Unit 1: Packet Sniffing - 1.1 Packet Sniffing - Packet Sniffing Demos 1

>> It's time to start sniffing packets.

Let's open up Wireshark.

First, you select the NIC that you're going to be sniffing on.

So, I'm going to pick my Wi-Fi adapter.

The Wireshark window is arranged into three panes: packet list,
packet details, and packet bytes.

In the packet list, each row corresponds to a packet and its data encapsulated in a frame,
or, in some cases like ARP, just a Layer 2 frame and its data.

The columns, which are sortable, correspond to the number of each captured packet,
a timestamp, source and destination addresses, the highest-layer protocol
(for instance, SNMP is displayed here instead of UDP),
the length of the entire frame, and some information related to its contents.

I'm going to stop the current capture by clicking the stop button.

You can sort from beginning to end or end to beginning in each of the columns,
which will be arranged numerically, alphabetically, or both.

Selecting a row in the packet list shows the corresponding information
in the lower two panes.

The packet details pane shows the field names and values
in an expandable and collapsible tree.

Selecting a row in the packet details pane shows the corresponding information
in the packet bytes pane.

The packet bytes pane shows the actual ones and zeros captured, defaulting
to base-sixteen hexadecimal, although this can be changed to binary by right-clicking.

To the left of the hex dump are the offsets, a numbering of each protocol,
represented with hex numbers as well.

To the far right, we see an ASCII representation of the bits.

Sometimes, in this area, you'll see random characters
that are just coincidental ASCII characters being displayed.

Not all ASCII values have printable characters; for those values,
Wireshark puts a dot in the corresponding location.

The capture file can be saved and reopened later in Wireshark.

You'll notice that, without any human intervention, there's lots of traffic going
in and out of my NIC, constantly.

There are two filters in Wireshark: a display filter and a capture filter.

During a live capture or after the capture has been stopped, you can enter a display filter,
which just limits what's displayed from a capture.

You can use multiple criteria as well as Boolean operators such as and, or, and not.

Capture filters are very limited compared to display filters.

Their main purpose is to reduce the size of a capture file.

Capture filters must be set before you start sniffing.

They can't be modified during a live capture.

If no capture filter is selected, Wireshark will grab everything that goes in and out of the NIC.
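
Added example (not part of the course transcript): a small Python function, standard library only, that renders captured bytes the way the packet bytes pane does, with the hex offsets on the left, the byte values in the middle and the ASCII gutter on the right, printing a dot for any byte that has no printable character, plus the binary view the speaker mentions as a right-click option. The sample buffer is constructed here, not taken from the capture: it starts with an IPv4-header-shaped prefix whose first byte 0x45 shows up in the gutter as a coincidental 'E', followed by the 32-byte payload Windows puts in its pings.

```python
"""Render bytes the way Wireshark's packet bytes pane does (added example)."""
import string
from typing import List

# Bytes 0x20..0x7e have a printable glyph; everything else becomes a dot.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def hexdump(data: bytes, width: int = 16, binary: bool = False) -> List[str]:
    """Return one text line per `width` bytes.

    Each line is: hex offset of the first byte, the byte values (hex, or eight
    bits each when binary=True, like the pane's right-click option), then the
    ASCII gutter with '.' for any byte that has no printable character.
    """
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        if binary:
            values = " ".join(f"{b:08b}" for b in chunk)
            pad = " " * ((width - len(chunk)) * 9)  # keep the gutter aligned on a short last row
        else:
            values = " ".join(f"{b:02x}" for b in chunk)
            pad = " " * ((width - len(chunk)) * 3)
        gutter = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:04x}  {values}{pad}  {gutter}")
    return lines


# Constructed sample, not from the course capture: a 20-byte IPv4-header-shaped
# prefix (checksum field not meant to verify) followed by the 32-byte payload
# that Windows ping sends. 0x45 at offset 0 is the "coincidental" 'E' in the gutter.
SAMPLE = (bytes.fromhex("4500003c1c4640004006b1e6c0a80165c0a80189")
          + b"abcdefghijklmnopqrstuvwabcdefghi")

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("\n".join(hexdump(SAMPLE[:4], binary=True)))
```

The gutter only ever shows bytes 0x20 through 0x7e as themselves; a byte like 0xa8 in an IP address or 0x06 in a protocol field is rendered as a dot, which is why a run of dots in that area carries no information about the data and a stray letter may be nothing more than a header byte that happens to fall in the printable range.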


Local Communication through Wireshark


>> Using a display filter of ARP or ICMP, I'm going to send the ping from my machine
to another device on the same network.

As soon as I sent the ping, my machine sent an ARP request, got an ARP reply back,
and sent four ICMP echo requests, each of which received an ICMP echo reply.

The first section in Packet Details, although it says "frame," is not the actual frame,
but rather, information about the frame.

WinPcap is not able to show the wireless 802.11 frame headers.

I'm on a wireless NIC, but you'll notice the Ethernet II frame format listed here,
which is for wired LANs.

This is a complete fabrication by Wireshark, but let's go through the fields anyway.

The Destination MAC Address field has the Layer 2 broadcast address, all F's,
so that all NICs on this LAN will see the ARP request and read it.

The Source MAC Address field contains the MAC address of the NIC
that I'm sending this traffic from.

The Type field lists the protocol that's encapsulated inside
of the Ethernet frame, in this case ARP.

Let's look at the ARP fields.

The hardware type is Ethernet.

The size of a MAC address: six bytes.

The protocol type is IPv4.

The size of an IPv4 address: four bytes.

This is a request, as indicated by the opcode of one.

Replies will have an opcode of two.

Then, we see what I call the scoreboard.

My NIC lists its MAC address and the IP address it's bound to,
leaving the Target MAC Address field blank with all zeros,
but populating the Target IP Address field,
in this case with the IP address of the device it's trying to communicate with.

Don't confuse the ARP field Target MAC Address (all zeros)
with the Ethernet frame header field Destination MAC Address (all F's).

This Destination MAC Address field found in the Ethernet frame header instructs all NICs
on this network to open up the frame and read it.

This field, Target MAC Address, found in ARP, instructs just the NIC bound to the IP address
of 192.168.1.137 to fill in its MAC address right here.

And that's how Wireshark is able to turn this into a human conversation.

Who has 192.168.1.137? Tell 192.168.1.101.


Let's take a look at the ARP reply.

An opcode of two specifies this as a reply.

You'll notice that in our scoreboard, the roles have been flipped.

The device that sent the ARP request is now the target in the ARP reply.

The device that saw its IP address listed in the Target IP Address field
in the ARP request now puts its IP address and the requested MAC address in the Sender fields.

That's how Wireshark is able to turn this into a human conversation again.

192.168.1.137 is at 98:fe:94:42:5e:1c.

You'll also notice that the Destination MAC Address field
in the ARP reply is the MAC address of my NIC that sent the ARP request.

ARP requests are broadcasts, but ARP replies are unicasts.

Since the ARP request contains the MAC address of the requesting machine,
the reply can be unicast directly to that machine.

So, to summarize what we've seen so far: my device determined that the destination was
on the same subnet and sent an ARP request looking for the MAC address of the destination,
because you talk directly to devices on your own network.

The ARP reply came back with the requested information.

And now, my device can send a Layer 3 ICMP echo request encapsulated inside
of a Layer 3 IP packet, which is encapsulated inside of a Layer 2 Ethernet frame.

Notice the source MAC address and the source IP address are both of my machine, the sender.


And notice that the destination MAC address as well as the destination IP address are both
of that other device on my network that I'm communicating with directly.

In the ARP reply, the roles once again are flipped.

The source MAC address as well as the source IP address are of that other Apple device
on my network, whereas the destination MAC address as well
as the destination IP address are both of my machine.

Let's take a look again at the Windows command-line interface,
specifically the line pinging 192.168.1.137 with 32 bytes of data.

If we expand the ICMP fields, we can see the 32 bytes of data.

Windows sends 32 lowercase letters, a through w and a through i, in each of its four pings.

Six-one in hex (0x61) corresponds to the lowercase 'a' ASCII or Unicode character.

Six-two (0x62) corresponds to lowercase 'b'. Other operating systems implement ICMP
pings differently.

The payload that you're seeing in the ICMP echo reply is the exact payload
that was specified in the ICMP echo request.

That's how the source knows the destination can hear it.
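
Added example, not from the course: Python (standard library only) that builds the two frames of the ARP exchange walked through above and decodes them back into the field names Wireshark shows, including the Info column text "Who has ...? Tell ..." and "... is at ...". The requester's MAC address does not appear on the page, so the value used for it is an assumed placeholder; the MAC 98:fe:94:42:5e:1c for 192.168.1.137 is the one from the capture.

```python
"""Build and decode the Ethernet II + ARP exchange seen in the capture (added example)."""
import struct

ETHERTYPE_ARP = 0x0806          # Type field of the Ethernet II header
ETHERTYPE_IPV4 = 0x0800         # also used as the ARP "protocol type"
HW_ETHERNET = 1
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Return a 42-byte Ethernet II frame carrying an ARP packet.

    A request goes to the broadcast MAC so every NIC on the LAN reads it; the
    ARP target MAC is left all zeros because that is the value being asked for.
    A reply is unicast straight back to the requester's MAC.
    """
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type, protocol type, hardware size (6), protocol size (4), opcode
    arp = struct.pack("!HHBBH", HW_ETHERNET, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)   # sender "scoreboard"
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)   # target "scoreboard"
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the frame header and ARP fields into the names Wireshark shows."""
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (HW_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    body = frame[22:22 + 2 * (hw_len + proto_len)]
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]), "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]), "target_ip": bytes_to_ip(body[16:20]),
    }


def info_column(fields: dict) -> str:
    """Reproduce Wireshark's Info text for the two opcodes."""
    if fields["opcode"] == ARP_REQUEST:
        return f"Who has {fields['target_ip']}? Tell {fields['sender_ip']}"
    if fields["opcode"] == ARP_REPLY:
        return f"{fields['sender_ip']} is at {fields['sender_mac']}"
    return f"unknown opcode {fields['opcode']}"


def demo():
    """The exchange from the capture: 192.168.1.101 asks for 192.168.1.137's MAC."""
    my_mac, my_ip = "02:00:00:00:01:65", "192.168.1.101"   # ASSUMED placeholder MAC
    peer_mac, peer_ip = "98:fe:94:42:5e:1c", "192.168.1.137"  # MAC seen in the capture
    request = build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, peer_ip)
    # In the reply the roles flip: the answering device is now the sender.
    reply = build_arp(ARP_REPLY, peer_mac, peer_ip, my_mac, my_ip)
    return parse_arp(request), parse_arp(reply)


if __name__ == "__main__":
    for fields in demo():
        print(f"{fields['eth_src']} -> {fields['eth_dst']}  ARP  {info_column(fields)}")
```

The two destination fields the speaker warns about not confusing are both visible in the decoded request: `eth_dst` is the frame header's all-F broadcast address, while `target_mac` is the all-zero ARP field waiting to be filled in. The reply's `eth_dst` equals the request's `eth_src`, which is why the reply is a unicast.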


Remote Communication through Wireshark


>> I've just cleared my ARP cache and sent a ping to 8.8.8.8, one of the Google public DNS IP addresses.

This time, the source realized that the destination was on a different subnet
and once again sent an ARP request.

This ARP request is not looking for the MAC address of the destination 8.8.8.8; in this case,
the source concluded that the destination is on a different network.

Therefore, the ARP request is looking for the MAC address of the default gateway.

The ARP reply comes back with the requested information.

As far as the ICMP echo request goes, the source MAC address
and the source IP address are of the host sending the pings.

The destination IP address is the actual destination,
but now the destination MAC address is the answer found in the ARP reply:
the MAC address of the default gateway.

The ICMP echo replies have the Layer 2 and Layer 3 addresses flipped.

The source MAC address of all remote communications coming back
in is the MAC address of the router.
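
Added example, not from the course: the forwarding decision behind the two captures above, in Python. Whether the sender ARPs for the destination itself or for the default gateway depends only on whether the destination falls inside the local subnet; the ARP cache then supplies the Layer 2 destination while the Layer 3 destination stays the real target. The /24 prefix, the gateway address 192.168.1.1 and the gateway's MAC are assumptions, since the page shows none of them; the MAC for 192.168.1.137 is the one from the capture.

```python
"""Which address does a host ARP for, and how is the outgoing frame addressed? (added example)

The course capture shows the behaviour but not the configuration, so the prefix
length, the default gateway 192.168.1.1 and the gateway MAC below are ASSUMED.
"""
import ipaddress
from typing import Optional


def next_hop(local_ip: str, prefix_len: int, default_gateway: str, dst_ip: str) -> str:
    """Return the IP address whose MAC the sender must learn before it can transmit.

    Same subnet: you talk directly to the device, so ARP for the destination itself.
    Different subnet: ARP for the default gateway instead.
    """
    local_net = ipaddress.ip_interface(f"{local_ip}/{prefix_len}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else default_gateway


def address_frame(local_ip: str, prefix_len: int, default_gateway: str,
                  dst_ip: str, arp_cache: dict) -> dict:
    """Layer 2 and Layer 3 destination addresses for one outgoing packet.

    dst_ip is always the real destination. dst_mac is the cached MAC of the
    next hop, or None when the sender must first broadcast an ARP request;
    in that case the Info text of that request is returned as well.
    """
    hop = next_hop(local_ip, prefix_len, default_gateway, dst_ip)
    dst_mac: Optional[str] = arp_cache.get(hop)
    return {
        "dst_ip": dst_ip,
        "arp_target": hop,
        "dst_mac": dst_mac,
        "arp_request": None if dst_mac else f"Who has {hop}? Tell {local_ip}",
    }


# Constructed ARP cache: 192.168.1.137's MAC is the one seen in the capture,
# the gateway entry is ASSUMED.
ARP_CACHE = {
    "192.168.1.137": "98:fe:94:42:5e:1c",
    "192.168.1.1": "00:11:22:33:44:55",
}

if __name__ == "__main__":
    for target in ("192.168.1.137", "8.8.8.8"):
        print(address_frame("192.168.1.101", 24, "192.168.1.1", target, ARP_CACHE))
```

The prefix length is what decides the outcome: with a /24 a destination of 192.168.2.5 is "remote" and the frame goes to the gateway's MAC, whereas with a /16 the same destination is "local" and the host ARPs for 192.168.2.5 directly, which is the mismatch to look for when a ping to a neighbouring subnet produces an unanswered ARP request in the capture instead of a frame addressed to the router.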


Reposted from: https://www.cnblogs.com/sec875/articles/10015874.html
