The basics of Wireshark data capture

Source: Internet
Author: User




In the information age, computer security is a constant worry, and network security even more so. Wireshark, an internationally known network protocol analysis tool, is used in many fields, above all in network security: with it, a network security engineer can quickly spot potential security problems in captured traffic. This chapter explains the basic use of Wireshark in detail.


Wireshark Introduction


Wireshark (formerly known as Ethereal) is a network packet analysis tool. A packet analyzer captures network packets and displays their contents in as much detail as possible. On Windows, Wireshark uses WinPcap as the interface through which it exchanges frames directly with the network card (on Linux and OS X the equivalent library is libpcap). Its role and its applications are described below.


The role of Wireshark


Wireshark is one of the best-known open-source security tools. It runs on Windows, Mac OS X, Linux and Unix, and can even run as a portable app. Its role is described here: Wireshark can be used to carry out the following tasks.



1. General Analysis Tasks

    • Find the host that sends the most packets (the "top talker") on a network.
    • View network traffic.
    • See which programs a host is using.
    • Baseline normal network communication.
    • Verify that the network is operating as expected.
    • Learn who is trying to connect to the wireless network.
    • Capture on multiple networks simultaneously.
    • Perform unattended captures.
    • Capture and analyze traffic to/from a specific host or subnet.
    • View and reassemble file transfers carried over FTP or HTTP.
    • Import trace files from other capture tools.
    • Capture traffic using minimal resources.





2. Troubleshooting Tasks

    • Create a custom analysis environment for troubleshooting.
    • Determine path, client and server latency.
    • Identify TCP problems.
    • Check for HTTP proxy problems.
    • Check for application error responses.
    • Identify related network problems by looking at graphs of the traffic.
    • Identify overloaded buffers.
    • Compare slow communication against a baseline of normal communication.
    • Find duplicate IP addresses.
    • Identify DHCP server or relay agent problems.
    • Identify WLAN signal strength problems.
    • Detect WLAN retries (retransmissions).
    • Check for various network misconfigurations.
    • Identify applications that are overloading a network segment.

3. Security Analysis (Network Forensics) Tasks

    • Create a custom analysis environment for network forensics.
    • Detect applications that use non-standard ports.
    • Identify traffic to/from a suspect host.
    • See which hosts are trying to obtain an IP address.
    • Identify "phone home" traffic.
    • Identify network reconnaissance (scanning) activity.
    • Geolocate and map remote destination addresses.
    • Check for suspicious traffic redirection.
    • Examine a single TCP or UDP conversation between a client and a server.
    • Check for malformed frames.
    • Identify the key elements of an attack signature in network traffic.





4. Application Analysis Tasks

    • Understand how applications and protocols work.
    • Graph an application's bandwidth usage.
    • Determine whether a link will support an application.
    • Check application performance after an update or upgrade.
    • Check for error responses from a newly installed application.
    • Determine which users are running a particular application.
    • Examine how an application uses transport protocols such as TCP or UDP.
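Several of the tasks in the lists above are done in Wireshark with a few clicks: top talkers under Statistics > Endpoints, traffic to/from a host with the display filter ip.addr == host, applications on non-standard ports by noticing that the port-based dissector did not recognise the payload, and a single conversation with Follow TCP Stream. As an added example that is not part of the original page or of Wireshark itself, the Python script below performs those four checks offline on a classic libpcap file. The pcap writer/reader, the tiny IPv4/TCP/UDP decoder, the addresses and the "beacon" host speaking HTTP on tcp/4444 are all constructed for this example.

```python
"""Added example (not from the original page or the Wireshark project):
a minimal offline reader for classic libpcap files that performs four of the
analysis tasks listed above on a capture constructed in memory."""
import struct
from collections import Counter

ETH_HDR = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"


def ipv4_frame(src, dst, proto, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/{TCP,UDP} frame for the constructed capture.
    Checksums are left at zero; this example's decoder never validates them."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP: 8-byte header carrying its own length
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(transport) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ETH_HDR + ip + transport + payload


def build_pcap(frames):
    """Wrap raw frames in a classic pcap file: magic 0xa1b2c3d4, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap (pcapng is not handled here)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP into a dict; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (ARP, IPv6, ...)
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    t = 14 + ihl                                         # start of transport header
    if proto not in (6, 17) or len(frame) < t + (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack_from("!HH", frame, t)
    hlen = (frame[t + 12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, fixed UDP size
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport,
            "payload": frame[t + hlen:]}


def load(pcap_bytes):
    """All decodable IPv4 TCP/UDP packets, in capture order."""
    return [p for p in map(parse_frame, read_pcap(pcap_bytes)) if p]


def top_talkers(pkts, n=3):
    """General task: hosts sending the most packets (Wireshark: Statistics > Endpoints)."""
    return Counter(p["src"] for p in pkts).most_common(n)


def to_or_from(pkts, host):
    """General task: traffic to/from one host (display filter ip.addr == host)."""
    return [p for p in pkts if host in (p["src"], p["dst"])]


def http_on_non_standard_port(pkts, standard=(80, 8080)):
    """Security task: HTTP requests sent to a port other than the usual ones. Wireshark
    picks its dissector by port, so a request on tcp/4444 is what 'non-standard' means."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
    return [p for p in pkts if p["proto"] == "tcp" and p["dport"] not in standard
            and p["payload"].startswith(methods)]


def conversation(pkts, client, server, server_port):
    """Security task: one client/server conversation (Wireshark: Follow TCP Stream)."""
    return [p for p in pkts
            if (p["src"], p["dst"], p["dport"]) == (client, server, server_port)
            or (p["src"], p["dst"], p["sport"]) == (server, client, server_port)]


# Constructed capture: a normal HTTP exchange and a DNS query from 10.0.0.5, plus a
# made-up "beacon" from 10.0.0.7 speaking HTTP to tcp/4444 on an external host.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.0.0.5", "93.184.216.34", 6, 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ipv4_frame("93.184.216.34", "10.0.0.5", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ipv4_frame("10.0.0.5", "10.0.0.1", 17, 53001, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    ipv4_frame("10.0.0.7", "203.0.113.9", 6, 40000, 4444, b"GET /beacon HTTP/1.1\r\n\r\n"),
    ipv4_frame("203.0.113.9", "10.0.0.7", 6, 4444, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ipv4_frame("10.0.0.7", "203.0.113.9", 6, 40000, 4444, b"GET /beacon HTTP/1.1\r\n\r\n"),
    ipv4_frame("10.0.0.7", "203.0.113.9", 6, 40000, 4444, b"GET /beacon HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    pkts = load(SAMPLE_PCAP)
    print("top talkers:", top_talkers(pkts))
    print("to/from 10.0.0.5:", len(to_or_from(pkts, "10.0.0.5")), "packets")
    for p in http_on_non_standard_port(pkts):
        print("HTTP on non-standard port:", p["src"], "->", p["dst"], "tcp/%d" % p["dport"])
    print("10.0.0.7 <-> 203.0.113.9:4444:", len(conversation(pkts, "10.0.0.7", "203.0.113.9", 4444)), "packets")
```

The decoder deliberately handles only IPv4 over Ethernet with TCP or UDP and returns None for anything else; a real capture also contains ARP, IPv6, ICMP and VLAN-tagged frames, which is exactly why Wireshark's dissectors exist. Two caveats carry over to Wireshark itself: port-based detection misses a protocol deliberately moved to another port unless the payload is inspected, and a capture opened from an untrusted source is attacker-controlled input, so keep the analysis machine patched.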




Who uses Wireshark


Having seen what Wireshark can do, here is who uses it and for what.





    • Network administrators use Wireshark to diagnose network problems.
    • Network security engineers use Wireshark to examine security-related issues.
    • Developers use Wireshark to test their protocol implementations.
    • Ordinary users use Wireshark to learn how network protocols work.




Get Wireshark


Wireshark is not installed by default on most operating systems, so the first step is obtaining and installing it. The official website is http://www.wireshark.org, and Wireshark should be downloaded from there (or from the mirrors it links to) rather than from third-party download sites: a capture tool runs with elevated privileges, so a tampered installer would be a serious compromise. The project publishes signed checksums for each release that can be compared against the downloaded file before it is installed.


Related versions of Wireshark


Open the Wireshark official website listed above, as shown in Figure 1.1:





Figure 1.1 Wireshark official website

Figure 1.2 Wireshark download page



Click the Download button on that page to reach the download page, shown in Figure 1.2.



The available versions of Wireshark are listed on this page: a stable release (1.12.6 at the time of writing) and a development release (1.99.7 at the time of writing). Clicking Stable Release or Development Release expands the corresponding list of downloads. The stable downloads are English-only; the development release includes a Chinese-language version. Since this book is mainly about the Chinese version of Wireshark, the development release is used as the example. Expand Wireshark Development to see its packages, as shown in Figure 1.3.





Figure 1.3 Wireshark development release downloads

Figure 1.4 Windows 7 System window



This page shows that the Wireshark development release is provided as Windows installers (32-bit and 64-bit), an OS X package and a source package. Download the package that matches your operating system.


How to identify the operating system


The previous section showed which package to download: the OS X package is for Apple systems and the source package is for Linux. Those two systems are easy to recognise and are not covered here. What follows is a quick explanation of how to tell whether your Windows system is 32-bit or 64-bit.



1. Windows 7 operating system



Right-click the Computer icon on the desktop, select Properties, and the System window opens, as shown in Figure 1.4:



The System type entry in this figure shows a 64-bit operating system, so the Windows Installer (64-bit) package from Figure 1.3 is the one to install.



Tip: If there is no Computer icon on the desktop, right-click an empty area of the desktop, select Personalize, and click Change desktop icons in the left column of the window that opens; the Desktop Icon Settings dialog appears, as shown in Figure 1.5.





Figure 1.5 Desktop Icon settings



Tick the check box in front of Computer to add the Computer icon to the desktop.



2. Windows XP operating system



Right-click My Computer on the desktop and select Properties, as shown in Figure 1.6. If "x64 Edition" appears under System, the computer is running a 64-bit version of Windows XP; if it does not, the 32-bit version is installed. In this figure "x64 Edition" is not shown, so the system is 32-bit, and the Windows Installer (32-bit) package from Figure 1.3 is the one to install.



Tip: If My Computer is not on the desktop, right-click an empty area of the desktop, select Properties, switch to the Desktop tab, and click the Customize Desktop... button to open the Desktop Items dialog, shown in Figure 1.7:





Figure 1.6 Windows XP System Properties

Figure 1.7 Desktop Items dialog



Tick the check box in front of My Computer to add the My Computer icon to the desktop.




