Wireshark capture tool
Learn to use the Wireshark capture tool
I. Introduction
1. What is Wireshark
Baidu:
2. Main applications
Helps administrators troubleshoot network problems
Helps security engineers detect security risks
Helps developers test protocol implementations
Helps in learning network protocols
and many more.
3. Characteristics
Cross-platform: supports Windows and Unix platforms
Live packet capture from a network interface
Displays detailed protocol information for each packet
Open and save captured packets
Import and export packets in the formats supported by other programs
Filter packets in many ways
Search for packets in many ways
Color the packets in the list according to filters
Create various statistics and analyses...
4. Multiple network interfaces
It can capture on several network interfaces, including wireless LAN interfaces
5. What it cannot do
It is not an intrusion detection system and it does not manipulate network traffic; it only monitors the network. It does not send packets or otherwise interact with the network, although it can perform name resolution.
II. Using Wireshark
1. Opening Wireshark shows the first page, called the initial page here
2. How to start a capture
Via Capture Options
Above the initial page there are two entry points to click: one in the main toolbar and one in the middle of the page, both opening Capture Options
Click the Capture Options icon; in the pop-up capture dialog select the network card (there may be several), then click Start to begin capturing
3. Introduction to the Wireshark window
The main Wireshark interface is divided into seven parts
Main menu
The menu bar includes File, Edit, View, Go, Capture, Analyze, Statistics, Help
Main toolbar
Quick-access buttons such as capture start, stop, etc.
Filter
Specifies the filter condition, such as source or destination address
Packet list
Lists the captured packets with source/destination address and port; different colors distinguish different packets
Packet details
Shows the fields of the selected packet
Hex data (packet bytes)
As the name suggests
Address bar
The address bar and miscellaneous items
4. Filter conditions
Filtering is done with expression rules
1) Protocols
e.g. tcp, ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
2) Direction
src, dst, src and dst, src or dst (if no direction is given, both directions match)
3) Host (in the new version; the old version has no host option)
net, port, host, portrange
4) Logical operations
and, or, not (official examples below)
5. Filter relations
1) Combining expressions
Table 6.6. Display Filter Logical Operations

English | C-like | Description and example |
---|---|---|
and | && | Logical AND. |
or | \|\| | Logical OR. |
xor | ^^ | Logical XOR. |
not | ! | Logical NOT. |
 | […] | See "Slice Operator" below. |
in | | See "Membership Operator" below. |
2) Comparison operators
See the official documentation: https://www.wireshark.org/docs/wsug_html/#DispCompOps
Table 6.5. Display Filter comparison operators

English | C-like | Description and example |
---|---|---|
eq | == | Equal. |
ne | != | Not equal. |
gt | > | Greater than. |
lt | < | Less than. |
ge | >= | Greater than or equal to. |
le | <= | Less than or equal to. |
contains | | Protocol, field or slice contains a value. |
matches | ~ | Protocol or text field matches a Perl regular expression. |
bitwise_and | & | Compare bit field value. |
6. Common filtering requirements
1) Data link layer
MAC address filtering
eth.addr==00:0c:29:1c:8b:39
eth.src==00:0c:29:1c:8b:39
eth.dst==00:0c:29:1c:8b:39
2) Network layer
IP address filtering
ip.addr==192.168.216.51
ip.src==192.168.216.51
ip.dst==192.168.216.51
3) Transport layer
tcp/udp
tcp.port==80
tcp.dstport==80
tcp.srcport==80
4) Application layer
http.request.uri contains ".php"
5) Wireshark can filter on many more protocols; they are not listed one by one here, see the official documentation
udp, tcp, arp, icmp, smtp, pop, dns, ip, ssl, http, ftp, telnet, ssh, rdp, rip, ospf
6) Filtering on protocol parameters
tcp.flags.syn == 0x02 shows packets with the SYN flag set
frame.len == 119 the length of the whole frame, from the Ethernet header to the end
http.request.method == "GET" shows HTTP request packets whose method is GET (the string comparison is case-sensitive, so "get" would match nothing)
7) Logical combination of filters
||
&&
!
Combining conditions with "and"
ip.src==192.168.216.51&&ip.dst==192.168.216.52
Combining conditions with "or"
ip.src==192.168.216.51||ip.src==192.168.216.52
Combining conditions with "not"
!(ip.src==192.168.216.51)
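To make the filter syntax from sections 4 to 6 concrete, here is a small evaluator for that subset of Wireshark's display-filter language (field comparisons, `contains`, `matches`, `&&`, `||`, `!`, parentheses and bare protocol names) run over constructed packet records. This is an added example, not code from the original post or from Wireshark itself; the packet dicts and their values are made up, and the "either direction" behaviour of ip.addr/tcp.port/eth.addr is modelled explicitly.

```python
import re
# Constructed sample packets (not a real capture), keyed by the Wireshark field names used on this page.
PACKETS = [
    {"eth.src": "00:0c:29:1c:8b:39", "ip.src": "192.168.216.51", "ip.dst": "192.168.216.52",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.syn": True},
    {"eth.src": "00:50:56:c0:00:08", "ip.src": "192.168.216.52", "ip.dst": "192.168.216.51",
     "tcp.srcport": 80, "tcp.dstport": 51000, "tcp.flags.syn": True},
    {"eth.src": "00:0c:29:1c:8b:39", "ip.src": "192.168.216.51", "ip.dst": "192.168.216.52",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.syn": False, "frame.len": 119,
     "http.request.method": "GET", "http.request.uri": "/login.php?id=1"},
]
# Fields that match either direction, like Wireshark's own ip.addr, tcp.port and eth.addr.
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
          "eth.addr": ("eth.src", "eth.dst")}
TOKEN = re.compile(r'\(|\)|&&|\|\||!=|==|!|contains|matches|"[^"]*"|[\w.:]+')

def literal(tok):
    if tok.startswith('"'): return tok[1:-1]   # quoted string
    try: return int(tok, 0)                    # 80 or 0x02
    except ValueError: return tok              # a MAC or IP literal stays text
def compare(pkt, name, op, lit):
    vals = [pkt[k] for k in EITHER.get(name, (name,)) if k in pkt]
    if vals and isinstance(vals[0], bool):
        lit = bool(lit)                        # boolean field: any non-zero literal means "set"
    if op == "==": return any(v == lit for v in vals)
    if op == "!=": return any(v != lit for v in vals)      # "any value differs", as before Wireshark 4.0
    if op == "contains": return any(str(lit) in str(v) for v in vals)
    return any(re.search(str(lit), str(v)) for v in vals)  # matches: regular expression
def matches(pkt, filt):
    toks = TOKEN.findall(filt)                 # recursive-descent evaluation of one filter
    take = lambda: toks.pop(0)
    peek = lambda: toks[0] if toks else None
    def or_expr():
        r = and_expr()
        while peek() == "||": take(); r = and_expr() or r
        return r
    def and_expr():
        r = unary()
        while peek() == "&&": take(); r = unary() and r
        return r
    def unary():
        t = take()
        if t == "!": return not unary()
        if t == "(": r = or_expr(); take(); return r        # take() drops the ")"
        if peek() in ("==", "!=", "contains", "matches"):
            return compare(pkt, t, take(), literal(take()))
        return any(k == t or k.startswith(t + ".") for k in pkt)  # bare name: protocol present
    return or_expr()
def count(filt):
    return sum(matches(p, filt) for p in PACKETS)   # like the "Displayed" count in the status bar
```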
III. Differences in the new version
The new version differs from the old version in many ways, for example:
1. Example 1: MAC
2. Example 2: IP
3. Example 3: TCP
4. Example 4: HTTP
IV. Analysis of the TCP three-way handshake
1. Simple diagram of the three-way handshake
2. First handshake
The client requests a connection and sends a request packet with the SYN flag set and sequence number 0
3. Second handshake
The server returns a confirmation with the SYN and ACK flags set, sets its initial sequence number Y = 0, and X + 1 = 0 + 1 = 1 is the acknowledgement number
4. Third handshake
The client receives the server's acknowledgement number and finds it correct, so it sends another acknowledgement: SYN flag 0, ACK flag 1, acknowledgement number = y + 1 = 0 + 1, sequence number x + 1 = 1. The server receives the acknowledgement with ack = 1, the connection is established and data transfer begins
V. The four-way wave
The four-way wave is the four-step process that takes place when a TCP connection is closed
Why are four waves needed?
Because TCP is a connection-oriented, reliable, byte-stream transport-layer protocol operating in full-duplex mode, both directions of the connection must be closed before the TCP session counts as fully closed. The four-way wave lets the TCP connection terminate reliably; it also lets any residual data still in transit on the network drain during TIME_WAIT, so that a new connection will not receive it after the old connection is torn down, which is also safer
1. The four-way wave
2. Capture illustrating the four-way wave
3. First wave
Attributes:
ACK + FIN: flags
Seq = 23: sequence number
ACK = 29: the received sequence number plus 1, i.e. the acknowledgement number
In the first wave the client sends a TCP packet to the server with FIN and ACK set, seq = 23, ack = 29, to stop sending data to the server
4. Second wave
In the second wave the server receives the FIN and sends back an ACK with Seq = 29, ack = 23
5. Third wave
The server closes its side of the connection to the client by sending a FIN with seq = 24, ack = 29
6. Fourth wave
In the fourth wave, after the client receives the FIN sent by the server, it sends back an ACK whose acknowledgement number is incremented by 1, i.e. 30, and the connection is completely closed.
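The sequence/acknowledgement arithmetic behind sections IV and V (SYN and FIN each consume one sequence number, payload consumes its length, and each ACK must equal the peer's next sequence number) can be checked mechanically over the packet list. The following is an added example, not code from the original post; the `Seg` type and the conversation in `SAMPLE` are constructed, using relative sequence numbers with ISN 0 on both sides the way Wireshark displays them by default.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    src: str           # "client" or "server"
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}
    seq: int           # relative sequence number, as Wireshark shows it
    ack: int = 0
    data: int = 0      # payload bytes carried

# Constructed conversation (not a real capture) with ISN 0 on both sides, so the
# handshake ends at seq=1/ack=1 exactly as in the description above.
SAMPLE = [
    Seg("client", frozenset({"SYN"}), seq=0),                    # handshake 1
    Seg("server", frozenset({"SYN", "ACK"}), seq=0, ack=1),      # handshake 2
    Seg("client", frozenset({"ACK"}), seq=1, ack=1),             # handshake 3
    Seg("client", frozenset({"ACK"}), seq=1, ack=1, data=22),    # request
    Seg("server", frozenset({"ACK"}), seq=1, ack=23, data=28),   # response
    Seg("client", frozenset({"FIN", "ACK"}), seq=23, ack=29),    # first wave
    Seg("server", frozenset({"ACK"}), seq=29, ack=24),           # second wave
    Seg("server", frozenset({"FIN", "ACK"}), seq=29, ack=24),    # third wave
    Seg("client", frozenset({"ACK"}), seq=24, ack=30),           # fourth wave
]

def track(segments):
    """Label segments as handshake (n/3) or wave (n/4) steps and verify the ACKs:
    SYN and FIN each consume one sequence number, payload consumes its length,
    and every ACK must equal the peer's next expected sequence number."""
    nxt, labels, syns, fins = {}, [], 0, 0   # nxt: next seq each side will send
    for s in segments:
        peer = "server" if s.src == "client" else "client"
        if "ACK" in s.flags and peer in nxt and s.ack != nxt[peer]:
            labels.append(f"{s.src}: bad ack={s.ack}, expected {nxt[peer]}")
            continue                         # a bogus segment must not advance state
        nxt[s.src] = s.seq + s.data + ("SYN" in s.flags) + ("FIN" in s.flags)
        if "SYN" in s.flags:
            syns += 1
            step = f"handshake {syns}/3"
        elif "FIN" in s.flags or fins:       # a FIN, or the bare ACK answering one
            fins += 1
            step = f"wave {fins}/4"
        elif syns == 2 and not s.data:       # bare ACK that completes the handshake
            syns += 1
            step = "handshake 3/3"
        else:
            step = f"data {s.data} bytes" if s.data else "ack"
        labels.append(f"{s.src}: {step} seq={s.seq} ack={s.ack}")
    return labels
```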
Please indicate the source: https://www.cnblogs.com/zhangxingeng/p/11200063.html