Wireshark packet analysis (1) -- Getting started

Source: Internet
Author: User

Wireshark introduction:

Wireshark is one of the most popular and powerful open-source packet capture and analysis tools. Popular in the SecTools security community, once surpassed Metasploit, Nessus, Aircrack-ng and other powerful tools. This software plays a major role in network security and forensic analysis. As a network data sniffing and protocol analyzer, it has become a required tool for network operation management, network fault diagnosis, and network application development and debugging.

Find data packets:

Press ctrl + N to open the search dialog box


You can see three query conditions:

  • Display filter is used to filter data by expression. It is powerful and will be described later, for example, ip. addr =
  • Hex value filters data packets in hexadecimal format, for example, 00: ff.
  • String is searched by a String, such as passwd.

Press ctrl + N to search down, and press ctrl + B to search forward. In fact, wireshark's usage instructions have been very user-friendly, and all its settings windows have online Help instructions. Above is the "Help" in the lower left corner. It's in English, so the question is, why don't you understand it?

Mark data packets:

Select a data Packet in the Packet List, right-click and select Mark Packet to Mark the data Packet. After marking, the data Packet is highlighted. The shortcut key is to select a data packet, press ctrl + M, the unmark is also ctrl + M,

Shift + ctrl + N, shift + ctrl + B can be used to switch between multiple labeled data.

Capture settings:

After Wireshark is started, the Capture Optiion in the network interface on the left can be used to set various packet Capture rules.

  • Set the network interface in '1'. You can double-click an interface to display the specific settings of this interface (for example ). Here, you can set whether to enable the hybrid mode, whether to capture data packets in pcap-ng format, and limit the size of each captured data packet by the number of bytes.

  • In '3' file capture settings: filter rules are provided here. Various triggers (based on the file size or time). The Ring Buffer With option can be used to set the Ring Buffer to create files, the FIFO principle is used to retain only the specified number of files, so that only the specified number of data packets is captured, and a large amount of data packets occupy a large amount of space.
  • Stop capture in '4': Similarly, you can stop packet capture based on the file size, time, or number of data packets.
  • In '5', the settings are displayed. Note that the real-time display will increase the CPU load. You can cancel this option.
  • In '6' name resolution. resolve the MAC address, and try to resolve the MAC address of the data link layer to the IP address of the network layer. If the resolution fails, the first three bytes of the MAC address are converted to the name of the specified manufacturer, for example, Netgear_01: 02: 03; network name resolution: try to use the DNS protocol to resolve the IP address to the host name. Note that this will generate extra DNS traffic. Transfer name resolution: try to resolve the port number to its related name, for example, port 80 to http display.


The filter is an advanced setting. It can capture data packets according to the setting requirements, which is very powerful and easy to use. Wireshark provides two data packet filtering rules:

  • Capture and filter: capture related data packets as specified during data packet capture.
  • Display capture: Wireshark captures all data packet traffic and displays related data packets according to the setting conditions.

(1) capture and filter

This setting can be used when the processed data packet is large or the specified data packet needs to be captured. It can be set in the Capture Filter.

Capture the used BPF (Berkeley Packet Filter) syntax expression:

Host, net, port Name or number
Src, dst Transmission direction
Ether, ip, tcp, udp, http, ftp Matching protocol




Three logical operators:

  • Concatenation operator (&)
  • Or (|) select operator
  • Non (!) Negative operator

Many advanced and practical filtering rules can be combined using BPF qualifiers and logical operators. For example:

  • Host // capture all IPV4 traffic with host
  • Host fe80: 2ad0: 5aff: fe6f: 92b0 // capture all IPV6 traffic with fe80: 2ad0: 5aff: fe6f: 92b0 host
  • Host server1 // capture all server traffic
  • Ether host 00-8a-23-e3-d2-df // filter based on MAC address
  • Src host & port 80 // capture traffic from port 80 of
  • Dst // capture traffic sent to
  • ! Port 8080 // capture non-8080 port traffic
  • Icmp // only capture ICMP traffic
  • ! Ip // only capture ipv traffic, ip6 only capture ipv6 traffic

(2) display capture

Display filtering can be set in the filtering box under the main menu. All protocols and their available filtering rules are listed in the "Expression" on the right. The setting function is very powerful. A filtering expression is automatically provided after the setting is successful. Users who are familiar with the filtering expression can directly use the filtering expression to filter.

Related comparison operators:

= Equal
! = Not equal
> Greater
< Less
> = Greater than or equal
<= Less than or equal






Logical operators:

And Both conditions are met
Or One of the conditions is met.
Xor Only one condition is met.
Not No conditions met




Related expression example:

  • Ip. addr = or ip. addr =
  • ! Tcp. port = 3389
  • Tcp. flags. syn = 1
  • ! Dns
  • Https
  • Tcp. port = 23 | tcp. port = 22
  • Smtp | pop | imap

Of course, you can save the frequently used filter expressions and use them again. The settings are available in the Capture-> Capture Filters on the main menu.


Wireshark packet analysis (1) -- Getting started

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.