Wireshark packet capture tool usage tutorial and common packet capture rules

Source: Internet
Author: User
Tags snmp connection reset

Wireshark is a very useful packet capture tool. When we encounter network-related problems, we can use this tool for analysis. However, it should be noted that this is just a tool, the usage is very flexible, so the content described today may not help you solve the problem directly, but as long as you have the idea of solving the problem, learning to use this software is very useful.
Wireshark http://www.wireshark.org/download.html official
If you cannot remember it, you can enter wir in Baidu to view the keyword of Baidu intelligent match. Select the first address and download it.

Briefly introduce some commonly used buttons of the software, because I am not very familiar with the software, so I will simply say the most commonly used buttons. After opening the software, the buttons in the red box below are from left to right:
-The list shows the network packages of all NICs, which are rarely used;
-The packet capture option is displayed. Generally, click this button to start packet capture;
-Starting a new packet capture, usually rarely used;
-Stop packet capture. after you have finished the packet capture, click it to stop;
-Clearing the packets that have been captured can prevent the machine from changing the card if the packet is captured for too long;

In fact, we only need to know the bold button function above to complete packet capture. The rest is how to capture the desired data packet and how to analyze the problem.

Next, let's talk about the packet capture option interface, that is, the interface that comes out of the second button. Here we only introduce the most common functions, first, the above red box is to select the network card to be captured. After the network card is selected, the IP address of the network card is displayed below.
Then the capture filter is the place where the packet capture rule is to be written, also known as the "filter rule". Many of the rules we will talk about below should be written in this box. After the rules are written, click Start below to start packet capture.

After the packet capture is complete, if you need to find someone else to analyze the captured data packets, you can click File on the menu and then click Save As to save the captured data packets, for example:

OK. Here, the basic usage is finished, and the next step is the key content.

The most common problem with Wireshark is that when you use the default settings, you will get a lot of redundant information, so it is difficult to find the part you need. This is why filters are so important. They help us quickly find the information we need in complex results.

Filter differences
Capturefilters ):Used to determine what information is recorded in the capture results. You need to set it before capturing.
Display filter ):Perform a detailed search in the captured results. They can modify the captured results as needed.
Which filter should I use?

The two filters have different purposes.
The capture filter is the first layer of the data filter. It is used to control the number of captured data to avoid generating too large log files.
The display filter is a more powerful (complex) filter. It allows you to quickly and accurately find the required records in the log file.

The syntax used by the two filters is completely different.

Capture Filter

Protocol (Protocol ):
Possible values: ether, FDDI, IP, ARP, RARP, decnet, Lat, SCA, moprc, mopdl, TCP and UDP.
If no protocol is specified, all supported protocols are used by default.

Direction ):
Possible values: SRC, DST, Src and DST, SRC or DST
If the source or destination is not specified, "src or DST" is used as the keyword by default.
For example, "host" is the same as "src or DST host

Host (s ):
Possible values: net, port, host, portrange.
If this value is not specified, the "host" keyword is used by default.
For example, "src" is the same as "src host

Logical operations (logical operation ):
Possible values: not, And, or.
No ("not") has the highest priority. Or ("or") and ("and") have the same priority. The operation is performed from left to right.
For example,
"Not TCP port 3128 and TCP port 23" are the same as "(not TCP port 3128) and TCP port 23.
"Not TCP port 3128 and TCP port 23" are different from "not (TCP port 3128 and TCP port 23.


TCP/IP Port 3128// Capture packets whose destination TCP port is 3128.
Ip src host Capture packets whose source IP address is
Host Capture packets whose destination or source IP address is
Ether host e0-05-c5-44-b1-3c// Capture packets whose destination or source MAC address is a e0-05-c5-44-b1-3c. If you want to capture data packets from the local machine that communicate with all the Internet, you can replace the MAC address here with the MAC address of the route.
SRC portrange 2000-2500// Capture packets whose source is UDP or TCP and the port number ranges from 2000 to 2500.
Not imcp// Display all packets except ICMP. (ICMP is usually used by the ping tool)
SRC host and not DST net The Source IP address is, but the destination is not a packet of
(SRC host or SRC net and tcp dst portrange 200-10000 and DST net Capture all packets in the network with the source IP address or the source network IP address and the destination TCP port number between 200 and 10000.
SRC net 
SRC net mask Capture all packets in the network whose source address is


When using keywords as values, you need to use the Backslash "/".
"Ether proto/IP" (same as the keyword "ip ).
In this way, the IP protocol will be used as the target.

"Ip proto/ICMP" (same as the keyword "ICMP ).
In this way, ICMP, which is commonly used in the ping tool, is used as the target.

You can use the keyword "Multicast" and "broadcast" after "ip" or "Ether.
"No broadcast" is useful when you want to exclude broadcast requests.

Protocol (Protocol ):
You can use a large number of protocols that are located between layer 2nd and Layer 7 of the OSI model. Click "expression ..." You can see them.
For example, IP, TCP, DNS, and SSH

String1, string2 (optional ):

The subclass of the Protocol.
Click "+" next to the parent class and select its subclass.

