1.
src 192.168.0.100 && port 80
capture source ip address is 192.168.0.100 and port is 80 packet.
2.
host 192.168.10.1
capture packet with host 192.168.10.1
3.
[ether host 00:30:ab:2f:7f:ea]
[!ether host 00:30:ab:2f:7f:ea]
4.
ip
IPV4 only.
5.
ip6
IPV6 only.
6.
tcp
TCP only.
7.
udp
UDP only.
8.
ipx
IPX only.
9.
[port 80]
TCP or UDP port 80 (HTTP)
[!port 80]
capture packet except port 80.
10.
tcp port http
HTTP TCP port(80)
11.
not http (error)
not port http (right)
not port 80 (right)
port not http (right)
port not 80 (right)
12.
not arp
NO ARP.
13.
not tcp
NO TCP.
14.
[not arp and port not 54]
NO ARP and no DNS.
15.
[not port 80 and not port 25 and host www.baidu.com]
NON-HTTP and NON-SMTP to/from www.baidu.com
16.
[ether proto 0x0806]
[arp]
Ethernet type 0x0806 (ARP)
17.
src host 172.17.92.110
18.
[dst host 172.17.92.110] is the same with [dst 172.17.92.110]
default use host.
19.
[icmp]
20.
[icmp[0]==3]
capture ICMP packet type is 3, it means destination can't reach.
21.
[icmp[0]==8||icmp[0]==0]
ping echo request and echo reply.
22.
[icmp[0:2]==0x0301]
offset is 0, has 2 bytes
23.
tcp[13]&32==32 URG
tcp[13]&16==16 ACK
tcp[13]&8==8 PSH
tcp[13]&4==4 RST
tcp[13]&2==2 SYN
tcp[13]&1==1 FIN
tcp[13]==18 SYN-ACK
24.
broadcast
25.
not broadcast and not multicast
1.
[!arp]
2.
[ip.addr==192.168.0.1]
3.
[frame.len <= 128]
display the packet len is less than 128 byte.
4.
[ip.addr==192.168.0.1 or ip.addr==192.168.0.2]
5.
[tcp.port==80]
6.
[!tcp.port==3389]
7.
[tcp.flags.syn==1]
8.
[tcp.flags.reset==1]
9.
[http]
10.
[tcp.port==23||tcp.port==21]
11.
[smtp||pop||imap]
