Wireshark: difference between revisions
Latest revision as of 12:24, 22 November 2022 (Tuesday)
Wireshark is an open-source network packet analyzer that supports live packet capture as well as offline analysis of saved capture files.
Introduction
Timeline
Installation
Windows
- Download the installer from https://www.wireshark.org/#download
- Run the installer and follow the prompts.
Learn more >> Wireshark documentation: Installing Wireshark under Windows: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html
Quick start
- Start Wireshark.
- Select the network interface to capture on. Double-clicking the interface starts a live capture; every packet passing through that interface is captured.
- Generate the traffic you want to inspect, for example by running `ping www.baidu.com` at the command line.
- Narrow the packet list to the packets of interest by typing a display filter into the filter bar above the packet list, for example `ip.addr == 192.168.1.2 and icmp` to show only ICMP traffic to or from 192.168.1.2.
- When you are done, click Stop to end the capture, then save the capture file with File > Save.
Capture setup
Learn more >> Wireshark Wiki: Capture Setup: https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup
Live capture
Capture filters
Packets
Packet details
Clicking a packet in the packet list shows its details, one expandable section per protocol layer.
Name | Description |
---|---|
Frame | Overview of the packet: frame length, capture interface type and ID, timestamp, and so on. |
Ethernet II | Layer 2 (data link) information: source and destination MAC addresses (Src, Dst) and the EtherType. |
Internet Protocol Version 4 | Layer 3 (network) information: source and destination IP addresses, TTL, protocol number, header checksum. |
Internet Control Message Protocol | ICMP type and code (for example echo request and echo reply for ping), checksum, identifier and sequence number. |
Transmission Control Protocol | Layer 4 (transport) information: source and destination ports, sequence and acknowledgement numbers, flags, window size. |
Packet list
While a capture is running, captured packets appear in the packet list. To view or edit the coloring rules: View > Coloring Rules. The columns of the packet list are:
Name | Description | Example |
---|---|---|
No. | Frame number within the capture | 1 |
Time | Timestamp; by default seconds since the start of the capture (changeable under View > Time Display Format) | 0.000000 |
Source | Source address of the packet | 192.168.1.100 |
Destination | Destination address of the packet | |
Protocol | Name of the highest-layer protocol dissected | TCP, TLSv1.2 |
Length | Frame length in bytes | 50 |
Info | One-line summary of the packet | Application Data |
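The following added example (not part of the original page and not Wireshark code) shows where the packet list columns and the packet details layers come from: it builds the ICMP echo request that ping sends, writes it to a pcap file that Wireshark can open, reads the file back and dissects it into Frame, Ethernet II, IPv4 and ICMP fields. The MAC and IP addresses are constructed; the field names follow Wireshark's naming so the result can be compared with the details pane.

```python
"""Build a one-frame pcap file (an ICMP echo request, as ping sends) and
dissect it into the layers of the packet details pane and the columns of
the packet list. Standard library only; no capture interface is needed."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo_request(src_mac, dst_mac, src_ip, dst_ip,
                            ident=1, seq=1, payload=b"abcdefgh"):
    """Ethernet II / IPv4 / ICMP echo request with both checksums filled in."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload   # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     64, 1, 0, src, dst)                            # proto 1 = ICMP
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")  # EtherType IPv4
    return eth + ip + icmp

def write_pcap(path, frames, first_ts=1669091040):
    """Minimal pcap writer: 24-byte global header, then a 16-byte record header per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
            fh.write(frame)

def dissect(frame: bytes, number: int, rel_time: float) -> dict:
    """Fields of the packet details pane, keyed by Wireshark's field names."""
    f = {"frame.number": number, "frame.time_relative": rel_time, "frame.len": len(frame)}
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    f["eth.dst"] = ":".join("%02x" % b for b in dst)
    f["eth.src"] = ":".join("%02x" % b for b in src)
    f["eth.type"], f["_protocol"], f["_info"] = ethertype, "0x%04x" % ethertype, ""
    if ethertype != 0x0800:
        return f
    ihl = (frame[14] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    f["ip.src"], f["ip.dst"] = ".".join(map(str, sip)), ".".join(map(str, dip))
    f["ip.addr"] = [f["ip.src"], f["ip.dst"]]          # ip.addr matches either address
    f["ip.ttl"], f["ip.proto"], f["ip.len"] = ttl, proto, total_len
    f["ip.checksum.good"] = inet_checksum(frame[14:14 + ihl]) == 0   # a valid header sums to 0
    f["_protocol"] = "IPv4"
    if proto == 1:
        itype, icode, _, ident, seq = struct.unpack_from("!BBHHH", frame, 14 + ihl)
        f.update({"icmp.type": itype, "icmp.code": icode, "icmp.ident": ident, "icmp.seq": seq})
        f["_protocol"] = "ICMP"
        f["_info"] = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(itype, "type %d" % itype)
    elif proto == 6:
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack_from("!HH", frame, 14 + ihl)
        f["_protocol"] = "TCP"
    return f

def read_pcap(path):
    """Parse every record in the file and return one field dict per frame."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap (magic 0x%08x)" % magic)
    off, first_ts, frames = 24, None, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        frames.append(dissect(data[off:off + incl_len], len(frames) + 1, ts - first_ts))
        off += incl_len
    return frames

def packet_list_row(f: dict) -> tuple:
    """No., Time, Source, Destination, Protocol, Length, Info: the packet list columns."""
    return (f["frame.number"], "%.6f" % f["frame.time_relative"],
            f.get("ip.src", f["eth.src"]), f.get("ip.dst", f["eth.dst"]),
            f["_protocol"], f["frame.len"], f["_info"])

def demo():
    """Round trip: build the ping frame, save it as ping.pcap, read it back."""
    frame = build_icmp_echo_request("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                    "192.168.1.2", "192.168.1.1")     # constructed addresses
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ping.pcap")
        write_pcap(path, [frame])
        return read_pcap(path)
```

Calling `demo()` returns one frame of 50 bytes (14 Ethernet + 20 IPv4 + 8 ICMP header + 8 payload), which is the Length value used in the packet list table above; `packet_list_row()` renders it as the row Wireshark would show. Keep the written file and open it in Wireshark to compare the dissection field by field.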
Display filters
Wireshark has two kinds of filters: capture filters, which decide what is recorded, and display filters, which decide what is shown.
Learn more >> Wireshark documentation: Filtering packets while viewing: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkDisplayFilterSection.html
Learn more >> Wireshark documentation: Building display filter expressions: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Comparison operators
Name | Alias | Symbol | Description | Example |
---|---|---|---|---|
eq | any_eq | == | Equal (true if any occurrence of the field matches) | ip.src == 10.0.0.5 |
ne | all_ne | != | Not equal (true only if every occurrence differs) | ip.src != 10.0.0.5 |
 | all_eq | === | Equal (every occurrence must match) | ip.src === 10.0.0.5 |
 | any_ne | !== | Not equal (true if any occurrence differs) | ip.src !== 10.0.0.5 |
gt | | > | Greater than | frame.len > 10 |
lt | | < | Less than | frame.len < 128 |
ge | | >= | Greater than or equal to | frame.len ge 0x100 |
le | | <= | Less than or equal to | frame.len <= 0x20 |
contains | | | Protocol, field or slice contains a value (case-sensitive) | sip.To contains "a1762" |
matches | | ~ | Protocol or text field matches a Perl-compatible regular expression (case-insensitive by default) | http.host matches "acme\\.(org|com|net)" |
The any/all distinction matters for fields that occur more than once in a frame; `ip.addr`, for example, is set for both the source and the destination address. `ip.addr == 10.0.0.5` keeps a frame if either address matches; `ip.addr != 10.0.0.5` keeps it only if neither address matches and is therefore equivalent to `!(ip.addr == 10.0.0.5)`; `ip.addr !== 10.0.0.5` keeps it as soon as one of the two addresses differs, which is true of almost every frame. This is the behaviour since Wireshark 3.6; earlier versions gave `!=` the any_ne meaning and flagged it as ambiguous. A field absent from the frame never matches, whichever operator is used.
Learn more >> Wireshark documentation: Comparing values: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html#_comparing_values
Logical operators
Logical operators combine filter expressions. `and` binds more tightly than `or`; use parentheses to group. A bare field name used as an expression tests whether the field is present in the frame, which is what `tcp.flags.fin` and `not llc` below rely on.
Name | Operator | Description | Example |
---|---|---|---|
and | && | Logical AND | ip.src==10.0.0.5 and tcp.flags.fin |
or | || | Logical OR | ip.src==10.0.0.5 or ip.src==192.1.1.1 |
xor | ^^ | Logical XOR | tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 |
not | ! | Logical NOT | not llc |
[…] | | Slice: a subsequence of the field's bytes, written [offset:length] | eth.src[0:3] == 00:00:83 |
in | | Set membership | http.request.method in {"HEAD", "GET"} |
Learn more >> Wireshark documentation: Combining expressions: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html#_combining_expressions
Functions
Function | Description | Example |
---|---|---|
upper | Converts a string field to upper case | upper(http.server) contains "APACHE" |
lower | Converts a string field to lower case | lower(http.server) contains "apache" |
len | Returns the byte length of a string or bytes field | len(http.request.uri) > 100 |
count | Returns the number of occurrences of a field in a frame | count(ip.addr) > 2 |
string | Converts a non-string field to a string | string(frame.number) matches "[13579]$" |
max | Returns the maximum value of its arguments | |
min | Returns the minimum value of its arguments | |
abs | Returns the absolute value of its argument | |
Because `contains` is case-sensitive, `lower()` and `upper()` are the usual way to match a server or host name regardless of case.
Learn more >> Wireshark documentation: Functions: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html#_functions
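The added example below (written for this page; it is not Wireshark's filter engine) is a small evaluator that models the comparison operators, the logical operators and the functions from the three tables above on one constructed frame. Every field holds a list of values because a field can occur several times in a frame, which is exactly where `==`, `!=`, `===` and `!==` diverge. The frame contents, and the simplification that grouping is supported only as a leading `!( ... )`, are assumptions of the example.

```python
"""Model the semantics of Wireshark display-filter comparisons, logical
operators and functions on one constructed frame. Added example; a tiny
evaluator for illustration, not Wireshark's own filter engine."""
import re

# Constructed frame: every field is a list, because a field can occur more
# than once in a frame (ip.addr is set for both the source and destination).
FRAME = {
    "ip.src": ["10.0.0.5"],
    "ip.dst": ["192.168.1.2"],
    "ip.addr": ["10.0.0.5", "192.168.1.2"],
    "frame.len": [98],
    "http.host": ["www.acme.org"],
    "http.request.method": ["GET"],
    "http.server": ["Apache/2.4.54"],
}

# "any" operators succeed if one occurrence satisfies the test; "all" operators
# need every occurrence to, and a field that is absent never matches.
COMPARISONS = {
    "==":  lambda vals, lit: any(v == lit for v in vals),                 # any_eq
    "===": lambda vals, lit: bool(vals) and all(v == lit for v in vals),  # all_eq
    "!=":  lambda vals, lit: bool(vals) and all(v != lit for v in vals),  # all_ne
    "!==": lambda vals, lit: any(v != lit for v in vals),                 # any_ne
    ">":   lambda vals, lit: any(v > lit for v in vals),
    "<":   lambda vals, lit: any(v < lit for v in vals),
    ">=":  lambda vals, lit: any(v >= lit for v in vals),
    "<=":  lambda vals, lit: any(v <= lit for v in vals),
    "contains": lambda vals, lit: any(lit in v for v in vals),            # case-sensitive
    "matches":  lambda vals, lit: any(re.search(lit, v, re.I) is not None for v in vals),
    "in":  lambda vals, lit: any(v in lit for v in vals),
}
ALIASES = {"eq": "==", "any_eq": "==", "all_eq": "===", "ne": "!=", "all_ne": "!=",
           "any_ne": "!==", "gt": ">", "lt": "<", "ge": ">=", "le": "<=", "~": "matches"}
# Longer symbols first so that === and !== are not read as == and != .
OPS = "|".join(map(re.escape, ["===", "!==", "==", "!=", ">=", "<=", ">", "<"] + sorted(ALIASES)))
ATOM = re.compile(r"^(\S+)\s+(%s|contains|matches|in)\s+(.+)$" % OPS)

def parse_literal(text):
    """Right-hand side of a comparison: set, quoted string, hex or decimal number, else verbatim."""
    text = text.strip()
    if text[:1] == "{" and text[-1:] == "}":
        return {parse_literal(t) for t in re.split(r"[,\s]+", text[1:-1].strip()) if t}
    if len(text) >= 2 and text[0] == '"' == text[-1]:
        return text[1:-1].replace("\\\\", "\\")        # "acme\\." in the filter is acme\. in the regex
    if re.fullmatch(r"0x[0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text                                        # IP and MAC addresses stay as written

def resolve(field, frame):
    """All values of a field, after applying one of the functions from the table if present."""
    m = re.fullmatch(r"(upper|lower|len|count|string)\((.+)\)", field)
    if not m:
        return list(frame.get(field, []))
    fn, vals = m.group(1), resolve(m.group(2), frame)
    if fn == "count":
        return [len(vals)]
    if fn == "len":                                    # byte length; ASCII values assumed
        return [len(v) for v in vals]
    if fn == "string":
        return [str(v) for v in vals]
    return [getattr(v, fn)() for v in vals]            # upper / lower

def evaluate(expr, frame=FRAME):
    """or binds loosest, then and, then a leading not / !( ... ); no nested parentheses."""
    if " or " in expr:
        return any(evaluate(p, frame) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, frame) for p in expr.split(" and "))
    expr = expr.strip()
    if expr.startswith("not "):
        return not evaluate(expr[4:], frame)
    if expr.startswith("!(") and expr.endswith(")"):
        return not evaluate(expr[2:-1], frame)
    m = ATOM.match(expr)
    if not m:                                          # bare field name: present in the frame?
        return bool(resolve(expr, frame))
    field, op, lit = m.groups()
    return COMPARISONS[ALIASES.get(op, op)](resolve(field, frame), parse_literal(lit))
```

Run `evaluate("ip.addr != 10.0.0.5")` and `evaluate("ip.addr !== 10.0.0.5")` against the constructed frame: the first is false (one of the two addresses is 10.0.0.5), the second is true (the other one is not), which is the trap described under the comparison operators. `evaluate('http.server contains "apache"')` is false while the `lower()` form is true, showing why the function is needed.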
Resources
Official sites
- Wireshark website: https://www.wireshark.org/
- Wireshark User's Guide (chunked): https://www.wireshark.org/docs/wsug_html_chunked/
- Wireshark User's Guide (single page): https://www.wireshark.org/docs/wsug_html/
- Wireshark source code: https://gitlab.com/wireshark/wireshark
- Wireshark Wiki (GitLab): https://gitlab.com/wireshark/wireshark/-/wikis/home
- Wireshark Wiki: https://wiki.wireshark.org/