Wireshark packet capture analysis
Wireshark is a very popular and very capable network packet analyzer. It can capture packets from all kinds of networks and display the details of each packet.
Start interface
Wireshark captures the packets of one network interface card (NIC) on the machine; when the machine has more than one NIC, you have to pick the right one.
Click Capture -> Interfaces... The dialog shown below appears; select the correct NIC, then click the "Start" button to begin capturing.
Wireshark window introduction
The Wireshark window is divided mainly into these parts:
1. Display filter (filter toolbar), used to filter the captured records
2. Packet list pane, showing the captured packets with their source and destination addresses and port numbers; different colors represent different protocols
3. Packet details pane, showing the fields of each protocol layer in the selected packet
4. Packet bytes pane (hex dump of the raw packet)
5. Miscellaneous (menu and status bars, other controls)
Filters are very important. A beginner who runs Wireshark without one gets a flood of redundant information, thousands or even tens of thousands of records, and finding the part that matters becomes dizzying.
A filter lets us quickly find the information we need in a large amount of data.
There are two kinds of filters:
One is the display filter, the one on the main interface, used to find records among those already captured.
The other is the capture filter, which restricts what is captured in the first place so that too many records are not recorded. It is set under Capture -> Capture Filters. Note that capture filters use the same BPF expression syntax as tcpdump, which is different from the display-filter syntax described below; a display filter pasted into the capture filter box will not work.
Save filter
Type the filter expression in the filter bar, click the Save button and give it a name, such as "Filter 102".
A "Filter 102" button then appears on the filter bar.
Filter expression rules
Expression rules
1. Protocol filtering
For example, tcp shows only TCP packets. Protocol and field names are lowercase and case-sensitive.
2. IP filtering
For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,
ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102
3. Port filtering
tcp.port == 80 matches port 80 as either source or destination port
tcp.srcport == 80 shows only TCP packets whose source port is 80 (note the double ==; a single = is not a comparison)
4. HTTP method filtering
http.request.method == "GET" shows only HTTP GET requests (the method string is case-sensitive, so "Get" matches nothing)
5. Logical operators: and, or, not (also written &&, ||, !)
Commonly used filter expressions
Filter expression                                      Use
http                                                   view only records of the HTTP protocol
ip.src == 192.168.1.102 or ip.dst == 192.168.1.102     source address or destination address is 192.168.1.102
Packet list pane
The packet list pane shows, for each packet, its number, timestamp, source address, destination address, protocol, length and a summary. Different protocols are shown in different colors.
You can also change these coloring rules under View -> Coloring Rules.
Packet details pane
This pane is the most important one; it is used to view every field of every protocol layer.
Each line corresponds to one layer:
Frame: capture-level overview of the frame (arrival time, length, capture interface)
Ethernet II: data link layer, the Ethernet frame header
Internet Protocol Version 4: internet layer, the IP packet header
Transmission Control Protocol: transport layer, the segment header, here TCP
Hypertext Transfer Protocol: application layer, here the HTTP protocol
(figure: ARP packet)
(figure: IP packet, UDP packet, TCP packet)
(figure: HTTP packet)
Linux packet capture tool tcpdump
tcpdump options
· -a -- convert network and broadcast addresses to names (old tcpdump versions only; current versions do not have -a, and -A prints packets in ASCII)
· -d -- dump the compiled packet-matching code in a human-readable form
· -dd -- dump the packet-matching code as a C program fragment
· -ddd -- dump the packet-matching code as decimal numbers
· -e -- print the data link layer header on each output line
· -f -- print foreign Internet addresses numerically rather than symbolically
· -l -- make standard output line-buffered (useful when piping the output to another program)
· -n -- do not convert addresses (hosts, ports) to names
· -t -- do not print a timestamp on each output line
· -v -- slightly more verbose output, such as the TTL and type of service of an IP packet
· -vv -- more verbose output
· -c count -- stop after receiving the given number of packets
· -F file -- read the filter expression from the file, ignoring any expression on the command line
· -i interface -- listen on the specified network interface
· -r file -- read packets from the file (typically created with the -w option)
· -T type -- interpret the packets selected by the expression as the specified type
· -w file -- write the raw packets to the file instead of parsing and printing them
Example
Capture packets on eth2 and save the result to the file Test.cap; the file can then be opened directly in Wireshark to inspect the packets.
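The step above writes a libpcap file (the command is not shown on the page; tcpdump -i eth2 -w Test.cap is the form assumed here), and the packet-details pane and the display-filter rules earlier on the page describe how Wireshark then dissects and filters it. The following is an added example, not code from the original post, from Wireshark or from tcpdump: it reads such a file, dissects Ethernet II / IPv4 / TCP plus a minimal HTTP request/response check, and evaluates display-filter expressions like ip.src == 192.168.1.102 or ip.dst == 192.168.1.102 and tcp.port == 80 over the frames. The sample capture, addresses, ports and the HTTP heuristic are constructed for the example. It only handles classic libpcap, not the pcapng format that recent Wireshark versions save by default.

```python
"""Added example (not from the post, Wireshark or tcpdump): read a libpcap file as `tcpdump -w`
writes it, dissect Ethernet II / IPv4 / TCP like the details pane, and apply display filters."""
import re
import socket
import struct

# Fields that cover both directions, as Wireshark's tcp.port and ip.addr do.
ALIAS = {"tcp.port": ("tcp.srcport", "tcp.dstport"), "ip.addr": ("ip.src", "ip.dst")}

def dissect(frame: bytes) -> dict:
    """Field name -> value for the layers the details pane shows (Ethernet II, IPv4, TCP, HTTP)."""
    pkt = {"frame.len": len(frame), "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["eth.type"] != 0x0800:                # only IPv4 is dissected in this example
        return pkt
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    pkt.update({"ip.proto": frame[23], "ip.src": socket.inet_ntoa(frame[26:30]),
                "ip.dst": socket.inet_ntoa(frame[30:34])})
    if pkt["ip.proto"] == 6:                     # TCP: ports, seq, ack, data offset + flags
        l4 = 14 + ihl
        sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": off_flags & 0x1FF})
        payload = frame[l4 + (off_flags >> 12) * 4: 14 + total_len]
        if re.match(rb"(GET|POST|HEAD|PUT|DELETE) ", payload):   # HTTP request line (heuristic)
            pkt["http.request.method"] = payload.split(b" ", 1)[0].decode()
        elif payload.startswith(b"HTTP/"):                          # HTTP status line (heuristic)
            pkt["http.response"] = True
    return pkt

def parse_pcap(data: bytes) -> list:
    """Walk the 24-byte global header and the 16-byte record headers; one dict per frame."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack_from(endian + "HHiIII", data, 4)[5] != 1:
        raise ValueError("expected a libpcap file with LINKTYPE_ETHERNET (pcapng differs)")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]   # ts_sec, ts_usec, incl, orig
        pkt = dissect(data[off + 16: off + 16 + incl_len])
        pkt["frame.number"] = len(frames) + 1    # 1-based, like the packet list's "No." column
        frames.append(pkt)
        off += 16 + incl_len
    return frames

def display_filter(expr: str):
    """Compile a subset of display-filter syntax (field == literal, bare protocol names,
    and/or/not and their &&, ||, ! forms; precedence not > and > or) into a predicate."""
    toks = re.findall(r'==|&&|\|\||!|"[^"]*"|[\w.]+', expr)

    def parse_or(i):                             # each parser returns (predicate, next index)
        pred, i = parse_and(i)
        while i < len(toks) and toks[i] in ("or", "||"):
            rhs, i = parse_and(i + 1)
            pred = lambda p, l=pred, r=rhs: l(p) or r(p)     # defaults freeze l and r per iteration
        return pred, i
    def parse_and(i):
        pred, i = parse_not(i)
        while i < len(toks) and toks[i] in ("and", "&&"):
            rhs, i = parse_not(i + 1)
            pred = lambda p, l=pred, r=rhs: l(p) and r(p)
        return pred, i
    def parse_not(i):
        if i < len(toks) and toks[i] in ("not", "!"):
            inner, i = parse_not(i + 1)
            return (lambda p: not inner(p)), i
        if i >= len(toks):
            raise ValueError("unexpected end of filter")
        tok = toks[i]
        if i + 2 < len(toks) and toks[i + 1] == "==":          # field == literal
            lit, fields = toks[i + 2].strip('"'), ALIAS.get(tok, (tok,))
            return (lambda p: any(f in p and str(p[f]) == lit for f in fields)), i + 3
        return (lambda p: any(k == tok or k.startswith(tok + ".") for k in p)), i + 1   # protocol

    pred, end = parse_or(0)
    if end != len(toks):
        raise ValueError("unexpected token: " + toks[end])
    return pred

def tcp_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x018):
    """Ethernet II + IPv4 + TCP frame for the constructed sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex("00112233445566778899aabb0800") + ip + tcp

def build_pcap(frames) -> bytes:
    """Little-endian libpcap file with microsecond timestamps, as tcpdump -w writes on x86."""
    records = (struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

# Constructed sample capture: an HTTP request/response pair for 192.168.1.102 and an unrelated SSH SYN.
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.102", "93.184.216.34", 51515, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    tcp_frame("93.184.216.34", "192.168.1.102", 80, 51515, b"HTTP/1.1 200 OK\r\n\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.9", 40000, 22, flags=0x002),
])

def apply_filter(pcap: bytes, expr: str) -> list:
    """Frame numbers matching the display filter, e.g. apply_filter(SAMPLE_PCAP, "tcp.port == 80")."""
    pred = display_filter(expr)
    return [p["frame.number"] for p in parse_pcap(pcap) if pred(p)]
```

To run it against a real file, replace SAMPLE_PCAP with open("Test.cap", "rb").read(); the frame numbers it prints line up with the "No." column Wireshark shows for the same file. The filter compiler deliberately mirrors the page's rules: tcp.port == 80 expands to either port, a bare protocol name matches any frame that has that layer, and not binds tighter than and, which binds tighter than or.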
You are welcome to pay attention to my blog. If you have questions, please add QQ Group: 135430763 study together.