Wireshark packet capture analysis

Source: Internet
Author: User
Wireshark Introduction

Wireshark's official download site:

Wireshark is a very popular and very powerful network packet analysis tool. It can capture all kinds of network packets and display the details of each packet.

Wireshark is open source software that you can use with confidence. It runs on Windows and Mac OS.

Anyone who uses Wireshark must understand the network protocols involved; otherwise the captured data will make no sense, and Wireshark cannot help with that.

For security reasons, Wireshark can only view packets; it cannot modify their contents or send packets.

Wireshark vs. Fiddler

Fiddler is a program that runs on Windows and is designed specifically to capture HTTP and HTTPS.

Wireshark can capture HTTP and also HTTPS, but it cannot decrypt HTTPS, so Wireshark cannot read the content carried over HTTPS.

To sum up: if you are dealing with HTTP or HTTPS, use Fiddler; for other protocols such as TCP and UDP, use Wireshark.

Other tools of the same kind

Microsoft's Network Monitor


Who uses Wireshark?

1. Network administrators use Wireshark to troubleshoot network problems.

2. Software test engineers use Wireshark to capture packets and analyze the software they are testing.

3. Engineers doing socket programming use Wireshark for debugging.

4. It is said that most engineers at Huawei and ZTE use Wireshark.

In short, anything network-related may involve Wireshark.

Starting a capture with Wireshark

Start interface

Wireshark captures the packets of one particular network card (NIC) on the machine, so when the machine has more than one network card you need to select which one to capture on.

Click Capture -> Interfaces... The following dialog box appears; select the correct network card, then click the "Start" button to begin capturing.

Wireshark Window Introduction

Wireshark's main window is divided into these areas:

1. Display filter, used to filter the packets shown

2. Packet list pane, showing the captured packets with their source and destination addresses and port numbers. Different colors represent different protocols.

3. Packet details pane, showing the fields in the selected packet

4. Dissector pane (the packet bytes in hexadecimal)

5. Miscellaneous (address bar and other items)

Wireshark Display Filter

Using filters is very important. When beginners use Wireshark they get a lot of redundant information: thousands or even tens of thousands of records, in which it is very hard to find the part they need. It makes your head spin.

Filters help us quickly find the information we need in a large amount of data.

There are two kinds of filters.

One is the display filter, the one on the main interface, which is used to find records among those already captured.

The other is the capture filter, which filters packets as they are captured so that too many records are not recorded. It is set under Capture -> Capture Filters.

Save Filter

On the filter bar, enter the filter expression, click the Save button and give it a name, such as "Filter 102".

A "Filter 102" button then appears on the filter bar.

Filter expression rules

1. Protocol filtering

For example, tcp shows only TCP packets.

2. IP filtering

For example, ip.src == (address) displays only packets with that source address,

ip.dst == (address) displays only packets with that destination address.

3. Port filtering

tcp.port == 80 shows only packets whose TCP port is 80.

tcp.srcport == 80 shows only TCP packets whose source port is 80.

4. HTTP method filtering

http.request.method == "GET" shows only HTTP GET requests.

5. Logical operators: and / or

Commonly used filter expressions

Filter expression: Use
http: view only HTTP records
ip.src == (address) or ip.dst == (address): source address or destination address is the given address

Packet list pane

The packet list pane displays the number, timestamp, source address, destination address, protocol, length and info of each packet. You can see that different protocols are shown in different colors.

You can also modify the coloring rules under View -> Coloring Rules.

Packet details pane

This is the most important pane for us; it is used to look at each field of each protocol.

Each line of information is:

Frame: overview of the physical-layer data frame

Ethernet II: data link layer Ethernet frame header information

Internet Protocol Version 4: internet layer IP packet header information

Transmission Control Protocol: transport layer segment header information; here it is TCP

Hypertext Transfer Protocol: application layer information; here it is HTTP

Wireshark layers and the corresponding OSI seven-layer model

What is in a TCP packet

From the figure below you can see each field of the TCP packet that Wireshark captured.

Example: analysis of the TCP three-way handshake

Having read this far, you have a basic understanding of Wireshark; now let us look at an actual TCP three-way handshake.

The three-way handshake process is:

I have seen this picture many times; this time we use Wireshark to analyze the three-way handshake process for real.

Open Wireshark, then open a browser and enter http://

Enter the filter http in Wireshark, select the record GET /tankxiao HTTP/1.1, right-click it and choose "Follow TCP Stream".

The purpose of this is to obtain only the packets related to the website the browser opened; you get the figure below.

In the figure you can see that Wireshark captured the three packets of the three-way handshake. The fourth packet is HTTP, which shows that HTTP does use TCP to establish a connection.

First handshake packet

The client sends a TCP packet with the SYN flag set and sequence number 0, representing the client's request to establish a connection. See the figure below.

Second handshake packet

The server sends back a confirmation packet with the SYN and ACK flags set. Its acknowledgement number is set to the client's ISN plus 1, that is, 0+1=1, as shown below.

Third handshake packet

The client sends another confirmation packet (ACK) with the SYN flag at 0 and the ACK flag at 1. It takes the sequence number from the server's SYN/ACK, adds 1, places it in the acknowledgement field sent to the other side, and puts ISN+1 in its own sequence number field, as shown in the figure below:

In this way, the connection is established through the TCP three-way handshake.
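Added example (not code from the original post): it constructs the three Ethernet II / IPv4 / TCP frames of a handshake to port 80, dissects the same layers the packet details pane shows, applies predicates equivalent to the display filters from the filter section (tcp.srcport == 80, ip.src == address), and checks the sequence/acknowledgement relationships described above. The addresses, ports and initial sequence numbers are constructed sample values.

```python
import struct

SYN, ACK = 0x02, 0x10
CLIENT, SERVER = "192.0.2.10", "203.0.113.5"   # constructed sample addresses

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a minimal Ethernet II + IPv4 + TCP frame (no options, no payload)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"        # dst MAC, src MAC, type IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

# Constructed capture: the three handshake packets, client ISN 1000, server ISN 5000.
CAPTURE = [
    build_frame(CLIENT, SERVER, 49152, 80, 1000, 0, SYN),           # 1st: SYN
    build_frame(SERVER, CLIENT, 80, 49152, 5000, 1001, SYN | ACK),  # 2nd: SYN, ACK
    build_frame(CLIENT, SERVER, 49152, 80, 1001, 5001, ACK),        # 3rd: ACK
]

def dissect(frame):
    """Peel the layers the packet details pane shows: Ethernet II -> IPv4 -> TCP.
    Dictionary keys mirror Wireshark display-filter field names."""
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_start = 14 + ihl
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", frame[tcp_start:tcp_start + 14])
    return {"ip.src": src, "ip.dst": dst, "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.seq": seq, "tcp.ack": ack,
            "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK)}

def display_filter(frames, predicate):
    """Display-filter analogue: keep only the packets the predicate accepts."""
    return [p for p in map(dissect, frames) if predicate(p)]

def check_handshake(pkts):
    """Verify the three-way handshake as described: SYN, then SYN/ACK acknowledging
    client ISN+1, then ACK acknowledging server ISN+1 with seq = client ISN+1.
    Differences are taken against each side's ISN, which is what Wireshark's
    relative sequence numbers (seq 0 / ack 1) show."""
    syn, synack, ack = pkts
    client_isn, server_isn = syn["tcp.seq"], synack["tcp.seq"]
    return (syn["tcp.flags.syn"] and not syn["tcp.flags.ack"]
            and synack["tcp.flags.syn"] and synack["tcp.flags.ack"]
            and synack["tcp.ack"] - client_isn == 1
            and ack["tcp.flags.ack"] and not ack["tcp.flags.syn"]
            and ack["tcp.seq"] - client_isn == 1
            and ack["tcp.ack"] - server_isn == 1)
```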
