Wireshark is a packet capture tool for network personnel: it analyzes the real content of network communication and helps with fault handling. It is the equivalent of a microscope in the hands of a network analyst. Why use it: 1, to prepare for later study of network communication protocols; 2, it is needed when dealing with network problems; 3, it is cross-platform, which reduces the learning cost; 4, as a post-analysis tool its display is better than that of other capture tools.
Main page, interface list: select a network card and we can see the packets the card is sending and receiving; Details shows the detailed information of the card. Select the card and click Start to begin capturing.
The real content is at the bottom of the window, where we see the hex dump.
Sniffing: capture raw data -> save the data -> analyze the data -> present the data in multiple ways.
Protocol decoding -> data analysis; the principle is to match the packet bytes against protocol dissector libraries.
File > Open supports many types of files.
Select one of the packets and right-click Decode As...: you can choose which transport the packet should be treated as, override the default protocol, and specify the protocol format.
At the same time we can capture data such as an opened picture; if the format is not supported it is shown as raw binary.
Wireshark capture filter: capturing everything produces too much data, much of it useless, and the load is too high. The main problem of packet capture is choosing what to capture.
Click Capture Options on the home page and fill in what you want to capture in the Capture Filter field.
Fill in tcp src port 443 to capture traffic with source port 443, select the NIC, and start.
tcp port 443 captures all TCP protocol traffic on port 443.
not arp does not capture ARP protocol data.
Structure of a capture filter expression:
Protocol name + direction + host/port qualifier + operator. Protocol optional values: ether, tcp, udp, ssl and many others. Direction optional values: source or target, src or dst. Qualifier: host (followed by an IP host), net (network), port (followed by a port), portrange (followed by a port range). Logical operators: not, and, or.
Priority: not is evaluated first; the remaining operators are evaluated from left to right.
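The precedence rule above decides which traffic actually reaches the capture buffer, so it is worth seeing it evaluated. The following is an added example, not code from these notes or from Wireshark: a small evaluator for the capture-filter grammar the notes describe (protocol, src/dst, host/net/port/portrange, joined with not/and/or, where not binds tightest and and/or associate left to right), run over a handful of constructed packet records. The packet dicts, the PROTOCOLS/QUALIFIERS sets and the function names are assumptions made for the example; the 203.0.113.0/24 addresses are documentation addresses, not real hosts.

```python
import ipaddress

# Constructed sample packets standing in for captured frames (not real traffic).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443},
    {"proto": "tcp", "src": "203.0.113.10", "dst": "10.0.0.5", "sport": 443, "dport": 51000},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40000, "dport": 53},
    {"proto": "arp", "src": "10.0.0.1", "dst": "10.0.0.5", "sport": None, "dport": None},
]

PROTOCOLS = {"ether", "ip", "tcp", "udp", "arp", "ssl"}   # subset used by this toy
DIRECTIONS = {"src", "dst"}
QUALIFIERS = {"host", "net", "port", "portrange"}


def _proto_matches(pkt, proto):
    if proto == "ether":
        return True                                  # every record is an Ethernet frame
    if proto == "ip":
        return pkt["proto"] in ("tcp", "udp")        # ARP is not carried in IP
    return pkt["proto"] == proto


def _qual_matches(pkt, direction, qual, value):
    """Check host/net/port/portrange against src, dst, or either side."""
    if qual in ("host", "net"):
        addrs = [pkt["src"], pkt["dst"]] if direction is None else [pkt[direction]]
        if qual == "host":
            return value in addrs
        network = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(a) in network for a in addrs)
    # Port qualifiers: ARP records carry no ports, so they never match.
    key = {"src": "sport", "dst": "dport"}
    ports = [pkt["sport"], pkt["dport"]] if direction is None else [pkt[key[direction]]]
    ports = [p for p in ports if p is not None]
    if qual == "port":
        return int(value) in ports
    lo, hi = (int(x) for x in value.split("-"))
    return any(lo <= p <= hi for p in ports)


class _Parser:
    def __init__(self, expr):
        self.toks = expr.lower().replace("(", " ( ").replace(")", " ) ").split()
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        # and/or have equal precedence and associate left to right
        left = self.term()
        while self.peek() in ("and", "or"):
            op, right = self.take(), self.term()
            if op == "and":
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def term(self):
        # `not` binds tightest: it applies only to the term that follows it
        if self.peek() == "not":
            self.take()
            inner = self.term()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return inner
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOCOLS else None
        direction = self.take() if self.peek() in DIRECTIONS else None
        qual = self.take() if self.peek() in QUALIFIERS else None
        value = self.take() if qual else None
        if proto is None and qual is None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        if direction is not None and qual is None:
            raise ValueError("src/dst needs a host, net, port or portrange qualifier")
        return lambda p: ((proto is None or _proto_matches(p, proto))
                          and (qual is None or _qual_matches(p, direction, qual, value)))


def compile_filter(expr):
    """Turn a capture-filter string into a predicate over packet records."""
    parser = _Parser(expr)
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return pred


def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets the capture filter would keep."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

The case worth remembering is tcp or udp and port 53: under the left-to-right rule it reads (tcp or udp) and port 53 and keeps only the DNS record, whereas a reader expecting and to bind tighter than or would expect all three IP records; parenthesize when the intent matters.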
Display filter settings: the first thing to do is choose which data to show.
tcp.port==80 displays TCP data with port 80; !arp does not display data of the ARP protocol; ip.addr==ip only displays data with that address, regardless of whether it is source or destination; (ip.dst==192.168.1.12) && !(ip.dst==192.168.12.2) combines conditions.
From the interface you can pull out just the protocols you need, such as the ARP protocol or the TCP protocol.
You can also choose which data to list according to what the data contains.
For example, view the data whose destination host is 192.168.191.2 and whose protocol is DNS; only that is displayed.
When you no longer want a filter, click Clear. We can also save filters we often need: for example, for not arp, add a button: enter not arp in the filter box, click Save on the right, OK. A filter button is added according to what you enter.
Additional capture settings: Stop, Refresh Interfaces (refresh the network card list and recapture), Use promiscuous mode (turn on promiscuous mode in order to capture packets not addressed to this host), and Capture Options, where we can define the capture requirements in detail.
The settings above can be saved for later use.
Select Auto..., and a breakdown of the data consumption ratio per network layer pops up.
Detailed analysis of each packet. Overview columns of the packet list (sorted numerically, tabular presentation): Time (in milliseconds, relative time), Source (source address), Destination (destination address), Protocol, Length, Info (packet information). If you don't want to see some information, or want to add some, right-click the Info column header and choose Columns. A window pops up as follows.
Click the fields below and we can add the information we want to see.
Add absolute time:
right-click, Edit Columns..., select Absolute Time, select it, OK.
The top pane is the packet list, the middle pane is the protocol layers, and the bottom pane is the real data. Wireshark's analysis result is the outline of the packet's protocol layers; the middle and bottom panes correspond to each other, proving that these things really exist in the packet. Anything that is not in the packet is not shown.
Functions of the right-click menu when analyzing a packet.
At the bottom you choose the display mode, binary or hexadecimal.
The following are mainly right-click operations on the packet list, not covered in detail above: Mark Packet (gives the packet a special colour), Ignore Packet (do not analyze it; the packet is not displayed), Set Time Reference (make this packet the reference for relative times), Time Shift, Packet Comment (add a comment; a comment that was not added is not shown), Manually Resolve Address (give the IP address a name; on Windows this could not be added), Colorize Conversation (change the colour of a conversation), Follow TCP Stream (view the packets sent in the stream), Decode As..., and the reference shown in the middle column.
In the packet details pane: Expand Subtrees, Expand All and Collapse All. Apply as Column adds a field (for example one from the frame or TCP layer above) as a column; we can also click Apply as Filter on a field.
A more important point is statistical analysis under the Statistics menu: Summary, Comments Summary, Address Resolution, Protocol Hierarchy; Compare can compare packets.
Wireshark's own settings.
Source: Wiz notes.
The use of Wireshark learning