Wireshark entry and entry-data packet capture and storage process

Source: Internet
Author: User
Wireshark entry and advanced series (1)

This document is composed-Qingsong[Home page: http://blog.csdn.net/howeverpf.pdf original, please note the source!

You can enter the keyword Wireshark, usage, and tutorial on Baidu to find a lot of related materials. So the question is,

Why should I write this series of articles?

Most of the information you can find earlier may have two minor problems:

  1. Most of the information on the Internet is derived from (or translated from) Wireshark's official user manual, or is written in a way similar to a user manual. They tell you in detail what windows, menus, and options Wireshark has, what functions can these windows, menus, and options accomplish. This may be effective for people who have basic experience and have encountered problems and need to query and solve them. For a person who has no experience in using it, he has a lot of free time, out of interest, it is also appropriate for people who want to fully understand this tool. However, for those who have never used Wireshark, it is only because of a certain requirement, it is definitely not suitable for the dishes who want to quickly use Wireshark to complete a task.
  2. Most of the data on the Internet has been around for years. due to objective factors, Wireshark versions for most of the data have been stopped at 1.08.x. At present, Wireshark's beta version has been updated to 1.99.0, and the stable version has been updated to 1.12.1 (even those of me who are used to slow shooting are already 1.10.0 ......) There is a lag in the data.
That's why I write these articles. based on the first point, this series of articles are written in the form of "question/requirement --> process/step --> note/description". Based on the second point, in this series of articles, the default Wireshark version is 1.10.0rc2 (Figure 1 shows the boot interface that appears after the version is started ).

I. The most basic process of packet capture using Wireshark sometimes, we only need to use Wireshark to simply capture some data packets to see the current network operation or local communication, there is no clear requirement on the data packet type and content as expected. In this case, the process is simple:
"Start the software --> select the NIC (commonly known as the network interface card, also referred to as the interface) and start packet capture --> stop packet capture --> data packet save"
1.1 The Boot software is different from the old Wireshark version when it is started and directly enters the main interface. The Boot interface shown is displayed first after the software is started in 1.8.x. This interface contains the shortcut buttons for Wireshark's most common functions, including capture, capture help, files, and online.

Figure 1 new Wireshark boot page

1.2 select the nic and start packet capture

This article only focuses on real-time packet capture for the moment, so we focus on the previous Figure 1The "capture" section in the upper left corner is as follows:

Figure 2 section of the New Wireshark boot Interface related to real-time packet capture

This section contains three shortcut buttons: interface list (NIC details list), start (start packet capture), and capture options (capture options ). Below the "Start" button is a brief list of NICs. When Wireshark is used on our PC, we generally know the running status of each Nic on the PC. For example, if I do not plug in a network cable and use the WiFi shared by my roommate, only the wireless network card is needed for communication. Therefore, to capture packets, clickFigure 2In the "Start" button under the "wireless network connection" (if you need to check, use the ctrl key) [black box at the bottom ], click the "Start" button to [mark the black oval box above the center], and Wireshark starts to capture packets.

In some cases, we may not be very clear about the running status of the NIC on the host.Figure 2In the interface list button, the following list of network card details is displayed,

Figure 3 Nic details list

You can intuitively see the packets in the upper and lower lines of each network card (marked by the black rounded corner box in the upper right corner). According to this information, we can clearly see that only "Wireless Network Connections" are currently in communication, therefore, select the check box in front of this Nic, and click "start" and click "mark in the black oval box below". Wireshark starts to capture packets.

1.3 Stop packet capture

When the packet to be captured is completed, Wireshark must be stopped. There are three basic methods to stop packet capture,

  1. Use Ctrl + E
  2. Menu Bar: Choose "capture" --> "stop "【Figure 4As shown in]
  3. Toolbar: Click the fourth square button,Figure 5Labeling in the black elliptical box]

Figure 4 capture menu

Figure 5 Toolbar

1.4 data packet Storage

After capturing data packets, we may not be in a rush to perform analysis immediately, or the current analysis is not complete enough. We need to deepen the analysis later ...... We need to use files to save these data packets.

There are also three ways to save data packets,

  1. Press Ctrl + S;
  2. Menu Bar: click "file" --> "save"
  3. Toolbar: Click [7th,Figure 5Mark the black rounded corner box]

The following window is displayed,

Figure 6 data packet storage formats supported by Wireshark

The new Wireshark version supports many formats when storing data packets 【Figure 6In the black corner box ]. We can see that the default storage type is pcapng, which may be a format with many advantages, but for compatibility consideration, I suggest you set the storage format to the second option when saving the package 【Figure 6In the black rounded corner box ]. This is mainly because pcapng is still a new product and there are not enough software to support it.

Sometimes, we capture data packets not only for our own views, but also for peer analysis. If your peer uses Wireshark versions earlier than 1.8.x or other tools that are more convenient, the pcap format, which is widely supported in the industry, will certainly help you build a fast bridge for communication.

When saving the data packet, there is an option "Compress With gzip" in the lower left corner "【Figure 6Note in the black oval box]. If you select this option, the saved file will be compressed by gzip. Generally, you do not need to select this option when saving data packets, because there is no need to compress when there are few data packets, and the file can be fully saved when there are too many data packets, pack the package with the compression software.

At this point, the most basic packet capture process is finished. This article ends. The next article will introduce the meaning and settings of capture options!

------ This article is published by csdn-qingsong! ------

Wireshark entry and entry-data packet capture and storage process

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.