Wireshark 用戶指南（3.1.0）

目 錄

Preface 序

1. Foreword 前言

2. Who should read this document? 誰適合讀該文檔？

3. Acknowledgements 致謝

4. About this document 關於本文檔

5. Where to get the latest copy of this document? 哪里獲取本文檔最新副版

6. Providing feedback about this document 反饋

7. Typographic Conventions 版式約定

7.1. Admonitions 期望

7.2. Shell Prompt and Source Code Examples 源碼案例

1. Introduction 簡介

1.1. What is Wireshark? 什么是Wireshark

1.1.1. Some intended purposes 預期用途

1.1.2. Features  特性

1.1.3. Live capture from many different network media  不同網絡介質在線抓取

1.1.4. Import files from many other capture programs  導入抓包文件

1.1.5. Export files for many other capture programs  導出抓包文件

1.1.6. Many protocol dissectors 協議剝離

1.1.7. Open Source Software  打開軟件

1.1.8. What Wireshark is not

1.2. System Requirements  系統要求

1.2.1. Microsoft Windows

1.2.2. UNIX / Linux

1.3. Where to get Wireshark  如何獲取Wireshark

1.4. A brief history of Wireshark  Wireshark簡史

1.5. Development and maintenance of Wireshark  Wireshark開發與運維

1.6. Reporting problems and getting help  上報問題並獲得幫助

1.6.1. Website

1.6.2. Wiki

1.6.3. Q&A Site

1.6.4. FAQ

1.6.5. Mailing Lists

1.6.6. Reporting Problems

1.6.7. Reporting Crashes on UNIX/Linux platforms

1.6.8. Reporting Crashes on Windows platforms

2. Building and Installing Wireshark  構建安裝Wireshark

2.1. Introduction  簡介

2.2. Obtaining the source and binary distributions  獲取源碼和二進制發行版

2.3. Installing Wireshark under Windows  Windows安裝Wireshark

2.3.1. Installation Components  安裝組件

2.3.2. Additional Tasks 額外任務

2.3.3. Install Location 安裝位置

2.3.4. Installing Npcap 安裝Npcap

2.3.5. Windows installer command line options  Windows安裝命令行選項

2.3.6. Manual Npcap Installation 手動Npcap安裝

2.3.7. Update Wireshark 升級Wireshark

2.3.8. Update Npcap 升級Npcap

2.3.9. Uninstall Wireshark 協助Wireshark

2.3.10. Uninstall Npcap 協助Npcap

2.4. Installing Wireshark under macOS  macOS安裝Wireshark

2.5. Building Wireshark from source under UNIX  UNIX源碼安裝Wireshark

2.6. Installing the binaries under UNIX  UNIX二進制安裝Wireshark

2.6.1. Installing from RPMs under Red Hat and alike   紅帽環境下RPM安裝

2.6.2. Installing from debs under Debian, Ubuntu and other Debian derivatives  Debian等環境deb安裝

2.6.3. Installing from portage under Gentoo Linux  GentooLinux環境 portage安裝

2.6.4. Installing from packages under FreeBSD  FreeBSD環境安裝包安裝

2.7. Troubleshooting during the build and install on Unix   Unix構建安裝問題快照

2.8. Building from source under Windows Windows下源碼安裝

3. User Interface   用戶界面

3.1. Introduction  簡介

3.2. Start Wireshark  啟動Wireshark

3.3. The Main window 主界面

3.3.1. Main Window Navigation  主界面導航

3.4. The Menu  菜單

3.5. The “File” menu   菜單-文件

3.6. The “Edit” Menu   菜單-編輯

3.7. The “View” Menu   菜單-視圖

3.8. The “Go” Menu  菜單-跳轉

3.9. The “Capture” menu  菜單-捕獲

3.10. The “Analyze” Menu  菜單-分析

3.11. The “Statistics” Menu  菜單-統計

3.12. The “Telephony” Menu  菜單-電話

3.13. The “Tools” Menu  菜單-工具

3.14. The “Help” Menu  菜單-幫助

3.15. The “Main” Toolbar  工具欄-常規工具

3.16. The “Filter” Toolbar  工具欄-過濾

3.17. The “Packet List” Pane  面板-報文列表

3.18. The “Packet Details” Pane    面板-報文詳情

3.19. The “Packet Bytes” Pane   面板-報文字節

3.20. The Statusbar  狀態欄

4. Capturing Live Network Data  捕獲在線網絡數據

4.1. Introduction  簡介

4.2. Prerequisites   前提條件

4.3. Start Capturing  開始捕獲

4.4. The “Capture Interfaces” dialog box  捕獲界面對話框

4.5. The “Capture Options” dialog box  捕獲設置對話框

4.5.1. Capture frame  捕獲

4.5.2. Capture File(s) frame  捕獲文件

4.5.3. Stop Capture…​ frame  停止捕獲

4.5.4. Display Options frame 顯示設置

4.5.5. Name Resolution frame 域名解析

