

WIRESHARK PORT FILTER MANUAL

Wireshark uses the same syntax for capture filters as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library.

If you need a capture filter for a specific protocol, have a look for it at the ProtocolReference.

A complete reference can be found in the expression section of the tcpdump manual page. An overview of the capture filter syntax can be found in the User's Guide.

Examples

Capture only traffic to or from IP address 172.18.5.4:

    host 172.18.5.4

Capture traffic to or from a range of IP addresses: use the net keyword followed by the network (in CIDR form or with an explicit mask).

Capture traffic from a range of IP addresses: use src net followed by the network.

Capture traffic to a range of IP addresses: use dst net followed by the network.

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent; put your server's address or name after host):

    host <server> and not (port 80 or port 25)
    host <server> and not port 80 and not port 25

Capture traffic within a range of ports by testing the port fields directly: tcp[0:2] is the source port and tcp[2:2] the destination port, so tcp[0:2] > 1500 matches segments whose source port is above 1500, and such comparisons can be combined with and/or to bound the range on both sides.

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T' and ' ' (hex 47 45 54 20) just after the TCP header; "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length, so the test still works when TCP options are present. From Jefferson Ogata via the tcpdump-workers mailing list:

    port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

Useful filters

Blaster and Welchia are RPC worms.

Blaster worm:

    dst port 135 and tcp port 135 and ip[2:2]==48

Welchia worm:

    icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA

The filter looks for an ICMP echo request that is 92 bytes long and has an ICMP payload that begins with 4 bytes of A's (hex). It is the signature of the Welchia worm just before it tries to compromise a system.

Are there better filters for these, especially ones that describe or show the actual payload?
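To make the byte-offset filters above concrete, here is an added example (not code from the Wireshark wiki or project) that performs the same tests in plain Python over raw IPv4 packets: the HTTP GET check with the TCP header length computed from tcp[12:1], the 92-byte Welchia echo check, and the 48-byte Blaster SYN check. The sample packets are constructed in the file (addresses 10.0.0.1 and 10.0.0.2, no link-layer header, zero checksums) and are assumptions for the demonstration, not captured traffic.

```python
"""Added example, not code from the Wireshark wiki or project: the byte-offset
tests that the capture filters above perform, redone in plain Python over raw
IPv4 packets.  libpcap's proto[offset:size] reads bytes relative to the start
of the named header: ip[2:2] is the IPv4 total length, tcp[12:1] the byte
holding the TCP data offset, icmp[8:4] the first four ICMP payload bytes.
The sample packets at the bottom are constructed (addresses 10.0.0.1/2, no
link-layer header, zero checksums) so the module runs offline."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO = 8  # "icmp-echo" in libpcap


def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4  # IHL: low nibble of byte 0, in 32-bit words


def ip_total_len(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]


def ip_proto(pkt: bytes) -> int:
    return pkt[9]  # ip[9:1]


def tcp_header_len(pkt: bytes) -> int:
    # "(tcp[12:1] & 0xf0) >> 2" from the page: the data offset is the high
    # nibble of byte 12 in 32-bit words, so (>> 4) * 4 is the same as >> 2.
    tcp = pkt[ip_header_len(pkt):]
    return (tcp[12] & 0xF0) >> 2


def tcp_ports(pkt: bytes):
    return struct.unpack("!HH", pkt[ip_header_len(pkt):][:4])  # tcp[0:2], tcp[2:2]


def is_http_get(pkt: bytes) -> bool:
    # port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
    if ip_proto(pkt) != IPPROTO_TCP or 80 not in tcp_ports(pkt):
        return False
    tcp = pkt[ip_header_len(pkt):]
    off = tcp_header_len(pkt)           # skips TCP options of any length
    return tcp[off:off + 4] == b"GET "  # bytes 0x47 0x45 0x54 0x20


def is_welchia_probe(pkt: bytes) -> bool:
    # icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA
    if ip_proto(pkt) != IPPROTO_ICMP:
        return False
    icmp = pkt[ip_header_len(pkt):]
    return (icmp[0] == ICMP_ECHO and ip_total_len(pkt) == 92
            and icmp[8:12] == b"\xAA\xAA\xAA\xAA")


def is_blaster_probe(pkt: bytes) -> bool:
    # dst port 135 and tcp port 135 and ip[2:2]==48
    if ip_proto(pkt) != IPPROTO_TCP:
        return False
    return tcp_ports(pkt)[1] == 135 and ip_total_len(pkt) == 48


# --- constructed sample packets (not real captures) ---------------------------

def build_ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int, payload: bytes,
              options: bytes = b"") -> bytes:
    doff = 5 + len(options) // 4  # options are padded to 4-byte multiples
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags,
                      8192, 0, 0)
    return hdr + options + payload


def build_icmp_echo(payload: bytes) -> bytes:
    return struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 1, 1) + payload


# 12 bytes of options (NOP, NOP, timestamp) push the payload to offset 32; a
# test hard-wired to a 20-byte TCP header would miss this GET.
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8
HTTP_GET = build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\n", TS_OPTS))
HTTP_POST = build_ipv4(IPPROTO_TCP, build_tcp(40001, 80, 0x18, b"POST / HTTP/1.1\r\n", TS_OPTS))
GET_PORT_8080 = build_ipv4(IPPROTO_TCP, build_tcp(40002, 8080, 0x18, b"GET / HTTP/1.1\r\n"))
# 20-byte IP header + 8-byte ICMP header + 64 bytes of 0xAA = 92 bytes.
WELCHIA_ECHO = build_ipv4(IPPROTO_ICMP, build_icmp_echo(b"\xAA" * 64))
# 20-byte IP header + 28-byte TCP SYN (MSS, NOP, NOP, SACK-permitted) = 48 bytes.
BLASTER_SYN = build_ipv4(IPPROTO_TCP, build_tcp(1234, 135, 0x02, b"", b"\x02\x04\x05\xb4\x01\x01\x04\x02"))

if __name__ == "__main__":
    for name, pkt in [("HTTP_GET", HTTP_GET), ("HTTP_POST", HTTP_POST), ("GET_PORT_8080", GET_PORT_8080),
                      ("WELCHIA_ECHO", WELCHIA_ECHO), ("BLASTER_SYN", BLASTER_SYN)]:
        print(f"{name:14} get={is_http_get(pkt)} welchia={is_welchia_probe(pkt)} blaster={is_blaster_probe(pkt)}")
```

The point of the HTTP_GET sample is the options handling: the filter indexes the payload through the data-offset byte rather than assuming a 20-byte header, so a GET carrying timestamp options is still matched, and a POST on the same port or a GET on another port is not. When writing filters of this kind for a real capture, compile them first with tcpdump's -d option, which prints the generated packet-matching code without opening an interface, so syntax errors and offset mistakes show up before any traffic is captured.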
