Wireshark packet analysis (1) -- Getting started

Source: Internet
Author: User

Wireshark introduction:

Wireshark is one of the most popular and powerful open-source packet capture and analysis tools. In the SecTools security community ranking it once placed above Metasploit, Nessus, Aircrack-ng and other powerful tools. It plays a major role in network security and forensic analysis, and as a network sniffer and protocol analyzer it has become a required tool for network operations management, network fault diagnosis, and network application development and debugging.

Find data packets:

Press Ctrl + N to open the search dialog.


You can see three query conditions:

  • Display filter: filters by a display-filter expression. This is powerful and is described later; an example is ip.addr == 192.168.1.23.
  • Hex value: searches the packet bytes for a hexadecimal byte sequence, for example 00:ff.
  • String: searches for a text string, for example passwd.

Press Ctrl + N to search forward to the next match and Ctrl + B to search backward. Wireshark's own documentation is already very user-friendly: every settings window has an online Help button, the "Help" in the lower left corner. It's in English, so the question is, why don't you understand it?

Mark data packets:

Select a packet in the Packet List, right-click and choose Mark Packet; a marked packet is highlighted. The shortcut is to select the packet and press Ctrl + M; Ctrl + M also unmarks it.

Shift + Ctrl + N and Shift + Ctrl + B jump between the marked packets.

Capture settings:

After Wireshark is started, Capture Options, reached from the network interface list on the left, is where the various packet capture rules are set.

  • In '1', choose the network interface. Double-click an interface to open its own settings: whether to capture in promiscuous mode, whether to write packets in pcap-ng format, and a limit on the number of bytes captured from each packet.
  • In '3', the capture file settings: the capture filter is set here, and the capture can be split into multiple files by various triggers (file size or elapsed time). The Ring buffer with option keeps only the specified number of files on a first-in, first-out basis, so a long-running capture keeps the most recent data instead of letting a large volume of packets fill the disk.
  • In '4', stop conditions: similarly, the capture can be stopped automatically after a given file size, elapsed time, or number of packets.
  • In '5', display settings. Note that updating the packet list in real time increases CPU load; this option can be turned off.
  • In '6', name resolution. MAC name resolution tries to resolve data-link-layer MAC addresses to names; if that fails, the first three bytes of the MAC address (the vendor prefix) are replaced with the manufacturer name, for example Netgear_01:02:03. Network name resolution tries to resolve IP addresses to host names through DNS; note that this generates extra DNS traffic. Transport name resolution tries to resolve port numbers to their service names, for example port 80 is shown as http.
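As an added example (not part of the original article and not Wireshark's own code), the following Python function builds the equivalent tshark command line for the settings described above. tshark is Wireshark's command-line counterpart and the flags used are its real ones; the function and parameter names are my own. It shows how the snapshot length, ring buffer, stop conditions and name-resolution choices map to flags, and why network (DNS) name resolution is left off unless asked for.

```python
"""Build a tshark command line from Capture Options-style settings.
Added example; tshark flags are real, the function/parameter names are mine."""
import shlex


def build_tshark_argv(interface, outfile, snaplen=None, promiscuous=True,
                      pcapng=True, ring_files=None, ring_filesize_kb=None,
                      stop_after_seconds=None, stop_after_packets=None,
                      resolve_mac=True, resolve_transport=True,
                      resolve_network=False):
    """Return the argv list for tshark; raise ValueError on inconsistent settings."""
    argv = ["tshark", "-i", interface]
    if not promiscuous:
        argv.append("-p")                       # -p = do NOT use promiscuous mode
    if snaplen is not None:
        if snaplen < 1:
            raise ValueError("snaplen must be a positive byte count")
        argv += ["-s", str(snaplen)]            # limit bytes captured per packet
    argv += ["-F", "pcapng" if pcapng else "pcap"]
    # Ring buffer: files: (how many files to keep, FIFO) and filesize: (KB per
    # file) only make sense together, so reject one without the other
    if (ring_files is None) != (ring_filesize_kb is None):
        raise ValueError("ring buffer needs both a file count and a file size")
    if ring_files is not None:
        argv += ["-b", f"filesize:{ring_filesize_kb}", "-b", f"files:{ring_files}"]
    # Stop conditions (the '4' pane): elapsed seconds or packet count
    if stop_after_seconds is not None:
        argv += ["-a", f"duration:{stop_after_seconds}"]
    if stop_after_packets is not None:
        argv += ["-c", str(stop_after_packets)]
    # Name resolution (the '6' pane): -n disables everything, -N re-enables
    # chosen kinds: m = MAC vendor names, t = transport (port -> service),
    # n = network (IP -> host name via DNS, which sends extra DNS queries
    # from the capturing host, so it stays off unless explicitly requested)
    kinds = ("m" if resolve_mac else "") + ("t" if resolve_transport else "") \
        + ("n" if resolve_network else "")
    argv.append("-n")
    if kinds:
        argv += ["-N", kinds]
    argv += ["-w", outfile]
    return argv


def as_command(argv):
    """Shell-quoted form of argv, for pasting into a terminal."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample settings: 10 files of 100 MB each, stop after an hour
    print(as_command(build_tshark_argv("eth0", "capture.pcapng", snaplen=256,
                                       ring_files=10, ring_filesize_kb=102400,
                                       stop_after_seconds=3600)))
```

The ring-buffer pair is checked up front because tshark happily accepts a lone files: condition, which then never rotates; the same mistake in the dialog is what the "Ring buffer with" checkbox protects against.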

Filter:

The filter is an advanced setting: it selects packets according to the conditions you set, and is both powerful and easy to use. Wireshark provides two kinds of packet filtering:

  • Capture filter: applied while capturing, so that only the matching packets are captured.
  • Display filter: Wireshark captures all packet traffic and shows only the packets that match the condition.

(1) Capture filter

Use this setting when the volume of traffic is large or only specific packets need to be captured. It is set in the Capture Filter field.

Capture filters use BPF (Berkeley Packet Filter) syntax expressions, built from these qualifiers:

  • host, net, port: type qualifiers, followed by a name or number
  • src, dst: direction qualifiers
  • ether, ip, tcp, udp, http, ftp: protocol qualifiers


Three logical operators:

  • and (&&): both conditions must hold
  • or (||): either condition may hold
  • not (!): negation

Many advanced and practical filtering rules can be combined using BPF qualifiers and logical operators. For example:

  • host 192.168.1.23 // capture all IPv4 traffic to or from host 192.168.1.23
  • host fe80::2ad0:5aff:fe6f:92b0 // capture all IPv6 traffic to or from host fe80::2ad0:5aff:fe6f:92b0
  • host server1 // capture all traffic to or from server1
  • ether host 00:8a:23:e3:d2:df // filter by MAC address
  • src host 192.168.1.20 && port 80 // capture traffic sent by 192.168.1.20 that involves port 80
  • dst host 192.168.1.20 // capture traffic sent to 192.168.1.20
  • !port 8080 // capture everything except port 8080 traffic
  • icmp // capture only ICMP traffic
  • ip // capture only IPv4 traffic; ip6 captures only IPv6 traffic
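The following Python code is an added example, not from the article and not libpcap's code: it models the BPF primitives and logical operators listed above as predicates over constructed packet records, so you can see exactly what each expression matches, for example that host X matches either direction while src host X matches only packets sent by X, and that port 80 never matches ICMP because ICMP has no ports. The packet records, helper names and sample addresses are constructed for the example; the MAC helper also accepts the dash-separated spelling used above and normalises it to the colon form documented in pcap-filter(7).

```python
"""Model of BPF capture-filter primitives over constructed packet records.
Added example; not libpcap's compiler, and helper names are mine."""
import ipaddress


def pkt(proto, src, dst, sport=None, dport=None, smac=None, dmac=None):
    # Constructed packet record, not a real capture
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "smac": smac, "dmac": dmac}


def _sides(p, src_key, dst_key, direction):
    # 'src' / 'dst' qualifiers pick one side; no qualifier means either side
    if direction == "src":
        return [p[src_key]]
    if direction == "dst":
        return [p[dst_key]]
    return [p[src_key], p[dst_key]]


def host(addr, direction=None):
    target = ipaddress.ip_address(addr)          # accepts IPv4 and IPv6 text
    return lambda p: any(ipaddress.ip_address(a) == target
                         for a in _sides(p, "src", "dst", direction))


def net(cidr, direction=None):
    network = ipaddress.ip_network(cidr, strict=False)
    # an IPv6 address is never inside an IPv4 network, and vice versa
    return lambda p: any(ipaddress.ip_address(a) in network
                         for a in _sides(p, "src", "dst", direction))


def port(number, direction=None):
    # records without ports (ICMP) hold None and so never match
    return lambda p: number in _sides(p, "sport", "dport", direction)


def ether_host(mac, direction=None):
    mac = mac.lower().replace("-", ":")          # normalise to colon form
    return lambda p: mac in _sides(p, "smac", "dmac", direction)


def proto(name):
    return lambda p: p["proto"] == name


# Logical operators: and (&&), or (||), not (!)
def and_(*preds):
    return lambda p: all(f(p) for f in preds)


def or_(*preds):
    return lambda p: any(f(p) for f in preds)


def not_(pred):
    return lambda p: not pred(p)


def apply_filter(pred, packets):
    return [p for p in packets if pred(p)]


# Constructed sample traffic (documentation address ranges, made-up MACs)
LAN_MAC, GW_MAC = "00:8a:23:e3:d2:df", "aa:bb:cc:00:00:01"
SAMPLE = [
    pkt("tcp", "192.168.1.20", "198.51.100.7", 51000, 80, LAN_MAC, GW_MAC),
    pkt("tcp", "198.51.100.7", "192.168.1.20", 80, 51000, GW_MAC, LAN_MAC),
    pkt("tcp", "192.168.1.23", "192.168.1.50", 52000, 8080,
        "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"),
    pkt("icmp", "192.168.1.23", "192.168.1.1", smac="aa:bb:cc:00:00:02", dmac=GW_MAC),
    pkt("udp", "fe80::2ad0:5aff:fe6f:92b0", "ff02::1", 546, 547,
        "2a:d0:5a:6f:92:b0", "33:33:00:00:00:01"),
]

# Each text filter from the article paired with its predicate form
FILTERS = {
    "host 192.168.1.23": host("192.168.1.23"),
    "host fe80::2ad0:5aff:fe6f:92b0": host("fe80::2ad0:5aff:fe6f:92b0"),
    "ether host 00-8a-23-e3-d2-df": ether_host("00-8a-23-e3-d2-df"),
    "src host 192.168.1.20 && port 80": and_(host("192.168.1.20", "src"), port(80)),
    "dst host 192.168.1.20": host("192.168.1.20", "dst"),
    "!port 8080": not_(port(8080)),
    "icmp": proto("icmp"),
    "net 192.168.1.0/24 && !icmp": and_(net("192.168.1.0/24"), not_(proto("icmp"))),
}


def match_counts(packets=SAMPLE):
    """How many sample packets each filter keeps."""
    return {text: len(apply_filter(pred, packets)) for text, pred in FILTERS.items()}
```

Note that src host 192.168.1.20 && port 80 keeps only the request packet: the reply has 192.168.1.20 as destination, so a capture filter meant to keep a whole conversation must use host rather than src host.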

(2) Display filter

Display filters are entered in the filter box below the main menu. The "Expression" button on the right lists all protocols and their available filter fields; the dialog is very capable and builds the filter expression automatically once the condition is set. Users who are familiar with the expression syntax can type the expression directly.

Comparison operators:

  • == Equal
  • != Not equal
  • > Greater than
  • < Less than
  • >= Greater than or equal
  • <= Less than or equal


Logical operators:

  • and (&&): both conditions are met
  • or (||): at least one of the conditions is met
  • xor: exactly one of the two conditions is met
  • not (!): the condition is not met


Example expressions:

  • ip.addr == 192.168.1.10 or ip.addr == 192.168.1.11
  • !tcp.port == 3389
  • tcp.flags.syn == 1
  • !dns
  • tls // HTTPS traffic; older Wireshark versions name this dissector ssl
  • tcp.port == 23 || tcp.port == 22
  • smtp || pop || imap

Frequently used filter expressions can also be saved and reused; the settings are under Capture -> Capture Filters on the main menu.
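Added example, not Wireshark's own filter engine and not the author's code: a minimal evaluator for display filters in the syntax shown above (the symbolic operators plus the word forms and, or, not, xor, eq, ne, gt, lt, ge, le, which Wireshark also accepts), run over constructed packet records. Multi-valued fields such as ip.addr and tcp.port use the classic any-match rule: ip.addr == X is true if either the source or the destination equals X, and ip.addr != X is true if either of them differs from X, which is why !(ip.addr == X) is the form that actually excludes a host. Wireshark 3.6 changed != to mean "all not equal"; this model follows the older behaviour the article was written against. The packet records, field lists and sample addresses are constructed for the example.

```python
"""Minimal Wireshark-style display filter evaluator over constructed records.
Added example; not Wireshark's dfilter engine."""
import re

KEYWORDS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=",
            "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def tokenize(text):
    toks = re.findall(r"\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|[^\s()=!<>&|]+", text)
    return [KEYWORDS.get(t, t) for t in toks]   # word operators -> symbols

class Parser:
    # Precedence used here, lowest first: ||, xor, &&, then ! and comparisons;
    # parenthesise real filters when in doubt.
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok

    def binary(self, ops, operand):
        node = operand()
        while self.peek() in ops:
            node = (ops[self.take()], node, operand())
        return node

    def expr(self):
        return self.binary({"||": "or"}, lambda: self.binary(
            {"xor": "xor"}, lambda: self.binary({"&&": "and"}, self.unary)))

    def unary(self):
        tok = self.take()
        if tok == "!":
            return ("not", self.unary())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if tok is None or tok in CMP or tok in ("&&", "||", "xor", ")"):
            raise SyntaxError(f"expected a field, got {tok!r}")
        if self.peek() in CMP:                   # field <op> value
            op, value = self.take(), self.take()
            if value is None:
                raise SyntaxError(f"missing value after {op}")
            return ("cmp", tok, op, int(value) if value.isdigit() else value)
        return ("present", tok)                  # bare name: protocol/field present

def evaluate(node, packet):
    kind = node[0]
    if kind == "present":
        return bool(packet.get(node[1]))
    if kind == "cmp":                            # any-match over the field's values
        _, field, op, value = node
        return any(CMP[op](v, value) for v in packet.get(field, []))
    if kind == "not":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]

def apply_filter(text, packets):
    parser = Parser(text)
    tree = parser.expr()
    if parser.peek() is not None:
        raise SyntaxError(f"unexpected token {parser.peek()!r}")
    return [p for p in packets if evaluate(tree, p)]

def tcp_packet(src, dst, sport, dport, syn=0, extra=()):
    # Constructed record (not a real capture): field name -> values present
    p = {"ip": [1], "ip.addr": [src, dst], "tcp": [1],
         "tcp.port": [sport, dport], "tcp.flags.syn": [syn]}
    return {**p, **{name: [1] for name in extra}}

SAMPLE = [
    tcp_packet("192.168.1.10", "198.51.100.7", 50001, 443, syn=1, extra=("tls",)),
    tcp_packet("198.51.100.7", "192.168.1.10", 443, 50001, extra=("tls",)),
    tcp_packet("192.168.1.11", "192.168.1.50", 50002, 3389),
    tcp_packet("192.168.1.12", "192.168.1.50", 50003, 22),
    {"ip": [1], "ip.addr": ["192.168.1.12", "192.168.1.1"], "udp": [1],
     "udp.port": [5353, 53], "dns": [1]},
]

FILTERS = [
    "ip.addr == 192.168.1.10 or ip.addr == 192.168.1.11",
    "!tcp.port == 3389", "tcp.flags.syn == 1", "!dns", "tls",
    "tcp.port == 23 || tcp.port == 22", "tcp.port < 1024",
    "ip.addr != 192.168.1.10",     # any-match: true for every sample packet
    "!(ip.addr == 192.168.1.10)",  # the form that really excludes the host
]

def match_counts(packets=SAMPLE):
    """How many of the sample packets each filter keeps."""
    return {f: len(apply_filter(f, packets)) for f in FILTERS}
```

match_counts() reports how many of the five sample packets each filter keeps; comparing the last two entries shows the != pitfall directly, since the first keeps all five packets and the second drops the two that involve 192.168.1.10.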
