Wireshark (formerly Ethereal) is a network packet analyzer. A packet analyzer captures the packets passing through a network interface and displays their contents in as much detail as it can. On Windows, Wireshark reads raw frames from the network card through a capture driver (WinPcap when this tutorial was written; current releases ship Npcap instead). Many people download the program and then ask how to actually capture packets with it, and there is no Wireshark tutorial to hand, so this one walks through the basics.
Starting a capture
Start screen
Wireshark captures the packets of one network card on the machine. If the machine has several network cards, you have to pick the one to capture on.
Click Capture -> Interfaces... The dialog box below appears; select the correct network card, then click the "Start" button to begin capturing. Capturing needs access to the capture driver, so on Linux you must run Wireshark as root or as a member of the group that owns the capture device, and on Windows the capture driver must be installed.
Introduction to the Wireshark window
The Wireshark window is divided into these areas:
1. Display Filter: a text field for filtering which captured packets are shown
2. Packet List Pane: one row per captured packet with its source address, destination address, protocol and ports. Different colors mark different protocols.
3. Packet Details Pane: the fields of the selected packet, decoded layer by layer
4. Dissector Pane: the raw bytes of the selected packet in hexadecimal (Wireshark itself calls this the Packet Bytes pane)
5. Miscellaneous: the status bar and the other controls around the panes
Filtering is essential. A beginner who captures without a filter gets thousands or tens of thousands of records, most of them irrelevant, and it becomes very hard to find the part that matters.
Filters let us pull the information we need out of that mass of data quickly.
There are two kinds of filter, and they use different syntaxes:
One is the display filter, the field on the main window. It hides records from a capture that has already been taken, so it can be changed at any time without losing data; its syntax is Wireshark's own, for example tcp.port == 80.
The other is the capture filter, which decides which packets are recorded in the first place so the capture does not grow too large. It is set under Capture -> Capture Filters and uses libpcap/BPF syntax, for example tcp port 80. Packets a capture filter drops are gone for good, so when in doubt capture broadly and narrow down with a display filter.
Saving a filter
Type the filter expression in the Filter field, click the Save button and give it a name, for example "Filter 102".
A "Filter 102" button then appears on the Filter bar, and clicking it applies that expression again.
Rules for filter expressions
1. Protocol filtering
For example, tcp shows only packets that contain a TCP layer. A bare protocol name (tcp, udp, http, dns, arp) is a presence test.
2. IP filtering
For example, ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102,
ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102, and ip.addr == 192.168.1.102 shows packets where either address matches.
3. Port filtering
tcp.port == 80 shows packets whose source or destination TCP port is 80.
tcp.srcport == 80 shows only packets whose source TCP port is 80 (tcp.dstport == 80 does the same for the destination port).
4. HTTP filtering
http.request.method == "GET" shows only HTTP GET requests.
5. Logical operators are and (also written &&), or (also written ||) and not (also written !). and binds tighter than or, and parentheses group, for example ip.src == 192.168.1.102 and (tcp.dstport == 80 or tcp.dstport == 443).
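To make these rules concrete, here is an added example (written for this page; it is not part of the original tutorial and not Wireshark's own code): a small Python evaluator for the subset of display-filter syntax used above, run over a handful of constructed packet records. It shows the points beginners usually trip on: a bare protocol name is a presence test, tcp.port matches either the source or the destination port, and binds tighter than or, and &&, || and ! are synonyms for and, or and not. The packet records, the server address 203.0.113.10 and the ports other than 80 are made up.

```python
"""Evaluate the subset of Wireshark display-filter syntax used in this tutorial
over constructed packet summaries (made-up records, not a real capture)."""
import re

# Each record holds the fields Wireshark would dissect for that packet. The
# presence of a field implies the presence of its protocol layer.
PACKETS = [
    {"frame": 1, "ip.src": "192.168.1.102", "ip.dst": "203.0.113.10",
     "tcp.srcport": 49152, "tcp.dstport": 80},
    {"frame": 2, "ip.src": "203.0.113.10", "ip.dst": "192.168.1.102",
     "tcp.srcport": 80, "tcp.dstport": 49152},
    {"frame": 3, "ip.src": "192.168.1.102", "ip.dst": "203.0.113.10",
     "tcp.srcport": 49152, "tcp.dstport": 80, "http.request.method": "GET"},
    {"frame": 4, "ip.src": "192.168.1.102", "ip.dst": "192.168.1.1",
     "udp.srcport": 51000, "udp.dstport": 53, "dns.qry.name": "www.cr173.com"},
]

_TOKEN = re.compile(r'\s*(\(|\)|==|!=|&&|\|\||!|"[^"]*"|[\w.]+)')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def field_values(pkt, name):
    """tcp.port / udp.port are shorthand for 'source port or destination port'."""
    if name.endswith(".port"):
        proto = name[:-5]
        return [v for k, v in pkt.items() if k in (proto + ".srcport", proto + ".dstport")]
    return [pkt[name]] if name in pkt else []


def has_protocol(pkt, proto):
    """A bare protocol name matches any packet that carries that layer."""
    return any(k == proto or k.startswith(proto + ".") for k in pkt)


def _eq(value, literal):
    """Numeric fields (ports) compare as integers, text fields as strings."""
    try:
        return value == (int(literal) if isinstance(value, int) else literal)
    except ValueError:
        return False


class DisplayFilter:
    """Recursive-descent parser that turns a filter string into a predicate.
    or := and (('or'|'||') and)* ; and := not (('and'|'&&') not)*
    not := ('not'|'!') not | primary ; primary := '(' or ')' | field ('=='|'!=') value | proto"""

    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0
        self.predicate = self._or()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        left = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._not())
        return left

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            inner = self._not()
            return lambda p: not inner(p)
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        if self._peek() in ("==", "!="):
            op, literal = self._take(), self._take()
            if literal is None:
                raise SyntaxError(f"missing value after {op}")
            literal = literal.strip('"')
            equals = lambda p: any(_eq(v, literal) for v in field_values(p, tok))
            # Wireshark 3.6 redefined "a != b" as "!(a == b)"; follow that here.
            return equals if op == "==" else (lambda p: not equals(p))
        return lambda p: has_protocol(p, tok)

    def __call__(self, pkt):
        return self.predicate(pkt)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers the filter keeps, like the Packet List pane would."""
    flt = DisplayFilter(expr)
    return [p["frame"] for p in packets if flt(p)]
```

Running apply_filter("tcp.port == 80") keeps frames 1, 2 and 3 because the port matches in either direction, while apply_filter("tcp.srcport == 80") keeps only frame 2, the server's reply; apply_filter("tcp.port == 80 and ip.src == 192.168.1.102 or dns") keeps frames 1, 3 and 4 because and is evaluated before or.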
Common filter expressions
Packet List Pane
The packet list shows, for each packet, its number, timestamp, source address, destination address, protocol, length and a one-line summary (Info). Different protocols are displayed in different colors.
The coloring rules can be viewed and changed under View -> Coloring Rules.
Packet Details Pane
This is the most important panel: it lets you inspect every field of every protocol layer in the selected packet.
Each top-level row is one layer, from the bottom of the stack upwards:
Frame: capture metadata for the frame (arrival time, frame length, capturing interface), which this tutorial places at the physical layer
Ethernet II: data link layer, the Ethernet frame header
Internet Protocol Version 4: Internet layer, the IP header
Transmission Control Protocol: transport layer, the segment header, here TCP
Hypertext Transfer Protocol: application layer data, here HTTP
Contents of a TCP segment
The figure below shows each field of the TCP header as Wireshark dissects it: source and destination port, sequence number, acknowledgment number, header length, flags, window size, checksum and urgent pointer.
With that preliminary understanding of Wireshark, let's look at an example: the TCP three-way handshake.
The three-way handshake is usually drawn as follows:
This diagram appears in every networking course; this time we use Wireshark to watch the handshake happen on the wire.
Start a capture in Wireshark, then open a browser and enter http://www.cr173.com
Type http in the Wireshark display filter, select the record GET /tankxiao HTTP/1.1, right-click it and choose "Follow TCP Stream".
This isolates the packets of the TCP connection the browser used to fetch that page (Wireshark does it by applying the display filter tcp.stream eq N for that connection), and you get the picture below.
As the figure shows, Wireshark captured the three packets of the handshake. The fourth packet is HTTP, which confirms that HTTP is carried over a TCP connection.
First handshake packet
The client sends a TCP segment with the SYN flag set and sequence number 0; this asks the server to open a connection. As shown below. Note that Wireshark shows relative sequence numbers by default, so the 0 here is the client's initial sequence number (ISN) rebased to zero; the value actually on the wire is a random 32-bit number. To see the raw values, turn off "Relative sequence numbers" under Edit -> Preferences -> Protocols -> TCP.
Second handshake packet
The server sends back a segment with the flags SYN, ACK. Its acknowledgment number is the client's ISN plus 1, that is 0 + 1 = 1 in relative terms, and its own sequence number is the server's ISN, also shown as 0. As shown below.
Third handshake packet
The client sends an acknowledgment (ACK) in turn, with the SYN flag 0 and the ACK flag 1. Its acknowledgment number is the server's ISN plus 1 (shown as 1), and its own sequence number is the client's ISN plus 1 (also shown as 1), because the SYN consumed one sequence number. As shown below:
With that, the connection is established through the TCP three-way handshake.
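The layer walk of the Packet Details pane and the handshake arithmetic above can be checked without a live capture. The following is an added example (written for this page, not code from the original tutorial or from Wireshark): it builds three Ethernet II / IPv4 / TCP frames for a hypothetical handshake, decodes them layer by layer in the order the Packet Details pane lists them, and reproduces Wireshark's relative sequence numbers from the raw ISNs. The MAC addresses, the server address 203.0.113.10, the client port 49152 and the ISNs are constructed values; the client address 192.168.1.102 and server port 80 come from the tutorial.

```python
"""Decode constructed Ethernet II / IPv4 / TCP frames the way Wireshark's Packet
Details pane does, then check the three-way handshake seq/ack arithmetic."""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src_mac: str
    dst_mac: str
    ip_src: str
    ip_dst: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def flag_names(self):
        names = (("SYN", SYN), ("ACK", ACK), ("FIN", FIN), ("RST", RST), ("PSH", PSH))
        return ", ".join(n for n, bit in names if self.flags & bit)


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, ip_src, ip_dst, sport, dport, seq, ack, flags):
    """Minimal Ethernet II + IPv4 + TCP frame, no options, no payload. Constructed
    test data: checksums are left at zero (Wireshark would mark them bad, which
    does not affect dissection)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags,     # data offset = 5 words, then flag bits
                      65535, 0, 0)           # window, checksum, urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, _ip4(ip_src), _ip4(ip_dst))   # protocol 6 = TCP
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")  # 0x0800 = IPv4
    return eth + ip + tcp


def parse_frame(raw):
    """Walk the layers as the Packet Details pane lists them:
    Ethernet II -> Internet Protocol Version 4 -> Transmission Control Protocol."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return Segment(_mac(raw[6:12]), _mac(raw[0:6]),
                   ".".join(str(b) for b in ip[12:16]),
                   ".".join(str(b) for b in ip[16:20]),
                   sport, dport, seq, ack, off_flags & 0x1FF)


def handshake_frames():
    """Three constructed frames of one handshake. The ISNs are arbitrary non-zero
    values (hypothetical, not from a real capture) so that the 0 and 1 Wireshark
    displays can be seen to be relative numbers rather than wire values."""
    client, server = "192.168.1.102", "203.0.113.10"
    cmac, smac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    client_isn, server_isn = 0x7A3F1C20, 0x1D9E4B77
    return [
        build_frame(cmac, smac, client, server, 49152, 80, client_isn, 0, SYN),
        build_frame(smac, cmac, server, client, 80, 49152, server_isn, client_isn + 1, SYN | ACK),
        build_frame(cmac, smac, client, server, 49152, 80, client_isn + 1, server_isn + 1, ACK),
    ]


def relative_numbers(frames):
    """Reproduce Wireshark's default 'Relative sequence numbers': each side's ISN is
    subtracted, so the handshake reads seq 0 / seq 0 ack 1 / seq 1 ack 1.
    Returns (flags, relative seq, relative ack) per segment."""
    isn, out = {}, []
    for seg in map(parse_frame, frames):
        me, peer = (seg.ip_src, seg.src_port), (seg.ip_dst, seg.dst_port)
        isn.setdefault(me, seg.seq)          # a side's first segment carries its ISN
        rel_ack = seg.ack - isn[peer] if seg.flags & ACK else 0
        out.append((seg.flag_names(), seg.seq - isn[me], rel_ack))
    return out


def check_handshake(frames):
    """The two facts the tutorial points at: the SYN-ACK acknowledges client ISN + 1,
    and the final ACK acknowledges server ISN + 1 while its own seq is client ISN + 1."""
    a, b, c = map(parse_frame, frames)
    return (a.flags == SYN
            and b.flags == (SYN | ACK) and b.ack == a.seq + 1
            and c.flags == ACK and c.ack == b.seq + 1 and c.seq == a.seq + 1)
```

relative_numbers(handshake_frames()) yields ("SYN", 0, 0), ("SYN, ACK", 0, 1) and ("ACK", 1, 1), exactly the Seq and Ack columns the tutorial's screenshots show, while parse_frame(...).seq on the same frames returns the raw 32-bit ISNs; the difference is the relative-numbering preference, not the wire.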