wireshark green portable version v3.4.2.0

Wireshark, formerly known as Ethereal, is a free and open-source network sniffer and packet capture tool, and the world's most widely used network analyzer. It captures network packets and displays them in as much detail as possible, letting you see what is happening on the network at a microscopic level; it is the tool of choice for many commercial and non-profit enterprises, government agencies and educational institutions. It has a powerful filter engine: users can apply filters to keep only the useful packets and eliminate interference from irrelevant traffic. On Windows, Wireshark uses WinPcap as the interface for exchanging packets directly with the network card.

Wireshark can monitor network traffic in real time, read snapshot files of captured traffic, and browse that data through a graphical interface in which the detailed contents of every layer of a packet can be inspected. Its features include a powerful display-filter language and the ability to reconstruct the stream of a TCP session; it supports hundreds of protocols and streaming media types and aims to meet as many user needs as possible. The software also has a standard three-pane packet browser interface, so the detailed protocol information of each packet is visible without much window switching. It can also export a detailed IP hop list, so the user can see how many nodes a packet sent from one side passes through before reaching the other side and how many milliseconds the trip takes in total; with these details, data transmission can be optimized to improve access and loading speed.
PS: this site provides a green (portable) version of Wireshark. It can be used directly after downloading and running the installer, and the software interface is entirely in Chinese, which meets the needs of most users. Friends who need it are welcome to download and try it.
Original link: http://www.ddooo.com/softdown/185191.htm
wireshark green portable version

Wireshark green version installation tutorial:

1. Download and unzip the package from this site to get the Wireshark green portable version installation package;
2. Double-click "WiresharkPortable_3.4.2.paf.exe" to start the installation and select the Chinese language;
3. The default installation directory is [C:\Users\Administrator\Desktop\wireshark green portable version\WiresharkPortable]; follow the prompts to continue the installation;
4. After the installation completes, it reports that the portable version has been installed;
5. Open the software, as shown in the figure below.

How does wireshark capture packets?

1. After opening the software, click the capture interface selection button and choose the network interface to capture on. If you are not sure which interface to use, pick the one whose packet count changes the most, select it and click "Start" to begin capturing;
2. If special configuration is required, open the capture options first: click the options button on the toolbar, enter the capture options interface and make the corresponding settings; after configuration is complete, click "Start" to begin capturing;
3. Once started, Wireshark is in the capturing state;
4. Perform the operation whose traffic you want to capture, such as ping www.baidu.com;
5. After the operation completes, the relevant packets have been captured. To keep other, irrelevant packets from affecting the analysis, you can narrow the packet list by entering a filter condition in the filter bar. The result is shown below. Note: ip.addr == 119.75.217.26 and icmp means that only ICMP packets whose source or destination IP is 119.75.217.26 are displayed;
6. If the desired packets were not captured, click the restart capture button to capture again; once you have captured the packets you need, click the red stop button;
7. Different protocols in the packet list area are distinguished by color. The protocol coloring is defined under the menu View --> Coloring Rules, as shown below.

Software features

1. Applicable to UNIX and Windows.
2. Capture real-time packet data from the network interface.
3. Open files containing packet data captured with tcpdump/WinDump, Wireshark and many other packet capture programs.
4. Import packets from text files containing hex dumps of packet data.
5. Display packets with very detailed protocol information.
6. Save captured packet data.
7. Export some or all packets in a variety of capture file formats.
8. Filter packets according to many criteria.
9. Search for packets according to many criteria.
10. Color the packet display according to filters.
11. Create various statistics.

Features

1. In-depth inspection of hundreds of protocols, with more being added all the time
2. Real-time capture and offline analysis
3. Standard three-pane packet browser
4. Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD and many other operating systems
5. Captured network data can be browsed through the GUI or with the TTY-mode TShark utility
6. The industry's most powerful display filters
7. Rich VoIP analysis
8. Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, etc.
9. Capture files compressed with gzip can be decompressed on the fly.
10. Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI and others (depending on your platform)
11. Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2
12. Coloring rules can be applied to the data packet list for fast and intuitive analysis.
13. The output can be exported as XML, PostScript, CSV or plain text

Filter rule

Expression rules
1. Protocol filtering. For example, tcp displays only TCP packets.
2. IP filtering. For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102, and ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.
3. Port filtering. tcp.port == 80 shows packets in which either port is 80; tcp.srcport == 80 shows only TCP packets whose source port is 80.
4. HTTP method filtering. http.request.method == "GET" shows only HTTP GET requests.
5. Logical operators. AND and OR are the commonly used operators for combining filter expressions.

The packet list pane displays each packet's number, timestamp, source address, destination address, protocol, length and info. You can see that different protocols are shown in different colors; these coloring rules can be modified under View -> Coloring Rules.
Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or
ip.addr eq 192.168.1.107 // matches the address as either source or destination IP
Below is an example screenshot of the Wireshark graphical window running on Linux with the following filter applied. The other filter rules are used in the same way, so no further screenshots are shown.
ip.src eq 10.175.168.182
Tip: in the filter edit box, the box turns red if the syntax is incorrect and green if it is correct.

Filtering by port
Having understood the Wireshark filter rules above, this section explains port filtering. Port filtering is fairly easy to understand; users who are unfamiliar with it can refer to the following examples to understand the whole process.
Example:
tcp.port eq 80 // displays the packet whether 80 is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only displays TCP packets with destination port 80
tcp.srcport == 80 // only displays TCP packets with source port 80
udp.port eq 15000
Then filter a port range:
tcp.port >= 1 and tcp.port <= 80
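To make the semantics of the filters above (and of the ip.addr == 119.75.217.26 and icmp filter in the capture tutorial) concrete, here is an added example that is not part of the original page or of Wireshark itself: a small evaluator for this subset of the display-filter language (comparisons with == / eq, >= and so on, bare protocol names, and / or with Wireshark precedence) run over constructed packet records. It shows that ip.addr and tcp.port match either direction, and the caveat that each comparison is satisfied independently, so tcp.port >= 1000 and tcp.port <= 2000 still matches a 51234 to 80 connection; the packets, field names as dictionary keys, and functions are all assumptions of the example.

```python
import operator as op
import re
# Constructed sample packets (not from a real capture); keys mirror Wireshark's display-filter field names.
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.102", "ip.dst": "119.75.217.26", "icmp": True},
    {"no": 2, "ip.src": "119.75.217.26", "ip.dst": "192.168.1.102", "icmp": True},
    {"no": 3, "ip.src": "192.168.1.102", "ip.dst": "93.184.216.34", "tcp": True, "http": True,
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET"},
    {"no": 4, "ip.src": "93.184.216.34", "ip.dst": "192.168.1.102", "tcp": True, "tcp.srcport": 80, "tcp.dstport": 51234},
    {"no": 5, "ip.src": "192.168.1.102", "ip.dst": "192.168.1.1", "udp": True, "udp.srcport": 52000, "udp.dstport": 15000},
]
# Direction-agnostic names: ip.addr / tcp.port / udp.port are satisfied by EITHER underlying field.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": op.eq, "eq": op.eq, "!=": op.ne, "ne": op.ne, ">=": op.ge, "ge": op.ge,
       "<=": op.le, "le": op.le, ">": op.gt, "gt": op.gt, "<": op.lt, "lt": op.lt}
TOKEN = re.compile(r'"[^"]*"|==|!=|>=|<=|>|<|[\w.]+')

def tokenize(expr):
    out = TOKEN.findall(expr)
    if "".join(out) != "".join(expr.split()):  # leftover characters such as a lone "=" are a syntax error
        raise ValueError("bad filter syntax: " + expr)
    return out

def parse(tokens):  # recursive descent, Wireshark precedence: or < and < comparison (no parentheses)
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        if pos[0] == len(tokens): raise ValueError("unexpected end of filter")
        pos[0] += 1; return tokens[pos[0] - 1]
    def primary():
        tok = take()
        if peek() in OPS:  # field op value: ANY aliased field (src OR dst) may satisfy it on its own
            cmp, val = OPS[take()], take()
            val = val[1:-1] if val.startswith('"') else (int(val) if val.isdigit() else val)
            return lambda p: any(f in p and cmp(p[f], val) for f in ALIASES.get(tok, (tok,)))
        return lambda p, f=tok: f in p  # bare name such as "tcp" or "icmp": is the protocol present?
    def binary(sub, words, combine):
        n = sub()
        while peek() in words:
            take(); l, r = n, sub(); n = lambda p, l=l, r=r: combine(l(p), r(p))
        return n
    expr_and = lambda: binary(primary, ("and", "&&"), lambda a, b: a and b)
    expr_or = lambda: binary(expr_and, ("or", "||"), lambda a, b: a or b)
    node = expr_or()
    if peek() is not None: raise ValueError("unexpected token: " + peek())
    return node

def apply_filter(expr, packets=PACKETS):
    """Numbers of the packets the display filter would keep in the packet list pane."""
    test = parse(tokenize(expr))
    return [p["no"] for p in packets if test(p)]
```

A ValueError here corresponds to the red filter box in the tip above. In Wireshark itself, the membership form tcp.port in {1..80} is the way to require a single port inside the range, instead of two independent comparisons.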

Update log

Wireshark green portable version v3.4.2 update description
Bug fixes
wnpa-sec-2020-07: the BACapp dissector could crash.
Other
Add an (IETF) QUIC dissector.
Renaming a profile loses the list selection.
Parser error warning when parsing a TLS certificate request with many names.
In the TCP stream graph -> time sequence (tcptrace) view, only ACKs are shown and no data frames are visible.
Copy > Description does not work for all tree items.
Importing a profile zip file on Windows fails, and the directory case crashes Wireshark.
The "Packet List" selection disappears when adding or removing display filters.
Check for updates and automatic updates do not work in 3.2.1.
f5ethtrailer: the TLS trailer creates incorrect CLIENT key log entries.
Buildbot crash output: randpkt-2020-03-04-18423.pcap.
The file open dialog displays garbled characters.
An RTCP BYE without the optional reason is reported as [Malformed Packet].
[oss-fuzz] #20732: Undefined shift in dissect_rtcp.
SOMEIP: the SOME/IP-SD dissector cannot register the SOME/IP port when IPv6 is used (bug).
tshark log: "...unable to open: too many open files."
Typos in About Wireshark > Keyboard Shortcuts > Ignore All Displayed.
Buildbot crash output: randpkt-2020-04-02-31746.pcap.

Origin blog.csdn.net/qq_43293214/article/details/111563039