2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many newcomers are unsure how to use Wireshark. This article walks through the basics step by step; anyone who needs them is welcome to follow along, and I hope you take something away from it.
1. Introduction
This article introduces Wireshark, an easy-to-use packet capture tool for recording network traffic, including HTTP, TCP, UDP and other protocol packets.
Start interface
Wireshark captures the packets that pass through one of the network interfaces (network cards) of the machine it runs on. If the machine has several interfaces, you must pick the one to capture on: double-click one of the interfaces listed on the start screen. Capturing on an interface normally requires administrator privileges (root, or membership of the capture group on Linux), and on a switched network you will only see traffic addressed to this machine plus broadcasts and multicasts unless the switch mirrors other ports to you (see section 6).
2. Wireshark window
Introduction to the Wireshark window:
Wireshark's main window is divided into these areas:
1. Display Filter: the filter bar used to narrow down which captured packets are shown.
2. Packet List Pane: one row per captured packet, showing the source and destination addresses, protocol and port numbers. Row colors follow Wireshark's coloring rules (View -> Coloring Rules), for example a distinct color for TCP segments with errors.
3. Packet Details Pane: the decoded fields of the selected packet, one expandable tree node per protocol layer.
4. Packet Bytes Pane: the raw bytes of the selected packet as a hex and ASCII dump; clicking a field in the details pane highlights the corresponding bytes here.
5. Miscellaneous: the menu and toolbars, and the status bar at the bottom with the packet count and the current profile.
Common operation button
① start capture, ② stop capture, ③ restart the current capture
3. Wireshark display filtering
Filtering is essential. A beginner who starts a capture without a filter is quickly buried in thousands or tens of thousands of records and cannot find the few that matter.
Filters let us pick out the information we need from a large volume of data.
For example, the filter shown in the figure above displays only packets whose TCP source or destination port is 5005.
Note: this is a display filter, so it only controls what is shown. Wireshark still captures every packet on the interface, and the capture file still contains all of them.
There are two kinds of filters, and they use different syntax:
1. Display filter
The filter bar on the main window. It selects which of the already captured records are shown, using field names such as tcp.port == 5005, and can be changed at any time without losing data.
2. Capture filter
Applied while capturing, so that unwanted packets are never recorded and the capture stays small. It is set under Capture -> Options (or via Capture -> Capture Filters...) and uses BPF/tcpdump syntax, for example tcp port 5005 or host 192.168.1.102, not the tcp.port == 5005 form of the display filter. A capture filter is the right choice when you only want the traffic of one channel, but anything it drops is gone for good, so use it only when you are sure what you need.
Save display filter
At work we usually capture the same kind of traffic every time we open Wireshark. For example, if the company product uses TCP port 5005 by default, the filter is the tcp.port == 5005 shown above. Rather than retyping the expression each time, we can save it.
After entering the expression, click the bookmark button at the left end of the filter bar and choose "Save this filter".
Then give the filter a name.
The next time you click the bookmark button you can pick the saved display filter directly instead of typing it again.
4. Rules for filtering expressions
1. Protocol filtering
A bare protocol name, for example tcp, shows only packets that contain that protocol (udp, arp, http, dns and so on work the same way).
2. IP filtering
ip.src == 192.168.1.102 shows packets whose source address is 192.168.1.102.
ip.dst == 192.168.1.102 shows packets whose destination address is 192.168.1.102.
ip.addr == 192.168.1.102 shows packets where either address matches.
3. Port filtering
tcp.port == 80 shows TCP segments whose source or destination port is 80.
tcp.srcport == 80 shows only TCP segments whose source port is 80 (tcp.dstport == 80 for the destination port; udp.port, udp.srcport and udp.dstport work the same way for UDP).
4. HTTP filtering
http.request.method == "GET" shows only HTTP GET requests. Field names and protocol names are lowercase; a capitalized Tcp.port is not recognized.
5. Logical operators: and / or / not (also written &&, ||, !), for example tcp.port == 5005 and ip.src == 192.168.1.102. Comparison operators are ==, !=, >, <, >=, <=. Be careful with != on fields that occur more than once in a packet, such as tcp.port: since Wireshark 3.6, tcp.port != 80 means "neither port is 80", while in older versions it meant "at least one port is not 80" and matched almost everything.
Commonly used filter expressions:
5. Packet details
The Packet Details Pane is the panel we use most: it shows every field of every protocol in the selected packet.
Each top-level line is one protocol layer:
Frame: capture metadata for the frame (arrival time, captured length, interface); in the figure's model this stands in for the physical layer.
Ethernet II: the data link layer Ethernet frame header (destination MAC, source MAC, EtherType).
Internet Protocol Version 4: the internet layer IP header (header length, TTL, protocol number, source and destination addresses).
Transmission Control Protocol: the transport layer segment header, here TCP (ports, sequence and acknowledgement numbers, flags, window).
Data: the application layer payload; when Wireshark recognizes the protocol (for example HTTP on port 80) this line is replaced by a decoded protocol tree.
Wireshark and corresponding TCP/IP four-tier model
For using Wireshark to capture packets and analyze the individual bytes of the IP header, TCP header and other parts of the TCP/IP protocol suite, see the column "STM32 Network Development".
6. Save automatically
During development we sometimes need to record the traffic of a device over a long run, a few days or even more than ten days. If we simply start a capture as above and let it run, Wireshark keeps every packet in memory; after a few hours the process grows until it crashes on a PC with little memory. For long runs we need Wireshark to capture for a period, write the packets to a file automatically, and start a new file.
Setting method: Capture -> Options -> Output. Choose a file name, tick "Create a new file automatically" and pick a size, interval or packet count per file, and enable "Use a ring buffer with N files" so that the oldest file is overwritten and the disk never fills. The same ring buffer is available from the command-line capture engine dumpcap, which is the better choice for unattended multi-day captures since it has no GUI to keep in memory.
In a real project some embedded devices do not talk to the PC at all but to another embedded device. Then we need a switch with port mirroring (SPAN) for monitoring. As the figure shows, the switch is configured to mirror port 3 to port 2, where the PC running Wireshark is connected; together with the auto-save function this records all packets of the monitored device. Note that a mirror port can be oversubscribed: both directions of a full-duplex link are copied into one output port, so under heavy load the switch may drop mirrored frames and the capture will show gaps that the real link never had.
7. Statistical function of Wireshark
One of Wireshark's strengths is its statistics tools, found under the Statistics menu.
An example is Protocol Hierarchy. This window lists every protocol found in the capture file as a tree; each percentage is relative to the packets at the same layer of the tree, so the percentages of the children of one node add up to that node's share.
Another is the I/O Graph, which plots packets or bytes per second over time, for example to show the throughput of a TCP connection; it accepts display filters, so one graph can compare several flows.
These statistics are important features of Wireshark and are used daily by operations and network maintenance staff. Embedded and microcontroller network development, on the other hand, still mostly relies on packet-by-packet analysis of the TCP/IP protocol suite, so the statistics functions are not described in more detail here.
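To make the three technical points of this article concrete in code, here is an added Python example (it is not part of the original article and not Wireshark's own code). It builds a small, constructed capture in memory in classic pcap format, dissects each frame into the same layer tree the Packet Details Pane shows (Ethernet II, IPv4, TCP/UDP, HTTP), evaluates a subset of Wireshark display filter syntax over the decoded fields (bare protocol names, ==, !=, and/or/not with the modern "all not equal" meaning of !=), and counts the protocol hierarchy the way the Statistics window does. All addresses, ports, MAC addresses and payloads are invented; the function and field names are chosen to mirror Wireshark's but are this example's own.

```python
"""Added example: pcap dissection, display-filter matching and protocol hierarchy."""
import shlex
import struct
from collections import Counter

# ---- constructed sample capture (invented addresses, not a real trace) -------
PC, DEV, WEB, DNS = "192.168.1.102", "192.168.1.10", "198.51.100.7", "192.168.1.1"

def ip4(addr):                                   # dotted quad -> 4 bytes
    return bytes(int(x) for x in addr.split("."))

def ipv4(src, dst, proto, payload):
    # ver/IHL=0x45, DSCP, total length, id, DF flag, TTL, proto, checksum (0: not verified here), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, proto, 0, ip4(src), ip4(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    return eth + hdr + payload

def tcp(src, sport, dst, dport, flags, payload=b""):
    # 20-byte TCP header: data offset 5 words sits in the high nibble of byte 12, flags in byte 13
    return ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload)

def udp(src, sport, dst, dport, payload):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

FRAMES = [
    tcp(PC, 51000, DEV, 5005, 0x02),             # 1: SYN to the product's port 5005
    tcp(DEV, 5005, PC, 51000, 0x12),             # 2: SYN/ACK back
    tcp(PC, 51001, WEB, 80, 0x18, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),   # 3: HTTP GET
    tcp(WEB, 80, PC, 51001, 0x18, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),        # 4: HTTP reply
    udp(PC, 40000, DNS, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),                    # 5: UDP to port 53
]

def build_pcap(frames, link_type=1):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)  # global header, LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame   # record header + data
    return out

SAMPLE_PCAP = build_pcap(FRAMES)

# ---- dissection: one dict of Wireshark-style field names per frame -----------
def dissect(num, frame):
    f = {"frame.number": num, "frame.len": len(frame), "layers": ["frame"]}
    if len(frame) < 14:
        return f                                   # too short for an Ethernet header
    f["eth.dst"], f["eth.src"] = frame[:6].hex(":"), frame[6:12].hex(":")
    f["eth.type"] = struct.unpack_from("!H", frame, 12)[0]
    f["layers"].append("eth")
    if f["eth.type"] != 0x0800:
        return f                                   # not IPv4 (e.g. ARP): stop at the link layer
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return f                                   # malformed or truncated IP header
    f["ip.proto"] = frame[14 + 9]
    f["ip.src"] = ".".join(map(str, frame[14 + 12:14 + 16]))
    f["ip.dst"] = ".".join(map(str, frame[14 + 16:14 + 20]))
    f["layers"].append("ip")
    l4 = frame[14 + ihl:]
    if f["ip.proto"] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": (sport, dport), "tcp.flags": l4[13]})
        f["layers"].append("tcp")
        payload = l4[(l4[12] >> 4) * 4:]
        parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        if len(parts) == 3 and parts[2].startswith("HTTP/"):           # request line
            f["http.request.method"], f["http.request.uri"] = parts[0], parts[1]
            f["layers"].append("http")
        elif len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():   # status line
            f["http.response.code"] = int(parts[1])
            f["layers"].append("http")
    elif f["ip.proto"] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        f.update({"udp.srcport": sport, "udp.dstport": dport, "udp.port": (sport, dport)})
        f["layers"].append("udp")
    return f

def parse_pcap(data):
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order is given by the magic number
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    off, packets = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append(dissect(len(packets) + 1, data[off:off + incl]))
        off += incl
    return packets

# ---- display filter subset: field == value, field != value, proto, and/or/not -
def _compare(f, name, op, value):
    if name not in f:
        return False                               # a field the packet lacks never matches
    have = f[name] if isinstance(f[name], tuple) else (f[name],)   # tcp.port carries both ends
    want = int(value, 0) if isinstance(have[0], int) else value
    if op == "==":
        return any(h == want for h in have)        # "any end equal": tcp.port == 80 matches either port
    if op == "!=":
        return all(h != want for h in have)        # Wireshark >= 3.6: "all not equal", i.e. !(a == b)
    raise ValueError("unsupported operator " + op)

def matches(f, expr):
    toks = shlex.split(expr.replace("&&", " and ").replace("||", " or "))   # shlex strips "GET" quotes
    pos = 0
    def atom():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok in ("not", "!"):
            return not atom()
        if pos < len(toks) and toks[pos] in ("==", "!="):
            op, val = toks[pos], toks[pos + 1]; pos += 2
            return _compare(f, tok, op, val)
        return tok in f["layers"]                  # bare protocol name, e.g. "tcp"
    def term():                                    # "and" binds tighter than "or"
        nonlocal pos
        v = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; v = atom() and v
        return v
    v = term()
    while pos < len(toks) and toks[pos] == "or":
        pos += 1; v = term() or v
    return v

def filter_pcap(data, expr):
    """Frame numbers the Packet List Pane would show for a display filter."""
    return [p["frame.number"] for p in parse_pcap(data) if matches(p, expr)]

def protocol_hierarchy(packets):
    """Statistics -> Protocol Hierarchy: frames per protocol path."""
    return Counter("/".join(p["layers"]) for p in packets)

if __name__ == "__main__":
    for expr in ("tcp.port == 5005", 'http.request.method == "GET"', "ip.src == 192.168.1.102 and not tcp"):
        print(f"{expr:45s} -> frames {filter_pcap(SAMPLE_PCAP, expr)}")
    print(dict(protocol_hierarchy(parse_pcap(SAMPLE_PCAP))))
```

The dissector deliberately stops at each layer when the remaining bytes are too short or the header is malformed, which is what Wireshark does when it flags a packet as truncated or malformed rather than guessing. The filter evaluator returns False for a field the packet does not have, so `tcp.port == 5005` never matches a UDP datagram, and `ip.src == 192.168.1.102 and not tcp` picks out exactly the non-TCP traffic of that host. To point the same code at a real file, replace `SAMPLE_PCAP` with the bytes of a capture saved from Wireshark in pcap (not pcapng) format.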
© 2024 shulou.com SLNews company. All rights reserved.