As we keep learning about network protocols, we should also know something about network protocol analysis software. Here we focus on the Ethereal network protocol analyzer, which can capture packets from the network and analyze them. The following describes how to use Ethereal on Windows.
Install
1) Install WinPcap: http://netgroup-serv.polito.it/winpcap/install/Default.htm
2) Install Ethereal: http://www.ethereal.com/
The Windows program is easy to use.
After starting Ethereal, select Capture -> Start. When you no longer want to capture packets, click Stop; the captured packets are then displayed in the panel and can be analyzed.
Capture Options
Interface: specifies the network interface (NIC) on which packets are captured. There is usually a single NIC, so the default can be used.
Limit each packet to: limits the number of bytes captured from each packet; by default there is no limit.
Capture packets in promiscuous mode: whether to enable promiscuous mode. If it is enabled, all packets seen on the wire are captured. Generally you only need to monitor the packets received or sent by the local machine, so you should disable this option.
Filter: the capture filter. Only packets that match the filter rules are captured (this can be skipped for now).
File: if the captured packets should be written to a file, enter the file name here.
Use ring buffer: whether to use a ring buffer. It is not used by default, which means capturing continues until you stop it. Note that the ring buffer is only valid when writing to files; if it is used, you also need to set the number of files and the size at which to roll over to the next file.
Leave the other items at their defaults.
Ethereal packet capture filter
The capture filter is used to capture only the packets of interest. It uses the libpcap filter language, which the tcpdump manual explains in detail. The basic structure is [not] primitive [and | or [not] primitive ...].
In my opinion, if you want to capture certain packets, you can use either of the following two methods:
1. Define the capture filter before capturing. In this way, only packets of the specified type are captured;
2. Capture all packets received or sent by the local machine, then use the display filter introduced in the next section so that Ethereal shows only the types of packets you want.
Display Filter
After the capture is complete, the display filter is used to find the packets you are interested in. The filter can be based on 1) the protocol, 2) whether a field is present, 3) the value of a field, or 4) a comparison between field values.
For example, if you only want to view packets of the TCP protocol, enter tcp in the Filter box in the lower left corner of the Ethereal window and press Enter; only TCP packets are then displayed.
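To make the four kinds of display-filter matching concrete (protocol present, field present, field compared with a value, field compared with another field), here is a small added evaluator that mimics that behaviour over constructed, already-decoded sample packets. It is illustrative code written for this page, not Ethereal's own filter engine, and the packet dictionaries, field names and filter grammar are simplified assumptions.

```python
"""Toy display-filter evaluator over pre-decoded packets (constructed example)."""
import operator
import re

# Constructed sample packets: protocol layer -> {field: value}. Not real captures.
PACKETS = [
    {"eth": {}, "ip": {"src": "10.0.0.1", "dst": "10.0.0.2"}, "tcp": {"srcport": 51000, "dstport": 80}},
    {"eth": {}, "ip": {"src": "10.0.0.2", "dst": "10.0.0.1"}, "tcp": {"srcport": 80, "dstport": 51000}},
    {"eth": {}, "ip": {"src": "10.0.0.1", "dst": "10.0.0.1"}, "udp": {"srcport": 53, "dstport": 53}},
    {"eth": {}, "arp": {"opcode": 1}},
]

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
# Grammar assumed here: NAME [OP VALUE], where NAME is "proto" or "proto.field".
TOKEN = re.compile(r"^\s*([a-z]+(?:\.[a-z]+)?)\s*(?:(==|!=|>=|<=|>|<)\s*(\S+))?\s*$")
FIELD = re.compile(r"^[a-z]+\.[a-z]+$")


def lookup(pkt, name):
    """Return the field value, the layer dict for a bare protocol name, or None if absent."""
    proto, _, field = name.partition(".")
    layer = pkt.get(proto)
    if layer is None:
        return None
    return layer if not field else layer.get(field)


def coerce(raw, like):
    """Convert a literal to the type of the field it is compared with (int or str)."""
    return int(raw) if isinstance(like, int) else raw


def matches(pkt, expr):
    """Evaluate one filter expression against one packet."""
    m = TOKEN.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    name, op, rhs = m.groups()
    left = lookup(pkt, name)
    if op is None:                      # 1) protocol present / 2) field present
        return left is not None
    if left is None:                    # a missing field never matches a comparison
        return False
    if FIELD.match(rhs):                # 4) field compared with another field
        right = lookup(pkt, rhs)
        if right is None:
            return False
    else:                               # 3) field compared with a literal value
        right = coerce(rhs, left)
    return OPS[op](left, right)


def apply_filter(expr, packets=PACKETS):
    """Return the indices of packets the display filter would keep."""
    return [i for i, p in enumerate(packets) if matches(p, expr)]
```

Entering tcp keeps only packets 0 and 1, ip.src == ip.dst keeps only the self-addressed UDP packet, and udp.srcport keeps any packet carrying that field regardless of its value.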