How to Use Wireshark, the Best Packet Analyzer Around


Wireshark is the best-known network traffic analyzer and packet sniffer around. In this article, we will look at it in detail.

Wireshark is a network analyzer that lets you see what's happening on your network. It lets you dissect your network packets at a microscopic level, giving you in-depth information on individual packets.

Wireshark was first released in 1998 (and was called Ethereal back then). It runs on all major operating systems, and it is widely used in enterprises and government organizations as the standard network analyzer.

Wireshark is also completely open source, maintained by a community of network engineers around the world. While most security tools are CLI-based, Wireshark comes with a fantastic user interface (a command-line counterpart, tshark, ships with it for scripted and headless captures).

OSI Model

I am assuming you are new to networking, so we will go through some basics of the OSI model. This is important for understanding the core functions of Wireshark, because the Packet Details pane is organized layer by layer.

The Open Systems Interconnection (OSI) model standardizes the way two or more devices communicate with each other. The OSI model segments network architecture into 7 layers: Application, Presentation, Session, Transport, Network, Data Link, and Physical.

Here is what each layer does:

  • Physical Layer: Responsible for the actual physical connection between devices (cabling, radio, signalling). Data is transferred in the form of bits.

  • Data Link Layer: Moves data between directly connected devices on the same link, addressing them by MAC address, and detects transmission errors (for example via the Ethernet frame check sequence). Data is transferred in frames.

  • Network Layer: Takes care of routing, that is, finding a path to deliver data across networks. The sender's and receiver's IP addresses are added to the header at this layer. Data at this layer is called a packet.

  • Transport Layer: Acts as a bridge between the network and session layers. Uses protocols like TCP and UDP to send and receive data, addressed by port number. Data at this layer is called a segment (TCP) or a datagram (UDP).

  • Session Layer: Establishes and maintains a session between devices.

  • Presentation Layer: Data from segments is converted here into the format the application expects. In the textbook model this layer takes care of encryption and decryption; in practice, TLS sits between the transport and application protocols.

  • Application Layer: The layer that interacts with the user. If you are using a browser, HTTP is on the application layer.

The below diagram should help you to understand how these components work together.

If you are interested in learning more about the OSI model, here is a detailed article for you.

Packets

Now that you have a solid grasp of the OSI model, let's look at network packets. When data is transferred from one computer to another, the data stream is broken into smaller units called packets.

When you download a file from the internet, the data is sent from the server as packets. These packets are re-assembled by your computer to give you the original file.

A packet can contain the following data:

  • source and destination IP addresses (from the IP header)
  • protocol (the IP protocol number, for example 6 for TCP and 17 for UDP)
  • source and destination ports (from the TCP or UDP header)
  • data (the payload handed down from the application)
  • length, flags, TTL, and so on

Each packet contains valuable information about the devices involved in the transfer. A large data transfer involves thousands or even millions of these packets being sent between the source and the destination devices.
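
To make the list above concrete, here is an added example (not code from the original article) that decodes one Ethernet II / IPv4 / TCP frame into the fields a packet analyzer's details pane would show: addresses, protocol number, ports, TTL, flags, length, and a recomputed IPv4 header checksum. The sample frame is constructed in code, the MAC addresses and IPs are made-up values, and the dictionary keys are this example's own labels modelled on Wireshark's field names.

```python
"""Added example: decode an Ethernet II / IPv4 / TCP-or-UDP frame into the header fields
a packet analyzer shows. Key names are this example's own labels (modelled on Wireshark's
display-filter field names), not output of Wireshark itself."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(raw: bytes) -> dict:
    """Parse the layer 2, 3 and 4 headers of one captured frame."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    info = {"eth.dst": dst_mac.hex(":"), "eth.src": src_mac.hex(":"), "eth.type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        info["note"] = "only IPv4 is decoded in this example"
        return info

    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto, cksum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    # Recompute the header checksum: a mismatch means corruption, or a capture taken on the sending
    # host before its NIC filled the checksum in (checksum offload).
    zeroed = bytearray(ip[:ihl])
    zeroed[10:12] = b"\x00\x00"
    info.update({
        "ip.src": ".".join(map(str, src)),
        "ip.dst": ".".join(map(str, dst)),
        "ip.proto": proto,
        "ip.ttl": ttl,
        "ip.len": total_len,
        "ip.flags.df": bool(frag & 0x4000),
        "ip.frag_offset": frag & 0x1FFF,
        "ip.checksum.good": ipv4_checksum(bytes(zeroed)) == cksum,
    })

    l4 = ip[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4          # header length in 32-bit words
        flags = off_flags & 0x01FF                # nine flag bits
        info.update({
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
            "tcp.flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
            "tcp.window_size": window, "tcp.payload": l4[data_off:],
        })
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        info.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen, "udp.payload": l4[8:ulen]})
    return info


def build_sample_frame() -> bytes:
    """Constructed input, not a real capture: a TCP SYN from 192.168.0.10:51234 to 203.0.113.5:443."""
    tcp = struct.pack("!HHIIHHHH", 51234, 443, 0x10000000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    src, dst = bytes([192, 168, 0, 10]), bytes([203, 0, 113, 5])
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xABCD, 0x4000, 64, IPPROTO_TCP, 0, src, dst))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))   # checksum the sender would compute
    eth = bytes.fromhex("00163e1a2b3c") + bytes.fromhex("3c52829d7e5f") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + tcp


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:18} {value}")
```

The TCP checksum is not verified here because it covers a pseudo-header built from the IP addresses; extending the decoder to do that is a good exercise once you have seen the field layout in the Bytes pane.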

Now you can understand the importance of Wireshark. Wireshark lets you capture each of these packets and inspect their contents.

Wireshark, to a network engineer, is what a microscope is to a biologist. Wireshark lets you "listen" to a live network (once you have an interface on it), and capture and inspect packets on the fly.

As a network engineer or ethical hacker, you can use Wireshark to debug and secure your networks. A malicious actor on the same network (which I don't recommend being) can "sniff" packets and capture anything sent in the clear, such as credentials or card numbers submitted over plain HTTP.

This is why it is unwise to connect to a public network like the one at a coffee shop and perform financial transactions or access private data without care. HTTPS encrypts the contents of your packets, so a sniffer on the same network cannot read the page you loaded or the form you submitted. What it still sees is the metadata: which IP addresses you talk to, the server name sent in the clear in the TLS handshake (the SNI extension, unless Encrypted Client Hello is in use), and the timing and size of each exchange. The realistic threat on a hostile network is not someone "cracking" TLS but someone intercepting the connection outright, with a rogue access point, a spoofed DNS answer, or a downgrade to plain HTTP; that is what your browser's certificate warning exists to catch, so never click through it.
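
As an added example (not part of the original article) of what an eavesdropper still learns from an HTTPS connection, the Python below constructs a minimal TLS ClientHello carrying a Server Name Indication extension and then parses the hostname out of it the way a sniffer would (Wireshark exposes the same value as the `tls.handshake.extensions_server_name` field). For contrast it also shows what the same sniffer gets from a plain HTTP request. The hostname, the request line and the offered cipher suites are constructed sample values, not a real capture.

```python
"""Added example: the plaintext Server Name Indication (SNI) in a TLS ClientHello, which an on-path
sniffer can read even though everything after the handshake is encrypted, versus a plain HTTP
request where the whole request line and headers are readable."""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record with an SNI extension (test input, not a real capture)."""
    name = hostname.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name            # name_type=host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    cipher_suites = struct.pack("!HHH", 0xC02B, 0xC02F, 0x1301)   # sample offer of three AES-GCM suites
    body = (
        struct.pack("!H", 0x0303)                                  # client_version as sent on the wire
        + os.urandom(32)                                           # client random
        + b"\x00"                                                  # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                              # one compression method: null
        + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello record, or None if there is none to read."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                               # skip client_version and random
        pos += 1 + body[pos]                                       # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher suites
        pos += 1 + body[pos]                                       # compression methods
        if pos + 2 > len(body):
            return None                                            # hello without an extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
    except (IndexError, struct.error):
        return None                                                # malformed or truncated hello
    return None


def plaintext_http_request(payload: bytes) -> Optional[str]:
    """What the same sniffer gets from an HTTP (not HTTPS) request: the full request line and headers."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep or not head.split(b" ", 1)[0].isalpha():
        return None
    return head.decode("latin-1")


if __name__ == "__main__":
    hello = build_client_hello("bank.example")
    print("HTTPS: sniffer sees SNI =", extract_sni(hello))
    print("HTTP:  sniffer sees", plaintext_http_request(b"GET /account?card=4111 HTTP/1.1\r\nHost: bank.example\r\n\r\n"))
```

In a real capture you would apply the display filter `tls.handshake.type == 1` to list the ClientHellos and add the server-name column to see every hostname a host contacted, which is exactly the information a coffee-shop eavesdropper gets for free.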

Wireshark Basics

Now let's look at how you can play with Wireshark. Download and install Wireshark from https://www.wireshark.org. On Linux and macOS, capturing from an interface needs elevated capture privileges; the installer offers to set this up for non-root users through its capture helper, so you should not run the GUI itself as root.

Wireshark has an awesome GUI, unlike most penetration testing tools. Here's how Wireshark looks when you load it.

The welcome screen lists the network interfaces on your machine (Ethernet, Wi-Fi, loopback, and so on) with a small activity graph next to each. Choose one and start capturing. Note that on a switched network an interface normally sees only traffic to and from your own machine plus broadcast and multicast; to observe other hosts you need a mirror (SPAN) port, a network tap, or to capture on the host or gateway in question.

There are three panes in Wireshark.

Packet List Pane

This pane displays the captured packets, one per line, with the frame number, timestamp, source, destination, protocol, length and a one-line summary. Click a line to analyze that packet in detail using the other two panes.

Packet Details Pane

Selecting a packet shows its dissection here as a tree, one branch per protocol layer (Frame, Ethernet, IP, TCP, then the application protocol). Expand a branch to see the individual fields: MAC addresses, IP addresses, TTL, ports, flags, and the rest of each header.

Packet Bytes Pane

This pane gives the raw bytes of the selected packet as a hex dump, with an ASCII rendering alongside. Clicking a field in the Details pane highlights the bytes that make it up, which is the quickest way to learn how a header is laid out on the wire.

Filters

Wireshark has filters that help you narrow down the traffic you are looking for. There are two main types: capture filters and display filters. They use different syntaxes and are applied at different points, and confusing the two is the most common beginner mistake.

Capture Filter

You set a capture filter before starting a capture. It uses the BPF syntax shared with tcpdump and is applied in the capture engine, so packets that do not match are never written to the capture at all. For example, to capture only the packets sent to or from one IP address:

host 192.168.0.1

Once a capture is running you cannot change its capture filter; stop the capture and start a new one with the new filter. Because unmatched packets are discarded, use capture filters sparingly during an investigation: you cannot get back traffic you did not capture.

Display Filters

Display filters are applied to packets that have already been captured. They use Wireshark's own syntax, in which every dissected field is addressable by name. For example, to show only the packets originating from a particular IP address:

ip.src==192.168.0.1

Since display filters are applied to captured data, they can be changed on the fly, and a packet hidden by one filter is still in the capture.

In short, capture filters decide what gets recorded, while display filters decide what you see of what was recorded. Since Wireshark can capture thousands of packets per second on a busy network, both are essential while debugging.
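
Display filters have semantics that trip people up, in particular the combined fields: `ip.addr` holds both endpoint addresses and `ip.addr == X` matches when either of them equals X, so `ip.src == X` and `ip.addr == X` select different packets. The following added example (my own code, not from the original article or from Wireshark) implements a small evaluator for the display-filter operators shown on this page (`==`, `!=`, `&&`, `||`, `!`, parentheses, and a bare protocol name) over four constructed sample packets, so you can see the difference run.

```python
"""Added example: a miniature evaluator for Wireshark-style display filters, run over decoded packets.
It shows why ip.addr and ip.src behave differently and how !, &&, || and parentheses combine."""
import re

# Constructed sample packets (not a real capture), keyed by the field names a dissector would expose.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.0.1", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.dst": "192.168.0.1",
     "tcp.srcport": 443, "tcp.dstport": 51000, "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    {"frame.number": 3, "ip.src": "192.168.0.7", "ip.dst": "10.0.0.5",
     "udp.srcport": 5353, "udp.dstport": 53},
    {"frame.number": 4, "ip.src": "192.168.0.1", "ip.dst": "10.0.0.9",
     "tcp.srcport": 51001, "tcp.dstport": 80, "tcp.flags.syn": 0, "tcp.flags.ack": 1},
]

# Combined fields: ip.addr, tcp.port and udp.port hold BOTH endpoint values and a comparison
# matches if ANY of the values matches.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
TOKEN = re.compile(r"\s*(==|!=|&&|\|\||!|\(|\)|[A-Za-z_][\w.]*|[\w.]+)")
FIELD = re.compile(r"[A-Za-z_][\w.]*")
WORD_OPS = {"and": "&&", "or": "||", "not": "!"}   # Wireshark accepts these spellings too


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {expr[pos:]!r}")
        tokens.append(WORD_OPS.get(m.group(1), m.group(1)))
        pos = m.end()
    return tokens


def field_values(pkt: dict, field: str) -> list:
    return [str(pkt[n]) for n in ALIASES.get(field, (field,)) if n in pkt]


def has_field(pkt: dict, field: str) -> bool:
    """A bare name such as `tcp` or `udp` matches when that protocol (or field) is present."""
    return any(k == n or k.startswith(n + ".") for n in ALIASES.get(field, (field,)) for k in pkt)


class Parser:
    """Recursive descent: or_expr -> and_expr ('||' and_expr)*; and_expr -> unary ('&&' unary)*."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.unary())
        return left

    def unary(self):
        if self.peek() == "!":
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        return self.comparison()

    def comparison(self):
        field = self.take()
        if not FIELD.fullmatch(field):
            raise ValueError(f"expected a field name, got {field!r}")
        if self.peek() not in ("==", "!="):
            return lambda p: has_field(p, field)
        op, value = self.take(), self.take()
        if op == "==":
            return lambda p: value in field_values(p, field)
        # Wireshark 3.6 and later define `a != b` as `!(a == b)`; older releases read it as
        # "any value differs", which is why `ip.addr != X` famously failed to exclude X there.
        return lambda p: value not in field_values(p, field)


def display_filter(expr: str, packets=PACKETS) -> list:
    """Return the frame numbers that match a display-filter expression."""
    pred = Parser(tokenize(expr)).parse()
    return [p["frame.number"] for p in packets if pred(p)]


if __name__ == "__main__":
    for expr in ["ip.src == 192.168.0.1", "ip.addr == 192.168.0.1", "!(ip.addr == 192.168.0.1)",
                 "tcp.port == 443 && tcp.flags.syn == 1", "udp", "tcp.dstport == 80 or udp.dstport == 53"]:
        print(f"{expr:42} -> frames {display_filter(expr)}")
```

Run it and compare `ip.src == 192.168.0.1` (frames 1 and 4) with `ip.addr == 192.168.0.1` (frames 1, 2 and 4): the second also returns the reply packet whose destination is that address. The real Wireshark filter engine supports far more (ranges, `contains`, `matches`, field slices), but the combining rules shown here are the ones worth internalizing first.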

Core Features of Wireshark

Now that you have a good grasp of Wireshark basics, let's look at some core features. With Wireshark, you can:

  • Identify security threats and malicious activity on a network
  • Observe network traffic for debugging complex networks
  • Filter traffic based on protocols, ports, and other parameters
  • Capture packets and save them to a pcap (or pcapng) file for offline analysis
  • Apply coloring rules to the packet list for better analysis
  • Export captured data to XML, CSV, or plain text files

Conclusion

Wireshark consistently ranks among the most widely used network security tools. With its simple yet powerful user interface, Wireshark is easy to learn and work with. It is a valuable asset in every penetration tester's toolkit.

Hope this article helped you to get a solid grasp of Wireshark. I recently wrote an article on the top 10 tools you should know as a cybersecurity engineer. Do check it out if you are into cybersecurity.

I regularly write about Machine Learning, Cyber Security, and DevOps. You can signup for my weekly newsletter here.

Translated from: https://www.freecodecamp.org/news/how-to-use-wireshark-packet-analyzer/
