How to Use Wireshark to Capture, Filter and Inspect Packets

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into network traffic and inspect individual packets.

This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program's network traffic, analyze the traffic flow on your network, or troubleshoot network problems.

Getting Wireshark

You can download Wireshark for Windows or macOS from its official website. If you're using Linux or another UNIX-like system, you'll probably find Wireshark in its package repositories. For example, if you're using Ubuntu, you'll find Wireshark in the Ubuntu Software Center. On Debian and Ubuntu, capturing as a non-root user requires the package's capture helper to be set up for that (run sudo dpkg-reconfigure wireshark-common and answer "yes") and your account to be in the wireshark group (sudo usermod -aG wireshark $USER, then log in again); otherwise the interface list will be empty.

Just a quick warning: many organizations don't allow Wireshark and similar tools on their networks. Don't use this tool at work unless you have permission.

Capturing Packets

After downloading and installing Wireshark, you can launch it and double-click the name of a network interface under Capture to start capturing packets on that interface. For example, if you want to capture traffic on your wireless network, click your wireless interface. You can configure advanced features by clicking Capture > Options, but this isn't necessary for now.


As soon as you click the interface's name, you'll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system.

If you have promiscuous mode enabled (it's enabled by default), you'll also see the other packets that reach your network adapter instead of only packets addressed to it. To check whether promiscuous mode is enabled, click Capture > Options and verify that the "Enable promiscuous mode on all interfaces" checkbox at the bottom of this window is ticked. Keep in mind what "reaches your adapter" means in practice: on a switched Ethernet network the switch only forwards broadcast, multicast and your own unicast traffic to your port, so you will not see other hosts' conversations unless you are on a mirror/SPAN port or a hub. On Wi-Fi, promiscuous mode does not show other stations' frames either; that requires monitor mode, which depends on the adapter and driver and is not available on every platform.


Click the red "Stop" button near the top left corner of the window when you want to stop capturing traffic.


Color Coding

You'll probably see packets highlighted in a variety of different colors. Wireshark uses colors to help you identify the types of traffic at a glance. By default, light purple is TCP traffic, light blue is UDP traffic, and a black background marks problem packets: segments that Wireshark's TCP analysis has flagged (retransmissions, out-of-order or lost segments, zero-window conditions) and packets with checksum errors.

To view exactly what the color codes mean, click View > Coloring Rules. You can also customize and modify the coloring rules from here, if you like. Each rule is just a display filter with a color attached, so anything you can write as a filter you can also highlight.


Sample Captures

If there's nothing interesting on your own network to inspect, Wireshark's wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect. Click File > Open in Wireshark and browse for the downloaded file to open one.

You can also save your own captures in Wireshark and open them later. Click File > Save to save your captured packets. Wireshark writes the pcapng format by default; if you need the classic pcap format for another tool, choose it under File > Save As.


Filtering Packets

If you're trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close all other applications that use the network so you can narrow down the traffic. Still, you'll likely have a large number of packets to sift through. That's where Wireshark's filters come in.

The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type "dns" and you'll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter, and the box turns green when the expression is valid and red when it is not. Note that this is a display filter: it only hides packets from view, and everything is still captured and kept in memory. To limit what gets captured in the first place (for a long-running capture, or on a busy link), set a capture filter in Capture > Options instead; capture filters use the BPF syntax of tcpdump (for example "port 53"), which is different from the display-filter language.


You can also click Analyze > Display Filters to choose a filter from among the default filters included in Wireshark. From here, you can add your own custom filters and save them so you can access them easily in the future.

For more information on Wireshark's display filtering language, read the Building display filter expressions page in the official Wireshark documentation.


Another useful thing you can do is right-click a packet and select Follow > TCP Stream.

You'll see the full TCP conversation between the client and the server, with the payload of each direction reassembled in sequence-number order (so retransmitted and out-of-order segments are shown in their proper place). You can also click other protocols in the Follow menu to see the full conversations for other protocols, if applicable.


Close the window and you'll find a filter has been applied automatically. Wireshark is showing you only the packets that make up that conversation.
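The two operations described above, display filtering and Follow > TCP Stream, are easier to reason about once you see what they do to raw packets. The following Python script is an added example written for this page; it is not code from the original article or from the Wireshark project. It uses only the standard library to build a handful of constructed frames (invented addresses from the RFC 5737 documentation range, invented MAC addresses, a DNS lookup and a small HTTP exchange), writes them to a libpcap file that Wireshark can open with File > Open, reads the file back, evaluates a small subset of the display-filter syntax against each packet, and reassembles a TCP stream by sequence number, dropping a retransmitted segment and putting an out-of-order segment back where it belongs. The filter evaluator handles only protocol names, "field == value", "&&" and "||"; it is a teaching model of the real language, not a replacement for it.

```python
"""Write a small pcap, read it back, apply display-style filters and follow a
TCP stream.  Added example with constructed sample traffic; standard library only."""
import struct
from collections import defaultdict

CLIENT, RESOLVER, SERVER = "10.0.0.5", "10.0.0.1", "198.51.100.7"   # constructed addresses
MAC_CLIENT, MAC_GW = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000aa02")  # constructed

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return ~s & 0xFFFF

def frame(src, dst, proto, l4):
    """Ethernet II + IPv4 header (with a valid checksum) around a transport payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    smac, dmac = (MAC_CLIENT, MAC_GW) if src == CLIENT else (MAC_GW, MAC_CLIENT)
    return dmac + smac + b"\x08\x00" + ip + l4

def udp(sport, dport, data):   # UDP checksum 0 means "not computed", which IPv4 allows
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, seq, ack, flags, data=b""):  # checksum left 0; Wireshark does not verify TCP checksums by default
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + data

SYN, ACK, PSH = 0x02, 0x10, 0x08
dns_q = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
dns_r = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + dns_q[12:]
         + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes(map(int, SERVER.split("."))))
http_req = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
resp1, resp2 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n", b"hello"
c, s = 1000, 5000   # initial sequence numbers of client and server
FRAMES = [
    frame(CLIENT, RESOLVER, 17, udp(40000, 53, dns_q)),
    frame(RESOLVER, CLIENT, 17, udp(53, 40000, dns_r)),
    frame(CLIENT, SERVER, 6, tcp(50000, 80, c, 0, SYN)),
    frame(SERVER, CLIENT, 6, tcp(80, 50000, s, c + 1, SYN | ACK)),
    frame(CLIENT, SERVER, 6, tcp(50000, 80, c + 1, s + 1, ACK)),
    frame(CLIENT, SERVER, 6, tcp(50000, 80, c + 1, s + 1, PSH | ACK, http_req)),
    # response segment 2 is seen on the wire before segment 1, and segment 1 is then retransmitted
    frame(SERVER, CLIENT, 6, tcp(80, 50000, s + 1 + len(resp1), c + 1 + len(http_req), PSH | ACK, resp2)),
    frame(SERVER, CLIENT, 6, tcp(80, 50000, s + 1, c + 1 + len(http_req), PSH | ACK, resp1)),
    frame(SERVER, CLIENT, 6, tcp(80, 50000, s + 1, c + 1 + len(http_req), PSH | ACK, resp1)),
]

def write_pcap(path, frames):
    """libpcap format: 24-byte global header, then a 16-byte record header before each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))   # link type 1 = Ethernet
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr)

def read_pcap(path):
    """Yield a dict of dissected fields (named like Wireshark's) for each IPv4 TCP/UDP frame."""
    with open(path, "rb") as f:
        raw = f.read()
    endian = "<" if struct.unpack_from("<I", raw)[0] == 0xA1B2C3D4 else ">"
    off, num = 24, 0
    while off < len(raw):
        ts, _, incl, _ = struct.unpack_from(endian + "IIII", raw, off)
        fr = raw[off + 16:off + 16 + incl]; off += 16 + incl; num += 1
        if fr[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = fr[14:]; ihl = (ip[0] & 0xF) * 4
        pkt = {"no": num, "time": ts, "ip.src": ".".join(map(str, ip[12:16])),
               "ip.dst": ".".join(map(str, ip[16:20])), "proto": {6: "tcp", 17: "udp"}.get(ip[9])}
        l4 = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]   # stop at IP total length (ignore padding)
        if pkt["proto"] == "udp":
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4); pkt["payload"] = l4[8:]
        elif pkt["proto"] == "tcp":
            pkt["sport"], pkt["dport"], pkt["tcp.seq"] = struct.unpack_from("!HHI", l4)
            pkt["payload"] = l4[(l4[12] >> 4) * 4:]      # skip header + options
        else:
            continue
        pkt["dns"] = pkt["proto"] == "udp" and 53 in (pkt["sport"], pkt["dport"])
        yield pkt

def matches(pkt, expr):
    """Tiny subset of the display-filter language: protocol names, field == value, && and ||."""
    def atom(a):
        a = a.strip()
        if "==" in a:
            field, value = (x.strip() for x in a.split("=="))
            if field == "ip.addr":
                return value in (pkt["ip.src"], pkt["ip.dst"])
            if field in ("tcp.port", "udp.port"):
                return pkt["proto"] == field[:3] and int(value) in (pkt["sport"], pkt["dport"])
            return str(pkt.get(field)) == value
        return pkt["proto"] == a if a in ("tcp", "udp") else bool(pkt.get(a))
    return any(all(atom(a) for a in term.split("&&")) for term in expr.split("||"))

def display_filter(pkts, expr):
    return [p for p in pkts if matches(p, expr)]

def follow_tcp_stream(pkts, selected):
    """Reassemble both directions of the selected packet's connection in sequence-number
    order, dropping duplicate segments, as Follow > TCP Stream does."""
    key = frozenset([(selected["ip.src"], selected["sport"]), (selected["ip.dst"], selected["dport"])])
    dirs = defaultdict(dict)
    for p in pkts:
        if p["proto"] == "tcp" and p["payload"] and key == frozenset(
                [(p["ip.src"], p["sport"]), (p["ip.dst"], p["dport"])]):
            dirs[(p["ip.src"], p["sport"])].setdefault(p["tcp.seq"], p["payload"])   # keep first copy
    return {d: b"".join(segs[k] for k in sorted(segs)) for d, segs in dirs.items()}

if __name__ == "__main__":
    write_pcap("sample.pcap", FRAMES)          # open this file in Wireshark with File > Open
    pkts = list(read_pcap("sample.pcap"))
    print("dns:", [p["no"] for p in display_filter(pkts, "dns")])
    print("server->client:", [p["no"] for p in display_filter(pkts, "tcp.port == 80 && ip.src == " + SERVER)])
    for (ip, port), data in follow_tcp_stream(pkts, pkts[5]).items():
        print(f"{ip}:{port} sent {data!r}")
```

Open sample.pcap in Wireshark after running this: frame 8 appears as out-of-order and frame 9 as a retransmission under the default "Bad TCP" coloring rule, and Follow > TCP Stream on frame 6 shows the same reassembled request and response that follow_tcp_stream() returns, with the stream's 4-tuple applied as a filter when you close the window.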


Inspecting Packets

Click a packet to select it, and you can dig down in the details pane to view it layer by layer: Ethernet, IP, TCP or UDP, and the application protocol on top. The bytes pane below shows the raw packet and highlights the bytes that belong to whatever field you have selected.


You can also create filters from here: just right-click one of the details and use the Apply as Filter submenu to create a filter based on it. Prepare as Filter does the same but only fills in the filter box, so you can edit the expression before applying it.


Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.

You can find more detailed information in the official Wireshark User's Guide and the other documentation pages on Wireshark's website.

Translated from: https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/