Download and install
- https://www.wireshark.org/#download
- Mac, via Homebrew:
- brew install --cask wireshark
- Command-line UI: brew install termshark
- Linux
- Ubuntu: apt install wireshark wireshark-cli
- CentOS: yum install wireshark wireshark-qt
HTTPS capture setup
- For app traffic, use Charles
- Chrome on a PC (HTTPS): start Chrome with a TLS key log file, then point Wireshark at that file
sudo /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-key-log-file=/Users/`whoami`/sslkeylog.log --ignore-certificate-errors
chmod +x /Users/`whoami`/sslkeylog.log   # the key log only needs to be readable by the user running Wireshark
Open Preferences->Protocols->TLS and paste /Users/[yourName]/sslkeylog.log into (Pre)-Master-Secret log filename
Select a packet, then right-click Follow->HTTP/2 [HTTP] Stream
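Before pointing Wireshark at the key log it is worth checking that the browser actually wrote usable lines to it: an empty file, or a file holding only TLS 1.2 CLIENT_RANDOM lines while the site negotiated TLS 1.3, is the usual reason decryption silently does nothing. The validator below is an added example and not part of the original notes. It parses the NSS key log format that Chrome, Firefox and curl write and Wireshark reads, counts usable lines per label, reports malformed ones, and says which TLS versions the file can decrypt. The sample key log embedded in it is constructed; pass a real path on the command line to check your own file.

```python
import re
import sys
from collections import Counter
from typing import List, Set, Tuple

# NSS key log format, as written by Chrome, Firefox, curl and OpenSSL and read by
# Wireshark. One line per secret: <label> <client random, 32 bytes hex> <secret hex>.
# TLS 1.2 gives a single CLIENT_RANDOM line holding the 48-byte master secret;
# TLS 1.3 gives one line per traffic secret (32 or 48 bytes, the hash length of
# the cipher suite). Decrypting TLS 1.3 traffic needs those traffic-secret lines.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TRAFFIC_SECRET_N = re.compile(r"^(CLIENT|SERVER)_TRAFFIC_SECRET_\d+$")  # after key updates
HEX = re.compile(r"^[0-9a-fA-F]+$")


def known_label(label: str) -> bool:
    return label in TLS12_LABELS or label in TLS13_LABELS or bool(TRAFFIC_SECRET_N.match(label))


def check_keylog(text: str) -> Tuple[Counter, List[str]]:
    """Return (number of usable lines per label, list of problems found)."""
    labels: Counter = Counter()
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        fields = line.split()
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(fields)}")
            continue
        label, client_random, secret = fields
        if not known_label(label):
            problems.append(f"line {lineno}: unknown label {label}")
            continue
        if not (HEX.match(client_random) and len(client_random) == 64):
            problems.append(f"line {lineno}: client random must be 32 bytes of hex")
            continue
        if not (HEX.match(secret) and len(secret) % 2 == 0):
            problems.append(f"line {lineno}: secret is not valid hex")
            continue
        secret_len = len(secret) // 2
        expected = {48} if label in TLS12_LABELS else {32, 48}
        if secret_len not in expected:
            problems.append(f"line {lineno}: {label} secret is {secret_len} bytes, expected {sorted(expected)}")
            continue
        labels[label] += 1
    return labels, problems


def tls_versions_covered(labels: Counter) -> Set[str]:
    versions = set()
    if any(labels[l] for l in TLS12_LABELS):
        versions.add("TLS 1.2")
    if any(count and l not in TLS12_LABELS for l, count in labels.items()):
        versions.add("TLS 1.3")
    return versions


# Constructed sample (not a real key log): one TLS 1.2 session, one TLS 1.3
# session, then two lines that Wireshark would not be able to use.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "ef" * 32 + " " + "01" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "ef" * 32 + " " + "23" * 32,
    "CLIENT_RANDOM deadbeef " + "cd" * 48,          # client random too short
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 32,  # TLS 1.2 master secret must be 48 bytes
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYLOG
    labels, problems = check_keylog(text)
    print("usable lines per label:", dict(labels))
    print("versions this file can decrypt:", tls_versions_covered(labels) or "none")
    for p in problems:
        print("problem:", p)
```

If the file is non-empty but every line is flagged, the browser is writing a format Wireshark does not read; if it is empty, the browser process was not started with the key log option at all (a Chrome that was already running reuses the existing process, so quit it fully first).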
Customization
- Time format: View->Time Display Format->Date and Time of Day
- Custom colors: View->Coloring Rules. Toggle packet coloring: View->Colorize Packet List
- Protocol settings: Preferences->Protocols. For example, TCP sequence numbers can be shown as relative values (Relative sequence numbers)
- Filtering with the mouse: select a packet, right-click->Prepare a Filter->Selected
- Wireshark analysis tools: the Analyze menu
Principles
- How a packet sniffer works
- Collection: it gathers raw binary data off the wire. Normally this is done by putting the chosen network card into promiscuous mode, in which the card captures all traffic on its network segment rather than only the packets addressed to it
- Conversion: the captured binary data is converted into a readable form
- Analysis
Promiscuous mode: a driver mode that lets a network card see every packet passing over the wire. In promiscuous mode the card passes every packet it sees to the host processor, regardless of the packet's destination address
- Basic ways to capture a target device's traffic on a switched network:
- Port mirroring: have the switch mirror all traffic from one port to another port
- Hubbing out
- Network tap: placed between two endpoints to capture the traffic between them
- ARP cache poisoning
Capture filters (BPF syntax)
- Adding rules: Capture Options->Capture Filters
- Operators: && || !
- BPF qualifiers
- Type: host, net, port; says what kind of thing the name or number refers to
- Dir: src, dst; specifies the direction of transfer
- Proto: ether, ip, tcp, udp, http, ftp
- Host name and address filters
- All traffic involving 1.1.1.1: host 1.1.1.1
- Filter by MAC address: ether host <MAC address>
- Traffic from 1.1.1.1: src host 1.1.1.1
- Traffic to 1.1.1.1: dst host 1.1.1.1
- Port filters
- All traffic on port 8080: port 8080
- All traffic not on port 8080: !port 8080
- Traffic to port 80: dst port 80
- Protocol filters
- Protocol field filters
- Destination unreachable: icmp[0]=3
- Destination unreachable, host unreachable: icmp[0:2]==0x0301
- FIN flag set: tcp[13]&1==1
- SYN flag set: tcp[13]&2==2
- RST flag set: tcp[13]&4==4
- PSH flag set: tcp[13]&8==8
- ACK flag set: tcp[13]&16==16
- URG flag set: tcp[13]&32==32
- SYN-ACK packets: tcp[13]==18
- Broadcast traffic: broadcast
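As an added example (not from the original notes), the following Python script shows what the protocol-field filters above actually test: `tcp[13]` is the byte at offset 13 of the TCP header, where the flag bits live, and `icmp[0:2]` is a two-byte big-endian read starting at the ICMP type field. It builds constructed TCP and ICMP headers with struct, evaluates each filter expression from the list against them, and demonstrates one caveat worth knowing: `tcp[13]==18` matches only a header whose flag byte is exactly SYN+ACK, so a SYN-ACK that also carries the ECE bit (ECN negotiation, RFC 3168) slips past it, while `tcp[13]&18==18` catches both.

```python
import struct

# Flag bits in byte 13 of the TCP header: the low six are FIN..URG (RFC 793),
# the top two are ECE and CWR (RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header: no options, checksum left at zero."""
    data_offset = 5 << 12  # header length of 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, window, 0, 0)


def build_icmp_header(icmp_type, code):
    """Constructed 8-byte ICMP header: type, code, checksum (zero), rest-of-header."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def bpf_load(header: bytes, offset: int, size: int = 1) -> int:
    """What BPF's proto[offset:size] reads: an unsigned big-endian value
    at a byte offset from the start of that protocol's header."""
    return int.from_bytes(header[offset:offset + size], "big")


def flag_names(tcp_header: bytes):
    byte13 = bpf_load(tcp_header, 13)
    return [name for bit, name in FLAG_NAMES.items() if byte13 & bit]


# The filters from the list above, written as the test BPF performs. The
# parentheses are deliberate: BPF and Python bind & tighter than ==, C does
# the opposite, so a C programmer reading "tcp[13]&2==2" may misparse it.
TCP_FILTERS = {
    "tcp[13]&1==1":   lambda t: (bpf_load(t, 13) & FIN) == FIN,
    "tcp[13]&2==2":   lambda t: (bpf_load(t, 13) & SYN) == SYN,
    "tcp[13]&4==4":   lambda t: (bpf_load(t, 13) & RST) == RST,
    "tcp[13]&8==8":   lambda t: (bpf_load(t, 13) & PSH) == PSH,
    "tcp[13]&16==16": lambda t: (bpf_load(t, 13) & ACK) == ACK,
    "tcp[13]&32==32": lambda t: (bpf_load(t, 13) & URG) == URG,
    "tcp[13]==18":    lambda t: bpf_load(t, 13) == 18,           # exactly SYN+ACK, nothing else
    "tcp[13]&18==18": lambda t: (bpf_load(t, 13) & 18) == 18,   # SYN+ACK, other bits ignored
}
ICMP_FILTERS = {
    "icmp[0]=3":         lambda i: bpf_load(i, 0) == 3,           # type 3: destination unreachable
    "icmp[0:2]==0x0301": lambda i: bpf_load(i, 0, 2) == 0x0301,  # type 3, code 1: host unreachable
}


def matching(filters, header):
    """Names of the filters in `filters` that the given header satisfies."""
    return [expr for expr, test in filters.items() if test(header)]


if __name__ == "__main__":
    syn_ack = build_tcp_header(443, 63070, 1000, 2000, SYN | ACK)
    ecn_syn_ack = build_tcp_header(443, 63070, 1000, 2000, SYN | ACK | ECE)
    for name, hdr in [("SYN-ACK", syn_ack), ("SYN-ACK with ECE", ecn_syn_ack)]:
        print(name, flag_names(hdr), matching(TCP_FILTERS, hdr))
    print("host unreachable:", matching(ICMP_FILTERS, build_icmp_header(3, 1)))
```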
Display filters
- Adding rules: Analyze->Display Filters
- TCP packets with the SYN flag set: tcp.flags.syn==1
Statistics
- Look up a site's registration info: whois google.com
- Per-endpoint traffic: Statistics->Endpoints
- Per-conversation traffic: Statistics->Conversations
- Breakdown by protocol layer: Statistics->Protocol Hierarchy
- Packet length distribution: Statistics->Packet Lengths
- Throughput I/O graph: Statistics->I/O Graphs
- Round-trip time graph: Statistics->TCP Stream Graph->Round Trip Time Graph
- RTT: the time it takes to receive the acknowledgment for a packet; in plain terms, the time for your packet to reach its destination plus the time for its acknowledgment to come back
- The RTT graph is one-directional; use the Switch Direction button to swap. To measure request time, capture on the local side; to measure response time, capture on the server
- Flow graph: Statistics->Flow Graph
Command line
tshark -D                                      # list the capture interfaces and their numbers
tshark -i 1 -w packets.pcap                    # capture on interface 1 into a file
tcpdump -i eth0 -w packets2.pcap
tshark -r packets.pcap                         # read a saved capture
tcpdump -r packets2.pcap
tshark -r packets.pcap -c10                    # stop after 10 packets
tcpdump -r packets2.pcap -c10
tshark -r packets.pcap -V -c10                 # full dissection of each packet
tcpdump -r packets2.pcap -c10 -vvv
tshark -xr packets.pcap -c1                    # hex and ASCII dump of the first packet
tcpdump -Xr packets2.pcap -c1
tshark -ni 1                                   # -n: disable all name resolution
tshark -i 1 -Ntm                               # -N: resolve only transport-layer (t) and MAC (m) names
tshark -i 1 -w packets.pcap -f "tcp port 80"   # -f: capture filter, BPF syntax
tshark -r packets.pcap -Y "tcp.dstport==80"    # -Y: display filter applied while reading the saved file
tcpdump -r packets2.pcap 'tcp port 80'
tshark -r packets.pcap -t ad                   # show absolute date and time of day
tshark -r packets.pcap -z conv,ip              # IP conversation statistics
Protocols
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface en6, id 0
Ethernet II, Src: Apple_ce:2d:da (38:f9:d3:ce:2d:da), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: Apple_ce:2d:da (38:f9:d3:ce:2d:da)
Sender IP address: 192.168.3.101
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.3.103
Frame 7: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface en6, id 0
Ethernet II, Src: 0e:35:e4:43:85:97 (0e:35:e4:43:85:97), Dst: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09)
Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: 0e:35:e4:43:85:97 (0e:35:e4:43:85:97)
Sender IP address: 192.168.3.103
Target MAC address: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09)
Target IP address: 192.168.3.100
- IPv6 fragmentation: ping6 -c 1 -s 3500 2408:8207:30e5:a9f0:c50:a971:7a50:bb8f (a 3500-byte payload does not fit in one 1500-byte Ethernet frame, so both the echo request and the reply are fragmented)
Frame 495: 1294 bytes on wire (10352 bits), 1294 bytes captured (10352 bits) on interface en0, id 0
Ethernet II, Src: Apple_ce:2d:da (38:f9:d3:ce:2d:da), Dst: Apple_a8:10:45 (f4:5c:89:a8:10:45)
Internet Protocol Version 6, Src: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc, Dst: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 1100 0000 0011 0000 0000 = Flow Label: 0xc0300
Payload Length: 1240
Next Header: Fragment Header for IPv6 (44)
Hop Limit: 64
Source Address: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc
Destination Address: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420
Fragment Header for IPv6
Next header: ICMPv6 (58)
Reserved octet: 0x00
0000 0100 1101 0... = Offset: 154 (1232 bytes)
.... .... .... .00. = Reserved bits: 0
.... .... .... ...1 = More Fragments: Yes
Identification: 0x24b788a6
[Reassembled IPv6 in frame: 496]
Data (1232 bytes)
Frame 497: 1510 bytes on wire (12080 bits), 1510 bytes captured (12080 bits) on interface en0, id 0
Ethernet II, Src: Apple_a8:10:45 (f4:5c:89:a8:10:45), Dst: Apple_ce:2d:da (38:f9:d3:ce:2d:da)
Internet Protocol Version 6, Src: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420, Dst: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 1456
Next Header: Fragment Header for IPv6 (44)
Hop Limit: 64
Source Address: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420
Destination Address: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc
Fragment Header for IPv6
Next header: ICMPv6 (58)
Reserved octet: 0x00
0000 0101 1010 1... = Offset: 181 (1448 bytes)
.... .... .... .00. = Reserved bits: 0
.... .... .... ...1 = More Fragments: Yes
Identification: 0xac248c44
Data (1448 bytes)
Frame 498: 674 bytes on wire (5392 bits), 674 bytes captured (5392 bits) on interface en0, id 0
Ethernet II, Src: Apple_a8:10:45 (f4:5c:89:a8:10:45), Dst: Apple_ce:2d:da (38:f9:d3:ce:2d:da)
Internet Protocol Version 6, Src: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420, Dst: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 620
Next Header: Fragment Header for IPv6 (44)
Hop Limit: 64
Source Address: 2408:8207:30e5:a9f0:cf3:9eac:cec9:3420
Destination Address: 2408:8207:30e5:a9f0:20:4be6:27d9:51dc
Fragment Header for IPv6
Next header: ICMPv6 (58)
Reserved octet: 0x00
0000 1011 0101 0... = Offset: 362 (2896 bytes)
.... .... .... .00. = Reserved bits: 0
.... .... .... ...0 = More Fragments: No
Identification: 0xac248c44
Data (612 bytes)
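The three reply fragments above (offsets 0, 181 and 362 in 8-byte units, the last one with More Fragments: No) can be decoded and reassembled with a few lines of code. The script below is an added example, not from the original notes: it parses the 8-byte Fragment extension header shown in the dumps, rebuilds the datagram from a constructed 3508-byte payload (an 8-byte ICMPv6 header plus the 3500 bytes sent by the ping6 command; the byte values themselves are made up) split exactly as the page's frames are, and refuses overlapping fragments as RFC 5722 requires. The identification value 0xac248c44 is taken from the dump.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_NH_FRAGMENT = 44  # Next Header value announcing a Fragment header
IPV6_NH_ICMPV6 = 58    # Next Header value inside the Fragment header above


@dataclass
class FragmentHeader:
    next_header: int      # protocol of the reassembled payload (58 = ICMPv6 here)
    offset_units: int     # 13-bit fragment offset, in 8-byte units
    more_fragments: bool  # the M bit
    identification: int   # 32-bit id shared by every fragment of one datagram

    @property
    def offset_bytes(self) -> int:
        return self.offset_units * 8


def parse_fragment_header(data: bytes) -> FragmentHeader:
    """Decode the 8-byte Fragment extension header (RFC 8200 section 4.5)."""
    if len(data) < 8:
        raise ValueError("fragment header is 8 bytes")
    next_header, _reserved, offset_flags, ident = struct.unpack("!BBHI", data[:8])
    return FragmentHeader(next_header, offset_flags >> 3, bool(offset_flags & 1), ident)


def build_fragment_header(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def reassemble(fragments: List[Tuple[FragmentHeader, bytes]]) -> Optional[bytes]:
    """Return the reassembled payload, or None while fragments are still missing.
    Overlapping fragments are rejected outright (RFC 5722), because overlap is a
    classic way to confuse inspection devices into seeing different data than the host."""
    if len({h.identification for h, _ in fragments}) != 1:
        raise ValueError("fragments belong to different datagrams")
    expected = 0
    out = bytearray()
    total = None
    for hdr, payload in sorted(fragments, key=lambda f: f[0].offset_bytes):
        if hdr.offset_bytes < expected:
            raise ValueError(f"overlap at offset {hdr.offset_bytes}; drop the whole datagram")
        if hdr.offset_bytes > expected:
            return None  # hole before this fragment
        if hdr.more_fragments and len(payload) % 8:
            raise ValueError("non-final fragment payload is not a multiple of 8 bytes")
        out += payload
        expected += len(payload)
        if not hdr.more_fragments:
            total = expected
    return bytes(out) if total == len(out) else None


def reassemble_raw(raw_fragments: List[bytes]) -> Optional[bytes]:
    """Each blob is a Fragment header followed by that fragment's data."""
    return reassemble([(parse_fragment_header(b), b[8:]) for b in raw_fragments])


# Constructed datagram standing in for the echo reply on the page: 8-byte ICMPv6
# header + 3500 bytes of ping payload = 3508 bytes, split as frames 496-498 show.
ICMPV6_REPLY = bytes(i % 251 for i in range(3508))
REPLY_ID = 0xAC248C44  # Identification from the dump
REPLY_FRAGMENTS = [
    build_fragment_header(IPV6_NH_ICMPV6, 0, True, REPLY_ID) + ICMPV6_REPLY[0:1448],
    build_fragment_header(IPV6_NH_ICMPV6, 181, True, REPLY_ID) + ICMPV6_REPLY[1448:2896],
    build_fragment_header(IPV6_NH_ICMPV6, 362, False, REPLY_ID) + ICMPV6_REPLY[2896:],
]

if __name__ == "__main__":
    for blob in REPLY_FRAGMENTS:
        h = parse_fragment_header(blob)
        print(f"offset {h.offset_units} ({h.offset_bytes} bytes) more={h.more_fragments} "
              f"id=0x{h.identification:08x} data={len(blob) - 8} bytes")
    print("reassembled:", len(reassemble_raw(REPLY_FRAGMENTS)), "bytes")
```

Feeding the fragments in any order reassembles the same datagram; leaving one out returns None, which is the state Wireshark is in when it shows a fragment without a "[Reassembled IPv6 in frame: N]" line.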
- An HTTP capture may show only TCP: HTTP has gzip compression enabled, so the complete data only appears when you look at the full stream
TCP capture
View all expert notes for the capture: Analyze->Expert Information
- RST: a request to a service that does not exist
Frame 1890: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface en6, id 0
Ethernet II, Src: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09), Dst: TendaTec_46:fb:98 (c8:3a:35:46:fb:98)
Internet Protocol Version 4, Src: 192.168.3.100, Dst: 203.205.137.52
Transmission Control Protocol, Src Port: 63095, Dst Port: 443, Seq: 1, Len: 0
Source Port: 63095
Destination Port: 443
[Stream index: 32]
[Conversation completeness: Incomplete (35)]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 3992776559
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
0101 .... = Header Length: 20 bytes (5)
Flags: 0x004 (RST)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Warning/Sequence): Connection reset (RST)]
[Connection reset (RST)]
[Severity level: Warning]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·········R··]
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 64]
Checksum: 0xc132 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Community ID: 1:mSkFcZBYXOIr4LEhHDylRIPUsO8=]
- Out-of-order TCP (Out-Of-Order): packet 147 has seq 3901 while packet 148 has seq 2601, so they arrived out of order; packet 151 starts sending duplicate ACKs
Frame 147: 359 bytes on wire (2872 bits), 359 bytes captured (2872 bits) on interface en6, id 0
Ethernet II, Src: TendaTec_46:fb:98 (c8:3a:35:46:fb:98), Dst: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09)
Internet Protocol Version 4, Src: 103.235.46.39, Dst: 192.168.3.100
Transmission Control Protocol, Src Port: 443, Dst Port: 63070, Seq: 3901, Ack: 518, Len: 305
Transport Layer Security
[Community ID: 1:E4c4wrxpXcLOBqG1Bh1BSnNLV1Q=]
Frame 148: 1354 bytes on wire (10832 bits), 1354 bytes captured (10832 bits) on interface en6, id 0
Ethernet II, Src: TendaTec_46:fb:98 (c8:3a:35:46:fb:98), Dst: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09)
Internet Protocol Version 4, Src: 103.235.46.39, Dst: 192.168.3.100
Transmission Control Protocol, Src Port: 443, Dst Port: 63070, Seq: 2601, Ack: 518, Len: 1300
[3 Reassembled TCP Segments (3779 bytes):
[Community ID: 1:E4c4wrxpXcLOBqG1Bh1BSnNLV1Q=]
Frame 151: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface en6, id 0
Ethernet II, Src: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09), Dst: TendaTec_46:fb:98 (c8:3a:35:46:fb:98)
Internet Protocol Version 4, Src: 192.168.3.100, Dst: 103.235.46.39
Transmission Control Protocol, Src Port: 63070, Dst Port: 443, Seq: 518, Ack: 2601, Len: 0
Source Port: 63070
Destination Port: 443
[Stream index: 13]
[Conversation completeness: Incomplete, DATA (15)]
[TCP Segment Len: 0]
Sequence Number: 518 (relative sequence number)
Sequence Number (raw): 3604195829
[Next Sequence Number: 518 (relative sequence number)]
Acknowledgment Number: 2601 (relative ack number)
Acknowledgment number (raw): 1027481932
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 4075
[Calculated window size: 260800]
[Window size scaling factor: 64]
Checksum: 0x6fd8 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), SACK
[Timestamps]
[SEQ/ACK analysis]
[iRTT: 0.169471000 seconds]
[TCP Analysis Flags]
[This is a TCP duplicate ack]
[Duplicate ACK
[Duplicate to the ACK in frame: 150]
[Expert Info (Note/Sequence): Duplicate ACK (
[Duplicate ACK (
[Severity level: Note]
[Group: Sequence]
[Community ID: 1:E4c4wrxpXcLOBqG1Bh1BSnNLV1Q=]
- Timeout retransmission (TCP Retransmission)
- Fast retransmission (TCP Fast Retransmission): triggered once three duplicate ACKs are received
1066 14.221662 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
1067 14.221663 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
1068 14.221663 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
1069 14.221663 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
1070 14.221664 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
1071 14.221664 192.168.3.100 123.125.110.63 TCP 90 [TCP Dup ACK 712
Frame 1075: 1466 bytes on wire (11728 bits), 1466 bytes captured (11728 bits) on interface en6, id 0
Ethernet II, Src: TendaTec_46:fb:98 (c8:3a:35:46:fb:98), Dst: ASIXElec_48:a7:09 (f8:e4:3b:48:a7:09)
Internet Protocol Version 4, Src: 123.125.110.63, Dst: 192.168.3.100
Transmission Control Protocol, Src Port: 443, Dst Port: 63077, Seq: 384894, Ack: 1412, Len: 1412
Source Port: 443
Destination Port: 63077
[Stream index: 20]
[Conversation completeness: Incomplete, DATA (15)]
[TCP Segment Len: 1412]
Sequence Number: 384894 (relative sequence number)
Sequence Number (raw): 3855425301
[Next Sequence Number: 386306 (relative sequence number)]
Acknowledgment Number: 1412 (relative ack number)
Acknowledgment number (raw): 704110825
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window: 1386
[Calculated window size: 177408]
[Window size scaling factor: 128]
Checksum: 0xd3eb [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
[iRTT: 0.002886000 seconds]
[Bytes in flight: 220271]
[Bytes sent since last PSH flag: 381240]
[TCP Analysis Flags]
[Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission]
[This frame is a (suspected) fast retransmission]
[Severity level: Note]
[Group: Sequence]
[Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
[This frame is a (suspected) retransmission]
[Severity level: Note]
[Group: Sequence]
TCP payload (1412 bytes)
TCP segment data (924 bytes)
TCP segment data (414 bytes)
[7 Reassembled TCP Segments (8221 bytes):
Transport Layer Security
Transport Layer Security
[Community ID: 1:xFkD7jpxQoEmzz2YEDLoiIEqKOc=]
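To make the expert-info labels above concrete, the following Python script is an added example (not from the original notes) that re-implements a simplified version of Wireshark's SEQ/ACK analysis over a constructed stream. Using only relative sequence and acknowledgment numbers, it tags Previous segment not captured, Out-Of-Order, Dup ACK #n, Fast Retransmission and Retransmission. Wireshark's real heuristics also look at timing, window size and SACK blocks; those are left out here, and the three-duplicate-ACK threshold is the one stated in the note above. The frame numbers and byte counts in the sample are constructed and do not correspond to the page's captures.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Segment:
    frame: int
    sender: str   # "client" or "server"
    seq: int      # relative sequence number, as Wireshark shows it
    ack: int      # relative acknowledgment number
    length: int   # TCP payload length


@dataclass
class SenderState:
    next_seq: int = -1                                        # next byte expected from this sender
    seen: Set[Tuple[int, int]] = field(default_factory=set)   # (seq, end) ranges already captured
    last_ack: int = -1                                        # last ack number this sender sent
    dup_acks: int = 0                                         # consecutive duplicate ACKs it sent


def analyze(segments: List[Segment]) -> Dict[int, List[str]]:
    """Tag frames the way Wireshark's SEQ/ACK analysis does (simplified:
    no timing, no window or SACK checks). Returns {frame: [tags]}."""
    state = {"client": SenderState(), "server": SenderState()}
    notes: Dict[int, List[str]] = {}
    for s in segments:
        me = state[s.sender]
        peer = state["server" if s.sender == "client" else "client"]
        tags: List[str] = []

        if s.length > 0:
            end = s.seq + s.length
            if me.next_seq < 0:
                me.next_seq = s.seq                 # first data we see from this side
            if s.seq == me.next_seq:
                me.next_seq = end                   # in order
            elif s.seq > me.next_seq:
                tags.append("Previous segment not captured")
                me.next_seq = end
            elif peer.dup_acks >= 3 and peer.last_ack == s.seq:
                tags.append("Fast Retransmission")  # resends exactly what 3 dup ACKs asked for
            elif (s.seq, end) in me.seen:
                tags.append("Retransmission")       # same bytes again, e.g. after an RTO
            else:
                tags.append("Out-Of-Order")         # older bytes not seen before: fills a hole
            me.seen.add((s.seq, end))

        if s.length == 0 and s.ack == me.last_ack:
            me.dup_acks += 1                        # pure ACK repeating the same ack number
            tags.append(f"Dup ACK #{me.dup_acks}")
        elif s.ack > me.last_ack:
            me.dup_acks = 0                         # ack advanced: the burst is over
        me.last_ack = s.ack

        if tags:
            notes[s.frame] = tags
    return notes


# Constructed stream: a hole at 1301..2601 that is filled late, then a lost
# segment at 4901..5901 that the client asks for with three duplicate ACKs,
# then a segment resent after a timeout with nothing asking for it.
SAMPLE_STREAM = [
    Segment(1,  "server", 1,    100,  1300),
    Segment(2,  "server", 2601, 100,  1300),  # 1301..2601 has not arrived yet
    Segment(3,  "client", 100,  1301, 0),
    Segment(4,  "client", 100,  1301, 0),     # same ack again
    Segment(5,  "server", 1301, 100,  1300),  # the late segment fills the hole
    Segment(6,  "client", 100,  3901, 0),
    Segment(10, "server", 3901, 100,  1000),
    Segment(11, "server", 5901, 100,  1000),  # 4901..5901 was lost on the way
    Segment(12, "client", 100,  4901, 0),
    Segment(13, "server", 6901, 100,  1000),
    Segment(14, "client", 100,  4901, 0),
    Segment(15, "server", 7901, 100,  1000),
    Segment(16, "client", 100,  4901, 0),
    Segment(17, "client", 100,  4901, 0),     # third duplicate ACK
    Segment(18, "server", 4901, 100,  1000),  # sender resends the missing bytes
    Segment(19, "client", 100,  8901, 0),
    Segment(20, "server", 7901, 100,  1000),  # resent without being asked: plain retransmission
]

if __name__ == "__main__":
    for frame, tags in sorted(analyze(SAMPLE_STREAM).items()):
        print(f"frame {frame}: {', '.join(tags)}")
```

Reading the output next to a real capture: a run of Dup ACK lines followed by a Fast Retransmission is a healthy recovery from one lost segment; plain Retransmissions with no duplicate ACKs before them mean the sender waited out a full retransmission timeout, which is what shows up as stalls in the I/O graph.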
References
- Practical Packet Analysis, 3rd edition, Chris Sanders
- Wireshark网络分析就这么简单 (Wireshark Network Analysis Made Simple), Lin Peiman
- Wireshark official documentation