Good evening, I'm Lao Yang.
Wireshark is a very popular network packet analysis software.
It captures all kinds of network packets and displays their contents in detail.
The software is very powerful, and it is not complicated to operate.
Many friends have been asking in the background whether I could publish a complete packet capture and analysis post, so I have put one together for you today.
01 Introduction to Wireshark
Wireshark is a very popular network packet analysis tool, nicknamed the "little shark", and it is very powerful.
It captures all kinds of network packets and displays their contents in detail.
Wireshark is open source software, so it can be used with confidence. It runs on Windows and Mac OS.
The corresponding packet capture tool under Linux is tcpdump. Anyone using Wireshark must understand the network protocols involved, otherwise they will not understand what Wireshark shows them.
01 Common application scenarios of Wireshark
1. Network administrators use Wireshark to troubleshoot network problems
2. Software test engineers use Wireshark to capture packets and analyze the software they test
3. Engineers doing socket programming use Wireshark for debugging
4. Operations and maintenance staff use it for daily work, emergency response, and so on
In short, anything related to the network may call for Wireshark.
If you want the download and installation package directly, send me a private message with the note "wireshark" and I will share 2 download methods.
02 Wireshark packet capture principle
Wireshark uses WinPcap (on current Windows versions its successor Npcap; on Linux and macOS, libpcap) as the interface through which it exchanges packets directly with the network card.
The environments in which Wireshark is used fall roughly into two types: a stand-alone environment where the computer is connected directly to the network, and a networked environment with more hosts, that is, one where the computer is connected to a switch.
In the stand-alone case:
Wireshark directly captures the traffic of the local network card.
In the switch case:
Wireshark obtains the LAN's network traffic through port mirroring or ARP spoofing.
Port mirroring:
A switch feature that copies the LAN traffic of selected ports to the port where the designated capture computer's network card is connected.
ARP spoofing:
A switch forwards frames according to MAC address; a host that impersonates the MAC addresses of other terminals can thereby draw the LAN's traffic to itself. Port mirroring is the administrative method; ARP spoofing is an attack technique that manipulates hosts' ARP caches, and network monitoring tools can detect it.
03 Wireshark packet capture example
Let me first walk through an example of using Wireshark to capture the traffic of a ping command, so that you can get started and experience the whole packet capture process.
1. Open Wireshark; the main interface looks like this:
2. Select Capture -> Options on the menu bar and tick the WLAN network card. Which card to choose depends on how your computer is connected; the simple way is to look for the network card that has the IP address in use.
Click Start to begin capturing.
3. Once started, Wireshark is in the capturing state.
4. Perform the operation whose traffic you want to capture, for example run ping www.baidu.com in a cmd window.
5. After the operation completes, the relevant packets have been captured, and you can click the stop button to stop capturing.
6. To keep other, irrelevant packets from getting in the way of the analysis, you can filter the packet list by entering a condition in the filter bar; the result looks like this.
Explanation: ip.addr == 183.232.231.172 and icmp means show only packets of the ICMP protocol whose source or destination IP is 183.232.231.172. Note: the protocol name icmp must be lowercase.
7. Wireshark has completed the capture; save the capture or analysis results, and that's all there is to it.
The Wireshark display filter conditions, capture filter conditions, and how to view the detailed contents of a packet are introduced below.
04 Wireshark packet capture interface introduction
The main interface of Wireshark consists of 6 parts:
Menu bar: for debugging, configuration
Toolbar: Shortcuts to frequently used functions
Filter bar: specify filter conditions, filter data packets
Data packet list: core area, each line is a data packet
Packet Details: Detailed data of the packet
Packet bytes: the byte stream corresponding to the data packet, binary
Note: Different protocols use different colors in the packet list area. The protocol color identification is located in the menu bar View --> Coloring Rules.
As follows:
Wireshark's interface is divided into these panes:
01 Display Filter
Used to set filter conditions for filtering the packet list. Menu path: Analyze --> Display Filters.
02 Packet List Pane
Displays the captured packets; each row shows the number, timestamp, source address, destination address, protocol, length and packet info.
Packets of different protocols are displayed in different colors.
03 Packet Details Pane
Select a packet in the packet list, and all of its detailed information is displayed in the packet details pane.
The packet details pane is the most important one; it is used to view every field of each protocol.
The lines of information are:
(1) Frame: Overview of data frames at the physical layer
(2) Ethernet II: Data link layer Ethernet frame header information
(3) Internet Protocol Version 4: Internet layer IP packet header information
(4) Transmission Control Protocol: Transport layer segment header information, here TCP
(5) Hypertext Transfer Protocol: Application layer information, here is the HTTP protocol
The specific content of the TCP packet: From the figure below, you can see each field in the TCP packet captured by wireshark.
04 Dissector Pane (packet bytes area)
The raw bytes of the packet, shown in hexadecimal and ASCII.
05 Wireshark filter settings
When beginners use Wireshark, they get a large list of redundant packets, which makes it hard to find the packets they actually need.
Wireshark comes with two types of filters. Learning to use both will help us quickly find the information we need in a large amount of data.
01 Packet capture filter
The menu bar path of the capture filter is Capture --> Capture Filters. It is set before capture starts.
How is it used? The settings are as follows.
ip host 183.232.231.172 means that only packets whose source or destination IP is 183.232.231.172 are captured.
The result obtained is as follows:
02 Display filter
The display filter sets filter conditions that are applied to packets after they have been captured.
Usually, when the capture conditions were broad or no capture filter was set, the volume of captured packets is large; the display filter then lets you set conditions to narrow them down for analysis.
In the same scenario as above, capture all packets directly from the network card without setting a capture filter rule.
The list of packets obtained by running ping www.baidu.com is as follows:
Observe that the packet list obtained above contains a large amount of irrelevant data.
At this point you can extract the information to analyze by setting a display filter condition.
Enter ip.addr == 183.232.231.172 and apply the filter.
The above describes the basic usage of the capture filter and the display filter.
On an uncomplicated network or with low traffic, capturing everything and post-processing with the display filter is sufficient for our needs.
Next, let's look at the syntax of the two and how they differ.
06 Rules for Wireshark filter expressions
01 Capture filter syntax and examples
Capture filters consist of a type (host, net, port), a direction (src, dst), a protocol (ether, ip, tcp, udp, icmp, etc.) and logical operators (&& and, || or, ! not). Note that capture filters use the libpcap/BPF syntax, which only knows transport-level protocols and ports, not application protocol names such as http.
(1) Protocol filtering
It is relatively simple, just enter the protocol name directly in the packet capture filter box.
tcp: capture only TCP packets
port 80: capture only traffic on port 80 (the usual HTTP port; the capture filter has no http keyword)
icmp: capture only ICMP packets
(2) IP filtering
host 192.168.1.104
src host 192.168.1.104
dst host 192.168.1.104
(3) Port filtering
port 80
src port 80
dst port 80
(4) Logical operators: && and, || or, ! not
src host 192.168.1.104 && dst port 80 captures packets with source host 192.168.1.104 and destination port 80
host 192.168.1.104 || host 192.168.1.102 captures packets whose host is 192.168.1.104 or 192.168.1.102
! broadcast does not capture broadcast packets
02 Display filter syntax and examples
(1) Comparison operators
== equal to, != not equal to, > greater than, < less than, >= greater than or equal to, <= less than or equal to
(2) Protocol filtering
It is relatively simple, just enter the protocol name directly in the Filter box.
Note: The protocol name needs to be entered in lowercase.
tcp: only display the packet list of TCP protocol
http: only view the packet list of the HTTP protocol
icmp: Only display the packet list of ICMP protocol
(3) IP filtering
ip.src == 112.53.42.42 displays the list of packets whose source address is 112.53.42.42.
ip.dst == 112.53.42.42 displays the list of packets whose destination address is 112.53.42.42.
ip.addr == 112.53.42.42 displays the list of packets whose source or destination IP address is 112.53.42.42.
(4) Port filtering
tcp.port == 80 displays the list of packets whose source or destination port is 80.
tcp.srcport == 80 displays only TCP packets whose source port is 80.
tcp.dstport == 80 displays only TCP packets whose destination port is 80.
(5) HTTP mode filtering
http.request.method == "GET" displays only HTTP GET requests.
(6) Logical operators: and / or / not
When combining several conditions, join them with and / or.
For example, the expression for ICMP packets involving the IP address 192.168.0.104 is ip.addr == 192.168.0.104 and icmp
(7) Filter according to the content of the data packet
Suppose I want to filter on the content of the ICMP layer: in the packet details pane, click the Data field below the ICMP header to select it.
Right-click it and the following menu appears:
When it is selected, the filter bar shows the following:
The rest of the conditional expression has to be filled in by hand.
For example, I want to filter out packets whose data contains the string "abcd".
The keyword is contains, and the complete expression is data contains "abcd".
By this point you should have a preliminary understanding of Wireshark.
03 Commonly used display filter requirements and their corresponding expressions
Data link layer:
Filter packets whose source or destination MAC address is 04:f9:38:ad:13:26
eth.addr == 04:f9:38:ad:13:26
Filter packets whose source MAC address is 04:f9:38:ad:13:26
eth.src == 04:f9:38:ad:13:26
Network layer:
Filter packets with IP address 192.168.1.1
ip.addr == 192.168.1.1
Filter the traffic of the 192.168.1.0/24 network segment
ip.addr == 192.168.1.0/24
Transport layer:
Filter packets with port 80
tcp.port == 80
Filter packets between port 12345 and port 80
tcp.port == 12345 && tcp.port == 80
Filter packets from port 12345 to port 80
tcp.srcport == 12345 && tcp.dstport == 80
Application layer:
Special note: in HTTP, http.request refers to the first line of the request header (such as GET index.jsp HTTP/1.1) and http.response to the first line of the response header (such as HTTP/1.1 200 OK); other header fields use the form http.header_name.
Filter HTTP packets whose URL contains .php
http.request.uri contains ".php"
Filter HTTP packets containing "username"
http contains "username"
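As an added example (not code from the original post or from Wireshark itself), the following Python evaluates the display-filter expressions from this section over a few constructed packet records. It shows why ip.addr and tcp.port match either endpoint, how and/or/not (and their &&, ||, ! spellings) and parentheses nest, how contains works on the Data field, and how a CIDR literal such as 192.168.0.0/24 selects a whole network segment. Field names follow Wireshark's; the packets, addresses and ports are made up.

```python
"""Evaluate a subset of Wireshark display-filter syntax over dissected packets.
Added example (not code from the original post or from Wireshark): ==, !=, <, >, <=, >=,
contains, and/or/not (also &&, ||, !), parentheses and CIDR matching on IP fields.
PACKETS is constructed sample data keyed by Wireshark field names, not a real capture.
"""
import ipaddress
import re

PACKETS = [
    {"no": 1, "proto": ["eth", "ip", "icmp"], "ip.src": "192.168.0.104",
     "ip.dst": "183.232.231.172", "data": b"abcdefghijklmnopqrstuvwabcdefghi"},
    {"no": 2, "proto": ["eth", "ip", "icmp"], "ip.src": "183.232.231.172",
     "ip.dst": "192.168.0.104", "data": b"abcdefghijklmnopqrstuvwabcdefghi"},
    {"no": 3, "proto": ["eth", "ip", "tcp", "http"], "ip.src": "192.168.0.104",
     "ip.dst": "183.232.231.172", "tcp.srcport": 12345, "tcp.dstport": 80,
     "http.request.method": "GET", "http.request.uri": "/index.php?user=1"},
    {"no": 4, "proto": ["eth", "ip", "tcp", "tls"], "ip.src": "183.232.231.172",
     "ip.dst": "192.168.0.104", "tcp.srcport": 443, "tcp.dstport": 50000},
]
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}  # either endpoint
CMP_OPS = ("==", "!=", ">=", "<=", ">", "<", "contains")
OPS = {**{o: o for o in CMP_OPS + ("and", "or", "not")}, "&&": "and", "||": "or", "!": "not"}
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|==|!=|>=|<=|>|<|&&|\|\||!|[\w.:/-]+')

def classify(tok):
    """Tag one token: quoted string, parenthesis, operator (C-style spellings mapped) or word."""
    if tok.startswith('"'):
        return ("str", tok[1:-1])
    if tok in "()":
        return ("paren", tok)
    return ("op", OPS[tok.lower()]) if tok.lower() in OPS else ("word", tok)

def parse(expr):
    """Recursive descent; precedence from loosest to tightest: or, and, not, comparison."""
    toks = [classify(t) for t in TOKEN_RE.findall(expr)]  # whitespace is skipped
    peek = lambda: toks[0] if toks else (None, None)
    def chain(sub, keyword):  # left-associative: sub (keyword sub)*
        node = sub()
        while peek() == ("op", keyword):
            toks.pop(0)
            node = (keyword, node, sub())
        return node
    def p_or():
        return chain(lambda: chain(p_not, "and"), "or")
    def p_not():
        if peek() == ("op", "not"):
            toks.pop(0)
            return ("not", p_not())
        kind, val = toks.pop(0)  # IndexError here means the filter ended too early
        if (kind, val) == ("paren", "("):
            node = p_or()
            if toks.pop(0) != ("paren", ")"):
                raise ValueError("missing ')'")
            return node
        if peek()[0] == "op" and peek()[1] in CMP_OPS:
            return ("cmp", val, toks.pop(0)[1], toks.pop(0)[1])  # field, operator, literal
        return ("present", val)  # bare protocol or field name: is it in the packet?
    tree = p_or()
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return tree

def field_values(pkt, name):
    """All occurrences of a field; a bare protocol name is present if it was dissected."""
    vals = [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]
    return vals or ([True] if name in pkt["proto"] else [])

def compare(actual, op, literal):
    """Compare one field occurrence with a literal coerced to the field's type."""
    if op == "contains":  # byte/substring test, as on the Data field
        return (literal.encode() if isinstance(actual, bytes) else literal) in actual
    if isinstance(actual, int):
        a, b = actual, int(literal, 0)
    else:
        try:  # IP fields: the literal may be a single address or a CIDR block
            a, b = ipaddress.ip_address(actual), ipaddress.ip_network(literal, strict=False)
            if op in ("==", "!="):
                return (a in b) == (op == "==")
            b = b.network_address
        except ValueError:  # not an IP field: plain string comparison
            a, b = str(actual), literal
    return {"==": a == b, "!=": a != b, ">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]

def evaluate(node, pkt):
    """Evaluate a parsed filter tree against one dissected packet."""
    kind, *args = node
    if kind == "not":
        return not evaluate(args[0], pkt)
    if kind in ("and", "or"):
        return {"and": all, "or": any}[kind](evaluate(a, pkt) for a in args)
    if kind == "present":
        return bool(field_values(pkt, args[0]))
    name, op, literal = args
    vals = field_values(pkt, name)
    if op == "!=":  # Wireshark 3.6+ semantics: true only when every occurrence differs
        return bool(vals) and all(compare(v, "!=", literal) for v in vals)
    return any(compare(v, op, literal) for v in vals)  # any occurrence matches

def apply_filter(expr, packets=PACKETS):
    """Return the numbers of the packets that the display filter selects."""
    return [p["no"] for p in packets if evaluate(parse(expr), p)]
```

Calling apply_filter("ip.addr == 183.232.231.172 and icmp") returns [1, 2], the two ICMP echoes, and apply_filter('data contains "abcd"') returns the same two packets. Note the != behaviour: because ip.addr expands to both endpoints, ip.addr != 192.168.0.104 selects only packets in which neither address matches, which is how Wireshark 3.6 and later evaluate it (older versions matched when any occurrence differed).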
07 Wireshark packet capture analysis TCP three-way handshake
01 TCP three-way handshake connection establishment process
Step 1: The client sends a packet with SYN=1, ACK=0 to the server to request a connection; this is the first handshake.
Step 2: If the server receives the request and allows the connection, it replies with a packet with SYN=1, ACK=1, telling the client that communication is possible and asking it to send a confirmation; this is the second handshake.
Step 3: The client sends a packet with SYN=0, ACK=1 to the server, confirming the connection; this is the third handshake. The TCP connection is now established and communication begins.
02 Wireshark captures packets to obtain access to specified server data packets
Step 1: Start capturing in Wireshark, open a browser and enter http://www.baidu.com .
Step 2: Use ping www.baidu.com to get the server's IP address.
Step 3: Enter the filter condition ip.addr == 183.232.231.172 to obtain the list of packets to analyze.
As can be seen in the figure, Wireshark has captured the three packets of the three-way handshake.
The fourth packet is HTTPS, which confirms that HTTPS uses TCP to establish its connection.
The first handshake packet:
The client sends a TCP segment with the SYN flag set and a (relative) sequence number of 0, meaning the client requests to establish a connection.
The key attributes of the packet are as follows:
SYN: flag bit, indicating a request to establish a connection
Seq = 0: the initial value of the connection is 0; Wireshark shows relative sequence numbers starting from 0, meaning no data has been sent yet
Ack = 0: the initial value is 0; this field counts the bytes received so far, meaning nothing has been received yet
The data packet of the second handshake:
The server sends back a confirmation packet with the flags SYN and ACK. Its Acknowledgment Number field is the client's sequence number plus 1, that is, 0 + 1 = 1.
The key attributes of the packet are as follows:
[SYN + ACK]: flag bits, agreeing to establish the connection and sending back SYN+ACK
Seq = 0: the server's initial value is 0, meaning it has not sent any data yet
Ack = 1: the number of bytes this end has successfully received. Although the client has not sent any payload data, the acknowledgment number is still increased by 1, because a segment carrying the SYN (or FIN) flag consumes one sequence number. (This does not affect the count of payload data, because packets carrying the SYN or FIN flag do not carry payload data.)
The data packet of the third handshake:
The client sends another acknowledgment packet (ACK). The SYN flag is 0 and the ACK flag is 1. It puts the server's sequence number plus 1 into its Acknowledgment Number field and sends the packet to the server; the Flags section shows only ACK set:
The key attributes of the packet are as follows:
ACK: flag bit, indicating that the server's SYN+ACK has been received
Seq = 1: the client's sequence number is now 1, because its SYN consumed one sequence number
Ack = 1: the number of bytes this end has successfully received. Although the server has not sent any payload data, the acknowledgment number is still increased by 1, because a segment carrying the SYN (or FIN) flag consumes one sequence number (this does not affect the count of payload data, because packets carrying the SYN or FIN flag do not carry payload data).
With this, the TCP three-way handshake is complete and the connection is established.
Data exchange begins:
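To make the Seq and Ack values above concrete, here is an added example (not code from the original post) that builds the three handshake segments as raw IPv4/TCP bytes with made-up initial sequence numbers, decodes the flags and absolute numbers back out of the headers, and then computes the relative Seq/Ack that Wireshark displays by subtracting each direction's ISN. The addresses, ports and ISNs are constructed; the header layout follows the IPv4 and TCP RFCs.

```python
"""Decode a TCP three-way handshake from raw IPv4/TCP bytes and show Wireshark-style
relative sequence numbers.

Added example, not code from the original post. The three segments are constructed
here with made-up initial sequence numbers (ISNs); Wireshark's Seq = 0 / Ack = 1
display comes from subtracting each direction's ISN, exactly as done below.
"""
import struct

FLAG_BITS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]
CLIENT, SERVER = "192.168.0.104", "183.232.231.172"  # constructed addresses
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9ABCDEF0       # constructed random ISNs


def build_segment(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4 header + TCP header (no options, no payload, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # data offset 5 words (20 bytes) in the high nibble, then flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 64240, 0, 0)
    return ip_hdr + tcp_hdr


# The handshake as Wireshark would capture it: SYN, SYN+ACK, ACK.
HANDSHAKE = [
    build_segment(CLIENT, SERVER, 51234, 443, CLIENT_ISN, 0, 0x02),
    build_segment(SERVER, CLIENT, 443, 51234, SERVER_ISN, CLIENT_ISN + 1, 0x12),
    build_segment(CLIENT, SERVER, 51234, 443, CLIENT_ISN + 1, SERVER_ISN + 1, 0x10),
]


def parse_segment(raw):
    """Pull addresses, ports, absolute seq/ack and flag names out of one IPv4/TCP segment."""
    ihl = (raw[0] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport, seq, ack, _offset, flags = struct.unpack_from("!HHIIBB", raw, ihl)
    return {
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_BITS if flags & bit],
    }


def relative_numbers(segments):
    """Add seq_rel/ack_rel like Wireshark: each direction's ISN is the seq of its first segment."""
    isn, out = {}, []
    for seg in segments:
        fwd = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        rev = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        isn.setdefault(fwd, seg["seq"])
        rel = dict(seg, seq_rel=(seg["seq"] - isn[fwd]) & 0xFFFFFFFF)
        # the ack field only means something when ACK is set and the other side's ISN is known
        rel["ack_rel"] = (seg["ack"] - isn[rev]) & 0xFFFFFFFF if "ACK" in seg["flags"] and rev in isn else 0
        out.append(rel)
    return out


def decode_handshake(raw_segments=HANDSHAKE):
    """Decode raw segments and annotate them with relative sequence numbers."""
    return relative_numbers([parse_segment(r) for r in raw_segments])


def is_three_way_handshake(rel):
    """True if the first three segments are SYN (0/0), SYN+ACK (0/1), ACK (1/1)."""
    if len(rel) < 3:
        return False
    first, second, third = rel[:3]
    return (first["flags"] == ["SYN"] and (first["seq_rel"], first["ack_rel"]) == (0, 0)
            and second["flags"] == ["SYN", "ACK"] and (second["seq_rel"], second["ack_rel"]) == (0, 1)
            and third["flags"] == ["ACK"] and (third["seq_rel"], third["ack_rel"]) == (1, 1))


if __name__ == "__main__":
    for i, seg in enumerate(decode_handshake(), 1):
        print(f"{i}: {seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']} "
              f"[{', '.join(seg['flags'])}] Seq={seg['seq_rel']} Ack={seg['ack_rel']} "
              f"(absolute seq={seg['seq']:#x} ack={seg['ack']:#x})")
    print("three-way handshake:", is_three_way_handshake(decode_handshake()))
```

Running the block prints the three segments with the relative pairs (0, 0), (0, 1) and (1, 1) next to the large absolute values, which is the same picture the Wireshark screenshots show. Relative numbering is a display convenience (View --> ... or the TCP protocol preference "Relative sequence numbers"); the bytes on the wire always carry the absolute values.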
08 Common Operations for Wireshark Analysis
Adjusting the timestamp display format in the packet list.
The adjustment is made under View --> Time Display Format --> Date and Time of Day. The adjusted format looks like this:
Wireshark can also be used together with the network simulators of the major vendors, which is helpful for accurately verifying project configurations.
Compiled by: Lao Yang | senior network engineer with 10 years' experience. For more practical content for network engineers, follow the official account: Network Engineer Club