Basic concepts of Wireshark

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Wireshark is a network packet analysis tool (traffic analysis, protocol analysis, packet analysis, network eavesdropping, etc.). Its main function is to capture network packets and display them in as much detail as possible.

Wireshark does not take part in network transactions; it only "measures" (monitors) the network.

Wireshark is an open source software project, so you don't have to worry about licensing and payment.

A brief history of Wireshark

After 1997, Gerald Combs needed a tool to track down network problems and wanted to learn more about networking, so he began to develop Ethereal.

Ethereal was the first version. After several rounds of development and pauses, and after a long stretch of patches, bug reports and a lot of encouragement, version 0.2.0 was released in 1998. This is how Ethereal got off the ground.

Shortly thereafter, Gilbert Ramirez saw its potential and contributed low-level analysis (dissectors) to it.

In October 1998, Guy Harris was looking for a better tool than TcpView. He began to improve Ethereal and contribute protocol analysis.

Since 1998, Richard Sharpe, who was teaching TCP/IP, had noticed its value for those courses and began checking whether the software supported the protocols he needed. Where it did not, adding new protocol support was meant to be easy, so he started working on Ethereal's analysis and improving it.

Since then, more and more people have contributed to Ethereal, almost always starting with a protocol Ethereal did not yet support: they copied an existing parser and fed their improvements back to the team.

In 2006 the project moved house and was renamed Wireshark.

Wireshark structure

GTK1/2: the GUI toolkit that handles user input and display output

Core: the core engine, which connects the other modules together through function calls and acts as the scheduler linking them

Wiretap: file-format support; reads packets from capture files and supports many file formats

Capture: the packet capture engine, which uses libpcap/WinPcap to grab packets from the lowest layer, provides a general packet-capture interface and can obtain packets from any type of network interface

Win-/libpcap: the library Wireshark depends on when capturing packets

Wireshark uses WinPcap as the interface for exchanging packets directly with the network card. It does not modify the contents of network packets; it only reflects the current packet information. Wireshark itself does not send packets onto the network.

How a network sniffer works

Collect: collect the raw binary frames from the network card (the card is set to promiscuous mode, which is the default setting of packet-capture tools)

Convert: convert the captured binary data into readable form

Analyze: analyze the captured and converted data

Promiscuous mode: a machine in promiscuous mode receives every data stream whether or not its destination address is that machine; it is mainly used to diagnose network problems

Capturing packets requires the network card to be set to promiscuous mode first.

Packet capture principles:

1. Your own network card captures only the traffic entering and leaving that card, not the traffic of the entire LAN.

2. Hub network: a hub is a network-layer device that does not learn addresses and repeats every packet out of all its interfaces (such an environment is rare today).

3. Port mirroring: copy the traffic of other ports to one port. A switch is a layer-2 device: it first broadcasts, then learns addresses and forwards accordingly.

4. A switch has a weakness: before it can forward to a MAC address it must first learn that address via broadcast, and this is easy to abuse.

5. ARP spoofing

Port mirroring Note: pay attention to the traffic load capacity of a single port when multiple ports are mirrored to one port at the same time
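The collect/convert/analyze steps and the promiscuous-mode point above, as an added example that is not part of the original article: a constructed Ethernet/IPv4/TCP frame (all addresses made up) is checked against the rule a NIC applies in normal versus promiscuous mode, then dissected into readable fields the way a sniffer's conversion step does. The frame bytes and the MAC assigned to the sniffing host are assumptions for illustration only.

```python
import struct

# Constructed sample: an Ethernet II frame carrying an IPv4/TCP SYN, built inline
# so the example runs offline. MACs, IPs and ports are made up for illustration.
OUR_MAC = bytes.fromhex("0a0000000001")              # MAC of the sniffing host (assumed)
SAMPLE_FRAME = (
    bytes.fromhex("0a0000000002")                    # destination MAC: another host
    + bytes.fromhex("0a0000000003")                  # source MAC
    + b"\x08\x00"                                    # EtherType 0x0800 = IPv4
    + b"\x45\x00\x00\x28"                            # IPv4: ver/IHL, DSCP, total length 40
    + b"\x00\x01\x00\x00\x40\x06\x00\x00"            # id, flags/frag, TTL 64, proto 6 (TCP), csum
    + bytes([192, 168, 1, 10]) + bytes([192, 168, 1, 20])   # source / destination IP
    + bytes.fromhex("3039005000000001000000005002200000000000")  # TCP: 12345 -> 80, SYN
)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def nic_would_deliver(frame, our_mac, promiscuous):
    """Step 1 (collect): in normal mode a NIC hands the OS only frames addressed to it
    (unicast to its own MAC, broadcast or multicast); promiscuous mode lifts that filter."""
    dst = frame[:6]
    is_group = bool(dst[0] & 0x01)   # I/G bit set => broadcast or multicast
    return promiscuous or dst == our_mac or is_group

def dissect(frame):
    """Step 2 (convert): turn raw bytes into readable fields, as Wireshark's dissectors do.
    Only Ethernet II + IPv4 + TCP are decoded; other EtherTypes/protocols are reported as-is."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # header length in bytes
    out.update(ip_len=struct.unpack("!H", ip[2:4])[0], ttl=ip[8], proto=ip[9],
               ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])))
    if out["proto"] != 6:
        return out
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flag_bits = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))
    out.update(tcp_sport=sport, tcp_dport=dport,
               tcp_flags=[name for bit, name in flag_bits if tcp[13] & bit])
    return out

def summarize(frame):
    """Step 3 (analyze): a one-line, Wireshark-style summary of the dissected frame."""
    d = dissect(frame)
    if "tcp_sport" not in d:
        return f"{d['eth_src']} -> {d['eth_dst']} ethertype 0x{d['ethertype']:04x}"
    return f"{d['ip_src']}:{d['tcp_sport']} -> {d['ip_dst']}:{d['tcp_dport']} [{','.join(d['tcp_flags'])}] ttl={d['ttl']}"
```

Running `summarize(SAMPLE_FRAME)` on the constructed frame yields the same kind of line Wireshark's packet list shows, and `nic_would_deliver` makes the point that this frame, addressed to another host, is only visible to the capture when the card is in promiscuous mode.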

Related reading

Chris Sanders, Wireshark Packet Analysis, 2nd edition

Laura Chappell, Wireshark Network Analysis, 2nd edition

W. Richard Stevens, TCP/IP Illustrated, Volume 1

Related websites

https://www.wireshark.org

https://www.wiresharkbook.com

https://wiki.wiresharkbook.com

Other sniffers

Fiddler and HttpWatch, for the HTTP protocol
