Common commands for Wireshark packet capture

1. Commonly used filtering rules

Specify source address:

ip.src == 10.0.1.123
ip.src == 10.0.1.123 && udp
http
Data link layer:

Filter packets with MAC address 04:f9:38:ad:13:26 ---- eth.addr == 04:f9:38:ad:13:26

Filter packets with source MAC address 04:f9:38:ad:13:26 ---- eth.src == 04:f9:38:ad:13:26

Network layer:

Filter packets with IP address 192.168.1.1 ---- ip.addr == 192.168.1.1

Filter traffic in the 192.168.1.0 subnet ---- ip.addr == 192.168.1.0/24

Filter packets between 192.168.1.1 and 192.168.1.2 ---- ip.addr == 192.168.1.1 && ip.addr == 192.168.1.2

Filter packets from 192.168.1.1 to 192.168.1.2 ---- ip.src == 192.168.1.1 && ip.dst == 192.168.1.2

Transport layer:

Filter TCP packets ---- tcp

Filter all packets except TCP ---- !tcp

Filter packets on port 80 ---- tcp.port == 80

Filter packets between port 12345 and port 80 ---- tcp.port == 12345 && tcp.port == 80

Filter packets from port 12345 to port 80 ---- tcp.srcport == 12345 && tcp.dstport == 80

Application layer:

Filter HTTP request packets ---- http.request

Filter HTTP response packets ---- http.response

Filter a specific host name ---- http.host == "xxx.xxx.xxx"

Filter HTTP packets whose URL contains .php ---- http.request.uri contains ".php"

Filter HTTP packets whose content contains username ---- http contains "username"

Filter by HTTP request method ---- http.request.method == "GET"

Filter the requested URL ---- http.request.uri == "/xxx/xxxx"

Filter response packets with HTTP error status codes ---- http.response.code >= 400

Filter response packets with server-side error status codes (5xx) ---- http.response.code >= 500 && http.response.code <= 599

2. UDP message structure


3. TCP message structure


4. Key points

Let’s talk about the key points here

4.1 TCP/UDP headers checksum

The Checksum field appears in the TCP and UDP header layouts above.
The checksum of a TCP segment is computed over three parts: the TCP pseudo header, the TCP header and the TCP data. The pseudo header is never transmitted; it is assembled from IP-layer fields so that the checksum also covers the addresses and protocol number (UDP, covered later, uses the same construction). The TCP pseudo header consists of: source address (32 bits), destination address (32 bits), zeros (8 bits), protocol (8 bits), TCP length (16 bits).

In the captured packet, the source address is 106.11.43.158 (6a 0b 2b 9e), the destination address is 192.168.1.105 (c0 a8 01 69), the protocol number for TCP is 6, and the TCP length is the IP total length minus the IP header length: 52 - 20 = 32 (0x20). The captured TCP header and data follow.
The TCP checksum in the capture is 0x755E, and it is calculated as follows:

  1. Get the pseudo header data

Source Address | Destination Address | Zeros | Protocol | TCP Length

6a 0b 2b 9e | c0 a8 01 69 | 00 | 06 | 00 20

  2. Split the pseudo header into 16-bit words and add them

6a0b + 2b9e + c0a8 + 0169 + 0006 + 0020 = 157E0

  3. Get the TCP header and data (here a 32-byte header with options and no payload)

01 bb de c0 d3 86 24 c6 0e 5f 8d 90 80 10 00 0e 75 5e 00 00 01 01 05 0a 0e 5f 8d 8f 0e 5f 8d 90

  4. Set the checksum field (bytes 17-18 of the header) to 00 00

01 bb de c0 d3 86 24 c6 0e 5f 8d 90 80 10 00 0e 00 00 00 00 01 01 05 0a 0e 5f 8d 8f 0e 5f 8d 90

  5. Split the TCP header and data into 16-bit words and add them

01bb + dec0 + d386 + 24c6 + 0e5f + 8d90 + 8010 + 000e

+ 0000 + 0000 + 0101 + 050a + 0e5f + 8d8f + 0e5f + 8d90 = 432BC

  6. Add the pseudo header sum and the TCP sum

157E0 + 432BC = 58A9C

  7. Add the high 16 bits of the result to its low 16 bits (fold the carry)

8A9C + 5 = 8AA1

  8. Subtract 8AA1 from 0xFFFF (take the one's complement) to get the checksum

0xFFFF - 0x8AA1 = 755E

  9. This matches the checksum 0x755E in the captured packet.
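The same procedure in code, as an added example that is not part of the original post: it recomputes the checksum of the 32-byte segment above (the bytes are reconstructed here from the listing) and generalizes to UDP, whose checksum field sits at a different offset and whose special values (0 = no checksum, 0xFFFF for a computed zero) are handled. The function names and the small UDP datagram are this example's own.

```python
import socket
import struct

TCP_PROTO, UDP_PROTO = 6, 17

# Constructed from the page's worked example: addresses from the IP header and the
# 32-byte TCP segment whose checksum field (bytes 16..17) holds 0x755E.
SRC_IP, DST_IP = "106.11.43.158", "192.168.1.105"
TCP_SEGMENT = bytes.fromhex(
    "01bb dec0 d386 24c6 0e5f 8d90 8010 000e 755e 0000"
    "0101 050a 0e5f 8d8f 0e5f 8d90"
)


def pseudo_header(src_ip: str, dst_ip: str, protocol: int, length: int) -> bytes:
    """Source, destination, 8 zero bits, protocol number, TCP/UDP length (step 1)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, protocol, length)


def ones_complement_sum(data: bytes) -> int:
    """Add big-endian 16-bit words, then fold carries back into the low 16 bits (steps 2, 5-7)."""
    if len(data) % 2:
        data += b"\x00"                 # RFC 1071: pad an odd trailing byte with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def transport_checksum(src_ip: str, dst_ip: str, protocol: int, segment: bytes) -> int:
    """Checksum of a TCP segment or UDP datagram; the field offset is 16 for TCP, 6 for UDP."""
    offset = 16 if protocol == TCP_PROTO else 6
    zeroed = segment[:offset] + b"\x00\x00" + segment[offset + 2:]     # step 4
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, protocol, len(segment)) + zeroed)
    checksum = (~total) & 0xFFFF                                        # step 8
    if protocol == UDP_PROTO and checksum == 0:
        checksum = 0xFFFF               # UDP sends 0xFFFF because 0 means "no checksum"
    return checksum


def checksum_valid(src_ip: str, dst_ip: str, protocol: int, segment: bytes) -> bool:
    """True when the checksum stored in the packet equals the recomputed one (step 9)."""
    offset = 16 if protocol == TCP_PROTO else 6
    stored = struct.unpack_from("!H", segment, offset)[0]
    if protocol == UDP_PROTO and stored == 0:
        return True                     # UDP over IPv4 may legitimately omit the checksum
    return transport_checksum(src_ip, dst_ip, protocol, segment) == stored


if __name__ == "__main__":
    print(hex(transport_checksum(SRC_IP, DST_IP, TCP_PROTO, TCP_SEGMENT)))   # 0x755e
    print(checksum_valid(SRC_IP, DST_IP, TCP_PROTO, TCP_SEGMENT))            # True
```

Wireshark's "validate checksum" preferences are off by default, so a wrong checksum in a capture is not flagged unless you turn them on; offloaded checksums on the sending host also show as wrong in captures taken on that host.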

4.2 Use Python to generate TCP/UDP messages for software development and testing

#!/usr/bin/env python3

import socket

TCP_IP = '127.0.0.1'      # peer to connect to; start a listener on this port first (e.g. nc -l 1337)
TCP_PORT = 1337
BUFFER_SIZE = 1024
MESSAGE = 'Hello, World!'
encoded = MESSAGE.encode()        # b'Hello, World!' - sockets carry bytes, not str
decoded = encoded.decode()        # 'Hello, World!'

# Connect, send the payload and wait for one reply; the with-block closes the socket.
# Capture the exchange in Wireshark with the filter: tcp.port == 1337
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((TCP_IP, TCP_PORT))
    s.sendall(encoded)            # sendall keeps writing until every byte has been sent
    data = s.recv(BUFFER_SIZE)

print("received data:", data)

5. Wireshark captures TCP packets and analyzes the three-way handshake

First handshake packet

The client sends a segment with SYN=1, ACK=0 and a sequence number starting from 0 (Wireshark shows relative sequence numbers by default), requesting to establish a connection.

Second handshake packet

The server replies with a segment with SYN=1, ACK=1, seq=0 and ack = client seq + 1, acknowledging the client's SYN and the data it has received so far.

The third handshake packet

The client sends the acknowledgement segment with SYN=0, ACK=1 and ack = server seq + 1 = 1, confirming the server's SYN; once the server checks it, the connection is established.

Important bits of the TCP FLAGS field

6. Some basic concepts


Origin blog.csdn.net/p309654858/article/details/132684283