How to Use Wireshark to capture data frames and IP data packets


About Wireshark

Wireshark is one of the world's foremost network protocol analyzers, and is the de facto standard across many parts of the industry.

It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide.

Wireshark was written by an international group of networking experts, and is an example of the power of open source. It runs on Windows, Linux, UNIX, and other platforms.

Features

Wireshark has a rich feature set which includes the following:

  • Standard three-pane packet browser
  • Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others
  • Multi-interface: along with a standard GUI, Wireshark includes tshark, a text-mode analyzer which is useful for remote capture, analysis, and scripting
  • The most powerful display filters in the industry
  • VoIP analysis
  • Live capture and offline analysis are supported
  • Read/write many different capture file formats: tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the isdn4bsd project, Cisco Secure IDS iplog, the pppd log (pppdump format), the AG Group's/WildPackets' EtherPeek/TokenPeek/AiroPeek, Visual Networks' Visual UpTime, and others
  • Capture files compressed with gzip can be decompressed on the fly
  • Hundreds of protocols are supported, with more being added all the time
  • Coloring rules can be applied to the packet list, which eases analysis
Open the Wireshark interface and click the first button on the left of the toolbar. In the window that opens, select the capture interface (the ndis5.0 driver in this example) and click Start to begin capturing. The interface is shown in the figure. Wireshark now captures the data frames on the network. Generate some traffic for it to capture:

(1) Run -> cmd -> ping swfc.edu.cn
(2) Open the page http://cs2.swfc.edu.cn with IE
(3) Log on to an FTP server

At this point, click the Stop button to stop the capture. The result is shown in the figure: all the captured data frames are listed here.

Analyze data frames and data packets as follows. The columns of the captured data have the following meaning: the first column is the number of the captured frame; the second column is the time of the frame relative to the start of the capture, counted from 0.000 seconds; the third column is the source address; the fourth column is the destination address; the fifth column is the protocol; and the sixth column is information about the packet. To avoid losing the data through an operating error, save the capture first (select File -> Save).

Format of the Ethernet frame:
Format of the ARP protocol encapsulated in Ethernet:

Analyzing ARP encapsulation in an Ethernet data frame: enter arp (the filter name is lowercase) in the edit box after Filter, and press Enter or click Apply. Now only ARP frames are shown; frames of other protocols are filtered out. Select a data frame; the Wireshark window is divided into three panes: the top pane lists all data frames, the middle pane describes the selected frame, and the bottom pane shows the bytes in the frame. Each of the three rows in the middle pane has a "+" in front of it; click it to expand the row. Expand the first row. The result is as follows; we can see some basic information about this frame:

  • Frame number: 336 (the number assigned at capture time)
  • Frame size: 60 bytes. (The minimum Ethernet frame is 64 bytes, but only 60 are shown because the 4-byte CRC (FCS) is stripped before capture and is not counted; add it back to get the 64 bytes on the wire.)
  • Frame capture date and time: Nov 30, 2006 ......
  • Time since the previous captured frame: 0.13469 ......
  • Time since the first frame: 79.8821 ......
  • Protocols carried in the frame: ARP. Expanding the second row (Ethernet II) shows the following:

In the figure, when a field is selected in the middle pane, the corresponding bytes are highlighted in the bottom pane. We can see that:

  • Destination address (destination): FF (this is a MAC address; it is the broadcast address, so every computer in the LAN will receive this data frame)
  • Source address (source): Draytek_31:54:ab (00:50:7f:31:54:ab). From this we know that 00:50:7f is an Ethernet address block owned by DrayTek, an Ethernet NIC manufacturer.
  • Type of the protocol encapsulated in the frame: 0x0806 (this is the type number of the ARP protocol)
  • Trailer: padding added so that the frame reaches the 64-byte minimum length

Next, expand the third row (ARP). The result is as follows; in the figure we can see the following information:

  • Hardware type (hardware type): Ethernet (0x0001)
  • Protocol type (protocol type): IP (0x0800)
  • Number of bytes of hardware address in the packet (hardware size): 6
  • Number of bytes of protocol address in the packet (protocol size): 4
  • Operation (opcode): request (0x0001)
  • Sender's MAC address (sender MAC address): Draytek_31:54:ab (00:50:7f:31:54:ab)
  • Sender's IP address (sender IP address): 192.168.128.1 (192.168.128.1)
  • Target MAC address (target MAC address): Draytek_31:54:ab (00:50:7f:31:54:ab)
  • Target IP address (target IP address): 192.168.128.1 (192.168.128.1)
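
As an added example (not code from the original article), the following Python script builds a constructed, minimum-size Ethernet frame carrying an ARP request, using the sender shown in the capture above (00:50:7f:31:54:ab / 192.168.128.1; the target IP 192.168.128.100 is an assumption), and then decodes it field by field the way Wireshark's middle pane does: destination and source MAC, EtherType 0x0806, the ARP header fields listed above, and the trailer padding that brings the frame to 60 bytes once the FCS is stripped. A small filter function plays the role of the arp display filter.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800      # ARP "protocol type" value for IPv4
ETH_HEADER_LEN = 14
ARP_PACKET_LEN = 28          # Ethernet/IPv4 ARP: 8-byte header + 6 + 4 + 6 + 4
MIN_FRAME_NO_FCS = 60        # 64-byte Ethernet minimum minus the 4-byte FCS
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload.

    Capture drivers hand frames to Wireshark with the FCS/CRC already
    stripped, which is why a minimum-size frame is shown as 60 bytes.
    """
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "is_broadcast": dst == b"\xff" * 6,
        "ethertype": ethertype,
        "payload": frame[ETH_HEADER_LEN:],
        "captured_len": len(frame),
    }


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet; bytes past 28 are the trailer padding."""
    if len(payload) < ARP_PACKET_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:ARP_PACKET_LEN])
    return {
        "hardware_type": htype,
        "protocol_type": ptype,
        "hardware_size": hlen,
        "protocol_size": plen,
        "opcode": ARP_OPCODES.get(opcode, f"unknown ({opcode})"),
        "sender_mac": mac_str(smac),
        "sender_ip": str(ipaddress.IPv4Address(sip)),
        "target_mac": mac_str(tmac),
        "target_ip": str(ipaddress.IPv4Address(tip)),
        "trailer_len": len(payload) - ARP_PACKET_LEN,
    }


def decode(frame: bytes) -> dict:
    """Decode the Ethernet layer and, for EtherType 0x0806, the ARP layer."""
    eth = parse_ethernet(frame)
    result = {"ethernet": eth}
    if eth["ethertype"] == ETHERTYPE_ARP:
        result["arp"] = parse_arp(eth["payload"])
    return result


def filter_frames(frames, ethertype: int = ETHERTYPE_ARP) -> list:
    """Keep only frames of one EtherType, like typing 'arp' into the display filter."""
    return [f for f in frames if parse_ethernet(f)["ethertype"] == ethertype]


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request frame, padded like a frame seen on the wire."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    arp = struct.pack(
        "!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
        smac, ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed,  # target MAC still unknown
    )
    frame = b"\xff" * 6 + smac + struct.pack("!H", ETHERTYPE_ARP) + arp
    # The NIC pads short frames to the 64-byte minimum; Wireshark shows the
    # padding as "Trailer" and reports 60 bytes because the FCS is stripped.
    return frame + b"\x00" * max(0, MIN_FRAME_NO_FCS - len(frame))


# Constructed sample using the sender shown in the article's capture;
# the target IP is an assumption.
SAMPLE_ARP_FRAME = build_arp_request("00:50:7f:31:54:ab", "192.168.128.1", "192.168.128.100")
# Constructed non-ARP frame (EtherType 0x0800, empty body) to show the filter dropping it.
SAMPLE_IPV4_FRAME = bytes.fromhex("00507f000001" "00507f3154ab" "0800") + b"\x00" * 46

if __name__ == "__main__":
    for frame in filter_frames([SAMPLE_ARP_FRAME, SAMPLE_IPV4_FRAME]):
        for layer, fields in decode(frame).items():
            print(f"[{layer}]")
            for key, value in fields.items():
                if key != "payload":
                    print(f"  {key}: {value}")
```

The decoder reports trailer_len as 18 for the sample: 60 captured bytes minus the 14-byte Ethernet header and the 28-byte ARP packet, matching the Trailer row Wireshark shows for a minimum-size ARP frame.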

Similarly, we can see that FTP and HTTP are also encapsulated in Ethernet data frames (see the figure below). Take a closer look and you can see the user name and password (jkxjxxz swfcxs) used to log on to the FTP server, in plain text inside the data frame. It turns out that this is also a way passwords get stolen! (Now you know why your QQ password is lost?!) Figure: FTP encapsulated in an Ethernet data frame
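
The plaintext FTP login the article points out is exactly what a defender wants to detect on their own network: an FTP USER/PASS exchange in a capture means an account's password has crossed the wire unencrypted. The following Python script, an added example that is not from the original article, scans the client-to-server side of an FTP control stream (the text Wireshark's Follow TCP Stream view shows) for such logins and produces a password-free report suitable for an alert or an incident note. The sample stream and its credentials are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample: the client-to-server side of an FTP control
# connection, as it would appear in Wireshark's "Follow TCP Stream" view.
# The credentials are placeholders, not the ones from the article.
SAMPLE_CLIENT_STREAM = (
    b"USER student01\r\n"
    b"PASS example-pass\r\n"
    b"PWD\r\n"
    b"user second\r\n"          # FTP commands are case-insensitive
    b"pass another-one\r\n"
    b"QUIT\r\n"
)


@dataclass
class CleartextLogin:
    line_no: int
    username: str
    password_length: int   # length only; the secret itself is never stored


def find_cleartext_ftp_logins(client_stream: bytes) -> list:
    """Scan the client side of an FTP control stream for USER/PASS pairs.

    Only the username and the length of the password are recorded: that is
    enough to raise an alert and notify the account owner without copying
    the secret into a log or ticket. A PASS with no preceding USER is still
    reported, since the password was exposed either way.
    """
    findings = []
    pending_user = None
    for n, raw in enumerate(client_stream.split(b"\r\n"), start=1):
        if not raw:
            continue
        cmd, _, arg = raw.decode("ascii", errors="replace").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS":
            findings.append(CleartextLogin(n, pending_user or "<no USER seen>", len(arg)))
            pending_user = None
    return findings


def report(findings) -> list:
    """Human-readable, password-free lines for an alert or incident note."""
    return [
        f"line {f.line_no}: cleartext FTP login as '{f.username}' "
        f"({f.password_length}-character password exposed on the wire)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_cleartext_ftp_logins(SAMPLE_CLIENT_STREAM)):
        print(line)
```

Commands sent after a successful AUTH TLS are encrypted and never show up as USER/PASS lines, so a stream with no findings can mean either no login or a protected one. The lasting fix is to retire plain FTP in favour of SFTP or FTPS, and to treat any account that appears in this report as having a compromised password.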
