Wireshark: Getting Started

This article is based on Computer Networking: A Top-Down Approach (the Wireshark lab "Getting Started").

packet sniffer

  • The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer.
  • A packet sniffer passively copies (sniffs) messages being sent from and received by your computer; it also displays the contents of the various protocol fields of these captured messages.
    • A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself.
    • Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on your machine.

As shown in the figure, a packet sniffer has two parts: the packet capture library copies the frames passing over the link layer so that all traffic on the chosen link can be observed; the packet analyzer then displays the contents of every field in the protocol messages.


  • Wireshark is a free packet sniffer that runs on Windows, Linux/Unix, and Mac computers. It operates in computers using Ethernet, serial (PPP), 802.11 (WiFi) wireless LANs, and many other link-layer technologies.

Wireshark itself is the packet analyzer; when installing Wireshark you can tick the option to install the packet capture library (pcap) alongside it.

Getting Wireshark

Running Wireshark

  • The Capture section of the start-up screen lists the available interfaces. My computer currently has one WLAN interface; double-clicking it starts capturing every frame on that interface (each frame is then decoded into the corresponding protocols).
  • Click the small red square in the top-left corner to stop the capture.
  • command menus
    • The File menu allows you to save captured packet data or open a file containing previously captured packet data and exit the Wireshark application.
    • The Capture menu allows you to begin packet capture.
  • The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; note that this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet.
    • The packet listing can be sorted according to any of these categories by clicking on a column name.
    • The protocol type field lists the highest-level protocol that sent or received this packet.
    • By default, the value of the Time column in the packet-listing window is the amount of time, in seconds, since Wireshark tracing began. To display the Time field in time-of-day format, select the Wireshark View pull-down menu, then select Time Display Format, then select Time-of-day.
  • The packet-header details window provides details about the packet selected in the packet-listing window. These details include information about the Ethernet frame and IP datagram that contains this packet. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed. Finally, details about the highest-level protocol that sent or received this packet are also provided.
  • The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
  • Towards the top of the Wireshark graphical user interface, is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows).

Taking Wireshark for a Test Run

In the example below, we’ll use the packet-display filter field to have Wireshark hide packets except those that correspond to HTTP messages. Do the following:

  1. Select the Capture pull-down menu and select Interfaces. This will cause the “Wireshark: Capture Interfaces” window to be displayed.
  2. Start up your favorite web browser, which will use the HTTP protocol to download content from a website.
  3. While Wireshark is running, enter the URL: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page displayed in your browser. In order to display this page, your browser will contact the HTTP server at gaia.cs.umass.edu and exchange HTTP messages with the server in order to download this page. The Ethernet or WiFi frames containing these HTTP messages will be captured by Wireshark.
  4. After your browser has displayed the INTRO-wireshark-file1.html page (it is a simple one line of congratulations), stop Wireshark packet capture. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities! The HTTP message exchanges with the gaia.cs.umass.edu web server should appear somewhere in the listing of packets captured. But there will be many other types of packets displayed as well.
  5. Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in Wireshark) into the display filter specification window at the top of the main Wireshark window. Then select Apply or just hit return. This will cause only HTTP messages to be displayed in the packet-listing window.
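To make the two halves of a sniffer concrete (the capture library hands over raw link-layer frames; the analyzer decodes the protocol fields, builds the one-line packet listing and applies the “http” display filter), here is an added illustration in Python that is not part of the textbook lab or of Wireshark. The frames are constructed inline rather than captured, the IP and MAC addresses are placeholders, and above the transport layer the decoder recognises only HTTP request/status lines.

```python
import struct

# Constructed sample traffic (not captured from the page's lab): one HTTP GET over TCP
# and one UDP datagram, each wrapped in Ethernet II + IPv4 headers. Addresses are placeholders.
def build_frame(src_ip, dst_ip, proto, l4):
    """Wrap an L4 segment in minimal Ethernet II and IPv4 headers (IP checksum left as 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_hdr + l4

HTTP_GET = struct.pack("!HHIIHHHH", 51234, 80, 1, 1, 0x5018, 65535, 0, 0) + \
    b"GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\nHost: gaia.cs.umass.edu\r\n\r\n"
DNS_QUERY = struct.pack("!HHHH", 53000, 53, 8 + 12, 0) + b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
FRAMES = [build_frame("192.0.2.10", "203.0.113.80", 6, HTTP_GET),
          build_frame("192.0.2.10", "192.0.2.1", 17, DNS_QUERY)]

def parse_frame(frame):
    """Decode the headers the packet-header details window shows; innermost protocol last."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    p = {"protocols": ["eth"], "eth.src": src.hex(":"), "eth.dst": dst.hex(":")}
    if ethertype != 0x0800:                       # only IPv4 is decoded here
        return p
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    p["protocols"].append("ip")
    p["ip.src"], p["ip.dst"] = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    l4 = ip[ihl:total_len]
    if proto == 17:                               # UDP: fixed 8-byte header
        p["protocols"].append("udp")
        p["udp.srcport"], p["udp.dstport"] = struct.unpack("!HH", l4[:4])
    elif proto == 6:                              # TCP: data offset is the high nibble of byte 12
        p["protocols"].append("tcp")
        p["tcp.srcport"], p["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
        # Wireshark labels a segment "http" when its TCP payload parses as a request/status line
        if payload[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"):
            p["protocols"].append("http")
            p["http.request.line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return p

def display_filter(frames, protocol):
    """The display-filter field: keep only packets whose decoded stack contains `protocol`."""
    return [p for p in map(parse_frame, frames) if protocol in p["protocols"]]

def packet_list(frames):
    """One-line summary per packet: number (assigned here, not from any header), src, dst, protocol."""
    return [(i + 1, p.get("ip.src"), p.get("ip.dst"), p["protocols"][-1].upper())
            for i, p in enumerate(map(parse_frame, frames))]
```

Calling `packet_list(FRAMES)` gives the two-row listing with HTTP and UDP as the highest-level protocol column, and `display_filter(FRAMES, "http")` keeps only the first frame, exactly as typing “http” into the filter field does.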