Packet analysis (common Wireshark usage)

Setting capture options

Click the Settings button in the toolbar; the Capture Options dialog box pops up. In this dialog box you can select the interface to monitor, enable promiscuous mode, and set the filter conditions for capturing packets. As shown below:

Note: promiscuous mode is enabled so that all packets on the LAN are captured, not only those addressed to this host.

Wireshark and the corresponding OSI seven-layer model

The figure below shows each field of a TCP packet captured by Wireshark.

Adjust time format

Commonly used display filters:

snmp || dns || icmp                                   // Display SNMP, DNS or ICMP packets.
ip.addr == 10.1.1.1                                   // Display packets with source or destination IP address 10.1.1.1.
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6              // Display packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6.
ip.src != 10.1.2.3 and ip.dst != 10.4.5.6             // Display packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.
tcp.port == 25                                        // Display all packets with TCP port number 25 (source or destination).
tcp.dstport == 25                                     // Display packets with destination TCP port number 25.
tcp.flags                                             // Display packets that contain the TCP flags field.
tcp.flags.syn == 1                                    // Display packets with the TCP SYN flag set.
ip.addr == 10.15.8.34 and ip.addr == 19.18.16.5 and tcp.port == 443   // HTTPS traffic between the two hosts.

tcp.flags.syn is a boolean field, so it is compared with 1; the value 0x02 is the bit position of SYN inside the combined tcp.flags field (tcp.flags == 0x002 matches a packet with only SYN set).
If the syntax of the filter is correct, the background of the expression bar is green; if it is red, the expression is wrong.

Filtering by source and destination IP: to find packets with destination address 192.168.101.8 use ip.dst == 192.168.101.8; to find packets with source address 1.1.1.1 use ip.src == 1.1.1.1.
Protocol filtering: enter the protocol name directly, e.g. http to show only HTTP traffic.
HTTP method filtering: http.request.method == "GET" shows GET requests, http.request.method == "POST" shows POST requests.
Combining conditions with and: HTTP traffic from 192.168.101.8 is ip.src == 192.168.101.8 and http; another example is ip.src == 10.112.21.1 and tcp.port == 443.

The above covers only packet capture and simple filtering. To actually analyse these packets you also need to understand the flags carried in them, for example in the TCP three-way handshake that is so often mentioned. A TCP (virtual) connection is established through a three-way handshake.
1. (Client) –> [SYN] –> (Server)
First handshake: host A sends a packet with SYN=1 and a randomly generated sequence number seq=1234567 to the server. From SYN=1, host B knows that A is requesting to establish a connection.
2. (Client) <– [SYN/ACK] <– (Server)
Second handshake: after receiving the request, host B must confirm the connection information. It sends A a packet with ack number = (host A's seq + 1), SYN=1, ACK=1 and its own randomly generated seq=7654321.
3. (Client) –> [ACK] –> (Server)
Third handshake: after receiving it, host A checks whether the ack number is correct (that is, the seq number it sent in the first handshake + 1) and whether the ACK bit is 1. If so, host A sends ack number = (host B's seq + 1), ACK=1. After receiving it, host B confirms the seq value and ACK=1, and the connection is established. At this point the three-way handshake is complete and the TCP connection is set up.
Note: An ACK packet is a TCP packet with only the ACK flag set. Once the three-way handshake is complete and the connection is established, every packet of the TCP connection has the ACK bit set.

Four-way handshake
The four-way handshake is used to close an established TCP connection.

1. (Client) –> ACK/FIN –> (Server)
2. (Client) <– ACK <– (Server)
3. (Client) <– ACK/FIN <– (Server)
4. (Client) –> ACK –> (Server)
Note: Since a TCP connection is bidirectional, it has to be closed in both directions. ACK/FIN packets (with both the ACK and FIN flags set) are usually just called FIN (final) packets. Because the connection is still open when the FIN is sent, FIN packets always carry the ACK flag as well.
A packet with only the FIN flag and no ACK flag is not a legitimate packet and is generally considered malicious.

Resetting a connection

The four-way handshake is not the only way to close a TCP connection. If a host needs to close the connection immediately (or the connection times out, or the port or host is unreachable), it sends an RST (reset) packet instead.
Note: Because the RST packet is not a normal part of a TCP connection, it can be sent on its own (that is, without the ACK flag). In a normal TCP connection, however, an RST packet can also carry the ACK flag.

Invalid TCP flags

Summary of the common flags:

SYN: synchronization request
ACK: acknowledgment
FIN: termination (connection closed)
RST: connection reset
PSH (push): data is being transmitted
URG (urgent): urgent data
Sequence number: sequence number of the segment
Acknowledgment number: the sequence number the sender expects to receive next
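To make the flag rules above concrete, here is an added Python example (not code from the original post) that builds a few TCP headers by hand, decodes the six flag bits that Wireshark shows as tcp.flags, checks the seq/ack arithmetic of the three-way handshake using the post's sample numbers (1234567 and 7654321), and classifies FIN-without-ACK and bare RST packets the way the post describes. The port numbers and the bare-FIN/RST samples are constructed for the example, not captured traffic.

```python
"""Decode TCP flags from raw TCP headers and classify packets.

Added example, not code from the original post. The headers below are
constructed by hand (checksum left at 0), not taken from a capture.
"""
import struct

# Flag bit values in the TCP flags byte; these are the same bits Wireshark
# shows in the tcp.flags field (SYN = 0x002, ACK = 0x010, ...).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FIN = TCP_FLAGS["FIN"]
SYN = TCP_FLAGS["SYN"]
RST = TCP_FLAGS["RST"]
ACK = TCP_FLAGS["ACK"]


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Build a minimal 20-byte TCP header with no options (constructed data)."""
    data_offset = 5 << 4  # header length = 5 x 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return (src_port, dst_port, seq, ack, set_flags) for a raw TCP header."""
    src, dst, seq, ack, _off, flag_byte = struct.unpack("!HHIIBB", raw[:14])
    set_flags = {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}
    return src, dst, seq, ack, set_flags


def classify(set_flags):
    """Map a set of flag names to the packet kinds discussed in the post."""
    if "RST" in set_flags:
        return "reset"  # RST may stand alone or carry ACK
    if set_flags == {"SYN"}:
        return "handshake-1 (SYN)"
    if set_flags == {"SYN", "ACK"}:
        return "handshake-2 (SYN/ACK)"
    if "FIN" in set_flags:
        # On an open connection every FIN carries ACK; a bare FIN is not legitimate.
        if "ACK" in set_flags:
            return "teardown (FIN/ACK)"
        return "suspicious (FIN without ACK)"
    if "ACK" in set_flags:
        return "ack/data"
    return "unclassified"


def check_handshake(pkts):
    """Verify the flag sequence and seq/ack arithmetic of a three-way handshake.

    pkts: three raw TCP headers in order (client SYN, server SYN/ACK, client ACK).
    Returns True only when each ack number equals the peer's seq + 1.
    """
    _, _, seq_a, _, flags1 = parse_tcp_header(pkts[0])
    _, _, seq_b, ack_b, flags2 = parse_tcp_header(pkts[1])
    _, _, _, ack_a, flags3 = parse_tcp_header(pkts[2])
    return (flags1 == {"SYN"} and flags2 == {"SYN", "ACK"} and flags3 == {"ACK"}
            and ack_b == seq_a + 1 and ack_a == seq_b + 1)


# Constructed handshake using the post's sample sequence numbers.
HANDSHAKE = [
    build_tcp_header(40000, 443, 1234567, 0, SYN),
    build_tcp_header(443, 40000, 7654321, 1234568, SYN | ACK),
    build_tcp_header(40000, 443, 1234568, 7654322, ACK),
]
# Constructed samples for the teardown and reset cases.
SAMPLES = {
    "fin_ack": build_tcp_header(40000, 443, 1234600, 7654400, FIN | ACK),
    "bare_fin": build_tcp_header(40000, 443, 1234600, 0, FIN),
    "bare_rst": build_tcp_header(443, 40000, 0, 0, RST),
}

if __name__ == "__main__":
    for raw in HANDSHAKE:
        flags = parse_tcp_header(raw)[4]
        print(sorted(flags), "->", classify(flags))
    for name, raw in SAMPLES.items():
        print(name, "->", classify(parse_tcp_header(raw)[4]))
    print("handshake arithmetic ok:", check_handshake(HANDSHAKE))
```

The same flag bits are what a display filter such as tcp.flags.syn == 1 or tcp.flags == 0x002 tests; the classifier is deliberately strict about FIN so that a FIN without ACK is reported as suspicious rather than as a normal teardown.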


UDP (User Datagram Protocol)

UDP has no flags and no acknowledgment mechanism to confirm receipt; handling of lost (or unexpectedly arriving) packets is left to the application layer.
The important point here is this: under normal circumstances, when a UDP packet arrives at a closed port, a UDP reset packet is returned. Because UDP is not connection-oriented, there is no acknowledgment to confirm that the packet reached its destination correctly. So if your firewall silently drops UDP packets, all UDP ports will appear to be open (?).
Since some packets are dropped on the Internet under normal circumstances, even some UDP packets sent to closed (non-firewalled) ports never reach their destination, and so no reset packet comes back for them either.
For this reason UDP port scanning is always imprecise and unreliable.
Fragmentation of large UDP packets also seems to be a common form of DoS (Denial of Service) attack.

ICMP (Internet Control Message Protocol)
As the name suggests, ICMP is the protocol used to pass control information between hosts and routers. ICMP packets can carry diagnostic information (ping, traceroute; note that traceroute on Unix systems currently uses UDP packets rather than ICMP), error information (network/host/port unreachable), informational messages (timestamp, address mask request, etc.), or control information (source quench, redirect, etc.).
Although ICMP is generally harmless, some ICMP message types should be discarded:
Redirect (5), Alternate Host Address (6) and Router Advertisement (9) can be used to redirect traffic.
Echo (8), Timestamp (13) and Address Mask Request (17) can be used to determine whether a host is up, its local time and its address mask respectively. Note that the concern is the information returned: the messages themselves cannot be exploited, but the information they leak can be useful to attackers.
ICMP messages are also sometimes used as part of a DoS attack (for example flood ping, or the ping of death).

Packet fragmentation

If the size of a packet exceeds the TCP maximum segment size (MSS) or the MTU (Maximum Transmission Unit), the only way to get it to the destination is to fragment it. Because fragmentation is normal behaviour, it can also be exploited for malicious purposes.
Only the first fragment of a fragmented packet contains the transport header, so a packet filter without fragment reassembly cannot inspect the remaining fragments. A typical attack overlaps fragment data: the header in the first fragment looks normal until it is overwritten by a later fragment with a different destination IP (or port), thereby bypassing firewall rules. Packet fragmentation can also be used as part of a DoS attack that crashes older IP stacks or overwhelms the CPU.
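The overlap problem described above is easiest to see in code. The following added Python example (not code from the original post) constructs three IPv4 fragments of one datagram by hand: fragment 0 carries the start of a TCP header to port 80, a second fragment carries the rest, and a third fragment at offset 0 overlaps the first and rewrites the destination port. It then shows what a header-only filter sees (port 80), what a last-fragment-wins reassembly produces (port 23), and how a defender detects the overlap from the fragment offsets and lengths alone. All addresses, ports and bytes are constructed for the example.

```python
"""Parse IPv4 fragment fields and detect overlapping fragments.

Added example, not code from the original post. Fragments are constructed
by hand (IP checksum left at 0); nothing here comes from a real capture.
"""
import struct

IP_MF = 0x2000           # More Fragments flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def ip_to_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4_fragment(ident, offset_units, more_frags, payload,
                        src="10.0.0.1", dst="10.0.0.2", proto=6):
    """Build a 20-byte IPv4 header plus payload for one fragment (constructed)."""
    flags_off = (IP_MF if more_frags else 0) | (offset_units & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(raw):
    """Return the fields needed for fragment analysis as a dict."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "offset": (flags_off & IP_OFFSET_MASK) * 8,  # byte offset in the datagram
        "mf": bool(flags_off & IP_MF),
        "payload": raw[ihl:total_len],
    }


def find_overlaps(frags):
    """Return pairs of (start, end) byte spans of fragments that overlap.

    Any overlap is ambiguous (stacks differ on which copy wins), so a
    defender should flag it rather than guess.
    """
    spans = sorted((f["offset"], f["offset"] + len(f["payload"])) for f in frags)
    return [(a, b) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def first_fragment_dst_port(frags):
    """TCP destination port as a filter that only inspects offset-0 fragments sees it."""
    first = next(f for f in frags if f["offset"] == 0)
    return struct.unpack("!H", first["payload"][2:4])[0]


def reassembled_dst_port(frags):
    """TCP destination port after reassembly with a last-arrival-wins policy."""
    buf = bytearray(max(f["offset"] + len(f["payload"]) for f in frags))
    for f in frags:  # arrival order; later fragments overwrite earlier bytes
        buf[f["offset"]:f["offset"] + len(f["payload"])] = f["payload"]
    return struct.unpack("!H", bytes(buf[2:4]))[0]


def tcp_header(dst_port):
    """Minimal 20-byte TCP SYN header to dst_port (constructed)."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed datagram id 0x1234: fragment 0 = first 16 bytes of a SYN to port 80,
# fragment at offset 16 = remaining 4 header bytes plus 4 bytes of data (last),
# then an overlapping 8-byte fragment at offset 0 whose port field says 23.
RAW_FRAGMENTS = [
    build_ipv4_fragment(0x1234, 0, True, tcp_header(80)[:16]),
    build_ipv4_fragment(0x1234, 2, False, tcp_header(80)[16:20] + b"GET "),
    build_ipv4_fragment(0x1234, 0, True, tcp_header(23)[:8]),
]
FRAGMENTS = [parse_ipv4(r) for r in RAW_FRAGMENTS]

if __name__ == "__main__":
    print("filter sees dst port:", first_fragment_dst_port(FRAGMENTS))
    print("host reassembles dst port:", reassembled_dst_port(FRAGMENTS))
    print("overlapping spans:", find_overlaps(FRAGMENTS))
```

In Wireshark the same fragments can be isolated with ip.flags.mf == 1 || ip.frag_offset > 0, and the reassembly view shows the overlap; the point of find_overlaps is that a filter or IDS can detect the condition from the offsets and lengths without needing to know which reassembly policy the destination host uses.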

--------------------------------------------------------

Data link layer:
Filter packets with MAC address 04:f9:38:ad:13:26 (source or destination)----eth.addr == 04:f9:38:ad:13:26
Filter packets with source MAC address 04:f9:38:ad:13:26----eth.src == 04:f9:38:ad:13:26

Network layer:
Filter packets with IP address 192.168.1.1----ip.addr == 192.168.1.1
Filter packets in the 192.168.1.0 network segment----ip.addr == 192.168.1.0/24 (the original used ip contains "192.168.1", which searches the IP header for that ASCII string and does not match addresses, which are stored in binary)
Filter packets between 192.168.1.1 and 192.168.1.2----ip.addr == 192.168.1.1 && ip.addr == 192.168.1.2
Filter packets from 192.168.1.1 to 192.168.1.2----ip.src == 192.168.1.1 && ip.dst == 192.168.1.2
IP source address----ip.src == 192.168.1.1
IP destination address----ip.dst == 192.168.1.1

Transport layer:
Filter TCP packets----tcp
Filter everything except TCP packets----!tcp
Filter packets with port 80----tcp.port == 80
Filter packets between port 12345 and port 80----tcp.port == 12345 && tcp.port == 80
Filter packets from port 12345 to port 80----tcp.srcport == 12345 && tcp.dstport == 80
TCP port----tcp.port == 80
TCP destination port----tcp.dstport == 80
TCP source port----tcp.srcport == 80
UDP port----udp.port eq 15000
TCP ports 1 to 80----tcp.port >= 1 and tcp.port <= 80

Application layer:
Special note: in the http protocol, http.request represents the first line of the request (such as GET index.jsp HTTP/1.1) and http.response represents the first line of the response (such as HTTP/1.1 200 OK); other headers take the form http.header_name.
Filter HTTP packets whose URL contains .php----http.request.uri contains ".php"
Filter HTTP packets that contain the string username----http contains "username"
Filter HTTP POST requests----http.request.method == "POST"
Combining conditions: || matches when either condition is met; && matches only when both conditions are met.


Source: blog.csdn.net/wailaizhu/article/details/112359268