1. Getting Started
Environment: Win8 laptop, wireless network
1.1. Wireless network card settings
Capturing packets on a wireless network card requires one setting; capturing on a wired network card requires none.
Open the wireshark menu item “Capture” > “Capture Options”;
Turn on the Promiscuous Mode option.
Reason: without this setting no packets are captured, because wireless networks differ from wired ones. Wireless networks use CSMA/CA, which is half-duplex and cannot send and receive at the same time. On a wired network card, by contrast, the transmitted packets can be captured directly without putting the card into promiscuous mode.
Most wireless network cards do not support promiscuous mode, and wireless network cards that support promiscuous mode are very expensive.
Promiscuous mode: a networking term describing whether the network card accepts only packets addressed to the local machine. In promiscuous mode every packet on the LAN can be monitored.
2. Use
2.1. Simple use and storage
Wireshark >> Capture >> Start begins capturing packets.
File > Save writes the captured data to a file.
2.2. Filters
There are two types of filters:
capture filters: determine which packets are captured at all; they are set before the capture starts;
display filters: a logical expression that determines which part of the captured result is shown in the window; it can be changed at any time without affecting the captured data.
2.3. Filtering rules
2.3.1. Filter IP
ip.src == 192.168.1.107 or ip.dst == 192.168.1.107
ip.addr eq 192.168.1.107 // matches either the source or the destination IP
2.3.2. Filtering ports
tcp.port eq 80 // matches either the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // Display only the destination port 80 of the tcp protocol
tcp.srcport == 80 // Display only the source port 80 of the tcp protocol
udp.port eq 15000
Filter port range
tcp.port >= 1 and tcp.port <= 80
2.3.3. Filtering Protocol
tcp, udp, arp, icmp, http, etc.
Exclude ARP packets: !arp or not arp
2.3.4. Filter MAC
eth.dst == A0:00:00:04:C5:84 // Filter target mac
eth.src eq A0:00:00:04:C5:84 // Filter source mac
eth.dst==A0:00:00:04:C5:84 // colon-separated notation
eth.dst==A0-00-00-04-C5-84 // dash-separated notation is accepted as well
eth.addr eq A0:00:00:04:C5:84 // matches packets whose source or destination MAC is A0:00:00:04:C5:84
Comparison operators (the English and symbolic forms are interchangeable):
lt or <   less than
le or <=  less than or equal to
eq or ==  equal to
gt or >   greater than
ge or >=  greater than or equal to
ne or !=  not equal to
2.3.5. Packet length filtering
udp.length == 26 // udp.length is the fixed 8-byte UDP header plus the data carried below UDP
tcp.len >= 7 // tcp.len is only the data carried below TCP (the TCP payload); the TCP header itself is not counted
ip.len == 94 // everything except the fixed 14-byte Ethernet header counts toward ip.len, i.e. from the IP header to the end of the packet
frame.len == 119 // the whole frame, from the start of the Ethernet header to the end
Layering: eth -> ip or arp -> tcp or udp -> data
2.3.6. http protocol filtering
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packet
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packet
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// Response packet
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
The response filters above only match responses that carry a Content-Type: header.
2.3.7. TCP parameter filtering
tcp.flags // shows every packet that has a TCP flags field, i.e. all TCP segments
tcp.flags.syn == 1 // shows packets with the TCP SYN flag set; tcp.flags.syn is a boolean field, so the value is 1 (tcp.flags == 0x002 would match SYN-only segments)
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window segments that are not resets
2.3.8. Packet Content Filtering
tcp[20] // the single byte at offset 20
tcp[20:] // from offset 20 to the end of the TCP segment (one or more bytes)
Note: The contents between the two dashed lines did not pass the test on my wireshark (linux).
tcp[20:8] // starting at offset 20, take 8 bytes
tcp[offset:n] // general form: n bytes starting at offset
udp[8:3]==81:60:03 // skip 8 bytes, take the next 3; are they equal to the value after ==?
udp[8:1]==32 // if I guess correctly, the form is udp[offset:count]==value
eth.addr[0:3]==00:06:5B // the first three bytes of the MAC address, i.e. the OUI
Example:
Check whether the first three bytes of the data carried below UDP equal 0x20 0x21 0x22.
The UDP header always has a fixed length of 8 bytes, so the payload starts at offset 8:
udp[8:3]==20:21:22
Check whether the first three bytes of the TCP payload equal 0x20 0x21 0x22.
The TCP header is usually 20 bytes long, but not always (TCP options make it longer):
tcp[20:3]==20:21:22 // assumes a 20-byte TCP header without options
To be exact you first have to know the TCP header length of the packet in question.
Matches and contains syntax
ip.src==192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22" ——???——
ip.src==192.168.1.107 and udp contains 02:12:21:00:22
ip.src==192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets containing 0x7c7c7d7d anywhere in the payload, not necessarily at its first byte
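The following Python script is an added worked example and is not part of the original page. It builds a constructed Ethernet II / IPv4 / TCP-or-UDP frame and then derives the four length fields of section 2.3.5 (frame.len, ip.len, udp.length, tcp.len) from the raw bytes, and emulates the byte-slice and contains filters of section 2.3.8. It also handles the edge case the text warns about: a TCP header longer than 20 bytes, where tcp[20:3] lands on the options rather than the payload. All addresses, payloads and function names (build_frame, parse_frame, slice_field, payload_starts_with, payload_contains) are this example's own assumptions, not captured data.

```python
"""Added worked example (not from the original page): relate Wireshark's length
fields (2.3.5) and byte-slice / contains filters (2.3.8) to the bytes of a frame.
All frames, addresses and payloads below are constructed sample data."""
import struct
from ipaddress import IPv4Address

ETH_HDR = 14   # Ethernet II header: dst(6) src(6) type(2); never counted in ip.len
UDP_HDR = 8    # UDP header is always 8 bytes, so the payload starts at udp[8]

def build_frame(proto, payload, tcp_options=b""):
    """Construct eth -> ip -> tcp|udp -> data with sample addresses (not captured)."""
    if proto == "udp":
        l4 = struct.pack("!HHHH", 40000, 15000, UDP_HDR + len(payload), 0) + payload
    else:
        hdr_words = (20 + len(tcp_options)) // 4          # TCP data offset, in 32-bit words
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, hdr_words << 4, 0x02, 65535, 0, 0)
        l4 += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     17 if proto == "udp" else 6, 0,
                     IPv4Address("192.168.1.107").packed, IPv4Address("192.168.1.1").packed)
    eth = bytes.fromhex("a0000004c584") + bytes.fromhex("0242ac110002") + b"\x08\x00"
    return eth + ip + l4

def parse_frame(frame):
    """Return the Wireshark-named fields for an Ethernet II / IPv4 / TCP-or-UDP frame."""
    f = {"frame.len": len(frame)}                          # whole frame, eth header included
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    f["ip.len"] = struct.unpack("!H", ip[2:4])[0]          # IP header + everything after it
    f["ip.src"] = str(IPv4Address(ip[12:16]))
    l4 = ip[ihl:]
    if ip[9] == 17:                                        # UDP
        f["udp.length"] = struct.unpack("!H", l4[4:6])[0]  # 8-byte header + payload
        f["udp"] = l4                                      # bytes that udp[x:y] indexes into
    elif ip[9] == 6:                                       # TCP
        f["tcp.hdr_len"] = (l4[12] >> 4) * 4               # 20 bytes, or more with options
        f["tcp.len"] = len(l4) - f["tcp.hdr_len"]          # payload only, header excluded
        f["tcp"] = l4                                      # bytes that tcp[x:y] indexes into
    return f

def slice_field(fields, proto, offset, n):
    """Emulate the display-filter slice proto[offset:n]: n bytes starting at offset."""
    return fields[proto][offset:offset + n]

def payload_starts_with(fields, proto, prefix):
    """Like udp[8:n]==... or tcp[20:n]==..., but using the real header length so a
    TCP header with options (the case the text warns about) is handled correctly."""
    start = UDP_HDR if proto == "udp" else fields["tcp.hdr_len"]
    return slice_field(fields, proto, start, len(prefix)) == prefix

def payload_contains(fields, proto, needle):
    """Emulate 'proto contains xx:yy': a match anywhere, not only at the first byte."""
    return needle in fields[proto]

if __name__ == "__main__":
    udp = parse_frame(build_frame("udp", b"\x20\x21\x22\x7c\x7c\x7d\x7d"))
    print("udp:", {k: v for k, v in udp.items() if k != "udp"})
    print("udp[8:3]==20:21:22 ->", slice_field(udp, "udp", 8, 3) == b"\x20\x21\x22")
    print("udp contains 7c:7c:7d:7d ->", payload_contains(udp, "udp", b"\x7c\x7c\x7d\x7d"))
    # TCP with a 4-byte MSS option: the header is 24 bytes, so tcp[20:3] hits the option, not the data
    tcp = parse_frame(build_frame("tcp", b"\x20\x21\x22", tcp_options=b"\x02\x04\x05\xb4"))
    print("tcp.hdr_len", tcp["tcp.hdr_len"], "tcp.len", tcp["tcp.len"])
    print("tcp[20:3]==20:21:22 ->", slice_field(tcp, "tcp", 20, 3) == b"\x20\x21\x22")
    print("payload really starts with 20:21:22 ->", payload_starts_with(tcp, "tcp", b"\x20\x21\x22"))
```

Running the script shows frame.len 49 / ip.len 35 / udp.length 15 for the 7-byte UDP payload, and for the TCP frame with a 4-byte option that the fixed-offset filter tcp[20:3]==20:21:22 is false while the payload really does start with those bytes, which is why the text says the TCP header length has to be known first.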
2.3.9. DHCP Filtering
Note: in the Wireshark version used here the DHCP protocol is filtered as bootp, not dhcp/DHCP (Wireshark 3.0 renamed the dissector to dhcp, so on current versions the same filters read dhcp and dhcp.type).
Finding a rogue DHCP server serves as the example for using Wireshark. Add the following rule to the display filter.
Show every BOOTP reply (bootp.type==0x02, i.e. Offer/ACK/NAK) that did not come from the legitimate DHCP server at 192.168.1.1:
bootp.type==0x02 and not ip.src==192.168.1.1
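The following Python script is an added example, not part of the original page: it implements the rogue-DHCP-server check above over constructed BOOTP/DHCP messages, keeping the page's logic (reply, i.e. op 2, from a source other than the legitimate server) and additionally decoding option 53 so the listing shows which kind of reply (Offer/ACK/NAK) the unexpected server sent. It generalises the page's single address 192.168.1.1 to an allow-list of servers. The addresses 192.168.1.254 and the message contents are constructed sample data, and the function names (build_dhcp, parse_dhcp, find_rogue_replies, sample_records) are this example's own.

```python
"""Added worked example (not from the original page): the rogue-DHCP-server check
of section 2.3.9, 'bootp.type==0x02 and not ip.src==192.168.1.1', implemented over
constructed DHCP messages, with the DHCP message type decoded from option 53."""
import struct

BOOTP_REPLY = 2                      # bootp.type == 0x02 (Boot Reply); requests are 1
DHCP_MAGIC = b"\x63\x82\x53\x63"     # magic cookie that follows the 236-byte BOOTP header
OPT_MSG_TYPE = 53                    # DHCP Message Type option
OPT_END = 0xFF
MSG_NAMES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
             5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}

def build_dhcp(op, msg_type, yiaddr=b"\x00\x00\x00\x00"):
    """Construct a minimal BOOTP/DHCP message (sample data, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0,                  # op, htype, hlen, hops, xid, secs, flags
                        b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)      # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])
    return fixed + DHCP_MAGIC + options

def parse_dhcp(payload):
    """Decode bootp.type (the op byte) and the DHCP message type from the option list."""
    fields = {"bootp.type": payload[0], "msg_type": None}
    if payload[236:240] != DHCP_MAGIC:
        return fields                                     # plain BOOTP, no DHCP options
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                                     # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            fields["msg_type"] = payload[i + 2]
        i += 2 + length
    return fields

def find_rogue_replies(records, legitimate_servers):
    """Python form of the display filter: replies (op 2) whose ip.src is not an
    expected server. Generalised from the page's single address to an allow-list."""
    rogue = []
    for src_ip, payload in records:
        f = parse_dhcp(payload)
        if f["bootp.type"] == BOOTP_REPLY and src_ip not in legitimate_servers:
            rogue.append((src_ip, MSG_NAMES.get(f["msg_type"], "unknown")))
    return rogue

def sample_records():
    """Constructed (ip.src, udp payload) pairs: the legitimate server at 192.168.1.1
    and a second, unexpected server at 192.168.1.254 answering the same client."""
    return [
        ("0.0.0.0",       build_dhcp(1, 1)),                               # client Discover
        ("192.168.1.1",   build_dhcp(2, 2, yiaddr=b"\xc0\xa8\x01\x64")),   # Offer from the real server
        ("192.168.1.254", build_dhcp(2, 2, yiaddr=b"\xc0\xa8\x01\x0a")),   # Offer from the unexpected server
        ("0.0.0.0",       build_dhcp(1, 3)),                               # client Request
        ("192.168.1.1",   build_dhcp(2, 5, yiaddr=b"\xc0\xa8\x01\x64")),   # ACK from the real server
        ("192.168.1.254", build_dhcp(2, 6)),                               # NAK from the unexpected server
    ]

if __name__ == "__main__":
    for src, kind in find_rogue_replies(sample_records(), {"192.168.1.1"}):
        print(f"unexpected DHCP {kind} from {src}")
```

On the sample records the check reports an Offer and a NAK from 192.168.1.254; the client's own Discover and Request are ignored because their op byte is 1, exactly as bootp.type==0x02 excludes them in the display filter.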