Wireshark (2): Using Wireshark to observe basic network protocols

TCP:

TCP establishes a connection with a three-way handshake made up of three segments: SYN, SYN/ACK, and ACK.

The first step is to find the first SYN segment the PC sends to the server; it marks the start of the TCP three-way handshake.

If you cannot find the first SYN packet, open Edit -> Find Packet. Choose Display Filter and start typing tcp.flags; Wireshark lists the individual flag fields. Pick tcp.flags.syn, append ==1, and click Find: the first SYN packet in the trace is highlighted. Note that tcp.flags.syn==1 also matches the server's SYN/ACK; to match only the client's opening SYN, use tcp.flags.syn==1 && tcp.flags.ack==0.

Note: Find Packet can also search a capture file for hex byte patterns, such as malware signatures, or for strings, such as protocol commands.

A quick way to isolate one TCP conversation is to right-click a packet in the Packet List pane and choose Follow TCP Stream (Follow -> TCP Stream in current versions). Wireshark then builds a display filter that shows only the packets belonging to that session.

A stream window opens showing the reassembled payload of the session, rendered as ASCII by default. The client's data is shown in red and the server's in blue.

A window like the one shown below is convenient for reading cleartext protocol payloads such as HTTP, SMTP, and FTP. For a TLS-wrapped session (HTTPS, for example) the same window shows only the handshake and ciphertext, so the application data cannot be read this way.

Switch the view to Hex Dump to see the payload bytes in hexadecimal, as shown below:

When the window is closed, the filter stays applied and Wireshark lists only the packets of the selected TCP stream, so the three handshake packets are easy to pick out.

Note: Wireshark generated the display filter for this session automatically: (ip.addr eq 192.168.1.2 and ip.addr eq 209.85.227.19) and (tcp.port eq 80 and tcp.port eq 52336). Current versions express the same thing more compactly as tcp.stream eq N, where N is the stream index.

The SYN packet:

In the figure, packet no. 5 is the SYN sent from the client to the server. It opens the connection and carries the client's initial sequence number (ISN), a 32-bit value in the TCP header from which the client's subsequent bytes are numbered, which is what lets the two sides deliver data in order. The Packet Details pane at the bottom shows this information: the flags that are set and the sequence number (Wireshark displays a relative value of 0 here unless relative sequence numbers are turned off in the TCP protocol preferences).

The SYN/ACK packet:

Packet 7 is the server's response. When the server receives the client's SYN, it takes the client's sequence number, adds one, and places the result in the acknowledgement number field; at the same time it sets its own SYN flag and sends its own initial sequence number. This combined SYN/ACK tells the client that the server received the SYN and is ready to communicate.

ACK message:

Packet no. 8 is the acknowledgement the client sends back, telling the server that the SYN/ACK arrived: its acknowledgement number is the server's initial sequence number plus one, and its own sequence number is the client ISN plus one, because a SYN consumes one sequence number even though it carries no data. After this packet both sides are in the ESTABLISHED state and the three-way handshake is complete.
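The following example is added here to show the handshake arithmetic above in code; it is not part of the original tutorial. It decodes raw 20-byte TCP headers, applies the same test as the display filter tcp.flags.syn==1 && tcp.flags.ack==0 to find the opening SYN, checks that the SYN/ACK and ACK carry ISN + 1 (modulo 2^32), and rebuilds the Follow TCP Stream filter quoted earlier. The initial sequence numbers are hypothetical; the ports 52336 and 80 match the filter in the note above.

```python
"""Decode TCP headers and check a three-way handshake (added example)."""
import struct

# Flag bits in byte 13 of the TCP header, the fields Wireshark exposes as
# tcp.flags.fin, tcp.flags.syn, tcp.flags.rst, tcp.flags.push, tcp.flags.ack
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header; options, if present, are skipped via the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "hdr_len": hdr_len, "payload": segment[hdr_len:]}


def build_segment(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Build a segment with no options (data offset 5 words = 20 bytes); checksum left at zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def flag_names(flags: int) -> str:
    bits = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
    return "/".join(name for name, bit in bits if flags & bit) or "none"


def is_initial_syn(h: dict) -> bool:
    """Same test as the display filter  tcp.flags.syn==1 && tcp.flags.ack==0."""
    return bool(h["flags"] & SYN) and not (h["flags"] & ACK)


def verify_handshake(syn_b: bytes, synack_b: bytes, ack_b: bytes):
    """Check flags, ports and sequence/acknowledgement arithmetic; returns (ok, reason)."""
    syn, synack, ack = (parse_tcp_header(b) for b in (syn_b, synack_b, ack_b))
    if not is_initial_syn(syn):
        return False, "first segment is not a bare SYN"
    if (synack["flags"] & (SYN | ACK)) != (SYN | ACK):
        return False, "second segment is not SYN/ACK"
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        return False, "SYN/ACK ports do not mirror the SYN"
    if synack["ack"] != (syn["seq"] + 1) & MASK32:
        return False, "SYN/ACK does not acknowledge client ISN + 1"
    if (ack["flags"] & SYN) or not (ack["flags"] & ACK):
        return False, "third segment must be a pure ACK"
    if ack["seq"] != (syn["seq"] + 1) & MASK32:
        return False, "client ACK sequence number should be client ISN + 1"
    if ack["ack"] != (synack["seq"] + 1) & MASK32:
        return False, "client ACK does not acknowledge server ISN + 1"
    return True, "ESTABLISHED"


def follow_stream_filter(client_ip: str, server_ip: str, syn_b: bytes) -> str:
    """Rebuild the display filter that Follow TCP Stream generates for this session."""
    syn = parse_tcp_header(syn_b)
    return (f"(ip.addr eq {client_ip} and ip.addr eq {server_ip}) and "
            f"(tcp.port eq {syn['dport']} and tcp.port eq {syn['sport']})")


def make_handshake(client_isn: int, server_isn: int, cport=52336, sport=80):
    """Constructed SYN, SYN/ACK and ACK segments for the given initial sequence numbers."""
    return [
        build_segment(cport, sport, client_isn, 0, SYN),
        build_segment(sport, cport, server_isn, (client_isn + 1) & MASK32, SYN | ACK),
        build_segment(cport, sport, (client_isn + 1) & MASK32, (server_isn + 1) & MASK32, ACK),
    ]


# Hypothetical initial sequence numbers; the ports match the filter quoted in the text.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x5E6F7A8B
HANDSHAKE = make_handshake(CLIENT_ISN, SERVER_ISN)

if __name__ == "__main__":
    for label, seg in zip(("SYN", "SYN/ACK", "ACK"), HANDSHAKE):
        h = parse_tcp_header(seg)
        print(f"{label:8} {h['sport']:>5} -> {h['dport']:<5} seq={h['seq']:#010x} "
              f"ack={h['ack']:#010x} flags={flag_names(h['flags'])}")
    print(verify_handshake(*HANDSHAKE))
    print(follow_stream_filter("192.168.1.2", "209.85.227.19", HANDSHAKE[0]))
```

The masking with MASK32 matters in practice: an ISN of 0xFFFFFFFF is legal, and the matching acknowledgement number is 0, not 0x100000000. A checker that forgets the wrap will flag perfectly normal handshakes, and a checker that only looks at the SYN flag (as the bare tcp.flags.syn==1 filter does) will also match SYN/ACKs and SYN floods that never complete.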

ARP, ICMP:

Example: start a Wireshark capture, open a Windows command prompt, and use the ping command-line tool to check connectivity to a neighboring machine.

After the capture is stopped, Wireshark shows the packets in the following figure.

The ARP and ICMP packets are hard to pick out among the other traffic, so apply a display filter that shows only them, for example arp || icmp.

ARP message:

Address Resolution Protocol (ARP) is the TCP/IP protocol that maps an IP address to a physical (MAC) address. The host broadcasts an ARP request to every host on the local network, receives a reply, learns the hardware address that belongs to the destination IP address, stores the pair in its ARP cache, and answers later lookups from the cache. ARP carries no authentication, so any host on the segment can answer a request; that is what ARP spoofing relies on, and an unexpected reply in a capture is worth a second look.

The PC's initial ARP request asks for the MAC address of 192.168.1.1, and the neighboring system answers with an ARP reply. Once the reply has arrived, the ICMP packets follow.

The ICMP message:

Internet Control Message Protocol (ICMP) carries control messages on a TCP/IP network and reports problems that occur along the communication path. From these messages an administrator can diagnose the problem and take appropriate action.

The PC sends an Echo request and receives an Echo reply, as the figure above shows. The ping packet is marked Type 8 (Echo request) and the reply is marked Type 0 (Echo reply).

If you ping the same system again, no ARP request appears, because the address is already in the PC's ARP cache. To force a new ARP request, delete the cached entries with the arp command and ping again:

C:\> ping 192.168.1.1

... ping output ...

C:\> arp -d *

On current Windows versions arp -d requires an elevated command prompt. The next ping to 192.168.1.1 is then preceded by a fresh ARP request.
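To make the ARP and ICMP packets from this section concrete, the following added example (not part of the original tutorial) dissects a small constructed capture the way the arp || icmp display filter and the Info column present it: Ethernet, ARP request/reply, IPv4 and ICMP Echo (Type 8 / Type 0), including verification of the IP and ICMP checksums. The MAC addresses are hypothetical; 192.168.1.1 and 192.168.1.2 are the addresses used in the text.

```python
"""Dissect ARP and ICMP echo frames from a constructed capture (added example)."""
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype, "payload": frame[14:]}


def parse_arp(data: bytes) -> dict:
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", data[:28])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def parse_ipv4(data: bytes) -> dict:
    vihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "proto": proto,
            "checksum_ok": inet_checksum(data[:ihl]) == 0, "payload": data[ihl:tlen]}


def parse_icmp(data: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(data) == 0, "payload": data[8:]}


def dissect(frame: bytes):
    """(protocol, info) like Wireshark's Protocol and Info columns; None for non-ARP/ICMP traffic."""
    eth = parse_ethernet(frame)
    if eth["type"] == ETH_ARP:
        a = parse_arp(eth["payload"])
        if a["op"] == 1:
            return "ARP", f"Who has {a['target_ip']}? Tell {a['sender_ip']}"
        if a["op"] == 2:
            return "ARP", f"{a['sender_ip']} is at {a['sender_mac']}"
        return "ARP", f"opcode {a['op']}"
    if eth["type"] == ETH_IP:
        ip = parse_ipv4(eth["payload"])
        if ip["proto"] == IPPROTO_ICMP:
            icmp = parse_icmp(ip["payload"])
            names = {ICMP_ECHO_REQUEST: "Echo (ping) request", ICMP_ECHO_REPLY: "Echo (ping) reply"}
            info = names.get(icmp["type"], f"type {icmp['type']} code {icmp['code']}")
            if not icmp["checksum_ok"]:
                info += " [bad checksum]"
            return "ICMP", f"{info} id=0x{icmp['id']:04x}, seq={icmp['seq']}"
    return None


def filter_arp_icmp(frames) -> list:
    """Software equivalent of the display filter  arp || icmp."""
    return [f"{proto} {info}" for proto, info in filter(None, map(dissect, frames))]


def build_ethernet(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload


def build_arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, op, sha, spa, tha, tpa)


def build_ipv4(src, dst, proto, payload):
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 128, proto, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))  # fill header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_icmp_echo(typ, ident, seq, payload):
    csum = inet_checksum(struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


# Constructed capture with hypothetical MAC addresses: ARP request/reply, one ping
# exchange, and a TCP segment that the filter must drop.
PC_MAC, PC_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 2])
GW_MAC, GW_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 1])
BCAST, NOMAC = b"\xff" * 6, b"\x00" * 6
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte payload Windows ping sends
CAPTURE = [
    build_ethernet(BCAST, PC_MAC, ETH_ARP, build_arp(1, PC_MAC, PC_IP, NOMAC, GW_IP)),
    build_ethernet(PC_MAC, GW_MAC, ETH_ARP, build_arp(2, GW_MAC, GW_IP, PC_MAC, PC_IP)),
    build_ethernet(GW_MAC, PC_MAC, ETH_IP, build_ipv4(PC_IP, GW_IP, IPPROTO_ICMP, build_icmp_echo(8, 1, 1, PING_DATA))),
    build_ethernet(PC_MAC, GW_MAC, ETH_IP, build_ipv4(GW_IP, PC_IP, IPPROTO_ICMP, build_icmp_echo(0, 1, 1, PING_DATA))),
    build_ethernet(GW_MAC, PC_MAC, ETH_IP, build_ipv4(PC_IP, GW_IP, 6, bytes(20))),  # TCP, filtered out
]

if __name__ == "__main__":
    for line in filter_arp_icmp(CAPTURE):
        print(line)
```

The ICMP id and sequence fields are what let you pair a reply with its request when several pings overlap; a reply whose id/seq matches nothing you sent, or an ARP reply for an address you never asked about, is the kind of anomaly the filtered view makes visible.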

HTTP:

HTTP is the most widely used application protocol today. That is largely because so many applications are web-based: HTTP is easy to implement, and software built on it is easy to develop and deploy, since a browser can use it without any additional client. The exchange begins with the client asking the server to transfer a file.

The figure above shows that the packet contains a GET request. After the initial GET, TCP carries the rest of the exchange: HTTP requests data from the server, and the server uses TCP to send the data back to the client. Before the data itself, the server tells the client that the request was valid with an HTTP 200 OK response. If the client is not permitted to access the requested resource, the server returns 403 Forbidden; if it cannot find the resource, it returns 404 Not Found.

When there is no more data to send, the connection can be terminated with FIN and ACK packets, in a sequence that mirrors the SYN and ACK of the three-way handshake. When the server finishes transmitting, it sends a FIN/ACK to the client. The client replies with an ACK whose acknowledgement number is the FIN's sequence number plus one, because a FIN consumes one sequence number just as a SYN does. That closes the server's side only: the client must then send its own FIN/ACK, which the server acknowledges in turn. The FIN/ACK exchange has to be performed and acknowledged in both directions before the connection is fully closed.
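The following added example (not part of the original tutorial) parses the cleartext HTTP exchange that the Follow TCP Stream window shows for the GET / 200 / 403 / 404 flow described above: the client's red half and the server's blue half are parsed as separate byte streams, messages are framed by Content-Length, and requests are paired with responses. The host name www.example.com and the paths are hypothetical.

```python
"""Parse the cleartext HTTP exchange that Follow TCP Stream displays (added example)."""

STATUS_MEANING = {
    200: "request valid, resource follows",
    403: "client not permitted to access the resource",
    404: "resource not found",
}


def explain_status(code: int) -> str:
    return STATUS_MEANING.get(code, f"{code // 100}xx class response")


def parse_http_message(raw: bytes) -> dict:
    """Parse one request or response from the start of raw; the body is framed by Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers (blank line) found")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) < 2:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "content-length" and headers.get(name, value) != value:
            # Two different lengths is the classic request-smuggling ambiguity; refuse to guess.
            raise ValueError("conflicting Content-Length headers")
        headers[name] = value
    msg = {"headers": headers}
    if start[0].startswith("HTTP/"):
        msg.update(kind="response", version=start[0], status=int(start[1]),
                   reason=start[2] if len(start) > 2 else "")
    else:
        msg.update(kind="request", method=start[0], target=start[1],
                   version=start[2] if len(start) > 2 else "")
    length = int(headers.get("content-length", "0"))
    msg["body"], msg["complete"] = rest[:length], len(rest) >= length
    msg["trailing"] = rest[length:]  # bytes of the next message on a keep-alive connection
    return msg


def parse_messages(raw: bytes) -> list:
    """Split one direction of the stream into messages; stops at the first incomplete one."""
    messages = []
    while raw:
        msg = parse_http_message(raw)
        raw = msg.pop("trailing")
        messages.append(msg)
        if not msg["complete"]:  # capture stopped, or the server closed early
            break
    return messages


def summarize_exchange(client_raw: bytes, server_raw: bytes) -> list:
    """Pair requests with responses in order (HTTP/1.1 answers them in the order received)."""
    reqs, resps = parse_messages(client_raw), parse_messages(server_raw)
    return [f"{q['method']} {q['target']} -> {r['status']} {r['reason']} ({explain_status(r['status'])})"
            for q, r in zip(reqs, resps)]


# Constructed stream contents (hypothetical host and paths): what the red (client) and
# blue (server) halves of a Follow TCP Stream window would show for two requests.
CLIENT_STREAM = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n"
                 b"GET /admin/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SERVER_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
                 b"HTTP/1.1 403 Forbidden\r\nContent-Length: 9\r\n\r\nForbidden")

if __name__ == "__main__":
    for line in summarize_exchange(CLIENT_STREAM, SERVER_STREAM):
        print(line)
```

Framing by Content-Length is what tells you where one response ends and the next begins on a keep-alive connection, and it is also where captures lie to you: a body shorter than its declared length means the capture stopped or the server closed early, and two Content-Length headers that disagree are exactly the input that request-smuggling attacks rely on different parsers disagreeing about, so the parser rejects them rather than picking one.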

Appendix: Network protocol packet structure and packet capture example

TCP/IP protocol stack

Ethernet Frame Example

IP datagram format

IP Packet Example

UDP datagram structure

TCP segment structure

TCP Packet Example
