Use of Wireshark packet grabbing tool and packet analysis

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--


After many years, may you have breeze and spirits, and some people will be your way home.

When you open the Wireshark packet capture tool and start capturing, you will see the following expanded content:

Here I am capturing on the wlan interface; 192.168.2.112 is the IP address of my current Wi-Fi connection.

Click on a packet to view its details, which correspond almost exactly to the five protocol layers:

Frame: an overview of the data frame at the physical layer.

Ethernet II: data link layer Ethernet frame header information.

Internet Protocol Version 4: Internet layer IP packet header information.

Transmission Control Protocol: segment header information of the transport layer, here the TCP protocol.

User Datagram Protocol: the UDP protocol.

Hypertext Transfer Protocol: application layer information, here the HTTP protocol.

I. Analysis of each layer:

Expand Frame, Ethernet II and the other entries to see the specific transmission information:

1. Physical layer Frame:

Frame 5: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0 // frame 5: the peer sent 66 bytes, 66 bytes were actually captured
    Interface id: 0 (\Device\NPF_{37239901-4A63-419C-9693-97957A8232CD}) // interface id is 0
    Encapsulation type: Ethernet (1) // encapsulation type
    Arrival Time: Jul 5, 2017 15:14:31.865685000 China Standard Time // capture date and time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1499238871.865685000 seconds
    [Time delta from previous captured frame: 0.006861000 seconds] // interval since the previous captured packet
    [Time delta from previous displayed frame: 0.006861000 seconds]
    [Time since reference or first frame: 0.613985000 seconds] // interval between this packet and the first frame
    Frame Number: 5 // frame sequence number
    Frame Length: 66 bytes (528 bits) // frame length
    Capture Length: 66 bytes (528 bits) // captured length
    [Frame is marked: False] // whether the frame is marked
    [Frame is ignored: False] // whether the frame is ignored
    [Protocols in frame: eth:ethertype:ip:tcp] // hierarchy of the encapsulated protocols
    [Coloring Rule Name: HTTP] // name of the coloring rule that shaded this row
    [Coloring Rule String: http || tcp.port == 80 || http2] // the coloring rule's filter string

2. Data link layer Ethernet frame header information:

Ethernet II, Src: Tp-LinkT_f5:3e:62 (c0:61:18:f5:3e:62), Dst: IntelCor_09:65:a5 (58:fb:84:09:65:a5)
    Destination: IntelCor_09:65:a5 (58:fb:84:09:65:a5) // destination MAC address
    Source: Tp-LinkT_f5:3e:62 (c0:61:18:f5:3e:62) // source MAC address (that is, my computer's MAC address)
    Type: IPv4 (0x0800) // 0x0800 means the payload is IPv4

3. Internet layer IP packet header information:

Internet Protocol Version 4, Src: 192.168.2.112, Dst: 116.211.185.142
    0100 .... = Version: 4 // IPv4
    .... 0101 = Header Length: 20 bytes (5) // header length
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) // DiffServ field
    Total Length: 52 // total length of the IP packet
    Identification: 0x3849 (14409) // identification field
    Flags: 0x02 (Don't Fragment) // flags field
    Fragment offset: 0 // fragment offset
    Time to live: 128 // lifetime (TTL)
    Protocol: TCP (6) // the upper-layer protocol encapsulated in this packet is TCP
    Header checksum: 0xd100 [validation disabled] // checksum of the header data
    [Header checksum status: Unverified] // header checksum status
    Source: 192.168.2.112 // source IP address
    Destination: 116.211.185.142 // destination IP address
    [Source GeoIP: Unknown] // IP geolocation
    [Destination GeoIP: Unknown]

4. Header information of the TCP segment in the transport layer:

Transmission Control Protocol, Src Port: 60606, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 60606 // source port number (ec be)
    Destination Port: 80 // destination port number (00 50)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 0 (relative sequence number) // sequence number (relative) (four bytes fd 3e dd a2)
    Acknowledgment number: 0 // acknowledgment number (four bytes 00 00 00 00)
    Header Length: 32 bytes // header length (0x80)
    Flags: 0x002 (SYN) // TCP flags field
    Window size value: 8192 // flow control window size (20 00)
    [Calculated window size: 8192]
    Checksum: 0x97ad [unverified] // segment checksum (97 ad)
    [Checksum Status: Unverified]
    Urgent pointer: 0 // urgent pointer (00 00)
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted // options (variable length)
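As an added example (not code from the original article), the 66 bytes of frame 5 are rebuilt from the field values shown in the Ethernet II, IPv4 and TCP panes above and dissected with the Python standard library; the byte layout is reconstructed from those values, and the IPv4 checksum check performs the validation that Wireshark reports as disabled.

```python
import struct

# Frame 5 from the article, rebuilt byte-for-byte from the values in its Ethernet II /
# IPv4 / TCP panes (14 + 20 + 32 = 66 bytes, as the Frame pane reports).
FRAME5 = bytes.fromhex(
    "58fb840965a5" "c06118f53e62" "0800"               # Ethernet II: dst MAC, src MAC, type 0x0800
    "4500" "0034" "3849" "4000" "80" "06" "d100"       # IPv4: 0x45, DSCP 0, len 52, id, DF, TTL 128, TCP, cksum
    "c0a80270" "74d3b98e"                              # 192.168.2.112 -> 116.211.185.142
    "ecbe" "0050" "fd3edda2" "00000000" "8002" "2000"  # TCP: 60606 -> 80, seq, ack, offset 8 + SYN, win 8192
    "97ad" "0000"                                      # checksum 0x97ad, urgent pointer 0
    "020405b4" "01" "030308" "0101" "0402"             # 12 option bytes: MSS, NOP, WScale, NOP, NOP, SACK
)
TCP_FLAGS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"), (0x010, "ACK"), (0x020, "URG")]
TCP_OPTIONS = {2: "Maximum segment size", 3: "Window scale", 4: "SACK permitted"}

def ip_header_checksum_ok(hdr: bytes) -> bool:
    """The RFC 1071 check Wireshark skips by default ('validation disabled'): the one's-
    complement sum over the header, checksum field included, must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_tcp_options(opts: bytes) -> list:
    """Walk the option list: kind 0 ends it, kind 1 (NOP) is one byte, others carry a length."""
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 1:
            names.append("No-Operation (NOP)"); i += 1
        else:
            names.append(TCP_OPTIONS.get(opts[i], "kind %d" % opts[i])); i += opts[i + 1]
    return names

def dissect(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and TCP headers into the fields the article's panes show."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ihl = (frame[14] & 0x0F) * 4                      # header length in 32-bit words -> 20 bytes
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    hdr_len = (off_flags >> 12) * 4                   # 0x80: upper nibble 8 words -> 32 bytes
    return {
        "eth_src": ":".join("%02x" % b for b in src), "eth_dst": ":".join("%02x" % b for b in dst),
        "ip_src": ".".join(map(str, ip[12:16])), "ip_dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9], "ip_checksum_ok": ip_header_checksum_ok(ip),
        "sport": sport, "dport": dport, "seq_raw": seq, "tcp_header_len": hdr_len,
        "flags": [n for bit, n in TCP_FLAGS if off_flags & bit], "window": window,
        "options": parse_tcp_options(tcp[20:hdr_len]), "payload_len": len(tcp) - hdr_len,
    }
```

Running `dissect(FRAME5)` reproduces every value the panes list for this frame, and the checksum check confirms that the 0xd100 Wireshark left unverified is in fact correct for this header.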

UDP segment header:

User Datagram Protocol, Src Port: 7273, Dst Port: 15030
    Source Port: 7273 // source port (1c 69)
    Destination Port: 15030 // destination port (3a b6)
    Length: 1410 // length (05 82)
    Checksum: 0xd729 [unverified] // checksum (d7 29)
    [Checksum Status: Unverified]
    [Stream index: 6335]

II. Analysing packets with Wireshark

1. Add a filter in the filter bar to get the relevant information when visiting Baidu:

Protocol (Protocol):

Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.

If no specific protocol is specified, all supported protocols are used by default.

Direction (direction):

Possible values: src, dst, src and dst, src or dst

If no source or destination is specified, "src or dst" is used as the keyword by default.

For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Host(s):

Possible values: net, port, host, portrange.

If this value is not specified, the "host" keyword is used by default.

For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical Operations (logical operation):

Possible values: not, and, or.

Not ("not") has the highest priority. Or ("or") and and ("and") have the same priority and are evaluated from left to right.

For example:

"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".

"not tcp port 3128 and tcp port 23" is different from "not (tcp port 3128 and tcp port 23)".

The format is:

ip.addr == www.baidu.com

Several common filtering methods of Wireshark

Then you can get information such as Baidu's IP address.

2. Filter out DNS information

Enter dns in the display filter box to filter out all DNS information:

In frame 220234 of this view, DNS resolves www.baidu.com into a packet carrying an IP address (an "A" record). Frame 238 is the response packet that returns the IP address associated with the hostname. If the client supports both IPv4 and IPv6, you will also see a lookup for an IPv6 address (an "AAAA" record) in this view, to which the DNS server responds with an IPv6 address or a mixed reply.

Description: frame 238 is the client requesting the DNS server to resolve Baidu's IP address. Identified as an "A" record.

3. Filter TCP packets for analysis:

Enter ip.dst==180.97.33.108 or ip.src==180.97.33.108 in the display filter box.

The TCP communication process is roughly as follows:

The TCP three-way handshake between the client and the server (frames 4941, 4942, 4943) --> the client requests the main page with GET (frame 4944) --> the server acknowledges the request (frame 4945) --> the server sends the response packet (frame 4946).

Description:

The client sends a TCP connection request to the server. Identified as SYN.

The server, having received the request, answers the client with an acknowledgment packet. Identified as SYN, ACK.

The client acknowledges the server's reply, and the connection with the server is established. Identified as ACK.

The client sends the HTTP request content to the server. Identified as GET.

The server acknowledges receipt of the client's request. Identified as ACK.

Frame 4946 is the server's response to the client.
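An added example, not from the original article: a small state machine that labels frames 4941 to 4946 the way the description above does and checks the relative sequence and acknowledgment arithmetic behind each label. The frame summaries are constructed; frame numbers, flags and the server address come from the article, while the 120-byte GET and 512-byte response lengths are assumed.

```python
# Constructed summary of frames 4941-4946 from the article's walk-through, shaped like
# Wireshark's Info column with relative sequence numbers. Frame numbers, flags and the
# server address come from the article; the 120-byte GET and 512-byte response are assumed.
CLIENT, SERVER = "192.168.2.112", "180.97.33.108"
FRAMES = [
    # (frame, src, dst, flags, relative seq, relative ack, payload length)
    (4941, CLIENT, SERVER, {"SYN"}, 0, 0, 0),
    (4942, SERVER, CLIENT, {"SYN", "ACK"}, 0, 1, 0),
    (4943, CLIENT, SERVER, {"ACK"}, 1, 1, 0),
    (4944, CLIENT, SERVER, {"PSH", "ACK"}, 1, 1, 120),    # GET / HTTP/1.1 (length assumed)
    (4945, SERVER, CLIENT, {"ACK"}, 1, 121, 0),
    (4946, SERVER, CLIENT, {"PSH", "ACK"}, 1, 121, 512),  # HTTP/1.1 200 OK (length assumed)
]

def analyse_exchange(frames):
    """Label each frame as the article does and verify the seq/ack arithmetic: a SYN
    occupies one sequence number, data occupies its length, and every ACK must equal
    the next sequence number the peer is expected to send."""
    client = frames[0][1]
    state, labels, problems = "LISTEN", [], []
    next_seq = {}                         # per sender: the seq the other side should ack
    for no, src, dst, flags, seq, ack, plen in frames:
        if state == "LISTEN" and flags == {"SYN"}:
            state, label = "SYN_SENT", "SYN"
        elif state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            state, label = "SYN_RCVD", "SYN, ACK"
        elif state == "SYN_RCVD" and flags == {"ACK"} and src == client:
            state, label = "ESTABLISHED", "ACK (connection established)"
        elif state == "ESTABLISHED" and "ACK" in flags:
            label = ("GET (client request)" if src == client else "server response") if plen else "ACK"
        else:
            problems.append((no, "unexpected %s in state %s" % (sorted(flags), state)))
            continue
        if "ACK" in flags and ack != next_seq.get(dst):
            problems.append((no, "acks %d but peer's next seq is %s" % (ack, next_seq.get(dst))))
        next_seq[src] = seq + plen + (1 if "SYN" in flags else 0)
        labels.append((no, label))
    return labels, problems
```

Any frame whose acknowledgment number does not match what the peer has sent so far is reported in `problems`, which is the check to run when a handshake in a capture looks complete but the connection never carries data.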

Reference blog: https://my.oschina.net/u/1585857/blog/479306
