Wireshark Basic introduction and learning TCP three-time handshake

Source: Internet
Author: User
Tags ack types of filters

This article introduces another handy grab kit Wireshark, used to get network packets, including HTTP, TCP, UDP and other network protocol packets.

Remember when the University of the three-time TCP handshake protocol, then just know, although in the book read a lot of TCP and UDP data, but never really see these packets, always feel in the cloud, like drifting, learning is not practical. With Wireshark, you can intercept these network packets and see each field in the packet clearly. More to deepen our understanding of the network protocol. For me, Wireshark is the best tool for learning network protocols.

Read Catalogue

    1. Wireshark Introduction
    2. Wireshark can't do.
    3. Wireshark VS Fiddler
    4. Other tools of the same kind
    5. Who's going to use Wireshark?
    6. Wireshark starts to grab the bag
    7. Wireshark Window Introduction
    8. Wireshark Display Filter
    9. Save Filter
    10. Filter an expression
    11. Package list (Packet list Pane)
    12. Packet Details (Packet details Pane)
    13. Wireshark and corresponding OSI seven-layer model
    14. Specific contents of TCP packets
    15. Example analysis of TCP three-time handshake process
Wireshark Introduction

Wireshark's official download site: http://www.wireshark.org/

Wireshark is a very popular network packet analysis software, the function is very powerful. Various network packets can be intercepted to display details of network packets.

Wireshark is open source software and can be used with confidence. Can run on Windows and Mac OS.

People who use Wireshark must understand the network protocol, otherwise they can not understand Wireshark.

Wireshark can't do.

For security reasons, Wireshark can only view packets, not modify the contents of the package, or send packets.

Wireshark VS Fiddler

Fiddler is a program that runs on Windows and is designed to capture Http,https.

Wireshark can get HTTP, but also can get HTTPS, but can not decrypt HTTPS, so wireshark do not understand the contents of HTTPS

Summary, if it is to deal with Http,https or fiddler, other protocols such as TCP,UDP with Wireshark

Other tools of the same kind

Microsoft's Network Monitor


Who's going to use Wireshark?

1. The network administrator will use Wireshark to check for network problems

2. Software Test engineers use Wireshark capture package to analyze their own test software

3. The engineer who is engaged in socket programming will use Wireshark to debug

4. It is said that most of ZTE's engineers will use Wireshark.

In short, the network-related things, may use the Wireshark.

Wireshark starts to grab the bag

Start interface

Wireshark is a network packet that captures a NIC on a machine, and when you have multiple NICs on your machine, you need to select a NIC.

Click Caputre->interfaces. The following dialog box appears and selects the correct network card. Then click on the "Start" button to start grabbing the bag

Wireshark Window Introduction

WireShark is mainly divided into these interfaces

1. Display filter (show filters) for filtering

2. Packet list Pane (packet list), displays the captured packets, the source address and destination address, and the port number. Different colors, representing

3. Packet details Pane (packet detail), showing the fields in the package

4. Dissector Pane (16 binary data)

5. Miscellanous (Address bar, miscellaneous)

Wireshark Display Filter

The use of filtering is very important, when beginners use Wireshark, will get a lot of redundant information, in thousands of or even tens of thousands of records, so that it is difficult to find the part of their own. Got dizzy.

Filters help us quickly find the information we need in a large amount of data.

There are two types of filters,

One is the display filter, which is the one on the main interface, which is used to find the required records in the captured records.

One is the capture filter, which filters the captured packets to avoid capturing too many records. Set in Capture Filters

Save Filter

On the filter bar, after filling in the filter expression, click the Save button and take a name. For example, "Filter 102″,

There is a "filter 102″" button on the filter bar.

Filter the rules of an expression

An expression rule

1. Protocol filtering

TCP, for example, shows only the TCP protocol.

2. IP filtering

For example IP.SRC == display source address is,

IP.DST==, the target address is

3. Port filtering

Tcp.port ==80 with a port of 80

Tcp.srcport = = 80, only the TCP protocol's wish port is 80.

4. HTTP Mode filtering

http.request.method== "Get", showing only the HTTP GET method.

5. Logical operator is and/or

Commonly used filter expressions

Filter an expression Use
http View only the records of the HTTP protocol
IP.SRC == or ip.dst== Source address or Destination address is
Package list (Packet list Pane)

The list of packets is displayed in the panel, number, timestamp, source address, destination address, protocol, length, and packet information. You can see that different protocols are displayed in different colors.

You can also modify these display color rules, View->coloring.

Packet Details (Packet details Pane)

This panel is the most important one for us to view each of the fields in the protocol.

Each line information is

Frame: Data Frame overview of the physical layer

Ethernet II: Data Link Layer Ethernet frame header information

Internet Protocol Version 4: Internet Layer IP packet header information

Transmission Control Protocol: Data segment header information for the Transport layer T, here is the TCP

Hypertext Transfer Protocol: Application layer information, here is the HTTP protocol

Wireshark and corresponding OSI seven-layer model

Specific contents of TCP packets

Each field in the TCP package that you can see from the Wireshark capture.

Example analysis of TCP three-time handshake process

See this, basically have a preliminary understanding of Wireshak, now we look at a TCP three-time handshake instance

The three-time handshake process is

I have seen this picture many times, this time we use Wireshark practical analysis of the three times the process of shaking hands.

Open Wireshark, open browser input Http://www.cnblogs.com/tankxiao

Enter the HTTP filter in Wireshark, then select the record Get/tankxiao http/1.1, right-click on "Follow TCP Stream",

The purpose of this is to get the data packets associated with the Web browser opening, which will be

In the figure, you can see that the Wireshark intercepted three packets of three handshakes. The fourth package is HTTP, which means that HTTP is indeed a connection using TCP.

First-time handshake packet

The client sends a TCP, the flag bit is SYN, the sequence number is 0, which represents the client request to establish a connection. Such as

Data packet for the second handshake

The server sends back a confirmation package with the flag bit syn,ack. Set the confirmation sequence number (acknowledgement numbers) to the customer's I S n plus 1. That is, 0+1=1, as

The third handshake Packet

The client sends the confirmation packet again (ACK) to the SYN flag bit for the 0,ACK flag bit of 1. and sends the server an ACK to the ordinal field +1, which is sent to the other party in the OK field. and write +1 of isn in the data segment, such as:

This way, the TCP three handshake is passed, and the connection is established.

Extended reading:
    • One-stop learning Wireshark (i): Wireshark basic usage
    • One-stop learning Wireshark (ii): Application Wireshark observing basic network protocols
    • One-Stop learning Wireshark (iii): Analyze data flow using Wireshark IO graphical tools
    • One-stop learning Wireshark (iv): TCP retransmission and duplicate ACK for network performance troubleshooting
    • One-stop learning Wireshark (v): TCP window and congestion processing
    • One-stop learning Wireshark (vi): Sniper Network High latency Point
    • One-Stop learning Wireshark (vii): Statistics statistical tools function and application
    • One-stop learning Wireshark (eight): Apply Wireshark filter conditions to crawl specific data streams

Wireshark Basic introduction and learning TCP three-time handshake

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.