Using a Sniffer 217
Table 9.1 lists the basic filters that you will most likely use (and may see on the exam). As you review the examples used in the table, notice the structure or syntax of each statement and how it relates to what the filter is doing. To see how each of these examples maps to the syntax, refer to Table 9.2.
TABLE 9.2 Wireshark filter breakdown

Protocol   Field   Operator   Value
ip         addr    ==         192.168.1.2
tcp        port    eq         161
ip         addr    !=         192.168.1.2
ip         src     ne         192.168.1.2
http       *       contains   http://www.site.com

Wireshark filters can look like literal strings of code, but keep the syntax in mind and stick with what makes sense.

Table 9.3 covers Wireshark's command-line interface (CLI) tools.

TABLE 9.3 Wireshark CLI tools

Command    Function
tshark     A command-line version of Wireshark (similar to TCPdump)
dumpcap    Small program with the sole intent of capturing traffic
capinfos   Reads a capture and returns statistics on that file
editcap    Edits or translates the format of capture files
mergecap   Combines multiple capture files into one
text2pcap  Creates a capture file from an ASCII hexdump of packets
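The "protocol.field operator value" structure that Table 9.2 breaks down can be made concrete by parsing each of the table's five filters and applying it to a handful of packet records. The following is an added example, not code from the book or from the Wireshark project: a minimal evaluator that accepts both the symbolic (`==`, `!=`) and English (`eq`, `ne`, `contains`) operator spellings, expands the two-sided fields `ip.addr` and `tcp.port` to their source/destination instances, and treats a bare protocol name with `contains` as a search over that protocol's payload (modelled here as a hypothetical `<proto>.data` field). The packet records are constructed inline, not captured traffic. One detail worth knowing when reading results: for a multi-valued field such as `ip.addr`, this evaluator treats `!=` as "no instance equals the value", which is how Wireshark 3.6 and later interpret it; older releases read `!=` as "some instance differs", so `ip.addr != X` matched nearly every packet.

```python
"""Tiny evaluator for Wireshark-style display filters (added illustration).

Models the "protocol.field operator value" shape shown in Table 9.2 and
applies such filters to constructed packet records. It is not Wireshark's
parser; field names, aliases and sample packets are assumptions made here.
"""
import re

# Operator spellings Wireshark accepts, normalised to one internal name.
OPERATORS = {
    "==": "eq", "eq": "eq",
    "!=": "ne", "ne": "ne",
    "contains": "contains",
}

# Two-sided shorthand fields: ip.addr is either address, tcp.port either port.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
}

FILTER_RE = re.compile(
    r"^\s*([a-z0-9_.]+)\s*(==|!=|eq|ne|contains)\s*(.+?)\s*$", re.I)


def parse_filter(expr):
    """Split a filter into (field, operator, value); raise on bad syntax."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unrecognised filter syntax: {expr!r}")
    field, op, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
    # A bare protocol name (Table 9.2's "http * contains ...") applies to the
    # whole protocol payload; modelled here as a hypothetical "<proto>.data".
    if "." not in field:
        field = field + ".data"
    return field, OPERATORS[op], value.strip('"')


def field_values(packet, field):
    """Return every value the field refers to in this packet (aliases expand)."""
    names = ALIASES.get(field, (field,))
    return [str(packet[n]) for n in names if n in packet]


def matches(packet, expr):
    """True if the packet satisfies the single-comparison filter expr."""
    field, op, value = parse_filter(expr)
    values = field_values(packet, field)
    if not values:
        return False  # field absent from this packet: it cannot match
    if op == "eq":
        return value in values
    if op == "ne":
        # "all instances differ" semantics (Wireshark 3.6+ behaviour for !=)
        return value not in values
    if op == "contains":
        return any(value in v for v in values)
    raise ValueError(op)


# Constructed sample packets (not real captured traffic).
PACKETS = [
    {"ip.src": "192.168.1.2", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51234, "tcp.dstport": 80,
     "http.data": "GET / HTTP/1.1\r\nHost: www.site.com\r\n"
                  "Referer: http://www.site.com/index.html\r\n"},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.2",
     "tcp.srcport": 80, "tcp.dstport": 51234},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.9",
     "tcp.srcport": 4000, "tcp.dstport": 161},
]


def apply_filter(expr, packets=PACKETS):
    """Return the indices of packets that satisfy the filter."""
    return [i for i, p in enumerate(packets) if matches(p, expr)]


if __name__ == "__main__":
    for f in ("ip.addr == 192.168.1.2", "tcp.port eq 161",
              "ip.addr != 192.168.1.2", "ip.src ne 192.168.1.2",
              "http contains http://www.site.com"):
        print(f"{f:40s} -> packets {apply_filter(f)}")
```

Running the script prints which of the three constructed packets each Table 9.2 filter selects; the contrast between `ip.addr != 192.168.1.2` (only the packet that touches neither side) and `ip.src ne 192.168.1.2` (every packet whose source differs) is the point the table's "stick with what makes sense" advice is getting at.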