This article introduces another useful packet capture tool, Wireshark, which captures network packets, including HTTP, TCP, UDP and other protocol packets.
I remember learning the TCP three-way handshake in college. At that time, although I had read a lot of material about TCP and UDP in books, I had never actually seen these packets, so I always felt as if I was floating on a cloud and not learning anything solid. With Wireshark, these network packets can be captured and every field in a packet can be seen clearly, which further deepens our understanding of network protocols.
For me, Wireshark is the best tool for learning network protocols.
Introduction to Wireshark
Wireshark's official download website: http://www.wireshark.org/
Wireshark is a very popular and very powerful network packet analysis tool. It can capture all kinds of network packets and display their contents in detail.
Wireshark is open-source software that can be used with confidence. It runs on Windows and Mac OS.
Anyone who uses Wireshark must understand network protocols; otherwise they will not understand what Wireshark shows them.
What Wireshark can't do
For security reasons, Wireshark can only view packets; it cannot modify the content of a packet or send packets.
Wireshark vs. Fiddler
Fiddler is a program that runs on Windows and is used specifically to capture HTTP and HTTPS.
Wireshark can capture HTTP and HTTPS, but it cannot decrypt HTTPS, so Wireshark cannot show the content carried inside HTTPS.
In summary: for HTTP and HTTPS, use Fiddler; for other protocols such as TCP and UDP, use Wireshark.
Other tools of the same type
Microsoft Network Monitor
Sniffer
Who uses Wireshark
1. Network administrators use Wireshark to troubleshoot network problems.
2. Software test engineers use Wireshark to capture packets and analyze the software under test.
3. Engineers doing socket programming use Wireshark to debug.
4. I heard that most engineers at Huawei and ZTE use Wireshark.
In short, Wireshark may be used for anything related to the network.
Starting a capture in Wireshark
Start interface
Wireshark captures packets on one network card (interface) of the machine. When the machine has multiple network cards, you need to choose one.
Click Capture -> Interfaces... The following dialog box appears; select the correct network card, then click the "Start" button to start capturing.
Wireshark window introduction
The Wireshark window is mainly divided into these parts:
1. Display Filter, used for filtering.
2. Packet List Pane, which lists the captured packets with their source address, destination address and port numbers. Different colors represent different protocols.
3. Packet Details Pane, which displays the fields in the packet.
4. Dissector Pane (the packet bytes in hexadecimal).
5. Miscellaneous (address bar and other miscellaneous items).
Wireshark display filtering
Using filtering is very important. When beginners use Wireshark they get a lot of redundant information, and it is very hard to find the part they need among thousands or even tens of thousands of records. It made me dizzy.
Filters help us quickly find the information we need in a large amount of data.
There are two types of filters.
One is the display filter, the one on the main interface, used to find the required records among the captured records.
The other is the capture filter, used to filter packets while capturing so that too many records are not captured. Set it in Capture -> Capture Filters.
Save Filter
In the Filter bar, after entering the filter expression, click the Save button and give it a name, for example "Filter 102".
A "Filter 102" button then appears on the Filter bar.
Rules for filter expressions
1. Protocol filtering
For example, tcp displays only TCP packets.
2. IP filtering
For example, ip.src == 192.168.1.102 displays packets whose source address is 192.168.1.102.
ip.dst == 192.168.1.102 displays packets whose destination address is 192.168.1.102.
3. Port filtering
tcp.port == 80 displays TCP packets with port 80 as either source or destination port.
tcp.srcport == 80 displays only TCP packets whose source port is 80.
4. HTTP method filtering
http.request.method == "GET" displays only HTTP GET requests.
5. Expressions can be combined with the logical operators and / or.
Commonly used filter expressions
| Filter expression | Use |
| --- | --- |
| http | Show only HTTP records |
| ip.src == 192.168.1.102 or ip.dst == 192.168.1.102 | Source address or destination address is 192.168.1.102 |
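To make the filter rules above concrete, here is an added example (my own code, not part of Wireshark or this article) that evaluates the display filters shown on this page against a small constructed capture. It supports bare protocol names, field == value comparisons, tcp.port / udp.port matching either port, and / or, and parentheses; the packet records and addresses are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample capture (not real traffic): one dict per packet with the
# fields Wireshark's Packet Details pane would dissect for it.
PACKETS: List[Dict[str, object]] = [
    {"no": 1, "layers": ["eth", "ip", "tcp"], "ip.src": "192.168.1.102",
     "ip.dst": "10.0.0.5", "tcp.srcport": 51234, "tcp.dstport": 80},
    {"no": 2, "layers": ["eth", "ip", "tcp"], "ip.src": "10.0.0.5",
     "ip.dst": "192.168.1.102", "tcp.srcport": 80, "tcp.dstport": 51234},
    {"no": 3, "layers": ["eth", "ip", "tcp", "http"], "ip.src": "192.168.1.102",
     "ip.dst": "10.0.0.5", "tcp.srcport": 51234, "tcp.dstport": 80,
     "http.request.method": "GET"},
    {"no": 4, "layers": ["eth", "ip", "udp"], "ip.src": "192.168.1.7",
     "ip.dst": "8.8.8.8", "udp.srcport": 40000, "udp.dstport": 53},
]

TOKEN = re.compile(r'\(|\)|==|"[^"]*"|[\w.]+')   # parentheses, ==, "string", names/values

def field_values(pkt: Dict[str, object], name: str) -> List[str]:
    """Values of a field in a packet; tcp.port / udp.port expand to both port fields."""
    if name in ("tcp.port", "udp.port"):
        proto = name.split(".")[0]
        names = [proto + ".srcport", proto + ".dstport"]
    else:
        names = [name]
    return [str(pkt[n]) for n in names if n in pkt]

def eval_filter(expr: str, pkt: Dict[str, object]) -> bool:
    """Recursive-descent evaluation: or < and < atom, where an atom is
    '(' expr ')', 'field == value', or a bare protocol name (layer present)."""
    toks, pos = TOKEN.findall(expr), 0

    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def atom() -> bool:
        if peek() == "(":
            take(); v = expr_or(); take(); return v
        name = take()
        if peek() == "==":
            take(); return take().strip('"') in field_values(pkt, name)
        return name in pkt["layers"]   # e.g. "tcp" also matches HTTP packets

    def expr_and() -> bool:
        v = atom()
        while peek() == "and":
            take(); v = atom() and v   # evaluate atom first so tokens are consumed
        return v

    def expr_or() -> bool:
        v = expr_and()
        while peek() == "or":
            take(); v = expr_and() or v
        return v

    return expr_or()

def apply_filter(expr: str, packets=PACKETS) -> List[int]:
    """Packet numbers that survive the filter, as the Packet List pane would show."""
    return [int(p["no"]) for p in packets if eval_filter(expr, p)]
```
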
Packet List Pane
The packet list pane displays each packet's number, timestamp, source address, destination address, protocol, length and summary information. You can see that different protocols are displayed in different colors.
You can also modify these coloring rules under View -> Coloring Rules.
Packet Details Pane
This pane is the most important one for us: it is where we view every field of each protocol.
The information on each line is:
Frame: overview of the data frame at the physical layer
Ethernet II: Ethernet frame header information at the data link layer
Internet Protocol Version 4: IP packet header information at the Internet layer
Transmission Control Protocol: segment header information at the transport layer; here it is TCP
Hypertext Transfer Protocol: application layer information; here it is the HTTP protocol
Wireshark and the corresponding OSI seven-layer model
Specific contents of a TCP packet
In the figure below, you can see each field of a TCP packet captured by Wireshark.
Example analysis of the TCP three-way handshake
Having read this far, I have gained a basic understanding of Wireshark. Now let's look at an example of the TCP three-way handshake.
The three-way handshake process is as follows:
I have seen this picture many times. This time we use Wireshark to actually analyze the three-way handshake.
Open Wireshark, then open a browser and enter http://www.cnblogs.com/tankxiao
Enter http in the Wireshark display filter, select the record GET /tankxiao HTTP/1.1, right-click it and choose "Follow TCP Stream".
The purpose of this is to get the packets related to the browser opening the website. You will see the following picture.
In the figure, you can see that Wireshark captured the three packets of the three-way handshake. The fourth packet is HTTP, which shows that HTTP does use TCP to establish its connection.
Packet of the first handshake
The client sends a TCP segment with the SYN flag set and sequence number 0, which represents the client's request to establish a connection. See the figure below.
Packet of the second handshake
The server sends back a confirmation packet with the SYN and ACK flags set. It sets the acknowledgement number to the client's ISN plus 1, that is, 0 + 1 = 1, as shown in the figure below.
Packet of the third handshake
The client sends an acknowledgement packet (ACK) again: the SYN flag is 0 and the ACK flag is 1. It takes the server's sequence number plus 1 and puts it in the acknowledgement number field sent to the server, and puts its own ISN plus 1 in the sequence number field, as shown in the figure below:
With this, the three-way TCP handshake is complete and the connection is established.
The above is a basic introduction to Wireshark and to the TCP three-way handshake. We will continue to organize related knowledge in the future. Thank you for your support of this site!
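As an added example (my own code, not from the article), the following dissects three constructed TCP headers of a handshake, checks the SYN / SYN+ACK / ACK rules described above, and recomputes the sequence and acknowledgement numbers relative to each direction's ISN. That relative view is why Wireshark shows the first SYN with sequence number 0 even though the real ISN on the wire is a random 32-bit value; the ports and ISNs here are made up.

```python
import struct
from typing import Dict, List

TCP_HDR = struct.Struct("!HHIIBBHHH")   # 20-byte TCP header without options
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}
MASK32 = 0xFFFFFFFF

def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a minimal TCP header (checksum left 0; constructed test data only)."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def parse_tcp(raw: bytes) -> Dict[str, object]:
    """Dissect the fields Wireshark lists under 'Transmission Control Protocol'."""
    sport, dport, seq, ack, off, flags, win, _, _ = TCP_HDR.unpack_from(raw)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off >> 4) * 4, "window": win,
            "flags": [n for n, b in FLAG_BITS.items() if flags & b]}

def relative_numbers(segs: List[Dict[str, object]]) -> List[Dict[str, int]]:
    """Seq/ack relative to each direction's ISN, the way Wireshark displays them."""
    isn: Dict[tuple, int] = {}
    out = []
    for s in segs:
        fwd, rev = (s["sport"], s["dport"]), (s["dport"], s["sport"])
        if "SYN" in s["flags"]:
            isn[fwd] = s["seq"]            # a SYN carries this direction's ISN
        rel_seq = (s["seq"] - isn[fwd]) & MASK32
        rel_ack = (s["ack"] - isn[rev]) & MASK32 if "ACK" in s["flags"] else 0
        out.append({"seq": rel_seq, "ack": rel_ack})
    return out

def is_valid_handshake(segs: List[Dict[str, object]]) -> bool:
    """Apply the three rules the article walks through, in order."""
    if len(segs) != 3:
        return False
    a, b, c = segs
    return (a["flags"] == ["SYN"]
            and sorted(b["flags"]) == ["ACK", "SYN"]
            and b["ack"] == ((a["seq"] + 1) & MASK32)
            and c["flags"] == ["ACK"]
            and c["seq"] == ((a["seq"] + 1) & MASK32)
            and c["ack"] == ((b["seq"] + 1) & MASK32))

# Constructed handshake: client port 51234 -> server port 80, made-up ISNs.
C_ISN, S_ISN = 0x1A2B3C4D, 0x7E8F9A0B
SYN, ACK = FLAG_BITS["SYN"], FLAG_BITS["ACK"]
HANDSHAKE = [parse_tcp(build_tcp(51234, 80, C_ISN, 0, SYN)),
             parse_tcp(build_tcp(80, 51234, S_ISN, C_ISN + 1, SYN | ACK)),
             parse_tcp(build_tcp(51234, 80, C_ISN + 1, S_ISN + 1, ACK))]
```
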