Excerpted from http://blog.csdn.net/howeverpf/article/details/40687049
Wireshark Introduction and Advanced Series (I)
"A gentleman is not born different from other men; he is simply good at making use of things." --- Xunzi
This article is an original post by CSDN user 蚍蜉撼松 (howeverpf, homepage: http://blog.csdn.net/howeverpf); please credit the source when reprinting.
Type the keywords "Wireshark, usage, tutorial" into Baidu and you will find plenty of material. So here is the question:
Why write this series of articles at all?
Most of the material you will find has two small problems:
- Most of it either quotes (or translates) Wireshark's official user guide, or follows the same manual-style layout: it describes every window, menu and option in detail and what each of them does. That is fine for someone who already has basic experience and is looking up the answer to a specific problem, and fine for a complete beginner with plenty of free time who wants a thorough understanding of the tool. It is not suitable for someone with no Wireshark experience and no wish to master it, who just needs to pick it up quickly to finish one task.
- Most of it is several years old, so for practical reasons the Wireshark version it describes stops at 1.8.x. At the time of writing the development version has reached 1.99.0 and the stable version 1.12.1 (even slow adopters like me are already on 1.10.0), so that material has fallen behind.
That is why I am writing these articles. Because of the first point, the series is organised as "problem/need, procedure/steps, notes/explanation" rather than window by window, except where a window's function is itself the topic. Because of the second point, the Wireshark version used by default in this series is 1.10.0rc2 (Figure 1-1 below shows the start screen that appears first when this version is launched).
1. The most basic Wireshark capture workflow
Sometimes we only need Wireshark to capture a few packets to see what the network, or the local host, is doing, with no particular requirement on the type or content of the packets. In that case the procedure is simple:
- Start the software, select the network interface card (commonly called the interface), start capturing, stop capturing, then save the packets.
1.1 Starting the software
Older versions of Wireshark went straight to the main window after start-up. From 1.8.x onward the program instead shows the start screen in Figure 1-1, which gathers shortcut buttons for the most commonly used functions into four sections: Capture, Capture Help, Files and Online.
Figure 1-1 The new Wireshark start screen
1.2 Selecting the NIC and starting the capture
This article focuses on live packet capture, so we concentrate on the "Capture" section in the upper-left corner of Figure 1-1, reproduced below:
Figure 1-2 The part of the new Wireshark start screen related to live capture
This section has three shortcut buttons: Interface List (details of each NIC), Start (begin capturing) and Capture Options. Below the Start button is a short list of NICs. When we use Wireshark on our own PC we usually know what each NIC is doing. For example, my machine has no network cable plugged in and is using my roommate's shared Wi-Fi, so the only interface carrying traffic is the wireless card. To capture, I select "Wireless Network Connection" in the list under the Start button in Figure 1-2 (hold Ctrl to select more than one interface) and click Start (the black box callout); Wireshark begins capturing.
Sometimes we are less sure which NIC on the host is active. In that case click the Interface List button in Figure 1-2 to open the list of NIC details shown below.
Figure 1-3 NIC details list
The packet counter for each NIC (the box callout in the upper right) shows how many packets it has sent and received. From it we can see that only "Wireless Network Connection" is currently carrying traffic, so tick the checkbox in front of that NIC (the indigo oval callout in the upper left) and click Start (the black oval callout at the bottom); Wireshark begins capturing.
1.3 Stopping the capture
Once enough packets have been captured, stop Wireshark. There are three basic ways to stop a capture manually:
- press Ctrl+E;
- Menu bar (upper callout in Figure 1-1): click Capture, then Stop (Figure 1-4);
- Toolbar (upper callout in Figure 1-1): click the fourth square button (black oval callout in Figure 1-5).
Figure 1-4 Capture Menu
Figure 1-5 Toolbar
1.4 Saving the packets
After capturing we may not be in a hurry to analyse, or the analysis we can do now may be incomplete and need to be picked up again later. In all such cases we need to save the packets to a file.
There are three ways to save the packets:
- press Ctrl+S;
- Menu bar: click File, then Save;
- Toolbar: click the seventh button (black rounded box callout in Figure 1-5).
The following dialog then appears:
Figure 1-6 Packet file formats supported by Wireshark
The new version of Wireshark supports many formats when saving packets (black rounded box callout in Figure 1-6). As the figure shows, the default type is pcapng. It may well have many advantages, but for compatibility I recommend choosing the second option, the classic pcap format (the shaded entry inside the black rounded box in Figure 1-6), when you save. Pcapng is still a new thing, and not enough other software supports it yet.
Captured packets are often not just for ourselves but for colleagues as well. If your partner is still using Wireshark 1.8.x, or some other tool that suits them better, the pcap format, which is supported across the industry, is the bridge between you.
The save dialog also has a "Compress with gzip" checkbox in the lower left (black oval callout in Figure 1-6); if ticked, the saved file is written gzip-compressed. There is normally no need to tick it: uncompressed packets save just as well, and the file can be compressed afterwards with any archiver. A gzip-compressed capture can also only be opened by tools that understand compressed capture files (Wireshark does; many other tools do not), which is another reason to leave it off when sharing.
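The difference between the two formats discussed above comes down to the first bytes of the file, which is what any tool uses to decide whether it can read a capture. The example below is added here and is not code from the original post or from the Wireshark project: it writes the same constructed sample frame as a classic pcap file and as a minimal pcapng file, then identifies a file's format (and whether it was gzip-compressed, as the checkbox above produces) by its magic numbers and counts the packets in it. It uses only the Python 3 standard library; the sample frame and the file contents are constructed, not captured. For reference, the same save-as-pcap workflow on the command line with tshark, which ships with Wireshark, is `tshark -D` to list interfaces followed by `tshark -i <interface> -w out.pcap -F pcap`.

```python
import gzip
import struct

# Magic numbers that distinguish the two on-disk formats Wireshark offers.
PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A      # pcapng Section Header Block type (same bytes in either byte order)
PCAPNG_BOM = 0x1A2B3C4D      # pcapng byte-order magic
LINKTYPE_ETHERNET = 1

# Constructed sample frame (not from a real capture): broadcast Ethernet header,
# EtherType 0x0806 (ARP), followed by 28 zero bytes of placeholder payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28


def write_pcap(frames, endian="<", ts_sec=0, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise frames as a classic libpcap file (the 'second option' in the save dialog)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack(endian + "IIII", ts_sec, i, len(frame), len(frame)) + frame
    return out


def _block(btype, body):
    """Wrap a pcapng block body with its type and the total length that appears at both ends."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def write_pcapng(frames, ts_sec=0, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise frames as a minimal little-endian pcapng file (Wireshark's default save format)."""
    shb = _block(PCAPNG_SHB, struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1))  # version 1.0, unknown section length
    idb = _block(1, struct.pack("<HHI", linktype, 0, snaplen))              # Interface Description Block
    out = shb + idb
    for i, frame in enumerate(frames):
        ts = ts_sec * 1_000_000 + i               # default if_tsresol is microseconds
        pad = (-len(frame)) % 4                   # packet data is padded to 32 bits
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(6, body + frame + b"\x00" * pad)   # Enhanced Packet Block
    return out


def compress_capture(data):
    """What the 'Compress with gzip' checkbox does to the bytes that would otherwise be written."""
    return gzip.compress(data)


def _count_pcap(data, endian):
    off, n = 24, 0
    while off + 16 <= len(data):
        incl_len, = struct.unpack(endian + "I", data[off + 8:off + 12])
        if off + 16 + incl_len > len(data):
            break                                 # truncated final record, not counted
        off += 16 + incl_len
        n += 1
    return n


def _count_pcapng(data):
    off, n, endian = 0, 0, "<"
    while off + 12 <= len(data):
        btype, = struct.unpack(endian + "I", data[off:off + 4])
        if btype == PCAPNG_SHB:                   # each section declares its own byte order
            endian = "<" if data[off + 8:off + 12] == struct.pack("<I", PCAPNG_BOM) else ">"
        total, = struct.unpack(endian + "I", data[off + 4:off + 8])
        if total < 12 or total % 4 or off + total > len(data):
            break                                 # malformed or truncated block
        if btype in (3, 6):                       # Simple / Enhanced Packet Block
            n += 1
        off += total
    return n


def inspect_capture(data):
    """Identify a capture file's format from its first bytes and count its packets.

    Accepts gzip-compressed input, little- and big-endian pcap, and pcapng.
    """
    gzipped = data[:2] == b"\x1f\x8b"
    if gzipped:
        data = gzip.decompress(data)
    if len(data) < 4:
        return {"format": "unknown", "gzip": gzipped, "packets": 0}
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le == PCAPNG_SHB:
        return {"format": "pcapng", "gzip": gzipped, "packets": _count_pcapng(data)}
    for endian, magic in (("<", magic_le), (">", magic_be)):
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return {"format": "pcap", "gzip": gzipped, "packets": _count_pcap(data, endian)}
    return {"format": "unknown", "gzip": gzipped, "packets": 0}


if __name__ == "__main__":
    frames = [SAMPLE_FRAME] * 3
    for name, blob in (("classic pcap", write_pcap(frames)),
                       ("pcapng", write_pcapng(frames)),
                       ("pcap, gzip", compress_capture(write_pcap(frames)))):
        print(f"{name:12s} {len(blob):4d} bytes -> {inspect_capture(blob)}")
```

Running the script shows why the pcap recommendation is cheap to follow: the classic format is a 24-byte header plus a 16-byte record header per packet, while pcapng adds a section header and an interface block before the first packet and wraps each packet in a block with a length field at both ends. A tool that only knows the 0xA1B2C3D4 magic will reject the pcapng file outright, and a gzip-compressed file of either kind starts with 0x1F 0x8B rather than a capture magic at all.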
That completes the most basic capture workflow, and with it this article. The next article will explain the meaning and settings of the Capture Options; stay tuned!