One-stop learning Wireshark (i): Wireshark basic usage

In accordance with international practice, from the most basic of speaking.

Crawl Messages :

After downloading and installing the Wireshark, start Wireshark and select the interface name in the interface list and start grabbing the packet on this interface. For example, if you want to crawl traffic on a wireless network, click the wireless interface. Click Capture options to configure advanced properties, but this is not necessary now.

After clicking on the interface name, you can see the messages received in real time. Wireshark will capture every message sent and received by the system. If the interface being crawled is wireless and the option is mixed mode, you will see other messages on the network as well.

Each row of the upper panel corresponds to a network message, which shows the message receiving time (relative to the start of the crawl), the source and destination IP address, the protocol and the message information by default. Click on a line to see more information in the following two windows. The "+" icon displays detailed information about each layer in the message. The bottom window also lists the contents of the message in 16 binary and ASCII mode.

To stop grabbing the message, click the Stop button in the upper-left corner.

Color Identification :

The message has been shown here in green, blue, and black. Wireshark a variety of flow messages at a glance with color. For example, the default green is TCP messages, dark blue is DNS, Blue is UDP, black identifies problematic TCP messages-such as disorderly sequence messages.

Sample Message :

For example, if you install Wireshark at home, but there is no interest in the home LAN environment to observe, then you can go to wireshark wiki Download message sample file.

Opening a crawl file is fairly straightforward, click Open on the main screen and browse for the file. You can also save your own capture package file in Wireshark and open it later.

Filter Messages :

If you are trying to analyze a problem, such as a message sent by a program during a call, you can turn off all other applications that use the network to reduce traffic. However, there may be a large number of messages to be screened, when a wireshark filter is used.

The most basic way is to filter the bar at the top of the window and click Apply (or press ENTER). For example, enter "DNS" to see only DNS messages. When entered, the Wireshark will help to automatically complete the filtering conditions.

You can also click the Analyze menu and select display filters to create a new filter condition.

Another interesting thing is that you can right-click the message and choose Follow TCP Stream.

You will see all of the sessions between the server and the target side.

After closing the window, you will notice that the filter is automatically referenced by the--wireshark to display the messages that make up the session.

Check Messages :

Once a message is selected, you can dig deeper into its contents.

You can also create filters here-just right-click Details and use the Apply as Filter submenu to create filters based on this detail.

Wireshark is a very powerful tool, and the first section only describes its most basic usage. Network experts use it to debug network protocol implementation Details, check security issues, network protocol internals, and so on.

One-stop learning Wireshark (i): Wireshark basic usage