Wireshark software introduction and packet capture principle

Software overview: Wireshark is currently the most widely used open-source packet capture and analysis tool in the world. Formerly known as Ethereal, it was written by Gerald Combs and released under the GPL open-source license in 1998.

Software features:

  • Analyze network underlying protocols
  • Troubleshoot network failures
  • Look for cybersecurity issues

Relevant websites for learning more:

  • Wireshark · Go Deep (the official Wireshark site)
  • Chappell University | Wireshark Training

Packet capture principle:

In which network environments can packets be captured?

Local environment: directly capture the traffic entering and leaving the local network interface card.

Hub environment: a hub repeats every frame out of all its ports, so all attached hosts share one collision domain and every host sees all traffic.

Switch environment:

  • Port mirroring: the switch copies the traffic of one port and forwards it to another port, where the capture host is connected
  • ARP spoofing: an attack technique in which a host impersonates the destination host so that traffic is sent to it and can be captured
  • MAC flooding: an attack technique in which a large number of frames with different source MAC addresses are sent to the switch. Once the switch's MAC address table is full, the earlier entries are discarded (this depends on the device: some switches stop learning new MAC addresses and wait for the existing entries to age out), after which the switch floods the data to all ports

What is the underlying architecture of packet capture?

[Figure: Wireshark packet capture architecture diagram (image not available)]

GTK1/2: the graphical user interface toolkit, which handles user input and the display of output

Core: the core engine, which connects the other modules together through function calls and coordinates their work

Wiretap: file format support; reads packets from capture files and supports many file formats

Capture: the packet capture engine, which uses libpcap/WinPcap to capture network packets from the lowest layer. libpcap/WinPcap provides a generic packet capture interface that can capture traffic from different types of network interfaces (ATM, Ethernet, etc.)

Win-/libpcap: the library files that Wireshark depends on when capturing packets
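The following example is added here and is not code from the original post or from the Wireshark project. It ties together two points above: it reads the classic pcap file format that Wiretap handles (24-byte global header followed by 16-byte record headers), and it walks the ARP frames in that capture from a defender's viewpoint, flagging any IP address that is claimed by more than one MAC address, which is the trace an ARP spoofing attempt in a switched network leaves behind (Wireshark's ARP dissector raises a similar "duplicate IP address" warning). The capture bytes, the MAC and IP addresses and the timestamps are all constructed inline for the example; nothing is read from a real interface.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record of a classic pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number also reveals the byte order the writer used.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return oper, mac_str(arp[8:14]), ip_str(arp[14:18]), mac_str(arp[18:24]), ip_str(arp[24:28])


def find_arp_conflicts(pcap_bytes):
    """Map each sender IP to the MACs that claimed it; return the IPs claimed by more than one MAC."""
    claims = defaultdict(set)
    for _ts_sec, _ts_usec, frame in parse_pcap(pcap_bytes):
        arp = parse_arp(frame)
        if arp is None:
            continue                     # non-ARP frames are ignored
        oper, sender_mac, sender_ip, _tha, _tpa = arp
        if oper in (1, 2):               # request or reply: both carry a sender binding
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def build_sample_pcap():
    """Constructed sample capture (not real traffic): a normal ARP exchange, then a second MAC claiming the gateway IP."""
    broadcast = b"\xff" * 6
    host_a = bytes.fromhex("aaaaaaaaaaaa")
    gateway = bytes.fromhex("111111111111")
    rogue = bytes.fromhex("eeeeeeeeeeee")     # hypothetical second station
    ip_a = bytes([192, 168, 1, 10])
    ip_gw = bytes([192, 168, 1, 1])

    def arp_frame(dst, src, oper, sha, spa, tha, tpa):
        eth = dst + src + struct.pack("!H", ETHERTYPE_ARP)
        return eth + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper) + sha + spa + tha + tpa

    frames = [
        arp_frame(broadcast, host_a, 1, host_a, ip_a, b"\x00" * 6, ip_gw),   # who has 192.168.1.1?
        arp_frame(host_a, gateway, 2, gateway, ip_gw, host_a, ip_a),         # legitimate reply
        arp_frame(host_a, rogue, 2, rogue, ip_gw, host_a, ip_a),             # second MAC claims the same IP
        host_a + gateway + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27,  # non-ARP frame, skipped
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    for ip, macs in find_arp_conflicts(SAMPLE_PCAP).items():
        print("IP %s claimed by several MACs: %s" % (ip, ", ".join(macs)))
```

The same `find_arp_conflicts` can be pointed at a real Wireshark capture saved in classic pcap format (`open(path, "rb").read()`); captures saved as pcapng use a different container and are deliberately rejected by the magic-number check.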

 

 


Origin blog.csdn.net/m0_62621003/article/details/131345043