Wireshark抓包工具使用以及数据包分析

多年之后，愿你有清风与烈酒，也有人是你的归途。

---

打开Wireshark抓包工具开始抓包会看到如下展开内容： 
这里我是对wlan进行抓包，192.168.2.112是我当前wifi的ip地址。

点击某个包，可以查看具体内容，差不多刚好对于五层协议：

• Frame：物理层的数据帧概况。
• Ethernet II：数据链路层以太网帧头部信息。
• Internet Protocol Version 4：互联网层IP包头部信息。
• Transmission Control Protocol：传输层的数据段头部信息，此处是TCP协议。 
  User Datagram Protocol：UDP协议
• Hypertext Transfer Protocol：应用层的信息，此处是HTTP协议。

---

一、各层分析：

将上诉Frame ，Ethernet || 等展开可看到具体传输信息：

1、物理层Frame

<span style="color:#000000"><code>-<span style="color:#009900">Frame</span> <span style="color:#006666">5</span><span style="color:#009900">:</span> <span style="color:#006666">66</span> bytes on wire (<span style="color:#006666">528</span> bits), <span style="color:#006666">66</span> bytes captured(捕获) (<span style="color:#006666">528</span> bits) on interface <span style="color:#006666">0</span>   /<span style="color:#008800">/5号帧，对方发送66字节，实际收到66字节
</span>
-<span style="color:#009900">Interface</span> <span style="color:#009900">id:</span> <span style="color:#006666">0</span> (\<span style="color:#009900">Device</span>\<span style="color:#009900">NPF_</span>{<span style="color:#006666">37239901</span>-<span style="color:#006666">4</span>A63-<span style="color:#006666">419</span>C-<span style="color:#006666">9693</span>-<span style="color:#006666">97957</span>A8232CD})     /<span style="color:#008800">/接口id为0 
</span>
-<span style="color:#009900">Encapsulation</span> <span style="color:#009900">type:</span> <span style="color:#009900">Ethernet</span> (<span style="color:#006666">1</span>)  /<span style="color:#008800">/封装类型
</span>
-<span style="color:#009900">Arrival</span> <span style="color:#009900">Time</span><span style="color:#009900">:</span> <span style="color:#009900">Jul</span>  <span style="color:#006666">5</span>, <span style="color:#006666">2017</span> <span style="color:#006666">15</span><span style="color:#009900">:</span><span style="color:#006666">14</span><span style="color:#009900">:</span><span style="color:#006666">31.865685000</span> /<span style="color:#008800">/捕获日期和时间（中国标准时间）
</span>
-[<span style="color:#009900">Time</span> shift <span style="color:#000088">for</span> this <span style="color:#009900">packet:</span> <span style="color:#006666">0</span>.<span style="color:#006666">000000000</span> seconds]
-<span style="color:#009900">Epoch</span> <span style="color:#009900">Time</span><span style="color:#009900">:</span> <span style="color:#006666">1499238871.865685000</span> seconds
-[<span style="color:#009900">Time</span> delta from previous captured <span style="color:#009900">frame:</span> <span style="color:#006666">0</span>.<span style="color:#006666">006</span>86100<span style="color:#006666">0</span> seconds]  /<span style="color:#008800">/与前一包时间间隔
</span>-[<span style="color:#009900">Time</span> delta from previous displayed <span style="color:#009900">frame:</span> <span style="color:#006666">0</span>.<span style="color:#006666">006</span>86100<span style="color:#006666">0</span> seconds]
-[<span style="color:#009900">Time</span> since reference <span style="color:#000088">or</span> first <span style="color:#009900">frame:</span> <span style="color:#006666">0</span>.<span style="color:#006666">613985000</span> seconds] /<span style="color:#008800">/#此包与第一帧的时间间隔
</span>
-<span style="color:#009900">Frame</span> <span style="color:#009900">Number</span><span style="color:#009900">:</span> <span style="color:#006666">5</span>                      /<span style="color:#008800">/帧序号
</span>-<span style="color:#009900">Frame</span> <span style="color:#009900">Length</span><span style="color:#009900">:</span> <span style="color:#006666">66</span> bytes (<span style="color:#006666">528</span> bits)    /<span style="color:#008800">/帧长度
</span>-<span style="color:#009900">Capture</span> <span style="color:#009900">Length</span><span style="color:#009900">:</span> <span style="color:#006666">66</span> bytes (<span style="color:#006666">528</span> bits)  /<span style="color:#008800">/捕获字节长度 
</span>-[<span style="color:#009900">Frame</span> is <span style="color:#009900">marked:</span> <span style="color:#009900">False</span>]             /<span style="color:#008800">/是否做了标记
</span>-[<span style="color:#009900">Frame</span> is <span style="color:#009900">ignored:</span> <span style="color:#009900">False</span>]            /<span style="color:#008800">/是否被忽略
</span>-[<span style="color:#009900">Protocols</span> <span style="color:#000088">in</span> <span style="color:#009900">frame:</span> <span style="color:#009900">eth:</span><span style="color:#009900">ethertype:</span><span style="color:#009900">ip:</span>tcp] /<span style="color:#008800">/帧内封装的协议层次结构
</span>-[<span style="color:#009900">Coloring</span> <span style="color:#009900">Rule</span> <span style="color:#009900">Name</span><span style="color:#009900">:</span> <span style="color:#009900">HTTP</span>]  /<span style="color:#008800">/着色标记的协议名称
</span>-[<span style="color:#009900">Coloring</span> <span style="color:#009900">Rule</span> <span style="color:#009900">String</span><span style="color:#009900">:</span> http || tcp.port == <span style="color:#006666">80</span> || http2] /<span style="color:#008800">/着色规则显示的字符串
</span></code></span>

