Ethical.Hacking.2021.10:ANALYZING CAPTURED TRAFFIC

Wireshark and TCPDump

Recap of the five-layer TCP/IP model

See every router your packets pass through by using the traceroute tool.

ex: traceroute www.virginia.edu


Viewing Packets in Wireshark

Here is the structure of a Wireshark filter:
[Protocol].[header/field] [operator: +,==,!=] [value]
ex: ip.src == 192.168.1.101

Wireshark also allows you to filter packets based on their content.

Find packets that contain terms like password, email, or @virginia. For example, you can search all TCP packets for the term login using the following filter:

ex: tcp contains login

Wireshark lets you reconstruct this data from a packet stream by clicking a packet and selecting Follow ▶ TCP Stream.

Result: (screenshot)

Port 80 is almost always used for HTTP communication, whereas port 443 is commonly used for encrypted HTTPS traffic.
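To show what the `tcp contains login` filter and Follow ▶ TCP Stream actually do under the hood, here is an added example (not code from the book or from Wireshark) that reads a pcap file with only the standard library. The capture, the hosts 192.168.1.101 / 10.0.0.80 and the HTTP login are constructed in the script itself; `tcp_contains` reports which records carry a byte string, and `follow_tcp_stream` reassembles one connection's payload in sequence order, the way Wireshark's stream view does for plaintext port-80 traffic.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame: no options, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 = IPv4

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap v2.4, link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP record in a pcap file."""
    offset = 24
    while offset < len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip non-IPv4 and non-TCP records
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # 14-byte Ethernet header + IHL*4 bytes of IP header
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # TCP data offset skips the header and any options
        yield ".".join(map(str, frame[26:30])), sport, ".".join(map(str, frame[30:34])), dport, seq, payload

def tcp_contains(data, needle):
    """Offline equivalent of the display filter `tcp contains <needle>`: indexes of matching records."""
    return [i for i, pkt in enumerate(parse_pcap(data)) if needle in pkt[5]]

def follow_tcp_stream(data, client, server):
    """Offline 'Follow TCP Stream': each direction's payload, reassembled by sequence number."""
    sides = defaultdict(list)
    for src, sport, dst, dport, seq, payload in parse_pcap(data):
        side = {(client, server): "client", (server, client): "server"}.get(((src, sport), (dst, dport)))
        if side:
            sides[side].append((seq, payload))
    return {side: b"".join(p for _, p in sorted(segs)) for side, segs in sides.items()}

# Constructed sample: a plaintext HTTP login stored out of order, plus one unrelated port-443 segment.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.80", "192.168.1.101", 80, 40000, 5000, b"HTTP/1.1 302 Found\r\n\r\n"),
    build_frame("192.168.1.101", "10.0.0.80", 40000, 80, 1044, b"user=alice&password=hunter2"),
    build_frame("192.168.1.101", "10.0.0.80", 40000, 80, 1000, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("192.168.1.101", "10.0.0.5", 40001, 443, 1, b"\x16\x03\x01 tls, not plaintext"),
])
```

Running `tcp_contains(SAMPLE_PCAP, b"login")` returns `[2]`, and `follow_tcp_stream(SAMPLE_PCAP, ("192.168.1.101", 40000), ("10.0.0.80", 80))["client"]` yields the request and the credentials in order even though the file stores them reversed; the same functions work on a real capture read with `open("file.pcap", "rb").read()`.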

On the pfSense host, open a shell.

Enter the tcpdump command; its output is explained below.

Capture only TCP packets on port 443 (-n disables name resolution; tcpdump options go before the filter expression):

ex: tcpdump -n tcp port 443

Instead of displaying the packets in the terminal, you can also write them to a file that you then analyze in Wireshark (-c sets the number of packets to capture; -s is the snapshot length in bytes, not a packet count):
tcpdump -i <interface> -c <number of packets to capture> -w <file.pcap>
For instance, on pfSense the interface might be em0.

Once you've collected the data, you can open the file in Wireshark. Analyzing these traces by hand can be very tedious.
Online tools like https://packettotal.com will analyze .pcap files for you and flag suspicious activity.

Log in to pfSense by entering the router's IP address into the URL bar.

The username is admin and the password is pfsense.

Once logged in you can configure things such as DNS (I spent ages doing this on the command line, only to find there was a web interface).

Click Status and select Dashboard from the drop-down menu.

For example, click the plus icon and select Traffic graphs to add a real-time traffic graph.

Exercise:

Download the Wireshark capture of our ARP spoofing attack (arpspoof.pcap) from this book's GitHub page at https://github.com/The-Ethical-Hacking-Book/ARP-pcap-files.

Find other packet captures to analyze by visiting https://www.netresec.com/index.ashx?page=PcapFiles.
