Wireshark is the most popular network analysis tool in the world. This powerful tool captures the traffic on a network and gives users information about the network and the upper-layer protocols carried in it.
Like many other network tools, Wireshark uses the pcap packet-capture library.
Advantages of Wireshark:
- Easy to install.
- Simple, easy-to-use interface.
- Provides a wealth of functionality.
Wireshark's original name was Ethereal; the rename took place in 2006. At that time Ethereal's main developer decided to leave the company he had worked for and continue developing the software. But because the rights to the name Ethereal had already been registered by the original company, the new name Wireshark came into being.
Wireshark is currently the world's most popular protocol analysis software. With it, the binary data streams of the various protocols on a network can be captured and translated into text and graphics that people can easily read and understand, which greatly facilitates the monitoring and analysis of network activity as well as teaching experiments. It has very rich and powerful statistical analysis functions and runs on Windows, Linux, UNIX and other systems. The software was first developed in 1998 by Gerald Combs in the United States under the name Ethereal; so far more than 100 network experts and software engineers worldwide have taken part in upgrading and maintaining it. Its name was changed from Ethereal to Wireshark in May 2006. It has been updated at a pace of roughly one new version every 2-3 months; the version number as of September 2007 was 0.99.6. The main features and usage of the software have remained unchanged across upgrades. It is free, open-source software: anyone can download it freely and can also take part in its development.
Wireshark's protocol analysis can be applied easily and intuitively to teaching experiments in computer network principles and network security, to network security monitoring, network performance testing, capture and analysis of network malicious code, monitoring of network user behaviour and tracking of hacker activity. It is therefore widely used in the teaching, research and experimental work of network management experts, information security experts, software and hardware developers, and several well-known universities in the United States.
Some differences between Ethereal and Wireshark when installing and using the old and new packages are as follows:
(1) The Ethereal installation package includes WinPcap 3.0 as its packet-capture driver; captured data can only be saved under an English file name, and the default file suffix is .cap.
(2) The Wireshark installation package currently includes WinPcap 4.0; captured data can be saved under a Chinese file name, and the default file suffix is .pcap. In addition, Wireshark can interpret more network communication protocols and has better statistical analysis of network data flows, which makes it more convenient for network security teaching and day-to-day network supervision, while its basic usage remains the same as Ethereal's.
WinPcap (Windows packet capture) is a free, public network access system for the Windows platform. The WinPcap project was designed to give Win32 applications the ability to access the low-level network.
Under Linux, when we need to capture network packets for analysis, the usual practice is to use tcpdump to capture the raw packets to a file, then download the file to a local machine and analyse it with the graphical Wireshark.
I recently discovered that Wireshark also provides a Linux command-line tool, tshark. tshark not only captures packets but can also dissect the various protocols. Two examples below introduce the tshark tool.
1. Installation method
CentOS:
The code is as follows:
yum install -y wireshark
Ubuntu:
The code is as follows:
apt-get install -y tshark
2. Real-time printing of the current HTTP request URLs (including domain name)
The code is as follows:
tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'
The meaning of each parameter is as follows:
-s 512: capture only the first 512 bytes of each packet
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution
-f 'tcp dst port 80': capture only TCP packets with destination port 80
-R 'http.host and http.request.uri': keep only packets that have both http.host and http.request.uri
-T fields -e http.host -e http.request.uri: print the http.host and http.request.uri fields
-l: flush standard output after each packet so the output appears in real time when piped
| tr -d '\t': remove the tab that separates the two fields so host and URI are joined into one URL
3. Real-time printing of the current MySQL query statements
The code is as follows:
tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query
The meaning of each parameter is as follows:
-s 512: capture only the first 512 bytes of each packet
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution
-f 'tcp dst port 3306': capture only TCP packets with destination port 3306
-R 'mysql.query': keep only packets that contain a mysql.query field
-T fields -e mysql.query: print the MySQL query statement
tshark uses -f to specify the capture filter; its syntax is the same as tcpdump's and is documented in man pcap-filter.
tshark uses -R to filter the captured packets, with the same syntax as the display filter in the upper-left corner of the Wireshark GUI.
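The two pipelines above (sections 2 and 3) wrapped as reusable shell functions, written here as an added example that is not part of the original post. It assumes tshark is installed and that the caller may capture on eth0; the interface name and the 512-byte snap length come from the post, while the function names and the sample field output are constructed. One caveat the post predates: tshark 1.10 and later accept -R only together with -2 (two-pass analysis) and use -Y for the single-pass display filter, so the command the helper prints uses -Y.

```shell
#!/bin/sh
# Added example, not from the original post. It wraps the two tshark
# pipelines (HTTP request URLs on port 80, MySQL queries on port 3306) in
# functions and post-processes the tab-separated output that "-T fields"
# produces. Assumptions: tshark is installed and the caller is allowed to
# capture on the interface; "eth0" and the 512-byte snap length are taken
# from the post. tshark 1.10 and later expect -Y for a single-pass display
# filter (-R alone is only accepted together with -2), so -Y is emitted.

# Build the tshark command for one TCP destination port.
# $1 = port, $2 = display filter, remaining arguments = fields to print.
tshark_fields_cmd() {
    port=$1
    filter=$2
    shift 2
    cmd="tshark -s 512 -i eth0 -n -f 'tcp dst port $port' -Y '$filter' -T fields -l"
    for field in "$@"; do
        cmd="$cmd -e $field"
    done
    printf '%s\n' "$cmd"
}

# Convert "host<TAB>uri" lines (what -e http.host -e http.request.uri emits)
# into full URLs. A request without a Host header leaves the first field
# empty; rather than printing "http:///path", mark the host as "-" so the
# line stays visible in the log and can be searched for later.
http_fields_to_url() {
    awk -F '\t' '{
        host = ($1 == "") ? "-" : $1
        print "http://" host $2
    }'
}

# Summarise captured MySQL queries (one -e mysql.query value per line) by
# statement keyword, e.g. "SELECT<TAB>12". Sorting makes the report order
# deterministic across awk implementations. The 512-byte snap length
# truncates long statements, so the keyword is reliable but the full text
# may not be.
mysql_query_summary() {
    awk 'NF > 0 { verb = toupper($1); count[verb]++ }
         END { for (v in count) printf "%s\t%d\n", v, count[v] }' | sort
}

# Stand-alone demo on constructed sample lines (no live capture needed):
#   sh tshark_helpers.sh demo
demo() {
    echo "HTTP command:"
    tshark_fields_cmd 80 'http.host and http.request.uri' http.host http.request.uri
    echo "MySQL command:"
    tshark_fields_cmd 3306 'mysql.query' mysql.query
    echo "URLs from constructed field output:"
    printf 'www.example.com\t/index.html\n\t/no-host-header\napi.example.net\t/v1/items?id=7\n' \
        | http_fields_to_url
    echo "Query summary from constructed field output:"
    printf 'select * from users where id = 7\nSELECT 1\ninsert into audit values (1)\n' \
        | mysql_query_summary
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The tshark command itself is only printed, not executed, so the helpers can be checked offline; run the printed line with capture privileges and pipe its output into http_fields_to_url or mysql_query_summary. Keeping a missing host visible as "-" rather than dropping the line matters for monitoring: a client that sends requests without a Host header is itself worth noticing.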