Source: Describe the use and operation of the Wireshark capture tool
Wireshark is a very popular and very powerful network packet analysis tool. It can intercept packets on all kinds of networks and display detailed information about each packet. Anyone using Wireshark must understand the network protocols involved; otherwise the output Wireshark shows cannot be read.
For security reasons, Wireshark can only view packets; it cannot modify the contents of a packet or send packets.
Wireshark can capture HTTP and it can capture HTTPS, but it cannot decrypt HTTPS, so the HTTPS contents it shows are unreadable. For HTTP and HTTPS use Fiddler; for other protocols such as TCP and UDP use Wireshark.
Starting a Wireshark capture
Start interface
Wireshark captures packets on one network card of the machine. When the machine has multiple NICs, you need to select one card.
Click Capture -> Interfaces... The following dialog box appears; select the correct card, then click the "Start" button to start the capture.
Introduction to the Wireshark window
The main Wireshark interface is divided into several parts:
1. Display Filter: used to filter the displayed packets.
2. Packet List Pane: lists the captured packets with their source and destination addresses and port numbers. Different colors represent different protocols.
3. Packet Details Pane: shows the fields of the selected packet.
4. Dissector Pane: the packet bytes in hexadecimal.
5. Miscellaneous: the address bar and other miscellaneous information.
Using filters is very important. Beginners with Wireshark are faced with a great deal of redundant information, thousands or even tens of thousands of records, so it is hard to find the part they need and easy to give up.
Filters help us quickly find the information we need in large amounts of data.
There are two kinds of filters:
One is the display filter, on the main interface, used to find the records you need among the records already captured.
The other is the capture filter, which filters packets while they are captured so that too many records are not captured. It is set under Capture -> Capture Filters.
Saving a filter
In the Filter bar, fill in the filter expression, click the Save button and give it a name, for example "Filter 102".
The Filter button bar then gains an additional "Filter 102" button.
Filter expression rules
Expression rules
1. Protocol filter
For example, tcp shows only TCP packets.
2. IP filter
For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,
and ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.
3. Port filter
tcp.port == 80 shows TCP packets with port 80 as either the source or the destination port.
tcp.srcport == 80 shows only TCP packets whose source port is 80.
4. HTTP method filter
http.request.method == "GET" shows only HTTP GET requests.
The logical operators are and / or.
Commonly used filter expressions
Using a filter expression
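As an added example (not part of the original tutorial or of Wireshark itself), the following Python evaluates the display filter syntax described above, bare protocol names, ip.src / ip.dst, tcp.port / tcp.srcport, http.request.method and the and / or operators (plus not and parentheses), against two constructed packet records, so the matching rules can be checked without a live capture. The packet records, addresses and ports are assumptions chosen for illustration.

```python
import re

# Constructed sample records carrying the fields this page's filters use (not a real capture).
PACKETS = [
    {"protocols": {"ip", "tcp"}, "ip.src": "192.168.1.102", "ip.dst": "203.0.113.10",
     "tcp.srcport": "50123", "tcp.dstport": "80"},                       # bare TCP segment
    {"protocols": {"ip", "tcp", "http"}, "ip.src": "192.168.1.102", "ip.dst": "203.0.113.10",
     "tcp.srcport": "50123", "tcp.dstport": "80", "http.request.method": "GET"},
]
TOKEN = re.compile(r'\(|\)|==|&&|\|\||!|"[^"]*"|[A-Za-z0-9_.]+|(\S)')   # last branch = junk

def evaluate(expr, pkt):
    """Recursive-descent evaluation: or-expr > and-expr > (not | parentheses | comparison)."""
    matches = list(TOKEN.finditer(expr))
    if any(m.group(1) for m in matches):
        raise ValueError("unsupported filter syntax in " + repr(expr))
    toks = [m.group(0) for m in matches]
    def values(name):                                   # tcp.port matches either endpoint
        if name.endswith(".port"):
            return {pkt.get(name[:-5] + ".srcport"), pkt.get(name[:-5] + ".dstport")} - {None}
        if name in pkt:
            return {pkt[name]}
        return {name} if name in pkt["protocols"] else set()
    def primary():
        t = toks.pop(0)
        if t == "(":
            v = or_expr(); toks.pop(0)                  # consume the closing ')'
            return v
        if t in ("!", "not"):
            return not primary()
        if toks and toks[0] == "==":
            toks.pop(0)
            return toks.pop(0).strip('"') in values(t)
        return bool(values(t))                          # bare name tests field/protocol presence
    def and_expr():
        v = primary()
        while toks and toks[0] in ("&&", "and"):
            toks.pop(0); v = primary() and v
        return v
    def or_expr():
        v = and_expr()
        while toks and toks[0] in ("||", "or"):
            toks.pop(0); v = and_expr() or v
        return v
    return or_expr()

def apply_filter(expr, packets=PACKETS):
    """Return the 1-based numbers of the packets that stay in the Packet List under this filter."""
    return [n for n, p in enumerate(packets, 1) if evaluate(expr, p)]
```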
Packet List Pane
The packet list panel shows, for each packet, its number, timestamp, source address, destination address, protocol, length and a packet information summary. You can see that different protocols are shown in different colors.
You can also modify these coloring rules under View -> Coloring Rules.
Packet Details Pane
This panel is the most important one for us; it shows every field of every protocol in the packet.
Each line corresponds to one layer:
Frame: physical-layer summary of the data frame
Ethernet II: data link layer Ethernet frame header
Internet Protocol Version 4: internet layer IP packet header
Transmission Control Protocol: transport layer segment header, here TCP
Hypertext Transfer Protocol: application layer, here the HTTP protocol
The specific contents of a TCP packet
Each field of the TCP packet captured by Wireshark can be seen in the figure.
With this you should have a preliminary understanding of Wireshark; now let us look at an example of the TCP three-way handshake.
The three-way handshake is
I have seen this diagram many times before; this time we use Wireshark to analyze the actual three-way handshake process.
Open Wireshark, then open your browser and enter http://www.cr173.com
Enter http in the Wireshark filter, select the record GET /tankxiao HTTP/1.1, then right-click and choose "Follow TCP Stream".
The aim is to get the packets related to the browser opening that site; you will get the following chart.
In the figure you can see that Wireshark intercepted three packets for the three-way handshake. The fourth packet is HTTP, which shows that HTTP indeed uses a TCP connection that is established first.
The first handshake packet
The client sends a TCP packet with the SYN flag set and sequence number 0, representing the client's request to establish a connection, as shown below.
The second handshake packet
The server sends back an acknowledgment packet with the flags SYN and ACK. The acknowledgment number is set to the client's ISN plus one, i.e. 0 + 1 = 1, as shown below.
The third handshake packet
The client sends another acknowledgment packet: the SYN flag is 0 and the ACK flag is 1. It takes the sequence number received from the server, adds 1, and places it in the acknowledgment field sent to the other side; its own sequence number field carries its ISN plus 1, as shown below:
So the TCP three-way handshake establishes the connection.
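The handshake walk-through above, carried out in code as an added example (not from the original page): it constructs the three segments with raw initial sequence numbers, parses the IPv4/TCP header fields that the Packet Details pane shows, and converts them to the relative numbers Wireshark displays (each side's ISN shown as 0, so the SYN,ACK acknowledges 0 + 1 = 1 and the final ACK carries seq 1, ack 1). The addresses, ports and ISNs are constructed placeholders; the example also covers a capture that starts after the SYN, where no relative numbers can be derived.

```python
import struct

SYN, ACK = 0x02, 0x10        # TCP flag bits
def rel(n, isn):             # relative number as Wireshark shows it, with 32-bit wrap
    return (n - isn) & 0xFFFFFFFF

def build_segment(src, dst, sport, dport, seq, ack, flags):
    """Build a bare IPv4 + TCP header (no options, payload or checksums).
    Constructed sample data standing in for the captured packets on the page."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

# Client 192.168.1.102 opening port 80 on 203.0.113.10 (documentation address); ISNs chosen here.
C_ISN, S_ISN = 0x1A2B3C4D, 0x9F8E7D6C
HANDSHAKE = [
    build_segment("192.168.1.102", "203.0.113.10", 50123, 80, C_ISN, 0, SYN),
    build_segment("203.0.113.10", "192.168.1.102", 80, 50123, S_ISN, C_ISN + 1, SYN | ACK),
    build_segment("192.168.1.102", "203.0.113.10", 50123, 80, C_ISN + 1, S_ISN + 1, ACK),
]

def parse_tcp(pkt):
    """Extract the IPv4/TCP fields shown in the Packet Details pane."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0x1FF                      # low 9 bits of the offset/flags word
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK)}

def classify_handshake(packets):
    """Label each segment and report (label, relative seq, relative ack)."""
    client_isn = server_isn = client = None
    steps = []
    for p in map(parse_tcp, packets):
        if p["syn"] and not p["ack_flag"]:                               # first packet
            client_isn, client = p["seq"], (p["src"], p["sport"])
            steps.append(("SYN", 0, 0))
        elif p["syn"] and p["ack_flag"] and client_isn is not None:      # second packet
            server_isn = p["seq"]
            steps.append(("SYN,ACK", 0, rel(p["ack"], client_isn)))
        elif p["ack_flag"] and server_isn is not None:                   # third packet onward
            own, other = ((client_isn, server_isn) if (p["src"], p["sport"]) == client
                          else (server_isn, client_isn))
            steps.append(("ACK", rel(p["seq"], own), rel(p["ack"], other)))
        else:   # capture started mid-connection: ISNs unknown, no relative numbers
            steps.append(("unknown", None, None))
    return steps
```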
Wireshark is the world's foremost network protocol analyzer and the de facto standard in many industries. The project has been developed continuously since 1998.
Its features include deep inspection of hundreds of protocols, with more being added all the time; live capture and offline analysis; a standard three-pane packet browser; browsing of captured network data through a GUI or through the TTY-mode tshark utility; and rich VoIP analysis.