Wireshark simple tutorial (interface description, capture filter expressions, display filter expressions)

I. Overview

1.1 Background

For most users just getting started with Wireshark, the first impression is that it can intercept every single packet, which feels invincible; but when faced with a huge pile of packets and asked what use they are, or how to find the packets they actually want (for example, the packets of a telnet login), they are completely at a loss.

First, the interface is a pile of windows whose purpose and differences are hard to make out; second, capture and display filter expressions seem to follow no pattern, so every filter means a long search on Baidu. In fact the Wireshark interface is quite clear and filter expressions are not hard either; today we will crack these two difficulties of using Wireshark.

Official website: https://www.wireshark.org/

Download page: https://www.wireshark.org/#download

Installation is the same as for any ordinary Windows program: just click Next through the wizard. As for why Ethereal was renamed Wireshark in 2006, see: https://www.linux.com/news/ethereal-changes-name-wireshark

 

1.2 Capturing local loopback traffic

Note that loopback traffic, where this machine talks to itself, does not pass through the network card, for example when we visit a web service hosted on this same machine. But we often run services on the local machine and often need to intercept that local loopback traffic for analysis, so we want to capture loopback packets as well. Proceed as follows.

First, run cmd as administrator (an ordinary user has no permission to change the routing table and will be told "The requested operation requires elevation").

Then use ipconfig to find the local IP address and the gateway:

ipconfig

Next, add a route with the following command, which forces loopback traffic to be forwarded to the gateway first (replace <your_IP> and <gateway_IP> with the local IP and gateway obtained in the previous step):

route add <your_IP> mask 255.255.255.255 <gateway_IP> metric 1

Finally, check that the route has been added to the routing table:

route print

Sending loopback traffic out to the gateway and back adds load on the network card, so delete the route once you are done, using the following command (replace <your_IP> with the local IP obtained earlier):

route delete <your_IP>

 

II. Wireshark interface description

Writing filter expressions is the core of using Wireshark, but before that many beginners hit another problem: they feel there is a lot on the Wireshark interface that they do not know how to read. It is actually quite clear; we explain it briefly below, referring to the figure.

Window 1 lists all the packets Wireshark has captured. Note that the last column, Info, is a summary column composed by Wireshark and is not necessarily the raw content of the packet.

Window 2 shows the packet selected in window 1 broken down by protocol layer. A red background means Wireshark has checksum verification enabled and the checksum of that layer is incorrect.

Window 3 shows the raw data of the packet selected in window 1: hexadecimal on the left, ASCII on the right. Selecting a layer or a field in window 2 highlights the corresponding bytes in window 3.

What is considered hardest is actually reading the expanded content of window 2, but it too is quite clear. Taking the IP layer as an example:

Each row corresponds to one field of that layer's protocol; a row in square brackets is an explanatory note on the preceding field.

The English text before the colon is the name of the protocol field; after the colon is the value of that field in this packet.

 

III. Capture filter expressions

A capture filter expression takes effect before Wireshark starts capturing: only packets that match the condition are captured, and packets that do not match are not recorded at all.

Capture filter expressions do not follow as obvious a pattern as display filter expressions, but there are only a few forms, so they are not hard either. Still, unless capturing everything would take too much disk space, and you are very sure the packets you filter out are ones you do not need, the usual practice is to use a display filter expression rather than a capture filter expression.

In Wireshark 2.x the welcome screen shown after startup has a capture filter box; an expression entered there takes effect when the capture is started:

Click the "bookmark" icon in the figure and then "Manage Capture Filters" to see how common capture filter expressions are written.

 

IV. Display filter expressions and how they are written

A display filter expression takes effect after Wireshark has captured packets: from all captured packets it shows those that match the condition and hides those that do not.

A display filter expression takes effect when entered in the "display filter" box below the toolbar.

4.1 Basic filter expressions

A basic expression consists of three parts: a filter item, a filter relation and a filter value.

For example, in ip.addr == 192.168.1.1, ip.addr is the filter item, == is the filter relation and 192.168.1.1 is the filter value (the whole expression means: find all packets whose IP source or destination address equals 192.168.1.1).

4.1.1 Filter items

The "complexity of filter expressions" that beginners feel lies mostly in the filter item: first, not knowing which filter items exist, and second, not knowing how to write them.

Both questions have the same answer: a Wireshark filter item follows the pattern "protocol" + "." + "protocol field". Take the port as an example: the port appears in the TCP protocol, so there is a port filter item, and it is written tcp.port.

The same idea extends to other protocols such as eth, ip, udp, http, telnet, ftp, icmp, snmp and so on. Of course, to keep names short Wireshark sometimes uses an abbreviation instead of the name given in the protocol specification (Destination Port, for instance, is written dstport), and for convenience it adds some fields the protocol does not have (TCP only has source port and destination port fields; for convenience Wireshark adds tcp.port to stand for both at once), but the overall idea is unchanged. Moreover, in practice, once you type "protocol" + "." Wireshark suggests the fields it supports (in particular, the first letters of a filter field usually match the first letters of the field name shown in window 2 above), so a glance at the names tells you roughly which field to use. The complete list of protocols and protocol fields Wireshark supports can be found in the official documentation.

4.1.2 Filter relations

A filter relation is one of a few comparison relations: greater than, less than, equal to and so on; we can refer directly to the official table. Note that it has two columns, "English" and "C-like", meaning that the "English" and "C-like" spellings are equivalent in Wireshark and both can be used.

4.1.3 Filter values

The filter value is the standard the filter item must meet under the filter relation, for example 500, 5000, 50000 and so on. How a filter value is written is generally already determined by the filter item and the filter relation; you just fill in the value you expect.

 

4.2 Compound filter expressions

A compound filter expression is one made up of several basic filter expressions. The basic expressions are written just as before; the only extra thing in a compound expression is the "connectives" between the basic expressions.

Again we refer directly to the official table; as before, the "English" and "C-like" columns mean that the two spellings are equivalent in Wireshark and both can be used.

 

4.3 Common display filter needs and their expressions

Data link layer:

Packets with MAC address 04:f9:38:ad:13:26 (source or destination) ---- eth.addr == 04:f9:38:ad:13:26

Packets with source MAC address 04:f9:38:ad:13:26 ---- eth.src == 04:f9:38:ad:13:26

Network layer:

Packets with IP address 192.168.1.1 ---- ip.addr == 192.168.1.1

Packets in the 192.168.1.0/24 subnet ---- ip.addr == 192.168.1.0/24

Packets between 192.168.1.1 and 192.168.1.2 ---- ip.addr == 192.168.1.1 && ip.addr == 192.168.1.2

Packets from 192.168.1.1 to 192.168.1.2 ---- ip.src == 192.168.1.1 && ip.dst == 192.168.1.2

Transport layer:

TCP packets ---- tcp

All packets except TCP ---- !tcp

Packets with port 80 ---- tcp.port == 80

Packets between port 12345 and port 80 ---- tcp.port == 12345 && tcp.port == 80

Packets from port 12345 to port 80 ---- tcp.srcport == 12345 && tcp.dstport == 80

Application layer:

Special note ---- in HTTP, http.request denotes the first line of the request header (e.g. GET index.jsp HTTP/1.1) and http.response the first line of the response header (e.g. HTTP/1.1 200 OK); the other headers are written in the form http.header_name.

HTTP packets whose URL contains .php ---- http.request.uri contains ".php"

HTTP packets whose content contains username ---- http contains "username"
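To make the item / relation / value structure of sections 4.1 and 4.2, and the way the compound expressions in 4.3 behave, concrete, here is an added Python example that is not part of the original post and not Wireshark's own code: a small evaluator for a subset of display-filter syntax, run over constructed packet records. The packet dicts, the ALIASES table and the parser are assumptions that mimic Wireshark's behaviour (ip.addr matching either address, tcp.port matching either port, English and C-like relation spellings being interchangeable).

```python
import re
import operator

# Constructed sample packets (not a real capture): the flat "protocol.field: value" view of window 2.
PACKETS = [
    {"eth.src": "04:f9:38:ad:13:26", "ip.src": "192.168.1.1", "ip.dst": "192.168.1.2",
     "tcp.srcport": 12345, "tcp.dstport": 80, "http.request.uri": "/login.php?username=bob"},
    {"eth.src": "00:11:22:33:44:55", "ip.src": "192.168.1.2", "ip.dst": "192.168.1.1",
     "tcp.srcport": 80, "tcp.dstport": 12345},
    {"eth.src": "00:11:22:33:44:55", "ip.src": "10.0.0.5", "ip.dst": "192.168.1.1",
     "udp.srcport": 53, "udp.dstport": 40000},
]
# Convenience items Wireshark adds that the protocol lacks: each stands for several real fields,
# so "ip.addr == X" is true if EITHER src or dst equals X (assumed table, mimicking Wireshark).
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
C_LIKE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
          ">=": operator.ge, "<=": operator.le, "contains": lambda a, b: str(b) in str(a)}
# The "English" spellings (eq, ne, gt, lt, ge, le) are interchangeable with the C-like ones.
RELATIONS = {**C_LIKE, **dict(zip(["eq", "ne", "gt", "lt", "ge", "le"], C_LIKE.values()))}
TOKEN = re.compile(r'\s*("[^"]*"|&&|\|\||==|!=|>=|<=|[!()<>]|[\w.:]+)')

def values(pkt, item):  # values a filter item stands for: alias fields, one field, or a whole layer
    if item in pkt or item in ALIASES:
        return [pkt[k] for k in ALIASES.get(item, (item,)) if k in pkt]
    return [v for k, v in pkt.items() if k.startswith(item + ".")]  # bare protocol name, e.g. "tcp"

def parse(expr):  # recursive descent: (item relation value) terms joined by not / and / or
    toks, pos = TOKEN.findall(expr), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def primary():
        t = take()
        if t == "(":
            node = or_expr(); take(); return node                 # take() consumes the ")"
        if t in ("!", "not"):
            inner = primary(); return lambda p: not inner(p)
        if peek() in RELATIONS:                                    # basic expression: item relation value
            rel, raw = RELATIONS[take()], take().strip('"')
            return lambda p: any(rel(v, int(raw) if isinstance(v, int) else raw) for v in values(p, t))
        return lambda p: bool(values(p, t))                        # "tcp" alone: packet has that layer
    def binary(sub, ops, fn):                                      # left-assoc chain of one connective
        node = sub()
        while peek() in ops:
            take(); node = (lambda l, r: lambda p: fn(l(p), r(p)))(node, sub())
        return node
    def and_expr(): return binary(primary, ("&&", "and"), lambda a, b: a and b)
    def or_expr(): return binary(and_expr, ("||", "or"), lambda a, b: a or b)
    return or_expr()

def match(expr, packets=PACKETS):  # indices of the packets a display filter keeps
    pred = parse(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

Note that the two "between" filters of 4.3 (ip.addr == A && ip.addr == B, tcp.port == X && tcp.port == Y) only work because each alias matches either direction; the src/dst forms restrict the direction.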

 


Source: www.cnblogs.com/edcsong/p/11896173.html