Wireshark and tcpdump packet capture analysis experiences

Source: Internet
Author: User


1. Wireshark and tcpdump Introduction

Wireshark is a network protocol analyzer that supports Windows and UNIX platforms. I generally only use Wireshark on Windows. On Linux I use tcpdump directly, because in my work environment Linux hosts usually have only a character (terminal) interface. In general, on Linux you either use tcpdump on its own, or capture with tcpdump and then open the capture file in Wireshark for analysis.

On Windows, Wireshark uses WinPcap to capture packets; it is well packaged and easy to use, and you can easily create a capture filter or a display filter. The details are described below. Wireshark is a free tool, and you can easily find the download location with Google.

Tcpdump is a command-line packet sniffing tool for UNIX systems. If you want to use tcpdump to capture packets addressed to the MAC addresses of other hosts, you must put the NIC into promiscuous mode. Put simply, promiscuous mode lets the NIC capture every packet passing through it, whether or not the packet is addressed to it; see http://en.wikipedia.org/wiki/promiscuous_mode.pdf for more information. In general, UNIX does not let ordinary users enable promiscuous mode, because it lets them see other people's traffic, such as Telnet user names and passwords, which can cause security problems; only the root user can enable it. The command to enable promiscuous mode is ifconfig eth0 promisc, where eth0 is the network adapter you want to put into promiscuous mode. Someone will ask whether promiscuous mode must be enabled on Windows. On Windows there is no promiscuous or non-promiscuous setting on the NIC itself; the application, for example Wireshark when capturing, can set itself to capture in promiscuous mode (which is why the damned ARP spoofing viruses are so rampant). Tcpdump can also be given a capture filter, written in the well-known Berkeley Packet Filter language (BPF).

2. Simple Example

Visit www.google.com.hk and look at the packet capture results.

2.1 tcpdump

As said earlier, Linux generally has tcpdump built in. In the unlikely event that it is missing, you can download the source code from http://www.tcpdump.org, then compile and install it.

Log in as the root user and run the tcpdump command to capture packets. If you log in to a remote Linux host over SSH and run tcpdump directly, you will find that a large number of packets are captured and they scroll past too fast to read. This is because the packets tcpdump captures are sent to the remote terminal for display, that display traffic is itself captured, then displayed, then captured again, and so on in a loop. Capturing like this makes no sense, except to prove that your network is connected.

Because the network adapter is not in promiscuous mode, nothing is captured unless some process on the local machine accesses the network. On a character interface you can access the website with wget http://www.google.com.hk; if there is a GUI, you can open the Firefox browser and visit http://www.google.com.hk.

By default, tcpdump selects the first network card, eth0, to capture packets. Each line displays one captured packet, for example:

0.003183 TCP 38039 > HTTP [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSV=36941509 TSER=0 WS=6

0.011707 HTTP > 38039 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

0.011770 TCP 38039 > HTTP [ACK] Seq=1 Ack=1 Win=5840 Len=0

The preceding three packets are the well-known TCP three-way handshake. 38039 is the client's TCP port, and the default HTTP port is 80; when tcpdump finds a service name for a port in /etc/services it automatically converts the number to the name, which is why HTTP is displayed here. So this is the TCP three-way handshake between client port 38039 and the HTTP port on the server.

As mentioned above, tcpdump captures on the first network card by default. The -i parameter specifies which network card to capture on, for example (# is the root user's prompt on Linux and marks the commands I entered):

# tcpdump -i eth1

# tcpdump -i any

If you want to know which network adapters are available for capturing, use the -D parameter, for example:

# tcpdump -D

1.eth0

2.any

3.lo

Because my machine has only one NIC, only eth0 is listed; if several NICs are active, eth1, eth2 and so on follow. any means capture on every network card, and lo is the loopback interface. (For network basics such as the TCP three-way handshake and the loopback interface, refer to "TCP/IP protocol details".)

By default, tcpdump displays the capture results on the screen (strictly speaking, on standard output). Obviously this is not convenient for further analysis, so we need to store the capture results in a file. Use the -w option to save the results to a file, for example:

# tcpdump -w google.cap

This command stores the capture results in the file google.cap, which you can open and view with Wireshark. Likewise, tcpdump can use the -r option to read a capture file, combined with a filter, to analyse the captured data, for example:

# tcpdump -r google.cap port http

This command makes tcpdump read the google.cap file and show only the HTTP packets. Filters are described in detail below.
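As an added example (not code from the original page), the following Python builds the three handshake packets listed above into a classic pcap file of the kind tcpdump -w produces, then parses the raw bytes back into tcpdump-style summary lines. The addresses 10.0.0.1/10.0.0.2 and the timestamps are constructed placeholders.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"))

def tcp_frame(src, dst, sport, dport, flags, seq, ack, win):
    """Ethernet + IPv4 + TCP header bytes (checksums left 0; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # zeroed MACs, EtherType 0x0800 = IPv4

def pcap_bytes(records):
    """24-byte global header, then a 16-byte record header plus the frame for each packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), len(frame), len(frame)) + frame
    return out

def parse_pcap(blob):
    """One tcpdump-style summary line per TCP/IPv4 frame, times relative to the first."""
    if struct.unpack("<I", blob[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    off, t0, lines = 24, None, []
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # skip non-IPv4/TCP
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport, seq, ack, _, fl, win = struct.unpack("!HHIIBBH", frame[14 + ihl:14 + ihl + 16])
        ts = sec + usec / 1e6
        t0 = ts if t0 is None else t0
        names = ", ".join(n for bit, n in TCP_FLAGS if fl & bit)
        lines.append(f"{ts - t0:.6f} {src}.{sport} > {dst}.{dport} [{names}] seq={seq} ack={ack} win={win}")
    return lines

# Constructed handshake (placeholder hosts): client port 38039 -> server port 80, as in the text.
HANDSHAKE = pcap_bytes([
    (1000.003183, tcp_frame("10.0.0.2", "10.0.0.1", 38039, 80, 0x02, 0, 0, 5840)),
    (1000.011707, tcp_frame("10.0.0.1", "10.0.0.2", 80, 38039, 0x12, 0, 1, 64240)),
    (1000.011770, tcp_frame("10.0.0.2", "10.0.0.1", 38039, 80, 0x10, 1, 1, 5840)),
])

if __name__ == "__main__":
    print("\n".join(parse_pcap(HANDSHAKE)))
```

The bytes in HANDSHAKE are exactly what a hex editor shows when you open such a capture file; Wireshark's three panes are just different renderings of them.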

2.2 Wireshark

I used Wireshark on Windows. First, get familiar with the interface. Figure 1 shows the Wireshark interface with the google.cap file open.

Figure 1 Wireshark Interface

Figure 1 shows three regions. Region R1 displays summary information about each packet; this is also what tcpdump shows by default. Region R2 displays the details of the selected packet, and you will notice it is laid out by the four layers of the TCP/IP model: the first line is the data link layer, the second the network layer (IP), the third the transport layer (TCP) and the fourth the application layer (HTTP); each line can be expanded to see its fields. Region R3 shows the packet's true form: what we see in R1 and R2 is Wireshark's interpretation, while the captured data is really just a sequence of bytes. Opening google.cap in UltraEdit shows nothing but numbers, as in Figure 2.

Figure 2 What the capture file looks like

Capturing with Wireshark is very easy: click the start-capture button in the toolbar and packets are captured immediately. This is because Wireshark captures in promiscuous mode by default, so every packet passing the network card is captured (of course the machine must be connected to a network; if there is no traffic, there is nothing to capture). Click the stop button to stop capturing.

If multiple NICs are installed, Wireshark selects the first one by default. It is extremely frustrating to finish a capture and then discover that the wrong NIC was selected, so click the interface list button to choose the network card before capturing.

Figure 3 network card selection

My machine has only one physical network card; the other two are virtual adapters created when VMware was installed. Although the packet counters already show data, you still need to click Start to begin capturing.

Once the NIC is chosen, if you want to filter what is captured, click Capture > Options on the menu bar to open the capture settings page, as shown in Figure 4.

Figure 4 configure packet capture rules

Figure 4 shows "Capture packets in promiscuous mode" checked by default, meaning Wireshark captures in promiscuous mode by default. You can also select which NIC to capture on, but these are not the important part. The most important item is Capture Filter. Click this button to see some predefined filters; for example, selecting "HTTP TCP port (80)" produces the filter string tcp port http, which means capture TCP packets on port 80 (the default port of the HTTP protocol).

3. Use of filters (bpf language)

This article mainly introduces filters in tcpdump; Wireshark's capture filters use the same syntax and are easy enough to pick up.

Essentially, a BPF expression consists of one or more primitives, each of which is an id (a name or a number) preceded by one or more qualifiers. There are three kinds of qualifiers:

First: the type qualifier

host specifies the IP address (or MAC address, in the form 00:00:00:00:00:00) whose packets to capture. For example, to capture the packets related to a given IP address, I write tcpdump host followed by the address; host is the qualifier and the address is the id. This command captures packets sent from or to that address.

net captures packets belonging to a network, given by its network number. The number of octets in the network number decides whether it is treated as a class A, B or C address: 1, 2 or 3 octets respectively. For example, tcpdump net 10.1.1 is treated as a class C network.

port specifies the port. For example, tcpdump host followed by the address and port 22 captures packets on port 22, whether TCP or UDP. (Here I have used the logical operator and a little early.) If you only want TCP, write tcpdump host followed by the address and tcp port 22.

portrange, as its name implies, specifies a range of ports, written with a hyphen (-), for example tcpdump portrange 1025-8080.

Second: the direction qualifier

In the command above, "this command captures packets sent from or to the address". So if you only want the packets sent from the address, use the qualifier src: tcpdump src host followed by the address. Conversely, to capture the packets sent to the address, use the qualifier dst: tcpdump dst host followed by the address.

Third: the protocol qualifier

We know there are countless network protocols. I will list a few common ones; the rest you can look up on Google.

ether and fddi: Ethernet protocol

tr: Token Ring protocol

ip: IP protocol

ip6: IPv6 protocol

arp: ARP protocol

We also need to pay attention to the logical operators and, or and not. There is already an example above, so I will not belabour them here; they work no differently from those of a common programming language.

In addition, there are more advanced features, such as testing specific flag bits in the TCP header. I seldom use them, so I will not go on about them.
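As an added example (not code from the page), this Python implements an evaluator for the filter subset described above: the type qualifiers host, net, port and portrange, the direction qualifiers src and dst, the protocol qualifiers ip, ip6, arp, tcp and udp, and the operators and, or and not with BPF's precedence (parentheses are left out). The packet records are constructed dicts with placeholder addresses standing in for decoded capture data.

```python
import ipaddress

class Filter:                       # compiles a BPF-style filter string into a predicate
    def __init__(self, expr):
        self.toks = expr.split()
        self.pred = self._chain("or", lambda: self._chain("and", self._not))   # not > and > or
        if self.toks:
            raise ValueError(f"unexpected tokens: {self.toks}")
    def _take(self, *want):         # pop the next token if it is one of `want` (or anything)
        if self.toks and (not want or self.toks[0] in want):
            return self.toks.pop(0)
    def _chain(self, op, sub):      # sub (op sub)*: 'or' -> any(), 'and' -> all()
        terms = [sub()]
        while self._take(op):
            terms.append(sub())
        return lambda p: (any if op == "or" else all)(t(p) for t in terms)
    def _not(self):
        if self._take("not"):
            inner = self._not()
            return lambda p: not inner(p)
        return self._primitive()
    def _primitive(self):
        side = self._take("src", "dst")                        # direction qualifier
        proto = self._take("ip", "ip6", "arp", "tcp", "udp")   # protocol qualifier
        kind = self._take("host", "net", "port", "portrange")  # type qualifier
        if kind is None and proto is None:
            raise ValueError(f"expected a qualifier near {self.toks[:2]}")
        if kind is None:                                       # bare protocol, e.g. 'arp'
            return lambda p: proto in (p["l3"], p["l4"])
        value, sides = self._take(), [side] if side else ["src", "dst"]   # host X = src or dst
        if kind == "host":
            test = lambda p, s: p["addr"].get(s) == value
        elif kind == "net":                                    # 1/2/3 octets -> /8, /16, /24
            o = value.split(".")
            net = ipaddress.ip_network(".".join(o + ["0"] * (4 - len(o))) + f"/{8 * len(o)}")
            test = lambda p, s: s in p["addr"] and ipaddress.ip_address(p["addr"][s]) in net
        else:                                                  # port N or portrange A-B
            lo, hi = map(int, value.split("-")) if "-" in value else (int(value),) * 2
            test = lambda p, s: lo <= p["port"].get(s, -1) <= hi
        return lambda p: (proto is None or proto in (p["l3"], p["l4"])) and any(test(p, s) for s in sides)

# Constructed sample records with placeholder addresses, shaped like a decoder's output.
PACKETS = [
    {"l3": "ip", "l4": "tcp", "addr": {"src": "10.1.1.5", "dst": "10.1.1.9"}, "port": {"src": 40001, "dst": 22}},
    {"l3": "ip", "l4": "udp", "addr": {"src": "10.1.1.9", "dst": "8.8.8.8"}, "port": {"src": 5353, "dst": 53}},
    {"l3": "arp", "l4": None, "addr": {"src": "10.1.1.5", "dst": "10.1.1.1"}, "port": {}},
]
def select(expr, packets=PACKETS):  # indexes of the records a tcpdump expression would keep
    pred = Filter(expr).pred
    return [i for i, p in enumerate(packets) if pred(p)]
```

select("host 10.1.1.9") returns both the TCP and the UDP record, because host without src or dst matches either direction, exactly as tcpdump does.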
