ICMP protocol packet for wireshark packet capture analysis

1. Introduction to Wireshark (formerly Ethereal; renamed Wireshark in 2006)

Wireshark is a network packet analyser. A packet analyser captures network packets and displays their contents in as much detail as possible. Wireshark does not talk to the network card itself: it captures through libpcap on Linux and macOS and through Npcap (formerly WinPcap) on Windows, which hand it the raw frames from the interface.

(1) Function: capturing and analysing network traffic
(2) Working principle:

i. Capture the raw binary traffic from the interface (via libpcap/Npcap).
ii. Reassemble the captured bytes into frames and packets.
iii. Dissect the packets, identifying the protocol at each layer and decoding its fields.

(3) Advantages:

i. Open source and free
ii. Cross-platform
iii. Graphical: every packet is shown as a dissected protocol tree
iv. Powerful: a large library of protocol dissectors, plus filtering, statistics and graphs

2. Wireshark quick packet-analysis tips

  1. Decide where Wireshark sits in the network (the host or segment you capture on determines which traffic you can see).

  2. Select the capture interface.

  3. Use capture filters (BPF syntax, applied while capturing; packets that do not match are never stored).

  4. Use display filters (Wireshark's own syntax, applied to the packets already captured).

  5. Use coloring rules.

  6. Build graphs (e.g. the I/O graph under Statistics).

3. ICMP packet capture analysis with Wireshark

  1. Introduction to ICMP: the Internet Control Message Protocol is a connectionless protocol for carrying error reports and control information. It is a network-layer protocol (IP protocol number 1) used between hosts and routers to report errors and to exchange limited control and status information. A host or router sends an ICMP message automatically when, for example, a datagram cannot reach its destination or a router cannot forward packets at the rate they arrive. ICMP matters for network security: it underlies ping and traceroute, it is used for host discovery during scanning, and for that reason it is often filtered or rate-limited at network boundaries.
    Its main functions include: testing whether a remote host is reachable (Echo Request/Reply), reporting unreachable destinations (Destination Unreachable), router discovery (Router Advertisement/Solicitation), redirecting traffic to a better next hop (ICMP Redirect), and, historically, flow control (Source Quench, now deprecated).

  2. Start Wireshark: Kali Linux ships with Wireshark (it can also be downloaded from the official site). Run it from a terminal:
    wireshark
    (a non-root user needs capture permission, e.g. membership of the wireshark group on Debian-based systems).

  3. Select the network interface (eth0 here; choose whichever interface carries the traffic you want):
    double-click eth0 to open the capture window and start capturing

  4. Generate a specific ICMP packet: in another terminal run ping www.baidu.com -c 1, which sends exactly one Echo Request; once the request and its reply have been captured, stop the capture. Baidu is used as the example target.

  5. Set a display filter:
    only the ICMP packets generated by pinging Baidu are of interest here, so combine the protocol and the address:
    icmp && ip.addr==39.156.66.14 (Baidu's IP address at the time of the capture)
    Combining the two with || instead would show every ICMP packet on the interface plus all other traffic to or from that address, not just the ping.

Common display filters:

Filter by IP address:
ip.src == 192.168.191.2 and ip.dst == 203.119.244.222 // one direction only: the source is the first address and the destination the second (use ip.addr == X, as in the filter above, to match a host as either source or destination)
ip.src == xxxx // filter by the source address that initiated the request
ip.dst == xxx // filter by destination IP
Filter by port:
tcp.port >= 1 and tcp.port <= 80 // port range
tcp.dstport == 80 // only TCP packets with destination port 80
tcp.srcport == 80 // only TCP packets with source port 80
tcp.port == 80 // port 80 whether it is the source or the destination port

Press Enter to apply the filter; the packet list now shows only the filtered ICMP packets.

  6. Interpreting an ICMP packet. The packet-details pane shows one node per layer:
(1)	Frame: Wireshark's summary of the captured frame (arrival time, length, capture interface)
(2)	Ethernet II: data-link-layer Ethernet header (source and destination MAC addresses, EtherType)
(3)	Internet Protocol Version 4: network-layer IPv4 header (addresses, TTL, protocol number 1 for ICMP, header checksum)
(4)	Internet Control Message Protocol: the ICMP message itself

ICMP request packet (Echo Request):

Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0                           Type 8, code 0: Echo Request, i.e. a ping request
    Checksum: 0x3513 [correct]        one's-complement checksum over the ICMP header and data, used to detect corruption
    [Checksum Status: Good]           Wireshark recomputed the checksum and it matches
    Identifier (BE): 13969 (0x3691)   identifies the sending ping process; the reply returns this field unchanged
    Identifier (LE): 37174 (0x9136)   the same 16-bit field read little-endian (Wireshark shows both because some ping implementations write it in host byte order)
    Sequence Number (BE): 1 (0x0001)  sequence number, returned together with the identifier
    Sequence Number (LE): 256 (0x0100)
    [Response frame: 9]               frame number of the matching reply
    Timestamp from icmp data: Nov  8, 2022 17:15:51.000000000 CST   send time that Linux ping stores in the first 8 bytes of the data
    [Timestamp from icmp data (relative): 0.919064170 seconds]
    Data (48 bytes)                   padding data, 48 bytes

ICMP reply packet (Echo Reply):

Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0                           Type 0, code 0: Echo Reply
    Checksum: 0x3d13 [correct]        differs from the request only because the Type byte changed from 8 to 0 (0x3513 + 0x0800)
    [Checksum Status: Good]
    Identifier (BE): 13969 (0x3691)   same identifier as the request
    Identifier (LE): 37174 (0x9136)
    Sequence Number (BE): 1 (0x0001)  same sequence number as the request
    Sequence Number (LE): 256 (0x0100)
    [Request frame: 8]                frame number of the matching request
    [Response time: 29.970 ms]        round-trip time, computed from the capture timestamps of the two frames
    Timestamp from icmp data: Nov  8, 2022 17:15:51.000000000 CST
    [Timestamp from icmp data (relative): 0.949034665 seconds]
    Data (48 bytes)                   padding data, copied back from the request
  7. Working process:
    The sending host emits an ICMP Echo Request; the receiver answers with an ICMP Echo Reply that carries the same identifier and sequence number and a copy of the request's data, so the sender can match the two and measure the round-trip time.
    ICMP uses the Type and Code fields to tell the receiving host which condition is being signalled: Echo Request (8) and Echo Reply (0) as above, or for example Destination Unreachable (3) and Time Exceeded (11).
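The following Python script is an added example and is not code from the original post. It builds the Echo Request/Reply exchange described above layer by layer (Ethernet II, IPv4, ICMP, the same tree Wireshark shows in step 6), computes the RFC 1071 checksums that Wireshark marks [correct], dissects the frames back into the fields shown in the packet details including the BE/LE readings of Identifier and Sequence Number, pairs the reply with its request the way the [Request frame]/[Response frame]/[Response time] fields do, and writes a pcap file that can be opened in Wireshark to try the display filter icmp && ip.addr==39.156.66.14 from step 5. The IP addresses and the identifier 0x3691 come from the page's capture; the MAC addresses, payload bytes and timestamps are constructed for the example.

```python
import socket
import struct

# Constructed example values. The IP addresses and the identifier come from the
# page's capture; the MACs, payload pattern and timestamps are assumptions.
SRC_IP = "192.168.191.2"
DST_IP = "39.156.66.14"
SRC_MAC = bytes.fromhex("020000000001")   # locally administered, made up
DST_MAC = bytes.fromhex("020000000002")
ECHO_ID = 0x3691                          # Identifier (BE) 13969 as on the page
T_REQUEST = 1667898951.919064             # 2022-11-08 17:15:51 CST plus 0.919064 s
T_REPLY = T_REQUEST + 0.029970            # reply arrives 29.970 ms later
# Linux ping stores an 8-byte send time at the start of the data, then a 0x10.. pattern;
# Wireshark shows these as "Timestamp from icmp data" and "Data (48 bytes)".
PAYLOAD = struct.pack("<II", 1667898951, 0) + bytes(range(0x10, 0x40))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (IPv4 and ICMP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Type 8 = Echo Request, type 0 = Echo Reply; the code is 0 for both."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)      # the ICMP checksum covers header and data
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options; protocol 1 is ICMP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(hdr)             # the IPv4 checksum covers the header only
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_frame(src_mac: bytes, dst_mac: bytes, ip_packet: bytes) -> bytes:
    """Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4)."""
    return dst_mac + src_mac + b"\x08\x00" + ip_packet


def swap16(value: int) -> int:
    # the same 16-bit field read in the other byte order (Wireshark's BE/LE lines)
    return struct.unpack("<H", struct.pack(">H", value))[0]


def parse_icmp_frame(frame: bytes) -> dict:
    """Dissect Ethernet II -> IPv4 -> ICMP into the fields Wireshark's tree shows."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 1:
        raise ValueError("not an ICMP packet")
    total_len = struct.unpack("!H", ip[2:4])[0]
    icmp = frame[14 + ihl:14 + total_len]
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
        "icmp.type": icmp_type, "icmp.code": code, "icmp.checksum": csum,
        # summing a message that carries a correct checksum yields 0 (Checksum Status: Good)
        "icmp.checksum_ok": inet_checksum(icmp) == 0,
        "icmp.ident_be": ident, "icmp.ident_le": swap16(ident),
        "icmp.seq_be": seq, "icmp.seq_le": swap16(seq),
        "icmp.data_len": len(icmp) - 8,
    }


def pair_echoes(frames: list) -> list:
    """Match replies to requests by (identifier, sequence) like Wireshark's [Response frame]/[Response time]."""
    pending, pairs = {}, []
    for n, (ts, frame) in enumerate(frames, start=1):   # Wireshark numbers frames from 1
        p = parse_icmp_frame(frame)
        key = (p["icmp.ident_be"], p["icmp.seq_be"])
        if p["icmp.type"] == 8:
            pending[key] = (n, ts)
        elif p["icmp.type"] == 0 and key in pending:
            req_n, req_ts = pending.pop(key)
            pairs.append({"request_frame": req_n, "response_frame": n,
                          "rtt_ms": round((ts - req_ts) * 1000, 3)})
    return pairs


def build_demo_frames() -> list:
    """The exchange `ping -c 1` produces: one Echo Request and its Echo Reply, as (ts, bytes)."""
    req = build_icmp_echo(8, ECHO_ID, 1, PAYLOAD)
    rep = build_icmp_echo(0, ECHO_ID, 1, PAYLOAD)      # reply copies identifier, seq and data
    return [(T_REQUEST, build_frame(SRC_MAC, DST_MAC, build_ipv4(SRC_IP, DST_IP, req))),
            (T_REPLY, build_frame(DST_MAC, SRC_MAC, build_ipv4(DST_IP, SRC_IP, rep)))]


def write_pcap(path: str, frames: list) -> None:
    """Classic pcap file (magic 0xA1B2C3D4, link type 1 = Ethernet) for opening in Wireshark."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for ts, frame in frames:
            sec = int(ts)
            f.write(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    demo = build_demo_frames()
    write_pcap("icmp_demo.pcap", demo)   # open in Wireshark and apply: icmp && ip.addr==39.156.66.14
    print(pair_echoes(demo))
```

Running the script writes icmp_demo.pcap with two 98-byte frames; opening it in Wireshark reproduces the tree from step 6, with Identifier 13969 (BE) / 37174 (LE), Sequence Number 1 (BE) / 256 (LE), both checksums marked correct, and a Response time of 29.970 ms. The reply's checksum is exactly 0x0800 higher than the request's, the same relationship as between 0x3513 and 0x3d13 in the page's capture, because only the Type byte differs.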
    4. Lessons from learning and using Wireshark
    By learning and using Wireshark I can learn the various computer-network protocols better. Building on theoretical study, hands-on practice lets me understand how the various protocols work more deeply and remember them more firmly.

Origin blog.csdn.net/m0_56272023/article/details/127757046