WireShark Basic Introduction

Source: Internet
Author: User
Tags: types of filters

The content of this article is mainly reproduced from: http://www.cnblogs.com/TankXiao/archive/2012/10/10/2711777.html

I. Comparison of Wireshark and Fiddler:

Fiddler is a program that runs on Windows and is designed to capture HTTP and HTTPS. Wireshark can capture HTTP and also HTTPS, but it cannot decrypt HTTPS, so Wireshark cannot read the contents of HTTPS traffic.

In summary: to work with HTTP or HTTPS, use Fiddler; for other protocols such as TCP and UDP, use Wireshark.

II. Introduction to using Wireshark

1. Start interface:




2. Wireshark captures the network packets of one NIC on the machine; when the machine has several NICs you must select one. Click Capture -> Interfaces and the following dialog box appears.

Select the correct network card, then click the "Start" button to start capturing. If the service and the client accessing it are on the same computer, it seems that the access traffic cannot be captured.



3. Wireshark Window Description:



Wireshark is mainly divided into the following areas:

1). Display Filter: used to filter the packets shown

2). Packet List Pane: shows the captured packets with their source and destination addresses and port numbers. Different colors represent

3). Packet Details Pane: shows the fields inside the packet

4). Dissector Pane: the packet's raw data in hexadecimal

5). Miscellaneous: the address bar and other items

4. There are two types of filters:

1). Display filter: used to locate the records you need among the captured records. Click Filter on the left to open the filter settings screen. In the select box on the right of that screen you can click a rule name to view the specific filtering rule. Most importantly, you can imitate the existing rules and create new ones that suit your own program; click the New button on the left to create your own filter rule.

2). Capture filter: filters the packets as they are captured, to avoid capturing too many records. Open the Capture Options settings screen via Options..., then click the Capture Filter button there to enter the capture filter settings screen. You can then mimic the existing rules and set up new filtering rules.

(The version I used is v1.12.1; in some versions the Capture Filter button may not be on the Capture Options settings screen. Find where it is in your version.)



Note: When either kind of rule is entered correctly, the filter box has a green background; if the rule is wrong, the filter box background is red.

5. Packet Details Pane: this is the panel we use most, to view each field of each protocol. The rows are:

1). Frame: overview of the data frame at the physical layer

2). Ethernet II: data link layer Ethernet frame header

3). Internet Protocol Version 4: Internet layer IP packet header

4). Transmission Control Protocol: transport layer segment header, here TCP

5). Hypertext Transfer Protocol: application layer data, here the HTTP protocol



III. Related background:

1. How Wireshark's panes map onto the OSI seven-layer model:



2. Contents of a TCP packet:



3. Example analysis of the TCP three-way handshake:



4. Now we use Wireshark to analyze the three-way handshake in practice. Open Wireshark, then open a browser and enter http://www.cnblogs.com/tankxiao. In Wireshark, enter the HTTP filter, select the GET /tankxiao HTTP/1.1 record, right-click and choose "Follow TCP Stream". The purpose of this is to obtain the packets related to opening the site in the browser, which are as follows:



In the figure you can see that Wireshark captured the three packets of the three-way handshake. The fourth packet is HTTP, which shows that HTTP does indeed use a TCP connection.

The first handshake packet: the client sends a TCP segment with the SYN flag set and sequence number 0, which represents the client's request to establish a connection. For example:



The second handshake packet: the server sends back a confirmation packet with the SYN and ACK flags set. It sets the acknowledgement number to the client's ISN plus 1, that is, 0+1=1. For example:



The third handshake packet: the client sends another confirmation packet (ACK), with the SYN flag 0 and the ACK flag 1. It takes the server's sequence number, adds 1, puts it in the acknowledgement field and sends it back to the server. Its own sequence number field carries the client's ISN plus 1. For example:
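As an added example (not part of the original post), here is a small Python dissector that decodes the IPv4 and TCP header fields shown in the Packet Details pane and checks that three constructed segments form the SYN, SYN-ACK, ACK sequence described above, returning the relative sequence numbers (0/0, 0/1, 1/1) that Wireshark displays after subtracting each side's ISN. The addresses, ports and ISNs are constructed sample values.

```python
import struct

SYN, ACK = 0x02, 0x10   # TCP flag bits

def tcp_segment(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4 header followed by a 20-byte TCP header (no payload)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def dissect(pkt):
    """Decode the fields Wireshark shows in the IPv4 and TCP rows of the details pane."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # IP protocol 6 = TCP
        return None
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK)}

def classify_handshake(pkts):
    """Check that three segments form SYN / SYN-ACK / ACK and return the relative
    seq/ack numbers Wireshark displays (each side's ISN subtracted): (0,0), (0,1), (1,1)."""
    p = [dissect(x) for x in pkts]
    if len(p) != 3 or not all(p):
        raise ValueError("expected exactly three TCP segments")
    m = 0xFFFFFFFF                        # sequence numbers wrap at 32 bits
    c_isn, s_isn = p[0]["seq"], p[1]["seq"]
    steps = [
        p[0]["syn"] and not p[0]["ack_flag"],                          # 1: SYN from client
        p[1]["syn"] and p[1]["ack_flag"] and p[1]["src"] == p[0]["dst"]
        and p[1]["ack"] == (c_isn + 1) & m,                            # 2: SYN-ACK, ack = client ISN + 1
        not p[2]["syn"] and p[2]["ack_flag"] and p[2]["seq"] == (c_isn + 1) & m
        and p[2]["ack"] == (s_isn + 1) & m,                            # 3: ACK, ack = server ISN + 1
    ]
    if not all(steps):
        raise ValueError("not a three-way handshake, fails at step %d" % (steps.index(False) + 1))
    return [("SYN", (p[0]["seq"] - c_isn) & m, 0),
            ("SYN-ACK", (p[1]["seq"] - s_isn) & m, (p[1]["ack"] - c_isn) & m),
            ("ACK", (p[2]["seq"] - c_isn) & m, (p[2]["ack"] - s_isn) & m)]

# Constructed sample capture: the three handshake segments of a request to port 80.
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"   # constructed addresses
HANDSHAKE = [
    tcp_segment(CLIENT, SERVER, 51234, 80, 0x1A2B3C4D, 0, SYN),
    tcp_segment(SERVER, CLIENT, 80, 51234, 0x9F8E7D6C, 0x1A2B3C4E, SYN | ACK),
    tcp_segment(CLIENT, SERVER, 51234, 80, 0x1A2B3C4E, 0x9F8E7D6D, ACK),
]
```

Calling `classify_handshake(HANDSHAKE)` yields the same Seq/Ack pairs the screenshots show; feeding it segments out of order raises a ValueError naming the failing step.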
