Wireshark data packet capture tutorial-Wireshark

Source: Internet
Author: User

Wireshark data capture

When Wireshark is used to capture Ethernet data, it can capture and analyze the packets of the host it runs on. It can also capture the packets of another host on the same LAN once that host's IP address is known.

Capturing the host's own packets: if the client reaches the Internet directly through the router, the topology is as shown in Figure 1.28. In this figure Wireshark is installed on PC A and captures the host's own traffic directly.

Figure 1.28 capture data on the host
Wireshark can also capture other hosts' packets when they are on the same LAN and their IP addresses are known. The methods are as follows:
1. Port mirroring
The PCs in the LAN are connected to the same switch, as shown in Figure 1.29: PC A and PC B work under one switch. After Wireshark is installed on PC A, mirror the switch port of the PC of interest, that is, configure the switch to copy all traffic on that port to the port where the Wireshark host is connected. PC A can then capture the traffic of the other PC, for example PC B.
2. Use a hub
Replace the switch in Figure 1.29 with a hub, so that every frame is repeated out of every port: whoever sends a frame, every computer on the hub receives a copy. You then only need to set the network card to promiscuous mode to capture the other hosts' packets.
3. ARP spoofing
Traffic to and from the Internet must pass through the router, as shown in Figure 1.30. In this figure, after Wireshark is installed on PC A, ARP spoofing can be used to capture the packets of PC B, PC C, or the traffic between PC B and PC C. PC A sends ARP packets on the LAN so that the other computers mistakenly take it for the gateway; they then send their packets to PC A, and PC A can capture them.

Figure 1.29 Capturing PC B's data packets
Figure 1.30 Capturing data packets
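Seen from the defender's side, the ARP spoofing described above leaves a clear trace in a capture: an IP address that was answered for by one MAC address (the real gateway) is suddenly claimed by a second one. The following script is an added example, not code from the tutorial. It parses raw Ethernet/ARP frames, the same bytes Wireshark shows in the Packet Bytes panel, and flags such a change. All frames and addresses in it are constructed sample data.

```python
"""Detect ARP packets that change the MAC address claimed for an IP address.

Added example, not part of the tutorial. It parses raw Ethernet/ARP frames
and reports when an IP address (typically the gateway) is claimed by a MAC
address different from the one first seen for it, which is what ARP spoofing
looks like in a capture. All frames and addresses below are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP packet (sample data only)."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6+4 byte addresses
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet+ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _hw, _proto, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if hw_len != 6 or proto_len != 4:
        return None  # not Ethernet/IPv4 ARP
    return frame[22:28], frame[28:32], opcode


def detect_arp_conflicts(frames):
    """Walk frames in order and return [(ip, first_mac, conflicting_mac), ...].

    The first MAC seen for an IP is kept as the reference binding; any later
    ARP packet (request or reply, both carry sender info) that names a
    different MAC for that IP is reported. The binding is not updated, so a
    spoofing host keeps producing alerts rather than silently taking over.
    """
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip, _opcode = parsed
        ip_s, mac_s = ip_str(ip), mac_str(mac)
        known = bindings.setdefault(ip_s, mac_s)
        if known != mac_s:
            alerts.append((ip_s, known, mac_s))
    return alerts


# Constructed sample: gateway, PC B and PC A as in Figure 1.30 (addresses are made up).
GW_MAC, GW_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
PCB_MAC, PCB_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 20])
PCA_MAC = bytes.fromhex("ccddeeff0011")

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PCB_MAC, PCB_IP, b"\x00" * 6, GW_IP),          # PC B asks for the gateway
    build_arp(ARP_REPLY, GW_MAC, GW_IP, PCB_MAC, PCB_IP),                 # the real gateway answers
    b"\xff" * 6 + PCB_MAC + struct.pack("!H", 0x0800) + b"\x00" * 28,     # unrelated IPv4 frame
    build_arp(ARP_REPLY, PCA_MAC, GW_IP, PCB_MAC, PCB_IP),                # PC A claims the gateway IP
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

Running the script prints one alert for the constructed frames: the gateway IP moves from the gateway's MAC to PC A's. Wireshark's own ARP dissector raises a comparable "duplicate IP address" expert warning, which the expert information button in the status bar (described further down this page) surfaces.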
Capturing data with Wireshark

After the above introduction, download and install Wireshark and you can use it to capture data. The following uses development version 1.99.7 as an example to explain how to capture data.

To capture data, start Wireshark from Windows; the main interface is shown in Figure 1.31.

Figure 1.31 Wireshark main interface
Figure 1.32 Capturing network data
On this page you can see three capture interfaces: Local Area Connection, VMware Network Adapter VMnet1, and VMware Network Adapter VMnet8. These are the three interfaces on this particular machine; on another computer the list of capture interfaces may differ. Only a capture interface can capture network data, so first select the interface. Select the Local Area Connection as the capture interface and click the start button shown in the figure to capture network data, as shown in Figure 1.32.
Click the stop button shown in the figure to stop the capture. The captured data can then be saved: click the save button shown in the figure and the page shown in Figure 1.33 is displayed.

Figure 1.33 Saving captured data
Figure 1.34 Opening a capture file
On this page, select the location where the captured data is to be saved and name the file, then click "Save". In this example the file is saved on the desktop under the name Wireshark.

Opening a capture file in Wireshark: once the captured data has been saved, it can be viewed again later. How is the saved capture file opened? The steps are as follows.
(1) On the Wireshark start page, click the Open button to bring up the Open dialog box, as shown in Figure 1.34.
(2) In this dialog, browse to the location where the capture file was saved and click "Open" to open it.

Wireshark Quick Start

Beyond learning how to capture data with Wireshark, you also need to understand how each part of the Wireshark window is used. This section describes them in detail.
The Wireshark main window after a capture file has been opened is shown in Figure 1.35:

Figure 1.35 Wireshark main window
Figure 1.36 Menu bar
In Figure 1.35, each part of Wireshark is marked with a number. The meaning of each part is as follows:

① Title bar: displays the file name and the name of the capture device.

② Menu bar: the standard Wireshark menu bar.

③ Toolbar: shortcut icons for common functions.

④ Display filter area: reduces the amount of data to look at by filtering what is displayed.

⑤ Packet List panel: displays a one-line summary of each captured frame.

⑥ Packet Details panel: shows the dissected details of the selected packet.

⑦ Packet Bytes panel: displays the raw packet bytes in hexadecimal and ASCII.

⑧ Status bar: number of packets, displayed packets and marked packets, and the configuration profile in use.

The above briefly introduces the meaning of each part of the Wireshark main window. The following sections describe each part in detail.

Wireshark menu bar

Wireshark's menu bar is shown in Figure 1.36. The two menus highlighted in this figure are described under the toolbar.

The function of each menu in the menu bar is as follows:

File: open files and file sets, save captures, and export objects such as HTTP objects.

Edit: find packets, mark packets, and set time references.

View: show or hide toolbars and panels, edit the Time column format, and reset coloring.

Analyze: create display filter macros, view enabled protocols, follow streams, and apply "Decode As" settings.

Statistics: create charts and open the various protocol statistics windows.

Telephony: all voice-related functions (graphs, flows, and playback).

Bluetooth: ATT server attributes.

Help: learn about Wireshark and the locations of its global and personal configuration files.

Wireshark toolbar Introduction

Once you know what each button in the toolbar does, you can perform the various operations quickly. The function of each toolbar button is shown in Figure 1.37.

Figure 1.37 Toolbar
Figure 1.38 Wireshark panels

Wireshark panel introduction

Wireshark has three panels: the Packet List panel, the Packet Details panel, and the Packet Bytes panel. Their positions are shown in Figure 1.38.

The three panels are marked in the figure, and they are linked: to view the content of a particular packet in the Packet Details panel, click that packet in the Packet List panel. Once the packet is selected, you can select a field of the packet in the Packet Details panel for analysis, and the bytes of that field are then highlighted in the Packet Bytes panel. The content of each panel is described below.

1. Packet List panel

This panel lists all packets in the current capture file in a table. Figure 1.38 shows seven columns in the panel, as follows:

No. (Number) column: the packet number. This number does not change even when a filter is applied.

Time column: the packet timestamp. The time format can be configured.

Source and Destination columns: the packet's source and destination addresses.

Protocol column: the protocol type of the packet.

Length column: the packet length.

Info column: additional information about the packet.

In this panel you can sort packets and move, hide, show, rename or delete columns. The following example describes the operations available in the panel.

[Example 1-4] shows the functions available in the Packet List panel, as follows:

(1)Column sorting

Open http.pcapng, as shown in Figure 1.39.

Figure 1.39 The http.pcapng capture file
Figure 1.40 Sorting by the Protocol column

This interface shows the packets in the http.pcapng capture file. By default Wireshark sorts them in ascending order of packet number. To sort by the Protocol column, for example, click the Protocol column header; the page shown in Figure 1.40 is displayed.

Compare this interface with Figure 1.39 and you will see large changes: the order of the No. column has changed, and the Protocol column now starts with ARP.

(2)Move column position

For example, move the Protocol column of the http.pcapng capture file next to the Time column: select the Protocol column header with the mouse and drag it next to Time. The page shown in Figure 1.41 is displayed.

Figure 1.41 Moving the Protocol column
Figure 1.42 Column operation options

(3)Hide, rename, and delete Columns

In the capture file http.pcapng, right-click any column header in the Packet List panel; a pop-up menu is displayed, as shown in Figure 1.42.

Hide and restore columns: the pop-up menu lists the headers of the seven columns in the Packet List panel with check marks. Click a column entry to hide it: the check mark disappears and the column is hidden. To restore the column, right-click the header of any column in the Packet List panel and click the entry again in the same way.

Rename a column: click Edit Column in the pop-up menu; the page shown in Figure 1.43 is displayed.

Figure 1.44 Wireshark preferences

This editing bar appears above the Packet List panel. Type the new name in the Title text box on the left and click OK on the right.

Delete and restore columns: click the delete column option at the bottom of the pop-up menu. To restore a column, click the Column Preferences... option (or choose "Edit" | "Preferences" from the menu bar and click Columns on the left of the page) to open the Wireshark Preferences dialog shown in Figure 1.44.

Click the button in the lower left corner to automatically create a new column of type Number. Double-click the title and the type to change them, then click OK.

In Wireshark you can perform many operations on the packets in the Packet List panel, such as marking or ignoring packets. Right-click any packet to see the available options, as shown in Figure 1.45.

Figure 1.45 Available packet options
Figure 1.46 Packet Details right-click menu

The available packet options are shown in the Packet List panel. Among these options, marking packets lets you quickly locate problematic packets again.

2. Packet Details panel

This panel displays the content of a packet layer by layer; each layer can be expanded or collapsed to show everything captured in the packet.

In the Packet Details panel the dissected fields are collapsed by default. To view the details of a layer, click the triangle in front of its row to expand that subtree. You can also right-click a row to bring up the menu shown in Figure 1.46.

In that menu, choose Expand Subtrees (a single subtree) or Expand All.

3. Packet Bytes panel

The content of this panel may be the most confusing. It shows the packets in their raw, unprocessed form, that is, as the bytes were transmitted on the link.

The panel displays the frame content in hexadecimal and ASCII. When a field is selected in the Packet Details panel, the bytes belonging to that field are highlighted in the Packet Bytes panel. If you do not want to see the Packet Bytes panel, choose "View" > "Packet Bytes" from the menu to close it; open it again in the same way.
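To make the Packet List columns and the Packet Bytes panel concrete, here is an added example (not code from the tutorial or from Wireshark) that reads a classic libpcap file and derives the No., Time, Source, Destination, Protocol, Length and Info columns itself, then formats a frame the way the Packet Bytes panel does. The capture and every address in it are constructed in memory. Note that the tutorial's http.pcapng is in the newer pcapng format, which this reader deliberately rejects rather than parse.

```python
"""Build Packet List rows and a Packet Bytes hex/ASCII view from a pcap file.

Added example, not part of the tutorial. It reads classic libpcap files and
derives the No./Time/Source/Destination/Protocol/Length/Info columns of the
Packet List panel for each Ethernet frame, plus the Packet Bytes hex dump.
The capture is constructed in memory; every address in it is made up.
"""
import struct

ETH_IPV4, ETH_ARP, PROTO_TCP, PROTO_UDP = 0x0800, 0x0806, 6, 17

def ip_str(b): return ".".join(str(x) for x in b)
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

# ---- constructed sample capture (not real traffic) ------------------------
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload
def ipv4(src, dst, proto, payload):  # IHL 5, TTL 64, header checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst) + payload
def tcp(sport, dport, flags):  # 20-byte header, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

PCA_MAC, GW_MAC = bytes.fromhex("ccddeeff0011"), bytes.fromhex("001122334455")
PCA_IP, GW_IP, WEB_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]), bytes([203, 0, 113, 5])
SAMPLE_FRAMES = [  # (microseconds after capture start, frame)
    (0, eth(b"\xff" * 6, PCA_MAC, ETH_ARP,
            struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + PCA_MAC + PCA_IP + b"\x00" * 6 + GW_IP)),
    (512, eth(GW_MAC, PCA_MAC, ETH_IPV4, ipv4(PCA_IP, GW_IP, PROTO_UDP, udp(51000, 53, b"\x00" * 12)))),
    (12345, eth(GW_MAC, PCA_MAC, ETH_IPV4, ipv4(PCA_IP, WEB_IP, PROTO_TCP, tcp(49152, 80, 0x02)))),
]

def build_pcap(frames, base_sec=1700000000):
    """Classic little-endian libpcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for usec, frame in frames:
        out += struct.pack("<IIII", base_sec + usec // 1_000_000, usec % 1_000_000, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

# ---- reader and Packet List / Packet Bytes views ---------------------------
def read_pcap(data):
    """Yield (sec, usec, frame) records; the magic number reveals the byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += 16 + incl_len
        yield sec, usec, frame

def summarize(frame):
    """Return (source, destination, protocol, info) as the Packet List columns show them."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        opcode = struct.unpack("!H", frame[20:22])[0]
        sender_ip, target_ip = ip_str(frame[28:32]), ip_str(frame[38:42])
        info = (f"Who has {target_ip}? Tell {sender_ip}" if opcode == 1
                else f"{sender_ip} is at {mac_str(frame[22:28])}")
        return mac_str(src_mac), "Broadcast" if dst_mac == b"\xff" * 6 else mac_str(dst_mac), "ARP", info
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        proto, src, dst = frame[23], ip_str(frame[26:30]), ip_str(frame[30:34])
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IHL*4 header bytes
        if proto == PROTO_TCP and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST")) if l4[13] & bit]
            return src, dst, "TCP", f"{sport} → {dport} [{', '.join(flags)}]"
        if proto == PROTO_UDP and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            return src, dst, "UDP", f"{sport} → {dport}"
        return src, dst, "IPv4", f"protocol {proto}"
    return mac_str(src_mac), mac_str(dst_mac), "Ethernet", f"type 0x{ethertype:04x}"

def packet_list(pcap_bytes):
    """Rows of (No., Time since first packet, Source, Destination, Protocol, Length, Info)."""
    rows, first = [], None
    for no, (sec, usec, frame) in enumerate(read_pcap(pcap_bytes), start=1):
        first = first if first is not None else (sec, usec)
        rel = ((sec - first[0]) * 1_000_000 + usec - first[1]) / 1_000_000  # exact integer math
        src, dst, proto, info = summarize(frame)
        rows.append((no, round(rel, 6), src, dst, proto, len(frame), info))
    return rows

def hexdump(frame):
    """Packet Bytes layout: offset, 16 hex bytes, ASCII with '.' for non-printable bytes."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<47}  {text}")
    return lines

if __name__ == "__main__":
    print(*packet_list(SAMPLE_PCAP), sep="\n")
    print("\n".join(hexdump(SAMPLE_FRAMES[0][1])))
```

The Time column is computed the way Wireshark's default "seconds since beginning of capture" format works, from the record's integer seconds and microseconds, so the three rows come out at 0, 0.000512 and 0.012345 seconds. The reader checks the magic number, link type and record lengths before trusting any offset, which is the minimum a parser that will be pointed at untrusted capture files should do.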

Wireshark Status Bar

The status bar consists of two buttons and three columns. The width of the three columns can be adjusted as needed. The meaning of each part of the status bar is shown in Figure 1.47.

Figure 1.47 Status Bar

The functions of each part of the status bar are as follows:

Expert information button: the button's color shows the highest severity level present in the Expert Information window. The Expert Information window points users to network problems and packet comments in the capture file.

Capture file comment button: click this button to add, edit or view the comment of the capture file. This function is only available for capture files saved in .pcapng format.

First column: when a capture file is open, the file name and size are shown in the status bar. If you click a field in the Packet Bytes panel, its field name is shown in the status bar, and the Packet Details panel changes accordingly.

Second column (packet counts): when a capture file is open, the second column of the status bar shows the total number of packets in the file. In Figure 1.47 the number of captured packets, the number of displayed packets and the load time are shown. If packets are marked in the current capture file, the number of marked packets also appears in the status bar.

Third column (configuration profile): shows the profile currently in use; in Figure 1.47 the Default profile is being used. You can create profiles to customize the Wireshark environment.

