Use of packet capture tools

Source: Internet
Author: User

Basic use of the packet capture tool Ethereal
This is a tutorial written by enthusiasts on the Internet. I have tried it in practice: it is very simple, but sufficient for basic work, so I am organizing it here for now.
Following the steps below gives you basic packet capture.

1. Preliminary parameter settings: capture options

Interface: specifies the interface (network card) on which packets are captured. Usually there is a single NIC, so the default is fine.
Limit each packet: limits the number of bytes captured from each packet; by default there is no limit.
Capture packets in promiscuous mode: whether to enable promiscuous mode. If it is enabled, all packets seen on the wire are captured. Usually you only need the packets received or sent by the local machine, so you can disable this option.
Filter: the capture filter. Only packets matching the filter rules are captured (skipped for now; for convenience we filter on the main interface after capturing instead).
File: if the captured packets should be written to a file, enter the file name here.
Use ring buffer: whether to use a ring buffer. It is not used by default, meaning capture simply continues. Note that the ring buffer only applies when writing to a file; if it is used, you also need to set the number of files and the file size at which to roll over to the next file.

Select the default option for other items.

2. Use packet capture

2.1 direct use
After starting Ethereal, choose Capture -> Start from the menu to begin capturing, and press Stop to stop. The captured packets are displayed on the panel and can be analyzed there.

Note: this method is very simple, but nothing is filtered: too many packets are captured, which is inconvenient for analysis.

2.2 filter packet capture

2.2.1 Basic structure:
[not] primitive [and | or [not] primitive ...]

After the capture is complete, the display filter can be used to find the packets you are interested in, by:
1) protocol
2) whether a field exists
3) the value of a field
4) comparison between field values

For example, if you only want to see TCP packets, enter tcp in the filter box in the lower left corner of the Ethereal window and press Enter; only TCP packets are then displayed, as shown in the figure.

Value comparison expressions

2.2.2 Filter operators
You can use the following comparison operators to construct a display filter.

Natural language   C-like   Example
eq                 ==       ip.addr == 10.1.10.20
ne                 !=       ip.addr != 10.1.10.20
gt                 >        frame.pkt_len > 10
lt                 <        frame.pkt_len < 10
ge                 >=       frame.pkt_len >= 10
le                 <=       frame.pkt_len <= 10

Expression combination
You can use the following logical operators to combine expressions.

Natural language   C-like   Meaning and example
and                &&       logical AND, e.g. ip.addr == 10.1.10.20 && tcp.flags.fin
or                 ||       logical OR, e.g. ip.addr == 10.1.10.20 || ip.addr == 10.1.10.21
xor                ^^       exclusive OR, e.g. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
not                !        logical NOT, e.g. !llc

For example:

I want to see all the HTTP packets received or sent by the host whose IP address is 192.168.2.10. The appropriate filter is:

Remember one trick: if the background of the filter box is green, the filter you entered follows the syntax rules; when the background is red, Ethereal does not accept the filter. For example:

All filters can also be built with the Expression... button next to the filter box.

3. Upgrading the packet capture software: using protocol plug-ins in Ethereal

Ethereal supports many protocols, but some need a plug-in installed before they can be decoded, such as H.323.

Take the H.323 protocol as an example. First, download the H.323 plug-in for Ethereal from
http://www.voice2sniff.org/
After the download completes, extract the file (h323.dll) into the plugins/0.9.x directory under the Ethereal installation directory; in my case the directory is 0.9.11.
Then make the following settings:
1) Start Ethereal
2) Menu Edit -> Preferences
3) Click the "+" in front of Protocols to expand the protocol list
4) Locate Q931 and click it
5) Make sure "Desegment ... TCP segments" is selected (that is, the box is checked)
6) Click TCP
7) Make sure "Allow ... TCP streams" is selected
8) Make sure "Check ... TCP checksum" and "Use ... sequence numbers" are NOT selected
9) Click TPKT
10) Make sure "Desegment ... TCP segments" is selected
11) Click Save, click Apply, and then click OK.

You can also simply keep installing the newest versions of WinPcap and Ethereal, so that you do not have to add new protocol plug-ins to an old Ethereal by hand. That is the lazy approach :)

More notes will be added later as work requires.
This post comes from the group music community: http://q.yesky.com/group/review-17808856.html

Network Packet capture tool Ethereal

(10:09:48)

Category (misc.): practical testing technology

Q: How to use Ethereal for packet capture?

1. Filter first, then capture: click Capture Filter in Capture Options to set the filter rules. To view the data in real time, check "Update list of packets in real time" under Display Options, then start the capture. Example: enter host 192.168.1.5 and port 80 to capture only packets involving IP address 192.168.1.5 and port 80.

2. Capture first, then filter: after capturing, enter an expression in the filter box to filter the display.
Example: fields such as ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.ack, tcp.len and eth can be combined with relational operators. For example, ip.src == 192.168.1.5 && tcp.srcport == 80 displays only packets whose source IP address is 192.168.1.5 and whose source port is 80.

Q: How to analyze the packets captured with Ethereal?

Here TCP/IP is taken as an example (adapted from the network abstract):

I. Data link layer:

1. Destination: the destination MAC address. (eth.dst)

2. Source: the source MAC address. (eth.src)

3. Type: the Ethernet type (0x0800 indicates IP). (eth.type)

II. IP network layer:

1. Version = 4, indicating that the IP protocol version is 4. This field occupies 4 bits. (ip.version)

2. Header length = 20 bytes, indicating that the total length of the IP header is 20 bytes. This field occupies 4 bits and is measured in units of 4 bytes, so the IP header can be at most 1111 in binary, that is, 15 * 4 = 60 bytes.

3. Type of service = 00, indicating that the service type is 0. This field is written as two hexadecimal digits and occupies 8 bits.

The meaning of the 8 bits is:

000 - the first three bits

0 - minimum delay; for example, the Telnet service sets this bit

0 - maximum throughput; for example, the FTP service sets this bit

0 - maximum reliability; for example, the SNMP service sets this bit

0 - minimum cost

0 - unused

4. Total length = 48 bytes, indicating that the total length of the IP packet is 48 bytes. This field occupies 16 bits, in units of bytes. So the maximum length of an IP packet is 2 to the power of 16 minus 1, namely 65535 bytes; therefore the largest IP packet that can be transmitted over Ethernet is 65535 bytes. (ip.len)

5. Identification = 363, indicating that the IP packet identification number is 363. This field occupies 16 bits and is shown in decimal. (ip.id)

6. Flags: the fragmentation flags, occupying 3 bits, with the following meanings: the first bit is reserved and not used; the second bit is the Don't Fragment flag, where 1 means the packet must not be fragmented and 0 means it may be; the third bit is the More Fragments flag, where 0 means this is the last fragment and 1 means more fragments follow. (ip.flags)

7. Fragment offset = 0, indicating that the fragment offset is 0. This field occupies 13 bits.

8. Time to live = 128 seconds/hops, indicating that the TTL value is 128. This field occupies 8 bits. (ip.ttl)

9. Protocol = 6 (TCP), indicating that the protocol type is TCP, protocol code 6. For UDP the protocol code here is 17; for ICMP it is 1. This field occupies 8 bits. (ip.proto)

10. Header checksum = 4035 (correct), indicating that the IP header checksum is 4035. The "correct" in brackets means the IP header verifies and has not been altered. This field occupies 16 bits and is shown in hexadecimal. (ip.checksum)

11. Source address = 76.88.16.104, indicating that the source address of the IP packet is 76.88.16.104. This field occupies 32 bits. (ip.src)

12. Destination address = 76.88.16.16, indicating that the destination address of the IP packet is 76.88.16.16. This field occupies 32 bits. (ip.dst)

13. No options, indicating that the options field is not used in this IP packet. Options are used only when, for example, the route needs to be recorded.

III. TCP transport layer:

1. Source port = 1038, indicating that the source port initiating the connection is 1038. This field occupies 16 bits. From this value we can see the source port number of the computer that initiates the connection. (tcp.srcport)

2. Destination port = 21 (FTP-CTRL), indicating that the destination port being connected to is 21. This field occupies 16 bits. From this value we can see the destination port number being logged on to; port 21 is the FTP service port. (tcp.dstport)

3. Initial sequence number = 1791872318, indicating the sequence number of the initial connection request, that is, the seq value. This field occupies 32 bits, and the value ranges from 1 to 2 to the power of 32 minus 1. (tcp.seq)

4. Acknowledgment number = 1791872319, indicating that the acknowledgment number expected from the other side is 1791872319, that is, the ACK value the other side returns. This field occupies 32 bits, and the value ranges from 1 to 2 to the power of 32 minus 1. (tcp.ack)

5. Data offset = 28 bytes, indicating the size of the data offset (the length of the TCP header). This field occupies 4 bits.

6. Reserved bits: reserved, not used here. This field occupies 6 bits.

7. Flags = 02. The value is written as two hexadecimal digits. This field occupies 6 bits, with the following meanings: (tcp.flags)

0 URG: urgent-data flag; 1 means there is urgent data that should be transmitted immediately.

0 ACK: acknowledgment flag; 1 means this packet is a response (acknowledgment) packet.

0 PSH: push flag; 1 means this packet should be passed up immediately.

0 RST: reset flag; if a packet is received that does not belong to a connection on the local machine, an RST is returned.

0 SYN: connection-request flag; 1 means this is the packet that initiates the connection.

0 FIN: connection-close flag; 1 means this is the packet that requests ending the connection.

8. Window = 64240, indicating that the window size is 64240. This field occupies 16 bits.

9. Checksum = 92d7 (correct), indicating that the checksum is 92d7. This field occupies 16 bits and is shown in hexadecimal. (tcp.checksum)

10. Urgent pointer = 0, indicating that the urgent pointer is 0. This field occupies 16 bits.

11. Maximum segment size = 1460, indicating that the maximum segment size (MSS option) is 1460 bytes.
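The three header walkthroughs above can be checked against real bytes. The following is an added example, not code from the original post: it builds a constructed Ethernet II / IPv4 / TCP SYN frame from the values quoted above (the MAC addresses are made up; the Don't Fragment bit is assumed set; the TCP options are assumed to be MSS 1460, two NOPs and SACK-permitted, which fills the 28-byte data offset; the raw acknowledgment field of a SYN that does not carry the ACK flag is 0), dissects it with struct, and recomputes both RFC 1071 checksums. Under those assumptions the computed checksums come out to exactly the 4035 and 92d7 shown in the walkthrough, so the "correct" label is reproducible from first principles. Two caveats a practitioner should keep in mind: a checksum only catches accidental corruption in transit, since anyone who rewrites a packet recomputes it, so "correct" means intact, not authentic; and a dissector reading untrusted traffic must validate header lengths and option lengths before using them, which is why parse_frame and parse_tcp_options raise on inconsistent values instead of reading past the end of the data.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5 of tcp.flags

def checksum16(data):
    """RFC 1071 one's-complement sum over 16-bit words; an intact header including its checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample_frame():
    """Constructed Ethernet II / IPv4 / TCP SYN using the field values quoted in the text (MACs made up)."""
    eth = bytes.fromhex("66778899aabb" "001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    src, dst = bytes([76, 88, 16, 104]), bytes([76, 88, 16, 16])
    # version 4 / IHL 5, TOS 0, total length 48, id 363, DF set (assumed), TTL 128, protocol 6, checksum 0 for now
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 363, 0x4000, 128, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum16(bytes(ip)))
    options = bytes.fromhex("020405b4" "01" "01" "0402")  # assumed: MSS 1460, NOP, NOP, SACK permitted
    # sport 1038, dport 21, seq, ack 0 (no ACK flag on a SYN), data offset 7 words, flags SYN, window 64240
    tcp = bytearray(struct.pack("!HHIIBBHHH", 1038, 21, 1791872318, 0, 7 << 4, 0x02, 64240, 0, 0) + options)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # the TCP checksum also covers this pseudo-header
    tcp[16:18] = struct.pack("!H", checksum16(pseudo + bytes(tcp)))
    return eth + bytes(ip) + bytes(tcp)

def parse_tcp_options(raw):
    """Decode TCP options; malformed lengths raise instead of looping or reading past the end."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:      # end of option list
            break
        if kind == 1:      # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:
            opts["kind_%d" % kind] = body.hex()
        i += length
    return opts

def parse_frame(frame):
    """Dissect Ethernet II / IPv4 / TCP headers into a dict and verify both checksums."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: type 0x%04x" % eth_type)
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or 14 + total_len > len(frame):
        raise ValueError("inconsistent IPv4 header lengths")
    result = {
        "eth": {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"), "type": eth_type},
        "ip": {"version": ver_ihl >> 4, "hdr_len": ihl, "tos": tos, "len": total_len, "id": ident,
               "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
               "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto, "checksum": ip_sum,
               "checksum_ok": checksum16(frame[14:14 + ihl]) == 0,
               "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))},
    }
    if proto != 6:
        return result
    segment = frame[14 + ihl:14 + total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     tcp_sum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad TCP data offset")
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    result["tcp"] = {
        "srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "data_offset": data_off,
        "flags": [n for b, n in enumerate(TCP_FLAG_NAMES) if flags >> b & 1],
        "window": window, "checksum": tcp_sum, "urgent_pointer": urg,
        "checksum_ok": checksum16(pseudo + segment) == 0,
        "options": parse_tcp_options(segment[20:data_off]),
        "payload_len": len(segment) - data_off,
    }
    return result
```

Flipping a single bit anywhere in the TCP segment makes tcp checksum_ok go false while the IP header still verifies, which is exactly the distinction between the two "(correct)" annotations in the walkthrough.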
