Wireshark for network engineers: from beginner to proficient

Packet capture is basic knowledge that every technical person should have. Support staff, operations staff and developers all run into situations where they need to capture traffic. The common tools are Fiddler and Wireshark; for someone who does not capture packets every day, learning Wireshark is enough, since it is the most complete and most widely used packet analyzer.

Wireshark (formerly known as Ethereal) is a network packet analyzer. Its job is to capture packets from a network interface and display their contents in as much detail as possible. Wireshark does not talk to the network card itself; it reads raw frames through the pcap capture library (libpcap on Linux and macOS, Npcap on Windows, which replaced the older WinPcap).

A packet analyzer is to the network what a multimeter is to an electrician measuring current, voltage and resistance: the same idea, with network cables in place of wires. Packet analyzers used to be expensive commercial products. Ethereal changed that: released under the GNU GPL, it can be obtained free of charge together with its source code, which users may modify and customize. Today Wireshark is the most widely used packet analyzer in the world.

The official download site of wireshark:http://www.wireshark.org

Wireshark is a very popular and very capable packet analyzer: it captures all kinds of network traffic and shows the detailed contents of each packet.

Wireshark is open source (GPL) and runs on Windows, macOS and Linux.

What Wireshark can't do

Wireshark is a passive analyzer: it captures and dissects packets, but it does not modify them and does not send packets. That is a design choice (it is an observation tool), not a security restriction; crafting, editing or replaying packets is the job of other tools such as Scapy or tcpreplay.

Wireshark vs Fiddler

  • Fiddler is a Windows program that works as an HTTP/HTTPS proxy: it sits between the browser and the server and can show HTTPS in the clear because the browser is configured to trust Fiddler's certificate.
  • Wireshark captures everything on the wire, HTTP and HTTPS included, but by itself it only sees the encrypted TLS records of an HTTPS connection. It can decrypt them only if you give it the keys: the per-session secrets that browsers write when the SSLKEYLOGFILE environment variable is set (configured under Edit -> Preferences -> Protocols -> TLS, "(Pre)-Master-Secret log filename"), or the server's RSA private key for old connections that use RSA key exchange without forward secrecy.

Other tools of the same kind

  • Microsoft Network Monitor
  • Sniffer
  • tcpdump (command-line capture using the same pcap library; its capture files open directly in Wireshark)

Who uses Wireshark

  1. Network administrators use Wireshark to troubleshoot network problems

  2. Software test engineers capture packets to analyze the software under test

  3. Engineers doing socket programming use Wireshark to debug their code

  4. I have heard that most engineers at Huawei and ZTE use Wireshark.

In short, anyone whose work touches the network may end up using Wireshark.

Starting a capture in Wireshark

Start interface

Wireshark captures the packets of one network interface on the local machine. When the machine has several interfaces, you must choose the right one (the welcome screen shows a small live traffic graph next to each interface, which helps).

Click Capture -> Interfaces... (Capture -> Options in current versions, or double-click the interface on the welcome screen), select the correct interface in the dialog that appears, then click the "Start" button to begin capturing.

Wireshark window introduction

The Wireshark window is divided into these areas:

  1. Display Filter bar, used to filter the packet list

  2. Packet List Pane, one line per captured packet with number, time, source and destination address, protocol and info (ports appear in the Info column); different colors mark different protocols

  3. Packet Details Pane, showing the dissected fields of the selected packet, one protocol layer per tree node

  4. Packet Bytes Pane, the raw bytes of the selected packet as a hexadecimal and ASCII dump

  5. Status bar (miscellaneous: capture file information, the name of the selected field, packet counts)

Wireshark display filtering

Filtering is essential. Beginners open Wireshark and get thousands or tens of thousands of packets, most of them irrelevant, and cannot find the part they need.

Filters let us find the information we need quickly in a large amount of data.

There are two kinds of filters, and they use different syntaxes:

  • The display filter, in the filter bar on the main window, selects which of the already captured packets are shown. It uses Wireshark's own field syntax, for example tcp.port == 80.
  • The capture filter decides which packets are recorded at all, so that the capture does not grow too large. It uses the libpcap/BPF syntax, for example tcp port 80, and is entered in Capture -> Options (Capture -> Capture Filters... manages the saved ones).

Saving a filter

Type the filter expression in the Filter field, click the Save button and give it a name, for example "Filter 102".

A "Filter 102" button then appears in the filter bar; clicking it applies the saved expression.

Rules for filter expressions

1. Protocol filtering

For example, tcp shows only packets that contain TCP. Protocol names are written in lower case.

2. IP filtering

ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102.

ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.

ip.addr == 192.168.1.102 shows packets in which either address is 192.168.1.102.

3. Port filtering

tcp.port == 80 shows TCP segments whose source or destination port is 80.

tcp.srcport == 80 shows only TCP segments whose source port is 80.

4. HTTP method filtering

http.request.method == "GET" shows only HTTP GET requests.

5. Logical operators

and (or &&) requires both conditions, or (or ||) accepts either, not (or !) negates, and parentheses group. For example: http and ip.addr == 192.168.1.102.

Common filter expressions

  filter expression                                    use
  http                                                 only packets of the HTTP protocol
  ip.src == 192.168.1.102 or ip.dst == 192.168.1.102   source or destination address is 192.168.1.102

Packet List Pane

The packet list shows, for each packet, its number, timestamp, source address, destination address, protocol, length and a one-line summary (Info). Different protocols are displayed in different colors.

You can change the coloring rules under View -> Coloring Rules.

Packet Details Pane

This is the most important panel: it shows every field of every protocol layer in the selected packet.

For a packet carrying HTTP, the tree has one node per layer:

  • Frame: overview of the captured frame as seen at the physical layer (length, capture time, interface)
  • Ethernet II: data link layer, the Ethernet frame header
  • Internet Protocol Version 4: network layer, the IP header
  • Transmission Control Protocol: transport layer, the TCP segment header
  • Hypertext Transfer Protocol: application layer, here the HTTP protocol

Wireshark's protocol layers and the corresponding OSI seven-layer model

The fields of a TCP segment

The figure below shows every field of a TCP segment as dissected by Wireshark: source and destination port, sequence number, acknowledgment number, header length, flags, window size, checksum and urgent pointer.

Example analysis of the TCP three-way handshake

Having seen this, I basically have a preliminary understanding of Wireshark; now let's look at an example of a TCP three-way handshake.

The three-way handshake process is

I have seen this picture many times. This time we use Wireshark to actually analyze the process of the three-way handshake.

Open Wireshark and start a capture, then in a browser open http://www.cnblogs.com/tankxiao

Enter http in the Wireshark filter bar, select the GET /tankxiao HTTP/1.1 record, right-click and choose "Follow TCP Stream".

This selects only the packets belonging to the connection the browser used to open the site, and you get the following picture.

In the figure Wireshark has captured the three packets of the handshake. The fourth packet is the HTTP request, which shows that HTTP does use a TCP connection.

A note on sequence numbers: by default Wireshark shows relative sequence numbers (Edit -> Preferences -> Protocols -> TCP, "Relative sequence numbers"), so each side's initial sequence number (ISN) is displayed as 0. The real ISN on the wire is a random 32-bit value; turn the preference off to see it.

First handshake packet

The client sends a TCP segment with the SYN flag set and sequence number 0 (relative), asking to establish a connection, as shown below.

Second handshake packet

The server replies with a segment whose flags are SYN and ACK. Its acknowledgment number is the client's ISN plus 1, i.e. 0 + 1 = 1 in the relative view, and it carries the server's own ISN, shown as 0, as shown below.

Third handshake packet

The client sends an acknowledgment: the SYN flag is 0 and the ACK flag is 1. The acknowledgment number is the server's ISN plus 1 (shown as 1), and the sequence number is the client's ISN plus 1 (shown as 1), as shown below.

With that the three-way handshake is complete and the connection is established. Only then does the client send the HTTP request, which starts at relative sequence number 1.
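The handshake walked through above, as an added example that is not part of the original post: the script builds the three segments as raw bytes (with a valid TCP checksum over the IPv4 pseudo-header), dissects them back the way the Packet Details pane does, and prints the sequence and acknowledgment numbers relative to each side's ISN, which is exactly the Seq=0 / Ack=1 view Wireshark shows by default. The addresses 192.168.1.106 and 192.168.1.10, the ports and the ISNs are constructed values, not captured traffic; the client ISN is deliberately 0xFFFFFFFF so the example also covers the 32-bit wrap-around.

```python
# Added example, not part of the original post: build the three segments of a
# TCP handshake as raw bytes, dissect them, and show sequence numbers the way
# Wireshark does by default, relative to each side's initial sequence number.
# Addresses, ports and ISNs are constructed values, not a real capture.
import struct

MASK = 0xFFFFFFFF            # TCP sequence numbers are 32-bit and wrap around
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH")]


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6 = TCP)."""
    return struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Return a 20-byte TCP header (no options) plus payload with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & MASK, ack & MASK,
                      5 << 4, flags, 65535, 0, 0)    # data offset 5 words, checksum 0 for now
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def verify_checksum(src_ip, dst_ip, segment):
    """With a correct checksum the sum over pseudo-header + segment folds to zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment):
    """Dissect the fixed TCP header: the fields Wireshark's TCP tree shows."""
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK),
            "window": win, "payload": segment[hlen:]}


def handshake(client_ip, server_ip, cport, sport, client_isn, server_isn):
    """The three segments of a handshake as (src_ip, dst_ip, bytes) in wire order."""
    syn = build_tcp(client_ip, server_ip, cport, sport, client_isn, 0, SYN)
    synack = build_tcp(server_ip, client_ip, sport, cport, server_isn, client_isn + 1, SYN | ACK)
    ack = build_tcp(client_ip, server_ip, cport, sport, client_isn + 1, server_isn + 1, ACK)
    return [(client_ip, server_ip, syn), (server_ip, client_ip, synack), (client_ip, server_ip, ack)]


def relative_view(flow):
    """Rewrite seq/ack relative to each direction's ISN, which is what Wireshark
    displays while 'Relative sequence numbers' is on (the default)."""
    isn, rows = {}, []
    for _, _, seg in flow:
        p = parse_tcp(seg)
        fwd, rev = (p["sport"], p["dport"]), (p["dport"], p["sport"])
        if p["syn"] and fwd not in isn:
            isn[fwd] = p["seq"]                        # the SYN carries this side's ISN
        rel_seq = (p["seq"] - isn[fwd]) & MASK
        rel_ack = (p["ack"] - isn[rev]) & MASK if p["ack_flag"] and rev in isn else None
        names = ", ".join(n for bit, n in FLAG_NAMES if p["flags"] & bit)
        rows.append((names, rel_seq, rel_ack))
    return rows


def check_handshake(flow):
    """True if the three segments form a well-formed SYN / SYN,ACK / ACK exchange."""
    if len(flow) != 3 or not all(verify_checksum(s, d, seg) for s, d, seg in flow):
        return False
    a, b, c = (parse_tcp(seg) for _, _, seg in flow)
    return (a["syn"] and not a["ack_flag"]
            and b["syn"] and b["ack_flag"]
            and (b["sport"], b["dport"]) == (a["dport"], a["sport"])
            and b["ack"] == ((a["seq"] + 1) & MASK)        # server acks client ISN + 1
            and c["ack_flag"] and not c["syn"]
            and c["seq"] == ((a["seq"] + 1) & MASK)        # client continues at ISN + 1
            and c["ack"] == ((b["seq"] + 1) & MASK))       # client acks server ISN + 1


if __name__ == "__main__":
    # client ISN at the top of the 32-bit range: the relative view survives the wrap
    flow = handshake("192.168.1.106", "192.168.1.10", 51234, 80, 0xFFFFFFFF, 2123456789)
    print("well-formed handshake:", check_handshake(flow))
    for names, seq, ack in relative_view(flow):
        print("[%s] Seq=%d" % (names, seq) + ("" if ack is None else " Ack=%d" % ack))
```

Run it and the three rows read [SYN] Seq=0, [SYN, ACK] Seq=0 Ack=1, [ACK] Seq=1 Ack=1, matching the capture described above; the absolute numbers in the returned dictionaries are what you see when the relative-sequence-numbers preference is turned off.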

1. Set the filter conditions

[1] http and ip.addr == 192.168.1.106 and tcp.port == 8080

[a] http: the protocol

[b] ip.addr == 192.168.1.106: the server's IP address; replace it with your own.

[c] tcp.port == 8080: the port number; replace it with your own.

[2] Click Apply

After clicking Apply, two packets remain: the HTTP request and the HTTP response.

2. View the TCP data flow: Follow TCP Stream

[1] Right-click either packet and choose Follow TCP Stream

This selects all the TCP segments belonging to that HTTP exchange, including the three-way handshake and the segmentation and reassembly of the HTTP data.

[2] The result is the HTTP request and response as text

[a] Text on a red background is what the client sent (the HTTP request); text on a blue background is what the server sent (the HTTP response)

[b] The User-Agent header shows that the 360 browser in compatibility mode uses the IE8 engine (this machine runs Windows XP with IE8 installed), i.e. the 360 browser reuses the IE engine present on the system.

The danger of cleartext transmission on the network

Many protocols and tools transmit in clear text; the typical ones are telnet, ftp and http. This experiment uses telnet: I log in to my Linux server over telnet while Wireshark captures, and recover the account name and password from the capture.

1. Start Wireshark and begin a capture. Then log in to the Linux server remotely with telnet.

At the login prompt, enter the account name and password as usual.

2. Stop the capture with the "Stop" button.

A lot of traffic has been captured, so use the Display Filter to narrow it down: click Expression and pick the filter from the list, or simply type telnet.

Apply the expression and only the packets containing TELNET remain.

Now let's look at the whole telnet session. Wireshark can reconstruct the conversation (like the chat history in QQ): pick any telnet packet, right-click, choose "Follow TCP Stream", and Wireshark shows the entire session.

In the window that opens, the red text is the data we sent and the blue text is the data we received. Look closely at what it contains.

To see it more clearly, use the direction drop-down in the Follow TCP Stream window to show only the data we sent, or only the data we received.

From here the account name and password can be read directly: login: wireshark, Password: 123456. Beyond that, the same capture shows which websites or private files someone is viewing; there is no privacy at all. Note that the server echoes the username character by character but does not echo the password, so the password appears only in the client-to-server direction.

Note: to prevent this kind of eavesdropping, use encrypted protocols: SSH instead of telnet, SFTP or FTPS instead of FTP, HTTPS (TLS) instead of HTTP. Anyone who intercepts the traffic then sees only ciphertext. (SSL is the obsolete predecessor of TLS and should no longer be used.)
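The "Follow TCP Stream" step above, as an added example that is not part of the original post: the script reassembles a telnet login from individual segments the way Wireshark does (ordering each direction by sequence number and delivering every byte once, even when a segment arrives out of order or is retransmitted), strips the telnet option negotiation that clutters the raw stream, and then reads the account name and password off the cleartext. The session, the addresses 192.168.1.106 and 192.168.1.10, the port 50712 and the relative sequence numbers are all constructed by hand to mirror the login described in the text; they are not a real capture.

```python
# Added example, not part of the original post: a small "Follow TCP Stream" for a
# Telnet login. It reorders segments per direction by sequence number, drops
# retransmitted bytes, strips Telnet option negotiation, and pulls the username
# and password out of the cleartext. The session below is constructed by hand
# (relative sequence numbers, as Wireshark shows them); it is not a real capture.

CLIENT = ("192.168.1.106", 50712)      # assumed client address and port
SERVER = ("192.168.1.10", 23)          # assumed server address and port

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: IAC + command + option

SAMPLE = [  # (sender, relative seq, payload), in the order the packets were captured
    (SERVER, 1,  b"\xff\xfd\x18\xff\xfd\x20"),        # DO TERMINAL-TYPE, DO TSPEED
    (CLIENT, 1,  b"\xff\xfb\x18\xff\xfc\x20"),        # WILL TERMINAL-TYPE, WONT TSPEED
    (SERVER, 7,  b"Ubuntu 20.04 LTS\r\n"),
    (SERVER, 25, b"ubuntu login: "),
    (CLIENT, 7,  b"w"), (SERVER, 39, b"w"),           # typed one key at a time, echoed by the server
    (CLIENT, 8,  b"i"), (SERVER, 40, b"i"),
    (CLIENT, 9,  b"reshark"), (SERVER, 41, b"reshark"),
    (CLIENT, 16, b"\r\x00"),                          # Telnet end of line: CR NUL
    (SERVER, 48, b"\r\nPassword: "),
    (CLIENT, 21, b"456"),                             # arrived before the bytes preceding it
    (CLIENT, 18, b"123"),
    (CLIENT, 18, b"123"),                             # retransmission: must not be shown twice
    (CLIENT, 24, b"\r\x00"),                          # the server does not echo the password
    (SERVER, 60, b"\r\nwireshark@ubuntu:~$ "),
]


def strip_iac(data):
    """Remove Telnet negotiation (IAC sequences) so only user-visible bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:    # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                        # two-byte command
    return bytes(out)


def follow_stream(segments):
    """Deliver each direction's bytes in sequence order exactly once, like
    Wireshark's Follow TCP Stream; out-of-order data waits until the gap is filled."""
    expected, pending, chunks = {}, {}, []
    for sender, seq, payload in segments:
        if sender not in expected:
            expected[sender], pending[sender] = seq, {}
        if seq + len(payload) <= expected[sender]:
            continue                                  # pure retransmission, already delivered
        pending[sender][seq] = payload
        while True:                                   # drain everything that is now contiguous
            nxt = expected[sender]
            ready = [s for s, p in pending[sender].items() if s <= nxt < s + len(p)]
            if not ready:
                break
            s = min(ready)
            fresh = pending[sender].pop(s)[nxt - s:]  # skip any overlap with delivered bytes
            chunks.append((sender, fresh))
            expected[sender] = nxt + len(fresh)
        pending[sender] = {s: p for s, p in pending[sender].items() if s + len(p) > expected[sender]}
    return chunks


def direction_bytes(chunks, sender):
    """Everything one side sent: the view when one direction is selected in Follow TCP Stream."""
    return b"".join(p for who, p in chunks if who == sender)


def extract_credentials(chunks, client):
    """The line the client types after the server's 'login:' prompt is the account,
    the line after 'Password:' is the password. Negotiation is assumed not to be
    split across segments (true of the constructed sample)."""
    creds, prompt_tail, typed, field = {}, "", b"", None
    for sender, payload in chunks:
        text = strip_iac(payload)
        if sender == client:
            typed += text
            if b"\r" in typed:
                line, _, rest = typed.partition(b"\r")
                if field:
                    creds[field] = line.decode("ascii", "replace")
                typed, field = rest.lstrip(b"\n\x00"), None
        else:
            prompt_tail = (prompt_tail + text.decode("ascii", "replace"))[-64:]
            if prompt_tail.rstrip().endswith("login:"):
                field = "login"
            elif prompt_tail.rstrip().endswith("Password:"):
                field = "password"
    return creds


if __name__ == "__main__":
    chunks = follow_stream(SAMPLE)
    print("client sent:", strip_iac(direction_bytes(chunks, CLIENT)))
    print("server sent:", strip_iac(direction_bytes(chunks, SERVER)))
    print("credentials:", extract_credentials(chunks, CLIENT))
```

The client-to-server stream comes out as wireshark, CR NUL, 123456, CR NUL: the username is visible in both directions because the server echoes it, while the password exists only in the client direction, which is why the text above suggests filtering the stream to one direction.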

Commonly used filter rules:

  • Capture filters: decide which packets are recorded in the capture. Must be set before the capture starts.
  • Display filters: search within the captured result. Can be changed freely after the capture.

Capture filter

Protocol:

Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.

If no protocol is given, all supported protocols match.

Direction:

Possible values: src, dst, src and dst, src or dst

If no direction is given, "src or dst" is assumed.

For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Host(s):

Possible values: net, port, host, portrange.

If none is given, "host" is assumed.

For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical operations:

Possible values: not, and, or.

Negation ("not") has the highest precedence. "or" and "and" have equal precedence and are evaluated left to right, so use parentheses when mixing them.

For example,

"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".

"not tcp port 3128 and tcp port 23" is not the same as "not (tcp port 3128 and tcp port 23)".

Examples:

tcp dst port 3128                    // Capture packets whose destination TCP port is 3128.

ip src host 10.1.1.1                 // Capture packets whose source IP address is 10.1.1.1.

host 10.1.2.3                        // Capture packets whose source or destination IP address is 10.1.2.3.

ether host e0:05:c5:44:b1:3c         // Capture packets whose source or destination MAC address is e0:05:c5:44:b1:3c (the libpcap syntax separates the bytes with colons, not dashes). To capture everything between this machine and the outside world, put the router's MAC address here.

src portrange 2000-2500              // Capture packets whose TCP or UDP source port is between 2000 and 2500.

not icmp                             // Capture everything except ICMP (the protocol used by ping).

src host 10.7.2.12 and not dst net 10.200.0.0/16    // Capture packets from 10.7.2.12 whose destination is not in 10.200.0.0/16.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8    // Capture packets whose source is 10.4.1.12 or in 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination is inside 10.0.0.0/8.

src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0    // Two ways of writing the same thing: capture packets whose source address is in the 192.168.0.0/24 network.

Display filter

Examples:

snmp || dns || icmp                  // Show SNMP, DNS or ICMP packets.

ip.addr == 10.1.1.1                  // Show packets whose source or destination IP address is 10.1.1.1.

Caveat: ip.addr matches both the source and the destination field, so ip.addr != 10.1.1.1 is a trap. In Wireshark versions before 3.6 it meant "some address field differs from 10.1.1.1", which is true for nearly every packet; since 3.6, != means "no value equals", and the old behaviour is the any_ne operator (written !== in current versions). To exclude a host reliably in any version write !(ip.addr == 10.1.1.1). Use ip.src or ip.dst when you mean one specific field, as the next examples do.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6    // Show packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6.

In other words, the displayed packets are:

Source IP: anything except 10.1.2.3; destination IP: anything

as well as

Source IP: anything; destination IP: anything except 10.4.5.6

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6    // Show packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.

In other words, the displayed packets are:

Source IP: anything except 10.1.2.3; and at the same time destination IP: anything except 10.4.5.6

tcp.port == 25                       // Show packets whose source or destination TCP port is 25.

tcp.dstport == 25                    // Show packets whose destination TCP port is 25.

tcp.flags                            // Show all TCP packets (every TCP segment has a flags field).

tcp.flags.syn == 1                   // Show packets with the SYN flag set (SYN and SYN/ACK). To match only the first packet of a handshake use tcp.flags == 0x002 (SYN alone) or tcp.flags.syn == 1 && tcp.flags.ack == 0.

If the filter syntax is correct the filter bar turns green; red means the expression is invalid (yellow is a warning, for example a deprecated form).
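The != caveat above, as an added example that is not part of the original post: a small evaluator for the subset of display-filter syntax used on this page (==, !=, !==, &&/and, ||/or, !/not, parentheses, bare protocol names), run over a handful of constructed packets. Its point is the thing the prose can only assert: ip.addr and tcp.port carry two values per packet, so "ip.addr != x" (field present and no value equals x), "ip.addr !== x" (some value differs, the pre-3.6 meaning of !=) and "!(ip.addr == x)" select different packets. The packet model (a field-to-values map with protocols recorded as present) and the packet contents are assumptions of this example, not Wireshark internals.

```python
# Added example, not part of the original post: a tiny evaluator for the subset
# of Wireshark display-filter syntax used on this page, run over constructed
# packets, to show how multi-valued fields (ip.addr, tcp.port) make '!=',
# '!==' and '!(... == ...)' select different packets. The packet model and the
# packets themselves are assumptions of this example, not Wireshark internals.
import re

TOKEN = re.compile(r'\s*(\(|\)|!==|==|!=|&&|\|\||!|[A-Za-z_][\w.]*|\d+(?:\.\d+){3}|\d+|"[^"]*")')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot parse filter at: %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent, lowest to highest precedence: or, and, not, then a
    comparison 'field op value', a bare field name, or a parenthesised expression."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() in ("!", "not"):
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field = self.take()
        if self.peek() in ("==", "!=", "!=="):
            op, lit = self.take(), self.take()
            return (op, field, int(lit) if lit.isdigit() else lit.strip('"'))
        return ("present", field)          # bare name: "does the packet contain this field?"


# Fields that are really two fields in one; every value is tested, as in Wireshark.
DERIVED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}


def values(packet, field):
    if field in DERIVED:
        return [v for f in DERIVED[field] for v in packet.get(f, [])]
    return packet.get(field, [])


def evaluate(node, packet):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "present":
        return bool(values(packet, node[1]))
    op, field, lit = node
    vals = values(packet, field)
    if op == "==":
        return any(v == lit for v in vals)              # some value matches
    if op == "!==":
        return any(v != lit for v in vals)              # any_ne: some value differs (old '!=')
    return bool(vals) and all(v != lit for v in vals)   # '!=' since 3.6: present and no value matches


def matching(filter_text, packets):
    """Indices of the packets a display filter would leave in the packet list."""
    tree = Parser(filter_text).parse()
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]


# Constructed packets: field -> list of values; a protocol is "present" when it has a value.
PACKETS = [
    {"ip": [1], "tcp": [1], "ip.src": ["10.1.2.3"], "ip.dst": ["10.4.5.6"], "tcp.srcport": [51000], "tcp.dstport": [25]},
    {"ip": [1], "tcp": [1], "ip.src": ["10.4.5.6"], "ip.dst": ["10.1.2.3"], "tcp.srcport": [25], "tcp.dstport": [51000]},
    {"ip": [1], "icmp": [1], "ip.src": ["10.9.9.9"], "ip.dst": ["10.8.8.8"]},
    {"arp": [1]},
    {"ip": [1], "tcp": [1], "ip.src": ["10.1.2.3"], "ip.dst": ["10.7.7.7"], "tcp.srcport": [443], "tcp.dstport": [51001]},
]

if __name__ == "__main__":
    for f in ["ip.addr == 10.1.2.3", "ip.addr != 10.1.2.3", "ip.addr !== 10.1.2.3",
              "!(ip.addr == 10.1.2.3)", "ip.src != 10.1.2.3 or ip.dst != 10.4.5.6", "snmp || dns || icmp"]:
        print("%-44s -> packets %s" % (f, matching(f, PACKETS)))
```

Over these five packets "ip.addr != 10.1.2.3" keeps only packet 2, "!(ip.addr == 10.1.2.3)" keeps packets 2 and 3 (the ARP packet has no ip.addr at all, which is the one case where the two still differ), and "ip.addr !== 10.1.2.3" keeps every IP packet, including the two that talk to 10.1.2.3, which is exactly the surprise users hit with the old != semantics.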


Origin blog.csdn.net/weixin_43025343/article/details/132385595