Wireshark's official download site: http://www.wireshark.org/
Wireshark is a very popular network packet analysis software, the function is very powerful. You can intercept a variety of network packets, displaying the details of the network envelope.
Wireshark is open source software that can be used with ease. Can run on Windows and Mac OS.
The person who uses Wireshark must understand the network protocol, otherwise can not understand Wireshark. Wireshark can't do it.
For security reasons, Wireshark can only view the package, not the contents of the package, or send a packet.
Wireshark VS Fiddler
Fiddler is a program that runs on Windows and is designed to capture Http,https.
Wireshark can obtain HTTP, also can obtain HTTPS, but cannot decrypt https, so Wireshark can't understand the content in HTTPS
To sum up, if you are dealing with Http,https or using Fiddler, other protocols such as TCP,UDP are used Wireshark other tools of the same kind
Microsoft's Network Monitor
Sniffer
who's going to use Wireshark?
1. Network administrator will use Wireshark to check network problems
2. Software Test engineers use Wireshark to grasp the package to analyze their own test software
3. The engineer who engages in socket programming will use Wireshark to debug
4. It is said that Huawei, ZTE's most engineers will use the Wireshark.
In short, the network-related things may be used to Wireshark. Wireshark started grabbing the bag .
Start interface
Wireshark is a network packet that captures a certain NIC on the machine, and when you have more than one network card on your machine, you need to select a network card.
Click Caputre->interfaces ... The following dialog box appears, selecting the correct network card. Then click the "Start" button and start grabbing the bag.
Wireshark Window Introduction
WireShark are mainly divided into these interfaces
1. Display filter (show filters) for filtering
2. Packet list Pane (packet listing) showing captured packets, with source and destination addresses, port numbers. Different colors, representing
3. Packet details Pane (envelope detail) showing the fields in the packet
4. Dissector Pane (16 data)
5. Miscellanous (Address bar, miscellaneous)
Wireshark Display Filter
The use of filtering is very important, when beginners use Wireshark, will get a lot of redundant information, in thousands of or even tens of thousands of records, so difficult to find the part they need. Get dizzy.
The filter will help us quickly find the information we need in a large amount of data.
There are two kinds of filters,
One is the display filter, which is the one on the main interface that is used to find the record in the captured record.
One is the capture filter, which filters the captured packets to avoid capturing too many records. Set in Capture-> Capture Filters
Save Filter
On the filter bar, fill in the filter's expression, click the Save button, and take a name. Like "Filter 102",
The filter bar has more than one "filter 102" button on it.
Filter The rules of an expression
An expression rule
1. Protocol filtering
TCP, for example, shows only the TCP protocol.
2. IP filtering
For example IP.SRC ==192.168.1.102 display source address is 192.168.1.102,
IP.DST==192.168.1.102, the target address is 192.168.1.102
3. Port Filtration
Tcp.port ==80, Port 80
Tcp.srcport = 80, only displays the TCP protocol's willing port to 80.
4. HTTP Mode filtering
http.request.method== "Get" only shows the HTTP GET method.
5. Logical operator is and/or
Commonly used filter expressions
| Filter an expression | Use |
| http | View only the records of the HTTP protocol |
| IP.SRC ==192.168.1.102 or ip.dst==192.168.1.102 | Source address or Destination address is 192.168.1.102 |
Package list (Packet list Pane)
The Package list panel displays, numbering, timestamp, source address, destination address, protocol, length, and packet information. You can see that different protocols are displayed in different colors.
You can also modify the rules for these display colors, View->coloring.
Envelope Details (Packet details Pane)
This panel is our most important and is used to view each of the fields in the protocol.
Each line of information is
Frame: Overview of data frames for physical layers
Ethernet II: Data Link Layer Ethernet frame header information
Internet Protocol Version 4: Internet Layer IP packet header information
Transmission Control Protocol: Data segment header information for Transport Layer T, here is TCP
Hypertext Transfer Protocol: Application layer information, here is the HTTP protocol
Wireshark and corresponding OSI seven-layer model
What the TCP packet is about
From the following figure you can see each field in the TCP package that Wireshark captures.
example Analysis of TCP three-time handshake process
See this, basically have a preliminary understanding of Wireshak, now we look at a TCP three times handshake instance
Three times the handshake process is
I have seen this picture many times, this time we use Wireshark actual analysis three times handshake process.
Open Wireshark, open browser input Http://www.cnblogs.com/tankxiao
Handshake packet for the first time
Data packet for the third handshake
In this way, through TCP three times handshake, established the connection
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
