Wireshark Introduction
Wireshark official download site: http://www.wireshark.org/
Wireshark is a very popular network packet analysis software with powerful functions. You can intercept various network packets to display the details of network packets.
Wireshark is an open-source software that can be safely used. It can run on Windows and Mac OS.
Wireshark users must understand the network protocol. Otherwise, they cannot understand Wireshark.
Wireshark cannot do
For security considerations, Wireshark can only view packets, but cannot modify the contents of the packets or send packets.
Wireshark starts packet capture
Below is the start Interface
Wireshark is a network package that captures a certain network card on the machine. When there are multiple network cards on your machine, you need to select a network card, generally the one with data transmission.
Click caputre-> interfaces .. The following dialog box is displayed. Select the correct Nic. Click "start" to start packet capture.
Wireshark window Introduction
Wireshark is mainly divided into these interfaces
1. Display filter, used for filtering
2. Packet List Pane (packet list): displays the captured packets, source addresses, target addresses, and port numbers. Different colors, representing
3. Packet details pane (packet details) to display the fields in the packet
4. dissector pane (hexadecimal data)
5. miscellanous (Address Bar, miscellaneous)
Wireshark display Filtering
Filtering is very important. When Beginners use Wireshark, they will get a lot of redundant information, which is so difficult to find what they need in thousands or even tens of thousands of records. Confused.
Filters help us quickly find the information we need in a large amount of data.
There are two filters,
One is the display filter, which is the one on the main interface used to find the desired record in the captured record.
One is the capture filter, which is used to filter captured packets to avoid capturing too many records. Set in capture-> capture Filters
Filter expression rules
Expression rules
1. Protocol Filtering
For example, TCP only displays the TCP protocol.
2. IP address filtering
For example, IP. src = 192.168.1.102 indicates that the source address is 192.168.1.102,
IP. dst = 192.168.1.102, Destination Address: 192.168.1.102
3. Port Filtering
TCP. Port = 80, port 80
TCP. srcport = 80, only the source port of TCP protocol is 80.
4. http mode filtering
HTTP. Request. Method = "get", only the http get method is displayed.
5. The logical operator is and/or.
Common filter expressions
Filter expression |
Purpose |
HTTP |
View Only HTTP protocol records |
IP. src = 192.168.1.102 or IP. dst = 192.168.1.102 |
The source address or target address is 192.168.1.102. |
Packet List Pane)
The number, timestamp, source address, target address, protocol, length, and packet information are displayed on the panel of the package list. You can see that different protocols are displayed in different colors.
You can also modify the display color rules, view-> coloring rules.
Packet details pane)
This panel is the most important for us to view every field in the Protocol.
Each row information is
Frame: data frame overview of the Physical Layer
Ethernet II: Ethernet frame header information at the data link layer
Internet Protocol Version 4: Internet layer IP packet header information
Transmission Control Protocol: information about the data segment header of transport layer T, which is TCP
Hypertext Transfer Protocol:
Information on the application layer, which is the HTTP protocol
Wireshark and corresponding OSI Layer-7 Model
Specific content of the TCP package
Each field in the TCP packet captured by Wireshark is displayed.
Instance analysis TCP three-way handshake process
Here, we basically have a preliminary understanding of wireshak. Now let's look at an example of a TCP three-way handshake:
The three-way handshake process is
This time we used Wireshark to analyze the three handshakes.
Open Wireshark, open browser input http://blog.csdn.net/xifeijian
Enter HTTP filtering in Wireshark, select the record of get/xifeijian HTTP/1.1, right-click and click "follow TCP stream ",
The purpose of this operation is to obtain the data packets related to opening a website in a browser:
As shown in the figure, Wireshark intercepts three data packets of three handshakes. The fourth packet is HTTP, which indicates that HTTP uses TCP to establish a connection.
First handshake packet
The client sends a TCP packet. The flag is SYN and the serial number is 0, indicating that the client requests to establish a connection. For example
The second handshake packet.
The server sends back the confirmation packet. The flag is SYN, and ACK. Sets acknowledgement number to the customer's I S N plus 1 to. 0 + 1 = 1, as shown in
Data packet for the third handshake
The client resends the ack syn flag to 0 and the ACK flag to 1. in addition, the serial number field + 1 sent from the server is placed in the confirmation field and sent to the other party. and put the ISN's + 1 in the data segment, for example:
In this way, a connection is established through TCP three-way handshake.