This is the 21st day of my participation in the August More Text Challenge

What do you usually use for packet capture? Fiddler and Charles are both easy to use and show protocol data clearly, and for everyday packet capture scenarios they are sufficient.

Why learn Wireshark?

Because Fiddler and Charles capture packets by acting as a web proxy, they cannot handle the following two scenarios:

  • Capturing traffic that is not HTTP or HTTPS.
  • Capturing traffic on the server side.

What is Wireshark?

Wireshark is the most widely used network protocol analysis tool. It supports all common protocols, not only HTTP and HTTPS, and it runs on multiple platforms, including Windows, Linux, and macOS.

Wireshark is so powerful, what do we do with it?

With Wireshark you can study how the various network protocols work, locate and analyze network problems, and find out which protocols an application actually uses.

1. Download and install

The official download address: www.Wireshark.org/download.ht…

Download it and double-click to install it.

2. Basic interface introduction

When Wireshark starts, it shows the list of network interfaces. Select the interface you want to listen on.

Once an interface is selected, Wireshark starts capturing protocol data automatically, as shown below:

Relationship between the packets Wireshark captures and the 7-layer OSI model

3. The filter

Because Wireshark captures raw packets straight from the network interface, the amount of captured data is large. To make filtering and analysis easier, Wireshark provides two kinds of filter.

Filters help us quickly find the information we need in a large amount of data.

There are two types of filters: capture filter and display filter.

1. Capture filter: rules defined before capture starts so that only matching packets are recorded, which reduces the volume of captured data.

Menu path: Capture > Options > Capture Filter

Under Capture > Capture Filters, Wireshark already ships with a number of common filtering rules.

Syntax rules: capture filters use the BPF (Berkeley Packet Filter) syntax, the same syntax tcpdump uses.

Examples of common capture filter statements:

  • Capture only packets destined for TCP port 8080: tcp dst port 8080
  • Capture only packets coming from 192.168.171.201: ip src host 192.168.171.201
  • Capture only packets whose destination IP address is 192.168.5.231: ip dst host 192.168.5.231
  • Capture only HTTP traffic (TCP port 80) for host 192.168.5.001: host 192.168.5.001 and tcp port 80
2. Display filter: filters packets that have already been captured. It can be changed at any time, during or after the capture, which makes it more powerful than a capture filter.

Syntax: a display filter is written as a protocol field, a comparison operator and a value, for example ip.addr == 192.168.0.1; terms can be combined with and / or.

Enter the filter rule in the display filter box.

Examples of common display filtering statements:

Filter packets containing IP address 192.168.0.1 (as source or destination):

ip.addr == 192.168.0.1

Filter packets whose source address is 192.168.171.1:

ip.src == 192.168.171.1

Filter packets whose destination address is 192.168.171.1:

ip.dst == 192.168.0.1

Show only packets involving port 80 (as source or destination port):

tcp.port == 80

All HTTP POST requests:

http.request.method == "POST"

HTTP requests whose URL contains "baidu":

http.request.uri contains "baidu"
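To make the display-filter semantics above concrete (ip.addr and tcp.port match either direction, a term on an absent field never matches, contains is a substring test, and terms combine with and / or), here is a small evaluator run over constructed packet records. It is an added example, not Wireshark code; the packets are invented and only the operators == and contains are implemented.

```python
import re

# Constructed sample capture: each packet is a flat dict of dissected fields
# (not real traffic). Packet 3 is UDP, so it has no tcp.* fields at all.
PACKETS = [
    {"ip.src": "192.168.0.1", "ip.dst": "192.168.171.1", "tcp.srcport": 51000,
     "tcp.dstport": 80, "http.request.method": "GET",
     "http.request.uri": "/s?wd=wireshark"},
    {"ip.src": "192.168.171.1", "ip.dst": "192.168.0.1", "tcp.srcport": 80,
     "tcp.dstport": 51000},
    {"ip.src": "192.168.0.1", "ip.dst": "180.101.49.12", "tcp.srcport": 51001,
     "tcp.dstport": 80, "http.request.method": "POST",
     "http.request.uri": "http://www.baidu.com/login"},
    {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "udp.srcport": 53,
     "udp.dstport": 40000},
]

# In Wireshark ip.addr and tcp.port are shorthands that match either
# direction, so expand them to both underlying fields.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}

# field, operator, value; whitespace around the operator is optional,
# so both 'tcp.port==80' and 'tcp.port == 80' parse.
TERM = re.compile(r'^(\S+?)\s*(==|contains)\s*(.+)$')

def eval_term(term, pkt):
    """Evaluate one 'field op value' term against a single packet."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported display filter term: {term!r}")
    field, op, value = m.groups()
    value = value.strip().strip('"')
    present = [str(pkt[f]) for f in ALIASES.get(field, (field,)) if f in pkt]
    if not present:
        return False  # field absent from this packet: the term is false
    if op == "==":
        return any(v == value for v in present)
    return any(value in v for v in present)  # contains: substring match

def matches(expr, pkt):
    """Evaluate a filter with and/or; 'and' binds tighter than 'or'."""
    return any(all(eval_term(t, pkt) for t in re.split(r'\s+and\s+', clause))
               for clause in re.split(r'\s+or\s+', expr))

def apply_filter(expr, packets=PACKETS):
    """Return the indexes of the packets the display filter would keep."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```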

Wireshark tips

Tip 1: Select a field directly in the packet summary or packet details, right-click and choose Apply as Filter to turn it into a display filter.

Tip 2: Click the Expression button to the right of the filter box and build a rule by combining a field, a relation and a value.

Tip 3: Select the packet you want to analyze, right-click, choose Follow (Trace Flow) and pick the protocol stream (for example TCP Stream) to see the whole conversation between that pair of IP addresses and ports over that protocol.

Wireshark's packet analysis features are powerful; the rest is up to you to explore.