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23

---

2、数据链路层以太网帧头部信息：

<span style="color:#000000"><code>-<span style="color:#009900">Ethernet</span> <span style="color:#009900">II</span>, <span style="color:#009900">Src</span><span style="color:#009900">:</span> <span style="color:#009900">Tp</span>-<span style="color:#009900">LinkT_f5</span><span style="color:#009900">:</span><span style="color:#006666">3</span><span style="color:#009900">e:</span><span style="color:#006666">62</span> (<span style="color:#009900">c0:</span><span style="color:#006666">61</span><span style="color:#009900">:</span><span style="color:#006666">18</span><span style="color:#009900">:f5</span><span style="color:#009900">:</span><span style="color:#006666">3</span><span style="color:#009900">e:</span><span style="color:#006666">62</span>), <span style="color:#009900">Dst</span><span style="color:#009900">:</span> <span style="color:#009900">IntelCor_09</span><span style="color:#009900">:</span><span style="color:#006666">65</span><span style="color:#009900">:a5</span> (<span style="color:#006666">58</span><span style="color:#009900">:fb</span><span style="color:#009900">:</span><span style="color:#006666">84</span><span style="color:#009900">:</span>09<span style="color:#009900">:</span><span style="color:#006666">65</span><span style="color:#009900">:a5</span>)