4.5.6. Buttons  按鈕

4.6. The “Edit Interface Settings” dialog box  編輯界面設置對話框

4.7. The “Compile Results” dialog box  編譯結果對話框

4.8. The “Add New Interfaces” dialog box  增加新接口對話框

4.8.1. Add or remove pipes 新增/刪除？

4.8.2. Add or hide local interfaces 新增/隱藏本地接口

4.8.3. Add or hide remote interfaces  新增/隱藏遠方接口

4.9. The “Remote Capture Interfaces” dialog box  遠程捕獲接口對話框

4.9.1. Remote Capture Interfaces  遠程捕獲接口

4.9.2. Remote Capture Settings  遠程捕獲設置

4.10. The “Interface Details” dialog box  接口詳情對話框

4.11. Capture files and file modes  捕獲文件及文件模式

4.12. Link-layer header type  鏈接層頭類型

4.13. Filtering while capturing  抓包時過濾

4.13.1. Automatic Remote Traffic Filtering 自動化遠程過濾

4.14. While a Capture is running …​   抓包過程中

4.14.1. Stop the running capture  停止抓包

4.14.2. Restart a running capture  重新抓包

5. File Input, Output, and Printing 文件輸入、輸出、打印

5.1. Introduction  簡介

5.2. Open capture files   打開抓包文件

5.2.1. The “Open Capture File” dialog box

5.2.2. Input File Formats

5.3. Saving captured packets  保存抓包

5.3.1. The “Save Capture File As” dialog box

5.3.2. Output File Formats

5.4. Merging capture files  合並抓包

5.4.1. The “Merge with Capture File” dialog box

5.5. Import hex dump 導入 hex dump

5.5.1. The “Import from Hex Dump” dialog box

5.6. File Sets  文件設置

5.6.1. The “List Files” dialog box

5.7. Exporting data  導出數據

5.7.1. The “Export as Plain Text File” dialog box

5.7.2. The “Export as PostScript File” dialog box

5.7.3. The “Export as CSV (Comma Separated Values) File” dialog box

5.7.4. The “Export as C Arrays (packet bytes) file” dialog box

5.7.5. The “Export as PSML File” dialog box

5.7.6. The “Export as PDML File” dialog box

5.7.7. The “Export selected packet bytes” dialog box

5.7.8. The “Export Objects” dialog box

5.8. Printing packets 打印包

5.8.1. The “Print” dialog box  打印對話框

5.9. The “Packet Range” frame   包范圍？

5.10. The Packet Format frame   包模式？

6. Working With Captured Packets 抓包文件用途

6.1. Viewing Packets You Have Captured  查看抓包文件

6.2. Pop-up Menus  彈出式菜單

6.2.1. Pop-up Menu Of The “Packet List” Column Header  報文列表列標題彈出菜單

6.2.2. Pop-up Menu Of The “Packet List” Pane  報文列表面包彈出菜單

6.2.3. Pop-up Menu Of The “Packet Details” Pane  報文詳情面板彈出菜單

6.2.4. Pop-up Menu Of The “Packet Bytes” Pane  報文字節面板彈出菜單

6.3. Filtering Packets While Viewing  顯示過濾報文

6.4. Building Display Filter Expressions 創建顯示過濾表達式

6.4.1. Display Filter Fields  顯示過濾區

6.4.2. Comparing Values  對比值

6.4.3. Combining Expressions 組合表達式

6.4.4. Slice Operator 切片運算符

6.4.5. Membership Operator  隸屬運算符

6.4.6. Functions 函數

6.4.7. A Common Mistake 常見錯誤

6.4.8. Sometimes Fields Change Names 字段改名

6.5. The “Filter Expression” Dialog Box  過濾表達式對話框

6.6. Defining And Saving Filters 定義及保存過濾器

6.7. Defining And Saving Filter Macros 定義及保存過濾常量

6.8. Finding Packets 查找包

6.8.1. The “Find Packet” Toolbar  查找包工具欄

6.9. Go To A Specific Packet 跳轉到指定報文

6.9.1. The “Go Back” Command

6.9.2. The “Go Forward” Command

6.9.3. The “Go to Packet” Toolbar

6.9.4. The “Go to Corresponding Packet” Command

6.9.5. The “Go to First Packet” Command

6.9.6. The “Go to Last Packet” Command

6.10. Marking Packets 標記報文

6.11. Ignoring Packets 忽略報文

6.12. Time Display Formats And Time References 顯示樣式及時間參考

6.12.1. Packet Time Referencing  報文時間參考

7. Advanced Topics  高級應用

7.1. Introduction

7.2. Following Protocol Streams

7.3. Show Packet Bytes

7.4. Expert Information

7.4.1. Expert Info Entries

7.4.2. “Expert Info” dialog

7.4.3. “Colorized” Protocol Details Tree

7.4.4. “Expert” Packet List Column (optional)

