Preface

Wireshark is arguably the most powerful packet capture tool available today. Mastering it is a great help when learning network protocols.


Capturing network packets

After opening Wireshark, click Capture -> Options on the menu bar to open the Capture Options window.

The Capture Options window is shown below:

There are four areas to focus on:

1. Interface: lists the network interfaces of the local machine, for example the Wi-Fi interface and the Loopback interface. Loopback carries traffic to local addresses; if you want to capture connections to 127.0.0.1 or localhost, select this interface.

2. Input, Output and Options tabs: described below.

3. Traffic: a sparkline of the traffic currently passing through each interface, which helps you pick the right one.

4. Capture filter: a BPF expression describing the packets you want to capture; everything else is dropped before it reaches Wireshark.

Output tab



1. During capture, packets are written either to a temporary file or to a permanent file. For a permanent file, choose the path under File; the output format (pcap or pcapng) is selectable.

2. Create a new file automatically starts a new file once a limit is reached, for example after a given number of bytes or seconds.

This can be combined with a ring buffer. For example, if you configure two files, they are recycled: once both have been written, the first file is overwritten and recording continues there. This bounds disk usage for long-running captures.

Options tab:

There are two main points:

1. Display options, for example whether to update the packet list in real time.

2. Automatic stop conditions, for example stop capturing after a given number of bytes, packets or seconds.

Click Start to capture packets.

Wireshark panes

After capturing packets, look at the parts of the main window.

1. Toolbar: divided into 5 groups by 4 vertical separators.



2. Display filter: shows only the packets that match the filter expression.

3. Packet list: one row per packet, with the packet number, capture time, source and destination addresses, protocol and a short summary. Clicking a row shows that packet's fields in the details pane.

By default the Time column counts seconds since the start of the capture, so the first packet is at 0 s.

This can be changed in View -> Time Display Format.

To make the relative time of a particular packet zero, right-click that reference packet and choose Set/Unset Time Reference.

The reference packet is then marked *REF* in the Time column of the packet list.

4. Packet details: the packet is shown as a tree of layers.

  • Frame: Wireshark's own metadata layer (arrival time, frame length, capture interface); these fields are not bytes on the wire
  • Ethernet: the link layer
  • Internet Protocol: the network layer
  • Transmission Control Protocol: the transport layer

Click a layer to expand its fields.

5. Packet bytes: the raw bytes of the packet in hex and ASCII. Selecting a field in the details pane highlights the bytes it was parsed from, so the byte pane and the parsed fields always correspond.

Following a stream

Wireshark provides a convenient way to pull one session out of a large capture: following a stream.

For example, right-click a packet you are interested in and choose Follow -> TCP Stream.

Wireshark then applies the display filter tcp.stream eq 12 (12 being that conversation's index); typing tcp.stream eq 12 into the display filter yourself is the same operation.
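To make the layer tree, the byte offsets and the stream index concrete, here is an added example (my own code, not Wireshark's): a minimal dissector for the Frame/Ethernet/IPv4/TCP layers described above that records where each layer starts in the byte pane, numbers conversations the way tcp.stream does (both directions of one 4-tuple share an index, allocated in order of first appearance) and reassembles the payload of one stream as Follow -> TCP Stream would. The frames, MAC and IP addresses are constructed test data; checksums are left at zero.

```python
# Added example (not Wireshark's code): a minimal Ethernet/IPv4/TCP dissector
# that records each layer's byte offset, plus tcp.stream-style numbering and a
# "follow stream" reassembly. All frames below are constructed test data.
import struct


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(octet) for octet in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed frame; IP/TCP checksums are left at 0 (irrelevant here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ipv4 + tcp


def dissect(frame):
    """Return the layer tree shown in the packet details pane. Each layer's
    'offset' is where it starts in the packet bytes pane."""
    layers = {"frame": {"len": len(frame)}}            # Wireshark's own layer
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["eth"] = {"offset": 0,
                     "dst": ":".join(f"{b:02x}" for b in frame[0:6]),
                     "src": ":".join(f"{b:02x}" for b in frame[6:12]),
                     "type": ethertype}
    if ethertype != 0x0800:                             # not IPv4: stop at link layer
        return layers
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4                    # header length in bytes
    proto = frame[ip_off + 9]
    layers["ip"] = {"offset": ip_off, "hdr_len": ihl, "proto": proto,
                    "src": ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16]),
                    "dst": ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])}
    if proto != 6:                                      # not TCP
        return layers
    tcp_off = ip_off + ihl
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", frame[tcp_off:tcp_off + 14])
    data_off = (off_res >> 4) * 4
    layers["tcp"] = {"offset": tcp_off, "srcport": sport, "dstport": dport,
                     "seq": seq, "flags": flags,
                     "syn": bool(flags & 0x02),         # same test as tcp.flags & 0x02
                     "payload": frame[tcp_off + data_off:]}
    return layers


def assign_streams(frames):
    """Number TCP conversations as tcp.stream does: both directions of one
    4-tuple share an index, allocated in order of first appearance."""
    index, result = {}, []
    for frame in frames:
        layers = dissect(frame)
        if "tcp" not in layers:
            result.append(None)
            continue
        a = (layers["ip"]["src"], layers["tcp"]["srcport"])
        b = (layers["ip"]["dst"], layers["tcp"]["dstport"])
        key = tuple(sorted((a, b)))                     # direction-independent key
        result.append(index.setdefault(key, len(index)))
    return result


def follow_tcp_stream(frames, stream):
    """What Follow -> TCP Stream shows for one index: the payload bytes of that
    conversation in capture order, as (src, dst, payload) tuples."""
    out = []
    for frame, idx in zip(frames, assign_streams(frames)):
        if idx != stream:
            continue
        layers = dissect(frame)
        if layers["tcp"]["payload"]:
            out.append((layers["ip"]["src"], layers["ip"]["dst"], layers["tcp"]["payload"]))
    return out


# Constructed capture: one client talking to two servers.
CLIENT, WEB, LOCAL = "10.0.0.5", "93.184.216.34", "10.0.0.9"
CAPTURE = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", CLIENT, WEB, 51000, 443, 0x02),   # SYN
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", WEB, CLIENT, 443, 51000, 0x12),   # SYN/ACK
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", CLIENT, LOCAL, 51001, 80, 0x02),  # SYN, new stream
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", CLIENT, WEB, 51000, 443, 0x18,
                b"GET / HTTP/1.1\r\n"),                                                    # PSH/ACK with data
]

if __name__ == "__main__":
    for n, (frame, idx) in enumerate(zip(CAPTURE, assign_streams(CAPTURE)), 1):
        t = dissect(frame)["tcp"]
        print(f"No.{n} tcp.stream={idx} {t['srcport']}->{t['dstport']} flags=0x{t['flags']:02x}")
    print(follow_tcp_stream(CAPTURE, 0))
```

Running it prints the first three packets as stream 0, 0 and 1 and the fourth as stream 0 again, which is exactly why Follow -> TCP Stream on packet 1 also shows the data carried by packet 4: the stream index is a property of the conversation, not of one direction.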

Capture filter

Capture filters are also called BPF filters.

  • Berkeley Packet Filter provides a packet-filtering interface at the device driver level, so non-matching packets are discarded before they are copied to user space. Most packet capture tools (tcpdump, tshark -f) accept this syntax.
  • Expression: consists of one or more primitives joined by operators.

So once you understand the primitives you know how to use capture filters.

Primitives consist of a name or number plus qualifiers describing it.

Qualifiers:

  • Type: what kind of thing the name or number refers to
    - host, e.g. host www.baidu.com
    - port, e.g. port 80
    - net, e.g. net 192.168.0.0 mask 255.255.255.0, which is equivalent to net 192.168.0.0/24
    - portrange, e.g. portrange 6000-8000
  • Dir: the direction: src, dst, src or dst, src and dst (src = source, dst = destination), e.g. dst port 80
  • Proto: the protocol, e.g. udp. Possible values include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp, icmp, igmp, igrp, pim, ah, esp, vrrp

Other primitives:

  • gateway host: the packet used host as a gateway, i.e. the Ethernet source or destination is host but neither IP address is; equivalent to ether host 'ehost' and not host 'host'
  • broadcast: broadcast packets, e.g. ether broadcast or ip broadcast
  • multicast: multicast packets, e.g. ip multicast or ip6 multicast
  • less / greater: packet length at most / at least the given value, e.g. less 64

Operators:

  • and: && or and
  • or: || or or
  • not: ! or not

Example: src or dst portrange 6000-8000 && tcp or ip6. Be careful with precedence: in BPF, and and or have equal precedence and associate left to right (only not binds tighter), so this expression reads as ((src or dst portrange 6000-8000) and tcp) or ip6, i.e. it also captures every IPv6 packet. To capture "port 6000-8000 and either TCP or IPv6", parenthesize: src or dst portrange 6000-8000 and (tcp or ip6). On the command line (tcpdump, tshark -f) quote the whole expression so the shell does not interpret the parentheses.

Display filter

Capture filter syntax is shared by many tools (anything built on libpcap, such as tcpdump), whereas display filters are Wireshark's own language and only apply inside Wireshark (and tshark).

Display filters are also very powerful, so the learning curve is correspondingly steeper.

The first thing to work out is which fields a display filter supports.

In general, any field name shown in the packet details pane can be used as a filter field.

For example, Source Port.

The label shown in the details pane is not the filter name, however: Source Port corresponds to tcp.srcport. Selecting a field in the details pane shows its filter name in the status bar, and right-click -> Apply as Filter builds the expression for you.

To look up the filter field names of a protocol, open View -> Internals -> Supported Protocols

and find the field name there.

Comparison operators for filter fields

Keyword      Symbol  Meaning                 Example
eq           ==      equal                   ip.src == 10.0.0.5
ne           !=      not equal               ip.src != 10.0.0.5
gt           >       greater than            frame.len > 10
lt           <       less than               frame.len < 128
ge           >=      greater than or equal   frame.len ge 0x100
le           <=      less than or equal      frame.len le 0x20
contains             substring match         sip.To contains "a1763"
matches      ~       regular expression      http.host matches "acme\.(org)"
bitwise_and  &       bitwise AND             tcp.flags & 0x02

Filter field types

  • Unsigned integer, e.g. ip.len le 1500
  • Signed integer
  • Boolean, e.g. tcp.flags.syn
  • Ethernet address: 6 bytes separated by :, - or ., e.g. eth.dst == ff:ff:ff:ff:ff:ff
  • IPv4 address, e.g. ip.addr == 192.168.0.1
  • IPv6 address, e.g. ipv6.addr == ::1
  • String, e.g. http.request.uri == "www.wireshark.org/"

Combining expressions

Keyword  Symbol  Meaning          Example
and      &&      logical AND      ip.src == 10.0.0.5 and tcp.flags.fin
or       ||      logical OR       ip.src == 10.0.0.5 or ip.src == 192.1.1.1
xor      ^^      logical XOR      tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not      !       logical NOT      not llc
[...]            slice operator   eth.src[0:3] == 00:00:83
in               set membership   tcp.port in {443 4430..4434}

Other commonly used operators

1. The brace {} set operator

  • For example, tcp.port in {443 4430..4434} is equivalent to tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434)

2. The bracket [] slice operator (the examples below assume eth.src == 00:00:83:00:20:20)

  • [n:m]: n is the start offset and m the length, e.g. eth.src[0:3] == 00:00:83
  • [n-m]: n is the start offset and m the end offset (inclusive), e.g. eth.src[1-2] == 00:83
  • [:m]: from the start of the field for m bytes, e.g. eth.src[:4] == 00:00:83:00
  • [m:]: from offset m to the end of the field, e.g. eth.src[4:] == 20:20
  • [m]: the single byte at offset m, e.g. eth.src[2] == 83
  • [,]: several of the above can be combined with commas; the pieces are concatenated, e.g. eth.src[0:3,1-2] == 00:00:83:00:83

What if you can't remember all of this? Don't worry: Wireshark provides a visual expression builder for display filters.

Open Analyze -> Display Filter Expression



The specific steps are as follows.

Decrypting TLS messages

Wireshark can decrypt TLS sessions captured from a browser.

Principle: the browser (Chrome or Firefox) writes the secret of every TLS session it negotiates to the file named by the SSLKEYLOGFILE environment variable, one line per secret, keyed by the session's client random. Wireshark reads that file, matches the random in each captured ClientHello against it and derives the record keys from the logged secret. The capture file itself stays encrypted; only what Wireshark displays is decrypted, and only for sessions whose ClientHello was captured and whose secret was logged.

Steps:

  • Configure Chrome to write its TLS secrets to a key log file
  • Point Wireshark at that file

On macOS:

  • First create the file that will receive the secrets, for example /Users/username/sslkeylogs/output.log
  • Then set the environment variable in a terminal: export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log. Quit any running Chrome and launch it from that same terminal (for example /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome); a Chrome started from the Dock does not see the variable, and a new window of an already running Chrome reuses the old process
  • In Wireshark, choose Preferences -> Protocols -> TLS (called SSL in older versions) and enter the path in (Pre)-Master-Secret log filename

The key log file contains the secrets of every logged session, so treat it as sensitive and delete it when you are done.
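To show what Wireshark actually does with that file, here is an added example (my own code, not Wireshark's or Chrome's): it parses a key log in the format SSLKEYLOGFILE produces (one line per secret: a label, the 32-byte client random in hex, and the secret in hex), extracts the client random from a captured ClientHello record, and looks the session up. The log lines, their hex values and the ClientHello bytes are all constructed; the load_keylog helper that reads the real file from the environment variable is provided but not needed to run the example.

```python
# Added example (not Wireshark's or Chrome's code): parse a key log file in the
# format SSLKEYLOGFILE produces and match a captured ClientHello to its logged
# secrets. The log lines and the ClientHello below are constructed.
import os

# Constructed SSLKEYLOGFILE content. Each line is "LABEL <client_random hex>
# <secret hex>". A TLS 1.2 session logs one CLIENT_RANDOM line (48-byte master
# secret); a TLS 1.3 session logs per-direction traffic secrets, all keyed by
# the same 32-byte client random. Every hex value here is made up.
R12, R13 = "11" * 32, "aa" * 32
KEYLOG_TEXT = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + R12 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + R13 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + R13 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + R13 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + R13 + " " + "ee" * 32,
    "",
])


def parse_keylog(text):
    """Return {client_random: {label: secret}}. Comment and blank lines are
    skipped; malformed lines raise so a truncated log is noticed."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL client_random secret'")
        label, rand_hex, secret_hex = parts
        rand = bytes.fromhex(rand_hex)
        if len(rand) != 32:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        sessions.setdefault(rand, {})[label] = bytes.fromhex(secret_hex)
    return sessions


def load_keylog(path=None):
    """Read the file Chrome was pointed at via SSLKEYLOGFILE (or a given path)."""
    path = path or os.environ.get("SSLKEYLOGFILE")
    if not path:
        raise RuntimeError("SSLKEYLOGFILE is not set and no path was given")
    with open(path, encoding="ascii") as fh:
        return parse_keylog(fh.read())


def build_client_hello(random32):
    """Constructed minimal ClientHello record: record header, handshake header,
    client_version, 32-byte random, empty session id (enough to be parsed)."""
    body = b"\x03\x03" + random32 + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """The random sits after the 5-byte record header, the 4-byte handshake
    header and the 2-byte client_version, i.e. at bytes 11..42 of the record."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    return record[11:43]


def secrets_for(client_hello, sessions):
    """Secrets for the session a captured ClientHello belongs to, or None when
    the log has no entry (Wireshark then leaves that session encrypted)."""
    return sessions.get(client_random_from_record(client_hello))


if __name__ == "__main__":
    sessions = parse_keylog(KEYLOG_TEXT)
    for rnd in (bytes.fromhex(R12), bytes.fromhex(R13), bytes(range(32))):
        found = secrets_for(build_client_hello(rnd), sessions)
        print(rnd[:4].hex(), "->", sorted(found) if found else "no key log entry, stays encrypted")
```

The third lookup is the failure mode you will meet in practice: a session whose ClientHello was captured but whose secret never reached the log (Chrome started before the variable was exported, or a connection set up before you began logging) simply has no matching client random, and Wireshark shows it as encrypted Application Data.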

Closing

The above is just my humble opinion; additions and discussion are welcome.

For more articles, please go to GitHub; if you like them, please click star, which is also a form of encouragement for the author.