- <span style="color:#009900">Destination</span><span style="color:#009900">:</span> <span style="color:#009900">IntelCor_09</span><span style="color:#009900">:</span><span style="color:#006666">65</span><span style="color:#009900">:a5</span> (<span style="color:#006666">58</span><span style="color:#009900">:fb</span><span style="color:#009900">:</span><span style="color:#006666">84</span><span style="color:#009900">:</span>09<span style="color:#009900">:</span><span style="color:#006666">65</span><span style="color:#009900">:a5</span>) /<span style="color:#008800">/目的MAC地址   
</span>- <span style="color:#009900">Source</span><span style="color:#009900">:</span> <span style="color:#009900">Tp</span>-<span style="color:#009900">LinkT_f5</span><span style="color:#009900">:</span><span style="color:#006666">3</span><span style="color:#009900">e:</span><span style="color:#006666">62</span> (<span style="color:#009900">c0:</span><span style="color:#006666">61</span><span style="color:#009900">:</span><span style="color:#006666">18</span><span style="color:#009900">:f5</span><span style="color:#009900">:</span><span style="color:#006666">3</span><span style="color:#009900">e:</span><span style="color:#006666">62</span>) /<span style="color:#008800">/源MAC地址（就是我电脑的MAC地址）
</span>- <span style="color:#009900">Type</span><span style="color:#009900">:</span> <span style="color:#009900">IPv4</span> (<span style="color:#006666">0x0800</span>)   /<span style="color:#008800">/0x0800表示使用IP协议
</span></code></span>

• 1
• 2
• 3
• 4
• 5
• 6

---

3、互联网层IP包头部信息:

<span style="color:#000000"><code>Internet Protocol Version 4, Src: 192.168.2.112, Dst: 116.211.185.142
    0100 .... = Version: 4                   //IPV4协议
    .... 0101 = Header Length: 20 bytes (5)  //包头长度

-<span style="color:#009900">Differentiated</span> <span style="color:#009900">Services</span> <span style="color:#009900">Field</span><span style="color:#009900">:</span> <span style="color:#006666">0x00</span> (<span style="color:#009900">DSCP</span><span style="color:#009900">:</span> <span style="color:#009900">CS0</span>, <span style="color:#009900">ECN</span><span style="color:#009900">:</span> <span style="color:#009900">Not</span>-<span style="color:#009900">ECT</span>)                               /<span style="color:#008800">/差分服务字段
</span>-<span style="color:#009900">Total</span> <span style="color:#009900">Length</span><span style="color:#009900">:</span> <span style="color:#006666">52</span>                      /<span style="color:#008800">/IP包总长度
</span>-<span style="color:#009900">Identification</span><span style="color:#009900">:</span> <span style="color:#006666">0x3849</span> (<span style="color:#006666">14409</span>)        /<span style="color:#008800">/标志字段
</span>-<span style="color:#009900">Flags</span><span style="color:#009900">:</span> <span style="color:#006666">0x02</span> (<span style="color:#009900">Don</span><span style="color:#009900">'t Fragment)          //标记字段
</span>-<span style="color:#009900">Fragment</span> <span style="color:#009900">offset:</span> <span style="color:#006666">0</span>                    /<span style="color:#008800">/分的偏移量
</span>-<span style="color:#009900">Time</span> to <span style="color:#009900">live:</span> <span style="color:#006666">128</span>                     /<span style="color:#008800">/生存期TTL
</span>-<span style="color:#009900">Protocol</span><span style="color:#009900">:</span> <span style="color:#009900">TCP</span> (<span style="color:#006666">6</span>)                     /<span style="color:#008800">/此包内封装的上层协议为TCP
</span>-<span style="color:#009900">Header</span> <span style="color:#009900">checksum:</span> <span style="color:#006666">0xd100</span> [validation disabled] /<span style="color:#008800">/头部数据的校验和
</span>-[<span style="color:#009900">Header</span> checksum <span style="color:#009900">status:</span> <span style="color:#009900">Unverified</span>] /<span style="color:#008800">/头部数据校验状态
</span>-<span style="color:#009900">Source</span><span style="color:#009900">:</span> <span style="color:#006666">192.168</span>.<span style="color:#006666">2.112</span>                /<span style="color:#008800">/源IP地址
</span>-<span style="color:#009900">Destination</span><span style="color:#009900">:</span> <span style="color:#006666">116.211</span>.<span style="color:#006666">185.142</span>         /<span style="color:#008800">/目的IP地址
</span>-[<span style="color:#009900">Source</span> <span style="color:#009900">GeoIP</span><span style="color:#009900">:</span> <span style="color:#009900">Unknown</span>]              /<span style="color:#008800">/基于地理位置的IP
</span>-[<span style="color:#009900">Destination</span> <span style="color:#009900">GeoIP</span><span style="color:#009900">:</span> <span style="color:#009900">Unknown</span>]
</code></span>

