Install wireshark package capture tool in Wiresharklinux using Fedora14

Wireshark is a free network protocol detection program that supports Unix and Windows. It is a well-known free packet capture and protocol analysis tool. The Installation Method in Fedora14 is simple: Step 1: configure the yum source of the system; Step 2: yuminstallwireshark Step 3: yuminstallwireshark-gnome

Wireshark is a free network protocol detection program that supports Unix and Windows. It is a well-known freePacket CaptureAnd protocol analysis tools. In FEdThe Installation Method in ora 14 is simple:

Step 1: configure the yum source of the system;

Step 2: yum install wireshark

Step 3: yum install wireshark-gnome (install its graphical interface, which is slightly different from the interface in windows)


Wireshark instructions:

ProtoCol(Agreement ):
Possible values: ether, fDdI, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tCpAnd udp.
If no protocol is specified, all supported protocols are used by default.
Direction ):
Possible values: src, dst, src and dst, src or dst
If the source or destination is not specified, "src or dst" is used as the keyword by default.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2.
Host (s ):
Possible values: net, port, host, and porTrAnge.
If this value is not specified, the "host" keyword is used by default.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1.
Logical Operations (Logical operation ):
Possible values: not, and, or.
No ("not") has the highest priority. Or ("or") and ("and") have the same priority. The operation is performed from left to right.
For example,
"Not tcp port 3128 and tcp port 23" are the same as "(not tcp port 3128) and tcp port 23.
"Not tcp port 3128 and tcp port 23" are different from "not (tcp port 3128 and tcp port 23.

Example:
Capture:
Tcp dst port 21 indicates the packets whose destination TCP port is 21.

The ip src host 192.168.30.242 shows the packets whose source ip address is 192.168.30.242.
Host 192.168.30.242 displays the packets whose destination or source IP address is 192.168.30.242.
Src portrange 2000-2500 displays packets whose source is UDP or TCP and whose port number is within the range of 2000 to 2500.
Not IMcP display except ICmpAll packets. (Icmp is usuallyPingTool usage)
Src host 10.7.2.12 and not dst net 192.168.30.0/24 show that the source IP address is 10.7.2.12, but the destination is not a packet of 192.168.30.0/24.
(Src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
The source IP address is 10.4.1.12 or the source network is 10.6.0.0/16, the destination TCP port number is between 200 and 10000, And the destination is all packets in the network 10.0.0.0/8.

Note:
When using keywords as values, you need to use the Backslash "".
"Ether proto ip" (same as the keyword "ip ).
In this way, the IP protocol will be used as the target.
"Ip proto icmp" (same as the keyword "icmp ).
In this way, icmp, which is commonly used in the ping tool, is used as the target.
You can use the keyword "multicast" and "broadcast" after "ip" or "ether.
"No broadcast" is useful when you want to exclude broadcast requests.

Analysis:
FtpHttpipudp cpipxdns can display a protocol separately.

Ip. addr = 192.168.30.242: the destination or source ip address is 192.168.30.242.
Tcp. port eq 25 or icmp displays packets whose tcp port is 25 or imcp
Tcp. dstport = 25 indicates the packet whose destination TCP port number is 25.
Tcp. port = 80 | udp. port = 80 indicates that the tcp port is 25 or that the udp port is 80.
Eth. addr = 00-1C-23-27-72-1E the mac address of the package is 00-1C-23-27-72-1E.
Tcp. flags displays packets containing the TCP flag.
Tcp. flags. syn = 0 &TimeS; 02 displays packets containing the tcp syn flag.
Http. request. uri matches "gl = se $" matches the packets whose last character is gl = se in the url.