other-Wireshark_ network packet capture


title: other-Wireshark_Network capture
categories: Others
tags: [Capture, Wireshark]
date: 2020-10-26 16:57:58
comments: false
mathjax: true
toc: true



Preface

  • Download link: Network packet analysis tool Wireshark 3.3.0 + x64 Chinese multilingual free version-http://www.dayanzai.me/wireshark.html
  • wireshark practical filtering expression (for ip, protocol, port, length and content)-https://blog.csdn.net/aflyeaglenku/article/details/50884296
  • Wireshark usage skills and data packet analysis method-https://zhuanlan.zhihu.com/p/31512066

Filter condition

  • Wireshark filtering rules and usage-https://blog.csdn.net/wojiaopanpan/article/details/69944970

Filter IP

If the source IP or destination IP is equal to a certain IP, for example

  1. ip.src == 192.168.1.107 || ip.dst == 192.168.1.107
  2. ip.addr == 192.168.1.107: equivalent to ip.src == 192.168.1.107 || ip.dst == 192.168.1.107

Filter port

  1. tcp.port == 80: equivalent to tcp.srcport == 80 || tcp.dstport == 80
  2. tcp.port == 80 || udp.port == 80
  3. tcp.dstport == 80: show only TCP packets whose destination port is 80
  4. tcp.srcport == 80: show only TCP packets whose source port is 80

Filter protocol

  1. tcp
  2. udp
  3. arp
  4. icmp
  5. http
  6. smtp
  7. ftp
  8. dns
  9. msnms
  10. ip
  11. ssl
  12. oicq
  13. bootp
  14. Exclude ARP packets: !arp or not arp

Filter packet length

  1. udp.length == 26: this length is the fixed 8-byte UDP header plus the data carried below UDP
  2. tcp.len >= 7: the length of the data carried below TCP (the payload), excluding the TCP header itself
  3. ip.len == 94: everything except the fixed 14-byte Ethernet header counts as ip.len, that is, from the IP header to the end of the packet
  4. frame.len == 119: the length of the entire packet, from the start of the Ethernet header to the end

Filter MAC

Ethernet header filter

  1. eth.dst == A0:00:00:04:C5:84 // Filter by destination MAC
  2. eth.src eq A0:00:00:04:C5:84 // Filter by source MAC
  3. eth.dst == A0:00:00:04:C5:84
  4. eth.dst == A0-00-00-04-C5-84
  5. eth.addr eq A0:00:00:04:C5:84 // Filter packets whose source or destination MAC equals A0:00:00:04:C5:84

Filter http mode

  1. http.request.method == "GET"
  2. http.request.method == "POST"
  3. http.request.uri == "/img/logo-edu.gif"
  4. http contains "GET"
  5. http contains "HTTP/1."

// GET packets

  1. http.request.method == "GET" && http contains "Host: "

  2. http.request.method == "GET" && http contains "User-Agent: "

// POST packets

  1. http.request.method == "POST" && http contains "Host: "
  2. http.request.method == "POST" && http contains "User-Agent: "

// response packets

  1. http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
  2. http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "

Filter TCP parameters

  1. tcp.flags displays packets containing TCP flags.
  2. tcp.flags.syn == 0x02 Display the packets containing the TCP SYN flag.
  3. tcp.window_size == 0 && tcp.flags.reset != 1

Filter package contents

  1. tcp[20]: the single byte at offset 20
  2. tcp[20:]: every byte from offset 20 to the end

Note: The content between the two dotted lines failed the test on my Wireshark (Linux).

tcp[20:8]: starting at offset 20, take 8 bytes
tcp[offset:n]
udp[8:3] == 81:60:03 // skip 8 bytes, then take 3 bytes; is that the same as comparing them with the following data?
udp[8:1] == 32 // If my guess is correct, the form should be udp[offset:number of bytes] == value
eth.addr[0:3] == 00:06:5B
Example:
Check whether the first three bytes below UDP are 0x20 0x21 0x22.
We all know that the UDP header has a fixed length of 8:
udp[8:3] == 20:21:22
Check whether the first three bytes of the TCP block are 0x20 0x21 0x22.
The TCP header is usually 20 bytes, but sometimes it is not:
tcp[8:3] == 20:21:22
To be exact you should first find out the TCP header length.
matches (regular-expression match) and contains (substring match) syntax:
ip.src == 192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22" ------???--------
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d matches UDP packets that have 0x7c7c7d7d anywhere in the payload, not necessarily at the first byte.
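The following Go program is an added illustration, not code from the original post: it builds a constructed Ethernet/IPv4/UDP frame and works through the offset arithmetic behind the length filters and the byte-slice filters above, i.e. which bytes frame.len, ip.len and udp.length cover, and which bytes udp[offset:n] == ... and udp contains ... select when counted from the start of the UDP header. The frame contents and the function names are assumptions; this models the arithmetic the post describes, not Wireshark's dissector.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// SampleFrame is a constructed Ethernet/IPv4/UDP frame (an assumption, not a real capture):
// 14-byte Ethernet header, 20-byte IPv4 header, 8-byte UDP header, 3-byte payload 20:21:22.
func SampleFrame() []byte {
	eth := []byte{0xA0, 0, 0, 4, 0xC5, 0x84, 0, 0x06, 0x5B, 1, 2, 3, 0x08, 0x00} // dst, src, type IPv4
	payload := []byte{0x20, 0x21, 0x22}
	udp := make([]byte, 8)
	binary.BigEndian.PutUint16(udp[4:], uint16(8+len(payload))) // udp.length = 8-byte header + payload
	ip := make([]byte, 20)
	ip[0], ip[9] = 0x45, 17 // IPv4 with IHL 5 (20 bytes), protocol UDP
	binary.BigEndian.PutUint16(ip[2:], uint16(20+8+len(payload))) // ip.len = IP header to end
	copy(ip[12:], []byte{192, 168, 1, 107})
	return append(append(append(eth, ip...), udp...), payload...)
}

// udpStart is the offset of the UDP header: Ethernet 14 + IPv4 header (IHL*4).
func udpStart(frame []byte) int { return 14 + int(frame[14]&0x0F)*4 }

// FieldLengths returns frame.len, ip.len and udp.length as the filter fields count them:
// the whole packet, everything after the Ethernet header, and UDP header plus payload.
func FieldLengths(frame []byte) (frameLen, ipLen, udpLen int) {
	u := udpStart(frame)
	return len(frame),
		int(binary.BigEndian.Uint16(frame[16:18])),
		int(binary.BigEndian.Uint16(frame[u+4 : u+6]))
}

// UDPSliceEquals evaluates udp[off:n] == want, counting from the start of the UDP header,
// so offset 8 is the first payload byte; a slice that runs past the datagram simply does not match.
func UDPSliceEquals(frame []byte, off, n int, want []byte) bool {
	udp := frame[udpStart(frame):]
	if len(want) != n || off+n > len(udp) {
		return false
	}
	return bytes.Equal(udp[off:off+n], want)
}

// UDPContains evaluates udp contains want: the bytes may appear anywhere, not only at the start.
func UDPContains(frame, want []byte) bool { return bytes.Contains(frame[udpStart(frame):], want) }

func main() {
	fmt.Println(FieldLengths(SampleFrame())) // 45 31 11
}
```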


http packet capture-json

  • Request data

    // The request npm package supplies request.post (it is not shown in the original snippet)
    const request = require("request")

    const url = "http://192.168.1.233:57305/hotupdate"
    request.post(url, {
        json: {
            Plat: 1042,
            Os: 2,
            Appid: 3,
            Uid: "123123",
            Version: "0.301.3.4",
            Deviceid: "wolegequ",
        }
    }, (error, res, body) => {
        if (error) {
            console.error(error)
            return
        }
        console.log(`--- statusCode: ${res.statusCode}`)
        console.log(`--- post rsp:`, body)
    })
    

Request packet

  • For example, enter the expression: ip.dst == 192.168.1.233 && tcp.port == 57305

    This captures the request packets whose destination IP is 192.168.1.233

Return packet

  • For example, enter the expression: ip.src == 192.168.1.233 && tcp.port == 57305

    This captures the returned (response) packets whose source IP is 192.168.1.233


http capture-stream

This demo is based on the game's own protocol. The upstream data buffer is laid out as [buffer total size] + [pb buffer], where the pb buffer consists of a head + body.

Request packet

  1. Select the request packet -> right-click Data -> Export Packet Bytes, and save it to the file loginData.bin . This is the binary data of a single client uplink message.

  2. Parse the loginData.bin file. (golang demo)

    package csprotos_test // whichever package holds the test

    import (
    	"io/ioutil"
    	"log"
    	"testing"

    	"github.com/golang/protobuf/proto" // or google.golang.org/protobuf/proto, whichever the project uses
    	// "<project path>/csprotos"      // the game's generated protobuf package; its import path is not given here
    )

    func Test_login_data(t *testing.T) {
    	path := "C:/Users/wolegequ/Desktop/loginData.bin"
    	bts, err := ioutil.ReadFile(path)
    	if err != nil {
    		t.Fatal(err)
    	}

    	log.Printf("--- total len: %d\n", len(bts))
    	pld := &csprotos.PayloadData{}
    	err = proto.Unmarshal(bts[2:], pld) // strip the 2-byte header (the buffer total length value)
    	if err != nil {
    		t.Fatal(err)
    	}

    	log.Printf("--- body len: %d\n", len(pld.CSBody))
    	req := &csprotos.LoginReq{}
    	err = proto.Unmarshal(pld.CSBody, req) // the body is itself a serialized LoginReq
    	if err != nil {
    		t.Fatal(err)
    	}

    	log.Printf("--- req: %v\n", req)
    }

    /* Result:
    2020/10/26 20:10:11 --- total len: 81
    2020/10/26 20:10:11 --- body len: 57
    2020/10/26 20:10:11 --- req: PlatID:1042 ChanID:1 ...
    */
    

tcp capture-stream

Almost the same as [http capture-stream](#http-capture-stream)

Request packet

  1. Select the request packet -> right-click Data -> Export Packet Bytes, and save it to the file heart.bin . This is the binary data of a single client uplink message.

  2. Parse the heart.bin file. (golang demo)

    package csprotos_test // same imports as the login demo above (ioutil, log, testing, proto, csprotos)

    // Named Test_heart_data so that it does not collide with Test_login_data in the same package
    func Test_heart_data(t *testing.T) {
    	path := "C:/Users/wolegequ/Desktop/heart.bin"
    	bts, err := ioutil.ReadFile(path)
    	if err != nil {
    		t.Fatal(err)
    	}

    	log.Printf("--- total len: %d\n", len(bts))
    	pld := &csprotos.PayloadData{}
    	err = proto.Unmarshal(bts[2:], pld) // strip the 2-byte header (the buffer total length value)
    	if err != nil {
    		t.Fatal(err)
    	}
    	log.Printf("--- pld: %+v\n", pld) // heartbeat carries a head only, so CSBody is empty
    }

    /* Result:
    2020/10/26 20:43:11 --- total len: 34
    2020/10/26 20:43:11 --- pld: CSHead:{CMDID:303 ReqID:26 ...} CSBody:"" ExtA:12516300 ExtC:1320706011723882496
    */
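Both the http and the tcp capture-stream demos above strip the 2-byte size prefix with bts[2:] and never check it. As an added example (not the post's or the game's own code), the Go program below validates the [buffer total size] + [pb buffer] framing before anything is handed to proto.Unmarshal, and also splits a saved TCP stream that holds several messages back to back. It assumes the size prefix is 2 bytes big-endian and counts only the pb buffer, not itself (the post does not say); the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrTruncated reports a stream that ends before the prefixed size is satisfied.
var ErrTruncated = errors.New("truncated frame")

// SplitFrames splits a raw uplink byte stream into pb buffers using the
// [buffer total size]+[pb buffer] framing. Assumption (not stated in the post):
// the size prefix is 2 bytes big-endian and counts only the pb buffer, not itself.
func SplitFrames(stream []byte) ([][]byte, error) {
	var frames [][]byte
	for len(stream) > 0 {
		if len(stream) < 2 {
			return frames, fmt.Errorf("%w: dangling %d-byte prefix", ErrTruncated, len(stream))
		}
		n := int(binary.BigEndian.Uint16(stream[:2]))
		if n == 0 {
			return frames, errors.New("zero-length frame") // refuse to unmarshal an empty message
		}
		if len(stream)-2 < n {
			return frames, fmt.Errorf("%w: prefix says %d bytes, only %d left", ErrTruncated, n, len(stream)-2)
		}
		frames = append(frames, stream[2:2+n]) // exactly what proto.Unmarshal should receive
		stream = stream[2+n:]
	}
	return frames, nil
}

// Frame is the inverse: prefix one pb buffer with its 2-byte size.
func Frame(pb []byte) []byte {
	out := make([]byte, 2+len(pb))
	binary.BigEndian.PutUint16(out, uint16(len(pb)))
	copy(out[2:], pb)
	return out
}

func main() {
	// Constructed sample: two messages back to back, as a saved TCP stream would hold them.
	stream := append(Frame([]byte{0x0a, 0x03, 0x61, 0x62, 0x63}), Frame([]byte{0x10, 0x2f})...)
	frames, err := SplitFrames(stream)
	fmt.Println(len(frames), err) // 2 <nil>
	_, err = SplitFrames(stream[:len(stream)-1]) // capture cut off one byte early
	fmt.Println(err)
}
```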
    


Origin blog.csdn.net/yangxuan0261/article/details/109305315