Wireshark main window description tutorial

Wireshark (Ethereal) capture parameter settings

Select the capture interface (network card) and, if needed, set a capture filter expression. If no capture filter is set, Wireshark captures every packet that passes through the selected interface.

Capture filter expressions (libpcap/tcpdump syntax)
Description:
Protocol: tcp, udp, etc. If no protocol is given, packets of all supported protocols are captured.
Direction: src, dst. If no direction is given, the default is "src or dst", i.e. either end of the packet may match.
Type: host, net, port, portrange. The default type is host, so `src 10.1.1.1` is equivalent to `src host 10.1.1.1`.
Logical operators: not, and, or. `not` has the highest precedence; `and` and `or` have equal precedence and are evaluated from left to right, so use parentheses when mixing them.
 
Commonly used capture filter expressions
1) Capture only one host's HTTP traffic
host 192.168.23.100 and tcp port 80 # capture only port-80 (HTTP) traffic to or from host 192.168.23.100
tcp port 80 # capture all port-80 traffic passing through the interface
host 192.168.23.100 and not port 80 # capture all traffic of host 192.168.23.100 except port 80
not port 80 # capture all traffic except port 80
Note: `http` is a display-filter keyword, not a capture-filter primitive. Capture filters only understand addresses, ports and protocols, so "HTTP" here means "TCP port 80"; a capture filter such as `port 80 and http` is rejected.

2) Capture only one host's traffic
host 192.168.23.100 # capture packets whose source or destination is 192.168.23.100
dst 192.168.23.100 # capture only packets whose destination is 192.168.23.100
src 192.168.23.100 # capture only packets whose source is 192.168.23.100
net 192.168.5.0/24 # capture all traffic to or from any host in the 192.168.5.0/24 network

3) Capture only traffic on specific ports
tcp portrange 8000-9000 and port 80 # capture TCP traffic between port 80 and a port in the range 8000-9000
port 5060 # capture SIP traffic (the default SIP port is 5060)
port 22 # capture SSH traffic
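The defaults and precedence rules above are easy to get wrong, so here is an added example (not code from the original article, and not libpcap itself) that evaluates this page's subset of capture-filter syntax against a handful of constructed packets. The packet values are assumed, not taken from a real capture. It implements the default type `host`, the default direction "src or dst", and the rule that `not` binds tightest while `and`/`or` share one precedence level and associate left to right:

```python
"""Toy evaluator for the capture-filter (BPF) subset used on this page.
Added example, not part of the original article or of libpcap.  Supports:
[tcp|udp] [src|dst] [host|net|port|portrange] value, plus not/and/or and
parentheses, with the same defaults and precedence as tcpdump/Wireshark."""
import ipaddress
import re

# Constructed sample packets (assumed values, not a real capture).
PACKETS = [
    {"proto": "tcp", "src": "192.168.23.100", "dst": "10.0.0.5", "sport": 53084, "dport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.23.100", "sport": 80, "dport": 53084},
    {"proto": "tcp", "src": "192.168.23.100", "dst": "10.0.0.9", "sport": 40000, "dport": 22},
    {"proto": "udp", "src": "192.168.5.7", "dst": "8.8.8.8", "sport": 5060, "dport": 5060},
    {"proto": "tcp", "src": "192.168.5.8", "dst": "10.0.0.9", "sport": 8443, "dport": 80},
]

PROTOS = {"tcp", "udp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}


def tokenize(expr):
    return re.findall(r"\(|\)|[^\s()]+", expr.lower())


class Parser:
    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing token %r" % self.peek())
        return node

    def expr(self):
        # 'and' and 'or' have equal precedence and associate left to right.
        node = self.term()
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.term())
        return node

    def term(self):
        # 'not' binds tightest: it negates only the single following term.
        tok = self.peek()
        if tok == "not":
            self.take()
            return ("not", self.term())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        kind = self.take() if self.peek() in TYPES else None
        value = None
        if kind or direction or self.peek() not in (None, "and", "or", ")"):
            value = self.take()
            if value is None:
                raise ValueError("missing value")
            kind = kind or "host"  # default type: 'src 10.1.1.1' == 'src host 10.1.1.1'
        if proto is None and value is None:
            raise ValueError("empty primitive")
        return ("prim", proto, direction, kind, value)


def _match_prim(pkt, proto, direction, kind, value):
    if proto and pkt["proto"] != proto:
        return False
    if value is None:          # bare 'tcp' / 'udp'
        return True
    sides = [direction] if direction else ["src", "dst"]  # default: src or dst
    if kind == "host":
        return any(pkt[s] == value for s in sides)
    if kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
    ports = [pkt["sport" if s == "src" else "dport"] for s in sides]
    if kind == "port":
        return int(value) in ports
    if kind == "portrange":
        lo, hi = (int(x) for x in value.split("-"))
        return any(lo <= p <= hi for p in ports)
    raise ValueError(kind)


def evaluate(node, pkt):
    op = node[0]
    if op == "prim":
        return _match_prim(pkt, *node[1:])
    if op == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if op == "and" else (left or right)


def capture(expr, packets=PACKETS):
    """Return the indices of the packets the capture filter would keep."""
    tree = Parser(expr).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]


if __name__ == "__main__":
    for f in ("host 192.168.23.100 and tcp port 80", "net 192.168.5.0/24",
              "host 10.0.0.5 or host 192.168.23.100 and port 22"):
        print(f, "->", capture(f))
```

The last filter in the demo is the instructive one: `host 10.0.0.5 or host 192.168.23.100 and port 22` is read left to right as `(host 10.0.0.5 or host 192.168.23.100) and port 22`, which keeps only the SSH packet, whereas the parenthesised form `host 10.0.0.5 or (host 192.168.23.100 and port 22)` also keeps both packets that involve 10.0.0.5.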

 

Wireshark (Ethereal) display panel

The Wireshark main window consists of the display filter bar, the packet list, the packet details pane and the packet bytes pane (hexadecimal dump).

Commonly used display filter expressions
1) Filter by port
tcp.port == 9999 # TCP traffic whose source or destination port is 9999
(tcp.srcport == 53084) && (tcp.dstport == 9999) # TCP traffic from source port 53084 to destination port 9999

2) Filter by IP address
ip.src == 192.168.23.1 # traffic whose source IP is 192.168.23.1
ip.dst == 192.168.23.142 # traffic whose destination IP is 192.168.23.142

3) Filter by content
tcp contains "11111111111111" # TCP packets whose bytes contain the string 11111111111111
http contains "1111111" # HTTP packets whose bytes contain the string 1111111

TCP packet format

Distinguishing TCP segments by their transport-layer header fields:
Flags and their functions:
URG: the urgent pointer field is valid.
ACK: the acknowledgment number field is valid.
PSH: the receiver should pass this segment to the application layer as soon as possible.
RST: reset the connection.
SYN: synchronize sequence numbers to initiate a connection.
FIN: the sender has finished sending data.
Window size: used for flow control.
Checksum: covers the whole TCP segment, header and data; as with UDP, it is also computed over a pseudo-header (source and destination IP addresses, protocol number and TCP length).
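To make the flag bits and the pseudo-header checksum concrete, here is an added example (not code from the original article) that builds a TCP segment, decodes its header and verifies the checksum the way a capture tool would. The IP addresses, ports and payload are constructed values, not from a real capture; the flag-bit positions, header layout and IPv4 pseudo-header follow RFC 793/RFC 1071.

```python
"""Decode a TCP header and verify its checksum over the IPv4 pseudo-header.
Added example, not from the original article; all packet values are constructed."""
import socket
import struct

# Flag bits in the 14th header byte (CWR/ECE occupy the two high bits, omitted here).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_HEADER = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def ones_complement_sum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    plus the entire TCP segment (header and data), with the checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Build a 20-byte-header TCP segment (no options) with a correct checksum."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5  # header length in 32-bit words
    header = struct.pack(TCP_HEADER, sport, dport, seq, ack, data_offset << 4,
                         flag_byte, window, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def parse_tcp(src_ip, dst_ip, segment):
    """Decode the fields the text describes and check the checksum against the pseudo-header."""
    (sport, dport, seq, ack, off_res, flag_byte,
     window, csum, urg) = struct.unpack(TCP_HEADER, segment[:20])
    hdr_len = (off_res >> 4) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": sorted(n for n, b in FLAG_BITS.items() if flag_byte & b),
        "window": window,
        "urgent_pointer": urg,
        "payload": segment[hdr_len:],
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == csum,
    }


if __name__ == "__main__":
    syn = build_segment("192.168.23.100", "10.0.0.5", 53084, 9999, 1000, 0, ["SYN"], 64240)
    print(parse_tcp("192.168.23.100", "10.0.0.5", syn))
    data = build_segment("192.168.23.100", "10.0.0.5", 53084, 9999, 1001, 501,
                         ["PSH", "ACK"], 502, b"11111111111111")
    print(parse_tcp("192.168.23.100", "10.0.0.5", data))
```

Because the pseudo-header is part of the sum, a segment that is byte-for-byte intact but carried in an IP packet with a different destination address fails the check; that is why Wireshark validates the TCP checksum against the enclosing IP header rather than the segment alone. The `payload` field is what the `tcp contains "..."` display filter above searches.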

 

Using Follow Stream to view a transmitted data stream


Origin blog.csdn.net/zhaikaiyun/article/details/104878527