Traffic Analysis Prerequisites

Author: Yichen / 2023-07-20 / No comments yet / 28 visits

Filter by IP, e.g. source IP or destination IP x.x.x.x:
ip.src == x.x.x.x or ip.dst eq x.x.x.x (equivalently: ip.addr == x.x.x.x)
Filter by port:
tcp.port eq 80 or udp.port eq 80
Filter by MAC address:
eth.dst == A0:00:00:04:C5:84
HTTP pattern filters (essentially substring / fuzzy matching on the HTTP layer):

http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
http.request.method == "GET" && http contains "User-Agent:"

Fingerprints of some common automated tools
AWVS (Acunetix Web Vulnerability Scanner)

acunetix_wvs_security_test
acunetix
acunetix_wvs
acunetix_test
Acunetix-Aspect-Password:
Cookie: acunetix_wvs_security_test
X-Forwarded-Host: acunetix_wvs_security_test
X-Forwarded-For: acunetix_wvs_security_test
Host: acunetix_wvs_security_test

It seems we only need http contains "wvs" or http contains "acunetix" to pull these packets out.
Netsparker

X-Scanner: Netsparker
Location: Netsparker
Accept: netsparker/check
Cookie: netsparker
Cookie: NETSPARKER

Appscan

Content-Type: Appscan
Content-Type: AppScanHeader
Accept: Appscan
User-Agent: Appscan

Nessus

x_forwarded_for: nessus
referer: nessus
host: nessus

Sqlmap

User-Agent: sqlmap1.2.8#stable
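The following Python script is an added example, not code from the original post. It ties the two halves of the post together: it parses raw HTTP requests, reproduces the semantics of the HTTP filters shown above (http contains "..." is a case-sensitive byte-substring match over the HTTP layer; http.request.method == "GET" compares the request method exactly), and then applies detection rules built from the scanner header/value strings listed for AWVS, Netsparker, AppScan, Nessus and sqlmap. The sample requests are constructed for illustration; the fingerprint rules deliberately lower-case the input, which is looser than Wireshark's contains, so expect a few more hits than the exact filters would give.

```python
# Added example (not from the original post): parse HTTP requests, emulate the
# Wireshark filters above, and flag requests that carry known scanner fingerprints.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased
    raw: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers, raw)


def http_contains(req: HttpRequest, needle: str) -> bool:
    """Equivalent of Wireshark's  http contains "needle"  : a case-sensitive
    byte-substring match over the whole HTTP layer."""
    return needle.encode("latin-1") in req.raw


def select(requests: List[HttpRequest], method: Optional[str] = None,
           contains: Optional[str] = None) -> List[HttpRequest]:
    """Mimic  http.request.method == M && http contains S  (either part optional)."""
    out = []
    for r in requests:
        if method is not None and r.method != method:
            continue
        if contains is not None and not http_contains(r, contains):
            continue
        out.append(r)
    return out


def _any_header_has(req: HttpRequest, names: Tuple[str, ...], token: str) -> bool:
    return any(token in req.headers.get(n, "").lower() for n in names)


def fingerprint(req: HttpRequest) -> Optional[str]:
    """Return the tool name if the request carries one of the fingerprints
    listed in the post, else None. Matching is case-insensitive."""
    raw_lower = req.raw.lower()
    if b"acunetix" in raw_lower or b"wvs" in raw_lower:
        return "Acunetix WVS"
    if "x-scanner" in req.headers or b"netsparker" in raw_lower:
        return "Netsparker"
    if b"appscan" in raw_lower:
        return "AppScan"
    if _any_header_has(req, ("x-forwarded-for", "x_forwarded_for", "referer", "host"), "nessus"):
        return "Nessus"
    if req.headers.get("user-agent", "").lower().startswith("sqlmap"):
        return "sqlmap"
    return None


def report(raws: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, tool) for every request that matches a scanner fingerprint."""
    hits = []
    for i, raw in enumerate(raws):
        tool = fingerprint(parse_request(raw))
        if tool:
            hits.append((i, tool))
    return hits


# Constructed sample traffic: one benign request followed by one request per
# scanner, using the header/value strings from the post (the sqlmap User-Agent
# value is copied verbatim from the post).
SAMPLE_REQUESTS: List[bytes] = [
    b"GET /img/logo-edu.gif HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /?q=1 HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: acunetix_wvs_security_test\r\n"
    b"Cookie: acunetix_wvs_security_test\r\n\r\n",
    b"GET /login HTTP/1.1\r\nHost: www.example.com\r\nX-Scanner: Netsparker\r\nAccept: netsparker/check\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: AppScanHeader\r\nAccept: Appscan\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: nessus\r\nReferer: nessus\r\n\r\n",
    b"GET /item?id=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: sqlmap1.2.8#stable\r\n\r\n",
]

if __name__ == "__main__":
    for idx, tool in report(SAMPLE_REQUESTS):
        print(f"request {idx}: {tool}")
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    print("GET with User-Agent:", [r.uri for r in select(parsed, "GET", "User-Agent:")])
```

In practice the same rules are easier to apply directly in Wireshark or tshark with the filters from the post (for example http contains "acunetix" or http contains "netsparker"); the script is useful when the traffic has already been exported, or when you want case-insensitive matching, which in Wireshark would mean switching from contains to matches.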
