Some time ago, I wanted to share some technology with the junior students in my lab. At the time I was advised to popularize some computer networking knowledge for them, but a purely theoretical lecture would certainly not be attractive enough, so I learned Wireshark while making the slides and writing the talk. After two busy weeks, the sharing session still got good reviews 😁, and I have summarized some tips in this blog post, mainly for beginners.

1. What Wireshark is used for

Purpose 1: Learn networking knowledge through hands-on practice

When I studied computer networks in my sophomore year, my teacher only explained the textbook in class, which gave me the illusion that computer networking was boring, so I did not study the course seriously at the time. Later, when I captured my own packets while reviewing networking knowledge, I found out how interesting it actually is. I have used both Charles and Wireshark, and I recommend Wireshark.

There is also a popular one called Fiddler, but since I use a Mac and Fiddler is not available for Mac, I haven't touched it.

Purpose 2: Obtain network resource information

Generally speaking, Wireshark can capture a wide range of request types, such as HTTP, HTTPS (which requires downloading a patch), TCP, UDP, and ARP.

Purpose 3: Analyze network conditions

As for this one, I have not used Wireshark to analyze network faults myself, so I will not mislead you. However, I can recommend a book, which is also the book I used to learn Wireshark.

2. Preparations before packet capture

1. Modify the coloring rules

The first time we use the tool, the display interface might look like this:

1) Open the View menu and find Coloring Rules, like this:

2) Modify the background color

Set different colors according to your own preference (putting together a set of good-looking colors is really a hard thing to do). Here I mainly changed the SYN packets (green) and FIN packets (gray). After the change you will find the interface much more user-friendly, and you can tell at a glance where the TCP handshake and the teardown (the four-way wave) of a request are ~

2. Capture only the packet headers

As we all know, a data frame is composed of several parts, and for the data we want to see we only need the first part. Click Capture -> Options on the menu bar, and then set the value of "Limit each packet to" in the window that appears. Generally you can set a slightly larger number, such as 80 bytes, so that only the first 80 bytes of each packet are captured. This way the information from the TCP layer, the network layer, and the data link layer is all included. I recommend setting 200 bytes, so that you also get HTTP, TCP, and network layer protocol data.

3. Recognize the lower layers

Note: Here the network layer corresponds to IPv4, the transport layer corresponds to TCP, and the application layer corresponds to HTTP. If it is UDP, it looks like this:

4. Data filtering skills

This is also an important little technique: being able to use filters to quickly locate what you want is very helpful. I have listed some of the more common ones here; once you understand one, you understand them all.

1) Protocol filtering

2) Port filtering

3) IP filtering

4) Identifier filtering

5) Length filtering
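To make the "Limit each packet to" setting from section 2 and the filter types above concrete, here is an added example (my own code, not from the original post): it builds two constructed Ethernet/IPv4/TCP frames, shows which headers survive a given snaplen, and evaluates a tiny subset of Wireshark display-filter syntax (the field names `ip.addr`, `tcp.port`, `tcp.flags.syn`, `frame.len` and `http` are real Wireshark fields; the parser only supports `==`, `>` and `&&`).

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, flags, opts=b"", payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame (sample data, not a real capture)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"             # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(opts) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (5 + len(opts) // 4) << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + opts + payload

def layer_offsets(frame):
    """Byte offset where each layer starts, as the packet-details pane lays them out."""
    tcp = 14 + (frame[14] & 0x0F) * 4                           # 14-byte Ethernet + IPv4 IHL
    return {"eth": 0, "ip": 14, "tcp": tcp, "app": tcp + (frame[tcp + 12] >> 4) * 4}

def layers_kept(frame, snaplen):
    """What survives when 'Limit each packet to' cuts the frame to snaplen bytes."""
    off = layer_offsets(frame)
    return {"eth": off["ip"] <= snaplen, "ip": off["tcp"] <= snaplen, "tcp": off["app"] <= snaplen,
            "app_bytes": max(0, min(len(frame), snaplen) - off["app"])}

def fields(frame):
    """Fields the post's filter types (protocol, port, IP, flag, length) test against."""
    off = layer_offsets(frame); i, t = off["ip"], off["tcp"]
    return {"ip.addr": {".".join(map(str, frame[i + 12:i + 16])), ".".join(map(str, frame[i + 16:i + 20]))},
            "tcp.port": set(struct.unpack("!HH", frame[t:t + 4])),
            "tcp.flags.syn": (frame[t + 13] >> 1) & 1, "frame.len": len(frame),
            "http": int(frame[off["app"]:].startswith((b"GET ", b"POST ", b"HTTP/")))}

def match(frame, expr):
    """Tiny subset of display-filter syntax: 'http', 'field == v', 'field > n', joined by '&&'."""
    f = fields(frame)
    for clause in expr.split("&&"):
        name, *rest = clause.split(); have = f[name]
        if not rest:                                             # bare protocol name: present at all?
            ok = bool(have)
        else:
            op, want = rest
            want = int(want) if want.isdigit() else want
            if isinstance(have, set):                            # ip.addr / tcp.port: either direction
                ok = want in have
            else:
                ok = have == want if op == "==" else have > want
        if not ok:
            return False
    return True

# Constructed sample traffic: a SYN carrying 8 bytes of TCP options, then the HTTP request.
SYN = build_frame("192.168.1.10", "93.184.216.34", 51000, 80, 0x02, opts=b"\x02\x04\x05\xb4\x04\x02\x01\x01")
REQ = build_frame("192.168.1.10", "93.184.216.34", 51000, 80, 0x18, payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
```

With these frames, a snaplen of 60 already cuts into the SYN's 28-byte TCP header (Wireshark would then mark the packet as size-limited), 80 keeps every header intact, and 200 keeps the whole HTTP request line and headers.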

That is all for this first post. These days I am busy writing a WeChat mini program; in a few days I will go through the TCP three-way handshake and four-way wave with a hands-on Wireshark analysis ~

If there is any mistake, please point it out.