Wireshark Data Capture Tutorial: Capturing Data with Wireshark


Wireshark Packet Capture Methods

When using Wireshark to capture Ethernet data, you can capture and analyze your own packets, or, on the same LAN, capture another host's packets if you know its IP address.

Wireshark Capturing Its Own Packets

A client connected directly to the Internet through a router is shown in Figure 1.28. In this diagram, PC A has Wireshark installed and can capture its own traffic directly on that host.

Figure 1.28 Capturing data on the host

Wireshark Capturing Another Host's Packets

If you are on a LAN and know another host's IP address, you can also use Wireshark to capture that host's packets. There are three ways to do this:

1. Port mirroring

PCs connected to the same switch within a LAN are shown in Figure 1.29. PC A and PC B are on the same switch. When PC A has Wireshark installed, the switch can be configured to mirror the port of any other PC, copying all of that port's traffic to the port where the Wireshark host is connected. PC A can then capture the traffic of other PCs, for example that of PC B.

2. Using a hub

We can replace the switch in Figure 1.29 with a hub, so that all packets share the same medium: every packet, whoever it belongs to, is sent to every computer on the hub. Setting the NIC to promiscuous mode is then enough to capture other hosts' packets.

3. Using ARP spoofing

As we all know, data sent and received passes through the router, as shown in Figure 1.30. After installing Wireshark on PC A in this figure, ARP spoofing can be used to capture packets sent by PC B or PC C, or exchanged between PC B and PC C. PC A sends ARP packets within the LAN that make the other computers mistakenly believe it is the gateway. The other computers then send their packets to PC A, so PC A can capture them.

Figure 1.29 Capturing PC B's packets
Figure 1.30 Capturing packets
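The symptom of the ARP spoofing described above, as seen from the defender's side, is one IP address (typically the gateway's) being claimed by two different MAC addresses; this is the condition Wireshark's expert information reports as a duplicate IP address. The following added example, which is not part of the original tutorial, parses a few constructed Ethernet/ARP frames (all MAC and IP addresses are made up) and reports such conflicts.

```python
import struct
from collections import defaultdict

# Constructed frames for the example (not a real capture): Ethernet II frames carrying ARP.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def arp_frame(src_mac, sender_ip, dst_mac, target_ip, op=2):
    """Build an Ethernet + ARP frame; op=1 is a request, op=2 a reply."""
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(src_mac), ip4(sender_ip), mac(dst_mac), ip4(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    _, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

def find_duplicate_ips(frames):
    """Map each sender IP to the MACs that claimed it; return IPs claimed by more than one MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            _, sender_mac, sender_ip = parsed
            claims[sender_ip].add(sender_mac)
    return {addr: sorted(macs) for addr, macs in claims.items() if len(macs) > 1}

# Sample traffic: the real gateway announces 192.168.1.1, PC B replies to it, then a third
# host also claims 192.168.1.1, the pattern produced by the gateway impersonation described above.
SAMPLE = [
    arp_frame("aa:bb:cc:00:00:01", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.1", op=1),
    arp_frame("aa:bb:cc:00:00:02", "192.168.1.20", "aa:bb:cc:00:00:01", "192.168.1.1"),
    arp_frame("aa:bb:cc:00:00:99", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
]
print(find_duplicate_ips(SAMPLE))
```

On a saved capture the same check corresponds to filtering on ARP and looking for the duplicate-address warning in the Expert Information window.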

Wireshark Capturing Data

Start Wireshark from the Windows program menu; the interface shown in Figure 1.31 appears.

Figure 1.31 Wireshark main interface
Figure 1.32 Capturing network data

In this interface you can see three capture interfaces: Local Area Connection, VMware Network Adapter VMnet1, and VMware Network Adapter VMnet8. This machine has three; on other computers the capture interfaces may differ. Network data can only be captured after a capture interface has been selected, so first select the interface. Here, Local Area Connection is selected as the capture interface; then click the Start button to capture network data, as shown in Figure 1.32.

Click the stop button shown in the figure to stop capturing. The captured data can then be saved: click the save button shown in the figure to display the interface in Figure 1.33.

In this dialog, choose where to save the captured data and enter a file name, then click the Save button. Here the file is saved on the desktop with the name Wireshark.

Wireshark Opening a Capture File

The captured data is saved so that it can be examined later. How, then, is a saved capture file opened? The steps are as follows.

(1) In the Wireshark start interface, click the Open button; the Open dialog box shown in Figure 1.34 pops up.

(2) In this dialog, select the location where the capture file was saved, then click the Open button to open it.

Wireshark Quick Start

Having learned to capture with Wireshark, it is also necessary to understand the purpose of each part of Wireshark in more detail. This section explains them.

Wireshark Main Window Interface Introduction

Open a capture file, as shown in Figure 1.35:

Figure 1.35 Wireshark main window interface
Figure 1.36 Menu bar

In Figure 1.35, each part of the Wireshark window is marked with a number. The meaning of each part is as follows:

    • ① Title bar: displays the file name and the name of the capture device.
    • ② Menu bar: Wireshark's standard menu bar.
    • ③ Toolbar: shortcut icon buttons for common functions.
    • ④ Display filter area: reduces the amount of data to look through.
    • ⑤ Packet list panel: displays a summary of each data frame.
    • ⑥ Packet details panel: shows the packet's fields for analysis.
    • ⑦ Packet bytes panel: displays the packet contents in hexadecimal and ASCII.
    • ⑧ Status bar: the number of packets, displayed packets and marked frames, and the current profile.

The above is a brief introduction to the Wireshark main window. Each part is described in detail below.

Wireshark Menu Bar Introduction

The Wireshark menu bar is shown in Figure 1.36. The two menus crossed out in the figure are described in the toolbar section.

The function of each menu in the menu bar is as follows:

    • File: open capture files, save packets, export HTTP objects.
    • Edit: find packets, mark packets, and set preferences such as time properties.
    • View: show or hide toolbars and panels, edit the time display, reset coloring, and more.
    • Analyze: create display filter macros, view enabled protocols, save "Decode As" settings.
    • Statistics: build graphs and open the various protocol statistics windows.
    • Telephony: perform all telephony functions (charts, graphs, playback).
    • Bluetooth: ATT service settings.
    • Help: Wireshark help, including the locations of the global and personal configuration files.

Wireshark Toolbar Introduction

Once users understand the role of each button in the toolbar, they can quickly perform various actions. The function of each toolbar button is shown in Figure 1.37.

Figure 1.37 Toolbar
Figure 1.38 Wireshark panels

Wireshark Panel Introduction

Wireshark has three panels: the packet list panel, the packet details panel, and the packet bytes panel. Their positions are shown in Figure 1.38.

The three panels are marked in this figure. They are interrelated: to see the details of a single packet in the packet details panel, you must first click that packet in the packet list panel. After the packet is selected, selecting one of its fields in the packet details panel highlights the bytes of that field in the packet bytes panel for analysis. The contents of each panel are described below.

1. Packet List Panel

This panel displays all the packets in the current capture file in tabular form. From Figure 1.38 you can see that the panel has seven columns, with the following meanings:

    • No. column: the packet number. The number does not change even when a filter is applied.
    • Time column: the packet timestamp. The time format can be configured.
    • Source and Destination columns: the packet's source and destination addresses.
    • Protocol column: the packet's protocol type.
    • Length column: the length of the packet.
    • Info column: additional information about the packet.

In this panel you can sort columns, move columns, hide and show columns, rename or delete columns, and so on. Examples of the operations possible in this panel follow.

Example 1-4 demonstrates the functions available in the packet list panel, as follows:

(1) Sorting columns

Open the capture file http.pcapng, as shown in Figure 1.39.

Figure 1.39 http.pcapng capture file
Figure 1.40 Sorting the Protocol column

The interface shows the packets in the http.pcapng capture file. By default Wireshark sorts packets by packet number, from low to high. To sort by the Protocol column, for example, click the Protocol column heading; the interface shown in Figure 1.40 appears.

Comparing this interface with Figure 1.39, the difference is obvious: the order of the No. column has changed, and the Protocol column now starts with ARP.

(2) Moving a column

For example, to move the Protocol column in the http.pcapng capture file to the right of the Time column, select the Protocol column heading with the mouse and drag it to the right of Time; the interface shown in Figure 1.41 appears.

Figure 1.41 Moving the Protocol column
Figure 1.42 Column operation options

(3) Hiding, renaming and deleting columns

In the http.pcapng capture file, right-click any column heading in the packet list panel; the drop-down menu shown in Figure 1.42 appears.

    • Hide and restore columns: in the pop-up menu, each of the seven column headings of the packet list panel has a tick in front of it. To hide a column, click it; the tick disappears and the column is hidden. To restore it, right-click any column heading in the packet list panel and select the column in the same way.
    • Rename a column: click Edit Column in the pop-up menu to display the interface shown in Figure 1.43.

Figure 1.44 Wireshark Preferences

This interface appears above the packet list panel. Enter the new name in the Title text box at the left end of the interface, then click the OK button on the right side to

    • Delete and restore columns: in the pop-up menu, click the Remove this Column option at the bottom. To restore a column, click the Column Preferences... option, or select Edit | Preferences from the menu bar and click Columns on the left of the dialog that appears; this opens the Wireshark Preferences dialog shown in Figure 1.44.

Click the add button in the lower-left corner to create a new column with the title "New Column" and the type "Number". Double-click the title or the type to change them, then click the OK button when you are done.

In Wireshark you can also perform many operations on the packets in the packet list panel, such as marking packets, ignoring packets, and so on. Right-click any packet to see the available options, as shown in Figure 1.45.

Figure 1.45 Available options
Figure 1.46 Context menu

This figure shows the options available for a packet in the packet list panel. Among them, marking packets lets you quickly identify problematic packets.

2. Packet Details Panel

This panel displays the contents of a packet hierarchically; the tree can be expanded or collapsed to show all the content captured in the packet.

In the packet details panel, the details are collapsed by default. To view them, click the small triangle in front of a line to expand that subtree of the frame. You can also select a row and right-click to pop up a menu, as shown in Figure 1.46.

In this menu, select Expand Subtree (a single subtree) or Expand All.

3. Packet Bytes Panel

The content of this panel is probably the most confusing, because it shows the raw, unprocessed form of the packet, that is, what it looks like as it travels over the link.

The data in this panel shows the contents of the frame in hexadecimal and ASCII. When you select a field in the packet details panel, the bytes that make up that field are highlighted in the packet bytes panel. If you do not want to see the packet bytes panel, select View | Packet Bytes from the menu bar to close it; use the same command to open it again.
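To make the link between the packet details panel and the packet bytes panel concrete, the following added example (not part of the original tutorial) renders a constructed Ethernet II frame the way the bytes panel does, offset plus hexadecimal plus ASCII, and brackets the bytes that belong to a selected header field; the frame contents and the field offset table are assumptions made for the example.

```python
# Constructed Ethernet II frame (not from a real capture): dst MAC, src MAC,
# EtherType 0x0800, followed by 20 payload bytes that happen to be printable.
FRAME = bytes.fromhex("ffffffffffff" "aabbcc000001" "0800") + bytes(range(0x40, 0x54))

# Byte ranges the packet details panel would attribute to each Ethernet header
# field: name -> (offset, length).
ETH_FIELDS = {"eth.dst": (0, 6), "eth.src": (6, 6), "eth.type": (12, 2)}

def hexdump(data, highlight=None, width=16):
    """Render data the way the packet bytes panel does: offset, hex bytes, ASCII.
    highlight is an (offset, length) pair; its bytes are wrapped in [ ] in the hex
    column to stand in for the panel's highlighting of the selected field."""
    start, end = (highlight[0], highlight[0] + highlight[1]) if highlight else (-1, -1)
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        cells = []
        for i, b in enumerate(chunk):
            cell = f"{b:02x}"
            cells.append(f"[{cell}]" if start <= off + i < end else f" {cell} ")
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {''.join(cells):<{width * 4}} {text}")
    return "\n".join(lines)

def dump_field(frame, field):
    """Dump frame with the bytes of the named Ethernet field highlighted."""
    return hexdump(frame, ETH_FIELDS[field])

print(dump_field(FRAME, "eth.type"))
```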

Wireshark Status Bar Introduction

The status bar consists of two buttons and three columns; the widths of the three columns can be adjusted as needed. The meaning of each part of the status bar is shown in Figure 1.47.

Figure 1.47 Status bar

Each part of the status bar is described in detail below:

    • Expert Information button: the color of this button shows the highest severity level of information in the Expert Information window. The Expert Information window can alert users to network problems in the capture file and to comments on packets.
    • Capture File Comment button: click this button to add, edit, or view a comment for the capture file. This feature is only available for capture files saved in the .pcapng format.
    • First column (field, capture or capture file information): when a capture file is open, this column shows the file name and file size. If you click a field in the packet bytes panel, its field name is displayed in the status bar, and the packet details panel changes accordingly.
    • Second column (number of packets): when a capture file is opened, the second column shows the total number of packets in the file. In Figure 1.47, the number of packets captured, the number displayed, and the load time are shown. If any packets are marked in the current capture file, the number of marked packets also appears in the status bar.
    • Third column (configuration profile): shows the profile currently in use. In Figure 1.47 the Default profile is in use. Profiles can be created to customize the Wireshark environment.

This article is excerpted from the Wireshark Data Capture Basic Tutorial (Daxueba internal training material). Please indicate the source when reproducing; respect the technology and respect IT professionals!