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18

---

4、传输层TCP数据段头部信息：

<span style="color:#000000"><code>Transmission Control Protocol, Src Port: 60606, Dst Port: 80, Seq: 0, Len: 0

-<span style="color:#009900">Source</span> <span style="color:#009900">Port</span><span style="color:#009900">:</span> <span style="color:#006666">60606</span>       /<span style="color:#008800">/源端口号（ecbe）
</span>-<span style="color:#009900">Destination</span> <span style="color:#009900">Port</span><span style="color:#009900">:</span> <span style="color:#006666">80</span>     /<span style="color:#008800">/目的端口号（0050）
</span>-[<span style="color:#009900">Stream</span> <span style="color:#009900">index:</span> <span style="color:#006666">0</span>]        
-[<span style="color:#009900">TCP</span> <span style="color:#009900">Segment</span> <span style="color:#009900">Len</span><span style="color:#009900">:</span> <span style="color:#006666">0</span>]
-<span style="color:#009900">Sequence</span> <span style="color:#009900">number:</span> <span style="color:#006666">0</span>    (relative sequence number)  /<span style="color:#008800">/序列号（相对序列号）（四个字节fd 3e dd a2）
</span>-<span style="color:#009900">Acknowledgment</span> <span style="color:#009900">number:</span> <span style="color:#006666">0</span>   /<span style="color:#008800">/确认号（四个字节00 00 00 00）
</span>-<span style="color:#009900">Header</span> <span style="color:#009900">Length</span><span style="color:#009900">:</span> <span style="color:#006666">32</span> bytes    /<span style="color:#008800">/头部长度(0x80)
</span>-<span style="color:#009900">Flags</span><span style="color:#009900">:</span> <span style="color:#006666">0x002</span> (<span style="color:#009900">SYN</span>)         /<span style="color:#008800">/TCP标记字段
</span>-<span style="color:#009900">Window</span> size <span style="color:#009900">value:</span> <span style="color:#006666">8192</span>    /<span style="color:#008800">/流量控制的窗口大小（20 00）
</span>-[<span style="color:#009900">Calculated</span> window <span style="color:#009900">size:</span> <span style="color:#006666">8192</span>] 
-<span style="color:#009900">Checksum</span><span style="color:#009900">:</span> <span style="color:#006666">0x97ad</span> [unverified]   /<span style="color:#008800">/数据段的校验和(97 ad)
</span>-[<span style="color:#009900">Checksum</span> <span style="color:#009900">Status</span><span style="color:#009900">:</span> <span style="color:#009900">Unverified</span>]
-<span style="color:#009900">Urgent</span> <span style="color:#009900">pointer:</span> <span style="color:#006666">0</span>      /<span style="color:#008800">/紧急指针(00 00)
</span>-<span style="color:#009900">Options</span><span style="color:#009900">:</span> (<span style="color:#006666">12</span> bytes), <span style="color:#009900">Maximum</span> segment size, <span style="color:#009900">No</span>-<span style="color:#009900">Operation</span> (<span style="color:#009900">NOP</span>), <span style="color:#009900">Window</span> scale, <span style="color:#009900">No</span>-<span style="color:#009900">Operation</span> (<span style="color:#009900">NOP</span>), <span style="color:#009900">No</span>-<span style="color:#009900">Operation</span> (<span style="color:#009900">NOP</span>), <span style="color:#009900">SACK</span> permitted  /<span style="color:#008800">/选项（可变长度）
</span></code></span>

