The following is a network packet capture tutorial for Ubuntu.
1. Install Wireshark
Run in a terminal: sudo apt-get install wireshark
2. Modify init.lua
If Wireshark is run directly at this point, it reports an error:
Lua: error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
This happens because init.lua disables dofile when Wireshark is started as the superuser (which is how it is run in step 3).
To change it, open the file from a terminal:
sudo gedit /usr/share/wireshark/init.lua
and comment out the last line by prefixing it with --, so that it reads: -- dofile(data_dir .. "console.lua")
3. Start the software
Run in a terminal: sudo wireshark
Click the icon in the upper-left corner. You will then be prompted to select a network interface. I am using a wired network, so I select eth0.
4. Analyze the TCP three-way handshake process
We all know that, under normal circumstances, a TCP connection is established through a three-way handshake, as shown below:
In detail:
First handshake: to open a connection, the client sends a SYN packet (SYN = J, i.e. initial sequence number J) to the server and enters the SYN_SENT state, waiting for the server to confirm.
Second handshake: when the server receives the SYN packet, it must acknowledge the client's SYN (ACK = J + 1) and send its own SYN packet (SYN = K); together this is the SYN + ACK packet. The server enters the SYN_RECV state.
Third handshake: the client receives the server's SYN + ACK packet and sends an ACK packet (ACK = K + 1) to the server. Once this packet is sent, both client and server enter the ESTABLISHED state and the three-way handshake is complete. After that, the client and server begin to transmit data.
Once Wireshark is started it begins capturing. When we open a website in the browser, the computer establishes a connection with the web server, which produces the three handshake packets.
The following are some of the packets I captured. Look at the lines marked in red:
First handshake: SYN = 1, ACK = 0; the client's request to the server.
Second handshake: SYN = 1, ACK = 1; the server's reply.
Third handshake: SYN = 0, ACK = 1; the client's confirmation.
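As an added example that is not part of the original tutorial, the following Python script decodes the TCP header fields Wireshark shows for each packet (ports, sequence number, acknowledgement number, SYN and ACK flags) and checks that three packets form a valid handshake with the ACK = J + 1 and ACK = K + 1 relationship described above. The ports and sequence numbers in the sample are constructed; in a real capture they would come from the pcap.

```python
import struct

# Bits of the TCP flags byte; only the two flags the tutorial looks at.
FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_HDR = "!HHIIBBHHH"  # src port, dst port, seq, ack, offset, flags, window, checksum, urgent

def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Constructed 20-byte TCP header (no options, checksum left as 0) for offline testing."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Decode the fields Wireshark shows in its TCP tree: ports, seq, ack, SYN/ACK flags."""
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "SYN": bool(flags & FLAG_SYN), "ACK": bool(flags & FLAG_ACK)}

def check_handshake(raw_packets):
    """Check three raw TCP headers against the J / J+1 / K / K+1 rule; returns findings (empty = valid)."""
    if len(raw_packets) != 3:
        return ["expected exactly three packets"]
    h1, h2, h3 = (parse_tcp_header(r) for r in raw_packets)
    nxt = lambda seq: (seq + 1) % (1 << 32)  # sequence numbers wrap at 2^32
    findings = []
    if not (h1["SYN"] and not h1["ACK"]):
        findings.append("first packet is not a pure SYN")
    if not (h2["SYN"] and h2["ACK"]):
        findings.append("second packet is not SYN+ACK")
    elif h2["ack"] != nxt(h1["seq"]):
        findings.append("SYN+ACK does not acknowledge J+1")
    if not (h3["ACK"] and not h3["SYN"]):
        findings.append("third packet is not a pure ACK")
    elif h3["ack"] != nxt(h2["seq"]):
        findings.append("final ACK does not acknowledge K+1")
    if (h2["src"], h2["dst"]) != (h1["dst"], h1["src"]) or (h3["src"], h3["dst"]) != (h1["src"], h1["dst"]):
        findings.append("ports do not form one client/server pair")
    return findings

def summarize(raw_packets):
    """Render each packet roughly like Wireshark's Info column, seq/ack relative to each side's ISN."""
    isn, lines = {}, []
    for h in (parse_tcp_header(r) for r in raw_packets):
        if h["SYN"]:
            isn[h["src"]] = h["seq"]  # a SYN carries the sender's initial sequence number
        rel_seq = (h["seq"] - isn.get(h["src"], h["seq"])) % (1 << 32)
        rel_ack = (h["ack"] - isn[h["dst"]]) % (1 << 32) if h["ACK"] and h["dst"] in isn else 0
        flags = ", ".join(f for f in ("SYN", "ACK") if h[f])
        lines.append(f"[{flags}] Seq={rel_seq} Ack={rel_ack}")
    return lines

# Constructed sample handshake: client port 51234 -> server port 80, J = 1000, K = 5000.
SAMPLE = [build_tcp_header(51234, 80, 1000, 0, FLAG_SYN),
          build_tcp_header(80, 51234, 5000, 1001, FLAG_SYN | FLAG_ACK),
          build_tcp_header(51234, 80, 1001, 5001, FLAG_ACK)]
```

Running `summarize(SAMPLE)` gives the same relative Seq=0/Ack=0, Seq=0/Ack=1, Seq=1/Ack=1 pattern Wireshark displays for the three captured packets, and `check_handshake(SAMPLE)` returns an empty list.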
Reference: A deep understanding of the TCP protocol (TCP packet format + three-way handshake example), based on Wireshark captures: http://blog.chinaunix.net/uid-9112803-id-3212041.html