How to use WireShark to capture packets and see through network requests

This article is reprinted from the WeChat public account "Java Geek Technology" (the author is a fan of Yaxue). Please contact the Java Geek Technology public account to reprint this article.

Some time ago a colleague needed to analyze some data and turned to WireShark. He did not really know how to capture the data, so he asked Ah Fen. Ah Fen walked him through capturing and analyzing packets with WireShark step by step, and this post shares that walkthrough with everyone.

1. What is WireShark

WireShark has a predecessor called Ethereal. It is a network packet analysis tool, what we usually just call a packet capture tool. Its biggest strength is that it shows as much detail about each network packet as possible. WireShark uses WinPCAP as its interface to exchange packets directly with the network card.

2. Download and install WireShark

First, the official site: https://www.wireshark.org/ . The download page is there.

Use the build that matches your system: a 64-bit system gets the 64-bit build, a 32-bit system gets the 32-bit build. Do not count on compatibility between them; one strange problem can waste all the preparation you have done so far.

If the download is slow, reply "capture packet" or "WireShark" in the public account's backend to get a Baidu Cloud download address.

After the download finishes, run the installer and click Next all the way through. One caveat: if you change the installation path, keep it in English. Even a path like "abc" is better than the two characters for "capture package", because a Chinese path is prone to problems and may stop the capture from working.

Wait for the installation to complete and the logo to appear on the desktop, then open it and see how to use it.

3. Use of WireShark

As you can see from the picture, Ah Fen is on a laptop: the WLAN interface shows fluctuations in its line graph, while the remaining entries are virtual network cards. As Ah Fen said just now, WireShark uses WinPCAP to exchange packets directly with the network card, so the names on the line graph are the interfaces, including several virtual network cards Ah Fen uses for virtual machines.

Find the WLAN interface.

Select the WLAN interface and WireShark captures the data passing through it. Let's look at what the window contains.

  • Display Filter, used to filter the captured packets
  • Packet List Pane, which lists the captured packets, including source address, destination address and port number. Different colors represent
  • Packet Details Pane, which shows the fields in the selected packet
  • Dissector Pane (the raw hexadecimal data)
  • Miscellaneous (status bar and other items)

Once a capture is running, you cannot find what you want by reading through a large volume of packets. You must filter them. Typing a protocol name into the display filter selects packets of that type:

  • arp displays all ARP packets
  • dns displays all DNS packets
  • ftp displays all FTP packets
  • http displays all HTTP packets
  • ip displays all IPv4 packets
  • ipv6 displays all IPv6 packets
  • tcp displays all TCP-based packets

Filtering on http gives the capture shown below.

Let's take a look at what's in the packet details.

  • Frame: physical layer data frame
  • Ethernet II: data link layer Ethernet frame header
  • Internet Protocol Version 4: internet layer IP packet header
  • Transmission Control Protocol: transport layer segment header
  • Hypertext Transfer Protocol: application layer data, here the HTTP protocol

The Src field is interesting: WireShark resolves the vendor prefix of the MAC address, so it shows shenzhen_3a, and the destination MAC address is shown the same way.
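To make the five layers above concrete, here is an added example (not code from the original post or from WireShark) that builds one constructed Ethernet/IPv4/TCP/HTTP frame and dissects it into the same layer names WireShark shows in the Packet Details Pane. The MAC and IP addresses, ports and request line are all constructed sample values; the dissector also recomputes the IPv4 header checksum, which is the first sanity check a practitioner applies to a suspicious frame.

```python
import struct

# TCP flag bits, used to render the flags field the way WireShark does
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: 192.168.1.8:51234 -> 93.184.216.34:80 carrying an HTTP GET."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5 (20 bytes), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                             64, 6, 0, bytes([192, 168, 1, 8]), bytes([93, 184, 216, 34]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp + payload


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> dict:
    """Split a raw frame into the layers WireShark lists in the Packet Details Pane."""
    layers = {"Frame": {"length": len(frame)}}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["Ethernet II"] = {"src": mac(src), "dst": mac(dst), "type": hex(ethertype)}
    if ethertype != 0x0800:          # only IPv4 is dissected here
        return layers
    ip = frame[14:]
    (vihl, _tos, _tlen, _ident, _ff, ttl, proto,
     csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = ip[:ihl]
    calc = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    layers["Internet Protocol Version 4"] = {
        "src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
        "ttl": ttl, "protocol": proto, "checksum_ok": calc == csum}
    if proto != 6:                   # only TCP is dissected here
        return layers
    tcp = ip[ihl:]
    sport, dport, seq, ack, off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    layers["Transmission Control Protocol"] = {
        "srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    payload = tcp[doff:]
    if payload and 80 in (sport, dport):   # treat port 80 traffic as HTTP, like WireShark
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, uri, version = line.split(" ", 2)
        layers["Hypertext Transfer Protocol"] = {"method": method, "uri": uri, "version": version}
    return layers


if __name__ == "__main__":
    for name, fields in dissect(build_sample_frame()).items():
        print(name, fields)
```

Each top-level key corresponds to one expandable row in WireShark's details pane, and the fields inside it are what the rows expand to.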

What you need to learn most about WireShark

That is the filter rules. If you do not write them well, you will not be able to locate the packets you want in a capture and analyze them.

We cannot just type http and then hunt through the list; we have to learn to work efficiently.

For example, if we know the IP address, we can filter on it:

  ip.src == 192.168.1.8

If we know the port number is 8080, we can filter on that:

  tcp.port == 8080

To pick out the GET requests in HTTP:

  http.request.method == "GET"

The same works for the POST method.
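The three filters above share one small grammar: a field name, a comparison, a value, optionally combined with `&&`, `||`, `!` and parentheses, or a bare protocol name that matches any packet carrying that protocol. The following added example (my own code, not part of the original post or of WireShark) implements that grammar as a tiny evaluator and runs the post's filters over four constructed packet records whose keys use WireShark's real field names. It goes a little beyond the post by showing that `tcp.port` matches either end of the connection (it is an alias for `tcp.srcport` or `tcp.dstport`, as `ip.addr` is for `ip.src` or `ip.dst`) and by combining filters with `&&` and `!`. The packet records are constructed sample data.

```python
import re

# field aliases that match either direction, as in WireShark's own filter language
ALIASES = {"tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport"),
           "ip.addr": ("ip.src", "ip.dst")}

# constructed sample capture: a GET, its reply, a DNS query and a POST
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.8", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51234, "tcp.dstport": 8080,
     "http.request.method": "GET", "http.request.uri": "/index.html"},
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.8",
     "tcp.srcport": 8080, "tcp.dstport": 51234, "http.response.code": 200},
    {"frame.number": 3, "ip.src": "192.168.1.8", "ip.dst": "192.168.1.1",
     "udp.srcport": 53312, "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"frame.number": 4, "ip.src": "192.168.1.8", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51235, "tcp.dstport": 8080,
     "http.request.method": "POST", "http.request.uri": "/login"},
]

TOKEN = re.compile(r'\s*(&&|\|\||==|!|\(|\)|"[^"]*"|[A-Za-z_][\w.]*|\d[\w.]*)')


def tokenize(text: str) -> list:
    pos, out = 0, []
    text = text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class DisplayFilter:
    """Recursive-descent parser: expr := term ('||' term)*; term := factor ('&&' factor)*."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0
        self.ast = self.expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("filter ended unexpectedly")
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        t = self.take()
        if t == "!":
            return ("not", self.factor())
        if t == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if self.peek() == "==":
            self.take()
            return ("cmp", t, self.take().strip('"'))
        return ("proto", t)            # bare protocol name such as http or dns

    def matches(self, pkt: dict) -> bool:
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "proto":
            return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
        _, field, value = node
        fields = ALIASES.get(field, (field,))
        return any(str(pkt[f]) == value for f in fields if f in pkt)


def apply_filter(text: str, packets=PACKETS) -> list:
    """Return the frame numbers that satisfy the display filter text."""
    flt = DisplayFilter(text)
    return [p["frame.number"] for p in packets if flt.matches(p)]


if __name__ == "__main__":
    for f in ("ip.src == 192.168.1.8", "tcp.port == 8080",
              'http.request.method == "GET"', 'http && !(http.request.method == "GET")'):
        print(f"{f:45s} -> frames {apply_filter(f)}")
```

Only `==` is implemented on purpose: WireShark's `!=` changed meaning between releases for multi-valued fields such as `tcp.port`, so when you need a negation it is clearer to write `!(tcp.port == 8080)`, which this evaluator handles.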

With this much, we can already capture packets with WireShark. If you are interested, use WireShark to capture and verify the TCP three-way handshake and four-way wave (connection teardown) that Ah Fen covered before.

Link: What the hell are three-way handshakes and four-way waves?
