
Basic Operations

Navigation shortcuts

  • Find: Ctrl+F
  • Find next: Ctrl+N
  • Go to packet: Ctrl+G
  • Mark packet: Ctrl+M
  • Zoom in: Ctrl++
  • Zoom out: Ctrl+-

IP address filters

Specific source IP

ip.src == 192.168.1.100

Specific destination IP

ip.dst == 192.168.1.1

IP range (whole subnet, either direction)

ip.addr == 192.168.1.0/24

Exclude a specific IP

!(ip.addr == 192.168.1.1)

Port filters

Specific port

tcp.port == 80

Port range

tcp.port >= 1000 and tcp.port <= 2000

Common ports

tcp.port == 22 # SSH

tcp.port == 25 # SMTP

tcp.port == 53 # DNS

tcp.port == 80 # HTTP

tcp.port == 443 # HTTPS

tcp.port == 3389 # RDP

Filters in detail

HTTP-specific filters

HTTP method

http.request.method == "GET"

http.request.method == "POST"

HTTP status code

http.response.code == 200

http.response.code == 404

http.response.code == 500

HTTP host

http.host == "www.example.com"

HTTP user agent

http.user_agent contains "Chrome"

HTTP content type

http.content_type contains "json"

HTTP request URI

http.request.uri contains "/api/"

HTTP response time (seconds since the matching request)

http.time > 1.0

Advanced filtering techniques

Logical operators

http and tcp.port == 80

http or tls

not dns

Grouping with parentheses

(tcp.port == 80 or tcp.port == 443) and ip.src == 192.168.1.100

String matching

tcp contains "password"

http contains "admin"

Regular expressions

http.host matches ".*\.com$"

Time filters

frame.time >= "2024-01-01 00:00:00"

Capture Filters

Based on Berkeley Packet Filter (BPF) syntax:

Capture a specific host

host 192.168.1.1

Capture a specific port

port 80

Combined conditions

host 192.168.1.1 and port 80

not port 22

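A small synthetic capture makes it easy to try the display and capture filters above without touching production traffic. The script below is an added example, not part of the original cheat sheet: using only the Python standard library it writes a five-packet pcap containing a TCP handshake from 192.168.1.100 to port 80 on 192.168.1.1, a reset from the server, and one DNS query with a 48-character label. MAC addresses, timestamps and sequence numbers are constructed for the example; the IPv4 and TCP/UDP checksums are computed properly so Wireshark shows no checksum warnings.

```python
import socket
import struct

# pcap global header: magic, version 2.4, no tz offset, snaplen 65535, link type 1 (Ethernet)
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SRC_MAC = bytes.fromhex("020000000001")  # constructed, locally administered addresses
DST_MAC = bytes.fromhex("020000000002")
SYN, RST, ACK = 0x02, 0x04, 0x10         # TCP flag bits


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def l4_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """Transport checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return checksum(pseudo + segment)


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF set, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """TCP header without payload; the checksum covers the pseudo-header as well."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", l4_checksum(src, dst, 6, hdr)) + hdr[18:]


def udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = l4_checksum(src, dst, 17, hdr + payload) or 0xFFFF  # UDP transmits 0xFFFF for a computed zero
    return hdr[:6] + struct.pack("!H", csum) + payload


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query for `name` (one question, no answers)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def frame(ip_packet: bytes) -> bytes:
    # Same MAC pair in both directions; good enough for a practice file. EtherType 0x0800 = IPv4.
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip_packet


def record(ts: float, data: bytes) -> bytes:
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(data), len(data)) + data


def build_capture() -> bytes:
    """Five frames covering a handshake, a reset and an oversized DNS name."""
    c, s = "192.168.1.100", "192.168.1.1"
    t0 = 1704067200.0  # 2024-01-01 00:00:00 UTC, constructed
    frames = [
        (t0, frame(ipv4(c, s, 6, tcp(c, s, 40000, 80, 1000, 0, SYN)))),                  # SYN
        (t0 + 0.001, frame(ipv4(s, c, 6, tcp(s, c, 80, 40000, 5000, 1001, SYN | ACK)))),  # SYN-ACK
        (t0 + 0.002, frame(ipv4(c, s, 6, tcp(c, s, 40000, 80, 1001, 5001, ACK)))),        # ACK
        (t0 + 0.500, frame(ipv4(s, c, 6, tcp(s, c, 80, 40000, 5001, 1001, RST | ACK)))),  # server reset
        (t0 + 1.000, frame(ipv4(c, s, 17, udp(c, s, 50000, 53, dns_query("a" * 48 + ".tunnel.example"))))),
    ]
    return PCAP_HEADER + b"".join(record(ts, f) for ts, f in frames)


def count_packets(pcap: bytes) -> int:
    """Walk the per-packet record headers; a sanity check that the file is well formed."""
    offset, n = len(PCAP_HEADER), 0
    while offset < len(pcap):
        (incl_len,) = struct.unpack("<I", pcap[offset + 8:offset + 12])
        offset += 16 + incl_len
        n += 1
    return n


if __name__ == "__main__":
    with open("practice.pcap", "wb") as fh:
        fh.write(build_capture())
```

Open practice.pcap in Wireshark and paste the filters from this page, or check them on the command line, for example `tshark -r practice.pcap -Y 'tcp.flags.reset == 1'` (frame 4) or `tshark -r practice.pcap -Y 'dns.qry.name.len > 50'` (frame 5). Because the file is written with the real header layout, capture filters such as `host 192.168.1.1 and port 80` can also be tested by replaying it.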
Protocol analysis

TCP analysis

  • Follow a TCP stream: right-click a packet → Follow → TCP Stream
  • TCP retransmissions: tcp.analysis.retransmission
  • TCP duplicate ACKs: tcp.analysis.duplicate_ack
  • TCP zero window (receiver buffer full): tcp.analysis.zero_window
  • TCP resets: tcp.flags.reset == 1

HTTP analysis

View complete HTTP conversations

http.request or http.response

HTTP errors

http.response.code >= 400

Large file transfers

http.content_length > 1000000

Slow responses

http.time > 2.0

DNS analysis

DNS queries

dns.flags.response == 0

DNS responses

dns.flags.response == 1

DNS errors (non-zero response code)

dns.flags.rcode != 0

Queries for a specific domain

dns.qry.name contains "example.com"

TLS/SSL analysis

TLS handshake

tls.handshake

TLS certificate

tls.handshake.certificate

TLS alerts

tls.alert_message

Specific TLS version

tls.record.version == 0x0303 # TLS 1.2

Network troubleshooting

Diagnosing connection problems

  1. TCP connection establishment: look for the SYN, SYN-ACK, ACK three-way handshake
  2. Connection resets: filter on tcp.flags.reset == 1
  3. Connection timeouts: look for retransmissions with tcp.analysis.retransmission

Performance analysis

Slow DNS queries

dns.time > 0.1

HTTP response time

http.time > 1.0

TCP window problems

tcp.analysis.zero_window

tcp.analysis.window_update

Packet loss analysis

TCP retransmissions

tcp.analysis.retransmission

Out-of-order packets

tcp.analysis.out_of_order

Duplicate ACKs

tcp.analysis.duplicate_ack

Commonly used statistics

  • Statistics → Protocol Hierarchy: protocol distribution
  • Statistics → Conversations: conversation statistics
  • Statistics → Endpoints: endpoint statistics
  • Statistics → I/O Graph: traffic graphs
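The three checks above are easy to apply one filter at a time in the GUI, but on a large capture it is quicker to export the handshake-relevant fields with tshark and let a script decide per connection. The script below is an added example, not part of the original cheat sheet: it replays each client-to-server handshake from a `tshark -T fields` export and labels the flow as established (step 1), reset (step 2) or timed out (step 3, a SYN that Wireshark marked as retransmitted and that never got a SYN-ACK). The sample rows are constructed, not real capture data, and the column order is the one given in the comment.

```python
import csv
from io import StringIO

# Constructed sample in the shape of
#   tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative -e ip.src -e tcp.srcport
#          -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset
#          -e tcp.analysis.retransmission
# (not real capture data). The last column is empty unless Wireshark flagged a retransmission.
SAMPLE = """\
0.000,192.168.1.100,40000,192.168.1.1,80,1,0,0,
0.001,192.168.1.1,80,192.168.1.100,40000,1,1,0,
0.002,192.168.1.100,40000,192.168.1.1,80,0,1,0,
0.100,192.168.1.100,40001,192.168.1.1,443,1,0,0,
0.101,192.168.1.1,443,192.168.1.100,40001,0,1,1,
0.200,192.168.1.100,40002,10.0.0.9,8080,1,0,0,
1.200,192.168.1.100,40002,10.0.0.9,8080,1,0,0,This frame is a (suspected) retransmission
3.200,192.168.1.100,40002,10.0.0.9,8080,1,0,0,This frame is a (suspected) retransmission
"""


def flag(value: str) -> bool:
    """tshark prints boolean fields as 1/0 in older releases and True/False in newer ones."""
    return value.strip().lower() in ("1", "true")


def classify_connections(fields_csv: str) -> dict:
    """Replay each client->server handshake and label its outcome.

    Returns {"client:port -> server:port": "established" | "reset" | "timeout" | "incomplete"}.
    """
    flows = {}
    for row in csv.reader(StringIO(fields_csv)):
        if len(row) < 9:
            continue
        _, src, sport, dst, dport, syn, ack, rst, retrans = row[:9]
        syn, ack, rst = flag(syn), flag(ack), flag(rst)
        if syn and not ack:
            # A bare SYN identifies the initiator; a repeated one on the same tuple is step 3.
            key = f"{src}:{sport} -> {dst}:{dport}"
            st = flows.setdefault(key, {"synack": False, "ack": False, "reset": False, "retrans": 0})
            if retrans.strip():
                st["retrans"] += 1
            continue
        fwd, rev = f"{src}:{sport} -> {dst}:{dport}", f"{dst}:{dport} -> {src}:{sport}"
        st = flows.get(fwd) or flows.get(rev)
        if st is None:
            continue  # mid-stream flow whose SYN was not captured; nothing to decide
        if rst:
            st["reset"] = True       # step 2: tcp.flags.reset == 1
        elif syn and ack:
            st["synack"] = True      # step 1: second leg of the handshake
        elif ack and st["synack"]:
            st["ack"] = True         # step 1: handshake completed

    outcome = {}
    for key, st in flows.items():
        if st["reset"]:
            outcome[key] = "reset"
        elif st["synack"] and st["ack"]:
            outcome[key] = "established"
        elif st["retrans"] and not st["synack"]:
            outcome[key] = "timeout"  # step 3: SYN retransmitted, never answered
        else:
            outcome[key] = "incomplete"
    return outcome


if __name__ == "__main__":
    for flow, verdict in classify_connections(SAMPLE).items():
        print(f"{verdict:12} {flow}")
```

Flows whose SYN fell outside the capture window are skipped rather than guessed at; if many connections come back as "incomplete", start the capture earlier or check whether the capture filter dropped the handshake packets.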

Security analysis

Malicious traffic detection

Connections to suspicious ports

tcp.port == 1337 or tcp.port == 31337

Large numbers of connection attempts (bare SYNs)

tcp.flags.syn == 1 and tcp.flags.ack == 0

DNS tunneling detection (unusually long query names)

dns.qry.name.len > 50

Unusual user agents

http.user_agent contains "bot" or http.user_agent contains "crawler"

Common attack patterns

SQL injection attempts

http.request.uri contains "union" or http.request.uri contains "select"

XSS attempts
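The bare-SYN and long-name filters above show individual packets; turning them into an alert needs aggregation, since one SYN is normal and one long name is usually a CDN hostname. The script below is an added example, not part of the original cheat sheet: over a constructed `tshark -T fields` export it groups bare SYNs by source and destination to surface one host probing many ports, and scores DNS query names by the page's length cut-off plus the Shannon entropy of the first label, which goes beyond the page's single-filter check to catch shorter encoded labels. Sample rows, thresholds and the column order in the comment are assumptions for the example.

```python
import csv
import math
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample in the shape of
#   tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport
#          -e tcp.flags.syn -e tcp.flags.ack -e dns.qry.name
# (not real capture data). TCP columns are empty on DNS rows and vice versa.
SAMPLE = """\
192.168.1.100,192.168.1.1,80,1,0,
192.168.1.100,192.168.1.1,80,0,1,
10.0.0.7,192.168.1.1,21,1,0,
10.0.0.7,192.168.1.1,22,1,0,
10.0.0.7,192.168.1.1,23,1,0,
10.0.0.7,192.168.1.1,25,1,0,
10.0.0.7,192.168.1.1,80,1,0,
10.0.0.7,192.168.1.1,443,1,0,
192.168.1.100,192.168.1.53,,,,www.example.com
192.168.1.100,192.168.1.53,,,,3q7ZkP9mX2vL8nR4tY6wB1cD5fG0hJ2kM4nP7qS9uV.tunnel.example
"""


def flag(value: str) -> bool:
    """tshark prints boolean fields as 1/0 in older releases and True/False in newer ones."""
    return value.strip().lower() in ("1", "true")


def syn_scan_sources(fields_csv: str, min_ports: int = 5) -> dict:
    """Sources that sent bare SYNs (tcp.flags.syn == 1 and tcp.flags.ack == 0) to many ports of one host."""
    ports = defaultdict(set)
    for row in csv.reader(StringIO(fields_csv)):
        src, dst, dport, syn, ack = row[:5]
        if dport and flag(syn) and not flag(ack):
            ports[(src, dst)].add(int(dport))
    return {f"{s} -> {d}": sorted(p) for (s, d), p in ports.items() if len(p) >= min_ports}


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random-looking (encoded) labels score high."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def suspicious_dns_names(fields_csv: str, max_len: int = 50, min_entropy: float = 3.5) -> list:
    """Names over the dns.qry.name.len > 50 cut-off, or whose first label looks encoded."""
    hits = []
    for row in csv.reader(StringIO(fields_csv)):
        name = row[5].strip() if len(row) > 5 else ""
        if not name:
            continue
        entropy = label_entropy(name.split(".")[0])
        if len(name) > max_len or entropy >= min_entropy:
            hits.append({"name": name, "length": len(name), "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    print("possible port scans:", syn_scan_sources(SAMPLE))
    print("suspicious DNS names:", suspicious_dns_names(SAMPLE))
```

Both thresholds (five distinct ports, 3.5 bits of entropy) are starting points to tune against a baseline of the network's normal traffic; long legitimate names from CDNs and certificate-transparency style services are the usual false positives, so review hits against the queried parent domain before acting on them.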

http.request.uri contains "