Wireshark Introduction and Advanced Series (II)


Excerpted from http://blog.csdn.net/howeverpf/article/details/40743705 (Wireshark Introduction and Advanced Series (II))

"The gentleman is not born different from others; he is simply good at making use of things." --- Xunzi

This article is an original work by CSDN user 蚍蜉 Shake Pine (homepage: http://blog.csdn.net/howeverpf); please credit the source when reprinting!


In the previous article we covered the most basic flow of capturing and saving packets with Wireshark. In practice we usually have further requirements on which packets get captured and how they are presented, for example:
    • we want the packets we actually care about to make up a much higher proportion of what is captured, which calls for a set of capture filter rules;
    • we want the packets saved to a specified file while the capture is running;
    • we want Wireshark to stop capturing automatically once some condition is met, without having to stop it by hand;
    • we want to see the newest captured packets in real time, together with statistics on how many packets of each type have been captured;
    • we want the numeric addresses of the physical, network and transport layers converted into more readable text;

All of these requirements can be met through the Capture Options, so a more complete capture process than the one in the previous post is:

    start the software -- set the capture options -- start capturing -- stop capturing -- save the packets

The other steps are basically the same, but the simple "select a NIC" has grown into the more complex "set the capture options". In this post we take a close look at the Capture Options.

Much of this section draws on Wireshark's help manual; for reference you can download the Wireshark User Guide 1.10 (English original) or the older Chinese translation of the Wireshark User Guide.


II. Capture Options: the meaning and setting of each item

After the software starts, on the start screen click the Capture Options shortcut button directly below the "Capture" section (the button at the bottom of Figure 2 in the first post); the Capture Options window shown below pops up:


Figure 2-1 Capture Options (packet capture option) Pop-up window

From the figure you can see that the Capture Options pop-up divides into five areas according to what they configure (marked with five black rounded rectangles in Figure 2-1). Below, going from top to bottom and left to right, each area's options are described in turn: what each option means and whether its setting matters to us.


2.1 Capture [packet capture related settings]


Figure 2-2 Packet capture related settings

The options in this area directly affect how packets are captured. In top-down order they are:

2.1.1 NIC list

Located at the top of this area; tick the check box in front of each NIC on which you want to capture. Select at least one of the available entries!

2.1.2 Option: Capture on all interfaces

When this option is checked, you capture packets on all interfaces Wireshark has found at the same time. This is equivalent to ticking every NIC in the list above, but only packets on the NICs that appear in the list are captured.

2.1.3 Option: Use promiscuous mode on all interfaces

Checking this option tells Wireshark to put the NIC into promiscuous mode while capturing. Put simply, a NIC in promiscuous mode captures every frame that passes through it, whereas a NIC without promiscuous mode captures only broadcast frames and frames addressed to the NIC itself. For more detail on the operating modes of Ethernet cards, see "Network card working modes".

2.1.4 Button: Manage Interfaces

Click this button if you want to add or delete entries in the NIC list. Pipes and remote NICs can also be set up here as packet sources; I do not use this function, so I will not say much about it.

2.1.5 Input box and button: Capture Filter

If you want to set filter conditions for the capture (the official term appears to be "capture filter") and you happen to know a little tcpdump expression syntax, you can type a filter expression into the input box next to this button, similar to what I entered in Figure 2-1:

    host 192.168.1.17 and port 110

Of course, you may not understand filter expressions at all; in that case you can click the button directly, and the following window with some commonly used filters pops up:


Figure 2-3 Capture Filter pop-up window

If we pick any of these preset filters, for example the "IP address 192.168.0.1" selected in Figure 2-3, we can see below it that "IP address 192.168.0.1" is just an intuitive, easy-to-understand name for the filter; it actually corresponds to the filter expression "host 192.168.0.1". The pop-up in Figure 2-3 already contains the simplest and most commonly used filters, including "only IP packets", "only UDP packets", "only HTTP packets", "no ARP packets" and so on. Through it we can also delete and modify commonly used filters, provided of course that you have learned how to write filter expressions. Since the syntax is highly similar to tcpdump's, to learn it you can refer to the blog post on detailed tcpdump usage, or download the document "Winpcap_bpf_fiter filter rules setting documentation.PDF".

2.1.6 Button: Compile selected BPFs

At first I did not understand this one. I thought it was needed to make the filter take effect, so after writing a filter expression I made a point of clicking it every time; only while writing this article did I find that the filter takes effect without clicking it... Checking the Wireshark help manual, I understand that it is just a tool that compiles a filter expression into BPF code (which looks a bit like assembly). If you only use Wireshark and do not write your own WinPcap-based sniffing tools, I guess you should not need it.


2.2 Capture Files [storage related settings]
Figure 2-4 Packet file storage related settings

The options in this area only need to be set when you want packets saved automatically. In practice there are cases where only a quick temporary analysis is needed and no file is required, and cases where we first capture into the cache in real time and then, after a rough look, selectively save to a file. In both of those cases you do not need to set the options in this area.

2.2.1 Input box: File

Simply specify the file name with its full path, by typing it or using the Browse button to the right. The default is blank, which means the captured packets are stored in a temporary file in the default cache directory.

2.2.2 Option: Use pcap-ng format

Checking this option makes Wireshark save the file in pcap-ng format (for more information see http://wiki.wireshark.org/Development/PcapNg). When you capture on multiple NICs you must use pcap-ng to save the file; for compatibility reasons I do not recommend checking it when capturing on a single NIC.

2.2.3 Option: Use multiple files

When this option is checked, Wireshark stores the packets in multiple files; by default a single file is used. Whether to use one file or several depends on the amount of data, your purpose and so on.

2.2.4 Options: Next file every N megabyte(s) / minute(s). If "Use multiple files" above is not checked, this option is disabled and has no effect.

When storing in multiple files, you must specify the condition for switching to the next file. There are two kinds of switching condition: one switches after a certain amount of traffic has been captured (the default unit is MB; the smaller KB and the larger GB are also supported), and the other switches after a certain capture interval has elapsed (the default unit is minutes; seconds, hours and days are also supported).

When using multiple files, you must select at least one of the two switching conditions!

2.2.5 Option: Ring buffer with N files. If "Use multiple files" above is not checked, this option is disabled and has no effect.

When using multiple files, you can check and set this option if you want to limit the number of files and allow files to be overwritten. It means that Wireshark creates at most N files; when a switching condition calls for an (N+1)th file, it stores the newly captured packets into the current oldest file, so that the oldest file becomes the newest. This is analogous to a ring buffer queue with capacity N.

For the time being I understand the process of turning the oldest file into the newest one as overwriting; if you dig around and find that it is essentially appending or some other mechanism, please contact me!

2.2.6 Option: Stop capture after N file(s). If "Use multiple files" above is not checked, this option is disabled and has no effect.

When using multiple files, you can check and set this option if you want to limit the number of files and do not allow overwriting. It means that Wireshark creates at most N files, and when a switching condition would call for the (N+1)th file it simply stops capturing.

This way of stopping the capture automatically applies only when multiple files are used. The general ways of stopping automatically are described in the next section.


2.3 Stop Capture Automatically After [auto-stop settings]
Figure 2-5 Automatic stop capture settings

In the previous article we stopped the capture by hand. The options in this area let us set conditions under which Wireshark stops capturing on its own. Note that these options are not mutually exclusive: you can tick several, and they are combined in an "or" relationship.

2.3.1 Option: N packet(s)

When this option is checked, Wireshark stops capturing automatically after the specified number of packets has been captured.

2.3.2 Option: N megabyte(s)

When this option is checked, Wireshark stops capturing automatically after the specified amount of traffic has been captured. The default unit is MB; the smaller KB and the larger GB are also available.

2.3.3 Option: N minute(s)

When this option is checked, Wireshark stops capturing automatically after the specified length of time, counted from the moment the capture starts. The default unit is minutes; seconds, hours and days are also supported.
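As an added example (not code from the original post), the following Python maps the settings of sections 2.1 to 2.3 onto the command line of dumpcap, the capture program Wireshark runs underneath, and enforces the dependencies those sections describe: pcap-ng for several interfaces, at least one switching condition for multiple files, and the three options that are disabled without "Use multiple files". The flag names are dumpcap's own; the CaptureOptions field names are assumptions of this example.

```python
# Added example, not code from the original post: the Capture Options of
# sections 2.1-2.3 expressed as dumpcap flags (field names are assumptions).
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CaptureOptions:
    interfaces: List[str]                    # 2.1.1 ticked NICs
    capture_filter: str = ""                 # 2.1.5 (tcpdump/BPF syntax)
    file: str = ""                           # 2.2.1, "" = temporary file
    pcapng: bool = False                     # 2.2.2
    multiple_files: bool = False             # 2.2.3
    next_file_kb: Optional[int] = None       # 2.2.4 size condition (kB)
    next_file_sec: Optional[int] = None      # 2.2.4 time condition (seconds)
    ring_buffer_files: Optional[int] = None  # 2.2.5
    stop_after_files: Optional[int] = None   # 2.2.6
    stop_packets: Optional[int] = None       # 2.3.1
    stop_kb: Optional[int] = None            # 2.3.2 (kB)
    stop_sec: Optional[int] = None           # 2.3.3 (seconds)

def validate(o: CaptureOptions) -> Optional[str]:
    # Returns the first rule from the sections above that the settings break.
    if not o.interfaces:
        return "select at least one interface (2.1.1)"
    if len(o.interfaces) > 1 and not o.pcapng:
        return "capturing on several interfaces requires pcap-ng (2.2.2)"
    if not o.multiple_files and any((o.next_file_kb, o.next_file_sec,
                                     o.ring_buffer_files, o.stop_after_files)):
        return "2.2.4-2.2.6 are disabled unless 'Use multiple files' is checked"
    if o.multiple_files and not (o.next_file_kb or o.next_file_sec):
        return "multiple files need at least one switching condition (2.2.4)"
    return None

def dumpcap_args(o: CaptureOptions) -> List[str]:
    if (problem := validate(o)) is not None:
        raise ValueError(problem)
    args = ["dumpcap"]
    for iface in o.interfaces:
        args += ["-i", iface]
    for flag, value in (("-f", o.capture_filter), ("-w", o.file)):
        if value:
            args += [flag, value]
    args.append("-n" if o.pcapng else "-P")  # -n pcap-ng, -P classic pcap
    # -b: next-file conditions (2.2.4, 2.2.5); -a: autostop conditions
    # (2.2.6, 2.3.2, 2.3.3), which are OR'ed as section 2.3 says.
    for flag, key, value in (("-b", "filesize", o.next_file_kb),
                             ("-b", "duration", o.next_file_sec),
                             ("-b", "files", o.ring_buffer_files),
                             ("-a", "files", o.stop_after_files),
                             ("-a", "filesize", o.stop_kb),
                             ("-a", "duration", o.stop_sec)):
        if value:
            args += [flag, f"{key}:{value}"]
    if o.stop_packets:                       # 2.3.1: -c is the packet count
        args += ["-c", str(o.stop_packets)]
    return args
```

Running `dumpcap -i <interface> -d -f "host 192.168.1.17 and port 110"` compiles the filter and prints the resulting BPF program without capturing, the command-line counterpart of "Compile selected BPFs".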


2.4 Display Options [display settings]
Figure 2-6 Display option settings

These options influence how a live capture is displayed.

2.4.1 Option: Update list of packets in real time

Checking this option makes Wireshark run two threads at the same time: one is responsible for capturing packets and the other for parsing and displaying the captured packets in real time. Otherwise, Wireshark devotes itself entirely to capturing, waits until the capture is stopped, and then parses and displays all captured packets at once.

Obviously, parsing and presenting packets in real time consumes CPU, so it has a considerable impact on capture performance and the packet loss rate may increase.

2.4.2 Option: Automatic scrolling in live capture. If "Update list of packets in real time" is not checked, this option is disabled and has no effect.

Checking this option makes Wireshark automatically scroll the "Packet List" sub-window of the main window to the last row once the capture starts, so you can always see the newest captured packets at the bottom of the sub-window. If you do not tick it, dragging the sub-window's scroll bar by hand achieves the same.

2.4.3 Option: Hide capture info dialog

If you want a general overview of the capture while Wireshark is capturing, do not tick this option; Wireshark then pops up the summary window shown below while capturing:


Figure 2-7 Overview of Packet capture pop-up window

Conversely, when this option is checked, Wireshark hides that pop-up while capturing.


2.5 Name Resolution [name resolution related settings]


Figure 2-8 name resolution related settings


The options in this area control how the addresses of each layer of a packet are resolved and displayed when the capture is shown. Note that the resolution results are only temporary: if you save the captured packets, Wireshark saves only the original address of each layer, not the resolved names.

2.5.1 Option: Resolve MAC addresses

When this option is checked, Wireshark tries (but does not guarantee) to resolve MAC addresses into a more recognizable form, for example:

    01:00:5e:00:35:16 ==> ipv4mcast_00:35:16
    00:26:82:88:45:ac ==> Gemtekte_88:45:ac
    28:c6:8e:19:e9:5b ==> netgear_19:e9:5b

Looking closely, you will notice that only the first three bytes of the MAC address are resolved; the last three bytes remain unchanged in the result. The rationale is that the six-byte MAC address is really two halves: the first three bytes are assigned centrally by the IEEE registry and are called the OUI (Organizationally Unique Identifier) or company_id, and the manufacturer can generally be identified from them; the last three bytes are assigned by the manufacturer itself and carry little meaning.
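The OUI lookup just described, as an added example that is not code from the original post: split the address into its two halves, replace a known OUI with the short vendor name and keep the last three bytes, falling back to the raw address when the OUI is unknown. OUI_TABLE is a constructed fragment covering the three addresses above (Wireshark itself consults its bundled manuf database); address_flags additionally decodes the multicast and locally-administered bits of the first octet.

```python
# Added example, not code from the original post: how "Resolve MAC addresses"
# turns an address into Vendor_xx:xx:xx. OUI_TABLE is a constructed fragment;
# Wireshark itself consults its bundled manuf database.
import re
from typing import Optional, Tuple

# Constructed sample of a manuf-style table: OUI (first 3 bytes) -> short name,
# covering the three addresses shown in the post above.
OUI_TABLE = {
    "01:00:5e": "IPv4mcast",   # IEEE block used for IPv4 multicast frames
    "00:26:82": "Gemtekte",    # Gemtek Technology, as Wireshark abbreviates it
    "28:c6:8e": "Netgear",
}

MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)

def split_mac(mac: str) -> Optional[Tuple[str, str]]:
    """Split into (OUI, NIC-specific) halves, normalised to lower-case
    colon notation; None if the text is not a 6-byte MAC address."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    octets = [o.lower() for o in m.groups()]
    return ":".join(octets[:3]), ":".join(octets[3:])

def address_flags(mac: str) -> dict:
    """Decode the two flag bits of the first octet (IEEE 802): bit 0 is the
    I/G (multicast) bit, bit 1 the U/L (locally administered) bit."""
    parts = split_mac(mac)
    if parts is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(parts[0][:2], 16)
    return {"multicast": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}

def resolve_mac(mac: str, table=OUI_TABLE) -> str:
    """Resolve like Wireshark: replace a known OUI with its short name, keep
    the last three bytes, and fall back to the raw address otherwise."""
    parts = split_mac(mac)
    if parts is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    oui, rest = parts
    if oui == "ff:ff:ff" and rest == "ff:ff:ff":
        return "Broadcast"                 # the all-ones address is not an OUI
    name = table.get(oui)
    return f"{name}_{rest}" if name else f"{oui}:{rest}"
```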
2.5.2 Option: Resolve network-layer names

When this option is checked, Wireshark tries (but does not guarantee) to resolve network-layer addresses (typically IP addresses) into a more recognizable form such as a domain name or host name. This is generally implemented by calling GetHostName() to perform a reverse DNS query (see "forward and reverse resolution in DNS"), which brings two problems: 1. the queries generate extra DNS traffic, which can affect the accuracy of some analyses; 2. the queries consume system resources and affect capture performance. So I do not recommend checking this option while capturing; it can be enabled during analysis instead. If ordinary blocking queries are used, the query often fails or waits a long time on delays, which hurts capture performance even more; it is best to use concurrent DNS (asynchronous DNS queries).

2.5.3 Option: Resolve transport-layer name

When this option is checked, Wireshark resolves transport-layer addresses (typically port numbers) to the corresponding application-layer service as far as possible (but not guaranteed). For example:

    80, 8080 ==> http
    ==> FTP
    ==> Telnet
    ==> SMTP
    ==> DNS
    ==> POP3
    443 ==> SSL, TLS

The rationale behind this resolution is that many common services bind to fixed port numbers (0~1023), generally known as well-known port numbers or system port numbers (see the Wikipedia list of TCP/UDP port numbers).

2.5.4 Option: Use external network name resolver

This option and similar ones are not available in earlier versions of Wireshark. In practice I have not personally had the chance to experience the difference it makes, and I did not find a description of it in my own 1.10 user guide. After some searching I roughly understand it. The intent of adding this option is presumably to work together with the "Resolve network-layer names" option above. We know that an ordinary DNS query follows the order: local cache, hosts file, then external query; only if the first two internal lookups fail is the external query used. If this option is not ticked, then when Wireshark resolves the host name or domain name for an IP address it uses only the internal lookups, and if they fail it does not attempt an external query but returns the failure directly. Although that is the intent, the implementation seems to have some problems...

This section references:
    • "What's 'Use External Network Name Resolver' setting?"
    • "Doesn't respect disabling 'Use external network name resolver'"
    • "Using a Wireshark Hosts File for quicker analysis" (may not open; you can see this saved picture: http://vdisk.weibo.com/s/aUCQJfkRisFHX)