Comparison operators (comparison operator ):
You can use six comparison operators:

Logical e-xpressions (logical operator ):

Display Filter

SNMP|DNS|ICMP// Displays SNMP, DNS, or ICMP packets.
IP. ADDR = Display the packets whose source or destination IP address is
IP. SRC! = or IP. dst! = // display packets whose source is not or whose destination is not
In other words, the displayed package will be:
Source IP Address: Any IP address except; Target IP Address: Any
Source IP Address: Any; destination IP address: Any IP address except
IP. SRC! = and IP. dst! = Display packets whose source is not and the destination IP address is not
In other words, the displayed package will be:
Source IP Address: Any IP address except It must also be met. Target IP Address: Any IP address except
TCP. Port = 25// Display the packets whose source or destination TCP port number is 25.
TCP. dstport = 25// Display the packets whose destination TCP port is 25.
TCP. flags// Display the packets containing the TCP flag.
TCP. Flags. SYN = 0 × 02// Display the packets containing the tcp syn flag.
If the filter syntax is correct, the background of the expression is green. If the expression is red, the expression is incorrect.
For more detailed description, see: http://openmaniak.com/cn/wireshark_filters.php

The above is only packet capture and simple filtering. In fact, if you want to meet the requirements for analyzing these network packets, you also need to know some packet tags, for example, what is the TCP three-way handshake?

Three-way handshake
A virtual connection is established through three-way handshakes.
1. (client)-> [SYN]-> (server)
If the client communicates with the server, the client first sends a SYN (synchronize) packet to the server, telling the server to request a connection.
Note: a syn packet is a TCP packet with only the SYN flag set to 1 (see TCP Baotou resources ). it is very important to realize this. Only when the server receives the SYN packet from the client can a connection be established. Therefore, if your firewall discards all Syn packets sent to the Internet interface, you cannot allow any external host to establish a connection.

2. (client) <-[SYN/ack] <-(server)
After receiving the SYN packet from the client, the server sends a confirmation packet (SYN/ACK) to the client to confirm the first Syn packet, and continue the handshake operation.
Note: SYN/ACK packets are only packets marked with SYN and ACK as 1.

3. (client)-> [ack]-> (server)
The client receives the SYN/ACK packet from the server, and sends an ACK packet to the server to notify the server that the connection has been established. So far, three handshakes are completed, and a TCP connection is completed.
Note: The ack package is only a TCP packet marked as 1. Note that when the three handshakes are complete and the connection is established, each packet of the TCP connection sets an ACK bit.

This is why connection tracking is important. if no connection trace is available, the firewall cannot determine whether the received ack package belongs to a established connection. when an ACK packet is received by ipchains, it will pass (this is definitely not a good idea ). when the status firewall receives this package, it first finds in the connection table whether it belongs to the established connection, otherwise it discards the package.

Four handshakes four-way handshake
Four handshakes are used to close established TCP connections.

1. (client)-> ack/FIN-> (server)
2. (client) <-ack <-(server)
3. (client) <-ack/FIN <-(server)
4. (client)-> ack-> (server)

Note: Because the TCP connection is a two-way connection, closing the connection requires two directions.Ack/FIN packages (set ack and fin to 1) are generally considered as fin (final) packages. However, since the connection has not been closed, the fin package is always marked with an ACK mark. packages without an ACK mark are not legal and are generally considered malicious.

Connection Reset resetting a connection

The four handshakes are not the only method to disable TCP connections. sometimes, if the host needs to close the connection as soon as possible (or the connection times out, the port or host cannot be reached), the RST (reset) package will be sent. note that because the RST package is not a required part of the TCP connection, you can only send the RST package (that is, without the ACK mark ). however, in normal TCP connections, the RST package can be labeled with Ack validation.

Please note that the RST package does not receive confirmation from the party?

Invalid TCP flag invalid TCP flags

So far, you have seen SYN, ack, fin, and RST tags. In addition, PSH (push) and URG (urgent) tags.

The most common illegal combination is the SYN/FIN package. Note: Because the SYN package is used to initialize the connection, it cannot appear together with the fin and RST Mark. This is also a malicious attack.

Most firewalls now know SYN/FIN packets, and some other combinations, such as SYN/FIN/Psh, SYN/FIN/rst, SYN/FIN/rst/Psh. Obviously, when such a package appears on the network, your network is definitely under attack.

Other known illegal packages include fin (without the ACK mark) and "null. As discussed earlier, because ack/FIN packets are generated to close a TCP connection, normal FIN packets are always labeled with Ack ." A null packet is a packet without any TCP flag (URG, ack, Psh, RST, Syn, and fin are all 0 ).

So far, in normal network activity, the TCP protocol stack cannot generate a TCP packet with any of the above-mentioned mark combinations. When you find these abnormal packages, someone will be unfriendly to your network.

UDP (user data packet Protocol)

TCP is a connection-oriented protocol, while UDP is a non-connection protocol. UDP does not mark and confirm the acceptance. Packet Loss Processing is completed at the application layer. (Or accidental arrival ).

