# Wireshark

[wireshark man pages](https://www.wireshark.org/docs/man-pages/)

## SETTINGS

* profile: a set of configuration or settings (filtering, colors, ...)
  * create a new one
  * position: on the right corner
  * ![](https://hackmd.io/_uploads/Hk9lg9AFn.png)
* adjust column:
  * position: tool bar
  * ![](https://i.imgur.com/SmRFKxL.png)
* adjust layout:
  * [Edit] -> [Preferences] -> [Layout]
  * ![](https://i.imgur.com/BPCzdMs.png)
  * ![](https://i.imgur.com/LAV2Ujx.png)
  * visualization
* add column:
  * [Edit] -> [Preferences] -> [Columns]
  * add Delta time (the time between packets; useful for troubleshooting)
  * ![](https://i.imgur.com/ihHtBAp.png)
  * the meaning of the time value can be configured:
  * ![](https://i.imgur.com/HOGmuhC.png)
* color certain things:
  * tcp syn:
    * [View] -> [Coloring Rules]
    * name: `TCP SYN`, filter: `tcp.flags.syn==1`
    * background
    * :-1: move it to the row below the Bad TCP rule (coloring rules match top-down, so a retransmitted SYN would otherwise be colored green before the black Bad TCP rule)
    * refresh
* quick filtering (2 ways):
  1. ![](https://i.imgur.com/KIdVQvb.png)
  2. add button ![](https://i.imgur.com/1mX45EV.png)

## CAPTURE

* about wireshark
  * ![](https://i.imgur.com/5TqVAZx.png)
* capture option:
  * manage interfaces: (if there are too many interfaces, the unused ones can be removed first)
  * output:
    * pcap: packet capture
    * after `500` megabytes, start a new capture file:
      * name: test
      * time stamps
    * :-1: ring buffer: `10 files`
      * once 10 files of 500 megabytes have been captured, the oldest file is overwritten (so the files do not keep growing)
    * timestamps

## command line to capture

* dumpcap: Dumpcap is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file.
* set the environment variable (PATH): the directories in which the system looks for executables
* `dumpcap -h`: detailed information
* `dumpcap -D`: show interfaces
* `dumpcap -i [num]`: select which interface to capture from (the number comes from `-D`)
* `dumpcap -i [num] -w [path + filename]`: write to a file
* `dumpcap -b`: file size and number of files (ring buffer)
* `dumpcap -i 10 -w d:\Users\user\Downloads\sample.pcapng -b filesize:500000 -b files:10`

The above is the part taught on 7/14.

----------

## syntax

* port [num]: e.g. DNS port = 53 -> `port 53`
  * DNS:
  * ![](https://hackmd.io/_uploads/BJPor-Ws3.png)
* host [num]: e.g. an IPv4 or IPv6 address -> `host 192.0.2.1` or `host 2001:db8::1`
* tcp:
  * ![](https://hackmd.io/_uploads/rkgnuZZj3.png)
  * ![](https://hackmd.io/_uploads/HySBq-Wjh.png)
  * The handshake messages also carry a "sequence number" (seq) and an "acknowledgment number" (ack). Because a piece of data can be very large, and the IP protocol limits the maximum size of each packet, TCP uses the sequence number to keep track of each small piece after the data has been split.
  * The sequence number is sent along with the handshake, and the other side's reply contains the "acknowledgment number", i.e. the next sequence number it expects to receive; this ensures the packets are contiguous.
  * ![](https://hackmd.io/_uploads/BkvpOZbj2.png)
  * ![](https://hackmd.io/_uploads/BkzCO-bj2.png)
  * ![](https://hackmd.io/_uploads/Sy6COWZj2.png)
  * ![](https://hackmd.io/_uploads/SJoJF-Zsh.png)
  * ![](https://hackmd.io/_uploads/rJcgFW-jn.png)
  * [Reference 1](http://dns2.asia.edu.tw/~wzyang/slides/info_net/info_B/CH10TCP.pdf)
  * [Reference 2](https://ithelp.ithome.com.tw/m/articles/10274640)

---

capture filter

* `ip.addr == 10.52.20.69`
* quick filtering
  * ![](https://i.imgur.com/XsJlw3x.png)
  * ![](https://i.imgur.com/7mHos29.png)
* message area:
  * ![](https://i.imgur.com/NjJ2AVL.png)
  * ![](https://i.imgur.com/2kw8wnu.png)
* [!] or [not]
  * ![](https://i.imgur.com/P4eldQp.png)
* grouping
  * ![](https://i.imgur.com/b8Z6OUd.png)
* string
  * `frame contains "google"`
    * ![](https://i.imgur.com/UQmtkyG.png)
    * case-sensitive
  * `frame matches "Google"`
    * case-insensitive

---

## Name Resolution

* ![](https://i.imgur.com/ncGYi8O.png) [v] Resolve transport names
* ![](https://i.imgur.com/eJaTxPo.png) `show transport names`
* ![](https://i.imgur.com/e2Oz3ea.png) [v] Resolve network (IP) addresses
* ![](https://i.imgur.com/x6rOBsb.png)
* ![](https://i.imgur.com/ROGHeVq.png)
* ![](https://i.imgur.com/d0QL4sK.png)
* if the pcapng is sent to someone else, the custom names are carried along with it
* how to store an edited resolved name in the profile
  * :::warning
    ![](https://i.imgur.com/UhH5QvH.png)
    <not found>
    :::
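To make the Delta time column, the `TCP SYN` coloring rule (`tcp.flags.syn==1`) and the seq/ack relationship from the tcp section concrete, here is an added example (not part of the original notes and not Wireshark code) that builds a small constructed pcap of a three-way handshake in pure Python and recomputes those values from the raw bytes. The classic little-endian pcap layout, the Ethernet/IPv4/TCP field offsets, and the sample addresses are assumptions of the example; checksums are left at zero.

```python
import struct
from typing import Dict, List, Tuple

def build_tcp_frame(src: str, dst: str, sport: int, dport: int,
                    seq: int, ack: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; dummy MACs and zero checksums (not validated here)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                      # EtherType IPv4
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,      # IHL 5, total len 40, proto 6 = TCP
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip4 + tcp

def build_pcap(records: List[Tuple[int, bytes]]) -> bytes:
    """Classic little-endian pcap (magic a1b2c3d4, link type 1 = Ethernet); timestamps in microseconds."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_us, frame in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame)) + frame
    return out

def parse_pcap(data: bytes) -> List[Dict]:
    """One row per TCP frame: the Delta time column plus the tcp.flags.syn==1 coloring rule."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled in this example")
    rows, off, prev_us = [], 24, None
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ts_us = sec * 1_000_000 + usec
        delta_us = 0 if prev_us is None else ts_us - prev_us     # frame.time_delta: gap to the previous frame
        prev_us = ts_us
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
            continue                                             # not IPv4/TCP: skip, but the delta still counts
        ihl = (frame[14] & 0x0F) * 4
        sport, dport, seq, ack, _off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
        rows.append({"delta_us": delta_us,
                     "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
                     "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "syn_rule": bool(flags & 0x02),   # tcp.flags.syn==1 matches SYN and SYN/ACK alike
                     "ack_flag": bool(flags & 0x10)})
    return rows

# Constructed three-way handshake, 500 us apart: client 10.52.20.69 (the address used in the filter above) to 192.0.2.1:443.
SAMPLE = build_pcap([
    (1_700_000_000_000_000, build_tcp_frame("10.52.20.69", "192.0.2.1", 51000, 443, 1000, 0, 0x02)),
    (1_700_000_000_000_500, build_tcp_frame("192.0.2.1", "10.52.20.69", 443, 51000, 5000, 1001, 0x12)),
    (1_700_000_000_001_000, build_tcp_frame("10.52.20.69", "192.0.2.1", 51000, 443, 1001, 5001, 0x10)),
])
```

Note that the `syn_rule` column is true for the SYN/ACK as well, which is why the page places the `TCP SYN` rule below Bad TCP rather than relying on it to single out client SYNs.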