---
tags: wireshark,pcap
---
I recently needed to analyse a pcap and had not used Wireshark for a long time, so here are some notes to refresh my memory!
# The lazy way: online analysis
PCAP file analysis online
* A-Packets https://apackets.com/
No registration required, but once a file is uploaded the analysis reports will become publicly visible to anyone.

* DynamiteLab https://lab.dynamite.ai/
Login required, 75 MB file size limit; the information it presents is quite different from A-Packets?

# Wireshark Filters Tips
Display filters I use most often to narrow down traffic in Wireshark:
1. `ip.addr == 10.0.0.1`
2. `tcp or dns`
3. `tcp.port == 443`
4. `tcp.analysis.flags`
   TCP analysis flags are added to the TCP protocol tree under "SEQ/ACK analysis".
5. `!(arp or icmp or dns)` excludes specific protocols
6. Follow TCP stream
7. `tcp contains "facebook"`
8. `http.response.code == 200`
9. `http.request` or `http.request.code == 200`
10. `tcp.flags.syn == 1`
11. `tcp.flags.reset == 1` (indicates an IP that may be getting scanned)
12. `tcp.port in {80,443,8000..8005}` (syntax for matching several ports)
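To make explicit what filters 10 to 12 actually match, here is an added example (not from the original note) that rebuilds a handful of Ethernet/IPv4/TCP frames in pure Python and applies the same three conditions to them: a `tcp.port in {...}` set (matching either source or destination port), `tcp.flags.reset == 1` grouped by source and destination address, and pure SYNs grouped by source to show port fan-out. All frames, addresses and ports are constructed sample data; the MACs and checksums are placeholders, and the field names are the Wireshark ones so the output can be compared against the GUI.

```python
import struct
from collections import Counter

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed test data only:
    MACs are placeholders, checksums and sequence numbers are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # placeholder MACs, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Decode just the fields the filters below need, named like Wireshark's."""
    if frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (arp, stp, ...): never matches a tcp.* filter
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto != 6:
        return {"ip.src": src, "ip.dst": dst, "tcp": False}
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"ip.src": src, "ip.dst": dst, "tcp": True,
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": bool(flags & SYN),
            "tcp.flags.ack": bool(flags & ACK),
            "tcp.flags.reset": bool(flags & RST)}


def port_set(spec):
    """Expand a Wireshark set literal such as "80,443,8000..8005" into a Python set."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if ".." in part:
            lo, hi = part.split("..")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def tcp_port_in(pkt, ports):
    """tcp.port in {...}: tcp.port matches EITHER the source or the destination port."""
    return bool(pkt and pkt["tcp"] and
                (pkt["tcp.srcport"] in ports or pkt["tcp.dstport"] in ports))


def rst_pairs(pkts):
    """tcp.flags.reset == 1, grouped by (ip.src, ip.dst). Many RSTs from one host
    towards one peer on different ports is the pattern the note flags as a possible scan."""
    return Counter((p["ip.src"], p["ip.dst"])
                   for p in pkts if p and p["tcp"] and p["tcp.flags.reset"])


def syn_fanout(pkts):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0, grouped by ip.src: the number of
    distinct destination ports each host tried to open connections to."""
    targets = {}
    for p in pkts:
        if p and p["tcp"] and p["tcp.flags.syn"] and not p["tcp.flags.ack"]:
            targets.setdefault(p["ip.src"], set()).add(p["tcp.dstport"])
    return {src: len(ports) for src, ports in targets.items()}


def sample_traffic():
    """Constructed frames: one normal HTTPS handshake plus one host probing five ports,
    four of which the server answers with RST/ACK (closed) and one with SYN/ACK (open)."""
    client, server, prober = "10.0.0.5", "10.0.0.1", "10.0.0.9"
    frames = [build_frame(client, server, 51000, 443, SYN),
              build_frame(server, client, 443, 51000, SYN | ACK),
              build_frame(client, server, 51000, 443, ACK)]
    for i, port in enumerate((22, 23, 8001, 8080, 9000)):
        frames.append(build_frame(prober, server, 40000 + i, port, SYN))
        reply = SYN | ACK if port == 8001 else RST | ACK
        frames.append(build_frame(server, prober, port, 40000 + i, reply))
    return frames


def analyse(frames=None):
    """Run the three filters over the frames and return the per-filter results."""
    pkts = [parse_frame(f) for f in (frames or sample_traffic())]
    web = port_set("80,443,8000..8005")
    return {"web_frames": sum(1 for p in pkts if tcp_port_in(p, web)),
            "rst_pairs": rst_pairs(pkts),
            "syn_fanout": syn_fanout(pkts)}


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

Note that the port-set filter counts five frames rather than three: the probe to 8001 and its SYN/ACK reply fall inside `8000..8005`, while 8080 does not. The RST grouping also shows why the note says the reset flag points at the host being scanned: the RSTs are sent *by* 10.0.0.1 (the scanned server) *to* 10.0.0.9, so `ip.src` on those packets is the victim and `ip.dst` is the prober.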
## Threat Hunt
### Filter out normal traffic
`!(arp or stp or lldp or cdp or eth.addr==ff:ff:ff:ff:ff:ff or dns or tcp.port in {443,80})`
### Packet loss
`(tcp.analysis.flags) && !(tcp.analysis.window_update)`
### Slow DNS
`dns.time > 0.2`
### IPs from a specific country
`ip.geoip.country_iso == "UK"`
---
### Ref:
Top 10 Real World Wireshark Filters you need to know
https://www.youtube.com/watch?v=26MAaX2ldnI