Wireshark data packet capture tutorial
Understanding captured packets
Once we understand the role of the main Wireshark window and know how to capture data, the next step is to understand the packets we have captured. Wireshark decodes the binary data captured from the network according to the structure specification of each protocol and shows the result in the Packet Details panel. This section describes how to read a packet so that users can analyze the data clearly.
In Wireshark, three terms are used for captured data: frame, packet, and segment. We will introduce these three terms by analyzing one captured packet, shown in Figure 1.45. When each layer in the frame is expanded, the display looks like Figure 1.48.
Figure 1.48 data packet details
The page shows five layers of information; by default each layer is collapsed. The rows are as follows:
- Frame: overview of the data frame at the physical layer.
- Ethernet II: Ethernet frame header information at the data link layer.
- Internet Protocol Version 4: IP packet header information at the Internet layer.
- Transmission Control Protocol: segment header information at the transport layer; here the protocol is TCP.
- Hypertext Transfer Protocol: application layer information; here the protocol is HTTP.
The following describes the frame, packet and segment parts shown in Figure 1.48:
(1) Physical layer: frame overview
Frame 5: 268 bytes on wire (2144 bits), 268 bytes captured (2144 bits) on interface 0   # frame 5, 268 bytes on the wire, 268 bytes actually captured
Interface id: 0   # interface id
Encapsulation type: Ethernet (1)   # encapsulation type
Arrival Time: Jun 11, 2015 05:12:18.469086000 China Standard Time   # capture date and time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1402449138.469086000 seconds
[Time delta from previous captured frame: 0.025257000 seconds]   # interval between this frame and the previous captured frame
[Time since reference or first frame: 0.537138000 seconds]   # interval between this frame and the first frame
Frame Number: 5   # frame number
Frame Length: 268 bytes (2144 bits)   # frame length
Capture Length: 268 bytes (2144 bits)   # captured length
[Frame is marked: False]   # whether the frame is marked: no
[Frame is ignored: False]   # whether the frame is ignored: no
[Protocols in frame: eth:ip:tcp:http]   # protocol hierarchy encapsulated in the frame
[Number of per-protocol-data: 2]   # number of per-protocol data entries
[Hypertext Transfer Protocol, key 0]
[Transmission Control Protocol, key 0]
[Coloring Rule Name: HTTP]   # name of the coloring rule that matched
[Coloring Rule String: http || tcp.port == 80]   # display filter string of that coloring rule
(2) Data link layer: Ethernet frame header
Ethernet II, Src: Giga-Byt_c8:4c:89 (1c:6f:65:c8:4c:89), Dst: Tp-LinkT_f9:3c:c0 (6c:e8:73:f9:3c:c0)
Destination: Tp-LinkT_f9:3c:c0 (6c:e8:73:f9:3c:c0)   # destination MAC address
Source: Giga-Byt_c8:4c:89 (1c:6f:65:c8:4c:89)   # source MAC address
Type: IP (0x0800)   # EtherType: the payload is an IPv4 packet
(3) Internet layer: IP packet header
Internet Protocol Version 4, Src: 192.168.0.104 (192.168.0.104), Dst: 61.182.140.146 (61.182.140.146)
Version: 4   # Internet Protocol version 4
Header length: 20 bytes   # length of the IP header
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))   # differentiated services field
Total Length: 254   # total length of the IP packet (header plus payload)
Identification: 0x5bb5 (23477)   # identification field
Flags: 0x02 (Don't Fragment)   # flags field
Fragment offset: 0   # fragment offset
Time to live: 64   # TTL
Protocol: TCP (6)   # the upper-layer protocol carried in this packet is TCP
Header checksum: 0x52ec [validation disabled]   # header checksum; Wireshark does not verify it unless the IPv4 checksum validation preference is turned on
Source: 192.168.0.104 (192.168.0.104)   # source IP address
Destination: 61.182.140.146 (61.182.140.146)   # destination IP address
(4) Transport layer: TCP segment header
Transmission Control Protocol, Src Port: 51833 (51833), Dst Port: http (80), Seq: 1, Ack: 1, Len: 214
Source port: 51833 (51833)   # source port number
Destination port: http (80)   # destination port number
Sequence number: 1 (relative sequence number)   # sequence number (relative to the first segment of the connection)
[Next sequence number: 215 (relative sequence number)]   # next sequence number
Acknowledgment number: 1 (relative ack number)   # acknowledgment number (relative)
Header length: 20 bytes   # TCP header length
Flags: 0x018 (PSH, ACK)   # TCP flags field
Window size value: 64800   # receive window size used for flow control
Checksum: 0x677e [validation disabled]   # checksum of the TCP segment; also not verified by default
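To see what the Packet Details pane is doing with the bytes above, the following added example (not from the original tutorial) dissects a constructed Ethernet II / IPv4 / TCP / HTTP frame with the same addresses, IP ID, TTL, ports, flags and lengths as Frame 5, and recomputes the IPv4 header checksum that Wireshark leaves as "[validation disabled]". The TCP sequence/acknowledgment numbers, the TCP checksum and the HTTP request text are made up.

```python
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; caller zeroes the checksum field first."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dissect(frame: bytes) -> dict:
    """Split an Ethernet II / IPv4 / TCP / HTTP frame into the layers the Packet Details pane
    lists and validate the IPv4 header checksum (Wireshark skips this unless the preference is on)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    _, _, total_len, ident, flags_frag, ttl, proto, cksum, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ip_hdr = frame[14:14 + ihl]
    zeroed = ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]      # checksum field occupies bytes 10..11
    t = 14 + ihl
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", frame[t:t + 20])
    payload = frame[t + (off_flags >> 12) * 4:14 + total_len]   # data offset is the top 4 bits
    return {
        "eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": etype},
        "ip": {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
               "total_length": total_len, "id": ident, "df": bool(flags_frag & 0x4000),
               "ttl": ttl, "proto": proto, "checksum": cksum,
               "checksum_ok": ip_checksum(zeroed) == cksum},
        "tcp": {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF, "window": window,
                "flag_names": [n for b, n in TCP_FLAG_NAMES.items() if off_flags & b], "len": len(payload)},
        "http": {"request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")},
    }

def build_sample_frame() -> bytes:
    """Constructed frame mirroring Frame 5 in the text: same MACs, IPs, IP ID 0x5bb5, DF, TTL 64,
    ports 51833 -> 80, PSH/ACK, window 64800; the HTTP request is padded to 214 bytes so that
    Total Length is 254 and the frame is 268 bytes. Seq/ack and the TCP checksum are made up."""
    http = b"GET / HTTP/1.1\r\nHost: www.qq.com\r\nUser-Agent: "
    http += b"x" * (214 - len(http) - 4) + b"\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 51833, 80, 0x1000, 0x2000, (5 << 12) | 0x018, 64800, 0x677e, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0x5bb5, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 104]), bytes([61, 182, 140, 146]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the real header checksum
    eth = bytes.fromhex("6ce873f93cc0") + bytes.fromhex("1c6f65c84c89") + b"\x08\x00"
    return eth + ip + tcp + http

if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

The recomputed checksum comes out as 0x52ec, the value shown in the capture, which is what Wireshark would confirm if checksum validation were enabled.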
Analyzing data packets in Wireshark
The packets captured in Wireshark can be called network data. Every network carries many different applications and every network is different, but some common traffic, such as login sessions and web browsing sessions, appears almost everywhere. This section describes how to analyze network data by looking at a web browser visit.
Accessing a web server generally involves three protocols: DNS, TCP and HTTP. Because the packets exchanged in this process are complex, the following walks through the analysis of web browsing data.
[Example 1-3] Analyze web browsing data. The procedure is as follows:
(1) Capture packets while accessing www.qq.com and save the capture as http-wireshar.pcapng. The capture file used in this example is shown in Figure 1.49.
Figure 1.49 http-wireshar.pcapng capture file
(2) Next, analyze the whole web access process using the data in the capture file. The capture includes DNS requests and responses and the TCP three-way handshake. Figure 1.50 shows the DNS resolution between the client and the website.
Figure 1.50 DNS resolution
(3) Frame 31 is the DNS query asking for the IP address of www.qq.com (an "A" record query). Frame 32 is the DNS response carrying the IP address associated with the host name. If the client supports both IPv4 and IPv6, an IPv6 address query (an "AAAA" record) also appears on this page, and the DNS server then responds with an IPv6 address or a mix of both.
Note: Frame 31 is the client asking the DNS server to resolve Baidu's IP address; it is marked as an "A" record.
Frame 32 is the DNS server responding to the client's request; it is marked as a response.
(4) As shown in Figure 1.51, this view shows the TCP three-way handshake between the client and the server (frames 33, 34, 35) and the client's GET request for the home page (frame 36). The server then acknowledges the request (frame 37) and sends the response packet (frame 38).
Note: Frame 33 is the TCP request the client sends to the server to establish a connection; it is marked as SYN.
Frame 34 is the server returning a confirmation packet to the client after receiving the request; it is marked as SYN, ACK.
Frame 35 is the client acknowledging the server's confirmation packet, after which the connection is established on the server; it is marked as ACK.
Frame 36 is the client sending the HTTP request content to the server; it is marked as GET.
Frame 37 is the server acknowledging the client's request, confirming that the request was received; it is marked as ACK.
Frame 38 is the server responding with the content the client requested.
Figure 1.51 TCP three-way handshake
(5) When the client requests another element from the same server, another GET packet (frame 1909) appears, as shown in Figure 1.52.
Figure 1.52 Requesting another element
In addition, if you connect to another website, the client performs a DNS query (frames 156, 157) and a TCP three-way handshake (frames 158, 159, 160) for the next site again, as shown in Figure 1.53.
Figure 1.53 Requesting the next site
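The following added example (not from the original tutorial) automates the reading of steps (3) to (5): it walks a constructed list of frame summaries mirroring frames 31 to 38, 156 to 160 and 1909, tracks each client/server TCP pair through SYN, SYN/ACK and ACK, and labels every frame the way the notes above do. The frame numbers come from the text; the addresses, the second site and the payload text are constructed, and a GET without a preceding handshake is flagged because Wireshark would show no handshake for that conversation either.

```python
from collections import namedtuple

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits; Wireshark shows SYN/ACK as 0x012 and PSH/ACK as 0x018
Frame = namedtuple("Frame", "no src dst proto flags info", defaults=(0, ""))  # proto: "DNS" or "TCP"

def annotate(frames):
    """Label frames as the tutorial's notes do, keeping one state per client/server pair
    (SYN_SENT -> SYN_RECEIVED -> ESTABLISHED) so a later GET on the same connection, like
    frame 1909, is reported as reuse, while a new site shows a fresh DNS lookup and handshake."""
    conns, labels = {}, {}            # frozenset({client, server}) -> [state, client address]
    for f in frames:
        if f.proto == "DNS":
            labels[f.no] = "DNS response" if f.info == "response" else "DNS query, %s record" % f.info.split()[0]
            continue
        key = frozenset((f.src, f.dst))
        state, client = conns.get(key, ("CLOSED", None))
        from_client = f.src == client
        if f.flags == SYN:
            conns[key] = ["SYN_SENT", f.src]
            labels[f.no] = "SYN: client asks the server to open a connection"
        elif f.flags == SYN | ACK and state == "SYN_SENT" and not from_client:
            conns[key][0] = "SYN_RECEIVED"
            labels[f.no] = "SYN/ACK: server confirms the connection request"
        elif f.flags == ACK and state == "SYN_RECEIVED" and from_client:
            conns[key][0] = "ESTABLISHED"
            labels[f.no] = "ACK: handshake complete, connection established"
        elif state == "ESTABLISHED" and f.flags & PSH and from_client:
            labels[f.no] = "HTTP request on the established connection: " + f.info
        elif state == "ESTABLISHED" and f.flags == ACK and not from_client:
            labels[f.no] = "ACK: server received the request"
        elif state == "ESTABLISHED" and f.flags & PSH and not from_client:
            labels[f.no] = "HTTP response: " + f.info
        else:
            labels[f.no] = "unexpected segment: no handshake seen for this pair"
    return labels

C, D, QQ, OTHER = "192.168.0.104", "192.168.0.1", "61.182.140.146", "198.51.100.7"   # constructed addresses
SAMPLE = [  # frame numbers from the text; contents constructed
    Frame(31, C, D, "DNS", 0, "A www.qq.com"), Frame(32, D, C, "DNS", 0, "response"),
    Frame(33, C, QQ, "TCP", SYN), Frame(34, QQ, C, "TCP", SYN | ACK), Frame(35, C, QQ, "TCP", ACK),
    Frame(36, C, QQ, "TCP", PSH | ACK, "GET / HTTP/1.1"), Frame(37, QQ, C, "TCP", ACK),
    Frame(38, QQ, C, "TCP", PSH | ACK, "HTTP/1.1 200 OK"),
    Frame(156, C, D, "DNS", 0, "A www.example.net"), Frame(157, D, C, "DNS", 0, "response"),
    Frame(158, C, OTHER, "TCP", SYN), Frame(159, OTHER, C, "TCP", SYN | ACK), Frame(160, C, OTHER, "TCP", ACK),
    Frame(1909, C, QQ, "TCP", PSH | ACK, "GET /img/logo.png HTTP/1.1"),
]

if __name__ == "__main__":
    for no, label in annotate(SAMPLE).items():
        print(no, label)
```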