
Simple use of Notes by wireshark (3)

2025-01-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

When we capture packets with Wireshark, we sometimes need to count the traffic for each endpoint IP address, which is what Wireshark's Endpoints view is for. Once the capture is finished, select Endpoints under Statistics to see the traffic statistics for each endpoint (IP address), as shown below:

Through this view, we can see the statistics of the captured traffic directly, which is of great help in analyzing current network behavior.

If we want to know the session traffic statistics between address A and address B, we can select Conversations under Statistics, and the following window appears:

Through this window, we get a clear view of the session traffic between addresses, and from these session statistics we can also roughly analyze the conversation behavior between them.

We sometimes need to analyze the distribution of protocols in the captured traffic, such as TCP, ICMP and so on. In Wireshark, we can choose Protocol Hierarchy under Statistics. In the pop-up window, we can clearly see the proportion of traffic belonging to each protocol, as shown in the figure:

This feature works well in practice, and it is of great help when we first judge whether the network is malfunctioning. For example, ARP traffic in a network usually accounts for about 10%; if the proportion of ARP in the traffic we capture is much larger or smaller than that, we know something must be wrong and can analyze the problem further.

In traffic analysis, protocol parsing sometimes fails or gives wrong results, because Wireshark's dissectors choose a protocol by its default port number, for example port 443 is treated as SSL traffic by default. When a host uses a non-default port, the parsing can be incorrect. If FTP traffic is carried over port 443, then in the traffic captured by Wireshark what is really FTP traffic will be displayed as SSL traffic. How can we analyze it and know that this is FTP traffic?

If we simply look at the traffic, we can find the account name or password appearing in plaintext. At that point we know this is a protocol that transmits in plaintext, such as FTP.

So how do we solve this problem? We can force Wireshark to parse the packets with the FTP protocol dissector, which is called forced decoding.

First, we select a packet, right-click and choose Decode As, select destination (443) from the drop-down menu in the pop-up dialog box, and select FTP under Transport. Wireshark will then decode all TCP traffic with port number 443 using the FTP dissector.
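To make the Endpoints, Conversations, Protocol Hierarchy and Decode As ideas above concrete, here is an added example (not code from the original post or from Wireshark) that computes the same kinds of statistics over a few constructed packet summaries; the packet list, the port table and the function names are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet summaries, not from a real capture:
# (src_ip, dst_ip, proto, src_port, dst_port, frame_length)
PACKETS = [
    ("10.0.0.5", "10.0.0.1", "tcp", 52000, 443, 1200),
    ("10.0.0.1", "10.0.0.5", "tcp", 443, 52000, 300),
    ("10.0.0.5", "10.0.0.9", "tcp", 52001, 21, 80),
    ("10.0.0.9", "10.0.0.5", "tcp", 21, 52001, 120),
    ("10.0.0.5", "10.0.0.1", "arp", None, None, 60),
    ("10.0.0.1", "10.0.0.5", "arp", None, None, 60),
    ("10.0.0.5", "8.8.8.8", "icmp", None, None, 98),
]

def endpoint_stats(packets):
    """Per-address packet/byte totals, like Statistics > Endpoints.
    A packet counts for both its source and its destination address."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, _, _, _, length in packets:
        for addr in (src, dst):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += length
    return dict(stats)

def conversation_stats(packets):
    """Per address-pair totals, like Statistics > Conversations.
    A->B and B->A belong to the same conversation, so the key is unordered."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, _, _, _, length in packets:
        key = tuple(sorted((src, dst)))
        stats[key]["packets"] += 1
        stats[key]["bytes"] += length
    return dict(stats)

def protocol_share(packets):
    """Fraction of packets per protocol, like Statistics > Protocol Hierarchy."""
    counts = Counter(proto for _, _, proto, _, _, _ in packets)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()}

# Assumed port-to-protocol table standing in for Wireshark's default dissector choice.
DEFAULT_PORTS = {21: "ftp", 80: "http", 443: "ssl"}

def dissect(packets, decode_as=None):
    """Label each TCP packet by whichever of its ports is in the table.
    decode_as={443: "ftp"} plays the role of Decode As, overriding the default."""
    table = {**DEFAULT_PORTS, **(decode_as or {})}
    labels = []
    for _, _, proto, sport, dport, _ in packets:
        if proto == "tcp":
            labels.append(table.get(dport) or table.get(sport) or "tcp")
    return labels
```

Running `dissect(PACKETS)` labels the port-443 session as SSL, while `dissect(PACKETS, {443: "ftp"})` labels it FTP in both directions, which is exactly the effect of the Decode As step.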

In captured traffic we often need to follow a TCP connection, and stepping through it packet by packet is tedious. Wireshark provides a very convenient TCP stream tracking feature: right-click one of the TCP or HTTP packets, select Follow TCP Stream, and the pop-up window shows the whole stream in both directions, as shown in the figure:

© 2024 shulou.com SLNews company. All rights reserved.