Reprint: Installation and use of Linux under Wireshark

Source: Internet
Author: User

Wireshark is the most popular network analysis tool in the world. This powerful tool captures data from the network and shows the user a wealth of information about the network and the upper-layer protocols. Like many other network tools, Wireshark uses the libpcap network library for packet capture.

Advantages of Wireshark:

-Easy to install.

-Easy to use interface.

-Offers a wide range of features.

Wireshark was originally named Ethereal; the new name dates from 2006. At that time Ethereal's main developer decided to leave the company he worked for and continue developing the software elsewhere, but because the Ethereal name had been registered by his former employer, the software had to be renamed, and Wireshark was born.

System requirements:

The libpcap library is essential for both ethereal and wireshark: they rely on it for packet capture.
If libpcap or any other required component is not installed on your system, it is pulled in automatically when you install ethereal or wireshark with apt-get.

Use the following commands to get a detailed list of the dependencies of ethereal or wireshark:

# apt-cache depends wireshark
# apt-cache depends ethereal

This is the result on our system:

# apt-cache depends ethereal
ethereal
  Depends: libadns1
  Depends: libatk1.0-0
  Depends: libc6
  Depends: libcairo2
  Depends: libcap1
  Depends: libfontconfig1
  Depends: libglib2.0-0
  Depends: libgnutls12
  Depends: libgtk2.0-0
  Depends: libpango1.0-0
  Depends: libpcap0.8
  Depends: libpcre3
  Depends: libx11-6
  Depends: libxcursor1
  Depends: libxext6
  Depends: libxfixes3
  Depends: libxi6
  Depends: libxinerama1
  Depends: libxrandr2
  Depends: libxrender1
  Depends: zlib1g
  Depends: ethereal-common
  Recommends: gksu

Installation:

Installing from packages:
Note that no Wireshark package is provided for Ubuntu releases older than Edgy (6.10), and no stable Wireshark package was available for Debian at the time of writing.
In those cases, install the ethereal package, or download the Wireshark source code and compile it yourself.

Ubuntu

Releases older than Ubuntu Edgy (6.10):

# apt-get install ethereal

Ubuntu Edgy (6.10) and later:

# apt-get install wireshark

Debian

As of March 2007, no stable Wireshark package was available for Debian, so either install ethereal:

# apt-get install ethereal

or download an unstable Wireshark package from the Debian Packages website.
To run Wireshark or ethereal on Debian or Ubuntu:

# ethereal

# wireshark

Manual installation:
Install the compiler toolchain:

# apt-get install build-essential
To compile Wireshark you also need the GTK+ and GLib development files (headers and libraries):
# apt-get install libgtk2.0-dev libglib2.0-dev
Install checkinstall so that the package manager keeps track of software installed from source:
# apt-get install checkinstall
Download and unpack the Wireshark source code:
# tar -xvf wireshark-0.99.5.tar.gz
Check Wireshark's dependencies:
# cd wireshark-0.99.5
# ./configure
If the following error appears, you still need to install the GTK+ and GLib development packages (see the previous step):
checking for GTK+ - version >= 2.0.0... no
Could not run GTK+ test program, checking why...
The test program failed to compile or link. See the file config.log for the
exact error that occured. This usually means GTK+ is incorrectly installed.
checking for pkg-config... (cached) /usr/bin/pkg-config
checking for GLIB - version >= 2.0.0... no
Could not run GLIB test program, checking why...
The test program failed to compile or link. See the file config.log for the
exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: GLIB2 distribution not found.

Compile and install:
# make
# checkinstall
Run Wireshark:
# wireshark
Install tshark:
tshark, the command-line counterpart of Wireshark, is installed with:
# apt-get install tshark
Run:

This part of the tutorial shows how to run Wireshark with its default settings.
More help is available in the Wireshark User's Guide.
Run Wireshark or ethereal (the difference between the two names is explained above):

# wireshark

# ethereal

Both commands are shown here as root so that the program can open the capture interface. Bear in mind that this runs every protocol dissector, a large and historically bug-prone parsing surface, with full privileges against whatever the network sends. Where you can, capture with the least privilege the system allows: for example, write the capture to a file with tshark (-w) and open that file as an unprivileged user.


Select the interface to capture from:

Capture > Options

Select the interface you want to capture on and click Start.

Wireshark then displays the captured traffic.


To use Wireshark efficiently you also need to know its features and learn how to manage and use filters to find the results you want.
Interface description:

Once Wireshark is running, we can go on to look more closely at this powerful tool.
The screenshots below were taken while a computer with the address 192.168.1.2 was browsing the "openmaniak.com" website.


1. MENUS

The 8 menus at the top of the window are used to configure Wireshark:
- "File": open or save captured data.
- "Edit": find or mark packets; global preferences.
- "View": configure how Wireshark displays data.
- "Go": jump to a specific packet in the capture.
- "Capture": set capture filters and start capturing.
- "Analyze": set analysis options.
- "Statistics": view statistics about the capture.
- "Help": local or online help.

2. Shortcuts (shortcut)
Below the menu, there are some common shortcut buttons.
You can move the mouse pointer over an icon to get a description of its function.


3. DISPLAY FILTER

The display filter is used to find packets in the capture record.
Do not confuse capture filters with display filters; see the Filter section below for details.
4. PACKET LIST PANE
All captured packets are listed in the packet list pane. Here you can see the MAC/IP addresses of sender and receiver, the TCP/UDP port numbers, the protocol, and a summary of the packet's contents.
For an OSI layer 2 packet, the source and destination columns show MAC addresses and the port columns are, of course, empty.
For an OSI layer 3 or higher packet, the source and destination columns show IP addresses. The port columns are filled in only for packets of layer 4 or higher.
You can add or remove columns, or change the colour of each column, under:
Edit > Preferences


5. PACKET DETAILS PANE

The details of the packet selected in the packet list are shown here.
The information is grouped by OSI layer, and each item can be expanded. Below is an expanded HTTP message.


6. PACKET BYTES PANE (hexadecimal data)

This pane shows the same content as the packet details pane, but as raw bytes in hexadecimal.
In the example above, selecting the TCP destination port (80) in the packet details pane highlights the corresponding bytes in this pane (0x0050, which is 80 in decimal).
7. STATUS BAR (miscellaneous)
At the bottom of the window you can find:
- the network interface being captured on;
- whether the capture is running or has stopped;
- the file the capture is saved to;
- the amount of data captured;
- the number of packets captured (P);
- the number of packets displayed (D), i.e. those still shown after the display filter is applied;
- the number of packets marked (M).
Filter:

As you saw in the first part of this tutorial, installing and running Wireshark and starting to analyze the network is easy.
The most common problem is that, with the default settings, you capture so much that it is hard to find the parts you need.
That is why filters are so important: they help you quickly find the information you need in a large, complex capture.

- Capture filters: decide which packets are recorded in the capture. They must be set before the capture starts.
- Display filters: search within the captured packets. They can be changed at any time once a capture is available.
So which kind of filter should you use?
The two kinds serve different purposes.
The capture filter is the first layer the traffic passes through; it limits the amount of data captured so that the capture file does not become too large.
The display filter is the more powerful (and more complex) of the two. It lets you locate the packets you need in the capture file quickly and precisely.
The two filters use completely different syntaxes, covered in the next sections:


1. Capture filter
Capture filters use the same syntax as other software built on the libpcap (Linux) or WinPcap (Windows) libraries, for example the well-known tcpdump. Unlike a display filter, a capture filter must be set before the capture starts.
To set a capture filter:
- Choose Capture > Options.
- Fill in the "Capture Filter" field, or click the "Capture Filter" button to give your filter a name and save it so that you can reuse it in future captures.
- Click Start to begin capturing.


Syntax:  protocol  direction  host(s)  value  logical-operation  other-expression
Example: ip dst host 10.1.1.1 and tcp dst port 3128

Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are matched.
Direction:

Possible values: src, dst, src and dst, src or dst
If no direction is specified, "src or dst" is assumed.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Host(s):

Possible values: net, port, host, portrange.
If none is specified, "host" is assumed.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical operations:

Possible values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and are applied from left to right.
For example:
"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is different from "not (tcp port 3128 and tcp port 23)".

Examples:

tcp dst port 3128

Captures packets whose destination TCP port is 3128.

ip src host 10.1.1.1

Captures packets whose source IP address is 10.1.1.1.

host 10.1.2.3

Captures packets whose source or destination IP address is 10.1.2.3.

src portrange 2000-2500

Captures TCP or UDP packets whose source port is in the range 2000 to 2500.

not icmp

Captures everything except ICMP packets. (ICMP is what the ping tool normally uses.)

src host 10.7.2.12 and not dst net 10.200.0.0/16

Captures packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

Captures packets whose source IP is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies inside the 10.0.0.0/8 network.

Notes:
Use a backslash when a keyword is used as a value:
"ether proto \ip" (same as the keyword "ip").
This matches IP traffic.
"ip proto \icmp" (same as the keyword "icmp").
This matches ICMP, the protocol normally used by the ping tool.
The "multicast" and "broadcast" keywords can be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast traffic.

See the tcpdump man page for a full description of the capture filter syntax.
More capture filter examples can be found on the Wireshark wiki.
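The precedence rules above (not binds tightest; and/or share one level, left to right) are easy to misread, and the fastest way to internalise them is to evaluate a few filters against known packets. The following is an added example written for this page; it is not libpcap or Wireshark code. It implements a small evaluator for the subset of the capture-filter grammar described above (protocol, direction, host/net/port/portrange, not/and/or, parentheses) with libpcap's precedence, and runs the tutorial's own example filters against a handful of constructed packets. The packet model (dicts with proto, src, dst, sport, dport keys) and the sample traffic are assumptions made for the demo; the "src and dst" and "src or dst" spelled-out directions are not implemented.

```python
"""Minimal evaluator for pcap-style capture filters (added illustration, not
libpcap or Wireshark code).  It handles the subset of the grammar described
above: optional protocol (ip, tcp, udp, icmp, arp), optional direction (src,
dst; the default is "src or dst"), a type (host, net, port, portrange; host
is the default) and a value, combined with not / and / or and parentheses,
using libpcap's precedence: `not` binds tightest, `and` and `or` share one
level and associate left to right.  The packets are dicts constructed below.
"""
import ipaddress
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
PROTOS = {"ip", "tcp", "udp", "icmp", "arp"}  # subset of libpcap's keywords

def _proto_ok(pkt, proto):
    if proto == "ip":  # in this toy model "ip" means any IPv4 payload
        return pkt["proto"] in ("tcp", "udp", "icmp")
    return proto is None or pkt["proto"] == proto

def _end_matches(pkt, side, kind, value):
    # Test one end (src or dst) of the packet against host/net/port/portrange.
    if kind in ("host", "net"):
        cidr = value if kind == "net" else value + "/32"
        return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(cidr, strict=False)
    port = pkt.get("sport" if side == "src" else "dport")
    if port is None:  # ICMP/ARP carry no ports, so no port primitive matches
        return False
    if kind == "port":
        return port == int(value)
    lo, hi = (int(p) for p in value.split("-"))
    return lo <= port <= hi

class CaptureFilter:
    def __init__(self, text):
        self.toks = TOKEN.findall(text.lower())
        self.pos = 0
        self.ast = self._binary()
        if self.pos != len(self.toks):
            raise ValueError("unexpected tokens: %s" % self.toks[self.pos:])
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok
    def _binary(self):
        # `and` and `or` have EQUAL precedence and associate left to right, so
        # "a or b and c" is "(a or b) and c", unlike C or Python.
        node = self._unary()
        while self._peek() in ("and", "or"):
            node = (self._take(), node, self._unary())
        return node
    def _unary(self):
        if self._peek() == "not":  # `not` binds tightest
            self._take()
            return ("not", self._unary())
        if self._peek() == "(":
            self._take()
            node = self._binary()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        return self._primitive()
    def _primitive(self):
        proto = self._take() if self._peek() in PROTOS else None
        if proto and self._peek() not in DIRS | TYPES:
            return ("proto", proto)  # bare protocol, e.g. "not icmp"
        sides = (self._take(),) if self._peek() in DIRS else ("src", "dst")
        kind = self._take() if self._peek() in TYPES else "host"  # "src X" is "src host X"
        value = self._take()
        if value is None:
            raise ValueError("filter ends without a value")
        return ("match", proto, sides, kind, value)
    def matches(self, pkt):
        return self._eval(self.ast, pkt)
    def _eval(self, node, pkt):
        op = node[0]
        if op in ("and", "or"):
            left, right = self._eval(node[1], pkt), self._eval(node[2], pkt)
            return (left and right) if op == "and" else (left or right)
        if op == "not":
            return not self._eval(node[1], pkt)
        if op == "proto":
            return _proto_ok(pkt, node[1])
        _, proto, sides, kind, value = node
        # "host X" / "port N" with no direction matches if EITHER end does
        return _proto_ok(pkt, proto) and any(_end_matches(pkt, s, kind, value) for s in sides)

PACKETS = [  # constructed sample traffic, not from a real capture
    {"proto": "tcp", "src": "10.7.2.12", "dst": "10.200.1.1", "sport": 40000, "dport": 3128},
    {"proto": "tcp", "src": "10.7.2.12", "dst": "10.1.1.1", "sport": 40001, "dport": 23},
    {"proto": "tcp", "src": "10.4.1.12", "dst": "10.0.0.5", "sport": 2222, "dport": 443},
    {"proto": "icmp", "src": "10.6.3.3", "dst": "10.0.0.5"},
]

def count_matches(expr, packets=PACKETS):
    """Number of sample packets the capture filter `expr` would let through."""
    flt = CaptureFilter(expr)
    return sum(1 for p in packets if flt.matches(p))
```

Against these four packets, "not tcp port 3128 and tcp port 23" lets through one packet (the telnet one) while "not (tcp port 3128 and tcp port 23)" lets through all four, and "tcp port 23 or tcp port 443 and dst host 10.0.0.5" matches one packet, not the two that C-style precedence would give. Real libpcap compiles the expression to BPF bytecode in the kernel rather than walking a tree like this, but the precedence it applies is the same.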

2. Display filter:
Even after a capture filter, the captured data is usually still large. The display filter lets you search it in more detail.
It is more powerful than the capture filter, and you do not need to capture again when you change the filter condition.

Syntax:  protocol . string1 . string2  comparison-operator  value  logical-operation  other-expression
Example: ftp.passive.ip == 10.2.3.4 xor icmp.type

Protocol:
A large number of protocols from layers 2 to 7 of the OSI model can be used. You can see them by clicking the "Expression..." button.
For example: ip, tcp, dns, ssh

The list of supported protocols is also available from Wireshark's Help menu.

Wireshark's web site documents the protocols and their fields.
String1, String2 (optional):
Fields of the protocol.
Click the "+" sign next to the protocol and select one of its fields.

Comparison operators:
Six comparison operators are available:

English   C-style   Meaning
eq        ==        equal to
ne        !=        not equal to
gt        >         greater than
lt        <         less than
ge        >=        greater than or equal to
le        <=        less than or equal to

Logical operators:

English   C-style   Meaning
and       &&        logical AND
or        ||        logical OR
xor       ^^        logical XOR
not       !         logical NOT

Logical XOR (exclusive or) is well known to programmers. Between two filter conditions it matches a packet if and only if exactly one of the two conditions is true.
For example:
"tcp.dstport == 80 xor tcp.dstport == 1025"
shows a packet only if its destination TCP port is 80 or its destination TCP port is 1025, but not both at once. (A single port field can never satisfy both, so this particular xor behaves like or; the operator only makes a difference when the two conditions can hold at the same time.)


Examples:
snmp || dns || icmp
Shows SNMP, DNS or ICMP packets.
ip.addr == 10.1.1.1
Shows packets whose source or destination IP address is 10.1.1.1.
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
Shows packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6.
In other words, the packets shown are:
source IP: anything other than 10.1.2.3; destination IP: anything
or
source IP: anything; destination IP: anything other than 10.4.5.6
ip.src != 10.1.2.3 and ip.dst != 10.4.5.6
Shows packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.
In other words, the packets shown are:
source IP: anything other than 10.1.2.3, and at the same time, destination IP: anything other than 10.4.5.6
tcp.port == 25
Shows packets whose source or destination TCP port is 25.
tcp.dstport == 25
Shows packets whose destination TCP port is 25.
tcp.flags
Shows packets that contain a TCP flags field (i.e. all TCP packets).
tcp.flags.syn == 1
Shows packets with the TCP SYN flag set. (tcp.flags.syn is a one-bit field, so compare it with 1; "tcp.flags == 0x02" would instead match only packets whose flags byte is exactly SYN and nothing else.)
If the filter syntax is correct, the background of the expression field turns green; if it is red, the expression is invalid.
More information about display filters is available on the Wireshark web site and on the Wireshark wiki.
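The examples above turn on one rule that is easy to overlook: fields such as ip.addr and tcp.port occur twice in a packet (once per end), and a comparison is true if any occurrence satisfies it. That is why "ip.addr == 10.1.1.1" means "either end is 10.1.1.1", why the two != examples differ as described, and why "ip.addr != 10.1.1.1" is almost never what you want. The block below is an added example written for this page (not Wireshark code) that models a dissected packet as a table of field values and applies that rule to the tutorial's own filters, plus the corrected SYN comparison. The packet table, the small set of fields, and the sample traffic are assumptions made for the demo; it models the classic meaning of != (true if any occurrence differs), which newer Wireshark releases changed, so check the release notes for your version.

```python
"""Display-filter semantics on dissected fields (added illustration, not
Wireshark code).  A dissected packet is modelled as a dict mapping a field
name to the list of values that field takes in the packet.  ip.addr and
tcp.port occur twice (source and destination), and a comparison is true when
ANY occurrence satisfies it.  That is the classic meaning of == and != on
multi-valued fields; newer Wireshark releases changed the meaning of !=.
"""
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def dissect(src, dst, proto, sport=None, dport=None, flags=0):
    """Build the field table of one constructed packet (sample data only)."""
    fields = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst], proto: [True]}
    if proto in ("tcp", "udp"):
        fields[proto + ".srcport"] = [sport]
        fields[proto + ".dstport"] = [dport]
        fields[proto + ".port"] = [sport, dport]  # both ends, like ip.addr
    if proto == "tcp":
        fields["tcp.flags"] = [flags]
        fields["tcp.flags.syn"] = [1 if flags & 0x02 else 0]  # a one-bit field
    if proto == "udp" and 53 in (sport, dport):
        fields["dns"] = [True]  # lets the protocol-presence test "dns" succeed
    return fields

def compare(pkt, field, op, value):
    """`field op value` is true if ANY occurrence of the field satisfies it."""
    return any(OPS[op](v, value) for v in pkt.get(field, []))

def present(pkt, field):
    """A bare field or protocol name (e.g. "tcp.flags", "icmp") tests presence."""
    return field in pkt

def xor(a, b):
    return bool(a) != bool(b)

PACKETS = [  # constructed sample traffic, not from a real capture
    dissect("10.1.2.3", "10.4.5.6", "tcp", 1025, 25, flags=0x02),  # SYN to SMTP
    dissect("10.1.1.1", "10.4.5.6", "tcp", 2000, 80, flags=0x18),  # PSH/ACK to HTTP
    dissect("10.1.2.3", "10.9.9.9", "udp", 5353, 53),              # DNS query
    dissect("10.8.8.8", "10.1.1.1", "icmp"),                       # ping
]

FILTERS = {
    "dns || icmp": lambda p: present(p, "dns") or present(p, "icmp"),
    "ip.addr == 10.1.1.1": lambda p: compare(p, "ip.addr", "==", "10.1.1.1"),
    "ip.src != 10.1.2.3 or ip.dst != 10.4.5.6": lambda p: (
        compare(p, "ip.src", "!=", "10.1.2.3") or compare(p, "ip.dst", "!=", "10.4.5.6")),
    "ip.src != 10.1.2.3 and ip.dst != 10.4.5.6": lambda p: (
        compare(p, "ip.src", "!=", "10.1.2.3") and compare(p, "ip.dst", "!=", "10.4.5.6")),
    # the classic trap: != on a two-valued field is true whenever EITHER end differs
    "ip.addr != 10.1.1.1": lambda p: compare(p, "ip.addr", "!=", "10.1.1.1"),
    "!(ip.addr == 10.1.1.1)": lambda p: not compare(p, "ip.addr", "==", "10.1.1.1"),
    "tcp.port == 25": lambda p: compare(p, "tcp.port", "==", 25),
    "tcp.dstport == 25": lambda p: compare(p, "tcp.dstport", "==", 25),
    "tcp.flags": lambda p: present(p, "tcp.flags"),
    "tcp.flags.syn == 1": lambda p: compare(p, "tcp.flags.syn", "==", 1),
    "tcp.flags == 0x02": lambda p: compare(p, "tcp.flags", "==", 0x02),  # SYN and nothing else
    "tcp.dstport == 80 xor tcp.dstport == 1025": lambda p: xor(
        compare(p, "tcp.dstport", "==", 80), compare(p, "tcp.dstport", "==", 1025)),
}

def count_matches(name, packets=PACKETS):
    """How many of the sample packets the named display filter would show."""
    return sum(1 for p in packets if FILTERS[name](p))
```

With these four packets, "ip.addr != 10.1.1.1" shows all four (each has at least one end that is not 10.1.1.1), whereas "!(ip.addr == 10.1.1.1)" shows the two that do not involve that host at all; the or/and pair from the tutorial show three and one packet respectively. When you need "neither end is X", negate the equality rather than writing != on a multi-valued field.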

