Wireshark operation
UI
Menu, Main toolbar, Filter toolbar, Packet List pane, Packet Details pane, Packet Bytes pane
Filter
OSI
Capture skills
MAC
ether src {Host MAC Address}   capture frames whose source is Host MAC Address
ether dst {Host MAC Address}   capture frames whose destination is Host MAC Address
IP
src host {IP Address}   capture traffic coming from the host at {IP Address}
dst host {IP Address}   capture traffic going to the host at {IP Address}
Port
udp port 67   capture UDP traffic from/to port 67
portrange 1-80   capture UDP/TCP traffic from/to ports 1-80
Tool
Display filter: click Expression
Statistics -> Endpoints
Statistics -> Conversations
Statistics -> Protocol Hierarchy
Statistics -> Flow Graph
ARP Example
ARP header
Octet  Bit   Fields
0      0     Hardware type (bits 0-15) | Protocol type (bits 16-31)
4      32    Hardware address length (bits 0-7) | Protocol address length (bits 8-15) | Opcode (bits 16-31)
8      64    Source hardware address
12     96    Source protocol address
16     128   Destination hardware address
20     160   Destination protocol address
24 …   192 … Data
ICMP Example
ICMP header
Octet  Bit   Fields
0      0     Type (bits 0-7) | Code (bits 8-15) | Checksum (bits 16-31)
4      32    Rest of Header
Code further subdivides the ICMP type; this field is used to find the cause of the error (values 1 ~ 15).
Run tracert nkust and look at the result
TCP Example
1. Client sends SYN to Server (Seq = 100, SYN = 1)
2. SYN+ACK: (1) Server receives the Client's request and replies with Ack = 100+1; (2) Server sends SYN (seq = 300) to Client as its own connection request
3. Client sends ACK to Server, confirming that both sides enter ESTABLISHED
Seq is the request sequence number, Ack is the acknowledgment number; SYN and ACK are control bits in the TCP segment
TCP header
Octet  Bit   Fields
0      0     Source port (bits 0-15) | Destination port (bits 16-31)
4      32    Sequence number
8      64    Acknowledgment number (if ACK set)
12     96    Data offset (bits 0-3) | Reserved 0 0 0 (bits 4-6) | NS | CWR | ECE | URG | ACK | PSH | RST | SYN | FIN | Window Size (bits 16-31)
16     128   Checksum (bits 0-15) | Urgent pointer (if URG set) (bits 16-31)
20 …   160 … Options (if data offset > 5. Padded at the end with "0" bytes if necessary.) …
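As an added worked example (not part of the original slides), the fixed 20-byte TCP header from the offset table above decoded with Python's struct module, then used to recognise which handshake step a segment belongs to. The three segments are constructed sample input using the slide's Seq 100 / Seq 300 values; the ports and the zero checksum are made-up placeholders.

```python
import struct

# Masks for the 16-bit word that holds data offset (bits 0-3), reserved (4-6) and the control bits
TCP_FLAGS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020,
    "ACK": 0x010, "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed TCP header: ports, seq, ack, data offset, control bits, window, checksum, urgent pointer."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = off_flags >> 12              # header length in 32-bit words (5 = no options)
    flags = [name for name, mask in TCP_FLAGS.items() if off_flags & mask]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
        "options": data[20:data_offset * 4],   # non-empty only if data offset > 5
    }


def handshake_step(hdr: dict) -> str:
    """Map the control bits of a parsed header onto the three-way handshake steps from the slide."""
    flags = set(hdr["flags"])
    if flags == {"SYN"}:
        return "1: SYN"
    if flags == {"SYN", "ACK"}:
        return "2: SYN+ACK"
    if flags == {"ACK"}:
        return "3: ACK"
    return "not a handshake segment"


def build_tcp_header(src: int, dst: int, seq: int, ack: int, flags: list, window: int = 65535) -> bytes:
    """Build a 20-byte header (data offset 5, checksum and urgent pointer left at 0) for sample input."""
    off_flags = 5 << 12
    for name in flags:
        off_flags |= TCP_FLAGS[name]
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0)


# Constructed sample: the three segments of the handshake described on the slide (client port is a placeholder)
HANDSHAKE = [
    build_tcp_header(40000, 80, 100, 0, ["SYN"]),           # 1. client -> server, Seq = 100
    build_tcp_header(80, 40000, 300, 101, ["SYN", "ACK"]),  # 2. server -> client, seq = 300, Ack = 100+1
    build_tcp_header(40000, 80, 101, 301, ["ACK"]),         # 3. client -> server, both ESTABLISHED
]
```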
IP Example
PUZZLE #3 ANN'S APPLETV http://forensicscontest.com/2009/12/28/anns-appletv
What is the MAC address of Ann's AppleTV?
What User-Agent string did Ann's AppleTV use in HTTP requests?
(HTTP -> Requests) What were Ann's first four search terms on the AppleTV (all incremental searches count)?
(display filter: http.request.uri.query.parameter contains Hackers) What was the title of the first movie Ann clicked on?
References
https://notfalse.net/7/three-way-handshake
https://en.wikipedia.org/wiki/IPv4
https://github.com/CCH0124/Network/tree/master/wireshark
https://cch0124.github.io/arp/
http://forensicscontest.com/puzzles