1
1.1. Wireshark
1.1.1.
1.1.2.
1.1.3.
1.1.4.
1.1.5.
1.1.6.
1.1.7.
1.1.8. Wireshark
1.2.
1.2.1.
1.2.2. Microsoft Windows
1.2.3. Unix/Linux
1.3. Wireshark
1.4. Wireshark
1.5. Wireshark
1.6.
1.6.1.
1.6.2.
1.6.3. FAQ
1.6.4.
1.6.5.
1.6.6. UNIX/Linux
1.6.7. Windows
2 / Wireshark
2.1.
2.2.
2.3. UNIX
2.4. UNIX Wireshark
2.5. UNIX
2.5.1. Linux RPM
2.5.2. Debian Deb
2.5.3. Gentoo Linux Portage
2.5.4. FreeBSD
2.6. UNIX
2.7. Windows
2.8. Windows Wireshark
2.8.1. Wireshark
2.8.2. WinPcap
2.8.3. Wireshark
2.8.4. WinPcap
2.8.5. Wireshark
2.8.6. WinPcap
3
3.1.
3.2. Wireshark
3.3.
3.3.1.
3.4.
3.5. "File"
3.6. "Edit"
3.7. "View"
3.8. "Go"
3.9. "Capture"
3.10. "Analyze"
3.11. "Statistics"
3.12. "Help"
3.13. "Main"
3.14. "Filter"
3.15. "Packet List"
3.16. "Packet Details"
3.17. "Packet Byte"
3.18.
4
4.1.
4.2.
4.3.
4.4.
4.5.
4.5.1.
4.5.2.
4.5.3.
4.5.4.
4.5.5.
4.5.6.
4.6.
4.7.
4.8.
4.8.1.
4.9.
4.9.1.
4.9.2.
5
5.1.
5.2.
5.2.1.
5.2.2.
5.3.
5.3.1. "Save Capture File As/"
5.3.2.
5.4.
5.4.1.
5.5.
5.5.1.
5.6.
5.6.1. "Export as Plain Text File"
5.6.2. "Export as PostScript File"
5.6.3. "Export as CSV (Comma Separated Values) File"
5.6.4. "Export as PSML File"
5.6.5. "Export as PDML File"
5.6.6. "Export selected packet bytes"
5.6.7. "Export Objects"
5.7.
5.7.1.
5.8.
5.9.
6
6.1.
6.2.
6.2.1.
6.2.2.
6.3.
6.4.
6.4.1.
6.4.2.
6.4.3.
6.4.4.
6.5. Filter Expression/
6.6.
6.7.
6.7.1.
6.7.2. "Find Next/"
6.7.3. "Find Previous/"
6.8.
6.8.1. "Go Back"
6.8.2. "Go Forward /"
6.8.3. "Go to Packet/"
6.8.4. "Go to Corresponding Packet/"
6.8.5. "Go to First Packet/"
6.8.6. "Go to Last Packet/"
6.9.
6.10.
6.10.1.
7
7.1.
1
1.1. Wireshark
Wireshark
Wireshark
Wireshark (www.codepub.com)
1.1.1.
Wireshark
Wireshark
1.1.2.
UNIX Windows
/
1.1. Wireshark
1.1.3.
Wireshark
http://wiki.wireshark.org/CaptureSetup/NetworkMedia.
1.1.4.
Wireshark ???
1.1.5.
Wireshark ???
1.1.6.
( Wireshark )???
1.1.7.
Wireshark GPL GPL
Wireshark
1.1.8. Wireshark
Wireshark
Wireshark //Wireshark
[3]
Wireshark
Wireshark ()Wireshark
1.2.
Wireshark ...
1.2.1.
[4]
100 MBit/s 750 MBytes/min
CPU
Wireshark http://wiki.wireshark.org/KnownBugs/OutOfMemory
Wireshark /
[5]
Windows Wireshark
GTK WinPcap
Windows 95,98 ME Wireshark Ethereal 0.99.0 (WinPcap 3.1),
: http://ethereal.com/download.html 2006 1 11 98/ME
Windows NT 4.0 Wireshark. Wireshark 0.99.4 (WinPcap 3.1),
http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.4.exe 2005 12 31 NT 4.0
Windows CE windowsNT/XP
64-bit Wireshark 32bit (WoW64), WinPcap 4.0
()
1.2.3. Unix/Linux
Wireshark UNIX Windows
Apple Mac OS X
Debian GNU/Linux
FreeBSD
NetBSD
OpenPKG
Red Hat Fedora/Enterprise Linux
rPath Linux
Sun Solaris/i386
Sun Solaris/Sparc
wireshark-dev[AT]wireshark.org .
1.3. Wireshark
Wireshark http://www.wireshark.org/download.html.
Wireshark 4-8
Wireshark Wireshark-announce 1.6.4
[6]
1.4. Wireshark
1997 Gerald Combs Ethereal (Wireshark )
Gilbert Ramirez
1998 10 Guy Harris TcpView Ethereal
998 TCP/IP Richard Sharpe
Ethereal
Ethereal Ethereal
The developers of Wireshark might improve your changes even more, as there's always room for improvement. Or they may implement
some advanced things on top of your code, which can be useful for yourself too.
The maintainers and developers of Wireshark will maintain your code as well, fixing it when API changes or other changes are made, and
generally keeping it in tune with what is happening with Wireshark. So if Wireshark is updated (which is done often), you can get a new
Wireshark version from the website and your changes will already be included without any effort for you.
Wireshark kits http://www.wireshark.org/download.html.
1.6.
Wireshark
1.6.1.
http://www.wireshark.org Wireshark
1.6.2.
Wireshark Wiki (http://wiki.wireshark.org) Wireshark wiki
1.6.3. FAQ
Frequently Asked Questions
Read The FAQ
FAQ
1.6.4.
Wireshark-users
Wireshark Wireshark
wireshark-announce
4-8
wireshark-dev
Wireshark
http://www.wireshark.org .
1.6.5.
Wireshark
>100KB
1.6.6. UNIX/Linux
$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >&bt.txt
backtrace
^D
$
[8]
GDB
wireshark-dev[AT]wireshark.org
1.6.7. Windows
Windows (.pdb),
[3]
[4]
The values below are the minimum requirements and only "rules of thumb" for use on a moderately used networkrules
of thumb
[5]
30 10
.
[6]
[7]
XX
[8]
"Type the characters in the first line verbatim! Those are back-tics there!"
Linux
2 / Wireshark
2.1.
Wireshark Wireshark
Linux Wireshark UNIX Wireshark . Windows
Wireshark. Wireshark
Wireshark
1.
2. ()/
3.
2.2.
Wireshark http://www.wireshark.org.
!
Wireshark, Wireshark
2.3. UNIX
tar xvf
Libpcap tarxvf
RedHat 6.x Mandrake, RPM Linux GTK+
Glib. 2.3 RedHat Linux 6.2 RPM
RPMs
2.3. RedHat Linux 6.2 RPM
cd /mnt/cdrom/RedHat/RPMS
[9]
Windows Wireshark,
2.
3. Unix
./configure
configure. 2.6 UNIX
4. make
make
5.
make install
make install Wireshark, Wireshark
2.5. UNIX
UNIX UNIX AIX smit Tru64 UNIX
setld
2.5.1. Linux RPM
Wireshark RPM
rpm -ivh wireshark-0.99.5.i386.rpm
Wireshark REDHAT 2.3 RedHat Linux
6.2 RPM
2.5.2. Debian Deb
Debian Wireshark
apt-get install wireshark
apt-get
2.5.3. Gentoo Linux Portage
Gentoo Linux wireshark
USE="adns gtk ipv6 portaudio snmp ssl kerberos threads selinux" emerge wireshark
2.5.4. FreeBSD
FreeBSD Wireshark
pkg_add -r wireshark
pkg_add
[10]
2.6. UNIX
configure config.log()
http://www.wireshark.org/download.html#releases Wireshark
[11]
Wireshark( GTK1 GTK2 ):
GTK2 GUI GTK1 Windows 256 8bit GTK2. GTK1
2.8.2. WinPcap
8-12 Wireshark
2.8.4. WinPcap
WinPcap WinPcap WinPcap
2.8.5. Wireshark
Wireshark,/Wireshark
Wireshark WinPcap.
WinPcap Wireshark WinPcap
2.8.6. WinPcap
WinPcap,/WinPcap
WinPcap Wireshark
[9]
Pipelin
UNIX/LINUX Wireshark
UNIX/LINUX UNIX/LINUX 1
2
Linux GTK+
libpcap. 2.3 UNIX tar zxvf
wireshark-0.99.5.tar.gz; make; make install.
[11]
[10]
3
3.1.
Wireshark,
Wireshark
3.2. Wireshark
Shell Wireshark.
3.3.
3.1 /
3.1.
Wireshark
1. 3.4
2. ( 3.13 "Main")
3. Filter toolbar/( 3.14 "Filter")( 6.3:)
4. Packet List 3.15 "Packet List"
7. 3.18
9.5
3.3.1.
Packet list Detail 3.1 3.5 "GO"
3.1.
Tab,Shift+Tab
Down
Up
Packet list
Left
Packet Detail
Right
Packet Detail .
Backspace
Packet Detail
Return,Enter
Packet Detail
filter
3.4.
Wireshark Wireshark 3.2
3.2.
:
File
save/,Print/,Export/ Wireshark . 3.5 "File"
Edit
3.6 "Edit"
View
3.7 "View"
Go
3.8 "Go"
Capture
3.9 "Capture"
Analyze
TCP 3.10 "Analyze"
Statistics
3.11 "Statistics"
Help
3.12
"Help"
Ctrl+K
3.5. "File"
WireSharkFile 3.2 File
3.3. File
3.2. File
Open...
Ctrl+O
5.2.1
Open Recent
Merge
5.4
Close
Ctrl+W
Wireshark
5.3.1 "Save Capture File As/"
Save
Ctrl+S
Save As
Shift+Ctrl+S
( 5.3.1
"Save Capture File As/")
, 5.5
PostScript
5.6.2 "Export as PostScript File"
.csv ,
5.6.3 "Export as CSV (Comma Separated Values) File"
PSML XML
5.6.4 "Export as PSML File"
PDML() XML
, 5.6.5 "Export as PDML File"
Packet byte
5.6.6 "Export selected packet bytes"
Ctrl+P
5.7
Quit
Ctrl+Q
Wireshark,Wireshark
3.6. "Edit"
Wireshark "Edit" 3.3 Edit
3.4. "Edit"
3.3. Edit
Copy>As Filter
Shift+Ctrl+C
Find Packet...
Ctrl+F
???
Find Next
Ctrl+N
Find packet
Find Previous
Ctrl+B
Mark Packet(toggle)
Ctrl+M
6.9
Shift+Ctrl+N
Ctrl+Shift+B
Set Time
Reference(toggle)
Ctrl+T
, 6.10.1
Preferences...
Shift+Ctrl+P
Wireshark
9.5
3.7. "View"
3.4 "View" Wireshark View
3.5. "View"
3.4. "View"
Main Toolbar
Filter Toolbar
Statusbar
, 3.18
Packet List
Packet Details
Packet Bytes
-(), 6.10
6.10
6.10
, 6.10
"Automatic", "Seconds", "...seconds"
1 6.10
7.6
Mac
(ip ), 7.6
7.6
Zoom In
Ctrl++
Zoom Out
Ctrl+-
Normal Size
Ctrl+=
Expand Subtrees
Expand All
Collapse All
Coloring Rules...
9.3
( View,Byte View )
Reload
Ctrl+R
3.8. "Go"
Wireshark "Go" 3.5 "Go"
3.6. "Go"
3.5. "Go"
Back
Alt+Left
Forward
Alt+Right
Go to Packet
Ctrl+G
6.8
Go to Corresponding Packet
Previous Packet
Ctrl+Up
Next Packet
Ctrl+Down
First Packet
Last Packet
3.9. "Capture"
"Capture" 3.6 "Capture"
3.7. "Capture"
3.6. "Capture"
Interface...
Options...
Start
Stop
, 4.4
Ctrl+K ,( 4.5 )
Ctrl+E 4.9.1
Restart
Capture Filters...
6.6
3.10. "Analyze"
"Analyze" 3.7 "analyze"
3.8. "Analyze"
3.7. "analyze"
Display
Filters...
6.6
Apply as
Filter>...
Detail
Prepare a
Filter>...
Detail
Firewall ACL
Rules
Enable
Protocols...
[a]
3.11. "Statistics"
Wireshark "statistics" 3.8
3.9. "Statistics"
3.8.
Summary
, 8.2
Protocol Hierarchy
Conversations/
(),???
EndPoints
IO Graphs
Conversation List
Endpoint List
8.7
ANSI
8.8
GSM
8.8
H.225...
8.8
ISUP Message
8.8
Types
8.8
MTP3
8.8
RTP
8.8
GSM
8.8
SIP
8.8
VOIP Calls...
8.8
WAP-WSP...
8.8
HTTP
HTTP / 8.8
ISUP Messages
8.8
ONC-RPC Programs
8.8
8.8
3.12. "Help"
3.9
3.10.
3.9.
Contents
F1
Supported Protocols
Manual Pages>...
Wireshark Online>
About Wireshark
Wireshark
WEB
Wireshark
3.13. "Main"
,
(.)
3.11.
3.10.
Capture/Interfaces...
, 4.3
Capture/Options
4.4
Start
Capture/Start
STOP
Capture/Stop
4.3
Restart
Capture/Restart
Open...
File/Open
5.2.1
( 5.3.1 "save
Capture File As/"
Save As...
File/Save As...
Close
File/Close
Reload
View/Reload
File/Print
( 5.7 )
Find packet...
Edit/Find Packet...
6.7
Go Back
Go/Go Back
Go Forward
Go/Go Forward
Go to Packet...
Go/Go to Packet...
Go To First
Packet
Go/First Packet
Go To Last
Packet
Go/Last Packet
Colorize
View/Colorize
Auto Scroll in
Live
Zoom in
View/Zoom In
zoom out
View/Zoom Out
Normal Size
View/Normal Size
100%
()
6.6
Display Filters..
6.6
Analyze/ Filters...
9.3
Preferences...
Edit/Preferences
9.5
Help
Help/Contents
3.14. "Filter"
6.3
3.12.
3.11.
, 6.7
[a]
6.4 ,
Apply()
...
[a]
Filter 0.99.4
No.
Time 6.10
Source
Destination
Protocol
Info
6.3
3.16. "Packet Details"
"Packet Details/"()
3.14. "Packet Details/"
6.4
16 16 ASCII
Wireshark 7.5 .
3.18.
3.17.
Wireshark
3.18.
P:
D:
M: .
3.19.
"Packet Detail/"
( app.opcode)
4
4.1.
Wireshark
Wireshark
(ATM...)
...
4.8
N 4.6
Wireshark
()
()
4.2.
Wireshark
:http://wiki.wireshark.org/CaptureSetup.
[12]
root/Administrator
4.3.
"
"
wireshark -i eth0 -k
eth0 9.2 Wireshark
4.4.
"Interface..." 4.1 "Capture Interfaces"
"Capture Interfaces"/
IP
Wireshark IP IP DHCP )"Unknown", IP
().
Packets
Packets/s
Stop
Capture
Options
, 4.5
Details( Win32 )
Close
4.5.
"start..."(),Wireshark "Capture Option/" 4.2 "Capture Option/
"
4.2. "Capture Option/"
4.5.1.
Interface
non-loopback()(windows
)
-i <interface>
IP address
IP IP "unknown"
Link-layer header type
4.7
Buffer size: n megabyte(s)
Windows
Capture packets in promiscuous mode
Wireshark ()Wireshark
[13]
()
http://www.wireshark.org/faq.html#promiscsniff
Limit each packet to n bytes
[14]
"snaplen". 65535
())
IP TCP
cpu
( snaplen )
Capture Filter
4.8
6.6
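The snaplen setting above decides how many bytes of each frame reach the capture file: the record header keeps the original length, but only the first n bytes are stored, so a dissector may run out of data part-way through a header. The following Python is an added example, not code from the Wireshark User's Guide or the Wireshark project; it writes and reads the libpcap file format the guide describes (24-byte global header, 16-byte per-record header with ts_sec, ts_usec, incl_len, orig_len) and shows what a truncated record looks like to a decoder. The Ethernet/IPv4/UDP frame is constructed for the demonstration, and the timestamps are made up.

```python
import struct
from typing import List, NamedTuple, Tuple

# libpcap file constants as documented by tcpdump.org.
PCAP_MAGIC_LE = 0xA1B2C3D4       # magic read little-endian from a little-endian file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1

# Constructed Ethernet/IPv4/UDP frame (not from a real capture):
# 14-byte Ethernet header, 20-byte IPv4 header, 8-byte UDP header, 48 bytes payload = 90 bytes.
SAMPLE_FRAME = (
    bytes.fromhex("00095b010203")              # destination MAC
    + bytes.fromhex("001122334455")            # source MAC
    + b"\x08\x00"                              # EtherType IPv4
    + bytes.fromhex("4500004c000040004011")    # ver/IHL, TOS, total length 76, id, flags, TTL 64, proto 17 (UDP)
    + b"\x00\x00"                              # IP header checksum (left zero; not verified here)
    + bytes([10, 0, 0, 5])                     # source IP 10.0.0.5
    + bytes([192, 168, 0, 1])                  # destination IP 192.168.0.1
    + struct.pack("!HHHH", 53, 5353, 56, 0)    # UDP: src port, dst port, length 56, checksum 0
    + b"A" * 48                                # payload
)


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    caplen: int    # incl_len: bytes actually stored in the file
    origlen: int   # orig_len: bytes that were on the wire
    data: bytes


def write_pcap(frames: List[bytes], snaplen: int = 65535, t0: int = 1_000_000_000) -> bytes:
    """Serialize frames as a libpcap file, truncating each one to snaplen as a capture would."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]   # this is all "Limit each packet to n bytes" does
        out += struct.pack("<IIII", t0 + i, 123456, len(stored), len(frame))
        out += stored
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, int, List[Record]]:
    """Parse a libpcap file into (snaplen, linktype, records); handles both byte orders."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(end + "IHHiIII", blob, 0)
    records, off = [], 24
    while off < len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(end + "IIII", blob, off)
        off += 16
        data = blob[off:off + incl]
        if len(data) != incl:
            raise ValueError("truncated record at offset %d" % off)
        off += incl
        records.append(Record(ts_sec, ts_usec, incl, orig, data))
    return snaplen, linktype, records


def decode_ipv4(rec: Record) -> Tuple[str, str, int, int, int]:
    """Return (src, dst, protocol, declared IP total length, IP bytes actually present in the record)."""
    if len(rec.data) < 14 + 20:
        raise ValueError("caplen %d is too small for Ethernet + IPv4 headers" % rec.caplen)
    (ethertype,) = struct.unpack_from("!H", rec.data, 12)
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (EtherType %#06x)" % ethertype)
    ip = rec.data[14:]
    (total_len,) = struct.unpack_from("!H", ip, 2)
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9], total_len, min(total_len, len(ip))


def capture_with_snaplen(snaplen: int):
    """Round-trip the sample frame through a file written with the given snaplen."""
    _, _, recs = read_pcap(write_pcap([SAMPLE_FRAME], snaplen=snaplen))
    rec = recs[0]
    return rec.caplen, rec.origlen, decode_ipv4(rec)


if __name__ == "__main__":
    for n in (65535, 68):
        print(n, capture_with_snaplen(n))
```

With the default 65535 the whole 90-byte frame is stored; with the old tcpdump default of 68 the record still says orig_len 90 but only 54 bytes of the 76-byte IP datagram survive, which is why the guide warns that a small snaplen costs you payload (and, for TCP, anything past the fixed header) in exchange for less disk and CPU.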
4.5.2.
4.6
File
4.6
4.5.4.
Update list of packets in real time
Wireshark Wireshark
4.5.5.
Enable MAC name resolution
Wireshark MAC 7.6
Enable network name resolution
Wireshark 7.6
4.5.6.
start , Cancel .
4.9
4.6.
libpcap (linux )() Wireshark
()"Multiple files/
"
Wireshark ()
()
???
4.1.
"File"
Mode
foo.cap
foo.cap
foo.cap
Multiple
files,continuous
foo_00001_20040205110102.cap,
foo_00002_20040205110102.cap, ...
foo.cap
Multiple files,ring
buffer
foo_00001_20040205110102.cap,
foo_00002_20040205110102.cap, ...
Multiple files,continuous
single name file
Multiple files,ring buffer
"multiple files continuous" ring buffer with n
4.7.
http://wiki.wireshark.org/CaptureFilters .
Wireshark ( 4.2 "Capture Option/") tcpdump
tcpdump http://www.tcpdump.org/tcpdump_man.html tcpdump
(and/or) not:
[not] primitive [and|or [not] primitive ...]
4.1. telnet
tcp port 23 and host 10.0.0.5
10.0.0.5 Telnet and 4.2 10.0.0.5 telnet
10.0.0.5 telnet
4.2. 10.0.0.5 telnet
tcp port 23 and not src host 10.0.0.5
gateway host <host>
host host ip ip host
[src|dst] net <net> [{mask<mask>}|{len <len>}]
src|dst
CIDR()
[tcp|udp] [src|dst] port <port>
tcp,udp src|dst tcp|udp tcp udp tcp|udp src|dst
less|greater <length>
SSHCONNECTION(ssh)
4.3.
()
stop"
1. "
2. "Capture/
3. "
Stop"
Stop"
4. :Ctrl+E
5.
4.9.2.
:
1. "Capture/
2. "
[12]
Restart"
Restart"
Windows
Wireshark
[14]
,, Winpcap snap:len:
snapshot length,snaplen
[13]
5
5.1.
5.2.
Wireshark File/
OpenWireshark
5.2.1
Wireshark
Wireshark ()
Wireshark (libpcap tcpdump/Windump libpcap/WinPcap )Wireshark
5.2.2
5.2.1.
5.1 Wireshark
GTK+
Open/OK
Cancel Wireshark
Wireshark
()
"filter:"
filter ( 6.3
)
XXXX-we need a better description of these read filters()
7.6
5.1.
5.1. Windows
"help"
"Filter." windows (
)
: Wireshark Open
[a]
5.2. GTK+
"-"("Home","Desktop","Filesystem"
)
Wireshark "Open"
5.3. GTK
Open
[a]
Wireshark
5.2.2.
libpcap, tcpdump and various other tools using tcpdump's capture format
Sun snoop and atmsnoop
Shomiti/Finisar Surveyor captures
Novell LANalyzer captures
Microsoft Network Monitor captures
AIX's iptrace captures
Cinco Networks NetXray captures
Network Associates Windows-based Sniffer and Sniffer Pro captures
Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
RADCOM's WAN/LAN Analyzer captures
Network Instruments Observer version 9 captures
Lucent/Ascend router debug output
HP-UX's nettl
Toshiba's ISDN routers dump output
ISDN4BSD i4btrace utility
traces from the EyeSDN USB S0
IPLog format from the Cisco Secure Intrusion Detection System
pppd logs (pppdump format)
the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
the text output from the DBS Etherwatch VMS utility
Visual Networks' Visual UpTime traffic capture
the output from CoSine L2 debug
the output from Accellent's 5Views LAN agents
Endace Measurement Systems' ERF format captures
Linux Bluez Bluetooth stack hcidump -w traces
Catapult DCT2000 .out files
()
wireshark
5.3.
File->Save As...
???
5.3.1. "save Capture File As/"
GTK+
5.2. "Save Capture File As"
5.4. Windows
"help"
-.pcap,Wireshark
5.5. GTK
5.6. GTK
1.
2.
3. 5.8
4. "File type/"???
()
5. "Save/OK"
6. "Cancel"
5.3.2.
Wireshark (libpcap)
7.3
Wireshark
libpcap, tcpdump and various other tools using tcpdump's capture format (*.pcap,*.cap,*.dmp)
Accellent 5Views (*.5vw)
HP-UX's nettl (*.TRC0,*.TRC1)
Microsoft Network Monitor - NetMon (*.cap)
Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*fdc,*.syc)
Network Associates Sniffer - Windows (*.cap)
Network Instruments Observer version 9 (*.bfr)
Novell LANalyzer (*.tr1)
Sun snoop (*.snoop,*.cap)
Visual Networks Visual UpTime traffic (*.*)
5.4.
(Wireshark
Wireshark )
Wireshark
5.8. GTK
5.9. GTK
5.5.
( 4.6 )"Multiple Files/".
Wireshark
Wireshark t ?
+"_"++"_"++"test_00001_20060420183910.pcap".
("test")(:".pcap")
Wireshark
Wireshark
"File""File Set"
List Files
Next Files
Previous Files
5.5.1.
5.10.
Filename ()
Created
Last Modified
size
"... in directory:"
Close
5.6.
Wireshark Wireshark
XXX - add detailed descriptions of the output formats and some sample output, too./
5.6.1. "Export as Plain Text File"
"plain Asc "
5.11. "Export as Plain Text File"
Export to file:
Packet Range 5.8
Packet Details ???
5.6.2. "Export as PostScript File"
PostScript PostScript
Export to file:
Packet Range: 5.8
Packet Details: ???
5.6.3. "Export as CSV (Comma Separated Values) File"
xp
CSV
Export to file
Packet Range 5.8
5.6.4. "Export as PSML File"
PSML xml PSML http://www.nbee.org/Docs/NetPDL/PSML.htm.
5.13. "Export as PSML File"
Export to file:
Packet Range: 5.8
Packet details PSML
5.6.5. "Export as PDML File"
PDML PDML xml PDML :http://www.nbee.org/Docs/NetPDL/PDML.htm
Export to file:
Packet Range: 5.8
Packet details PDML
5.6.6. "Export selected packet bytes"
5.15. "Export Selected Packet Bytes"
Name:
Save in folder:
Browse for other folders
5.6.7. "Export Objects"
HTML HTTP
Packet num
Hostname
HTTP
Content Type
HTTP
Bytes
Filename
URL ("/")"HTTP POST"
( CGI URL)
Help
(5.6.7 )
Close
Save As
filename
Save All
filename /
,Wireshark ()
5.7.
File "Print..." 5.17 "Print"
5.7.1.
5.17. "Print"
Printer
Print Text
plain text
PostScript
[15]
PostScript
Output to file
Windows
lpr. You would change it to specify a particular queue if you need to print to a queue other than the default:
lpr -Pmypostscript
Output to file,
Packet Range
5.8
Packet Format
5.19 "Packet Format"
5.8.
,()"Packet Range"
5.18. "Packet Range"
Captured Displayed
All packets
[15]
6
6.1.
6.2.
6.2.1.
6.3.
6.1.
Mark Packet(toggle)
Edit
Set Time
Reference(toggle)
Edit
Apply as Filter
Analyze
Prepare a Filter
Analyze
Conversation Filter
SCTP
Analyze
TCP
Analyze
TCP SSL
Copy/Summary(TEXT)
( tab )
Copy/Summary(CSV)
(CSV ,)
Copy/As Filter
Copy/Bytes(Offset Hex
Text)
16
Copy/Bytes(Offset Text)
16
ASCII
-----
-----
File
Raw packet
Decode As...
Analyze
()
Print...
File
---
View
6.2.2.
6.4.
6.2.
Expand Subtrees
View
Expand All
View
Collapse All
View
Copy/Description
Copy/As Filter
Edit
Copy/Bytes(Offset Hex
Text)
Hexdump-like
()
Copy/Bytes(Offset Hex) -
Hexdump-like
()
COPY/Bytes (printable
Text Only)
ASCII
Copy/Bytes(Hex
Stream)
Copy/Bytes(Binary
Stream)
raw binary (
) MIME-typeApplication/octet-stream. GTK+1.x
File
raw packet
-----
---
Apply as Filter
analyze
Prepare a Filter
Analyze
Analyze
TCP
Analyze
WIKI
WEB
Protocol Preferences...
???
Decode As...
Analyze
()
Resolve Name...
View
Go to corresponding
Packet ...
Go
-----
-----
6.3.
Wireshark 4.8
:
Filter ??? tcp
6.5. TCP
TCP 1-10
11
Wireshark
Add Expression.... 6.5 Filter Expression/
192.168.0.1 ip.addr==192.168.0.1
Clear
6.4.
Wireshark
(C-like)
6.3.
English  C-like  Description             Example
eq       ==      Equal                   ip.addr==10.0.0.5
ne       !=      Not equal               ip.addr!=10.0.0.5
gt       >       Greater than            frame.pkt_len>10
lt       <       Less than               frame.pkt_len<128
ge       >=      Greater than or equal
le       <=      Less than or equal      frame.pkt_len <= 0x20
6.4.3.
6.4
6.4.
English  C-like  Description   Example
and      &&      Logical AND   ip.addr==10.0.0.5 and tcp.flags.fin
or       ||      Logical OR    ip.addr==10.0.0.5 or ip.addr==192.1.1.1
xor      ^^      Logical XOR   tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not      !       Logical NOT   not llc
Substring Operator
Wireshark can select a subsequence of a field's bytes with the [] operator. The slice forms are:
eth.src[0:3] == 00:00:83
n:m selects m bytes starting at offset n (0 is the first byte)
eth.src[1-2] == 00:83
n-m selects the bytes from offset n through offset m inclusive
eth.src[:4] == 00:00:83:00
:m selects the first m bytes, the same as 0:m
eth.src[4:] == 20:20
n: selects from offset n to the end of the field
eth.src[2] == 83
n selects the single byte at offset n, the same as n:1
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
Wireshark also lets you combine several slices inside one [...], separated by commas; the selected pieces are concatenated in that order.
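To make the slice semantics concrete, here is an added Python example (not code from the Wireshark User's Guide or from Wireshark itself) that implements the five slice forms and the comma-joined combination, and evaluates expressions of the shape field[spec] == bytes against a concrete field value. The eth.src value 00:00:83:00:20:20 is constructed so that every example in the table above holds; the function and variable names are the example's own.

```python
import re


def _slice_range(spec: str, field_len: int) -> range:
    """Translate one slice form into a Python range over a field of field_len bytes.
    Forms: n:m (m bytes from offset n), n-m (offsets n..m inclusive), :m (first m bytes),
    n: (offset n to the end), n (the single byte at offset n). Negative offsets are not handled."""
    spec = spec.strip()
    if ":" in spec:
        start_s, count_s = spec.split(":", 1)
        start = int(start_s) if start_s else 0
        return range(start, field_len) if count_s == "" else range(start, start + int(count_s))
    if "-" in spec:
        first_s, last_s = spec.split("-", 1)
        return range(int(first_s), int(last_s) + 1)
    offset = int(spec)
    return range(offset, offset + 1)


def slice_field(value: bytes, spec: str) -> bytes:
    """Apply a comma-separated slice spec; the pieces are concatenated in the order written."""
    out = bytearray()
    for part in spec.split(","):
        rng = _slice_range(part, len(value))
        if rng.start < 0 or rng.stop > len(value) or rng.start > rng.stop:
            raise IndexError("slice %r falls outside the %d-byte field" % (part.strip(), len(value)))
        out += value[rng.start:rng.stop]
    return bytes(out)


def parse_bytes(text: str) -> bytes:
    """Parse Wireshark's colon-separated byte-string literal, e.g. 00:00:83."""
    return bytes.fromhex(text.replace(":", ""))


# field[spec] == xx:yy:zz ; only this shape is supported here
_SLICE_EXPR = re.compile(r"\s*[A-Za-z_][\w.]*\[([^\]]*)\]\s*==\s*([0-9A-Fa-f:]+)\s*")


def evaluate_slice_expr(field_value: bytes, expr: str) -> bool:
    """Evaluate 'field[spec] == bytes' against a concrete value of that field."""
    m = _SLICE_EXPR.fullmatch(expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    return slice_field(field_value, m.group(1)) == parse_bytes(m.group(2))


# Constructed value: the eth.src for which every example in the guide's table is true.
ETH_SRC = parse_bytes("00:00:83:00:20:20")

if __name__ == "__main__":
    for e in ("eth.src[0:3] == 00:00:83", "eth.src[1-2] == 00:83", "eth.src[:4] == 00:00:83:00",
              "eth.src[4:] == 20:20", "eth.src[2] == 83",
              "eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83"):
        print(evaluate_slice_expr(ETH_SRC, e), e)
```

Note the asymmetry that trips people up: in n:m the second number is a length, in n-m it is an end offset, so eth.src[1:2] and eth.src[1-2] select the same two bytes only by coincidence of the numbers chosen here.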
6.4.4.
"!=" eth.addr,ip.addr,tcp.port,udp.port
()
6.6.
Field Name
+
Relation
is present
()
("=="),
Value
field name ( ).
Predefined values
C
Range
OK
OK
Cancel
Cancel Add Expression
6.6.
New
Filter nameFilter string "new"( filtername
)
Delete
Filter name
Filter string
Add Expression
6.5 Filter Expression/
OK
save
???
Close
6.7.
Edit Find Packet....Wireshark 6.8
"Find Packet/".
6.7.1.
6.8. "Find Packet/"
Display filter
Filter: OK()
192.168.0.1 :
ip.addr == 192.168.0.1 and tcp.flags.syn
6.3
Hex Value
"00:00"
String
UP
Down
()
6.7.2. "Find Next/"
6.8.
"Go"
6.8.1. "GO Back"
Go back web
6.8.2. "Go Forward /"
web
6.8.3. "Go to Packet/"
6.9. "GO to packet/"
()
6.8.5. "Go to First Packet/"
6.9.
// 5.8
Mark packet(toggle)
Mark all packets .
Unmark all packets
"Edit"Mark packet(toggle)
6.10.
7.3
3.5 "File"
:
Date and Time of Day: 1970-01-01 01:02:03.123456
Time of Day: 01:02:03.123456
Seconds Since Beginning of Capture: 123.123456 (
6.10.1 )
Seconds Since Previous Captured Packet: 1.123456
Seconds Since Previous Displayed Packet: 1.123456
( 10 )
Automatic ()
Seconds, Deciseconds, Centiseconds, Milliseconds, Microseconds or Nanoseconds
0.
Seconds Since Previous Packet 1.123456."Automatic"
libpcap () 1(nanoseconds), 1.123456000.
6.10.1.
,
time *REF*( 10 )
[16]
16 190
7
7.1.
Wireshark
7.2. "Follow TCP Stream"
TCP Tcp "Following TCP streams" telnet
TCP Wireshark "Following TCP streams"
TCP Wireshark "Following TCP Streams"()
Wireshark TCP 7.1 "Follow TCP Stream"
A B B A
"Edit/Preferences""Colores"
XXX - What about line wrapping (maximum line length) and CRNL conversions?
TCP
1. Save As
2. Print
3. Direction ("Entire conversation", "data from A to B only" or "data from B to A only").
4. Filter out this stream TCP
5. Close
libpcap ()Wireshark
7.3.3.
"Wireshark "Wireshark
()
USB USB
[17]
USB ( USB )
7.4.
:-)
()
7.1.
?
6 2000.
( UTC+05:30)
http://en.wikipedia.org/wiki/time_zone http://en.wikipedia.org/wiki/Coordinated_Universal_Time
7.2.
DST?
Daylight Saving Time(DST),(
) DST UTC ( 2 )
DST
DST UTC
http://en.wikipedia.org/wiki/Daylight_saving.
7.4.1.
1.
2.
7.3. UTC
                        Los Angeles  New York  Madrid  London  Berlin  Tokyo
Capture file (UTC)      10:00        10:00     10:00   10:00   10:00   10:00
Local offset to UTC     -8           -5        -1      0       +1      +9
Displayed local time    02:00        05:00     09:00   10:00   11:00   19:00
"Packet Bytes"
1. (TCP)
2. (:HTTP)
tooltip
7.6.
/()/ Wireshark
???
7.6.1.
Wireshark
()
DNS Wireshark Wireshark DNS
Wireshark wireshark wireshark
Wireshark DHCP Wireshark (
DNS dns )
"View/Reload"
7.6.2. (mac )
MAC (e.g. 00:09:5b:01:02:03)"Human readable"
ARP () Wireshark IP (e.g. 00:09:5b:01:02:03->192.168.0.1)
Ethernet codes(ethers file) ARP Wireshark ethers mac
(e.g. 00:09:5b:01:02:03 -> homerouter).
Ethernet manufacturer codes (manuf file) ARP ethers Wireshark mac
mac IEEE (
)(e.g.
00:09:5b:01:02:03 -> Netgear_01:02:03).
7.6.3. IP ()
IP (e.g. 216.239.37.99)/"Human readable"
Wireshark wireshark
ADNS
DNS vs. ADNS ip "Human readable"() DNS gethostname()
hosts (e.g. /etc/hosts,/windows/system32/drivers/etc/hosts) DNS
redundancy check()
100%
CRC32
http://en.wikipedia.org/wiki/Checksum
7.7.1. Wireshark
Wireshark TCPIP
"normal receiver".e.g.:[correct], [invalid, must be 0x12345678]
Wireshark
IP checksum offloading
Checksum offloading
[19]
checksum offloading
Wireshark
[17]
: Wireshark
[19]
Windows ->->->-
[18]
8
8.1.
Wireshark
()( HTTP )
o Summary
o Protocol Hierarchy:
o Endpoints ip
o Conversations IP
o IO Graphs
o Service Response Time
o Various other
8.2.
8.1. "Summary"
File
Time
Capture
()
Display
Traffic
Captured Displayed
8.3. "Protocol Hierarchy"
+/-
Protocol
%Packets
Packet
Bytes
MBit/s
End Packets
End Bytes
End MBit/s
IP (
ip IP )
8.4. "Endpoints"
Hostlist/ Endpoint
8.4.1. Endpoint?
Wireshark :
Ethernet
MAC
Fibre Channel
FDDI
FDDI FDDI MAC
IPV4
IP IP
IPX
TCP
TCP IP TCP IP TCP
Token Ring
Token Ring() Token Ring MAC
UDP
UDP IP UDP UDP IP UDP
Broadcast / multicast endpoints/
/()
8.4.2. "Endpoints"
8.3. "Endpoints"
()
8.4.3. "Endpoint List"
Before the combined window described above was available, each of its pages were shown as separate windows. Even though the combined
window is much more convenient to use, these separate windows are still available. The main reason is, they might process faster for very large
capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
8.5. /conversations
8.5.1. /conversation?
IP IP
8.5.2. "Conversations/" window
8.4.2 "Endpoints"
8.4. "Conversations"
Graphs
Graph 1-5: 1-5 ( graph 1)
Color: ()
Filter:(only the packets that pass this filter will be taken into account for that graph)
Style:(Line/Impulse/FBar)
X Axis
Tick interval X (10/1/0.1/0.01/0.001 seconds))
Pixels per tick X 10/5/2/1 px
Y Axis
Unit y (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
Scale Y (10,20,50,100,200,500,...)
XXX - describe the Advanced feature.
8.7.
DCE-RPC
Fibre Channel
H.225 RAS
LDAP
MGCP
ONC-RPC
SMB
DCE-RPC
Windows ()
8.7.1. "Service Response Time DCE-RPC"
DCE-RPC
8.6. "Compute DCE-RPC statistics"
Each row corresponds to a method of the interface selected (so the EPM interface in version 3 has 7 methods). For each method the number of calls,
and the statistics of the SRT time is calculated.
8.8.
The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document.
Some of these statistics are described at the http://wiki.wireshark.org/Statistics pages.
9 Wireshark
Wireshark Wireshark()()
Wireshark Wireshark (
files 0 0)
duration Wireshark
duration:value
Value
filesize:value
value kilobytes (kilobyte 1000bytes, 1024bytes)
files:value
value
-B <capture buffer size (Win32 only)>
Win32:( MB, 1MB).
-g <packet number>
-r
-h
-h Wireshark ()
-i <capture interface>
-n
( TCP,UDP )
-N <name resolving flags>
m MAC n t
-n -N -n C ()DNS
-o <preference/recent settings>
Preference/recent file
prefname:value,prefname ( preference/recent file )value -o <preference
settings>
wireshark -o mgcp.display_dissect_tree:TRUE
???
-p
-p
-Q
Wireshark -c -i -w
-r <infile>
Wireshark
-R <read(display) filter>
6.3
-s <capture snaplen>
Wireshark <snaplen>
-S
Wireshark "Update list of packets in
real time/"
-t <time stamp format>
r
a absolute,
ad
d delta
e epoch epoch (1970 1 1 00:00:00 )
-v
Wireshark
-w <savefile>
savefile
-y <capture link type>
-k -y The values reported by -L are the values that can be used.
-X <eXtension option>
TShark eXtension extension_key:extension_key:
lua_script:lua_script_filename, Wireshark Lua scripts.
-z <statistics-string>
Wireshark
9.3.
Packet colorization() Wireshark Wireshark
(
) UDP DNS DNS ( DNS UDP UDP
netscreen )
NEW???
9.2. "Edit Color Filter"
OK
You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to
select the color you want.
9.4 Wireshark
[Coloring Rule Name: ...] and [Coloring Rule String: ...]
9.4. Wireshark
9.4.
[20]
,wireshark ("routes"
"guessing"), TCP Wireshark
HTTP 800 80
IP Ethernet,IP,TCP HTTP
IP IP TCP,HTTP
9.5. "Enabled Protocols"
enable/disable
1. Enable All
2. Disable All
3. Invert enable/disable
4. OK
5. Apply
6. Save
7. Cancel
9.4.2.
"packet list""Decode As" Decode As
9.6. "Decode As"
Wireshark
1. Decode
2. Do not decode
3. Link/Network/Transport
4. Show Current
5. OK
6. Apply
7. Cancel
9.4.3.
1. OK
2. Clear
9.5.
Wireshark "Edit""Preferences..." Preferences ???:"User interface"
OK Apply Save
OK
Apply
Save
Cancel
9.8. preferences
[21]
9.6.
9.3
9.7.
Display Filter Macros tcp_conv ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )
${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
9.6 Display Filter Macros View (
User table)
name
text
$1,$2,$3...
1. tcp_conv
2.
ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4,$1,$2,$3,$4
ip $1,$2,$3,$4,
3. ${: 1; 2; 3;....}
${tcp_conv:10.1.1.2;10.1.1.3;1200;1400},tcp_conv 10.1.1.2 $1
Wireshark
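Macro expansion is purely textual: Wireshark substitutes the semicolon-separated arguments for $1, $2, ... in the macro body and then parses the result as an ordinary display filter. The following Python is an added example (not Wireshark's implementation) that performs that expansion for the tcp_conv macro above and checks the argument count, which is the mistake the dialog will otherwise report only at parse time. The macro body uses the tcp.srcport and tcp.dstport field names; the function and table names are the example's own.

```python
import re
from typing import Dict

# Macro table as it would be entered under the Display Filter Macros preference.
MACROS: Dict[str, str] = {
    "tcp_conv": (
        "( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)"
        " or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )"
    ),
}

_MACRO_USE = re.compile(r"\$\{(\w+):([^}]*)\}")   # ${name:arg1;arg2;...}
_PARAM = re.compile(r"\$(\d+)")                   # $1, $2, ... inside a macro body


def macro_arity(body: str) -> int:
    """Highest $n referenced in a macro body (0 if it takes no arguments)."""
    params = [int(p) for p in _PARAM.findall(body)]
    return max(params) if params else 0


def expand_macros(expr: str, macros: Dict[str, str] = MACROS) -> str:
    """Replace every ${name:a;b;...} in expr with the macro body, $1..$n substituted positionally."""
    def substitute(m) -> str:
        name, arg_text = m.group(1), m.group(2)
        if name not in macros:
            raise KeyError("unknown display filter macro %r" % name)
        args = arg_text.split(";") if arg_text else []
        body = macros[name]
        arity = macro_arity(body)
        if len(args) != arity:
            raise ValueError("macro %s takes %d argument(s), got %d" % (name, arity, len(args)))
        # Highest-numbered parameter first, so that replacing $1 never eats the "$1" prefix of "$10".
        for n in range(arity, 0, -1):
            body = body.replace("$%d" % n, args[n - 1])
        return body
    return _MACRO_USE.sub(substitute, expr)


if __name__ == "__main__":
    print(expand_macros("${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} and tcp.flags.syn == 1"))
```

Because expansion happens before parsing, a macro can be combined freely with other filter terms, but it also means an argument is pasted in unquoted: pass exactly what you would have typed in the filter at that position.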
9.8. Tektronix K12xx/15 RF5
Tektronix's K12xx/15 rf5 helper files(*.stk)Wireshark stk (
)
Stk 9.6 ,
match
a partial match for an stk filename; the first match wins, so if you have a specific case and a general one, the specific one must appear first in the list
protos
This is the name of the encapsulating protocol (the lowest layer in the packet data). It can be either just the name of the protocol (e.g. mtp2, eth_withoutfcs, sscf-nni) or the name of the encapsulation protocol and the "application" protocol over it separated by a colon (e.g. sscop:sscf-nni, sscop:alcap, sscop:nbap, ...)
9.9. DLTs
pcap DLTs (147 to 162) ,Wireshark DLT
9.6 DLT
encap
dlts
payload_proto
payload()
header_size
header ( payload ) Wireshark header 0 header protocol.
header_proto
header ("data")
trailer_size
trailer ( payload ) 0
trailer_proto
trailer ("data")
9.10. SNMP
Wireshark SNMP SNMPv3
9.6
engine_id
engine id, engine id 16 0102030405
userName
SNMP-engines if you need a catch all engine-id (empty) that
entry should be the last one.
,(MD5 SHA1)
authPassword
"\xDD" 16 "\xDD"16 010203040506
'\x01\x02\x03\x04\x05\x06'.
priv_proto
(DES AES)
privPassword
"\xDD" 16 "\xDD"16 010203040506
'\x01\x02\x03\x04\x05\x06'.
[20]
dissector: dissect, decode
[21]