We can see in the Info column
4:26 that GET OpenOffice table inability, down at the end of the line
4:30 there's an exe in there, and we got rid of a lot of those false positives because
4:34 now we didn't care about other places in the file; we were really
4:38 here in the packet, we really cared about: did the user ask
4:41 for something having to do with one
4:45 of these phrases.
4:48 Again, if you'd like to follow along with the Wireshark tips that I release on
4:51 Twitter,
4:52 you can follow me at @LauraChappell, and for more Wireshark training and tips
4:58 it's chappellu dot com.
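The point of the description and the transcript above is the difference in scope between `frame matches` (the whole frame, including response headers such as `Content-Disposition: attachment`) and `http.request.uri matches` (only the request URI), plus the `(?i)` inline flag. The following is an added example, not code from the video, the blog or the Wireshark project: it reproduces both filters with Python's `re` over a handful of constructed packet samples (made up for this demonstration, not taken from the trace files mentioned in the video). It assumes Python's `re` behaves like Wireshark's PCRE engine for this simple alternation and inline flag, which holds for this pattern.

```python
import re

# Constructed sample "packets" for the demonstration (not real captures).
# "frame" is the raw bytes a `frame matches` filter would search;
# "uri" is the parsed http.request.uri field, or None when the frame is
# not an HTTP request (a response, or a non-HTTP protocol such as POP).
PACKETS = [
    {"no": 1, "frame": b"GET /downloads/tool.exe HTTP/1.1\r\nHost: example.test\r\n\r\n",
     "uri": "/downloads/tool.exe"},
    {"no": 2, "frame": b"HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename=report.pdf\r\n\r\n",
     "uri": None},  # response: the word is in a header, not in a request URI
    {"no": 3, "frame": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
     "uri": "/index.html"},
    {"no": 4, "frame": b"GET /files/Archive.ZIP HTTP/1.1\r\nHost: example.test\r\n\r\n",
     "uri": "/files/Archive.ZIP"},  # upper-case extension: only matches with (?i)
    {"no": 5, "frame": b"RETR 1\r\n", "uri": None},  # POP command, no HTTP at all
]

# The group of phrases from the video, as a PCRE-style alternation.
GROUP = r"(attachment|tar|exe|zip)"


def frame_matches(pattern, packets=PACKETS):
    """Equivalent of `frame matches "<pattern>"`: search the whole frame bytes.

    Returns the packet numbers that match, in capture order.
    """
    rx = re.compile(pattern.encode())
    return [p["no"] for p in packets if rx.search(p["frame"])]


def uri_matches(pattern, packets=PACKETS):
    """Equivalent of `http.request.uri matches "<pattern>"`: search only the
    request URI field. Frames without that field (responses, non-HTTP
    traffic) can never match, which is what removes the false positives.
    """
    rx = re.compile(pattern)
    return [p["no"] for p in packets if p["uri"] is not None and rx.search(p["uri"])]


if __name__ == "__main__":
    # Whole-frame search picks up the response header in packet 2 as well.
    print("frame matches        :", frame_matches(GROUP))           # [1, 2]
    # Field-scoped search keeps only the GET request for tool.exe.
    print("http.request.uri     :", uri_matches(GROUP))             # [1]
    # (?i) at the start of the phrase adds the upper-case Archive.ZIP request.
    print("http.request.uri (?i):", uri_matches("(?i)" + GROUP))    # [1, 4]
```

Running the block prints the three result lists; the middle one is the "did the user ask for something having to do with one of these phrases" question from the video, answered without the `Content-Disposition` noise that the whole-frame filter produces.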