Summary of Wireshark Learning

2025-03-31 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

Brief introduction

Wireshark is an open source network protocol analyser released as free software under the GPL. Because of that licence, anyone can add support for new protocols to Wireshark or integrate it into their own program as a plug-in. Wireshark runs on Linux, Windows, macOS and other operating systems.

Wireshark stands out in the number of protocols it supports: thousands are already supported, from the most basic such as IP and DHCP to application-specific protocols such as AppleTalk and BitTorrent. Because Wireshark is developed in the open, support for new protocols is added with each update.

Wireshark architecture

See the figure below. Functionally, Wireshark can be divided into four main modules: the Capture Core, WireTap, the Protocol Interpreter and Dissector, and the GUI interface. The Capture Core uses pcap (WinPcap on Windows, libpcap on Linux) to capture network packets. Once packets are obtained, WireTap saves them as a binary file. The interpreter and dissector present that binary file in a text form that users can easily read; dissectors are divided into built-in and plug-in dissectors. Built-in dissectors are straightforward, and plug-in dissectors are introduced in detail in Section 1.3. The GUI interface, as the name implies, is the user interface.

Installation of Wireshark

Installation on Windows is straightforward.

Step 1: go to Wireshark's official website http://www.wireshark.org/, find the download page and select a mirror to download the desired version.

Step 2: after downloading the exe installation package, run it and click Next all the way through. When the installer asks whether you need to install WinPcap, be sure to check the install WinPcap option.

Using Wireshark to capture packets

Select Capture | Interfaces from the main menu; the pop-up window lists all available network cards. Select the network card you want to use, click the start button on the toolbar to start capturing, and click the stop button on the toolbar to stop. The captured data is then presented in the main Wireshark window.

The main Wireshark window is laid out as follows:

Packet List: shows all packets in the current capture file, including each packet's sequence number, the time it was captured relative to the start of the capture, source address, destination address, protocol and summary information.

Packet Details: a hierarchical display of the contents of the selected packet; each protocol layer can be expanded or collapsed to show everything captured in the packet.

Packet Bytes: lists the contents of the packet in both hexadecimal and ASCII.


Configuring the capture filter

The capture filter is configured before capturing begins. Once configured, Wireshark only captures the traffic that passes the capture filter. The capture filter syntax is the tcpdump filter syntax of the libpcap/WinPcap library (capture filter examples are available at Http://wiki.wireshark.org/CaptureFilters).

To configure the capture filter: select Capture | Options, and the Capture Options window appears. Double-click the selected network card to bring up the Edit Interface Settings window.

The figure below shows the Edit Interface Settings window, where the capture filter conditions are set. If you know the capture filter syntax, enter the filter directly in the Capture Filter area. If the input is wrong, Wireshark shows a red background to indicate that the filter cannot be processed; most likely the filter contains a typo, or display filter syntax was used instead of capture filter syntax. Click the Capture Filter button to view and select saved capture filters.

Tips:

Wireshark ships with some default capture filters. Click Edit Capture Filters in the main toolbar to jump to the list of saved capture filters, where you will find some common examples.

Configuring an Ethernet filter

The Ethernet filter is a layer 2 (OSI layer 2) filter, that is, a capture filter that filters by MAC address. Capture principle: the Ethernet capture engine compares the source/destination MAC address specified by the user with the source/destination MAC address of each captured Ethernet frame and keeps only the traffic whose source/destination MAC address matches.

ether host lets Wireshark capture only Ethernet frames originating from or destined for the Ethernet host specified by the identifier ethernethost.

For example: ether host 00:24:d6:ab:98:b6

ether dst tells Wireshark to capture only Ethernet frames destined for the Ethernet host specified by the identifier ethernethost.

For example: ether dst 00:24:d6:ab:98:b6

ether src tells Wireshark to capture only Ethernet frames sent by the Ethernet host specified by the identifier ethernethost.

For example: ether src 00:24:d6:ab:98:b6

ether broadcast tells Wireshark to capture only Ethernet broadcast traffic.

For example: ether broadcast

ether multicast tells Wireshark to capture only Ethernet multicast traffic.

For example: ether multicast

ether proto captures only Ethernet traffic whose EtherType matches the protocol number given by the identifier protocol. Write the number with the 0x prefix: libpcap reads a number with a leading 0 as octal, so 0800 does not mean the IPv4 EtherType 0x0800.

For example: ether proto 0x0800

vlan tells Wireshark to capture only the traffic of the VLAN specified by the identifier vlan_id.

For example: vlan 9999

To negate any expression in the capture filter, add the keyword not or the symbol "!" before it.

Configuring a host or network filter

Host or network filters are layer 3 filters based on IP addresses. Principle: if you filter by hostname, Wireshark resolves the hostname entered by the user to an IP address and captures the traffic to or from that IP address.

host lets Wireshark capture only IP traffic that originates from or is destined for the hostname or IP address specified by the identifier host.

For example: host 101.10.10.2 or host funshion.game.com

dst host tells Wireshark to capture only IP traffic destined for the hostname or IP address specified by the identifier host.

For example: dst host 101.10.10.2

src host lets Wireshark capture only IP traffic from the hostname or IP address specified by the identifier host.

For example: src host 101.10.10.2

net lets Wireshark capture only traffic originating from or destined for the IPv4/IPv6 network specified by the identifier net.

For example: net 192.168.1.0/24

dst net tells Wireshark to capture only traffic destined for the IPv4/IPv6 network specified by the identifier net.

src net lets Wireshark capture only traffic from the IPv4/IPv6 network specified by the identifier net.

broadcast tells Wireshark to capture only IP broadcast packets.

multicast tells Wireshark to capture only IP multicast packets.

ip proto lets Wireshark capture only packets whose IP header protocol field equals a specific value (for example, 6 for TCP, 17 for UDP and 1 for ICMP).

For example: ip proto 1

icmp[icmptype] == lets Wireshark capture only ICMP packets of the specific type icmptype.

For example: icmp[icmptype] == icmp-echo or icmp[icmptype] == 8

ip[2:2] == captures packets of a specific length, by comparing the 2-byte total length field at offset 2 of the IP header.

Configuring a TCP/UDP and port filter

These filters work on the port numbers of the layer 4 protocols TCP/UDP. Principle: the layer 4 protocols (mainly TCP/UDP) connect the applications at either end, and for TCP and UDP the port number is the code that identifies the application.

port: the source or destination port number of the captured packet must match the port number given by the identifier port.

For example: port 5080

dst port: the destination port number of the captured packet must match the port number given by the identifier port.

For example: dst port 80 or dst port http

src port: the source port number of the captured packet must match the port number given by the identifier port.

tcp portrange p1-p2 or udp portrange p1-p2: captures TCP or UDP packets whose source or destination port number is between p1 and p2.

For example: tcp portrange 2000-2500

tcp src portrange p1-p2 or udp src portrange p1-p2: captures TCP or UDP packets whose source port number is between p1 and p2.

tcp dst portrange p1-p2 or udp dst portrange p1-p2: captures TCP or UDP packets whose destination port number is between p1 and p2.

less tells Wireshark to capture only packets no longer than the length specified by the identifier length, which is equivalent to len <= length.

Compound filters

Example 1: let Wireshark capture only the packets that initiate or terminate a TCP connection:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Example 2: let Wireshark capture only HTTP traffic to or from game.funshion.com:

host game.funshion.com and port 80

Configuring a byte offset or payload matching filter

Byte offset or payload matching filters are the most flexible kind of filter and allow fully customised capture filters.

Format: proto[offset:size] filters on the value of a field at a given byte offset in the TCP, UDP, IP or other protocol header, where proto is one of the following.

ip filters on field values in the IP header.

tcp filters on field values in the TCP header.

udp filters on field values in the UDP header.

For example, to let Wireshark capture TCP packets whose destination port is between 50 and 100:

tcp[2:2] > 50 and tcp[2:2] < 100
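As an added example that is not part of the original article, the following Python script shows how the byte-offset filters above (tcp[2:2] > 50 and tcp[2:2] < 100, tcp[tcpflags] & (tcp-syn|tcp-fin) != 0, ip[2:2] == length) evaluate against a raw Ethernet frame: the offset in tcp[...] is counted from the start of the TCP header, whose position depends on the IP header length field, while ether proto and ip[...] use fixed offsets. The sample frame (a constructed IPv4/TCP SYN to port 80), the function names and the constants are the example's own assumptions, not Wireshark's or libpcap's code.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet + IPv4 (IHL=5) + TCP SYN.
FRAME = bytes.fromhex(
    "0024d6ab98b6 001122334455 0800"                    # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "4500 0028 0001 0000 4006 0000 c0a80102 650a0a02"   # IPv4: total length 40, proto 6 (TCP), checksum left 0
    "c350 0050 00000001 00000000 5002 2000 0000 0000"   # TCP: src 50000, dst 80, data offset 5, flags SYN
)

ETH_LEN = 14                    # Ethernet header length; the IP header starts here
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN = 0x01, 0x02   # bits of the flags byte; tcpflags is TCP header byte 13

def ether_proto(frame):
    """ether proto: the 2-byte EtherType at frame offset 12."""
    return struct.unpack("!H", frame[12:14])[0]

def ip_field(frame, offset, size):
    """ip[offset:size]: offsets count from the start of the IP header."""
    start = ETH_LEN + offset
    return int.from_bytes(frame[start:start + size], "big")

def tcp_field(frame, offset, size):
    """tcp[offset:size]: offsets count from the start of the TCP header, which follows
    the IP header; the IP header length is IHL (low nibble of IP byte 0) * 4 bytes."""
    ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4
    start = ETH_LEN + ihl_bytes + offset
    return int.from_bytes(frame[start:start + size], "big")

def is_ipv4_tcp(frame):
    """Implicit checks the 'tcp' keyword performs before any tcp[...] test
    (simplification: fragment checks are omitted)."""
    return ether_proto(frame) == ETHERTYPE_IPV4 and ip_field(frame, 9, 1) == IPPROTO_TCP

def dst_port_in_range(frame, low, high):
    """tcp[2:2] > low and tcp[2:2] < high (TCP header bytes 2-3 are the destination port)."""
    return is_ipv4_tcp(frame) and low < tcp_field(frame, 2, 2) < high

def is_syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0, i.e. connection set-up or tear-down."""
    return is_ipv4_tcp(frame) and (tcp_field(frame, 13, 1) & (TCP_SYN | TCP_FIN)) != 0

def ip_total_length_is(frame, length):
    """ip[2:2] == length: IP header bytes 2-3 hold the total length."""
    return ether_proto(frame) == ETHERTYPE_IPV4 and ip_field(frame, 2, 2) == length

if __name__ == "__main__":
    print("tcp[2:2] > 50 and tcp[2:2] < 100 ->", dst_port_in_range(FRAME, 50, 100))
    print("tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 ->", is_syn_or_fin(FRAME))
    print("ip[2:2] == 40 ->", ip_total_length_is(FRAME, 40))
```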

Display filters use the same comparison operators, written either as symbols or as their names, for example > or gt and >= or ge.

For example, frame.time_relative > 1 displays packets whose relative arrival time exceeds 1 second.

For example, dns.count.answers >= 10 displays DNS response packets containing at least 10 answers.


© 2024 shulou.com SLNews company. All rights reserved.
