2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
GNU development tools: WireShark network analysis tool
I. Introduction to WireShark network analysis tools
1. Introduction to WireShark
Wireshark (formerly known as Ethereal) is the most widely used open source network packet analysis software in the world. It was written by Gerald Combs and released under the GPL open source license in 1998. A network packet analyzer captures network packets and displays the captured packet data in as much detail as possible.
2. WireShark architecture
GUI: handles all user input and output (all forms, dialogs, etc.)
Core: the core module that ties the other modules together through function calls
Epan: the packet analysis engine (Ethereal Packet Analyzer)
Protocol-Tree: holds the dissected protocol information of an individual packet
Dissectors: the individual protocol parsers, located in the epan/dissectors directory, supporting 700+ protocols. For each protocol the dissector identifies the protocol fields (field) and displays their values (field value).
Dissector Plugins: support implementing a dissector as a stand-alone module.
Display-Filters: the display filter engine; its source code is in the epan/dfilter directory
Capture: the packet capture engine interface, which uses libpcap/WinPcap to grab network packets at the lowest level. Libpcap/WinPcap provides a general packet capture interface that can obtain packets from different types of network interfaces (Ethernet, Token Ring, ATM, etc.).
Wiretap: the wiretap library reads and writes capture files in libpcap, pcapng, and other file formats.
Dumpcap: the capture engine itself; running it requires elevated privileges.
WinPcap/libpcap: libraries that provide packet capture and filtering support on different platforms.
3. Introduction to libpcap
WireShark uses libpcap/WinPcap as the interface that exchanges raw packets directly with the network card.
Libpcap (Packet Capture Library) is a network packet capture library for Unix/Linux platforms. It is a system-independent API for user-space packet capture and provides a portable framework for low-level network monitoring.
WinPcap is a libpcap-based library designed for Windows systems.
Address: http://www.winpcap.org/.
Libpcap is a C library for network packet capture and filtering that originated in the tcpdump project. The packet capture, filtering, and capture file read/write code of tcpdump was extracted into libpcap, which is maintained by the tcpdump developers.
Libpcap consists of two main parts: the network tap (Network Tap) and the packet filter (Packet Filter). The network tap collects copies of packets from the network device driver, and the filter decides whether to accept each packet. Libpcap uses the BSD Packet Filter (BPF) to filter the link-layer packets received by the network card. The basic idea of BPF is that, on a network monitored with BPF, the NIC driver passes a copy of each received packet to the BPF filter, which decides according to user-defined rules whether to accept the packet and which parts of it need to be copied, and then hands the filtered data to the upper-layer application associated with the filter.
The capture mechanism of libpcap adds a bypass at the data link layer. When a packet arrives at a network interface, libpcap first uses the socket it created to obtain a copy of the packet from the link-layer driver, and then passes the packet to the BPF filter through the tap function. The BPF filter matches packets one by one against the user-defined filter rules: if a packet matches, it is put into the kernel buffer and passed on to the user buffer; if it does not match, it is discarded immediately. If no filter rules are set, all packets are placed in the kernel buffer and passed to the user-space buffer.
II. WireShark quick capture
1. WireShark main window
MENUS (menu bar): displays the path name of the open file
SHORTCUTS (toolbar): shortcuts to commonly used menu functions
DISPLAY FILTER (display filter): display filter settings
PACKET LIST PANE (packet list): the list of captured packets
PACKET DETAILS PANE (packet details): details of the selected packet
DISSECTOR PANE (hexadecimal data): the hexadecimal bytes of the selected packet
MISCELLANEOUS (status bar)
2. Selecting the capture interface (network card)
Open the menu bar Capture > Options. The interface is as follows:
3. Starting a capture
Select the network card and click the "Start" button.
4. Stopping a capture
Click the "Stop" button, and the interface is as follows:
III. WireShark display settings
1. Display settings
By setting the buttons on the display Settings toolbar, you can zoom in, out, and reset the display area of the main interface.
2. Column settings
The default list displays: sequence number, time, source, destination, protocol, length, information
A. Add column
Right-click any field in the packet details area, such as TTL, and choose "Apply as Column" to add the selected field to the packet list area as a column.
B. Delete column
Right-click a column in the packet list area and select the "Remove This Column" menu item to remove the column from the list area.
C. Modify column
Right-click a column in the packet list area and select the "Edit Column" menu item to change the name of the column.
3. Time settings
A. Time format
Click the menu bar "View > Time Display Format" to select the appropriate time display format.
B. Time reference
Select an item in the Time column of the packet list area and right-click "Set/Unset Time Reference" to make that packet a time reference point. Multiple time reference points can be set.
4. Name resolution
Name resolution converts MAC addresses, IP addresses, port numbers, etc., into names for easy memory. MAC address resolution is enabled by default.
Click the menu bar "Capture > Options > Options" tab and select the three "Name Resolution" check boxes, as shown below:
IV. WireShark packet operations
1. Mark packets
A. Mark / highlight packet
Select a packet in the packet list area, right-click and choose "Mark/Unmark Packet" to highlight or unhighlight it.
B. Modify packet color
Right-click in the packet list area and select the "Colorize Conversation > Ethernet > New Coloring Rule" menu item to assign a specific color to the Ethernet conversation.
2. Comment packet
Right-click a packet in the packet list area and select the "Packet Comment" menu item to comment on the packet.
3. Merge packets
Click the menu bar "File > Merge" menu item; in the dialog box that pops up, select the capture file to merge.
WireShark must first save the currently captured packets to a file before they can be merged with other packets.
4. Export packet
Specific packets can be exported, such as filtered specific protocol packets, tagged packets, and packets within a specific range.
You can also export packets to files in other formats.
V. WireShark parameter settings
1. Preferences
Click the menu bar "Edit > Preferences" menu item
Main interface layout settings
Column information settings for the packet list area
Font and color settings
2. Capture options
Click the menu bar "Capture > Options" menu item
A. Network card settings
B. Saving to multiple files continuously
Create a file name and enable continuous file saving, such as switching to a new file every 1 MB or every 1 minute.
C. Name resolution settings
When saving to multiple files continuously, you can also choose conditions to stop the capture, so that it stops automatically after a certain number of packets or files has been captured. Under name resolution, select MAC address resolution, TCP (transport) resolution and other functions as needed.
VI. WireShark filters
1. Capture filter
Selectively capture packets that meet certain conditions, using BPF (Berkeley Packet Filter) syntax.
Type: host, net, port
Direction: src, dst
Protocols: ether, ip, tcp, udp, http, ftp
Logical operators: and (&&), or (||), not (!)
A. Ethernet filter
Layer 2 filter, matching on MAC address.
ether host XX: capture Ethernet frames whose source or destination is the specified MAC
ether dst XX: capture Ethernet frames whose destination is the specified MAC
ether src XX: capture Ethernet frames whose source is the specified MAC
ether broadcast: capture all Ethernet broadcast traffic
ether multicast: capture Ethernet multicast traffic
ether proto XX: capture Ethernet traffic of the specified protocol type, for example ether proto 0x0800 for Ethernet type 0x0800. The Ethernet type is the ether-type field of the Ethernet frame header, which identifies the upper-layer protocol: 0x0800 is IPv4, 0x86dd is IPv6, and 0x0806 is ARP.
Examples:
ether host 00:88:ca:86:f8:0d
ether src 00:88:ca:86:f8:0d
ether dst 00:88:ca:86:f8:0d
B. Host and network filter, layer 3 filter
ip or ip6: capture IPv4 or IPv6 traffic
host X: capture traffic whose source or destination is the specified host name or IP
dst host X: capture traffic whose destination is the specified host name or IP
src host X: capture traffic whose source is the specified host name or IP
gateway X: capture traffic passing through the gateway; X must be a host name
net X: capture traffic whose source or destination is in the specified network, such as net 192.168.1 or net 192.168.1.0
dst net X: capture traffic whose destination is in the specified network
src net X: capture traffic whose source is in the specified network
net X mask M: capture traffic in the IPv4 network given by net and mask; not valid for IPv6. For example: net 192.168.1.0 mask 255.255.255.0
dst net X mask M: capture traffic whose destination is in the IPv4 network given by net and mask; not valid for IPv6
src net X mask M: capture traffic whose source is in the IPv4 network given by net and mask; not valid for IPv6
net X/len: capture traffic in the network given by address and prefix length, such as net 192.168.1.0/24
dst net X/len: traffic whose destination is in the given network and prefix length
src net X/len: traffic whose source is in the given network and prefix length
broadcast: capture IP broadcast packets, usually written as ip broadcast
multicast: capture IP multicast packets, usually written as ip multicast
ip proto N: capture packets whose IP header protocol field equals a specific value; for example TCP is 6, UDP is 17, ICMP is 1
ip6 proto N: capture IPv6 packets whose Next Header field equals a specific value. This keyword cannot filter on fields inside the IPv6 extension header chain.
icmp[icmptype] == N: capture ICMP packets of a specific type; icmptype stands for the type field of the ICMP header, such as 0 (ICMP echo reply) or 8 (ICMP echo request). For example: icmp[icmptype] == icmp-echo or icmp[icmptype] == 8
ip[2:2] == N: capture IP packets of the specified length (N is the total length field in the IP header)
ip[8] == N: capture IP packets with the specified TTL (N is the TTL field in the IP header)
ip[9] == N: capture IP packets of the specified protocol type (N is the protocol field in the IP header)
ip[12:4] == ip[16:4]: the source and destination IP of the packet are the same
Note: the numbers in square brackets select bytes of the relevant protocol header. The first number is the byte offset into the header and the second is the number of bytes to examine.
Examples:
host 192.168.1.1
src host 192.168.1.1
dst host 192.168.1.1
C. TCP and UDP port filter, layer 4 filter
port N: match the specified port number, such as port 80 or port http
dst port N: the destination port is the specified port
src port N: the source port is the specified port
tcp portrange p1-p2 or udp portrange p1-p2: capture TCP or UDP packets whose port lies between p1 and p2; tcp src portrange p1-p2 and udp dst portrange p1-p2 restrict this to the source or destination port
tcp[tcpflags] & (tcp-syn | tcp-fin) != 0: capture the packets that open a TCP connection (SYN flag set to 1) or close it (FIN flag set to 1)
tcp[tcpflags] & (tcp-rst) != 0: capture all TCP packets with the RST flag set to 1. The RST flag tears down the connection immediately, and PSH tells the receiver to deliver the data to the end process right away.
less N: capture packets no longer than the specified length, equivalent to len <= N
tcp portrange 2000-2500: capture TCP packets with ports in this range
tcp[13] = 0: capture all TCP traffic with no flag bit set to 1 (used when a null scan is suspected)
tcp[13] & 0x01 = 1: capture TCP traffic with FIN set to 1 but ACK 0
tcp[13] & 0x03 = 3: capture TCP traffic with both SYN and FIN set to 1
tcp[13] & 0x05 = 5: capture TCP traffic with both RST and FIN set to 1
tcp[13] & 0x06 = 6: capture TCP traffic with both SYN and RST set to 1
tcp[13] & 0x08 = 8: capture TCP traffic with PSH set to 1 but ACK 0
tcp[13] refers to the flags field in the TCP header, and the number after the = sign describes which flag bits are set: 0 means no flag bit is set; 1 means FIN set but ACK 0; 3 means SYN and FIN both set; 5 means RST and FIN both set; 6 means SYN and RST both set; 8 means PSH set but ACK 0.
Examples:
port 80
!port 80
dst port 80
src port 80
D. Compound filter:
host 192.168.1.100 && port 8080
The capture filter is set in the menu bar "Capture > Options".
2. Display filter
The display filter picks out specific packets from the captured packets for display.
Logical operators: and, or, xor, not
Comparison operators: ==, !=, >, <, >=, <=
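As an added example (not code from the original article or from Wireshark/libpcap), the following Python script shows what the byte-offset capture-filter primitives above actually test, and how the BPF accept/reject decision described in the libpcap section reduces to byte comparisons on the raw frame. It constructs a few Ethernet/IPv4/TCP frames (constructed sample data; an untagged Ethernet header is assumed) and evaluates ip[8], ip[12:4] = ip[16:4] and the tcp[13] flag-mask expressions against them, the way a detection rule for scan-like flag combinations would; the function names build_frame, ip_bytes, tcp_bytes, matching_rules and triage are the example's own.

```python
import struct
ETH_LEN = 14  # untagged Ethernet header (assumption: no VLAN tag), so ip[0] is frame byte 14

def build_frame(src_ip, dst_ip, ttl, tcp_flags):
    """Build a constructed Ethernet/IPv4/TCP frame for testing (not taken from a real capture)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    # TCP header: ports, seq, ack, data offset (5 words), flags byte (tcp[13]), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    eth_hdr = bytes.fromhex("0088ca86f80d" "001122334455" "0800")  # dst MAC, src MAC, type IPv4
    return eth_hdr + ip_hdr + tcp_hdr

def ip_bytes(frame, offset, size=1):
    """ip[offset:size] of the filter syntax: bytes counted from the start of the IPv4 header."""
    return int.from_bytes(frame[ETH_LEN + offset:ETH_LEN + offset + size], "big")

def tcp_bytes(frame, offset, size=1):
    """tcp[offset:size]: bytes counted from the TCP header, which starts IHL*4 bytes into IP."""
    start = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4 + offset
    return int.from_bytes(frame[start:start + size], "big")

# Each rule mirrors one capture-filter primitive from the text as a predicate on the raw frame.
RULES = [
    ("ip[12:4] = ip[16:4]", lambda f: ip_bytes(f, 12, 4) == ip_bytes(f, 16, 4)),  # src == dst
    ("ip[8] = 1",           lambda f: ip_bytes(f, 8) == 1),                        # TTL field
    ("tcp[13] = 0",         lambda f: ip_bytes(f, 9) == 6 and tcp_bytes(f, 13) == 0),  # null scan
    ("tcp[13] & 0x03 = 3",  lambda f: ip_bytes(f, 9) == 6 and (tcp_bytes(f, 13) & 0x03) == 3),  # SYN+FIN
    ("tcp[13] & 0x05 = 5",  lambda f: ip_bytes(f, 9) == 6 and (tcp_bytes(f, 13) & 0x05) == 5),  # RST+FIN
]

def matching_rules(frame):
    """Return the labels of every rule this frame satisfies (a BPF filter would accept it)."""
    return [label for label, pred in RULES if pred(frame)]

def triage(frames):
    """Count, per rule, how many frames of a capture match; this is what a detection rule alerts on."""
    counts = {label: 0 for label, _ in RULES}
    for f in frames:
        for label in matching_rules(f):
            counts[label] += 1
    return counts

SAMPLE = [  # constructed capture: normal SYN, SYN+FIN probe, TTL-1 null probe, same-address RST+FIN
    build_frame("192.168.1.100", "192.168.1.1", 64, 0x02),
    build_frame("192.168.1.100", "192.168.1.1", 64, 0x03),
    build_frame("192.168.1.100", "192.168.1.1", 1, 0x00),
    build_frame("192.168.1.1", "192.168.1.1", 64, 0x05),
]
```

Running triage(SAMPLE) reports one hit per rule except for the ordinary SYN frame, which matches nothing; a real capture would be read from a pcap file instead of SAMPLE.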