Download and install
Address: www.wireshark.org/
Capture example
1. Open Wireshark 2.6.5. The following page is displayed:
2. Choose Capture -> Options from the menu bar.
Select the network adapter to capture on (for a laptop on Wi-Fi this is the WLAN adapter; choose it according to how your PC is connected, and the simplest way to tell is to pick the adapter that holds your PC's IP address). Click Start to begin capturing packets.
Start the capture
Wireshark packet capture interface
Note: packets of different protocols are shown in different colors in the packet list pane. The coloring rules are under View -> Coloring Rules on the menu bar, as shown below.
The effect after applying the coloring rules is as follows:
The Wireshark window consists of the following panes:
- Display Filter: the text box where the display filter expression is entered to filter the packets shown. Menu path: Analyze -> Display Filters.
- Packet List Pane: displays the captured packets, one row per packet with its number, timestamp, source address, destination address, protocol, length and a summary. Packets of different protocols are shown in different colors.
- Packet Details Pane: shows the full decoding of the packet selected in the packet list. This is the most important pane, since it is where every field of every protocol layer can be inspected. Its lines, from top to bottom, are
(1) Frame: overview of the frame as received from the physical layer (capture length, arrival time, interface)
(2) Ethernet II: the Ethernet frame header of the data link layer
(3) Internet Protocol Version 4: the IP header of the Internet layer
(4) Transmission Control Protocol: the segment header of the transport layer, TCP in this case
(5) Hypertext Transfer Protocol: the application-layer data, HTTP in this case
TCP packet details
The following figure shows each field of the TCP header in a packet captured by Wireshark.
- Dissector Pane (called the Packet Bytes Pane in Wireshark): the raw bytes of the selected packet in hex and ASCII; clicking a field in the Packet Details pane highlights the bytes it was decoded from.
Configuring Wireshark filters
A beginner who starts Wireshark on a busy interface captures so many unrelated packets that it is hard to find the ones their own actions produced. Wireshark provides two kinds of filter; learning to use them lets you find the information you need quickly in a large capture.
(1) Capture filter
Capture filters are set under Capture -> Capture Filters on the menu bar and must be set before the capture starts. Packets that do not match a capture filter are never recorded, which keeps the capture small but also means they cannot be recovered afterwards.
(2) Display filter
A display filter applies its conditions after the packets have been captured. The usual practice is to keep the capture filter broad (or empty), so that every packet is still in the capture file, and to use the display filter to narrow the view down during analysis. In the same scenario, with no capture filter set, all packets seen by the network adapter are captured, as shown below.
Rules for filter expressions in Wireshark
1. Capture filter syntax and examples
A capture filter uses the libpcap/BPF syntax that tcpdump also uses, and is built from:
- Type (host, net, port)
- Direction (src, dst)
- Protocol (ether, ip, arp, tcp, udp, icmp, etc.). Application protocols such as HTTP or FTP are not capture filter keywords; filter on their port instead (port 80, port 21).
- Logical operators (&& or and, || or or, ! or not)
(1) Protocol filtering
Type the protocol name directly into the capture filter box.
- tcp: captures only TCP packets
- icmp: captures only ICMP packets
- port 80: captures only packets to or from port 80 (there is no http keyword in capture filters; the display filter http is applied afterwards)
(2) IP filtering
- host 192.168.1.104: captures packets sent to or from 192.168.1.104
- src host 192.168.1.104: captures packets whose source address is 192.168.1.104
- dst host 192.168.1.104: captures packets whose destination address is 192.168.1.104
(3) Port filtering
- port 80: captures packets whose source or destination port is 80
- src port 80: captures packets whose source port is 80
- dst port 80: captures packets whose destination port is 80
(4) Logical operators: && (and), || (or), ! (not)
- src host 192.168.1.104 && dst port 80: captures packets whose source address is 192.168.1.104 and whose destination port is 80
- host 192.168.1.104 || host 192.168.1.102: captures packets to or from 192.168.1.104 or 192.168.1.102
- ! broadcast (or not broadcast): does not capture broadcast packets
2. Display filter syntax and examples
(1) Comparison operators
The comparison operators are == (equal), != (not equal), > (greater than), < (less than), >= (greater than or equal to) and <= (less than or equal to).
(2) Protocol filtering
Enter the protocol name in the filter text box. Note: protocol and field names in display filters are lower case.
- tcp: displays only TCP packets
- http: displays only HTTP packets
- icmp: displays only ICMP packets
(3) IP filtering
- ip.src == 192.168.1.104: displays packets whose source IP address is 192.168.1.104
- ip.dst == 192.168.1.104: displays packets whose destination IP address is 192.168.1.104
- ip.addr == 192.168.1.104: displays packets whose source or destination IP address is 192.168.1.104
Note that ip.addr != 192.168.1.104 does not hide that host: ip.addr stands for both addresses of a packet, and the comparison is true as soon as either of them differs. To exclude a host, write !(ip.addr == 192.168.1.104).
(4) Port filtering
- tcp.port == 80: displays packets whose source or destination port is 80
- tcp.srcport == 80: displays only packets whose source port is 80
- tcp.dstport == 80: displays only TCP packets whose destination port is 80
(5) HTTP method filtering
- http.request.method == "GET": displays only HTTP GET requests
(6) Logical operators: and, or, not
Use and/or/not to combine several conditions. For example, to display the ICMP packets to or from 192.168.1.104, the expression is ip.addr == 192.168.1.104 and icmp.
(7) Filtering by packet content. To filter on a value seen inside a packet, say a field in the ICMP layer, select the packet, click the field in the Packet Details pane, then right-click it and choose Apply as Filter; Wireshark builds the matching display filter expression for you, as shown below.
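To make the two filter languages concrete, here is an added Python example (not code from this page, from the referenced blog, or from the Wireshark project). It contains a minimal dissector that decodes a constructed Ethernet II / IPv4 / TCP / HTTP frame into the same layers and field names the Packet Details pane shows (eth.src, ip.addr, tcp.port, http.request.method), and an evaluator that applies both the capture filter expressions (host, src host, dst port, &&, ||, !) and the display filter expressions (field == value, and/or/not, bare protocol names) from the sections above to those fields. The packet, the MAC addresses and the server address 93.184.216.34 are made up, checksums are left at zero, and only IPv4 over Ethernet is handled. It is a model of how Wireshark matches, not its implementation: real capture filters are compiled to BPF and run in the kernel before any dissection happens.

```python
import ipaddress
import operator
import re
import struct


def build_sample_frame() -> bytes:
    """Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP / HTTP GET."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum (0), urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, DF, TTL, proto 6 = TCP, checksum (0), assumed src/dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, ipaddress.IPv4Address("192.168.1.104").packed,
                     ipaddress.IPv4Address("93.184.216.34").packed)
    # Ethernet II: destination MAC, source MAC (both made up), EtherType 0x0800 = IPv4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Decode the layers shown in the Packet Details pane (Frame, Ethernet II, IPv4, TCP, HTTP)
    into a flat map keyed by Wireshark field names; ip.addr and tcp.port hold both instances."""
    f = {"frame.len": len(frame), "_protocols": {"frame", "eth"}}
    f["eth.dst"], f["eth.src"] = frame[:6].hex(":"), frame[6:12].hex(":")
    (f["eth.type"],) = struct.unpack("!H", frame[12:14])
    if f["eth.type"] != 0x0800:  # only IPv4 is dissected further in this example
        return f
    ip = frame[14:]
    f["ip.src"], f["ip.dst"] = (str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (12, 16))
    f["ip.addr"], f["ip.proto"] = [f["ip.src"], f["ip.dst"]], ip[9]
    f["_protocols"].update(("ip", {1: "icmp", 6: "tcp", 17: "udp"}.get(ip[9], "other")))
    if ip[9] == 6:
        tcp = ip[(ip[0] & 0x0F) * 4:]  # IHL is the IPv4 header length in 32-bit words
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
        f["tcp.port"] = [f["tcp.srcport"], f["tcp.dstport"]]
        payload = tcp[(tcp[12] >> 4) * 4:]  # TCP data offset, also in 32-bit words
        # Like Wireshark's default, treat TCP port 80 payload as HTTP and parse the request line.
        if 80 in f["tcp.port"] and payload:
            parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
            if len(parts) == 3 and parts[2].startswith("HTTP/"):
                f["http.request.method"], f["http.request.uri"] = parts[0], parts[1]
                f["_protocols"].add("http")
    return f


_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
        ">=": operator.ge, "<=": operator.le}
_TOKEN = re.compile(r'\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[\w.:]+')
# Capture-filter primitives from the page, mapped onto the equivalent display-filter fields.
_CAPTURE = {"host": "ip.addr", "src host": "ip.src", "dst host": "ip.dst",
            "port": "tcp.port", "src port": "tcp.srcport", "dst port": "tcp.dstport"}


def matches(expression: str, fields: dict) -> bool:
    """Evaluate a filter expression against dissected fields (precedence: not > and > or)."""
    toks = _TOKEN.findall(expression)
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)

    def compare(name, op, literal):
        value = fields.get(name)
        if value is None:  # absent field: no instance can satisfy the comparison
            return False
        instances = value if isinstance(value, list) else [value]
        typed = int(literal, 0) if isinstance(instances[0], int) else literal
        # Wireshark semantics: true if ANY instance matches (so ip.addr != x keeps host x).
        return any(_OPS[op](inst, typed) for inst in instances)

    def atom():
        name = take()
        if name in ("src", "dst") and peek() in ("host", "port"):
            name += " " + take()
        if name == "broadcast":
            return fields.get("eth.dst") == "ff:ff:ff:ff:ff:ff"
        if name in _CAPTURE:  # capture-filter form: host x, dst port n, ...
            return compare(_CAPTURE[name], "==", take())
        if peek() in _OPS:  # display-filter form: field op value
            return compare(name, take(), take().strip('"'))
        return name in fields["_protocols"]  # bare protocol name: tcp, http, icmp, ...

    def unary():
        if peek() in ("not", "!"):
            take()
            return not unary()
        if peek() == "(":
            take()
            value, _ = disjunction(), take()  # evaluate the group, then drop the ")"
            return value
        return atom()

    def chain(sub, words, combine):  # one left-to-right level of a binary operator
        value = sub()
        while peek() in words:
            take()
            value = combine(value, sub())
        return value

    conjunction = lambda: chain(unary, ("and", "&&"), lambda a, b: a and b)
    disjunction = lambda: chain(conjunction, ("or", "||"), lambda a, b: a or b)
    return bool(disjunction())
```

Call dissect(build_sample_frame()) to get the field map, then matches("src host 192.168.1.104 && dst port 80", fields) or matches('http.request.method == "GET"', fields). The compare helper keeps ip.addr and tcp.port as two-element lists and returns true if either instance satisfies the comparison, which reproduces the behaviour noted above: "ip.addr != 192.168.1.104" still matches the sample packet, while "!(ip.addr == 192.168.1.104)" does not.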
Reference links: blog.csdn.net/HarveyH/art…