7.5. TCP Analysis

7.6. Time Stamps

7.6.1. Wireshark internals

7.6.2. Capture file formats

7.6.3. Accuracy

7.7. Time Zones

7.7.1. Set your computer’s time correctly!

7.7.2. Wireshark and Time Zones

7.8. Packet Reassembly

7.8.1. What is it?

7.8.2. How Wireshark handles it

7.8.3. TCP Reassembly

7.9. Name Resolution

7.9.1. Name Resolution drawbacks

7.9.2. Ethernet name resolution (MAC layer)

7.9.3. IP name resolution (network layer)

7.9.4. TCP/UDP port name resolution (transport layer)

7.9.5. VLAN ID resolution

7.9.6. SS7 point code resolution

7.10. Checksums

7.10.1. Wireshark checksum validation

7.10.2. Checksum offloading

8. Statistics 統計

8.1. Introduction

8.2. The “Capture File Properties” Window

8.3. Resolved Addresses

8.4. The “Protocol Hierarchy” Window

8.5. Conversations

8.5.1. The “Conversations” Window

8.6. Endpoints

8.6.1. The “Endpoints” Window

8.7. Packet Lengths

8.8. The “I/O Graph” Window

8.9. Service Response Time

8.9.1. The “Service Response Time DCE-RPC” Window

8.10. DHCP (BOOTP) Statistics

8.11. ONC-RPC Programs

8.12. 29West

8.13. ANCP

8.14. BACnet

8.15. Collectd

8.16. DNS

8.17. Flow Graph

8.18. HART-IP

8.19. HPFEEDS

8.20. HTTP Statistics

8.20.1. HTTP Packet Counter

8.20.2. HTTP Requests

8.20.3. HTTP Load Distribution

8.20.4. HTTP Request Sequences

8.21. HTTP2

8.22. Sametime

8.23. TCP Stream Graphs

8.24. UDP Multicast Graphs

8.25. F5

8.26. IPv4 Statistics

8.27. IPv6 Statistics

9. Telephony

9.1. Introduction

9.2. VoIP Calls

9.3. ANSI

9.4. GSM

9.5. IAX2 Stream Analysis

9.6. ISUP Messages

9.7. LTE

9.7.1. LTE MAC Traffic Statistics

9.7.2. LTE RLC Graph

9.7.3. LTE RLC Traffic Statistics

9.8. MTP3

9.9. Osmux

9.10. RTP Analysis

9.11. RTSP

9.12. SCTP

9.13. SMPP Operations

9.14. UCP Messages

9.15. H.225

9.16. SIP Flows

9.17. SIP Statistics

9.18. WAP-WSP Packet Counter

10. Wireless

10.1. Introduction

10.2. Bluetooth ATT Server Attributes

10.3. Bluetooth Devices

10.4. Bluetooth HCI Summary

10.5. WLAN Traffic

11. Customizing Wireshark

11.1. Introduction

11.2. Start Wireshark from the command line

11.3. Packet colorization

11.4. Control Protocol dissection

11.4.1. The “Enabled Protocols” dialog box

11.4.2. User Specified Decodes

11.4.3. Show User Specified Decodes

11.5. Preferences

11.5.1. Interface Options

11.6. Configuration Profiles

11.7. User Table

11.8. Display Filter Macros

11.9. ESS Category Attributes

11.10. MaxMind Database Paths

11.11. IKEv2 decryption table

11.12. Object Identifiers

11.13. PRES Users Context List

11.14. SCCP users Table

11.15. SMI (MIB and PIB) Modules

11.16. SMI (MIB and PIB) Paths

11.17. SNMP Enterprise Specific Trap Types

11.18. SNMP users Table

11.19. Tektronix K12xx/15 RF5 protocols Table

11.20. User DLTs protocol table

12. MATE

12.1. Introduction

12.2. Getting Started

12.3. MATE Manual

12.3.1. Introduction

12.3.2. Attribute Value Pairs

12.3.3. AVP lists

12.3.4. MATE Analysis

12.3.5. About MATE

12.4. MATE’s configuration tutorial

12.4.1. A Gop for DNS requests

12.4.2. A Gop for HTTP requests

12.4.3. Getting DNS and HTTP together into a Gog

12.4.4. Separating requests from multiple users

12.5. MATE configuration examples

12.5.1. TCP session

12.5.2. a Gog for a complete FTP session

12.5.3. using RADIUS to filter SMTP traffic of a specific user

12.5.4. H323 Calls

12.5.5. MMS

12.6. MATE’s configuration library

12.6.1. General use protocols

12.6.2. VoIP/Telephony

12.7. MATE’s reference manual

12.7.1. Attribute Value Pairs

12.7.2. Attribute/Value Pair List (AVPL)

12.8. Configuration AVPLs

12.8.1. Pdsu’s configuration actions

A. Wireshark Messages