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17

---

UDP数据段首部：

<span style="color:#000000"><code>User Datagram Protocol, Src Port: 7273, Dst Port: 15030
-<span style="color:#009900">Source</span> <span style="color:#009900">Port</span><span style="color:#009900">:</span> <span style="color:#006666">7273</span>               /<span style="color:#008800">/源端口（1c 69）
</span>-<span style="color:#009900">Destination</span> <span style="color:#009900">Port</span><span style="color:#009900">:</span> <span style="color:#006666">15030</span>         /<span style="color:#008800">/目的端口(3a 6b)
</span>-<span style="color:#009900">Length</span><span style="color:#009900">:</span> <span style="color:#006666">1410</span>                    /<span style="color:#008800">/长度（05 82）
</span>-<span style="color:#009900">Checksum</span><span style="color:#009900">:</span> <span style="color:#006666">0xd729</span> [unverified]   /<span style="color:#008800">/校验和(d7 29)
</span>-[<span style="color:#009900">Checksum</span> <span style="color:#009900">Status</span><span style="color:#009900">:</span> <span style="color:#009900">Unverified</span>]
-[<span style="color:#009900">Stream</span> <span style="color:#009900">index:</span> <span style="color:#006666">6335</span>]
</code></span>

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8

---

二、Wireshark分析数据包：

1、在过滤器中添加过滤器获得访问百度时的相关信息：

Protocol（协议）: 
可能的值: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. 
如果没有特别指明是什么协议，则默认使用所有支持的协议。

Direction（方向）: 
可能的值: src, dst, src and dst, src or dst 
如果没有特别指明来源或目的地，则默认使用 “src or dst” 作为关键字。 
例如，”host 10.2.2.2”与”src or dst host 10.2.2.2”是一样的。 
Host(s): 
可能的值： net, port, host, portrange. 
如果没有指定此值，则默认使用”host”关键字。 
例如，”src 10.1.1.1”与”src host 10.1.1.1”相同。

Logical Operations（逻辑运算）: 
可能的值：not, and, or. 
否(“not”)具有最高的优先级。或(“or”)和与(“and”)具有相同的优先级，运算时从左至右进行。 
例如： 
“not tcp port 3128 and tcp port 23”与”(not tcp port 3128) and tcp port 23”相同。 
“not tcp port 3128 and tcp port 23”与”not (tcp port 3128 and tcp port 23)”不同。

格式为：

ip.addr == www.baidu.com

Wireshark的常见几种过滤方法

然后可以获得百度的IP地址等信息。

2、过滤出dns信息

在显示过滤框输入dns，过滤出所有dns信息： 

在该界面220,234帧，是DNS将www.baidu.com解析为一个IP地址的数据包（被称为一个“A”记录）。238帧表示返回一个与主机名相关的IP地址的DNS响应包。如果客户端支持IPv4和IPv6，在该界面将会看到查找一个IPv6地址（被称为“AAAA”记录）。此时，DNS服务器将响应一个IPv6地址或混杂的信息。

说明：238帧是客户端请求百度，通过DNS服务器解析IP地址的过程。标识为“A”记录。

---

3、过滤出tcp包分析：

在显示过滤框输入：ip.dst==180.97.33.108 or ip.src==180.97.33.108

TCP通信流程大致如下： 
客户端和服务器之间TCP三次握手（4941、4942、4943帧）—->客户端请求的GET主页面（4944帧）—>服务器收到请求（4945帧）—>发送响应包（4946帧）。

说明：

• 客户端向服务器发送TCP请求建立连接。标识为SYN。

• 服务器得到请求后向客户端回应确认包的过程。标识为SYN，ACK。

• 客户端回应服务器发送确认包的过程，将于服务器建立连接。标识为ACK。

• 客户端向服务器发送HTTP请求内容的过程。标识为GET。

• 服务器相应客户端请求的过程，收到请求。标识为ACK。

• 4946帧帧是服务器向客户端回应内容的过程。

---

参考博客：https://my.oschina.net/u/1585857/blog/479306

Wireshark的常见几种过滤方法