Wireshark basic introduction and learning TCP three-way handshake
This article introduces wireshark, a useful packet capture tool, to obtain network data packets, including http, TCP, UDP, and other network protocol packets.
I remember that I learned the TCP three-way handshake protocol when I was in college. At that time, I only knew that although I had read a lot of TCP and UDP materials in the book, I never really saw these packets, I always feel the same as floating on the cloud, and I am not steadfast in learning. With wireshark, You can intercept these network packets and clearly view each field in the packets. We can better understand network protocols.
Wireshark is the best tool for me to learn network protocols.
Wireshark official download site: http://www.wireshark.org/
Wireshark is a very popular network packet analysis software with powerful functions. You can intercept various network packets to display the details of network packets.
Wireshark is an open-source software that can be safely used. It can run on Windows and Mac OS.
Wireshark users must understand the network protocol. Otherwise, wireshark cannot be understood.Wireshark cannot do
For security considerations, wireshark can only view packets, but cannot modify the contents of the packets or send packets.Wireshark VS Fiddler
Fiddler is a program running on windows. It is specially used to capture HTTP and HTTPS.
Wireshark can obtain HTTP and HTTPS, but cannot decrypt HTTPS, so wireshark cannot understand the content in HTTPS
To sum up, if HTTP and HTTPS are processed, or Fiddler is used, other protocols such as TCP and UDP use wireshark.Other similar tools
Microsoft network monitor
SnifferWho will use wireshark?
1. The network administrator will use wireshark to check network problems
2. Software Testing engineers use wireshark to capture packets and analyze the software they test.
3. engineers engaged in socket programming will use wireshark for debugging
4. I heard that most engineers of Huawei and ZTE will use wireshark.
In short, wireshark may be used for network-related things.Wireshark starts packet capture
Wireshark is a network package that captures a certain network card on the machine. When there are multiple network cards on your machine, you need to select a network card.
Click Caputre-> Interfaces .. The following dialog box is displayed. Select the correct Nic. Click "Start" to Start packet capture.Wireshark window Introduction
WireShark is mainly divided into these interfaces
1. Display Filter, used for filtering
2. Packet List Pane (Packet List): displays the captured packets, source addresses, target addresses, and port numbers. Different colors, representing
3. Packet Details Pane (Packet Details) to display the fields in the Packet
4. Dissector Pane (hexadecimal data)
5. Miscellanous (Address Bar, miscellaneous)Wireshark display Filtering
Filtering is very important. When Beginners use wireshark, they will get a lot of redundant information, which is so difficult to find what they need in thousands or even tens of thousands of records. Confused.
Filters help us quickly find the information we need in a large amount of data.
There are two filters,
One is the display filter, which is the one on the main interface used to find the desired record in the captured record.
One is the capture filter, which is used to filter captured packets to avoid capturing too many records. Set in Capture-> Capture FiltersSave Filter
In the Filter column, fill in the Filter expression and click Save to get a name. For example, "Filter 102 ",
A "Filter 102" button is added to the Filter column.Filter expression rules
1. Protocol Filtering
For example, TCP only displays the TCP protocol.
2. IP address filtering
For example, ip. src = 192.168.1.102 indicates that the source address is 192.168.1.102,
Ip. dst = 192.168.1.102, Destination Address: 192.168.1.102
3. Port Filtering
Tcp. port = 80, port 80
Tcp. srcport = 80, only display the port of TCP protocol is 80.
4. Http mode filtering
Http. request. method = "GET", only the http get method is displayed.
5. The logical operator is AND/OR.
Common filter expressions
|Http||View Only HTTP protocol records|
|Ip. src = 192.168.1.102 or ip. dst = 192.168.1.102||The source address or target address is 192.168.1.102.|
The number, timestamp, source address, target address, protocol, length, and packet information are displayed on the panel of the package list. You can see that different protocols are displayed in different colors.
You can also modify the display color Rules, View-> Coloring Rules.Packet Details Pane)
This panel is the most important for us to view every field in the Protocol.
Each row information is
Frame: data Frame overview of the Physical Layer
Ethernet II: Ethernet frame header information at the data link layer
Internet Protocol Version 4: Internet layer IP packet header information
Transmission Control Protocol: information about the data segment header of transport layer T, which is TCP
Hypertext Transfer Protocol: information of the application layer. This is the HTTP Protocol.
Wireshark and corresponding OSI Layer-7 Model Specific content of the TCP package
Each field in the TCP packet captured by wireshark is displayed.Instance analysis TCP three-way handshake process
Now we have a preliminary understanding of wireshak.
The three-way handshake process is
I have read this picture many times. This time we used wireshark to analyze the three handshakes.
Open wireshark, open browser input http://www.cnblogs.com/tankxiao
Enter http filtering in wireshark, select the record of GET/tankxiao HTTP/1.1, right-click and click "Follow TCP Stream ",
The purpose of this operation is to obtain the data packets related to opening the website in a browser.
As shown in the figure, wireshark intercepts three data packets of three handshakes. The fourth packet is HTTP, which indicates that HTTP uses TCP to establish a connection.
First handshake packet
The client sends a TCP packet. The flag is SYN and the serial number is 0, indicating that the client requests to establish a connection. For example
The second handshake packet.
The server sends back the confirmation packet. The flag is SYN, and ACK. Sets Acknowledgement Number to the customer's I S N plus 1 to. 0 + 1 = 1, as shown in
Data packet for the third handshake
The client resends the ack syn flag to 0 and the ACK flag to 1. in addition, the serial number field + 1 sent from the server is placed in the confirmation field and sent to the other party. and put the ISN's + 1 in the data segment, for example:
In this way, the TCP three-way handshake is used to establish a connection.
Install Wireshark in Ubuntu 13.10
Simple use of Wireshark
Install Wireshark in Ubuntu 12.04
Starting Wireshark packet capture from common users in Linux
Install and run Wireshark in Linux
Wireshark details: click here
Wireshark: click here
This article permanently updates the link address: