Wireshark Packet Capture Analysis

Source: Internet
Author: User
Tags: types of filters, port number

Wireshark is a very popular and powerful network packet analyzer. It can capture packets of all kinds and display the details of every packet.

Start Interface

Wireshark captures packets on one network interface card (NIC) of the machine; when the machine has several NICs, you must select one.

Click Capture -> Interfaces. In the dialog box that appears, select the correct network card, then click the "Start" button to begin capturing.


Wireshark Window Introduction

The Wireshark window is divided into these main areas:

1. Display filter: used for filtering the captured records.

2. Packet List pane: displays the captured packets with their source address, destination address and port numbers. Different colors represent different protocols.

3. Packet Details pane: shows the fields of each protocol layer in the packet.

4. Dissector pane: the raw packet bytes in hexadecimal.

5. Miscellaneous (address bar and other items).

Filters are very important. A beginner using Wireshark gets a great deal of redundant information: among thousands or even tens of thousands of records it is hard to find the part that matters, and it is easy to get lost.

Filters help us quickly find the information we need in a large amount of data.

There are two types of filters:

One is the display filter, the filter bar on the main interface, which is used to find the required records among the records already captured.

The other is the capture filter, which filters packets as they are captured, so that too many records are not captured in the first place. It is set under Capture Filters.

Save Filter

On the filter bar, after entering the filter expression, click the Save button and give it a name, such as "Filter 102".

A "Filter 102" button then appears on the filter bar.

Filter expression rules

1. Protocol filtering

For example, tcp shows only TCP traffic.

2. IP filtering

For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,

ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.

3. Port filtering

tcp.port == 80 shows TCP packets with port 80 as either source or destination.

tcp.srcport == 80 shows only TCP packets whose source port is 80.

4. HTTP method filtering

http.request.method == "GET" shows only HTTP GET requests.

5. Logical operators: and / or

Commonly used filter expressions

Filter expression                                     Use
http                                                  view only records of the HTTP protocol
ip.src == 192.168.1.102 or ip.dst == 192.168.1.102    source address or destination address is 192.168.1.102

Package list (Packet list Pane)

This panel lists the captured packets with their number, timestamp, source address, destination address, protocol, length and packet info. Different protocols are displayed in different colors.

You can modify these coloring rules under View -> Coloring.

Packet Details (Packet details Pane)

This is the most important panel for us: it shows every field of each protocol layer in the packet.

Each line represents one layer:

Frame: overview of the frame at the physical layer

Ethernet II: Ethernet frame header at the data link layer

Internet Protocol Version 4: IP packet header at the Internet layer

Transmission Control Protocol: segment header at the transport layer, here TCP

Hypertext Transfer Protocol: application layer data, here the HTTP protocol
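The following is an added example, not code from the original post: it walks the same layers the Packet Details pane shows (Ethernet II, IPv4, TCP, HTTP) over a constructed frame and then evaluates display filters of the form described in the filter expression rules above (bare protocol names, field == value, and/or). The frame bytes, addresses and ports are constructed sample values; the filter evaluator is a deliberately small subset of Wireshark's syntax.

```python
import struct

def dissect(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP -> HTTP into Wireshark-style field names."""
    fields = {"frame.len": len(frame)}
    # Ethernet II: dst MAC (6) + src MAC (6) + EtherType (2); 0x0800 = IPv4
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    fields["ip.src"] = ".".join(str(b) for b in ip[12:16])
    fields["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    if ip[9] != 6:                                # protocol 6 = TCP
        return fields
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": {sport, dport}})
    payload = tcp[(tcp[12] >> 4) * 4:]            # data offset is in 32-bit words
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        fields["http.request.method"] = payload.split(b" ", 1)[0].decode()
    return fields

def matches(filter_expr: str, fields: dict) -> bool:
    """Evaluate 'field == value' terms and bare protocol names joined by and/or."""
    def term(t: str) -> bool:
        t = t.strip()
        if "==" not in t:                         # bare protocol, e.g. "http" or "tcp"
            return any(k.startswith(t.lower() + ".") for k in fields)
        name, value = (s.strip().strip('"') for s in t.split("==", 1))
        actual = fields.get(name.lower())
        if isinstance(actual, set):               # tcp.port matches either direction
            return int(value) in actual
        return actual is not None and str(actual) == value
    # "and" binds tighter than "or", as in Wireshark
    return any(all(term(t) for t in clause.split(" and "))
               for clause in filter_expr.split(" or "))

def build_http_get_frame() -> bytes:
    """Constructed sample (not a real capture): 192.168.1.102:51234 -> 192.168.1.1:80, HTTP GET."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL 0x45, TOS, total length, id, flags/frag, TTL, proto 6, checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 102]), bytes([192, 168, 1, 1]))
    return eth + ip + tcp + payload
```

Checksums are left at zero because the dissector never verifies them; real Wireshark flags such frames but still dissects them.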

[Screenshots of the Packet Details pane for an ARP packet, an IP packet, a UDP packet, a TCP packet and an HTTP packet]

tcpdump, the Linux packet capture tool

tcpdump options

· -a: convert network addresses and broadcast addresses to names

· -d: dump the compiled packet-matching code in a form people can read

· -dd: dump the packet-matching code as a C program fragment

· -ddd: dump the packet-matching code as decimal numbers

· -e: print the data link layer header on each output line

· -f: print foreign Internet addresses numerically

· -l: make standard output line-buffered

· -n: do not convert network addresses to names

· -t: do not print a timestamp on each output line

· -v: slightly more verbose output, for example the TTL and type of service in the IP packet

· -vv: even more verbose packet information

· -c: stop after receiving the specified number of packets

· -F: read the filter expression from the specified file, ignoring expressions on the command line

· -i: specify the network interface to listen on

· -r: read packets from the specified file (usually produced with the -w option)

· -w: write the raw packets directly to a file instead of parsing and printing them

· -T: interpret captured packets as the specified type of message

Example

Capture packets on interface eth2 and save the result to the file test.cap; then open the file directly in Wireshark to view the packets.
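As an added example (not from the original post), this shows what the capture described above, tcpdump -i eth2 -w test.cap built from the -i and -w options listed, leaves on disk: a classic libpcap file, which is the format Wireshark opens and tcpdump -r reads. The writer and reader below are small stand-ins written for this page; the frames, timestamps and the temporary test.cap path are constructed values.

```python
import os
import struct
import tempfile

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def write_pcap(path: str, frames: list, snaplen: int = 65535) -> None:
    """Write frames in classic libpcap format (what tcpdump -w produces, what Wireshark opens)."""
    with open(path, "wb") as fh:
        # global header: magic, version 2.4, timezone offset, sigfigs, snaplen, link type
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            captured = frame[:snaplen]            # snaplen truncates what is stored
            # record header: ts_sec, ts_usec, captured length, original length on the wire
            fh.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)))
            fh.write(captured)

def read_pcap(path: str) -> list:
    """Return (ts_sec, orig_len, data) per record, as tcpdump -r walks a capture file."""
    records = []
    with open(path, "rb") as fh:
        magic, = struct.unpack("<I", fh.read(4))
        if magic == PCAP_MAGIC:                   # written little-endian
            endian = "<"
        elif magic == 0xD4C3B2A1:                 # same magic seen byte-swapped: big-endian file
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng or unknown magic)")
        *_, linktype = struct.unpack(endian + "HHiIII", fh.read(20))
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("this reader only handles Ethernet captures")
        while hdr := fh.read(16):
            ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
            records.append((ts_sec, orig_len, fh.read(incl_len)))
    return records

def roundtrip_demo() -> list:
    """Constructed sample frames (not a real capture); writes test.cap to a temp dir and reads it back."""
    frames = [b"\x00" * 12 + b"\x08\x00" + bytes(range(60)), b"\xff" * 14 + b"ABC"]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.cap")
        write_pcap(path, frames, snaplen=40)  # the first frame (74 bytes) is truncated to 40
        return read_pcap(path)
```

The orig_len versus incl_len pair in each record is why Wireshark can show a packet's true size even when a small snaplen stored only its headers.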

You are welcome to follow my blog. If you have questions, join QQ group 135430763 and we can study together.
