When using Wireshark to capture Ethernet data, you can capture and analyze your own packets, or, on the same LAN, capture another host's packets if you know its IP address.
If the client connects to the Internet directly through a router, as shown in Figure 1.28, PC A, on which Wireshark is installed, can capture its own data directly on the host.
Figure 1.28 Capturing data on the host
If you are on a LAN and know another host's IP address, you can also use Wireshark to capture that host's packets. There are three ways to do this:
1. Port mirroring
Within the LAN, PCs connected to the same switch are shown in Figure 1.29. PC A and PC B are connected to the same switch. After Wireshark is installed on PC A, the switch port of any PC can be mirrored: the switch is configured to copy all traffic from that port to the switch port where the Wireshark host is connected. PC A can then capture other PCs' traffic, for example PC B's packets.
2. Using a hub
We can replace the switch in Figure 1.29 with a hub so that all packets are shared: whichever host sends a packet, it is delivered to every computer on the hub. Setting the NIC to promiscuous mode is then enough to capture other hosts' packets.
3. Using ARP spoofing
We all know that data sent and received passes through the router, as shown in Figure 1.30. After Wireshark is installed on PC A in this figure, ARP spoofing can be used to capture the packets exchanged with PC B or PC C. PC A sends ARP packets within the LAN that make the other computers mistakenly believe it is the gateway; the other computers then send their packets to PC A, so PC A can capture them.
Figure 1.29 Capturing PC B's packets
Figure 1.30 Capturing packets via the gateway
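A defender's-side check for the ARP spoofing scenario above, as an added example that is not part of the original tutorial: it parses raw Ethernet/ARP frames (constructed here, laid out exactly as Wireshark's packet bytes panel would show them) and reports any IP address, such as the gateway's, that two different MAC addresses claim, which is the same condition Wireshark's ARP dissector flags as a duplicate IP address. The frame builder and all MACs and IPs are constructed for the example.

```python
import struct
from collections import defaultdict

# Layouts of a 14-byte Ethernet header and a 28-byte IPv4-over-Ethernet ARP packet.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_arp_reply(src_mac, sender_ip, dst_mac, target_ip):
    """Construct a raw ARP reply frame (sample input only, not captured traffic)."""
    eth = ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, src_mac, sender_ip, dst_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (sender MAC, sender IP) for an IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(sha), ip(spa)

def find_ip_mac_conflicts(frames):
    """Map each sender IP to the MACs that claimed it; return only IPs claimed by more than one."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            sender_mac, sender_ip = parsed
            claims[sender_ip].add(sender_mac)
    return {addr: sorted(macs) for addr, macs in claims.items() if len(macs) > 1}

# Constructed addresses: the real gateway, PC A (later claiming the gateway IP) and PC B.
GATEWAY_MAC, PC_A_MAC, PC_B_MAC = (bytes.fromhex(h) for h in
                                   ("0011223344aa", "0011223344bb", "0011223344cc"))
GATEWAY_IP, PC_B_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, PC_B_MAC, PC_B_IP),  # genuine gateway reply
    build_arp_reply(PC_A_MAC, GATEWAY_IP, PC_B_MAC, PC_B_IP),     # a second MAC claims the gateway IP
    build_arp_reply(PC_B_MAC, PC_B_IP, GATEWAY_MAC, GATEWAY_IP),  # PC B answering the gateway normally
]
```

Running find_ip_mac_conflicts over a real capture's ARP frames gives the same IP-to-MAC conflict list a Wireshark arp filter would let you spot by eye.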
Start Wireshark from the Windows Start menu; the interface shown in Figure 1.31 appears.
Figure 1.31 Wireshark main interface
Figure 1.32 Capturing network data
In this interface you can see Local Area Connection, VMware Network Adapter VMnet1 and VMware Network Adapter VMnet8, which are the three capture interfaces. This machine has three; on other computers the capture interfaces may differ. Network data can only be captured after a capture interface has been selected, so first select the interface. Here, select Local Area Connection as the capture interface and then click the Start button to capture network data, as shown in Figure 1.32.
Click the button shown in the figure to stop capturing. The captured data can then be saved: click the button shown in the figure to display the interface in Figure 1.33.
In this interface, choose where to save the captured data and give the file a name, then click the "Save" button. Here the file is saved on the desktop with the filename Wireshark.
The captured data is saved so that it can be examined later. So how do you open a file that has already been captured? That is described here.
(1) In the Wireshark start interface, click the Open button; the Open dialog box pops up, as shown in Figure 1.34.
(2) In this interface, select the location where the capture file was saved, then click the Open button to open the captured file.
After learning to use Wireshark, you also need to understand what each part of Wireshark is for. This section explains this in more detail.
Open a capture file, as shown in Figure 1.35:
Figure 1.35 Wireshark main window interface
Figure 1.36 Menu bar
In Figure 1.35, each part of Wireshark is marked with a number. The meaning of each section is described below:
The above is a brief introduction to the sections of the Wireshark main window; each part is described in detail below.
The Wireshark menu bar is shown in Figure 1.36. The two menus outlined in that figure are described in the toolbar section.
The function of each button in the menu bar is as follows:
Once users know what each button in the toolbar does, they can quickly perform various actions. The function of each toolbar button is shown in Figure 1.37.
Figure 1.37 Toolbar
Figure 1.38 Wireshark panels
Wireshark has three panels: the packet list panel, the packet details panel and the packet bytes panel. The positions of these three panels are shown in Figure 1.38.
The three panels are marked in this interface. They are interrelated: to see the specifics of a single packet in the packet details panel, you must first click that packet in the packet list panel. Once the packet is selected, selecting a field in the packet details panel shows the bytes of that field in the packet bytes panel for analysis. The contents of each panel are described below.
1. Packet list panel
The panel displays all packets in the current capture file in tabular form. In Figure 1.38 you can see that the panel has seven columns, with the following meanings:
In this panel you can sort columns, adjust column positions, hide columns, display columns, rename or delete columns, and so on. The following examples show the operations available in this panel.
"Example 1-4" demonstrates the functions available in the packet list panel, as follows:
(1) Sorting columns
Open the capture file http.pcapng, as shown in Figure 1.39.
Figure 1.39 The http.pcapng capture file
Figure 1.40 Sorting the Protocol column
The interface shows the packets in the http.pcapng capture file. By default, Wireshark sorts by packet number from low to high. To sort the Protocol column, for example, click the Protocol column heading; the interface shown in Figure 1.40 appears.
Comparing this interface with Figure 1.39 shows a clear difference: the order in the No. column has changed, and the Protocol column now starts with ARP.
(2) Moving a column
For example, move the Protocol column in the http.pcapng capture file to the right of the Time column. Select the Protocol column heading with the mouse and drag it to the right of Time; the interface shown in Figure 1.41 appears.
Figure 1.41 Moving the Protocol column
Figure 1.42 Column operation options
(3) Hiding, renaming and deleting columns
In the capture file http.pcapng, right-click any column heading in the packet list panel; a drop-down menu pops up as shown in Figure 1.42.
Figure 1.44 Wireshark Preferences
The edit interface appears above the packet list panel; enter the new name in the Title text box at its left end. Then click the OK button on the right side to
Click the button in the lower-left corner to automatically create a new column with the title New Column and the type Number. Double-click the title and the type to change them, then click the OK button to create the column.
In Wireshark you can also perform many operations on the packets in the packet list panel, such as marking, ignoring, setting up grouping, and so on. Right-click any packet to view the available options, as shown in Figure 1.45.
Figure 1.45 Available options
Figure 1.46 Packet details context menu
The interface shows the options available for a packet in the packet list panel. Among them, marking and grouping packets lets you quickly pick out problematic packets.
2. Packet details panel
The panel displays the contents of a packet hierarchically; each level can be expanded or collapsed to show all the content captured in the packet.
In the packet details panel, the details are collapsed by default. To view them, click the small triangle at the start of a line to expand that subtree of the frame. You can also select a row and right-click to pop up a menu, as shown in Figure 1.46.
In this menu, select Expand Subtree (a single subtree) or Expand All.
3. Packet bytes panel
The content of this panel is probably the most confusing, because it shows the raw, unprocessed form of a packet, that is, what it looks like as it travels over the link.
The data in this panel shows the contents of the frame in hexadecimal and ASCII format. When you select any field in the packet details panel, the bytes that make up that field are highlighted in the packet bytes panel. If you do not want to see the packet bytes panel, choose View | Packet Bytes from the menu bar to close it; use the same command to show it again.
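To make the hex/ASCII view and the field highlighting concrete, here is an added example (not from the original tutorial) that renders a constructed 42-byte ARP reply frame in the packet bytes panel's layout (offset, 16 hex bytes per row, ASCII column) and brackets the bytes belonging to a chosen field, the way the panel highlights a field selected in the packet details panel. The field-name-to-offset table and the frame bytes are constructed for the example and cover only Ethernet and ARP header fields.

```python
# Byte ranges (offset, length) of Ethernet/ARP header fields within the frame.
# Constructed for this example; names follow Wireshark's display-filter field names.
FIELD_OFFSETS = {
    "eth.dst": (0, 6), "eth.src": (6, 6), "eth.type": (12, 2),
    "arp.opcode": (20, 2), "arp.src.hw_mac": (22, 6), "arp.src.proto_ipv4": (28, 4),
    "arp.dst.hw_mac": (32, 6), "arp.dst.proto_ipv4": (38, 4),
}

def hexdump(frame, selected=None, width=16):
    """Return packet-bytes-panel style rows; bytes of `selected` are wrapped in [ ]."""
    start, length = FIELD_OFFSETS[selected] if selected else (-1, 0)
    rows = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        cells = []
        for i, b in enumerate(chunk):
            cell = f"{b:02x}"
            if start <= off + i < start + length:   # this byte belongs to the selected field
                cell = f"[{cell}]"
            cells.append(cell)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {' '.join(cells):<{width * 3}}  {ascii_part}")
    return rows

def selected_bytes(frame, field):
    """The raw bytes the panel would highlight for `field`."""
    start, length = FIELD_OFFSETS[field]
    return frame[start:start + length]

# Constructed ARP reply: gateway 192.168.1.1 (MAC ...:aa) answering 192.168.1.20 (MAC ...:cc).
SAMPLE_FRAME = bytes.fromhex(
    "0011223344cc" "0011223344aa" "0806"   # Ethernet: dst MAC, src MAC, EtherType ARP
    "0001" "0800" "06" "04" "0002"         # ARP: htype, ptype, hlen, plen, opcode (reply)
    "0011223344aa" "c0a80101"              # sender MAC, sender IP
    "0011223344cc" "c0a80114"              # target MAC, target IP
)

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_FRAME, "arp.src.proto_ipv4")))
```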
The status bar is made up of two buttons and three columns. The width of the three columns can be adjusted when necessary. The meaning of each section of the status bar is shown in Figure 1.47.
Figure 1.47 Status bar
The role of each section of the status bar is described in detail as follows:
This article is excerpted from the Wireshark Data Capture Basic Tutorial (Daxueba internal material). Please indicate the source when reproducing it; respect the technology and respect the people in IT.