Wireshark packet capture and TCP three-way handshake Analysis

Wireshark Introduction

 

Wireshark official download site: http://www.wireshark.org/

Wireshark is a very popular network packet analysis software with powerful functions. You can intercept various network packets to display the details of network packets.

Wireshark is an open-source software that can be safely used. It can run on Windows and Mac OS.

Wireshark users must understand the network protocol. Otherwise, they cannot understand Wireshark.

 

Wireshark cannot do

 

For security considerations, Wireshark can only view packets, but cannot modify the contents of the packets or send packets.

 

Wireshark starts packet capture

 

Below is the start Interface

Wireshark is a network package that captures a certain network card on the machine. When there are multiple network cards on your machine, you need to select a network card, generally the one with data transmission.

Click caputre-> interfaces .. The following dialog box is displayed. Select the correct Nic. Click "start" to start packet capture.

Wireshark window Introduction

 

Wireshark is mainly divided into these interfaces

1. Display filter, used for filtering

2. Packet List Pane (packet list): displays the captured packets, source addresses, target addresses, and port numbers. Different colors, representing

3. Packet details pane (packet details) to display the fields in the packet

4. dissector pane (hexadecimal data)

5. miscellanous (Address Bar, miscellaneous)

 

Wireshark display Filtering

 

Filtering is very important. When Beginners use Wireshark, they will get a lot of redundant information, which is so difficult to find what they need in thousands or even tens of thousands of records. Confused.

Filters help us quickly find the information we need in a large amount of data.

There are two filters,

One is the display filter, which is the one on the main interface used to find the desired record in the captured record.

One is the capture filter, which is used to filter captured packets to avoid capturing too many records. Set in capture-> capture Filters

Filter expression rules

 

Expression rules

1. Protocol Filtering

For example, TCP only displays the TCP protocol.

2. IP address filtering

For example, IP. src = 192.168.1.102 indicates that the source address is 192.168.1.102,

IP. dst = 192.168.1.102, Destination Address: 192.168.1.102

3. Port Filtering

TCP. Port = 80, port 80

TCP. srcport = 80, only the source port of TCP protocol is 80.

4. http mode filtering

HTTP. Request. Method = "get", only the http get method is displayed.

5. The logical operator is and/or.

Common filter expressions

Filter expression	Purpose
HTTP	View Only HTTP protocol records
IP. src = 192.168.1.102 or IP. dst = 192.168.1.102	The source address or target address is 192.168.1.102.

 

 

 

 

 

 

 

 

 

Packet List Pane)

 

The number, timestamp, source address, target address, protocol, length, and packet information are displayed on the panel of the package list. You can see that different protocols are displayed in different colors.

You can also modify the display color rules, view-> coloring rules.

Packet details pane)

 

This panel is the most important for us to view every field in the Protocol.

Each row information is

Frame: data frame overview of the Physical Layer

Ethernet II: Ethernet frame header information at the data link layer

Internet Protocol Version 4: Internet layer IP packet header information

Transmission Control Protocol: information about the data segment header of transport layer T, which is TCP

Hypertext Transfer Protocol:
Information on the application layer, which is the HTTP protocol

 

Wireshark and corresponding OSI Layer-7 Model

Specific content of the TCP package

 

Each field in the TCP packet captured by Wireshark is displayed.

 

 

Instance analysis TCP three-way handshake process

 

Here, we basically have a preliminary understanding of wireshak. Now let's look at an example of a TCP three-way handshake:

 

The three-way handshake process is

 

This time we used Wireshark to analyze the three handshakes.

Open Wireshark, open browser input http://blog.csdn.net/xifeijian

Enter HTTP filtering in Wireshark, select the record of get/xifeijian HTTP/1.1, right-click and click "follow TCP stream ",

The purpose of this operation is to obtain the data packets related to opening a website in a browser:

As shown in the figure, Wireshark intercepts three data packets of three handshakes. The fourth packet is HTTP, which indicates that HTTP uses TCP to establish a connection.

 

First handshake packet

The client sends a TCP packet. The flag is SYN and the serial number is 0, indicating that the client requests to establish a connection. For example

The second handshake packet.

The server sends back the confirmation packet. The flag is SYN, and ACK. Sets acknowledgement number to the customer's I S N plus 1 to. 0 + 1 = 1, as shown in

Data packet for the third handshake

The client resends the ack syn flag to 0 and the ACK flag to 1. in addition, the serial number field + 1 sent from the server is placed in the confirmation field and sent to the other party. and put the ISN's + 1 in the data segment, for example:

 

In this way, a connection is established through TCP three-way handshake.