This article introduces another handy capture tool, Wireshark, which is used to capture network packets, including HTTP, TCP, UDP and other protocol packets.
I remember learning the TCP three-way handshake at university; at the time I only knew it in theory. Although I read a lot about TCP and UDP in books, I never actually saw these packets, so it always felt abstract, as if floating in the clouds, and the learning was not practical. With Wireshark, you can capture these packets and see every field clearly, which deepens our understanding of network protocols. For me, Wireshark is the best tool for learning network protocols.
Contents
- Wireshark Introduction
- What Wireshark cannot do
- Wireshark vs Fiddler
- Other tools of the same kind
- Who's going to use Wireshark?
- Starting a capture in Wireshark
- Wireshark Window Introduction
- Wireshark Display Filter
- Save Filter
- Filter expression rules
- Package list (Packet list Pane)
- Packet Details (Packet details Pane)
- Wireshark and corresponding OSI seven-layer model
- Specific contents of TCP packets
- Example analysis of the TCP three-way handshake
Wireshark Introduction
Wireshark's official download site: http://www.wireshark.org/
Wireshark is a very popular and powerful network packet analysis tool. It can capture all kinds of network packets and display their details.
Wireshark is open-source software and can be used with confidence. It runs on Windows and Mac OS.
Anyone who uses Wireshark must understand network protocols; otherwise the output will not make sense.
What Wireshark cannot do
For security reasons, Wireshark can only view packets; it cannot modify packet contents or send packets.
Wireshark vs Fiddler
Fiddler is a program that runs on Windows and is designed to capture HTTP and HTTPS.
Wireshark can capture HTTP and also HTTPS, but it cannot decrypt HTTPS, so it cannot understand the contents of HTTPS traffic.
In summary: for HTTP and HTTPS use Fiddler; for other protocols such as TCP and UDP use Wireshark.
Other tools of the same kind
Microsoft's Network Monitor
Sniffer
Who's going to use Wireshark?
1. Network administrators use Wireshark to check for network problems
2. Software test engineers use Wireshark captures to analyze the software they are testing
3. Engineers doing socket programming use Wireshark for debugging
4. It is said that most engineers at ZTE use Wireshark.
In short, anything network-related may call for Wireshark.
Starting a capture in Wireshark
Start interface
Wireshark captures the network packets of one NIC on the machine; when the machine has multiple NICs, you need to select one.
Click Capture->Interfaces. In the dialog box that appears, select the correct network card, then click the "Start" button to begin capturing.
Wireshark Window Introduction
The Wireshark window is mainly divided into these parts:
1. Display Filter, used for filtering
2. Packet List Pane, which displays the captured packets with their source address, destination address and port number. Different colors represent different protocols.
3. Packet Details Pane, which shows the fields in the packet
4. Dissector Pane (hexadecimal data)
5. Miscellaneous (address bar, miscellaneous items)
Wireshark Display Filter
Using filters is very important. When beginners use Wireshark they get a lot of redundant information, thousands or even tens of thousands of records, so it is hard to find the part they care about; it is dizzying.
Filters help us quickly find the information we need in a large amount of data.
There are two types of filter:
One is the display filter, the one on the main interface, which is used to find the required records among the records already captured.
The other is the capture filter, which filters packets as they are captured, to avoid capturing too many records. It is set under Capture Filters.
Save Filter
On the filter bar, after filling in the filter expression, click the Save button and give it a name, for example "Filter 102".
A "Filter 102" button then appears on the filter bar.
Filter expression rules
1. Protocol filtering
For example, tcp shows only TCP protocol packets.
2. IP filtering
For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,
and ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.
3. Port filtering
tcp.port == 80 matches TCP packets with port 80 on either side.
tcp.srcport == 80 matches only TCP packets whose source port is 80.
4. HTTP method filtering
http.request.method == "GET" shows only HTTP GET requests (the string comparison is case-sensitive).
5. Logical operators are and / or
Commonly used filter expressions

Filter expression | Use
http | View only the records of the HTTP protocol
ip.src == 192.168.1.102 or ip.dst == 192.168.1.102 | Source address or destination address is 192.168.1.102
Package list (Packet list Pane)
This panel displays the list of captured packets: number, timestamp, source address, destination address, protocol, length, and packet info. You can see that different protocols are displayed in different colors.
You can also modify these coloring rules under View->Coloring.
Packet Details (Packet details Pane)
This panel is the most important one for us; it shows each field of every protocol.
Each line is:
Frame: physical layer data frame overview
Ethernet II: data link layer Ethernet frame header information
Internet Protocol Version 4: internet layer IP packet header information
Transmission Control Protocol: transport layer segment header information, here TCP
Hypertext Transfer Protocol: application layer information, here the HTTP protocol
Wireshark and corresponding OSI seven-layer model
Specific contents of TCP packets
Each field of a TCP packet can be seen in the Wireshark capture.
Example analysis of the TCP three-way handshake
Having read this far, you should have a preliminary understanding of Wireshark. Now let's look at a TCP three-way handshake example.
The three-way handshake process is:
I have seen this picture many times; this time we use Wireshark to analyze the three-way handshake in practice.
Open Wireshark, then open a browser and enter Http://www.cnblogs.com/tankxiao
Enter the filter http in Wireshark, then select the record "GET /tankxiao HTTP/1.1", right-click and choose "Follow TCP Stream".
The purpose of this is to get the packets associated with the browser opening the page, which will be
In the figure you can see that Wireshark captured the three packets of the three-way handshake. The fourth packet is HTTP, which shows that HTTP does indeed use a TCP connection.
First handshake packet
The client sends a TCP segment with the SYN flag set and sequence number 0, which represents the client's request to establish a connection, as shown:
Second handshake packet
The server sends back a confirmation packet with the flags SYN and ACK, setting the acknowledgement number to the client's ISN plus 1, that is 0+1=1, as shown:
Third handshake packet
The client sends a confirmation packet (ACK) again, with the SYN flag 0 and the ACK flag 1. It takes the sequence number from the server's packet plus 1 and puts it in the acknowledgement field sent to the other side, and its own sequence number field carries ISN+1, as shown:
With this the TCP three-way handshake is complete, and the connection is established.
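The three packets described above, rebuilt and checked in an added Python example (not code from the original post): it parses the raw 20-byte TCP header into the fields Wireshark lists under "Transmission Control Protocol" and verifies the SYN / SYN,ACK / ACK flag and sequence arithmetic. The ports and initial sequence numbers are constructed sample values; relative_seq shows why Wireshark's screenshots read 0 and 1 rather than the raw 32-bit numbers.

```python
import struct
from collections import namedtuple

# TCP flag bits as they appear in the header's flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF
TcpHeader = namedtuple("TcpHeader", "src_port dst_port seq ack flags")

def parse_tcp_header(data: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header; options and payload are ignored."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    if (off_flags >> 12) * 4 < 20:  # data offset counts 32-bit words
        raise ValueError("invalid TCP data offset")
    return TcpHeader(src, dst, seq, ack, off_flags & 0x01FF)

def build_tcp_header(src_port, dst_port, seq, ack, flags) -> bytes:
    # Constructed sample: data offset 5 (no options), window 65535,
    # checksum and urgent pointer 0 since no IP layer is involved here.
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)

def check_handshake(pkts):
    """Verify SYN / SYN,ACK / ACK; return (client_isn, server_isn) or raise."""
    h1, h2, h3 = (parse_tcp_header(p) for p in pkts)
    if h1.flags & (SYN | ACK) != SYN:                      # 1: pure SYN
        raise ValueError("packet 1 is not a pure SYN")
    client_isn = h1.seq
    if h2.flags & (SYN | ACK) != SYN | ACK:                # 2: SYN,ACK
        raise ValueError("packet 2 is not SYN,ACK")
    if (h2.src_port, h2.dst_port) != (h1.dst_port, h1.src_port):
        raise ValueError("packet 2 does not flow server -> client")
    if h2.ack != (client_isn + 1) & MASK32:                # ack = client ISN + 1
        raise ValueError("packet 2 does not acknowledge client ISN + 1")
    server_isn = h2.seq
    if h3.flags & SYN or not h3.flags & ACK:               # 3: ACK, SYN cleared
        raise ValueError("packet 3 is not a plain ACK")
    if (h3.seq, h3.ack) != ((client_isn + 1) & MASK32, (server_isn + 1) & MASK32):
        raise ValueError("packet 3 seq/ack arithmetic is wrong")
    return client_isn, server_isn

def relative_seq(header, isn):
    """Wireshark shows relative sequence numbers by default: seq minus the ISN."""
    return (header.seq - isn) & MASK32

# Constructed sample handshake: client port 51000 -> server port 80
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9F000001
HANDSHAKE = [build_tcp_header(51000, 80, CLIENT_ISN, 0, SYN),
             build_tcp_header(80, 51000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
             build_tcp_header(51000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK)]
```

Feeding the packets out of order, or with a wrong acknowledgement number, makes check_handshake raise, which is the same mismatch you would spot by reading the Seq and Ack fields in the Packet Details pane.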
Extended reading:
- One-stop learning Wireshark (i): Wireshark basic usage
- One-stop learning Wireshark (ii): Using Wireshark to observe basic network protocols
- One-stop learning Wireshark (iii): Analyzing data flow with Wireshark's IO Graph tool
- One-stop learning Wireshark (iv): TCP retransmission and duplicate ACK in network performance troubleshooting
- One-stop learning Wireshark (v): TCP window and congestion handling
- One-stop learning Wireshark (vi): Pinpointing network high-latency points
- One-stop learning Wireshark (vii): The Statistics tools, their functions and application
- One-stop learning Wireshark (viii): Applying Wireshark filter conditions to capture specific data streams
Wireshark basic introduction and learning the TCP three-way handshake