Wireshark is an easy-to-use packet-capture tool. It is commonly used to capture packets, analyze protocols, or monitor a network, and it does this job well. Since I have been studying it recently, I am writing a tutorial to make it easier for everyone to learn.
First, Wireshark's start and capture interfaces.
Start interface:
The capture interface at startup looks like this:
Click the button under File.
The following will then appear:
This is the list of network adapters. Because I have a virtual machine installed, virtual adapters are shown as well. We want to capture packets on the physical adapter, so right-click the Ethernet adapter and choose Start to begin capturing.
This is the capture interface (also the main interface).
The Wireshark main window consists of the following sections:
Menu - used to start operations.
Main toolbar - provides quick access to items that are used often in the menus.
Filter toolbar - provides ways to edit the current display filter.
Packet List pane - displays a summary of each packet in the open file. Click an entry in this pane and the rest of that packet appears in the other two panes.
Packet Details pane - displays more details about the packet selected in the Packet List pane.
Packet Bytes pane - displays the data of the packet selected in the Packet List pane, with the field selected in the Packet Details pane highlighted.
Status bar - displays the current program status and more details about the captured data.
1. Menu bar
The main menu includes the following items:
File - includes opening and merging capture files, saving, printing, exporting all or part of a capture file, and exiting Wireshark.
Edit - includes finding packets, time references, marking one or more packets, and setting preferences. (Cut, copy and paste cannot be used yet.)
View - controls how captured data is displayed, including coloring, font zoom, showing a packet in a separate window, and expanding or collapsing the tree nodes in the details pane.
Go - contains functions for jumping to a specified packet.
Analyze - includes handling display filters, enabling or disabling protocol dissection, configuring user-specified decoding, and following TCP streams.
Statistics - includes menu items that open various statistics windows, such as a summary of the captured packets and protocol hierarchy statistics.
Help - contains reference material for users: access to basic help files, the list of supported protocols, the user manual, links to some websites, and "About".
2. Toolbar (omitted)
3. Filter Toolbar
Clicking the Filter button opens this dialog. It gives the same result as typing a protocol directly into the toolbar to find packets, but it is easy to mistype on the toolbar.
Click here to enter or modify the display filter string; the syntax is checked as you type. If the format is wrong, or the input is not yet complete, the background turns red; it turns green once you have entered a valid expression. You can click the drop-down list to select filter strings you typed earlier, and the list is kept even after restarting the program.
Note: after editing, remember to click the Apply button on the right or press Enter for the filter to take effect. The contents of the input box are also the contents of the current filter (the current filter is always reflected in the input box).
4. Packet List
All captured packets are displayed in the packet list. Here you can see the MAC/IP addresses of the sender and receiver, the TCP/UDP port numbers, the protocol, and a summary of the packet contents.
If you capture an OSI layer 2 packet, you will see MAC addresses in the Source and Destination columns, and the Port column will of course be empty.
If you capture an OSI layer 3 or higher packet, you will see IP addresses in the Source and Destination columns. The Port column is only filled for layer 4 or higher packets.
Here you can add or remove columns or change the color of each column:
Edit menu -> Preferences
5. Packet Details
This shows the details of the packet selected in the Packet List.
The information is grouped by OSI layer, and each item can be expanded.
PS: Wireshark itself is not difficult; what is difficult is understanding these packets.
(If you do not recognize the header information, look it up yourself.)
6. Hexadecimal Data
This pane is also called the "hex data view" in Wireshark. The content shown here is the same as in Packet Details, except that it is shown in hexadecimal instead.
Here we also learn how to filter, so that we can find the information we need among a large amount of data.
Filters:
Filters are very important. They help us quickly find the information we need in complex results.
- Capture filter: determines what information is recorded in the capture result. It must be set before starting the capture.
- Display filter: a detailed lookup within the capture result. It can be changed at will after the capture has been taken.
The two filters serve different purposes.
1. The capture filter is the first layer of filtering; it controls the amount of data captured so that the log file does not become too large.
2. The display filter is a more powerful (and more complex) filter. It lets you quickly and accurately locate the records you need in a log file.
1. Capture Filter
The syntax of capture filters is the same as in other software built on the libpcap (Linux) or WinPcap (Windows) libraries, such as the well-known tcpdump. A capture filter must be set before the capture starts, which is different from a display filter.
The steps to set a capture filter are:
- Select Capture -> Options.
- Fill in the "Capture Filter" field, or click the "Capture Filter" button to name your filter and save it so you can reuse it in future captures.
- Click Start to capture.
Syntax:
Protocol | Direction | Host(s) | Value | Logical Operations | Other Expression
Example:
tcp | dst | 10.1.1.1 | 80 | and | tcp dst 10.2.2.2 3128
Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no particular protocol is specified, all supported protocols are matched by default.
Direction:
Possible values: src, dst, src and dst, src or dst.
If no particular source or destination is specified, the keyword "src or dst" is used by default.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".
Host(s):
Possible values: net, port, host, portrange.
If this value is not specified, the "host" keyword is used by default.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".
Logical Operations:
Possible values: not, and, or.
"not" has the highest precedence. "or" and "and" have the same precedence and are evaluated from left to right.
For example:
"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" differs from "not (tcp port 3128 and tcp port 23)".
Examples:
Display packets whose destination TCP port is 3128.
Display packets whose source IP address is 10.1.1.1.
Display packets whose destination or source IP address is 10.1.2.3.
Display packets whose source is UDP or TCP with a port number in the range 2000 to 2500.
Display all packets except ICMP. (ICMP is usually used by the ping tool.)
src host 10.7.2.12 and not dst net 10.200.0.0/16
Display packets whose source IP address is 10.7.2.12 but whose destination is not in 10.200.0.0/16.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000
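The capture-filter grammar, defaults and precedence rules described above, together with the example filters just listed, can be checked with this added Python example, which is not part of this tutorial nor of Wireshark or libpcap: a toy evaluator for that subset of the syntax (protocol, direction, host/net/port/portrange, not/and/or, parentheses), run against constructed packet dicts with the assumed keys proto, src, dst, sport and dport.

```python
# Added example, not Wireshark/libpcap code: a toy evaluator for the capture-filter
# subset described on this page, so its defaults and precedence rules can be checked.
import ipaddress
import re

PROTOS = {"ether", "ip", "arp", "tcp", "udp", "icmp"}
KINDS = {"host", "net", "port", "portrange"}
PKT_WEB = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 51000, "dport": 3128}  # constructed sample: TCP to a proxy
PKT_PING = {"proto": "icmp", "src": "10.1.1.5", "dst": "10.1.1.1", "sport": None, "dport": None}  # constructed sample: ping, no ports

def _prim(proto, direction, kind, value, pkt):
    # one primitive such as 'tcp dst port 80'; value None means a bare protocol name
    if proto and pkt["proto"] != proto: return False
    if value is None: return True
    def side_ok(side):
        if kind == "host": return pkt[side] == value
        if kind == "net":
            return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False)
        port = pkt["sport" if side == "src" else "dport"]
        lo, hi = map(int, value.split("-")) if kind == "portrange" else (int(value),) * 2
        return port is not None and lo <= port <= hi
    sides = ("src", "dst") if " " in direction else (direction,)   # 'src or dst' / 'src and dst'
    return (all if "and" in direction else any)(side_ok(s) for s in sides)

def matches(expr, pkt):
    # 'not' binds tightest; 'and' and 'or' share precedence and apply left to right
    toks = re.findall(r"\(|\)|[^\s()]+", expr.lower())
    pos = 0
    def peek(ahead=0): return toks[pos + ahead] if pos + ahead < len(toks) else None
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def primary():
        if peek() == "(": take(); value = chain(); assert take() == ")", "unbalanced ()"; return value
        if peek() == "not": take(); return not primary()
        proto = take() if peek() in PROTOS else None
        if proto and peek() in {"and", "or", ")", None}:   # bare protocol, e.g. 'not icmp'
            return _prim(proto, "src or dst", "host", None, pkt)
        direction = "src or dst"                            # page's default direction
        if peek() in ("src", "dst"):
            direction = take()
            if peek() in ("or", "and") and peek(1) in ("src", "dst"):
                op = take(); direction = f"{direction} {op} {take()}"
        kind = take() if peek() in KINDS else "host"        # page's default type
        return _prim(proto, direction, kind, take(), pkt)
    def chain():
        value = primary()
        while peek() in ("and", "or"):
            op, rhs = take(), primary()
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    result = chain(); assert pos == len(toks), "trailing tokens in filter"; return result
```

The trailing-token check rejects anything outside this subset, including the syntax table's shorthand "tcp dst 10.2.2.2 3128", which this evaluator (like libpcap) expects spelled out with the host and port keywords.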