title: other-Wireshark_Network capture
categories: Others
tags: [Capture, Wireshark]
date: 2020-10-26 16:57:58
comments: false
mathjax: true
toc: true
other-Wireshark_Network packet capture
Preface
- Download link: network packet analysis tool Wireshark 3.3.0 + x64 Chinese multilingual free version - http://www.dayanzai.me/wireshark.html
- Wireshark practical filter expressions (by IP, protocol, port, length and content) - https://blog.csdn.net/aflyeaglenku/article/details/50884296
- Wireshark usage tips and packet analysis methods - https://zhuanlan.zhihu.com/p/31512066
Filter conditions
- Wireshark filter rules and usage - https://blog.csdn.net/wojiaopanpan/article/details/69944970
Filter IP
Match packets whose source or destination address is a given IP, for example:
- ip.src == 192.168.1.107 || ip.dst == 192.168.1.107
- ip.addr == 192.168.1.107: equivalent to ip.src == 192.168.1.107 || ip.dst == 192.168.1.107
To exclude a host, write !(ip.addr == 192.168.1.107). In Wireshark versions before 3.6, ip.addr != 192.168.1.107 is true whenever either of the two addresses differs from 192.168.1.107, so it removes almost nothing.
Filter port
- tcp.port == 80: equivalent to tcp.srcport == 80 || tcp.dstport == 80
- tcp.port == 80 || udp.port == 80: port 80 over either transport
- tcp.dstport == 80: only TCP packets whose destination port is 80
- tcp.srcport == 80: only TCP packets whose source port is 80
Filter protocol
- tcp
- udp
- arp
- icmp
- http
- smtp
- ftp
- dns
- msnms
- ip
- ssl (Wireshark 3.0 renamed this dissector to tls; ssl is still accepted as an alias)
- oicq
- bootp (renamed dhcp in Wireshark 3.0; bootp is still accepted as an alias)
- Exclude ARP packets: !arp or not arp
Filter packet length
- udp.length == 26: the UDP Length field, i.e. the fixed 8-byte UDP header plus the UDP payload
- tcp.len >= 7: the TCP payload length (the data carried after the TCP header), excluding the header itself; the header length is tcp.hdr_len
- ip.len == 94: the IPv4 Total Length field, from the start of the IP header to the end of the packet; the 14-byte Ethernet header is not counted
- frame.len == 119: the length of the whole frame, from the Ethernet header to the end
So for IPv4 over Ethernet, frame.len = 14 + ip.len, and for UDP without IP options, ip.len = 20 + udp.length.
Filter MAC
Ethernet header filters:
- eth.dst == A0:00:00:04:C5:84: filter on the destination MAC
- eth.src eq A0:00:00:04:C5:84: filter on the source MAC (eq is the same as ==)
- eth.dst == A0-00-00-04-C5-84: the bytes may also be separated with dashes
- eth.addr eq A0:00:00:04:C5:84: match packets whose source or destination MAC is A0:00:00:04:C5:84
Filter HTTP method and content
- http.request.method == "GET"
- http.request.method == "POST"
- http.request.uri == "/img/logo-edu.gif" (exact match; use http.request.uri contains "/img/" for a substring)
- http contains "GET"
- http contains "HTTP/1."
GET packets:
- http.request.method == "GET" && http contains "Host: "
- http.request.method == "GET" && http contains "User-Agent: "
POST packets:
- http.request.method == "POST" && http contains "Host: "
- http.request.method == "POST" && http contains "User-Agent: "
Response packets:
- http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
- http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
The contains forms search the raw bytes of the HTTP layer, so they also hit a request body that happens to carry the same text; the dissected fields are more precise: http.response.code == 200 for a 200 response, http.host == "192.168.1.233" for the Host header, http.content_type contains "json" for the Content-Type. All of these only work on plaintext HTTP; HTTPS traffic shows up as tls unless the session keys are supplied to Wireshark.
Filter TCP parameters
- tcp.flags: any packet that has a TCP flags field, i.e. any TCP packet
- tcp.flags.syn == 1: packets with the SYN flag set (older guides write tcp.flags.syn == 0x02; the per-flag fields are booleans, so compare them with 1). This also matches SYN+ACK; tcp.flags == 0x002 matches a bare SYN, the first packet of a handshake.
- tcp.window_size == 0 && tcp.flags.reset != 1: zero-window advertisements that are not resets, i.e. a receiver that has stalled
Filter packet contents
Byte slices index into the bytes of a protocol layer, counting from the first byte of that layer's header:
- tcp[20]: the single byte at offset 20 of the TCP segment (with a 20-byte header, the first payload byte)
- tcp[20:]: all bytes from offset 20 to the end of the segment
- tcp[20:8]: 8 bytes starting at offset 20
- The general form is proto[offset:count] == value, with the value written as colon-separated hex bytes:
- udp[8:3] == 81:60:03: skip the 8-byte UDP header, then compare the next 3 bytes with 81 60 03
- udp[8:1] == 32: compare the first payload byte with 0x32
- eth.addr[0:3] == 00:06:5B: compare the first 3 bytes (the OUI) of either MAC address
Note: the slice expressions above (udp[8:3], udp[8:1], eth.addr[0:3]) failed the test on my Wireshark (Linux).
Example:
Check whether the first three bytes of the UDP payload are 0x20 0x21 0x22. The UDP header is always 8 bytes, so:
udp[8:3] == 20:21:22
Check whether the first three bytes of the TCP payload are 0x20 0x21 0x22. The TCP header is usually 20 bytes, but options make it longer:
tcp[20:3] == 20:21:22
To be exact you first need the header length of the packets in question (the tcp.hdr_len field), or index the payload directly with tcp.payload[0:3] == 20:21:22, which is unaffected by options.
matches (regular expression) and contains (byte string) syntax
- ip.src == 192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22"
- ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
- ip.src == 192.168.1.107 and tcp contains "GET"
- udp contains 7c:7c:7d:7d matches a UDP packet with the bytes 0x7c7c7d7d anywhere in the UDP layer (header or payload), not necessarily at the first byte.
contains is a plain substring search over the field's bytes; matches takes a PCRE regular expression and is case-insensitive by default, so prefer contains when the bytes are fixed.
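As an added example (not code from the original post), the Go program below builds two constructed frames, one UDP and one TCP whose header carries options and is therefore 28 bytes long, and computes the same values Wireshark shows as frame.len, ip.len, udp.length, tcp.hdr_len, tcp.len and tcp.flags (the length and flag filters above). It then evaluates slice and contains filters the way the display-filter engine does: proto[off:n] counts from the first byte of that protocol's header, so tcp[20:3] lands in the options when the header is longer than 20 bytes, while tcp.payload[0:3] does not. The MAC and IP addresses, ports and payload bytes are made up for the demo.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// Fields holds the values Wireshark exposes under the display-filter names in the comments.
type Fields struct {
	FrameLen  int    // frame.len   : whole frame, Ethernet header included
	IPLen     int    // ip.len      : IPv4 Total Length (IP header through end of payload)
	Proto     byte   // ip.proto    : 6 = TCP, 17 = UDP
	UDPLength int    // udp.length  : 8-byte UDP header + payload (0 for TCP)
	TCPHdrLen int    // tcp.hdr_len : 20 + options (0 for UDP)
	TCPLen    int    // tcp.len     : TCP payload only, header excluded (0 for UDP)
	TCPFlags  uint16 // tcp.flags   : 12-bit field; 0x002 SYN, 0x004 RST, 0x010 ACK, 0x018 PSH+ACK
	L4        []byte // the transport layer, i.e. the bytes that tcp[...] and udp[...] index into
}

// Dissect reads those fields from a raw, untagged Ethernet/IPv4 frame.
func Dissect(f []byte) (Fields, error) {
	if len(f) < 34 || binary.BigEndian.Uint16(f[12:]) != 0x0800 {
		return Fields{}, errors.New("not an IPv4-over-Ethernet frame")
	}
	ihl := int(f[14]&0x0f) * 4
	r := Fields{FrameLen: len(f), IPLen: int(binary.BigEndian.Uint16(f[16:])), Proto: f[23]}
	if ihl < 20 || ihl+8 > r.IPLen || 14+r.IPLen > len(f) {
		return Fields{}, errors.New("truncated or malformed IPv4 packet")
	}
	r.L4 = f[14+ihl : 14+r.IPLen]
	switch r.Proto {
	case 17:
		r.UDPLength = int(binary.BigEndian.Uint16(r.L4[4:]))
	case 6:
		if len(r.L4) < 20 || int(r.L4[12]>>4)*4 < 20 || int(r.L4[12]>>4)*4 > len(r.L4) {
			return Fields{}, errors.New("short TCP header or bad data offset")
		}
		r.TCPHdrLen = int(r.L4[12]>>4) * 4 // data offset is in 32-bit words
		r.TCPFlags = binary.BigEndian.Uint16(r.L4[12:]) & 0x0fff
		r.TCPLen = len(r.L4) - r.TCPHdrLen
	}
	return r, nil
}

// Layer returns the bytes a slice filter indexes into. tcp[off:n] and udp[off:n] count from the first
// byte of that protocol's header, not from its payload; tcp.payload/udp.payload start after the header.
func Layer(f []byte, name string) []byte {
	r, err := Dissect(f)
	switch {
	case err != nil:
		return nil
	case name == "tcp" && r.Proto == 6, name == "udp" && r.Proto == 17:
		return r.L4
	case name == "udp.payload" && r.Proto == 17:
		return r.L4[8:]
	case name == "tcp.payload" && r.Proto == 6:
		return r.L4[r.TCPHdrLen:]
	}
	return nil
}

// SliceEq evaluates proto[off:n] == want; a slice that runs past the layer is simply false, as in Wireshark.
func SliceEq(f []byte, layer string, off, n int, want []byte) bool {
	l := Layer(f, layer)
	if l == nil || off < 0 || n != len(want) || off+n > len(l) {
		return false
	}
	return bytes.Equal(l[off:off+n], want)
}

// Contains evaluates proto contains xx:yy:zz: the bytes may sit anywhere in the layer, header included.
func Contains(f []byte, layer string, needle []byte) bool {
	return bytes.Contains(Layer(f, layer), needle)
}

// Constructed sample data: MACs A0:00:00:04:C5:84 <- 00:06:5B:11:22:33, 192.168.1.107 -> 192.168.1.233,
// made-up ports and payload; IP/TCP/UDP checksums are left zero (Wireshark does not validate them by default).
var payload = []byte{0x20, 0x21, 0x22, 0x23, 0x24}

func frame(proto byte, l4 []byte) []byte {
	f := append([]byte{0xa0, 0, 0, 4, 0xc5, 0x84, 0, 6, 0x5b, 0x11, 0x22, 0x33, 8, 0}, make([]byte, 20)...)
	f[14], f[22], f[23] = 0x45, 64, proto                  // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(f[16:], uint16(20+len(l4))) // ip.len
	copy(f[26:], []byte{192, 168, 1, 107, 192, 168, 1, 233})
	return append(f, l4...)
}

// SampleUDPFrame: 14 + 20 + 8 + 5 = 47 bytes, udp.length 13.
func SampleUDPFrame() []byte {
	s := []byte{5000 >> 8, 5000 & 0xff, 0, 53, 0, byte(8 + len(payload)), 0, 0} // ports, udp.length, checksum
	return frame(17, append(s, payload...))
}

// SampleTCPFrame: PSH+ACK 51234 -> 57305 with MSS, NOP and window-scale options, so tcp.hdr_len is 28, not 20.
func SampleTCPFrame() []byte {
	s := make([]byte, 20, 33)
	binary.BigEndian.PutUint16(s[0:], 51234)
	binary.BigEndian.PutUint16(s[2:], 57305)
	binary.BigEndian.PutUint16(s[12:], 7<<12|0x018) // data offset 7 words (28 bytes), flags PSH|ACK
	s = append(s, 2, 4, 5, 0xb4, 1, 3, 3, 7)        // MSS 1460, NOP, window scale 7; window field left zero
	return frame(6, append(s, payload...))
}
```

With these frames, SliceEq(tcp, "tcp", 20, 3, 20:21:22) is false because offset 20 is the start of the MSS option, while SliceEq(tcp, "tcp", 28, 3, ...) and SliceEq(tcp, "tcp.payload", 0, 3, ...) are true; Contains(tcp, "tcp", 20:21:22) is true regardless of where the bytes sit. Dissect also rejects short or malformed frames instead of indexing past the buffer, which matters when the same logic is pointed at a pcap rather than hand-built data.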
http packet capture - JSON
Request code (Node.js, using the request module):
```js
const request = require("request")

const url = "http://192.168.1.233:57305/hotupdate"
request.post(url, {
  // request serialises this object as the JSON body and sets Content-Type: application/json
  json: { Plat: 1042, Os: 2, Appid: 3, Uid: "123123", Version: "0.301.3.4", Deviceid: "wolegequ" },
}, (error, res, body) => {
  if (error) {
    console.error(error)
    return
  }
  console.log(`--- statusCode: ${res.statusCode}`)
  console.log(`--- post rsp:`, body)
})
```
Request packet
- For example, enter the expression ip.dst == 192.168.1.233 && tcp.port == 57305 to capture the request packets sent to 192.168.1.233.
Response packet
- For example, enter the expression ip.src == 192.168.1.233 && tcp.port == 57305 to capture the response packets coming back from 192.168.1.233.
To see both directions of one exchange together, use ip.addr == 192.168.1.233 && tcp.port == 57305, or select a packet and use Follow -> TCP Stream. Once the http dissector has reassembled the body, the decoded JSON appears under the JavaScript Object Notation node in the packet details.
http capture - stream
This demo is based on the game's own protocol. Layout of an upstream buffer: [buff total size] + [pb buff], where pb buff is a protobuf message made of head + body.
Request packet
- Select the request packet, right-click the Data node in the packet details pane -> Export Packet Bytes..., and save it as loginData.bin. This is the raw bytes of one client-to-server (upstream) message.
- Parse loginData.bin (Go demo):
```go
import (
	"io/ioutil"
	"log"
	"testing"
	// also needed: the project's protobuf runtime (proto) and its generated csprotos package;
	// their import paths are not given in the original post
)

func Test_login_data(t *testing.T) {
	path := "C:/Users/wolegequ/Desktop/loginData.bin"
	bts, err := ioutil.ReadFile(path)
	if err != nil {
		t.Fatal(err)
	}
	log.Printf("--- total len: %d\n", len(bts))
	pld := &csprotos.PayloadData{}
	err = proto.Unmarshal(bts[2:], pld) // strip the 2-byte header (the total buff length)
	if err != nil {
		t.Fatal(err)
	}
	log.Printf("--- body len: %d\n", len(pld.CSBody))
	req := &csprotos.LoginReq{}
	err = proto.Unmarshal(pld.CSBody, req)
	if err != nil {
		t.Fatal(err)
	}
	log.Printf("--- req: %v\n", req)
}
/* Result:
2020/10/26 20:10:11 --- total len: 81
2020/10/26 20:10:11 --- body len: 57
2020/10/26 20:10:11 --- req: PlatID:1042 ChanID:1 ...
*/
```
tcp capture - stream
Almost the same as [http Capture-stream](#http Capture-stream); the only difference is that the Data node sits directly under the TCP segment instead of an HTTP layer. To pull a whole conversation rather than one packet's Data, use Analyze -> Follow -> TCP Stream, show the data as Raw and use Save as...; that file holds consecutive [length][pb buff] frames, which must be split on the length prefix before unmarshalling.
Request packet
- Select the request packet, right-click the Data node in the packet details pane -> Export Packet Bytes..., and save it as heart.bin. This is the raw bytes of one client-to-server (upstream) message.
- Parse heart.bin (Go demo):
```go
// Renamed from Test_login_data so it does not collide with the login test in the same package.
func Test_heart_data(t *testing.T) {
	path := "C:/Users/wolegequ/Desktop/heart.bin"
	bts, err := ioutil.ReadFile(path)
	if err != nil {
		t.Fatal(err)
	}
	log.Printf("--- total len: %d\n", len(bts))
	pld := &csprotos.PayloadData{}
	err = proto.Unmarshal(bts[2:], pld) // strip the 2-byte header (the total buff length)
	if err != nil {
		t.Fatal(err)
	}
	log.Printf("--- pld: %+v\n", pld)
	/* Result:
	2020/10/26 20:43:11 --- total len: 34
	2020/10/26 20:43:11 --- pld: CSHead:{CMDID:303 ReqID:26 ...} CSBody:"" ExtA:12516300 ExtC:1320706011723882496
	*/
}
```
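Both stream sections above depend on the project's generated csprotos package and its .proto files, which the page does not include. As an added example (not the author's code), the Go program below does the part that needs no schema: it cuts a raw stream export into [2-byte length][pb buff] frames and walks each protobuf message's top-level fields (tag, wire type, value), so head and body can be inspected before any PayloadData or LoginReq type exists. It assumes the length prefix is big-endian and counts only the bytes after it (the page only says "total buff length"; compare the prefix with len(bts)-2 on a real export to confirm), and the field numbers and values in the constructed sample stream are invented for the demo, not the game's.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field is one top-level protobuf field read straight off the wire, no .proto needed.
type Field struct {
	Num      int    // field number from the tag
	WireType int    // 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32
	Varint   uint64 // value for wire types 0, 1 and 5
	Bytes    []byte // raw bytes for wire type 2 (nested message, string or bytes)
}

// SplitFrames cuts a raw stream export into [2-byte length][pb buff] frames. Assumption: the prefix is
// big-endian and counts the bytes after it. A trailing partial frame (capture cut mid-message) is an error.
func SplitFrames(stream []byte) ([][]byte, error) {
	var frames [][]byte
	for len(stream) > 0 {
		if len(stream) < 2 {
			return frames, errors.New("truncated length prefix")
		}
		n := int(binary.BigEndian.Uint16(stream))
		if len(stream)-2 < n {
			return frames, fmt.Errorf("incomplete frame: need %d bytes, have %d", n, len(stream)-2)
		}
		frames, stream = append(frames, stream[2:2+n]), stream[2+n:]
	}
	return frames, nil
}

// WalkFields decodes the top-level fields of one protobuf message; nested messages (wire type 2)
// come back raw so the caller can walk them again, which is how head and body are reached.
func WalkFields(msg []byte) ([]Field, error) {
	var out []Field
	for len(msg) > 0 {
		tag, n := binary.Uvarint(msg)
		if n <= 0 || tag>>3 == 0 {
			return out, errors.New("bad field tag")
		}
		msg = msg[n:]
		f := Field{Num: int(tag >> 3), WireType: int(tag & 7)}
		switch f.WireType {
		case 0:
			v, m := binary.Uvarint(msg)
			if m <= 0 {
				return out, errors.New("bad varint value")
			}
			f.Varint, msg = v, msg[m:]
		case 1, 5:
			size := 8 - 4*(f.WireType/5) // fixed64 is 8 bytes, fixed32 is 4, both little-endian
			if len(msg) < size {
				return out, errors.New("short fixed-width value")
			}
			for i := size - 1; i >= 0; i-- {
				f.Varint = f.Varint<<8 | uint64(msg[i])
			}
			msg = msg[size:]
		case 2:
			l, m := binary.Uvarint(msg)
			if m <= 0 || uint64(len(msg)-m) < l {
				return out, errors.New("length-delimited field runs past the end of the message")
			}
			f.Bytes, msg = msg[m:m+int(l)], msg[m+int(l):]
		default:
			return out, fmt.Errorf("unsupported wire type %d", f.WireType)
		}
		out = append(out, f)
	}
	return out, nil
}

// Minimal encoder, used only to build the constructed sample below.
func appendVarint(b []byte, v uint64) []byte {
	var tmp [binary.MaxVarintLen64]byte
	return append(b, tmp[:binary.PutUvarint(tmp[:], v)]...)
}
func appendVarintField(b []byte, num int, v uint64) []byte {
	return appendVarint(appendVarint(b, uint64(num)<<3), v)
}
func appendBytesField(b []byte, num int, data []byte) []byte {
	return append(appendVarint(appendVarint(b, uint64(num)<<3|2), uint64(len(data))), data...)
}
func withLength(msg []byte) []byte {
	return append([]byte{byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

// SampleStream is a constructed stand-in for a Follow TCP Stream raw export: a login-style message
// followed by a heartbeat-style one. Field numbers and values are invented; the game's real .proto is not on the page.
func SampleStream() []byte {
	head := appendVarintField(appendVarintField(nil, 1, 303), 2, 26)   // CMDID, ReqID
	body := appendVarintField(appendVarintField(nil, 1, 1042), 2, 1)   // PlatID, ChanID
	login := appendBytesField(appendBytesField(nil, 1, head), 2, body) // CSHead, CSBody
	login = appendVarintField(login, 3, 12516300)                      // ExtA
	heart := appendBytesField(nil, 1, appendVarintField(appendVarintField(nil, 1, 303), 2, 27))
	heart = appendBytesField(heart, 2, nil) // empty CSBody
	return append(withLength(login), withLength(heart)...)
}
```

Run SplitFrames over the export, then WalkFields over each frame and again over the Bytes of the length-delimited fields to see the head and body one level down. If the first frame's prefix does not match the real export, the assumption about the prefix (endianness, or whether it counts itself) is wrong and the error from SplitFrames shows by how much; that check is cheaper than guessing at proto.Unmarshal errors.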