Wireshark Illustrated Tutorial (Introduction, Packet Capture, Filters)

Source: Internet
Author: User
Tags: snmp, types of filters

Wireshark is the most popular network analysis tool in the world. It captures data from the network and gives the user a wealth of information about the network and upper-layer protocols. Like many other network tools, Wireshark uses the pcap library for packet capture. It can also capture plaintext credentials (QQ, e-mail, MSN account names and passwords, and so on) sent over the LAN.


Wireshark was originally named Ethereal; the new name dates from 2006. At that time Ethereal's main developer decided to leave the company he worked for and continue developing the software. Because the Ethereal name had been registered as a trademark by the original company, the new name Wireshark was born.

After successfully running Wireshark, we can go to the next step and learn more about this powerful tool.

The following screenshot shows Wireshark while a computer with the address 192.168.1.2 is accessing the website openmaniak.com.

1. Menus
2. Shortcuts
3. Display filter
4. Packet list pane
5. Packet details pane
6. Dissector pane (hexadecimal data)
7. Miscellaneous


1. Menus

The 8 menus at the top of the window are used to configure Wireshark:

- "File": open or save captured data.
- "Edit": find or mark packets; global preferences.
- "View": set how Wireshark displays the data.
- "Go": jump to a position in the captured data.
- "Capture": set the capture filter and start capturing.
- "Analyze": set analysis options.
- "Statistics": view statistics about the capture.
- "Help": view local or online help.


2. Shortcuts

Below the menu bar there are some common shortcut buttons.
Move the mouse pointer over an icon to see a description of its function.


3. Display filter

The display filter is used to find content in the captured data.
Do not confuse the capture filter with the display filter; the filter section of this tutorial explains both in detail.



4. Packet list pane

All captured packets are shown in the packet list. Here you can see the MAC or IP addresses of the sender and receiver, the TCP/UDP port numbers, the protocol, and a summary of the packet contents.

If you are looking at an OSI layer 2 packet, the source and destination columns show MAC addresses, and the port columns are of course empty.
If you are looking at an OSI layer 3 or higher packet, the source and destination columns show IP addresses. The port columns are filled in only for layer 4 or higher packets.

Here you can add or remove columns and change the colour of each column:
Edit > Preferences

5. Packet details pane

The details of the packet selected in the packet list are shown here.
The information is grouped by OSI layer, and you can expand each item to view it. The screenshot below shows an expanded HTTP message.


6. Dissector pane (hexadecimal data)

The dissector pane is also called the "hexadecimal data view" in Wireshark. It shows the same content as the packet details pane, but as raw bytes in hexadecimal.
In the example above, we selected the TCP port (80) in the packet details, and the corresponding bytes (0050) are automatically highlighted in the pane below.


7. Miscellaneous

At the bottom of the window you can see the following information:

- The network interface being captured.
- Whether the capture is running or stopped.
- The location where the capture file is saved.
- The amount of data captured.
- The number of packets captured (P).
- The number of packets displayed (D), i.e. the packets that remain after the display filter is applied.
- The number of packets marked (M).

As the first section of this tutorial shows, it is easy to install and run Wireshark and start analyzing the network.

The most common problem is that, with the default settings, a capture contains so much traffic that the parts you need are hard to find.

That's why filters are so important: they help you quickly find the information you need in a large capture.

- Capture filter: determines what is recorded in the capture. It must be set before starting the capture.
- Display filter: searches the captured data in detail. It can be changed at any time after the capture has been taken.

So which kind of filter should you use?

The two types of filter serve different purposes.
The capture filter is the first layer that data passes through; it limits how much data is captured so that capture files do not grow too large.
The display filter is more powerful (and more complex); it lets you locate the records you need in the capture file quickly and precisely.

The two filters use completely different syntax. We cover them in the following sections:


1. Capture Filter
2. Display Filter


1. Capture Filter

The capture filter syntax is the same as in other software built on the libpcap (Linux) or WinPcap (Windows) libraries, such as the well-known tcpdump. Unlike the display filter, the capture filter must be set before starting the capture.

To set a capture filter:
- Select Capture > Options.
- Fill in the Capture Filter field, or click the "Capture Filter" button to give your filter a name and save it so you can reuse it in later captures.
- Click Start to begin capturing.




Syntax:   Protocol  Direction  Host(s)  Value     Logical operation  Other expression
Example:  tcp       dst                 10.1.1.1  and                tcp dst 10.2.2.2 3128

Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are matched by default.

Direction:
Possible values: src, dst, src and dst, src or dst.
If no source or destination is specified, the keyword "src or dst" is used by default.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Host(s):
Possible values: net, port, host, portrange.
If this value is not specified, the "host" keyword is used by default.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical operations:
Possible values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and are evaluated from left to right.
For example:
"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is different from "not (tcp port 3128 and tcp port 23)".


Examples:

tcp dst port 3128

Displays packets with a TCP destination port of 3128.

ip src host 10.1.1.1

Displays packets with a source IP address of 10.1.1.1.

host 10.1.2.3

Displays packets with a source or destination IP address of 10.1.2.3.

src portrange 2000-2500

Displays TCP or UDP packets whose source port is in the range 2000 to 2500.

not icmp

Displays all packets except ICMP. (ICMP is typically used by the ping tool.)

src host 10.7.2.12 and not dst net 10.200.0.0/16

Displays packets whose source IP address is 10.7.2.12 and whose destination is not in the network 10.200.0.0/16.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

Displays packets whose source IP is 10.4.1.12 or whose source network is 10.6.0.0/16, whose TCP destination port is between 200 and 10000, and whose destination is in the network 10.0.0.0/8.


Notes:

Use a backslash "\" when a keyword is used as a value.
"ether proto \ip" (the same as the keyword "ip").
This selects IP as the protocol.

"ip proto \icmp" (the same as the keyword "icmp").
This selects ICMP, the protocol commonly used by the ping tool.

The "multicast" and "broadcast" keywords can be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast traffic.


See the tcpdump homepage for a more detailed description of the capture filter syntax.
More capture filter examples can be found on the Wireshark wiki.
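As an added example (not code from this tutorial, Wireshark or libpcap), the following Python evaluator implements the subset of the capture filter syntax described above (host and port primitives, src/dst directions, not/and/or and parentheses) and applies it to constructed packets, so the default-direction, default-type and precedence rules can be checked directly:

```python
# Added example (not Wireshark or libpcap code): a tiny evaluator for the capture
# filter subset above, used to check the precedence and default rules stated here.
import re
def parse(text):
    # AST nodes: ('not', x), ('and'|'or', l, r), ('prim', proto, direction, kind, value)
    toks = re.findall(r"\(|\)|[^\s()]+", text.lower())
    peek = lambda i=0: toks[i] if i < len(toks) else None
    take = lambda: toks.pop(0)
    def expr():  # "and" and "or" share one precedence level, left to right
        node = unary()
        while peek() in ("and", "or"):
            node = (take(), node, unary())
        return node
    def unary():  # "not" binds tightest; parentheses override
        if peek() == "not":
            take()
            return ("not", unary())
        if peek() == "(":
            take()
            node = expr()
            assert take() == ")", "missing ')'"
            return node
        proto = take() if peek() in ("ip", "tcp", "udp", "icmp") else None
        if proto and peek() in (None, "and", "or", ")"):  # bare protocol, e.g. "not icmp"
            return ("prim", proto, None, None, None)
        direction = "src or dst"  # default direction when none is given
        if peek() in ("src", "dst"):
            direction = take()
            if peek() in ("or", "and") and peek(1) in ("src", "dst"):
                direction += " " + take() + " " + take()
        kind = take() if peek() in ("host", "port") else "host"  # default type
        return ("prim", proto, direction, kind, take())
    return expr()

def matches(node, pkt):
    # pkt: dict with proto, src, dst and (for tcp/udp) srcport, dstport
    if node[0] == "not":
        return not matches(node[1], pkt)
    if node[0] in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if node[0] == "and" else (left or right)
    _, proto, direction, kind, value = node
    if proto not in (None, "ip") and pkt["proto"] != proto:
        return False
    if kind is None:
        return True
    sides = [direction] if direction in ("src", "dst") else ["src", "dst"]
    key, want = ("", value) if kind == "host" else ("port", int(value))
    hits = [pkt.get(side + key) == want for side in sides]
    return all(hits) if direction == "src and dst" else any(hits)
```

Packets are plain dicts here; with real traffic the same rules are applied by libpcap before the packet ever reaches Wireshark.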

2. Display Filter

The data that passes the capture filter is usually still very complex. At this point you can use the display filter for a more detailed search.
It is more powerful than the capture filter, and you do not need to capture again when you want to change the filter conditions.

Syntax:   Protocol . String 1 . String 2   Comparison operator   Value     Logical operation   Other expression
Example:  ftp . passive . ip               ==                    10.2.3.4  xor                 icmp.type

Protocol:

You can use a large number of protocols from layers 2 to 7 of the OSI model. You can see them by clicking the "Expression..." button.
For example: ip, tcp, dns, ssh

You can also find the supported protocols in the locations shown in the screenshots.

The Wireshark web site provides a description of each protocol and its fields.

String 1, String 2 (optional):

Fields (sub-items) of the protocol.
Click the "+" sign next to the parent item, then select a child item.



Comparison operators:

You can use 6 comparison operators:

English notation   C-style notation   Meaning
eq                 ==                 equals
ne                 !=                 not equals
gt                 >                  greater than
lt                 <                  less than
ge                 >=                 greater than or equal
le                 <=                 less than or equal

Logical operators:

English notation   C-style notation   Meaning
and                &&                 logical AND
or                 ||                 logical OR
xor                ^^                 logical XOR (exclusive or)
not                !                  logical NOT

Logical XOR (exclusive or) is familiar to programmers. When it is used between two filter conditions, a packet is displayed if and only if exactly one of the conditions is satisfied.
For example:
"tcp.dstport == 80 xor tcp.srcport == 1025"
Such a packet is displayed only if its TCP destination port is 80 or its source port is 1025, but not both at the same time.


Examples:

snmp || dns || icmp

Displays SNMP, DNS or ICMP packets.

ip.addr == 10.1.1.1

Displays packets with a source or destination IP address of 10.1.1.1.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6

Displays packets that are not from 10.1.2.3 or are not destined for 10.4.5.6.
In other words, a packet is shown if it satisfies either condition:
source IP: anything other than 10.1.2.3; destination IP: any
or
source IP: any; destination IP: anything other than 10.4.5.6

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6

Displays packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.
In other words, a packet is shown only if it satisfies both conditions at once:
source IP: anything other than 10.1.2.3; destination IP: anything other than 10.4.5.6

tcp.port == 25

Displays packets with a source or destination TCP port of 25.

tcp.dstport == 25

Displays packets with a TCP destination port of 25.

tcp.flags

Displays packets that contain the TCP flags field (i.e. all TCP packets).

tcp.flags.syn == 0x02

Displays packets with the TCP SYN flag set. (tcp.flags.syn is a one-bit field, so "tcp.flags.syn == 1" expresses the same test.)
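As an added example (not Wireshark's code), the Python below decodes a constructed TCP header into the field names used by the display filter examples above (tcp.srcport, tcp.dstport, tcp.flags, tcp.flags.syn), renders the bytes as the hexadecimal pane does so that destination port 80 appears as 00 50, and applies the SYN-without-ACK test that the tcp.flags.syn filter is commonly combined with when looking for new connection attempts:

```python
# Added example (not Wireshark code): dissect a constructed TCP header into the field
# names used by the display filters above and render it as the hexadecimal pane would.
import struct

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def dissect_tcp(header: bytes) -> dict:
    """Map the fixed 20-byte TCP header onto Wireshark-style field names."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", header[:16])
    flags = off_flags & 0x1FF  # low 9 bits: NS plus the eight classic flags
    fields = {"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
              "tcp.ack": ack, "tcp.flags": flags, "tcp.window_size": win,
              "tcp.hdr_len": (off_flags >> 12) * 4}
    for name, bit in FLAG_BITS.items():  # tcp.flags.syn etc. are one-bit fields
        fields[f"tcp.flags.{name}"] = 1 if flags & bit else 0
    return fields

def hex_view(data: bytes, width: int = 16) -> list:
    """Render bytes as the hexadecimal pane does: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines

def is_syn_only(fields: dict) -> bool:
    """Same test as the display filter "tcp.flags.syn == 1 && tcp.flags.ack == 0"."""
    return fields["tcp.flags.syn"] == 1 and fields["tcp.flags.ack"] == 0

# Constructed samples: a SYN from port 50000 to port 80 and the SYN/ACK reply.
# Data offset 5 (20-byte header, no options), window 65535, checksum left at 0.
SYN_TO_80 = struct.pack("!HHIIHHHH", 50000, 80, 0x1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
SYN_ACK = struct.pack("!HHIIHHHH", 80, 50000, 0x2000, 0x1001, (5 << 12) | 0x012, 65535, 0, 0)

if __name__ == "__main__":
    f = dissect_tcp(SYN_TO_80)
    print(f["tcp.dstport"], hex(f["tcp.flags"]), is_syn_only(f))
    print("\n".join(hex_view(SYN_TO_80)))
```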

If the filter syntax is correct, the background of the expression field turns green; if it turns red, the expression is incorrect.
