Document taken from a search engine cache. Address of the original document: http://lvk.cs.msu.su/~sveta/4-2wireshark.pdf
Modified: Wed Mar 9 18:48:38 2016
Indexed: Sat Apr 9 22:36:41 2016
Wireshark

(Win, Mac, Linux) Open Source (http://www.wireshark.org)








· # usermod -a -G wireshark user
· wireshark root



user@host:~$ telnet ya.ru 80
Trying 213.180.193.3...
Connected to ya.ru.
Escape character is '^]'.
Trololo

400 Bad Request

400 Bad Request

nginx
Connection closed by foreign host.








Find
(2) 1
(3) http
(4) Follow stream
(5) HTTP GET



http.response.code == 404
TCP : tcp.flags.syn == 1
DNS : udp.port == 53
ip.dst == 10.30.40.0/24
eth.addr[3-4] == 00:08 && udp.srcport == 23


TCP
· Wireshark
· Edit->Preferences->Protocols->TCP->Relative Sequence Numbers


(TCP)
· yandex.ru:80 telnet, yandex.ru
· TCP-
· yandex.ru
· sequence number TCP-, Bad Request


(ARP)
· wireshark MAC


(ARP)
· wlan wlan wlan, ARP ARP (ARP-), MAC-


(DHCP)
· IP-, DHCP-
· : bootp


*.pcap
· Wireshark *.pcap (Packet CAPture) :
· *.pcap






:
1. MAC
2. MAC IP ARP
3. L4
Interface #   Domain #   Eth Address          IPv4 Address
1             1          00:00:00:00:00:0a    10.0.1.2
2             1          00:00:00:00:00:09    10.0.1.1
3                                             10.0.2.2
4                                             10.0.0.3

Flow #   Src Itf #   Dst Itf #   Protocol   Edges
1        1:49153     4:234       TCP        1-2
2        3:49153     1:432       UDP        1-2


...
Interface #   Domain #   Eth Address          IPv4 Address
1             1          00:00:00:00:00:0a    10.0.1.2
2             1          00:00:00:00:00:09    10.0.1.1
3             3          00:00:00:00:00:0c    10.0.2.2
4             2          00:00:00:00:00:05    10.0.0.3
5             2          00:00:00:00:00:07    10.0.0.4
6             2          00:00:00:00:00:03    10.0.0.2
7             2          00:00:00:00:00:01    10.0.0.1
8             3          00:00:00:00:00:0b    10.0.2.1

Flow #   Src Itf #   Dst Itf #   Protocol   Edges
1        1:49153     4:234       TCP        1-2, 7-4
2        3:49153     1:432       UDP        3-8, 6-7, 1-2
3        4:49153     5:789       TCP        4-5



[Network diagram: domains D1, D2, D3. Labelled interfaces: Interface #1 00:00:00:00:00:0a 10.0.1.2 (D1); Interface #4 00:00:00:00:00:05 10.0.0.3 and Interface #5 00:00:00:00:00:07 10.0.0.4 (D2); Interface #3 00:00:00:00:00:0c 10.0.2.2 (D3)]


