Ethereal captures packets from the network and decodes them for analysis. The following describes how to use Ethereal on Windows.
I. Installation
1. Download and install WinPcap
Http://coolersky.com/download/hacker/aidance/2005/0805/87.html
2. Download and install Ethereal
Http://coolersky.com/download/hacker/sniffer/2005/1227/152.html
Note: newer Ethereal releases bundle WinPcap, so downloading Ethereal alone completes the installation.
II. Use
After starting Ethereal, select Capture > Start. When you want to stop capturing, click Stop; the captured packets are then displayed in the main window for analysis.
1. Ethereal capture options
The options in the capture dialog are:
Interface: the interface (NIC) to capture on. Most machines have a single NIC, so the default is fine.
Limit each packet to: the maximum number of bytes saved per packet (the snapshot length); unlimited by default. Lowering it saves disk space but truncates payloads, so anything in the cut-off part cannot be decoded later.
Capture packets in promiscuous mode: whether to enable promiscuous mode. Without it the NIC only passes frames addressed to it (plus broadcast and multicast); with it, every frame the NIC sees is captured. If you only need the traffic sent or received by the local machine, leave it disabled. Note that on a switched network the NIC only sees other hosts' traffic if the switch mirrors it to your port (a SPAN/monitor port, or a hub), so enabling promiscuous mode does not by itself turn the machine into a network-wide sniffer.
Filter: the capture filter; only packets that match it are captured (covered in section 2 below).
File: to write the captured packets to a file, enter the file name here.
Use ring buffer: whether to use a ring buffer; off by default, meaning the capture simply keeps growing until you stop it. The ring buffer only applies when writing to a file; when enabled you also set the number of files and the size at which to roll over to the next file, after which the oldest file is overwritten. This keeps a long-running capture bounded on disk.
Others: leave at the default.
2. Ethereal capture filter
The capture filter decides which packets are captured in the first place; packets that do not match are dropped and never reach the capture file. It uses the libpcap filter language, which the tcpdump manual documents in detail. The basic structure is [not] primitive [and | or [not] primitive ...], where a primitive is something like host 192.168.2.10, tcp port 80 or net 10.1.10.0/24.
My opinion: if you only want certain packets, there are two ways to get them:
(1) set a capture filter before capturing, so that only packets of the chosen type are recorded;
(2) capture everything the local machine sends and receives, then use the display filter introduced in the next section so that Ethereal shows only the packets you want.
Method (2) costs more disk but loses nothing, which matters when you do not yet know exactly what you are looking for; a capture filter cannot be undone after the fact.
3. Ethereal display filter (the key content)
After capture, the display filter narrows the packet list to the packets you are interested in. You can select by protocol, by whether a field is present, or by comparing a field's value.
For example, to see only TCP packets, type tcp in the Filter box at the bottom left of the Ethereal window and press Enter; only TCP packets remain in the list. Protocol and field names are written in lowercase and are case-sensitive.
Values are compared with the following operators. Each has a C-style symbol and an English keyword; the two spellings are interchangeable, so a display filter can read almost like natural language:
eq  ==   equal
ne  !=   not equal
gt  >    greater than
lt  <    less than
ge  >=   greater than or equal
le  <=   less than or equal
Note that the equality operator is ==, not a single =.
Expressions are combined with the following logical operators, again with both a keyword and a C-style symbol:
and  &&   logical AND    ip.addr == 10.1.10.20 && tcp.flags.fin
or   ||   logical OR     ip.addr == 10.1.10.20 || ip.addr == 10.1.10.21
xor  ^^   logical XOR    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not  !    logical NOT
Two things to keep in mind. ip.addr matches when either the source or the destination address matches, so ip.addr != 10.1.10.20 does not exclude that host (one of the two addresses is almost always different); write !(ip.addr == 10.1.10.20) instead. Likewise a bare field name such as tcp.flags.fin only tests that the field is present in the packet, so tcp.flags.fin == 1 is the safer way to ask for packets with the FIN bit set.
For example, to show all HTTP packets sent or received by the host with IP address 192.168.2.10, the display filter is:
ip.addr == 192.168.2.10 && http
(The corresponding capture filter, in libpcap syntax, would be host 192.168.2.10 and tcp port 80, which selects by port number rather than by the decoded protocol.)
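As an added example (not part of the original tutorial, and not Ethereal's own code): a small Python evaluator for display filters of the kind shown in this section, run over a constructed set of decoded packets. It implements the comparison and logical operators listed above in both spellings, bare protocol and field names as presence tests, and the "either direction" semantics of ip.addr and tcp.port, which is what makes ip.addr != X a trap. The packets, addresses and field values are made up, the field names follow Ethereal's naming, and the operator precedence (! tightest, then &&, ^^, ||) is this toy's choice rather than Ethereal's documented grammar.

```python
import operator
import re

# Constructed sample capture (made-up hosts): one dict per decoded packet, keyed by
# the field names Ethereal shows in the packet-details pane; a missing key means
# the packet does not carry that field.
def tcp(n, src, dst, sport, dport, syn=0, fin=0, **extra):
    return {"frame.number": n, "ip.src": src, "ip.dst": dst, "tcp.srcport": sport,
            "tcp.dstport": dport, "tcp.flags.syn": syn, "tcp.flags.fin": fin, **extra}

PACKETS = [
    tcp(1, "10.1.10.20", "192.168.2.10", 40001, 80, syn=1),              # SYN
    tcp(2, "192.168.2.10", "10.1.10.20", 80, 40001, syn=1),              # SYN/ACK
    tcp(3, "10.1.10.20", "192.168.2.10", 40001, 80, **{"http.request.method": "GET"}),
    tcp(4, "192.168.2.10", "10.1.10.20", 80, 40001, **{"http.response.code": 200}),
    tcp(5, "10.1.10.20", "192.168.2.10", 40001, 80, fin=1),              # FIN
    tcp(6, "10.1.10.21", "192.168.2.10", 40002, 80, syn=1),              # second client
    {"frame.number": 7, "ip.src": "10.1.10.22", "ip.dst": "10.1.10.23", "icmp.type": 8},
]

# "Either direction" fields: ip.addr matches when EITHER ip.src or ip.dst matches.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
ALIASES = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
           "and": "&&", "or": "||", "xor": "^^", "not": "!"}
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
TOKEN = re.compile(r'\s*(==|!=|>=|<=|&&|\|\||\^\^|[()!<>]|"[^"]*"|[\w.]+)')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"bad token near {expr[pos:]!r}")
        tokens.append(ALIASES.get(m.group(1), m.group(1)))  # keyword -> C-style symbol
        pos = m.end()
    return tokens

def parse_value(tok):   # quoted string, integer, or bare token (dotted quads stay strings)
    return tok[1:-1] if tok.startswith('"') else int(tok) if tok.isdigit() else tok

def field_values(pkt, name):
    return [pkt[n] for n in COMBINED.get(name, (name,)) if n in pkt]

class DisplayFilter:
    """Recursive-descent parser. Precedence, tightest first: ! && ^^ || (this toy's choice)."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
        self.ast = self._or()
        if self.i != len(self.toks): raise ValueError(f"unexpected token {self.toks[self.i]!r}")
    def _peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def _next(self):
        if self.i >= len(self.toks): raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]
    def _binary(self, op, kind, below):
        node = below()
        while self._peek() == op:
            self._next()
            node = (kind, node, below())
        return node
    def _or(self):  return self._binary("||", "or", self._xor)
    def _xor(self): return self._binary("^^", "xor", self._and)
    def _and(self): return self._binary("&&", "and", self._not)
    def _not(self):
        if self._peek() != "!": return self._atom()
        self._next()
        return ("not", self._not())
    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")": raise ValueError("missing ')'")
            return node
        if tok in CMP or tok in ("&&", "||", "^^", ")"): raise ValueError(f"unexpected {tok!r}")
        if self._peek() in CMP:                          # field  op  value
            op = self._next()
            return ("cmp", tok, op, parse_value(self._next()))
        return ("present", tok)                          # bare protocol or field name

def evaluate(node, pkt):
    kind = node[0]
    if kind == "present":
        if "." in node[1]:   # field name: true whenever the field EXISTS, even if its value is 0
            return bool(field_values(pkt, node[1]))
        return any(k.split(".")[0] == node[1] for k in pkt)   # protocol name
    if kind == "cmp":
        _, name, op, lit = node
        # Any-match: true if ANY occurrence of the field passes; mismatched types never match.
        return any(type(v) is type(lit) and CMP[op](v, lit) for v in field_values(pkt, name))
    if kind == "not":
        return not evaluate(node[1], pkt)
    a, b = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return {"and": a and b, "or": a or b, "xor": a != b}[kind]

def filter_packets(expr, packets=PACKETS):
    """Frame numbers that the display filter keeps, in capture order."""
    ast = DisplayFilter(expr).ast
    return [p["frame.number"] for p in packets if evaluate(ast, p)]
```

With this sample, filter_packets("ip.addr == 192.168.2.10 && http") keeps frames 3 and 4, while filter_packets("ip.addr != 10.1.10.20") keeps all seven frames and filter_packets("!(ip.addr == 10.1.10.20)") keeps only 6 and 7, which is the pitfall described above. A bare tcp.flags.fin keeps every TCP frame because the field is present with value 0; tcp.flags.fin == 1 keeps only frame 5.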
4. Using protocol plug-ins in Ethereal
Ethereal supports many protocols, but some can only be decoded after a plug-in is installed; H.323 is one example. The following uses the H.323 protocol as an example:
(1) First download the Ethereal H.323 plug-in from http://www.voice2sniff.org/
(2) After the download completes, extract the file (h323.dll) into the plugin/0.9.x directory under the Ethereal installation directory, where 0.9.x is your Ethereal version (0.9.11 in my case).
(3) Then make the following settings:
A. Start Ethereal.
B. Menu Edit -> Preferences.
C. Click the "+" in front of Protocols to expand the protocol list.
D. Locate Q931 and click it.
E. Make sure "Desegment ... TCP segments" is checked (the box is ticked).
F. Click TCP.
G. Make sure "Allow ... TCP streams" is checked.
H. Make sure "Check ... TCP checksum" and "Use ... sequence numbers" are not checked. Leaving checksum validation on is a common source of trouble: with checksum offloading, packets sent by the capturing host are recorded before the NIC fills in the checksum, Ethereal flags them as bad, and it will not reassemble or dissect them.
I. Click TPKT.
J. Make sure "Desegment ... TCP segments" is checked.
K. Click Save, then Apply, then OK.
Alternatively, install the current WinPcap and Ethereal releases: a newer Ethereal already includes support for newer protocols, so you do not have to add plug-ins to an old installation. This is the lazy way, but it works.