
Packet capture

1. Capture only the packet headers

The maximum length of a packet that can be captured is 1514 bytes (it is more accurate to call it a Frame, but for ease of expression this book often uses "packet" in place of "Frame" and "segment"). With Jumbo Frames enabled, the maximum length can be 9000 bytes or more. Most of the time we only need the IP header or TCP header for analysis, and Wireshark can be told to capture only the packet header, as follows.

The Options dialog in newer Wireshark versions (2.x and later) has changed considerably. To limit the size of each captured packet: go to Capture -> Options, find and select the interface to capture on, find the capture length (B) column in the list header, click the corresponding cell so that it becomes editable, and enter the limit for each packet's size (the equivalent of the "Limit each packet to" value in older versions).

A commonly used value is 80 bytes, meaning only the first 80 bytes of each packet are captured. That is enough to include the information of the data link layer, the network layer, and the TCP layer.

If the problem involves the application layer, the length of the application layer protocol header should be added. If, like me, you often forget the lengths of the different protocol headers, just enter a larger value. Even 200 bytes is much smaller than 1514 bytes.

With the tcpdump command you can use the "-s" parameter for the same purpose. For example, the following command captures only the first 80 bytes of each packet on eth0 and stores the result in the /tmp/tcpdump.cap file.

[root@server/]#tcpdump -i eth0 -s 80 -w /tmp/tcpdump.cap

2. Capture only what you need

You can apply a capture filter before the capture begins so that unwanted packets are filtered out.

With the tcpdump command you can use the "host" parameter for this. For example, the following command captures only the packets exchanged with 1.1.1.1 and saves the result in the /tmp/tcpdump.cap file.

[root@server-1/]#tcpdump -i eth0 host 1.1.1.1 -w /tmp/tcpdump.cap

Note: Think twice before setting a capture filter, so that you do not filter out useful packets, especially broadcast packets, which are easily overlooked. Of course, sometimes you will still get it wrong no matter how carefully you consider it. For example, I once set the peer's IP address as the filter, but no packets were captured at all. In the end I could only delete the filter and capture again, and then I found that the peer's IP address had been changed by a NAT device.
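To make the effect of the two settings above concrete, here is an added example (not from the book) of a minimal pcap reader: it reads the snaplen recorded in the file header, reports for each record whether it was truncated (captured length smaller than the original length, which is what "-s 80" produces), and applies the equivalent of a "host" filter on the IPv4 addresses. The sample capture is constructed in the script itself, so it runs offline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap magic, as written by tcpdump on x86
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Record:
    caplen: int          # bytes actually stored in the file
    origlen: int         # bytes that were on the wire
    src: Optional[str]
    dst: Optional[str]

    @property
    def truncated(self) -> bool:
        return self.caplen < self.origlen


def parse_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Return (snaplen, records) for a little-endian Ethernet pcap."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        src = dst = None
        # Ethernet header is 14 bytes; IPv4 src/dst sit at IP offsets 12 and 16.
        if len(pkt) >= 34 and struct.unpack("!H", pkt[12:14])[0] == ETHERTYPE_IPV4:
            src = ".".join(str(b) for b in pkt[26:30])
            dst = ".".join(str(b) for b in pkt[30:34])
        records.append(Record(caplen, origlen, src, dst))
    return snaplen, records


def host_filter(records: List[Record], ip: str) -> List[Record]:
    """Keep records where ip is either endpoint (like tcpdump's 'host <ip>')."""
    return [r for r in records if ip in (r.src, r.dst)]


def _frame(src: str, dst: str, payload_len: int) -> bytes:
    """Constructed Ethernet + minimal IPv4 header + zero payload (sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames: List[bytes], snaplen: int) -> bytes:
    """Write frames the way a capture with 'tcpdump -s <snaplen>' would store them."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        cap = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(cap), len(f)) + cap
    return out


# Constructed sample: a full-size frame to 1.1.1.1 and a small frame to another host, snaplen 80.
SAMPLE = build_pcap([_frame("10.0.0.5", "1.1.1.1", 1460), _frame("10.0.0.5", "10.0.0.9", 20)], 80)
```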

3. Mark the packets

Besides capturing small packets, it is best to mark each step, so that the capture is clear and easy to read. For example:

To capture a three-step problem on Windows, I would do it like this.

ping <IP> -n 1 -l 1

ping <IP> -n 1 -l 2

ping <IP> -n 1 -l 3

ping <IP> -n 1 -l 4

The number of payload bytes marks the step number, so there is no confusion even when there are many steps.

Personalized settings

1. Set the time format

I often have to refer to the log times on the server to find the network packets from the moment the problem occurred. Therefore, I set Wireshark's time format to match the server's.

You can do this via View -> Time Display Format -> select the corresponding time format.

2. Customize the packet color

Different types of network packets can be specified with different colors. For example, network administrators may set the most prominent colors for packets related to OSPF or the Spanning Tree Protocol.

File server administrators, on the other hand, care more about the colors of the FTP, SMB, and NFS protocols. The colors can be set via View -> Coloring Rules.

If you already have a color scheme that works well for your work, you can export it and import it into Wireshark.

3. More settings

More Settings can be done in the Edit -> Preferences window.

In this window you can fine-tune details of individual protocols. For example, clicking Protocols -> TCP reveals multiple TCP-related options, each of which is described in detail when you hover over it. If you often need to add and subtract sequence numbers, select Relative Sequence Numbers; this makes the sequence numbers shown much smaller than their real values.

Filtering

Much of the time, the problem-solving process consists of filtering over and over until you find the key packet. The Capture Filter function was described above in the packet capture section. In fact, packets can be filtered further after they have been captured, and the filtering at this stage (the display filter) is more powerful.

One could write a whole booklet about the uses and techniques of filtering. Limited by space, this article can only "filter" out the ones most suitable for beginners.

1. Filtering rules

The simplest usage is to enter the protocol to filter on directly. For example, entering arp shows only ARP packets.

2. Follow the stream

IP address plus port number is the most common filtering method. Besides manually entering a filter expression such as ip.addr == <IP address> && tcp.port == <port number>,

Wireshark also provides a faster way: right-click the packet of interest and select Follow Stream (TCP or UDP, depending on the transport layer protocol).

The stream is filtered automatically, and the conversation content of the stream is displayed in a new pop-up window.

People often ask in forums how to filter out a single TCP/UDP stream.

The answer is: the IP address plus the port at both ends.

To see all the streams in Wireshark, click Statistics -> Conversations and then click the TCP or UDP tab.

3. Let the mouse help you filter

Wireshark sometimes troubles us not because it is not powerful enough, but because it is too powerful to handle. For example, there are thousands of filter conditions to choose from, but how do you write the syntax? Although www.wireshark.org/docs/dfref/ provides a reference, looking things up there every time is too time-consuming.

Wireshark takes this need into account: right-click the content of interest in Wireshark and select Apply as Filter -> Selected, and a filter expression is generated automatically in the Filter box. For more complex requirements, you can also choose And, Or and other options to generate a combined filter expression.

Let Wireshark analyze the data automatically

For some types of problems, we do not need to study the details of the packets at all; we can simply hand them to Wireshark for analysis.

1. Click Analyze -> Expert Information in Wireshark. Under the different tabs you can view information of different severity levels, such as retransmission statistics, connection establishment and reset statistics, and so on. This feature is often needed when analyzing network performance and connectivity issues.

2. Open the Service Response Time window and select a protocol name to obtain a statistical table of the response times. We often need this statistic when measuring server performance.

3. Click Statistics ->TCP Flow Graph to generate several types of statistics graphs.

4. Click Statistics -> Capture File Properties to see statistics such as average traffic, which help estimate the load. For example, the traffic in the figure is only 35 kbit/s, indicating that the load is very low.

5. You can use Statistics -> Traffic Graph to view the communication process more directly.

You can start by writing a display filter rule.

Then select Limit to display filter in the traffic graph window to see only the communication between the two IP addresses.

The easiest-to-use search feature

Like many programs, Wireshark can search for keywords with Control+F. If we suspect that a packet contains the word "error", we can press Control+F, select the "String" radio button, and then enter "error" in the search box. Many application layer errors can be located this way.

Resolving IP addresses to domain names

Go to Edit -> Preferences -> Name Resolution -> Resolve network (IP) addresses to have IP addresses resolved to domain names.