First, Wireshark introduction and installation
Wireshark (formerly known as Ethereal) is a network packet analysis tool. A packet analyzer captures network packets and displays their contents in as much detail as possible. Wireshark uses WinPcap as its interface to exchange data directly with the network card.
Official website: https://www.wireshark.org/download.html
While installing Wireshark you will also be offered WinPcap (Windows packet capture), a free, public network access system for the Windows platform. The purpose of the WinPcap project is to give Win32 applications access to the network's lower layers.
Second, Wireshark packet capture analysis
Note: This Wireshark version is wireshark-win64-2.0.3
1. Start interface
Wireshark captures the packets passing through one network interface card (NIC) of the machine; when the machine has several NICs, you have to select the one to capture on.
(Ethernet is chosen here.)
2. Wireshark window introduction
---> Display filter, used for filtering
Using filters is very important: a beginner using Wireshark gets a lot of redundant information, thousands or even tens of thousands of records, which makes it hard to find the part of interest. Filters help us quickly find the information we need in a large amount of data.
There are two types of filters:
One is the display filter, the one on the main interface, which finds the required records among the records already captured.
The other is the capture filter, which filters packets as they are captured, to avoid capturing too many records. It is set under Capture Filters.
Filter expression rules
(1). Protocol filtering
For example, tcp shows only TCP packets.
(2). IP filtering
For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,
ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102
(3). Port filtering
tcp.port == 80 shows TCP packets whose source or destination port is 80
tcp.srcport == 80 shows only TCP packets whose source port is 80.
(4). HTTP method filtering
http.request.method == "GET" shows only HTTP GET requests.
(5). The logical operators are and / or
Commonly used filter expressions
Filter expression | Use
http | View only the records of the HTTP protocol
ip.src == 192.168.1.102 or ip.dst == 192.168.1.102 | Source address or destination address is 192.168.1.102
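The filter rules above, as an added example that is not part of the original tutorial: a small Python evaluator for the display-filter subset the page lists (bare protocol names, field == value, and / or / not, parentheses), run over constructed packet records that stand in for captured frames. Wireshark's own filter engine is not used; the packet dicts, and the handling of tcp.port as matching either port, are assumptions modelled on Wireshark's behaviour.

```python
"""Added example, not from the original tutorial: a small evaluator for the
Wireshark display-filter syntax listed above, run over constructed packet
records so the matching rules can be tried offline without a capture."""
import re

# Constructed sample "packets": each dict holds the fields Wireshark would
# expose for that frame. Frame 1 is an HTTP GET from 192.168.1.102, frame 2
# the server's reply, frame 3 a DNS query, frame 4 inbound HTTPS traffic.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.102", "ip.dst": "93.184.216.34",
     "tcp.srcport": 52314, "tcp.dstport": 80, "http.request.method": "GET"},
    {"frame.number": 2, "ip.src": "93.184.216.34", "ip.dst": "192.168.1.102",
     "tcp.srcport": 80, "tcp.dstport": 52314},
    {"frame.number": 3, "ip.src": "192.168.1.102", "ip.dst": "8.8.8.8",
     "udp.srcport": 49152, "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"frame.number": 4, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.102",
     "tcp.srcport": 443, "tcp.dstport": 51000},
]

def tokenize(expr):
    """Split a filter into quoted strings, operators, parentheses and names."""
    return re.findall(r'"[^"]*"|==|!=|&&|\|\||[()!]|[\w.]+', expr)

class Parser:
    """Recursive-descent parser: 'not' binds tightest, then 'and', then 'or'."""
    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek(); self.pos += 1; return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take(); node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take(); node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take(); return ("not", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", "==", "!="):
            raise ValueError("malformed filter")
        if self.peek() in ("==", "!="):
            op = self.take(); value = self.take()
            if value is None:
                raise ValueError("missing value after %s" % op)
            return ("cmp", tok, op, value)
        return ("has", tok)      # bare protocol or field name: presence test

def field_values(pkt, name):
    """Values a name resolves to in one packet. A bare protocol name ('tcp')
    is present when any tcp.* field is; 'tcp.port' covers both ports, as in
    Wireshark (assumption modelled on its behaviour)."""
    if name in ("tcp.port", "udp.port"):
        proto = name.split(".")[0]
        return [pkt[k] for k in (proto + ".srcport", proto + ".dstport") if k in pkt]
    if name in pkt:
        return [pkt[name]]
    if "." not in name and any(k.split(".")[0] == name for k in pkt):
        return [True]
    return []

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        return bool(field_values(pkt, node[1]))
    _, name, op, value = node
    vals = [str(v) for v in field_values(pkt, name)]
    want = value.strip('"')        # comparison is case-sensitive, as in Wireshark
    if op == "==":
        return want in vals
    return bool(vals) and want not in vals   # '!=': field present, no value equal

def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers a display filter keeps."""
    tree = Parser(expr).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]

if __name__ == "__main__":
    for f in ("tcp", "ip.src == 192.168.1.102", "tcp.port == 80",
              'http.request.method == "GET"', "tcp and not tcp.port == 80"):
        print("%-35s -> frames %s" % (f, apply_filter(f)))
```

Note that string comparison is case-sensitive: `http.request.method == "Get"` keeps nothing, because the method field holds `GET`, which is why the field names and values in a display filter must be written exactly as Wireshark shows them.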
---> Packet list pane, which shows the captured packets with their source and destination addresses and port numbers. You can see that different protocols are displayed in different colors.
You can also modify these coloring rules under View -> Coloring Rules.
The lines of information are, respectively:
Frame: overview of the data frame at the physical layer
Ethernet II: Ethernet frame header information at the data link layer
Internet Protocol Version 4: IP packet header information at the internet layer
Transmission Control Protocol: segment header information at the transport layer, here TCP
Hypertext Transfer Protocol: application layer information, here the HTTP protocol
Wireshark and corresponding OSI seven-layer model
Specific contents of a TCP packet
Each field of the TCP packet captured by Wireshark can be seen here:
---> Packet details pane, showing the fields in the packet
---> Dissector pane (packet bytes, hexadecimal data)
---> Miscellaneous (address bar, etc.)
Example analysis of the TCP three-way handshake
You can refer to the article: How to capture packets with Wireshark, a detailed illustrated Wireshark packet capture tutorial
Wireshark protocol analysis tool application