This is the 21st day of my participation in the August More Text Challenge
Do you know what is commonly used to catch the package? Fiddler, like Charles, is easy to use and allows you to see protocol data clearly. Fiddler and Charles are sufficient for common packet capture scenarios.
Why learn Wireshark?
Because Fiddler and Charles use web proxy to capture data packets, the following two scenarios cannot be completed:
- Fetching non-HTTP, HTTPS data,
- Fetch data from the server.
What is Wireshark?
The Wireshark is the most widely used network protocol analysis tool. It supports all common protocols, not only HTTP and HTTPS, but also multiple platforms, including Windows, Linux, and MAC.
Wireshark is so powerful, what do we do with it?
Users can use the Wireshark to learn various network protocols, locate and analyze network problems, and determine which protocols are used by applications.
1. Download and install
The official download address: www.Wireshark.org/download.ht…
Download it and double-click to install it.
2. Basic interface introduction
After the Wireshark is started, the page for selecting an NIC port is displayed. Select a listening network adapter as required.
After the NETWORK adapter is selected, the Wireshark automatically captures protocol data as follows:
Relationship between packets captured by the Wireshark and the 7-layer OSI model
3. The filter
The Wireshark directly captures underlying network data packets, resulting in a large number of captured data packets. The Wireshark provides two filters to facilitate packet filtering and analysis.
Filters help us quickly find the information we need in a large amount of data.
There are two types of filters: capture filter and display filter.
1. Capture filter: Set the packet rules to be captured in advance to reduce the packet volume.
Operation path: Capture –>Options –>Capture Filter
Go to Capture > Capture Filters. The Wireshark already provides some common filtering rules.
Syntax rules: syntax:
Examples of common capture filter statements:
- Only packets destined for TCP port 8080 are displayed:
tcp dst port8080 - Only data packets from 192.168.171.201 are displayed:
IP SRC host192.168.171.201 - Only packets whose destination IP address is 192.168.5.231 are displayed:
IP DST host192.168.5.231 - Only HTTP traffic for host 192.168.5.001 is captured:
Host192.168.5.001 andport80andhttp
2. Display filter: Filter the captured packets. It can be changed at any time during or after capture, which is more powerful than capture filter.
Syntax:
Enter a filter rule in the filter box
Examples of common display filtering statements:
Filter packets containing IP address 192.168.0.1
IP addr = = 192.168.0.1Copy the codeFilter packets whose source ADDRESS is 192.168.171.1
IP. SRC = = 192.168.171.1Copy the codeFilter the packets whose destination address is 192.168.171.1
IP. DST = = 192.168.0.1Copy the codeOnly packets containing port 80 are displayed
tcp.port==80
Copy the codeAll HTTP POST requests
http.request.method=="POST"
Copy the codeURL contains HTTP request of Baidu
http.request.uri contains"baidu"
Copy the codeWireshark tips for Wireshark
Tip 1: Directly select the specific data summary or detail information, right-click and select as filter.
Tip 2: Click the expression on the right of the filter rule input box and combine the rules, relationships, and values to be used.
Tip 3: Select the packet that you want to analyze specifically, then right-click “Trace Flow” and select Protocol to see all communications that are identical to the IP and port and protocol of the pair.
The Wireshark provides the powerful packet analysis function for you to learn from the Wireshark.