Wireshark packet capture analysis
Wireshark is a very popular and powerful network packet analyzer. It can capture all kinds of network packets and display the details of each packet.
Start interface
Wireshark captures packets on one network interface card (NIC) of the machine; when the machine has multiple NICs, you need to select which one to capture on.
Click Capture -> Interfaces. The following dialog box appears; select the correct network card, then click the "Start" button to begin capturing packets.
Wireshark window introduction
The Wireshark window is mainly divided into these areas:
1. Display filter: used for filtering the captured records.
2. Packet list pane: displays the captured packets with their source address, destination address and port numbers. Different colors represent different protocols.
3. Packet details pane: shows the fields of each protocol layer in the packet.
4. Dissector (bytes) pane: the raw packet data in hexadecimal.
5. Miscellaneous: the status bar and other miscellaneous information.
Using filters is very important. When beginners use Wireshark they get a lot of redundant information, and in thousands or even tens of thousands of records it is hard to find the part that matters to them; it is easy to get lost.
Filters help us quickly find the information we need in a large amount of data.
There are two types of filters:
One is the display filter, the one on the main interface, which is used to find the required records among the records already captured.
The other is the capture filter, which filters packets as they are captured, to avoid capturing too many records. It is set under Capture Filters.
Save a filter
On the filter bar, after filling in the filter expression, click the Save button and give it a name, such as "Filter 102".
A "Filter 102" button then appears on the filter bar.
Filter expression rules
Expression rules
1. Protocol filtering
For example, tcp shows only TCP protocol records.
2. IP filtering
For example, ip.src == 192.168.1.102 displays only packets whose source address is 192.168.1.102,
and ip.dst == 192.168.1.102 only packets whose destination address is 192.168.1.102.
3. Port filtering
tcp.port == 80 matches packets with a TCP source or destination port of 80.
tcp.srcport == 80 matches only packets whose TCP source port is 80.
4. HTTP method filtering
http.request.method == "GET" shows only HTTP requests using the GET method.
5. The logical operators are and / or.
Commonly used filter expressions

Filter expression                                  | Use
http                                               | View only the records of the HTTP protocol
ip.src == 192.168.1.102 or ip.dst == 192.168.1.102 | Source address or destination address is 192.168.1.102
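As an added example (not code from the original post), the following Python evaluates Wireshark-style display filter expressions, using the field names from the rules above, over a few constructed packet records; and, or, not and parentheses combine as they do in Wireshark. The packets and their values are made up for the demonstration.

```python
import re

# Constructed sample packets, shaped like rows of Wireshark's packet list.
# "layers" is the protocol stack, so a bare protocol name like "tcp" can match.
PACKETS = [
    {"no": 1, "layers": {"ip", "tcp"}, "ip.src": "192.168.1.102",
     "ip.dst": "10.0.0.5", "tcp.srcport": 52310, "tcp.dstport": 80},
    {"no": 2, "layers": {"ip", "tcp", "http"}, "ip.src": "192.168.1.102",
     "ip.dst": "10.0.0.5", "tcp.srcport": 52310, "tcp.dstport": 80,
     "http.request.method": "GET"},
    {"no": 3, "layers": {"ip", "tcp"}, "ip.src": "10.0.0.5",
     "ip.dst": "192.168.1.102", "tcp.srcport": 80, "tcp.dstport": 52310},
    {"no": 4, "layers": {"ip", "udp"}, "ip.src": "192.168.1.7",
     "ip.dst": "8.8.8.8", "udp.srcport": 40000, "udp.dstport": 53},
    {"no": 5, "layers": {"arp"}},
]

TOKEN = re.compile(r'\s*(==|\(|\)|"[^"]*"|[\w.]+)')

def tokenize(expr):
    """Split a filter into tokens; field/protocol names are case-insensitive."""
    toks = TOKEN.findall(expr)
    if "".join(toks).replace(" ", "") != expr.replace(" ", ""):
        raise ValueError("bad filter: " + expr)
    return [t if t.startswith('"') else t.lower() for t in toks]

def field(pkt, name):
    """Values of a field; tcp.port / udp.port match either direction."""
    if name.endswith(".port"):
        base = name[:-5]
        return {pkt.get(base + ".srcport"), pkt.get(base + ".dstport")} - {None}
    return {pkt[name]} if name in pkt else set()

def evaluate(expr, pkt):
    """Recursive-descent evaluation: or < and < not/atom, with parentheses."""
    toks, pos = tokenize(expr), 0
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def peek(): return toks[pos] if pos < len(toks) else None
    def literal(tok):
        return tok[1:-1] if tok.startswith('"') else (int(tok) if tok.isdigit() else tok)
    def atom():
        tok = take()
        if tok == "(":
            val = or_expr(); take(); return val          # consume ")"
        if tok == "not":
            return not atom()
        if peek() == "==":
            take(); return literal(take()) in field(pkt, tok)
        return tok in pkt["layers"]                       # bare protocol name
    def and_expr():
        val = atom()
        while peek() == "and":
            take(); val = atom() and val
        return val
    def or_expr():
        val = and_expr()
        while peek() == "or":
            take(); val = and_expr() or val
        return val
    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in: " + expr)
    return result

def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers a display filter keeps, like the packet list."""
    return [p["no"] for p in packets if evaluate(expr, p)]
```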
Packet list pane
This panel lists the captured packets with their number, timestamp, source address, destination address, protocol, length and packet summary. You can see that different protocols are displayed in different colors.
You can also modify these coloring rules under View -> Coloring Rules.
Packet details pane
This panel is the most important one for us: it lets us view each field of every protocol layer.
Each line corresponds to one layer:
Frame: overview of the data frame at the physical layer
Ethernet II: Ethernet frame header information of the data link layer
Internet Protocol Version 4: IP packet header information of the internet layer
Transmission Control Protocol: segment header information of the transport layer, here TCP
Hypertext Transfer Protocol: application layer information, here the HTTP protocol
(Screenshots of captured ARP, IP, UDP, TCP and HTTP packets were shown here.)
Linux packet capture tool tcpdump
Options for tcpdump
· -a -- convert network and broadcast addresses into names
· -d -- dump the compiled packet-matching code in a human-readable form
· -dd -- dump the packet-matching code as a C program fragment
· -dd -- dump the packet-matching code as decimal numbers
· -e -- print the data link layer header on each output line
· -f -- print foreign (non-local) Internet addresses numerically
· -l -- make standard output line-buffered
· -n -- do not convert network addresses into names
· -t -- do not print a timestamp on each output line
· -v -- slightly more verbose output, for example the TTL and type of service of IP packets
· -vv -- even more verbose output
· -c -- stop after receiving the specified number of packets
· -F -- read the filter expression from the specified file, ignoring any expression on the command line
· -i -- specify the network interface to listen on
· -r -- read packets from the specified file (such files are usually produced with the -w option)
· -w -- write the raw packets directly to a file instead of parsing and printing them
· -T -- interpret the captured packets as the specified type of message
Example
Capture packets on interface eth2 and save the result to the file test.cap, then open that file directly in Wireshark to inspect the packet contents.
You are welcome to follow my blog. If you have questions, please join QQ group 135430763 so we can study together.