2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I have already covered many basic Wireshark operations, so now let's talk about how to analyze the packets that Wireshark captures.
Let's start with TCP streams. We all know that establishing a TCP connection requires a three-way handshake, so how does that show up in Wireshark? How can we see the three-way handshake in the captured packets?
Let's take a look at the data in the following picture:
In packet 44, 192.168.1.4 requests a TCP connection from port 50734 to 74.125.128.199 (SYN). Packet 51 responds to that request and, in the same packet, 74.125.128.199 requests a TCP connection back to port 50734 of 192.168.1.4 (SYN, ACK). 192.168.1.4 responds to that request in packet 52 (ACK). At this point the three-way handshake is complete and the two sides have successfully established a TCP connection, which can be seen from the contents of packet 54.
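The handshake check described above can be automated over packet summaries. This is an added example, not code from the original article: frame numbers 44, 51 and 52 and the addresses follow the text, while server port 80, frame 47 and all sequence and acknowledgment numbers are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet summaries (not taken from a real capture). Frames 44/51/52 and
# the addresses follow the article; port 80, frame 47 and seq/ack values are assumed.
Pkt = namedtuple("Pkt", "no src sport dst dport flags seq ack")

SAMPLE = [
    Pkt(44, "192.168.1.4", 50734, "74.125.128.199", 80, {"SYN"}, 1000, 0),
    Pkt(47, "192.168.1.4", 50735, "74.125.128.199", 80, {"SYN"}, 7000, 0),  # never answered
    Pkt(51, "74.125.128.199", 80, "192.168.1.4", 50734, {"SYN", "ACK"}, 5000, 1001),
    Pkt(52, "192.168.1.4", 50734, "74.125.128.199", 80, {"ACK"}, 1001, 5001),
]


def find_handshakes(packets):
    """Return (completed, half_open): frame-number triples and unanswered SYN frames."""
    pending = {}    # client 4-tuple -> SYN packet awaiting a SYN-ACK
    answered = {}   # client 4-tuple -> (SYN, SYN-ACK) awaiting the final ACK
    completed = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:
            pending[fwd] = p
        elif p.flags == {"SYN", "ACK"} and rev in pending:
            # The server must acknowledge the client's initial sequence number + 1.
            if p.ack == pending[rev].seq + 1:
                answered[rev] = (pending.pop(rev), p)
        elif p.flags == {"ACK"} and fwd in answered:
            syn, synack = answered[fwd]
            # The client acknowledges the server's ISN + 1 and sends from its own ISN + 1.
            if p.ack == synack.seq + 1 and p.seq == syn.seq + 1:
                completed.append((syn.no, synack.no, p.no))
                del answered[fwd]
    half_open = sorted([s.no for s in pending.values()] +
                       [s.no for s, _ in answered.values()])
    return completed, half_open


if __name__ == "__main__":
    done, half = find_handshakes(SAMPLE)
    print("completed handshakes (SYN, SYN-ACK, ACK frames):", done)
    print("SYNs without a completed handshake:", half)
```

A SYN that never reaches the completed list is worth a second look in a capture: it usually means a filtered or closed port, packet loss, or a client that never finished the handshake.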
We can also follow a TCP conversation: right-click one of the TCP packets and select Follow TCP Stream. The pop-up window clearly shows the data carried by that TCP stream.
From the figure, we can clearly see that the source address (192.168.1.104) sends a GET request to the destination address (65.55.57.27). The content of this GET request is the part in red font, while the content in blue font is the response to the request, which returns some information. This gives us a clearer understanding of what a TCP stream carries.
Let's take a look at what ICMP packets look like:
We set a filter rule to capture only ICMP packets, and then ping any website. Here, take Baidu as an example. The first packet is the ICMP request from the source host 192.168.1.4 to the target computer, that is, Baidu at 115.239.210.26 (one of Baidu's IP addresses). The second packet is the response from Baidu's IP to the ICMP request of 192.168.1.4. This is the simplest ICMP exchange, and it is also how the ping command works. A total of 4 ping requests and responses appear in the figure, which is the typical behavior of the ping command on Windows (the Linux ping command has no limit by default and runs continuously, while the Windows command only executes 4 times by default).