Note: Normally, when a UDP packet reaches a closed port, a UDP reset packet is returned. Because UDP is non-connection-oriented, there is no confirmation information to confirm whether the package has arrived at the destination correctly. Therefore, if your firewall discards the UDP packet, it will open all the UDP ports (?).

Some packets on the Internet will be discarded normally, and even some UDP packets sent to the disabled port (non-firewall) will not reach the destination, they will return a reset UDP packet.

For this reason, UDP port scanning is always inaccurate and unreliable.

It seems that fragments of Large UDP packets are common forms of DoS (Denial of Service) attacks (here is an example of DoS attack, http://grc.com/dos/grcdos.htm ).

ICMP (internetcontrol Message Protocol Internet Control Message Protocol)

Like the name, ICMP is used to transmit control information between hosts and routers. ICMP packets can contain diagnostic information (Ping, traceroute-note that traceroute in UNIX systems uses UDP packets instead of ICMP ), error message (Network/host/port inaccessible Network/host/port unreachable), Information (timestamp, Address Mask Request, etc .), or control information (source quench, redirect, etc .).

You can find the ICMP packet type in the http://www.iana.org/assignments/icmp-parameters.

Although ICMP is generally harmless, some types of ICMP information need to be discarded.

Redirect (5), alternate host address (6), and router advertisement (9) can be used to forward communication.

Echo (8), timestamp (13) and Address Mask Request (17) can be used to determine whether the host is up, local time, and address mask respectively. Note that they are related to the returned information category. They themselves cannot be used, but the information they leak is useful to attackers.

ICMP messages are sometimes used as part of DoS attacks (for example, flood Ping, dead Ping? Haha, interesting ping of death )? /P>

Packet fragmentation note a note about packet fragmentation

If the size of a package exceeds the maximum TCP segment length (MSs (maximum segment size) or MTU (maximum transmission unit), the only way to send this package to the destination is to split the package. Because packet sharding is normal, it can be used for malicious attacks.

Because the first part of a fragmented package contains a packet header, if the package fragment function is not available, the package filter cannot detect the additional package fragment. Typical attacks typical attacks involve in overlapping the packet data in which packet header is typical attacks involve in stopping the packet data in which packet header isnormal until is it overwritten with different destination IP (or port) thereby bypassing firewall rules. Packet sharding can be part of DoS attacks. It can crash older IP stacks or increase the CPU connection capability.

The connection tracking code in Netfilter/iptables can be automatically split and reorganized. It still has vulnerabilities and may be vulnerable to saturated connection attacks, which can consume CPU resources.

OK, so far, some small tutorials on Wireshark packet capture tools have been completed, and the reason why I want to write such a tangled tutorial is, A few days ago, this packet capture solution solved the problem that fantasy westward journey easily fell offline on the diskless network-dimension master. At that time, it captured the data packets when fantasy westward journey fell offline.
Note the Red Data. is the server of fantasy westward journey, while is the client of fantasy westward journey. when the client is disconnected, it is found that a server with a fantasy westward journey first sends a [Fin, ack] data packets. According to the above explanation, the data packets marked by fin indicate that the connection is to be disconnected, and then the client returns a confirmation to the server to disconnect the connection package. When we saw this packet capture data, we realized that it was not a common network problem to say that we love to drop the line on the virtual disk of the net_dimensional master system, because from the data packet information, it is because the dream server actively asks to disconnect the connection, which is due to the following reasons:
1. The server finds that the client is illegal. For example, if there is a plug-in or something, the client is kicked off;
2. The client is kicked out due to heavy server pressure;
3. In short, the disconnection is not caused by client issues;

So now the conclusion is that, why is there a dream disconnection problem on the virtual disk of the master network? The reason is that the virtual disk of the netvertiser system is implemented by simulating the real hard disk mode. During the simulation, the serial number of the hard disk is set to the fixed osdiy888, fantasy westward journey, after identifying the client's hard disk information, found that a large number of clients with the same hard disk serial number, think it is cheating or use hanging plug-ins, as a result, the server is randomly kicked out and deprecated. If we set the hard disk serial number to null, this problem does not occur again. This problem will be solved in future new versions.

The purpose of this case is not to illustrate how many packets can be captured, but to explain some ideas and methods to solve the problem. Some people have ideas but lack methods, such as not using tools, some people collect a lot of tools, but they don't use them. I actually belong to the latter. I collected more than n tools a few years ago, but few of them are used. After learning to use these tools, I found that thinking + tools will increase efficiency in solving the problem. In the next few days, I will introduce the writing of gadgets to you. I hope you will learn more when you are free, if you have any questions, Baidu will try again, instead of asking for help. After all, it is better to ask for help! You can do it directly ~

Note: In order to prevent ARP attacks, some systems are immune to an npptools. dll file, which causes the software to fail to be installed properly. You can simply install this patch.

From: http://www.clxp.net.cn/article.asp? Id = 2288


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.