Wireshark
Wireshark has been the prime choice for packet capturing for many users worldwide. It is a cross-platform tool that allows you to perform packet capturing and analysis.
Some of the main features of Wireshark are as follows:
- Live packet capture and analysis (on the fly or offline)
- Deep packet inspection
- Decryption support for protocols such as SSL/TLS, IPsec, SNMPv3, Kerberos, WPA/WPA2, and more
Within Wireshark, you have the ability to apply a capture filter and a display filter. Understanding the differences between these two filters and how to apply them will help you capture the relevant packets and filter out the noise.
Capture filters reduce the size of the raw packet capture by deciding which packets are recorded at all, while display filters select which of the captured packets are shown. Capture filters are applied before the capture starts and cannot be changed during the capture. Display filters, on the other hand, can be applied or changed at any time.
Some capture filters can be very basic and simple. Let's go over a few examples:
- Capturing traffic for a specific host is as follows:
host 192.168.90.1
- Capturing traffic for a specific subnet is as follows:
net 192.168.90.0/24
- Some capture filters can be complex, such as this one, which detects the Heartbleed exploit:
tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 69))
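To make each term of that Heartbleed capture filter concrete, here is an added Python example (not from the original page) that re-implements the same checks over a raw IPv4/TCP packet. The packet builder, the addresses and ports, and the sample TLS records are constructed for illustration, not taken from a real capture.

```python
import struct

# Constructed sample data (not a real capture): a minimal IPv4 + TCP packet whose
# payload is a single TLS record. No checksums are computed; the filter ignores them.
def build_sample(tls_record: bytes, src_port: int = 443) -> bytes:
    ip_hdr_len = 20
    tcp_hdr_len = 32                      # 20-byte header + 12 bytes of NOP options
    total_len = ip_hdr_len + tcp_hdr_len + len(tls_record)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    doff_flags = ((tcp_hdr_len // 4) << 12) | 0x18   # data offset 8 words, PSH|ACK
    tcp = struct.pack("!HHIIHHHH", src_port, 51000, 1, 1, doff_flags, 8192, 0, 0)
    tcp += b"\x01" * 12                   # NOP options padding up to the data offset
    return ip + tcp + tls_record


def heartbleed_filter(pkt: bytes) -> bool:
    """Mirror of the page's BPF expression, one term per step."""
    ihl = (pkt[0] & 0x0F) * 4                       # 4 * (ip[0] & 0x0F)
    ip_total = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]
    tcp = pkt[ihl:]                                 # BPF 'tcp[...]' indexes from here
    src_port = struct.unpack("!H", tcp[0:2])[0]     # 'tcp src port 443'
    doff = ((tcp[12] & 0xF0) >> 4) * 4              # ((tcp[12] & 0xF0) >> 4) * 4
    if src_port != 443 or len(tcp) < doff + 3:
        return False
    content_type = tcp[doff]                        # 0x18 = TLS heartbeat record
    ver_major, ver_minor = tcp[doff + 1], tcp[doff + 2]  # 0x03 and < 0x04: SSL3..TLS1.2
    tcp_payload_len = ip_total - ihl - doff         # ip[2:2] - IP header - TCP header
    return (content_type == 0x18 and ver_major == 0x03
            and ver_minor < 0x04 and tcp_payload_len > 69)


# Heartbeat record from port 443 with a large body: the filter matches.
HEARTBEAT_BIG = build_sample(b"\x18\x03\x02\x00\x50" + b"\x00" * 80)
# Ordinary application-data record (0x17) of the same size: no match.
APPDATA_BIG = build_sample(b"\x17\x03\x02\x00\x50" + b"\x00" * 80)
```

Because the expression checks the source port, it matches the server's oversized heartbeat responses rather than the client's request, which is the side a defender wants to see.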
Display filters can also be basic. Let's go over a few examples:
- Displaying traffic from a specific source subnet to a specific destination host is done as follows:
ip.src==192.168.90.0/24 and ip.dst==192.168.90.1
- Looking for traffic on a specific port is done with the following filter:
tcp.port eq 445
In the screenshot in Figure 25, I have marked the fields where you define the display filter and the capture filter.
Wireshark has the ability to display credentials in clear text for unencrypted traffic. For example, while capturing Telnet traffic, we can use Follow | TCP Stream to follow the TCP stream, as shown in Figure 26.
Note that by using the Follow | TCP Stream option, we are able to see the Username and Password in clear text, as shown in Figure 27.
Having the graphical interface of Wireshark makes it easier to work with packet captures. However, if you don't have the ability to use Wireshark, then you will need to know how to leverage a command-line packet capture tool such as tcpdump.