Wireshark is a powerful network packet analysis tool: it shows how network packets are exchanged, which helps monitor network requests and locate network problems. However, I had never managed to sit down and learn it. On one hand I was intimidated by its power and professionalism, and on the other hand Fiddler and Charles already covered my needs for capturing traffic during network debugging. Today, while studying network protocols, I suddenly felt that pure theory was too abstract, so I wanted to capture a real network request and compare it against the theory. This article is my note on using Wireshark to learn network protocols.

First, capture data packets

I am using Wireshark 2.4.0 for Mac. The goal is to capture the network traffic of a request for the HTML file at http://www.baidu.com. Once Wireshark is opened, it shows a large number of packets without any configuration, covering every network request the PC sends. What we want is the complete data exchange of a single network request, and too much data gets in the way of analysis, so we first filter out the packets we care about. My idea was to filter the network requests by a specific IP address.

➜  Desktop ping www.baidu.com
PING www.a.shifen.com (61.135.169.125): 56 data bytes
64 bytes from 61.135.169.125: icmp_seq=0 ttl=53 time=2.697 ms
64 bytes from 61.135.169.125: icmp_seq=1 ttl=53 time=2.963 ms
...

Run the ping command to obtain the IP address of www.baidu.com, then set the Wireshark filter ip.addr == 61.135.169.125. Requesting www.baidu.com directly in the browser produces multiple requests to this IP address, because the HTML also loads image and CSS resource files. Instead, use curl to send a single HTTP request:

➜  Desktop curl http://www.baidu.com

After sending the HTTP request with curl and applying the Wireshark filter so that only the traffic exchanged with that IP address remains, we get the packets shown in the following figure.

Analyze data packets

As can be seen from the screenshot above, an HTTP request proceeds roughly as follows:

  1. TCP three-way handshake to establish a connection
  2. The client sends an HTTP request
  3. The server sends an HTTP response
  4. TCP four-way handshake to close the connection

Of these four steps, we will focus on the TCP three-way handshake. Let's first look at the structure of a TCP packet.

And the flow chart of the three-way handshake


Here is the TCP packet for the second handshake. The server sends the client a segment with the ACK flag set, and its acknowledgment number is the client's sequence number plus one.

Here is the packet for the third handshake
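As an added example that is not part of the original post, here is a Python script that parses the 20-byte TCP header fields discussed above and checks the handshake rules on a constructed set of three segments (SYN; SYN+ACK whose acknowledgment number is the client sequence number plus one; ACK whose acknowledgment number is the server sequence number plus one). The ports and sequence numbers are made up, and sequence-number wrap-around at 2^32 is handled.

```python
import struct

# TCP flag bits as shown in Wireshark's "Flags" row; sequence numbers wrap at 2^32.
FLAG_SYN = 0x02
FLAG_ACK = 0x10
MASK32 = 0xFFFFFFFF

def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Build a minimal 20-byte TCP header (data offset 5, checksum left zero)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp_header(data):
    """Parse the fixed 20-byte TCP header into the fields the handshake check needs."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "syn": bool(off_flags & FLAG_SYN), "ack_flag": bool(off_flags & FLAG_ACK)}

def check_handshake(segments):
    """Return None if the three raw TCP headers form a valid three-way handshake,
    otherwise a short description of the first rule violated."""
    if len(segments) != 3:
        return "expected exactly three segments"
    c_syn, s_synack, c_ack = (parse_tcp_header(s) for s in segments)
    # 1st: client sends SYN only.
    if not c_syn["syn"] or c_syn["ack_flag"]:
        return "first segment must be SYN without ACK"
    # 2nd: server answers SYN+ACK on reversed ports; ack = client seq + 1.
    if not (s_synack["syn"] and s_synack["ack_flag"]):
        return "second segment must be SYN+ACK"
    if (s_synack["src"], s_synack["dst"]) != (c_syn["dst"], c_syn["src"]):
        return "second segment must come back on reversed ports"
    if s_synack["ack"] != (c_syn["seq"] + 1) & MASK32:
        return "server ack must equal client seq + 1"
    # 3rd: client sends ACK only; its seq advanced by one, ack = server seq + 1.
    if c_ack["syn"] or not c_ack["ack_flag"]:
        return "third segment must be ACK without SYN"
    if c_ack["seq"] != (c_syn["seq"] + 1) & MASK32:
        return "client seq must advance by one after SYN"
    if c_ack["ack"] != (s_synack["seq"] + 1) & MASK32:
        return "client ack must equal server seq + 1"
    return None

# Constructed sample: client port 54321 -> server port 80, as for the curl request.
HANDSHAKE = [
    build_tcp_header(54321, 80, 1000, 0, FLAG_SYN),
    build_tcp_header(80, 54321, 5000, 1001, FLAG_SYN | FLAG_ACK),
    build_tcp_header(54321, 80, 1001, 5001, FLAG_ACK),
]
```

`check_handshake(HANDSHAKE)` returns None for the sample above; feeding it the raw TCP headers of the three packets from the capture (in order) performs the same check on real data.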