---
title: Wireshark
tags:
---

# wireshark

Wireshark -> open the PCAP; the bottom-right corner shows the TCP plain; right-click -> Conversation Filter -> TCP

---

### Questions for this assignment

1. How many packets were captured in this trace file?
   The green arrow on the top toolbar; the count is in the bottom-right corner.
2. What protocol does packet number 8 contain? (The highest-layer protocol)
   HTTP
3. If you just installed Wireshark for the first time, what is the name of the profile you are using? (bottom right corner)
   profile: default
4. Look at packet number one - what is the source IP address in this packet?
   192.168.56.102
5. What is the source TCP port in this same packet?
   39294
6. What TCP flag is set in this packet?
   Transmission Control Protocol -> Flags -> SYN
7. What is the frame number of the next packet in this TCP conversation?
   Right-click -> Conversation Filter -> TCP
   6
8. Can you set a filter for this TCP conversation? How many packets do you get?
   51

---

## Customize your Wireshark interface

:::info
### Wireshark profile
:::

### Create a new profile
Besides the default profile, you can add a custom profile from the bottom-left corner.
![](https://i.imgur.com/rI44V5d.png)

:::info
### Change time
:::

### macOS
View -> Time Display Format -> Seconds Since First Captured Packet
![](https://i.imgur.com/V6MganN.png)

:::info
### Add a new time column
:::

### Add a new column for delta time
### Windows: View -> Preferences
### macOS: Wireshark -> Preferences -> Appearance
![](https://i.imgur.com/lKQ7L66.png)
-> Columns: add a column with the type "Delta time displayed"
![](https://i.imgur.com/SaqS64b.png)

:::info
### Add TTL packet column
:::
Select a packet, expand Internet Protocol Version 4, right-click the TTL field -> Apply as Column
![](https://i.imgur.com/qebAk21.png)
![](https://i.imgur.com/sKDpeHd.png)

:::info
### Remove background color
:::
![](https://i.imgur.com/w8Mr2p0.png)

:::info
### Filter TCP SYNs
:::
Add the filter as a new filter button (label)
![](https://i.imgur.com/k9fC5fo.png)
More detail is shown at the bottom
![](https://i.imgur.com/8C1HfAL.png)

:::info
### Coloring rule: custom TCP SYNs color
:::
Copy `tcp.flags.syn==1`
![](https://i.imgur.com/PH1sUVk.png)
![](https://i.imgur.com/tkVwg7e.png)

:::info
### Adjusting the Screen Layout
:::
Wireshark -> Preferences -> Layout
![](https://i.imgur.com/1iqTjmE.png)
Change one pane to Packet Diagram: it visualizes the data
![](https://i.imgur.com/VFxrBOx.png)

## Assignment

### Questions for this assignment

#### 1. Add a coloring rule that will make your tcp FIN packets blue. What filter will you use to do that?
TCP SYN marks the beginning of a connection; TCP FIN marks the end.
1. `tcp.flags.fin==1`
![](https://i.imgur.com/N6fFcTK.png)
2. Add a coloring rule
![](https://i.imgur.com/JowjNJX.png)
![](https://i.imgur.com/apaiHDX.png)
Adjust the order of the rules
![](https://i.imgur.com/xXW0uQK.png)
![](https://i.imgur.com/cSN68g1.png)
Now TCP FIN packets are clearly distinguishable
![](https://i.imgur.com/855c7qo.png)

#### 2. Select packet number 1. Can you find the TCP segment length? Add this value as a column. Enter "done" in the answer field below when finished.
![](https://i.imgur.com/Mp90q1s.png)
![](https://i.imgur.com/uhyKFzn.png)
Right-click a column header to temporarily change which columns are displayed, or to rename them
![](https://i.imgur.com/qdMsaZi.png)

#### 3. It would be nice to have a button that quickly filters for all TCP Errors. See if you can find the TCP Retransmission we were looking at earlier. How can you filter for all TCP errors in the trace file? What is this filter?
![](https://i.imgur.com/ZoeePNV.png)
`tcp.analysis.flags`
Add it as a filter button
![](https://i.imgur.com/i5Sc3NR.png)

#### 4. Add the TCP Errors filter as a button in this profile. Enter "done" below when finished.

#### 5. It can be a little overkill to see timestamps all the way to the nanosecond. Using the View | Time Display Format menu option, can you see how to configure Wireshark to only display to the microsecond? Make this change in this profile and type "done" below.
![](https://i.imgur.com/DGUMeel.png)
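The following is an added example, not part of the original note or of Wireshark itself. It shows what the GUI steps above (packet count, source IP/port/flags of frame 1, the TCP conversation filter, the `tcp.flags.syn==1` / `tcp.flags.fin==1` coloring filters, the TTL and TCP segment length columns, delta time, and a retransmission as one of the conditions behind `tcp.analysis.flags`) compute under the hood, by parsing a libpcap file with only the Python standard library. The capture is constructed in memory: the client address and port mirror the note's frame-1 answers, the server is an RFC 5737 documentation address, and all function and field names are this example's own. The retransmission check is a deliberately simple approximation of Wireshark's richer `tcp.analysis` heuristics, and the conversation filter string is the `ip.addr`/`tcp.port` form; newer Wireshark releases may show `tcp.stream eq N` instead.

```python
"""Added example (not from the original note): answer the note's Wireshark
questions on a constructed libpcap capture using only the standard library."""
import struct
from collections import namedtuple

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
# One parsed TCP frame; number is Wireshark's 1-based frame number,
# ttl backs the "TTL column" and payload_len the "TCP segment length" column.
Frame = namedtuple("Frame", "number ts src dst sport dport ttl flags seq payload_len")

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_frame(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet II + IPv4 + TCP with zero checksums (Wireshark still dissects it)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp

def build_pcap(records):
    """Classic libpcap: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, data in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def parse_pcap(blob):
    """Minimal libpcap reader for Ethernet/IPv4/TCP; other records are skipped."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off, number, frames = 24, 0, []
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        data, off, number = blob[off + 16:off + 16 + caplen], off + 16 + caplen, number + 1
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:  # not IPv4/TCP
            continue
        ip = data[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
        frames.append(Frame(number, sec + usec / 1e6,
                            ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                            sport, dport, ip[8], flags, seq, len(tcp) - (doff >> 4) * 4))
    return frames

def flag_names(flags):
    return [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("PSH", PSH), ("ACK", ACK)) if flags & bit]

def conversation_filter(f):
    """The ip.addr/tcp.port form Conversation Filter -> TCP puts in the filter bar."""
    return f"ip.addr=={f.src} && tcp.port=={f.sport} && ip.addr=={f.dst} && tcp.port=={f.dport}"

def same_conversation(a, b):
    return {(a.src, a.sport), (a.dst, a.dport)} == {(b.src, b.sport), (b.dst, b.dport)}

def retransmissions(frames):
    """Rough stand-in for tcp.analysis.retransmission (one condition behind
    tcp.analysis.flags): a data segment repeating a (direction, seq) already seen."""
    seen, hits = set(), []
    for f in frames:
        key = (f.src, f.sport, f.dst, f.dport, f.seq)
        if f.payload_len and key in seen:
            hits.append(f.number)
        if f.payload_len:
            seen.add(key)
    return hits

def build_sample_capture():
    """Constructed traffic, not a real trace: client 192.168.56.102:39294 (the note's
    frame-1 answers) talking to an RFC 5737 documentation address on port 80."""
    c, s, cp, sp = "192.168.56.102", "203.0.113.10", 39294, 80
    req = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    return build_pcap([
        (10.000000, build_frame(c, s, cp, sp, SYN, 1000, 0)),
        (10.000100, build_frame(s, c, sp, cp, SYN | ACK, 5000, 1001)),
        (10.000200, build_frame(c, s, cp, sp, ACK, 1001, 5001)),
        (10.000300, build_frame(c, s, cp, sp, PSH | ACK, 1001, 5001, req)),
        (10.300300, build_frame(c, s, cp, sp, PSH | ACK, 1001, 5001, req)),  # retransmit
        (10.300400, build_frame(s, c, sp, cp, ACK, 5001, 1001 + len(req))),
        (10.300500, build_frame(c, s, cp, sp, FIN | ACK, 1001 + len(req), 5001)),
    ])

def report(frames):
    """The note's answers, computed: count, frame-1 fields, conversation, filters, delta time."""
    first = frames[0]
    conv = [f.number for f in frames if same_conversation(first, f)]
    return {
        "packets": len(frames),
        "frame1": (first.src, first.sport, first.ttl, flag_names(first.flags)),
        "conversation_filter": conversation_filter(first),
        "next_in_conversation": conv[1] if len(conv) > 1 else None,
        "conversation_size": len(conv),
        "tcp.flags.syn==1": [f.number for f in frames if f.flags & SYN],
        "tcp.flags.fin==1": [f.number for f in frames if f.flags & FIN],
        "retransmissions": retransmissions(frames),
        "delta_time": [round(b.ts - a.ts, 6) for a, b in zip(frames, frames[1:])],
    }
```

Calling `report(parse_pcap(build_sample_capture()))` returns the same items the note reads off the GUI: 7 packets, frame 1 from 192.168.56.102:39294 with TTL 64 and only SYN set, frame 2 as the next packet in the conversation, frames 1 and 2 matching `tcp.flags.syn==1` (the SYN/ACK has the SYN bit set too, which is why that coloring rule also paints the server's reply), frame 7 matching `tcp.flags.fin==1`, frame 5 flagged as a retransmission, and a 0.3 s gap in the delta-time column in front of it. Reading a real file is `parse_pcap(open("trace.pcap", "rb").read())`, as long as it is a classic little-endian microsecond pcap rather than pcapng.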