Wireshark usage record

It is difficult to master the many protocols in the TCP/IP family one by one, yet when you urgently need to analyze the traffic between a host and a client, you have to understand the protocol involved. The following is a record of how I used Wireshark. If there are errors, please comment and point them out, thank you.

Wireshark sits, in effect, like a proxy in front of all of the computer's network traffic. Unlike Burp Suite, which can only intercept the browser's HTTP/HTTPS traffic, it can capture the hundreds of protocols the computer uses, and that brings its own problem: with so many protocols and so many packets, hundreds of them in barely a second, a novice watching this data pour past like a waterfall will probably be intimidated. Don't panic; just follow along with someone who has done it before.

Think of it as a MySQL database: it holds many databases, tables, fields and rows, and you have to use precise filter syntax to pull out the request and response packets you want to analyze. If you don't filter, this powerful tool will do nothing for you.

A typical scenario for this tool: often I have no idea what protocol a client is using. After setting a rough capture range, clear the packet list, then quickly trigger the client's packet-sending function; Wireshark will capture from that point onward, so the relevant packets are easy to locate. Then analyze the TCP stream to see which protocol is in use and filter on it.


Choose network card

Wireshark captures the packets of one particular network interface on the machine. When your machine has multiple interfaces, you need to pick one.
For Wi-Fi, choose Wi-Fi: en0
en0 is the identifier of your network interface.

If you use a wired network cable, check what its identifier is. I haven't used a cable for a long time.


If you know the IP of the server

# Source is the address of the local machine
# Filter packets whose Source field is 10.161.114.198
ip.src eq 10.161.114.198

# Destination is the address of the server
# Filter packets whose Destination field is 10.161.204.10
ip.dst eq 10.161.204.10

Each record has the following protocol layers:
(1) Frame: overview of the frame at the physical layer
(2) Ethernet II: Ethernet frame header information at the data link layer
(3) Internet Protocol Version 4: IP packet header information at the internet layer
(4) Transmission Control Protocol: segment header information at the transport layer, here TCP
(5) Hypertext Transfer Protocol: application-layer information, here the HTTP protocol

The application-layer data is all unreadable binary; there is nothing to see there,

but don't be afraid: right-click and choose Follow -> TCP Stream, and you can still make out some data.


Intercept TCP header

Fill in the capture filter with the expression: host www.cnblogs.com and port 80 (port 80 corresponds to HTTP).
There will be multiple TCP streams; in the display filter, fill in the expression tcp.stream eq 0 to keep only the first TCP stream (a complete TCP connection, including the three-way handshake and the four-way close):

tcp.stream eq 0
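The display filters used above, ip.src eq / ip.dst eq and tcp.stream eq 0, are easier to trust once you have seen what they operate on. The following Python is an added example, not code from the original post or from Wireshark: it decodes the Ethernet II, IPv4 and TCP layers of constructed frames (the page's client and server addresses plus one made-up second host, 10.161.204.11), numbers conversations the way tcp.stream does, and evaluates filters of the form '<field> eq <value>' over them.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal Ethernet II + IPv4 + TCP frame (sample data, not a real capture)."""
    eth = bytes(12) + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,  # IHL 5, TTL 64, proto 6 = TCP
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)  # checksums left 0
    return eth + ip + tcp

def parse_frame(raw):
    """Decode the layers Wireshark lists for a TCP frame: Ethernet II -> IPv4 -> TCP."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:  # EtherType: not IPv4
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ip[9] != 6:  # protocol field: not TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": tcp[13]}

def assign_streams(frames):
    """Number conversations like tcp.stream: one index per bidirectional 4-tuple, in order of
    first appearance (simplified: a reused port pair is not split into a new stream)."""
    streams, packets = {}, []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        key = frozenset([(pkt["ip.src"], pkt["tcp.srcport"]), (pkt["ip.dst"], pkt["tcp.dstport"])])
        pkt["tcp.stream"] = streams.setdefault(key, len(streams))
        packets.append(pkt)
    return packets

def display_filter(packets, expr):
    """Evaluate a display filter of the form '<field> eq <value>', e.g. 'tcp.stream eq 0'."""
    field, _, value = expr.split()
    return [p for p in packets if str(p[field]) == value]

# Constructed traffic using the page's client/server addresses, plus a second connection elsewhere.
CLIENT, SERVER, OTHER = "10.161.114.198", "10.161.204.10", "10.161.204.11"
SAMPLE = assign_streams([
    build_frame(CLIENT, SERVER, 51000, 80, SYN), build_frame(SERVER, CLIENT, 80, 51000, SYN | ACK),
    build_frame(CLIENT, SERVER, 51000, 80, ACK),  # stream 0: the three-way handshake
    build_frame(CLIENT, OTHER, 51001, 443, SYN),  # stream 1: a different connection
])
```

display_filter(SAMPLE, "tcp.stream eq 0") returns all three handshake packets including the server's SYN-ACK, which is why filtering on tcp.stream shows both directions of a connection where ip.src alone does not.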


If you know which protocol is in use: HTTP interception example

  1. Filter on http and clear the historical data

  2. Simply open a domain name

  3. Analyze the packets
    I don't know why HTTP is also labelled the OCSP protocol; at least the format is the same, whatever the reason.

  4. Analyze the TCP stream, and the familiar format is back.

Origin www.cnblogs.com/mysticbinary/p/12739862.html