Wireshark basic introduction and learning TCP three-way handshake

Wireshark basic introduction and learning TCP three-way handshake

This article introduces wireshark, a useful packet capture tool, to obtain network data packets, including http, TCP, UDP, and other network protocol packets.

I remember that I learned the TCP three-way handshake protocol when I was in college. At that time, I only knew that although I had read a lot of TCP and UDP materials in the book, I never really saw these packets, I always feel the same as floating on the cloud, and I am not steadfast in learning. With wireshark, You can intercept these network packets and clearly view each field in the packets. We can better understand network protocols.

Wireshark is the best tool for me to learn network protocols.

Reading directory

1. Wireshark Introduction
2. Wireshark cannot do
3. Wireshark VS Fiddler
4. Other similar tools
5. Who will use wireshark?
6. Wireshark starts packet capture
7. Wireshark window Introduction
8. Wireshark display Filtering
9. Save Filter
10. Filter expression
11. Packet List Pane)
12. Packet Details Pane)
13. Wireshark and corresponding OSI Layer-7 Model
14. Specific content of the TCP package
15. Instance analysis TCP three-way handshake process

Wireshark Introduction

Wireshark official download site: http://www.wireshark.org/

Wireshark is a very popular network packet analysis software with powerful functions. You can intercept various network packets to display the details of network packets.

Wireshark is an open-source software that can be safely used. It can run on Windows and Mac OS.

Wireshark users must understand the network protocol. Otherwise, wireshark cannot be understood.

Wireshark cannot do

For security considerations, wireshark can only view packets, but cannot modify the contents of the packets or send packets.

Wireshark VS Fiddler

Fiddler is a program running on windows. It is specially used to capture HTTP and HTTPS.

Wireshark can obtain HTTP and HTTPS, but cannot decrypt HTTPS, so wireshark cannot understand the content in HTTPS

To sum up, if HTTP and HTTPS are processed, or Fiddler is used, other protocols such as TCP and UDP use wireshark.

Other similar tools

Microsoft network monitor

Sniffer

Who will use wireshark?

1. The network administrator will use wireshark to check network problems

2. Software Testing engineers use wireshark to capture packets and analyze the software they test.

3. engineers engaged in socket programming will use wireshark for debugging

4. I heard that most engineers of Huawei and ZTE will use wireshark.

In short, wireshark may be used for network-related things.

Wireshark starts packet capture

Start Interface

Wireshark is a network package that captures a certain network card on the machine. When there are multiple network cards on your machine, you need to select a network card.

Click Caputre-> Interfaces .. The following dialog box is displayed. Select the correct Nic. Click "Start" to Start packet capture.

Wireshark window Introduction

WireShark is mainly divided into these interfaces

1. Display Filter, used for filtering

2. Packet List Pane (Packet List): displays the captured packets, source addresses, target addresses, and port numbers. Different colors, representing

3. Packet Details Pane (Packet Details) to display the fields in the Packet

4. Dissector Pane (hexadecimal data)

5. Miscellanous (Address Bar, miscellaneous)

Wireshark display Filtering

Filtering is very important. When Beginners use wireshark, they will get a lot of redundant information, which is so difficult to find what they need in thousands or even tens of thousands of records. Confused.

Filters help us quickly find the information we need in a large amount of data.

There are two filters,

One is the display filter, which is the one on the main interface used to find the desired record in the captured record.

One is the capture filter, which is used to filter captured packets to avoid capturing too many records. Set in Capture-> Capture Filters

Save Filter

In the Filter column, fill in the Filter expression and click Save to get a name. For example, "Filter 102 ",

A "Filter 102" button is added to the Filter column.

Filter expression rules

Expression rules

1. Protocol Filtering

For example, TCP only displays the TCP protocol.

2. IP address filtering

For example, ip. src = 192.168.1.102 indicates that the source address is 192.168.1.102,

Ip. dst = 192.168.1.102, Destination Address: 192.168.1.102

3. Port Filtering

Tcp. port = 80, port 80

Tcp. srcport = 80, only display the port of TCP protocol is 80.

4. Http mode filtering

Http. request. method = "GET", only the http get method is displayed.

5. The logical operator is AND/OR.

Common filter expressions

Filter expression	Purpose
Http	View Only HTTP protocol records
Ip. src = 192.168.1.102 or ip. dst = 192.168.1.102	The source address or target address is 192.168.1.102.

Packet List Pane)

The number, timestamp, source address, target address, protocol, length, and packet information are displayed on the panel of the package list. You can see that different protocols are displayed in different colors.

You can also modify the display color Rules, View-> Coloring Rules.

Packet Details Pane)

This panel is the most important for us to view every field in the Protocol.

Each row information is

Frame: data Frame overview of the Physical Layer

Ethernet II: Ethernet frame header information at the data link layer

Internet Protocol Version 4: Internet layer IP packet header information

Transmission Control Protocol: information about the data segment header of transport layer T, which is TCP

Hypertext Transfer Protocol: information of the application layer. This is the HTTP Protocol.

 

Wireshark and corresponding OSI Layer-7 Model

Specific content of the TCP package

Each field in the TCP packet captured by wireshark is displayed.

Instance analysis TCP three-way handshake process

Now we have a preliminary understanding of wireshak.

The three-way handshake process is

I have read this picture many times. This time we used wireshark to analyze the three handshakes.

Open wireshark, open browser input http://www.cnblogs.com/tankxiao

Enter http filtering in wireshark, select the record of GET/tankxiao HTTP/1.1, right-click and click "Follow TCP Stream ",

The purpose of this operation is to obtain the data packets related to opening the website in a browser.

As shown in the figure, wireshark intercepts three data packets of three handshakes. The fourth packet is HTTP, which indicates that HTTP uses TCP to establish a connection.

First handshake packet

The client sends a TCP packet. The flag is SYN and the serial number is 0, indicating that the client requests to establish a connection. For example

The second handshake packet.

The server sends back the confirmation packet. The flag is SYN, and ACK. Sets Acknowledgement Number to the customer's I S N plus 1 to. 0 + 1 = 1, as shown in

Data packet for the third handshake

The client resends the ack syn flag to 0 and the ACK flag to 1. in addition, the serial number field + 1 sent from the server is placed in the confirmation field and sent to the other party. and put the ISN's + 1 in the data segment, for example:

In this way, the TCP three-way handshake is used to establish a connection.

Install Wireshark in Ubuntu 13.10

Simple use of Wireshark

Install Wireshark in Ubuntu 12.04

Starting Wireshark packet capture from common users in Linux

Install and run Wireshark in Linux

Wireshark details: click here
Wireshark: click here

This article permanently updates the link address: