website developers in kansas city


WiresharkHistory is quite a long time,The initial version is calledEthereal,From graduated from the University of Missouri, Kansas CityGerald CombsDeveloped for project needs,In1998YearGNU Public Licence(GPL)Open source license release。

existEtherealrelease8After year,CombsResignation and seek high,But at that time his employer companyEtherealTrademark,andCombsI have not been able to get with their employers.EtherealTrademark reached an agreement。thenCombsAnd the entire development team2006Re-crown this project during the yearWireshark。

WiresharkThen quickly achieve the favor of the public,And its cooperative development team is also growing500Person above,HoweverEtherealThe project has not advanced a step.。

If you like the first two versions,So I believe you will also like this book.。It continues the previous writing style,Analyze the interpretation with a simple and easy way。

If you miss about the network orWiresharkUpdated the latest information, not willing to try two versions before,Then you can read this book.,Because here contain new network protocol extensions and aboutWireshark 2.xUpdate information。​

(Website developers in kansas city)

website developers in kansas city

I am a very casual person.,so,When I teach you a concept,I will try to explain very casual way.。

And the language of this book will also be equipped,Although it is easy to get lost,But I already do my best to keep the text consistent and clear,Let all definitions become more clear、Straightforward,No bashus。

However, I will finally come from the great Kentucky.,So I have to pay some exaggerated voice,But if you see some coarse country diographs in this book,Please be sure to forgive me.。

If you really want to learn and master packet analysis technology,You should first grasp the concept of presentation in the first few chapters of this book.,Because they are the premise of understanding the rest of this book。

The second half of this book will be pure actual content,Maybe you don't encounter exactly the same scene in your work.,But after studying this book, you should be able to apply the concepts and technologies you have learned.,To solve the practical problems you have encountered。

Wiresharkgetting Started

1.1 WiresharkThe advantages

WiresharkMany advantages in daily applications,Whether you are an initiator or a packet analysis expert,WiresharkCan satisfy your needs through rich features。We previously presented some important judgment character for picking data package sniffing tools.,Let's check it outWiresharkIs there these characteristics?。

Supported protocol:WiresharkIn terms of support protocols are outstanding——At the time of this bookWiresharkMore than1000Support for protocol。These agreements are from the most basicIPAgreement andDHCPProtocol to advanced private agreement,for exampleDNP3andBitTorrentWait。due toWiresharkIt is developed in open source mode,So each update will add some support for new protocols.。

User-friendly:WiresharkThe interface is an interface that is easily understood in the data package sniffing tool.。It is based onGUI,And provide a clear menu bar and concise layout。In order to enhance practicality,It also provides colorful highlights similar to different protocols,And different features such as raw data details through graphics。Similar toTcpdumpThose packets to sniffing tools using complex command lines,WiresharkThe graphical interface is about the initiator of the packet analysis.,Be very convenient。

price:due toWiresharkAn open source,So it is in the price of it is unbeatable.。WiresharkFollowGPLFree software released by the agreement,No one is for private or commercial purposes,Can download and use。

software support:The success or failure of a software depends on its late support.。Although likeWiresharkThis freely distributed software rarely has official formal support,It relies on user groups in open source communities to help。But fortunately,WiresharkCommunity is one of the most active open source project communities。

WiresharkThere are many related links for many software help.,Including online documentation、Support and developmentwiki、FAQ。Many top developers are also registered and paying attention toWiresharkMail list。Riverbed TechnologyAlso providedWiresharkPaying support。

Source code:becauseWiresharkIs open source software,So you can access its source code at any time。This is a lookup programBug、Understanding the working principle of the agreement interpreter or its own contribution code has a great help。

Supported operating system:WiresharkSupport for mainstream operating systems,IncludingWindows、Mac OS XBased onLinuxsystem。You canWiresharkThe home page query allWiresharkSupported operating system list。

1.2 InstallWireshark

WiresharkThe installation process is extremely simple,But to make sure your machine is satisfied before installation.。

Arbitrary new32Bits or64PositionCPU。

At least400MBAvailable memory(Mainly for large traffic files)。

At least300MBAvailable storage space(Does not include captured traffic files)。

Support for network cards for mixed mode。


WinPcapDriver isWindowsforpcapGeneral program interface captured by packet(API)Implementation,Simply, this driver can capture the original packet via the operating system.、Application filter,And enable the NIC to cut or cut out mixed modes。

Although you can also download and install separatelyWinPcap,But generally useWiresharkMountingWinPcap。Because of this versionWinPcapafter testing,Be able toWiresharkwork together。

1.3.1 MicrosoftWindowsInstallation in the system

By testing the currentWiresharkVersion,Ability to maintain it in MicrosoftWindowsOperating system,Including this bookWindows Vista、Windows 7、Windows 8、Windows 10 and Windows Servers 2003/2008/2012。althoughWireshark You can also in some other versionsWindows In operation(for exampleWindows XP),But these versions are not officially supported。

existWindowsInstallWiresharkThe first step isWiresharkThe official website foundDownloadpage,And choose a mirror site to download the latest version of the installation package。

After downloading the installation package,Follow the steps below。

(1)Double click.exeDocument start installation,Click on the introduction pageNext。

(2)Read the license terms,If you agree to accept this terms,ClickI Agree。

(3)Select you want to installWiresharkAssembly,Figure1-1Shown。Accept the default settings in this book,Then clickNext。

website developers in kansas city

picture1-1 Select you want to installWiresharkAssembly

(4)existAditional TasksClick in the windowNext。

(5)chooseWiresharkInstallation location and clickNext。

(6)Do you need to install when pop-upWinPcapDialog,Be sure to make sureInstall WinPcapOption has been checked,Figure1-2Shown,Then clickInstall。The installation process will start。

website developers in kansas city

picture1-2 Will installWinPcapDriveted options

(7)WiresharkThe installation process is approximately half,Will start installationWinPcap。Click on the pageNextLater,Please read the license agreement and clickI Agree。

(8)You will choose whether to install USBPcapOption。This is aUSBTools for collecting data in the device。Check the check box you want and clickNext。

(Website developers in kansas city)(9)WinPcapandUSBPcap(If you are in the previous step)It should be installed on your computer.,After the installation is complete,ClickFinish。

(10)WiresharkIt should be installed on your computer.,After the installation is complete,ClickFinish。

(11)In the installation confirmation interface,ClickFinish。

1.3.2 existLinuxInstallation in the system

WiresharkCan be based onUNIXRun in the system。You can download through the system package manager,And install the release version for your system。We only introduce several commonLinuxDistribution Edition installation steps。

Generally,If installable as system software,You need to haverootAuthority;But if you install a local software by compiling source code,So usually don't needrootPermission。

1.based onRPMsystem

For red capLinux(Red Hat Linux)UseRPMofLinuxDistribution version,for example CentOS,It is very likely to install the system default.YumPackage manager。if it is like this,You can get and quickly install from the Software Source of the release.Wireshark。What you need to do is to open a console window,And enter the following command:

$ sudo yum install wireshark

If you need to rely on components,Then you will install them through tips.。If everything is successful,You will be able to launch it with the command line and passGUI To operate it。

2.based onDEBsystem

For similarDebianandUbuntuUseDEBofLinuxDistribution version,you can useAPT Package management tool installationWireshark。To install from system software sources Wireshark,You can open a console window and type the following command.:If you need to rely on components,Then you will install them through tips.。

$ sudo apt-get install wireshark wireshark-qt

3.Compile using source code

Because of operating system architecture andWireshark Function change,Therefore, the method of installation from the source code may also change,This is also a reason for the installation of the system package manager.。

However,if yourLinuxRelease does not have automatic installation package management tool,So installationWiresharkA efficient way is to use source code compilation。

(Website developers in kansas city)The following steps give the installation method。

(1)fromWiresharkWebsite download source code package。

(2)Type the following command to extract the compressed package(Replace the file name to the name of the source package you download):

$ tar -jxvf <file_name_here>.tar.bz2

(3)In installation and setting WiresharkBefore,May need to install some dependent components。for example,Ubuntu 14.04Need some additional packages to make Wireshark Work。These dependent components can be installed with the following commands(You may need to userootAuthority,You can add it in front of the commandsudo):

$ sudo apt-get install pkg-config bison flex qt5-default libgtk-3-dev

libpcap-dev qttools5-dev-tools

(4)Enter the folder created after decompression。

(5)rootLevel user use./configureCommand Configure the source code to make it easy to compile。If you don't want to use the default settings,Then you can specify the installation option at this time.;If the relevant software support is missing,Then you should get relevant error messages;If the installation is successful,Then you should get a successful reminder,Figure1-3Shown。

website developers in kansas city

picture1-3 Depend on./configureSuccessful output obtained by the command

(Website developers in kansas city)(6)TypemakeThe command compiles the source code into binary files。

(7)usesudo make installCommand completion of the final installation。

(8)runsudo/sbin/ldconfigTo end the installation。

1.3.3 existMac OS XInstallation in the system

existOS XInstallation in the systemWireshark,Please follow the steps below。

(1)fromWiresharkOn the website and download Mac OS X System package。

(2)Run the installer and install it according to the guide。Only accept the user license,Can you continue to install?。

(3)Complete installation guidance。

1.4 WiresharkInitial introduction

It is successfully installed in the system.WiresharkLater,You can start learning to use it.。When you finally open this powerful packet sniffer,Will find that you can't see anything!

(Website developers in kansas city)All right,WiresharkIt's really not very fun when just opened.,Only after getting some data will become interesting。

1.4.1 First capture data package

In order to makeWiresharkGet some packets,You can start the first packet capture experiment.。You may want to think:“When there is no problem, there is no problem.,How can I capture a packet??”

First,Network always has problems。If you don't believe,So please send a message to all users on the network.,Tell them everything work very well。

second,Packet analysis does not have to wait until there is a problem.。In fact,Most packet analysts spend more time spent on network traffic, no problem.。In order to solve the network problem efficiently,You also need to get a benchmark to compare。for example,If you want to solve the network trafficDHCPThe problem,So you need at least you needDHCPWhat is the data flow in normal operation?。

Broadly,In order to be able to find an abnormality of daily network activities,You must master the situation of daily network activities。When your network is running normally,Use this as a baseline,You can know that the network traffic is in normal conditions.。

Leisure,Let us catch some packets.!


(2)Select from the primary drop-down menuCapture,AfterwardsInterface。

At this point you should be able to see a dialog,List all the various devices you can use to capture packets,And theirIPaddress。

(Website developers in kansas city)(3)Select the device you want to use,Figure1-4Shown,Then clickStart,Or directly click on the welcome screenInterface ListA device under the equipment。Subsequent data will appear in the window。

website developers in kansas city

picture1-4 Select the port you want to capture packet capture

(4)Soonl minabout,When you intend to stop capturing and view your data,existCaptureClick in the drop-down menuStopButton。

When you finish the steps and completed the capture of the packet,WiresharkThe corresponding data should have been present in the main window.,But at this point you may feel a headache for those data.,This is what we putWiresharkThe reason why a whole main window is split

1.4.2 WiresharkMain window

WiresharkThe main window will split the packet you captured and presented more easily.,It will also be where you spend more time.。We use the data packet just captured to introduce it.WiresharkMain window,Figure1-5Shown。

website developers in kansas city

picture1-5 WiresharkThe design of the main window is used.3Panel

Main window3There is a relationship between panels。If you wantPacket DetailsView a concrete content of a separate packet in the panel,Then you have toPacket ListPanel Click the selected packet。

After selecting the packet,You canPacket DetailsSelect a field of the packet in the panel,ThusPacket BytesView the byte information of the corresponding field in the panel。

DownThe surface introduces the contents of each panel。

Packet List(Packet list):This top panel is used to display all the packets in the current capture file.,These include data package serial number、The relative time when the packet is captured、Data package source address and destination address、Packet protocol and listings such as profile information found in the packet。

Packet Details(Detail of packet):This middle panel is hierarchically displayed in a packet.,And can display all the content captured in this packet by expanding or shrinking。

Packet Bytes(Packet byte):This bottom of the top panel may be the most confusing,Because it shows the original sample that a packet is not processed,That is, it is like propagating on the link.。These raw data look uncomfortable and not easy to understand。

1.4.3 Wiresharkfirst choice

WiresharkProvide some preference settings to make you customize as needed。If you need to setWiresharkfirst choice,Then you need to choose in the primary drop-down menu.EditClickPreferences,Then you can see a dialog box for a preference,There are some options that can be customized,Figure1-6Shown。

website developers in kansas city

picture1-6 you can usePreferencesOptions in dialog box customWiresharkConfiguration

WiresharkPreferences are divided into6Main part,Plus1Advanced option。

Appearance(Exterior):These options determineWiresharkHow to display data。You can adjust most options according to personal preferences,For example, if you save a window location、3Layout of a major window、Rolling strip、Packet ListPlace in panel、Show fonts that capture data、Foreground color and background color, etc.。

Capture(capture):These options allow you to make special settings for your own data packets.,For example, the device you use by default、Whether to use mixed mode by default、Is it real-time update?Packet ListPanel, etc.。

(Website developers in kansas city)Filter Expressions(Filter expression):We will explore in the following chapters Wireshark How to let you break the flow based on the setting standard。The options in this section allow you to generate and manage these filters。

Name Resolutions(Name analysis):Through these settings,You can openWiresharkPut address(includeMAC、Network and transmission name resolution)Resolution into a more easily distinguished name,And you can set the maximum number of concurrent processing name resolution requests。

(Website developers in kansas city)Protocols(protocol):The options in this section allow you to adjust about capture and display variousWiresharkDecoding data packets。Although it is not for each protocol, it can be adjusted.,But some protocols can be changed。Unless you have special reasons to modify these options,Otherwise it is best to keep their default values.。

(Website developers in kansas city)Statistics(statistics):This part providesWiresharkSetting options for the statistics function。In the first5Chapter We will conduct more deeper learning。

Advanced(advanced):Above6The settings that have not been made in some part will be classified here.。Usually these settings are onlyWiresharkAdvanced users will be modified。

1.4.4 Packet color highlight

If you like colorful objects like me,Then you shouldPacket ListDifferent colors in the panel are excited。Figure1-7Shown(Although the illustration is black and white,But you should be able to understand),Those colors look like random allocation to each packet,But it is not like this.。

(Website developers in kansas city)

website developers in kansas city

picture1-7 WiresharkColorful highlights help quickly identify protocols

(Website developers in kansas city)Each packet's color is quite,These colors correspond to the protocol used by the packet。for example,allDNSThe traffic is blue,andHTTPThe traffic is green。

Color packets are highlighted,Allows you to quickly separate the packets of different protocols,Do not need to view each packetPacket ListProtocol in panel。You will find this when you browse larger capture files,Can save time。

Figure1-8Shown,Wiresharkpass throughColoring Rules(Coloration rules)The window can easily view the color corresponding to each protocol。If you want to open this window,So you can choose in the primary drop-down menu.ViewClickColoring Rules。

website developers in kansas city

(Website developers in kansas city)You can create your own coloring rules,Or modify existing settings。for example,Use the following steps toHTTPThe default background of traffic green is changed to lavender。

(Website developers in kansas city)(1)OpenWireshark,And openColoring Ruleswindow(View->Coloring Rules)。

(2)Find in the list of colored rulesHTTPColoring rules and click。

(3)ClickEditButton,You will see oneEdit Color Filterwindow,Figure1-9Shown。​

picture1-8 You canColoring RulesView and change the color of the packet in the window

website developers in kansas city

picture1-9 When editing a color filter,The foreground color and background colors can be changed

(4)ClickBackground ColorButton。

(5)Select a color you want to use with color rollers,Then clickOK。

(6)Again click againOKTo apply change,Back to the main window。The main window should have been overloaded at this time.,And use the changed color style。

When used on the networkWiresharkTime,Maybe you will find that you have more jobs for a certain agreement than other protocols.。At this time, the color-high-bright packet makes your work more convenient.。

for example,If you think that there is a malicious in your networkDHCPServer is distributedIP,Then you can simply modifyDHCPColoring rules of the agreement,Make it a bright yellow(Or other ease-identified colors)。

This can make you find allDHCPflow,And make your packet analysis work more efficient。You can also create coloring rules based on customized filters,To expand these coloring rules。

1.4.5 Profile

When we want to change the settings directly,clearWireshark Where to store the configuration file is very helpful。To find the file,You can click on the primary drop-down menu.HelpAnd chooseAbout Wireshark,Then clickFoldersLabel card。This window is as shown1-10Shown。

(Website developers in kansas city)

website developers in kansas city

picture1-10 positionWiresharkProfile location

WiresharkThe most important position of personalization settings is personal and global settings directory。The global setup directory contains all the default configuration options。Personal Settings Contents only contain configuration options for your account。Any new configuration you do will use the name you provide and store in the subdirectory of your personal configuration folder.。

(Website developers in kansas city)The difference between global and personal configuration directories is important,Because any changes to global settings will affect each in the systemWiresharkUser。

1.4.6 Configuration

learnedWireshark After the parameter configuration,Sometimes you will find that you are using a configuration scheme but soon to switch to another configuration scenario.。In fact, we don't have to set these options every time.,Wireshark Personalized configuration solution,Let users save a set of configurations。

(Website developers in kansas city)A configuration solution stores the following settings。

Preferences Parameter option。

Capture filters Capture filter。

(Website developers in kansas city)Display filters Display filter。

Coloring rules Coloration rules。

(Website developers in kansas city)Disabled protocols Disabled protocol。

Forced decodes Forced decoding。

Recent settings Recently set,Such as the size of the pane、Menu setup and column width。

Protocol-specific tablesTable of specific protocols,E.gSNMPUser and customizationHTTPhead。

To view a list of configuration scenarios,Can click on the main drop-down menuEdit,And choose Configuration Profiles Option。Another way is to right click on the lower right corner of the screen and selectManage ProfilesOption。

(Website developers in kansas city)When the window is in the configuration scheme,You will seeWiresharkPreset configuration solution,It contains pictures1-11Shown“default”、“Bluetooth”and“classic”plan。in“Latency Investigation”The program is my own solution,It is displayed as a physical,And other systems globally or default protocols are shown as slope。

website developers in kansas city

picture1-11 View configuration solution

Configuration scenario window allows you to create、copy、Delete and Application Configuration。Creating a new configuration is very simple。

(1)BundleWiresharkSet the configuration you want to store。

(2)Click on the main drop-down menu Edit,And choose Configuration Profiles Option,Take the configuration scenario window。

(3)Click the plus sign(+)Button and name it to the scheme。

(4)Click OK。

When you want to switch the configuration scheme,Select the scheme name under the configuration scenario,Then click OK I.e.。There is a faster way,That is to click the configuration file on the bottom right corner of the screen.,Then choose the solution you want.,Figure1-12Shown。

website developers in kansas city(Website developers in kansas city)

(Website developers in kansas city)picture1-12 Quick conversion configuration solution

(Website developers in kansas city)One of the particularly useful features is,Each configuration solution is stored in a separate directory,This means you can easily back up and share it to others.。

Figure1-10Shown folders Label card provides paths for global and personal profiles。You only need to copy the entire directory of that configuration scheme to the same path,You can share the current configuration to other computers.。

After that, you may need to create some special configuration solutions.,To solve the common problem、Find the source and investigation of network delay。Don't be scared by frequent switching configuration.。Contrary,This is a very labor-saving skill。I know that many masters have a bunch of different configuration solutions to deal with different scenes.。

Now yoursWiresharkIt should have been installed and run.,You are ready to analyze the packet.。

website developers in kansas city

《WiresharkPacket analysis actual combat(First3Version)》

[beautiful]Chris ▪ Sanders(Chris Sanders) write

WiresharkIs the most popular network sniffing software,This book is based on the previous versionWireshark 2.0.5andIPv6Update,And through a large number of real casesWiresharkUse a detailed explanation,Aim to help readers understandWiresharkCapturedPCAPFormat packet,In order to troubleshoot problems in the network。