Learning Wireshark in one stop (ii): Using Wireshark to observe basic network protocols

Source: Internet
Author: User

TCP:

TCP establishes a connection through a three-way handshake. The three messages in this process are SYN, SYN/ACK and ACK.

The first step is to find the first SYN message that the PC sends to the web server; it marks the start of the TCP three-way handshake.

If you cannot find the first SYN message, choose the Edit > Find Packet menu option. Select Display filter and enter the filter condition tcp.flags; you will see a list of flags to choose from. Select the appropriate flag, tcp.flags.syn, and append ==1. Click Find and the first SYN message in the trace will be highlighted.

Note: Find Packet can also search for hexadecimal values, such as malware signatures, or for strings, such as the protocol commands in a capture file.

A quick way to filter a TCP stream is to right-click a message in the Packet List pane and select Follow TCP Stream. This automatically creates a display filter that shows only the messages of that TCP session.

This pops up a session window that by default shows the TCP session as ASCII; client messages are shown in red and server messages in blue.

A window like the one shown here is useful for reading protocol payloads such as HTTP, SMTP and FTP.

Switch to Hex Dump mode to view the payload in hexadecimal, as shown in the figure.

When the pop-up window is closed, Wireshark displays only the selected TCP stream. It is now easy to pick out the three handshake messages.

Note: Wireshark automatically creates a display filter for this TCP session. In this example: (ip.addr eq 192.168.1.2 and ip.addr eq 209.85.227.19) and (tcp.port eq and tcp.port eq 52336)

SYN Message:

The 5th message in the figure is the SYN message sent from the client to the server; it synchronizes the two sides so that client/server communication is transmitted in sequence. The SYN message carries a sequence number in its header. The bottom pane shows useful details such as the message type and the sequence number.

SYN/ACK Message:

Message 7 is the server's response. Once the server receives the client's SYN, it notes the sequence number of that message and uses it in its reply: it tells the client that it received the SYN by placing the original SYN's sequence number plus one in the acknowledgement number. The client then knows that the server can receive its communication.

ACK Message:

Message 8 is the confirmation the client sends to the server, telling it that the client received the SYN/ACK. As in the previous step, the client acknowledges with the server's sequence number plus one. Once this packet is sent, the client and server enter the ESTABLISHED state and the three-way handshake is complete.

ARP & ICMP:

Start a Wireshark capture. Open a Windows console window and use the ping command-line tool to check the connection to a neighboring machine.

After you stop the capture, Wireshark looks as shown in the figure.

ARP and ICMP messages are relatively hard to pick out, so create a display filter that shows only ARP or only ICMP.

ARP Message:

The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. The host broadcasts an ARP request to all hosts on the network and receives a reply that identifies the physical address of the destination IP address; it stores the IP address and hardware address pair in its local ARP cache, and answers the next request for that address directly from the cache.

The ARP request first issued by the PC asks for the MAC address of IP address 192.168.1.1 and receives an ARP reply from the neighboring system. After the ARP exchange you will see the ICMP messages.

ICMP Message:

The Internet Control Message Protocol (ICMP) is used to send control messages in a TCP/IP network. It provides feedback on problems that may occur in the communication environment, through which administrators can diagnose what went wrong and take appropriate measures to resolve it.

The PC sends an echo request and receives an echo reply, as shown in the figure. The ping message is marked type 8 and the reply message type 0.

If you ping the same system several times and then delete the ARP cache on the PC with the following arp command, a new ARP request is generated.

C:\> ping 192.168.1.1

... ping output ...

C:\> arp -d *
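The ARP and ICMP messages described above, as an added Python example that is not part of the original article: it decodes the ARP request/reply and the ICMP echo request/reply of the ping, verifies the ICMP checksum, and pairs the reply with its request the way Wireshark does. The packets are constructed here; the MAC addresses are placeholders and the 32-byte payload is the one Windows ping sends.

```python
import struct

def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet/IPv4 ARP packet (no Ethernet header); op 1 = request, 2 = reply."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), bytes(map(int, spa.split("."))),
                       bytes.fromhex(tha.replace(":", "")), bytes(map(int, tpa.split("."))))

def parse_arp(pkt):
    """Decode an ARP packet into the fields Wireshark's detail pane shows."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}

def icmp_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 when run over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(icmp_type, ident, seq, payload):
    """Constructed ICMP echo message (type 8 = request, 0 = reply) with its checksum filled in."""
    unchecked = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return unchecked[:2] + struct.pack("!H", icmp_checksum(unchecked)) + unchecked[4:]

def parse_icmp(pkt):
    """Decode the fields the tutorial points at: type 8 for the ping, type 0 for the reply."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": pkt[8:],
            "kind": {8: "echo request", 0: "echo reply"}.get(icmp_type, "other"),
            "checksum_ok": icmp_checksum(pkt) == 0}

def reply_matches(request, reply):
    """Pair a ping with its reply as Wireshark does: type 0, valid checksum, same id/seq/payload."""
    rq, rp = parse_icmp(request), parse_icmp(reply)
    return (rq["type"], rp["type"]) == (8, 0) and rp["checksum_ok"] and \
        (rq["id"], rq["seq"], rq["payload"]) == (rp["id"], rp["seq"], rp["payload"])

# Constructed sample exchange for "ping 192.168.1.1" sent from 192.168.1.2 (placeholder MACs).
PC_MAC, GW_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
ARP_REQUEST = build_arp(1, PC_MAC, "192.168.1.2", "00:00:00:00:00:00", "192.168.1.1")
ARP_REPLY = build_arp(2, GW_MAC, "192.168.1.1", PC_MAC, "192.168.1.2")
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte payload Windows ping sends
ECHO_REQUEST = build_icmp_echo(8, ident=1, seq=1, payload=PING_PAYLOAD)
ECHO_REPLY = build_icmp_echo(0, ident=1, seq=1, payload=PING_PAYLOAD)
```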

HTTP:

HTTP is the most widely used application protocol today, since many applications are web-based, easy to implement and simple to deploy, needing no client other than a browser. The process begins with the client requesting that the server transfer a web file.

The visible messages include a GET command. Once HTTP sends the initial GET, TCP carries the data transfer: over the following exchange HTTP requests data from the server and TCP passes it back to the client. Before the data is transferred, the server tells the client that the request is valid by sending an HTTP OK message. If the server is not permitted to send the target to the client, it returns 403 Forbidden. If the server cannot find the target the client requested, it returns 404.

When there is no more data, the connection can be terminated. Just as the three-way handshake uses SYN and ACK messages, the teardown uses FIN and ACK messages. When the server finishes transmitting data, it sends a FIN/ACK to the client, indicating that it is closing the connection. The client returns an ACK message whose acknowledgement number is the sequence number of the FIN/ACK plus 1. This terminates the server's side of the communication. To finish closing, the client must initiate the same process toward the server: the FIN/ACK exchange must be initiated and confirmed on both the client and server sides.
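The handshake described in the SYN, SYN/ACK and ACK sections and the FIN/ACK teardown described here, as an added Python example that is not part of the original article: it builds a constructed trace for the tutorial's session (192.168.1.2:52336 to 209.85.227.19:80, with made-up initial sequence numbers), decodes each segment's flags and sequence numbers, and checks the arithmetic the text describes, namely that every SYN and FIN is acknowledged by the peer with its sequence number plus one.

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | sum(FLAG_BITS[f] for f in flags), 65535, 0, 0)
    return ip + tcp

def parse_packet(pkt):
    """Decode the fields Wireshark's detail pane shows for a TCP segment (IPv4, no Ethernet)."""
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length in bytes
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}

def label(p):
    """Name the segment the way the tutorial does: SYN, SYN/ACK, FIN/ACK or ACK."""
    if "SYN" in p["flags"]:
        return "SYN/ACK" if "ACK" in p["flags"] else "SYN"
    if "FIN" in p["flags"]:
        return "FIN/ACK"
    return "ACK" if "ACK" in p["flags"] else "DATA"

def check_exchange(pkts):
    """Label each segment and check that every SYN or FIN is answered by the peer with ack == seq + 1."""
    parsed = [parse_packet(p) for p in pkts]
    ok = True
    for i, p in enumerate(parsed):
        if p["flags"] & {"SYN", "FIN"}:                  # the segments that consume a sequence number
            reply = next((q for q in parsed[i + 1:]
                          if q["src"] == p["dst"] and "ACK" in q["flags"]), None)
            ok = ok and reply is not None and reply["ack"] == p["seq"] + 1
    return [label(p) for p in parsed], ok

def sample_trace():
    """Constructed trace modelled on the tutorial's session 192.168.1.2:52336 <-> 209.85.227.19:80."""
    c, s, cp, sp = "192.168.1.2", "209.85.227.19", 52336, 80
    return [build_packet(c, s, cp, sp, 1000, 0, ["SYN"]),            # three-way handshake
            build_packet(s, c, sp, cp, 5000, 1001, ["SYN", "ACK"]),
            build_packet(c, s, cp, sp, 1001, 5001, ["ACK"]),
            build_packet(s, c, sp, cp, 5501, 1101, ["FIN", "ACK"]),  # server closes after the data
            build_packet(c, s, cp, sp, 1101, 5502, ["ACK"]),
            build_packet(c, s, cp, sp, 1101, 5502, ["FIN", "ACK"]),  # then the client closes
            build_packet(s, c, sp, cp, 5502, 1102, ["ACK"])]
```

The sequence numbers in the trace assume a 100-byte request and a 500-byte reply were exchanged between the handshake and the teardown.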
