2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the basics of packet capture with Wireshark under Linux. Many people have questions about how to capture and inspect network traffic on a Linux host, so the editor has consulted a range of material and put together simple, easy-to-use procedures. I hope it helps answer those questions; please follow along.
Wireshark is the most popular network analysis tool in the world. It captures packets from the network and presents detailed information about the network layer and the upper-layer protocols carried inside it.
Like many other networking tools, Wireshark uses the pcap library (libpcap on Linux, WinPcap on Windows) for packet capture.
Advantages of Wireshark:
- easy to install.
- an easy-to-use interface.
- provides a wealth of features.
The original name of Wireshark was Ethereal; the new name has been used since 2006. At that time the main developer of Ethereal decided to leave the company where he had been working and to continue developing the software. Because the rights to the name Ethereal were held by the original company, the new name Wireshark was adopted.
Wireshark is the most popular protocol analysis software in the world. It translates the binary data streams of many network protocols into text and charts that people can read and understand, which greatly simplifies monitoring and analysing network activity and running teaching experiments. It has rich and powerful statistical analysis functions and runs on Windows, Linux and UNIX. The software was first developed by the American Gerald Combs in 1998 under the name Ethereal. Today more than 100 network experts and software developers from around the world take part in upgrading and maintaining it. Its name was changed from Ethereal to Wireshark in May 2006. Since then it has been updated at a rate of roughly one new version every two to three months, reaching version 0.99.6 in September 2007; the main functions and usage of the software have stayed the same across upgrades. It is free, open-source software that anyone can download or help develop.
Wireshark can be applied conveniently and intuitively to teaching experiments in computer networking and network security, to daily network security monitoring, network performance testing, capture and analysis of network malware, monitoring of network user behaviour, tracking of attacker activity, and so on. It is therefore widely used by network administrators, information security specialists and hardware and software developers around the world, and in the teaching, research and laboratory work on networking and information security at a number of well-known universities in the United States.
There are some subtle differences between the older Ethereal and the newer Wireshark packages in installation and use:
(1) The packet-capture driver bundled with the Ethereal installer is WinPcap 3.0. Captured data can only be saved under an English (ASCII) file name, and the default suffix is .cap.
(2) The packet-capture driver bundled with the Wireshark installer is WinPcap 4.0. Chinese file names can be used when saving captured data, and the default suffix is .pcap. In addition, Wireshark can decode and interpret more network protocols, has better statistical analysis of network data flows, and is more convenient for network security teaching and day-to-day network supervision, while the basic usage remains the same as Ethereal.
WinPcap (Windows packet capture) is a free, public network access system for the Windows platform. The purpose of the WinPcap project is to give Win32 applications the ability to access the underlying network.
Under Linux, when we need to capture network packets for analysis, we usually use tcpdump to capture the raw packets and save them to a file, then download the file to a workstation and analyse it in the Wireshark GUI.
It turns out that Wireshark also ships a Linux command-line tool, tshark. tshark can not only capture packets but also dissect the various protocols, just like the GUI. The following two examples introduce the tshark tool.
1. Installation method
CentOS:
The code is as follows:
yum install -y wireshark
Ubuntu:
The code is as follows:
apt-get install -y tshark
2. Print the URL (including the domain name) of each current HTTP request in real time
The code is as follows:
tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'
The following describes the meaning of the parameters:
-s 512: capture only the first 512 bytes of each packet (the HTTP request line and Host header fit in the first few hundred bytes)
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution (no DNS lookups for captured addresses)
-f 'tcp dst port 80': capture only packets whose protocol is TCP and whose destination port is 80
-R 'http.host and http.request.uri': keep only packets that carry both an http.host and an http.request.uri field (on current tshark releases -R requires two-pass mode, -2; for a live capture use -Y with the same filter instead)
-T fields -e http.host -e http.request.uri: print only the http.host and http.request.uri fields, separated by a tab
-l: flush the output after each packet (line-buffered), so lines appear immediately when piped
| tr -d '\t': remove the tab between the two fields so that host and URI print joined as one URL
3. Print the current MySQL query statements in real time
The code is as follows:
tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query
The following describes the meaning of the parameters:
-s 512: capture only the first 512 bytes of each packet
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution
-f 'tcp dst port 3306': capture only packets whose protocol is TCP and whose destination port is 3306
-R 'mysql.query': keep only packets that carry a mysql.query field, that is, COM_QUERY packets from client to server (as above, current tshark releases need -2 with -R, or -Y for live capture)
-T fields -e mysql.query: print the MySQL query statement from each such packet
tshark uses -f to specify the capture filter. This uses the same BPF syntax as tcpdump and is documented by the command man pcap-filter.
tshark uses -R to filter the captured packets with Wireshark display-filter syntax, the same language as the Filter box in the top-left corner of the Wireshark GUI.
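Both commands above print one packet per line with the requested fields separated by a tab. The following added example (not code from the original article) parses that `-T fields` output from constructed sample lines, taken before the `tr -d '\t'` step, rebuilds the HTTP URLs, counts requests per host, and groups the captured MySQL statements by verb; the host names and queries are made up.

```python
# Added example (not the article's code): parse tab-separated `tshark -T fields` output.
from collections import Counter
from typing import Iterator

# Constructed sample of `-T fields -e http.host -e http.request.uri` output
# (before the `tr -d '\t'` step): two fields per line separated by a tab.
HTTP_SAMPLE = (
    "www.example.com\t/index.html\n"
    "www.example.com\t/login?user=alice\n"
    "api.example.net\t/v1/items\n"
    "\t/no-host-header\n"            # request without a Host header: empty first field
    "static.example.com\t/a.css\n"
)

# Constructed sample of `-T fields -e mysql.query` output, one statement per line.
MYSQL_SAMPLE = (
    "SELECT id, name FROM users WHERE id = 42\n"
    "UPDATE users SET last_login = NOW() WHERE id = 42\n"
    "SELECT password_hash FROM users WHERE name = 'alice'\n"
)

def parse_fields(output: str, nfields: int) -> Iterator[list[str]]:
    """Yield one list per non-blank line, padded so that a missing trailing
    field (tshark prints nothing for an absent field) becomes ''."""
    for line in output.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (nfields - len(cols))
        yield cols[:nfields]

def http_urls(output: str) -> list[str]:
    """Rebuild each request URL; a missing Host header is shown as '?'."""
    return [f"http://{host or '?'}{uri}" for host, uri in parse_fields(output, 2)]

def requests_per_host(output: str) -> Counter:
    """Count requests per Host header, a quick first view of a capture."""
    return Counter(host or "(no Host header)" for host, _ in parse_fields(output, 2))

def mysql_statements(output: str) -> dict[str, list[str]]:
    """Group captured statements by their leading verb (SELECT, UPDATE, ...)."""
    groups: dict[str, list[str]] = {}
    for (query,) in parse_fields(output, 1):
        if query:
            groups.setdefault(query.split(None, 1)[0].upper(), []).append(query)
    return groups
```

Pipe the real tshark output (without the `tr` step) into a file and pass its contents to these functions; seeing full SQL text in a capture, as in the MySQL sample, means the application-to-database connection is not protected by TLS.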
This concludes the introduction to packet capture with Wireshark under Linux. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! To keep learning, please continue to follow the website; the editor will keep working to bring you more practical articles.