Wireshark 用户指南（3.1.0）

目 录

Preface 序

1. Foreword 前言

2. Who should read this document? 谁适合读该文档？

3. Acknowledgements 致谢

4. About this document 关于本文档

5. Where to get the latest copy of this document? 哪里获取本文档最新副版

6. Providing feedback about this document 反馈

7. Typographic Conventions 版式约定

7.1. Admonitions 期望

7.2. Shell Prompt and Source Code Examples 源码案例

1. Introduction 简介

1.1. What is Wireshark? 什么是Wireshark

1.1.1. Some intended purposes 预期用途

1.1.2. Features  特性

1.1.3. Live capture from many different network media  不同网络介质在线抓取

1.1.4. Import files from many other capture programs  导入抓包文件

1.1.5. Export files for many other capture programs  导出抓包文件

1.1.6. Many protocol dissectors 协议剥离

1.1.7. Open Source Software  打开软件

1.1.8. What Wireshark is not

1.2. System Requirements  系统要求

1.2.1. Microsoft Windows

1.2.2. UNIX / Linux

1.3. Where to get Wireshark  如何获取Wireshark

1.4. A brief history of Wireshark  Wireshark简史

1.5. Development and maintenance of Wireshark  Wireshark开发与运维

1.6. Reporting problems and getting help  上报问题并获得帮助

1.6.1. Website

1.6.2. Wiki

1.6.3. Q&A Site

1.6.4. FAQ

1.6.5. Mailing Lists

1.6.6. Reporting Problems

1.6.7. Reporting Crashes on UNIX/Linux platforms

1.6.8. Reporting Crashes on Windows platforms

2. Building and Installing Wireshark  构建安装Wireshark

2.1. Introduction  简介

2.2. Obtaining the source and binary distributions  获取源码和二进制发行版

2.3. Installing Wireshark under Windows  Windows安装Wireshark

2.3.1. Installation Components  安装组件

2.3.2. Additional Tasks 额外任务

2.3.3. Install Location 安装位置

2.3.4. Installing Npcap 安装Npcap

2.3.5. Windows installer command line options  Windows安装命令行选项

2.3.6. Manual Npcap Installation 手动Npcap安装

2.3.7. Update Wireshark 升级Wireshark

2.3.8. Update Npcap 升级Npcap

2.3.9. Uninstall Wireshark 协助Wireshark

2.3.10. Uninstall Npcap 协助Npcap

2.4. Installing Wireshark under macOS  macOS安装Wireshark

2.5. Building Wireshark from source under UNIX  UNIX源码安装Wireshark

2.6. Installing the binaries under UNIX  UNIX二进制安装Wireshark

2.6.1. Installing from RPMs under Red Hat and alike   红帽环境下RPM安装

2.6.2. Installing from debs under Debian, Ubuntu and other Debian derivatives  Debian等环境deb安装

2.6.3. Installing from portage under Gentoo Linux  GentooLinux环境 portage安装

2.6.4. Installing from packages under FreeBSD  FreeBSD环境安装包安装

2.7. Troubleshooting during the build and install on Unix   Unix构建安装问题快照

2.8. Building from source under Windows Windows下源码安装

3. User Interface   用户界面

3.1. Introduction  简介

3.2. Start Wireshark  启动Wireshark

3.3. The Main window 主界面

3.3.1. Main Window Navigation  主界面导航

3.4. The Menu  菜单

3.5. The “File” menu   菜单-文件

3.6. The “Edit” Menu   菜单-编辑

3.7. The “View” Menu   菜单-视图

3.8. The “Go” Menu  菜单-跳转

3.9. The “Capture” menu  菜单-捕获

3.10. The “Analyze” Menu  菜单-分析

3.11. The “Statistics” Menu  菜单-统计

3.12. The “Telephony” Menu  菜单-电话

3.13. The “Tools” Menu  菜单-工具

3.14. The “Help” Menu  菜单-帮助

3.15. The “Main” Toolbar  工具栏-常规工具

3.16. The “Filter” Toolbar  工具栏-过滤

3.17. The “Packet List” Pane  面板-报文列表

3.18. The “Packet Details” Pane    面板-报文详情

3.19. The “Packet Bytes” Pane   面板-报文字节

3.20. The Statusbar  状态栏

4. Capturing Live Network Data  捕获在线网络数据

4.1. Introduction  简介

4.2. Prerequisites   前提条件

4.3. Start Capturing  开始捕获

4.4. The “Capture Interfaces” dialog box  捕获界面对话框

4.5. The “Capture Options” dialog box  捕获设置对话框

4.5.1. Capture frame  捕获

4.5.2. Capture File(s) frame  捕获文件

4.5.3. Stop Capture…​ frame  停止捕获

4.5.4. Display Options frame 显示设置

4.5.5. Name Resolution frame 域名解析

4.5.6. Buttons  按钮

4.6. The “Edit Interface Settings” dialog box  编辑界面设置对话框

4.7. The “Compile Results” dialog box  编译结果对话框

4.8. The “Add New Interfaces” dialog box  增加新接口对话框

4.8.1. Add or remove pipes 新增/删除？

4.8.2. Add or hide local interfaces 新增/隐藏本地接口

4.8.3. Add or hide remote interfaces  新增/隐藏远方接口

4.9. The “Remote Capture Interfaces” dialog box  远程捕获接口对话框

4.9.1. Remote Capture Interfaces  远程捕获接口

4.9.2. Remote Capture Settings  远程捕获设置

4.10. The “Interface Details” dialog box  接口详情对话框

4.11. Capture files and file modes  捕获文件及文件模式

4.12. Link-layer header type  链接层头类型

4.13. Filtering while capturing  抓包时过滤

4.13.1. Automatic Remote Traffic Filtering 自动化远程过滤

4.14. While a Capture is running …​   抓包过程中

4.14.1. Stop the running capture  停止抓包

4.14.2. Restart a running capture  重新抓包

5. File Input, Output, and Printing 文件输入、输出、打印

5.1. Introduction  简介

5.2. Open capture files   打开抓包文件

5.2.1. The “Open Capture File” dialog box

5.2.2. Input File Formats

5.3. Saving captured packets  保存抓包

5.3.1. The “Save Capture File As” dialog box

5.3.2. Output File Formats

5.4. Merging capture files  合并抓包

5.4.1. The “Merge with Capture File” dialog box

5.5. Import hex dump 导入 hex dump

5.5.1. The “Import from Hex Dump” dialog box

5.6. File Sets  文件设置

5.6.1. The “List Files” dialog box

5.7. Exporting data  导出数据

5.7.1. The “Export as Plain Text File” dialog box

5.7.2. The “Export as PostScript File” dialog box

5.7.3. The “Export as CSV (Comma Separated Values) File” dialog box

5.7.4. The “Export as C Arrays (packet bytes) file” dialog box

5.7.5. The “Export as PSML File” dialog box

5.7.6. The “Export as PDML File” dialog box

5.7.7. The “Export selected packet bytes” dialog box

5.7.8. The “Export Objects” dialog box

5.8. Printing packets 打印包

5.8.1. The “Print” dialog box  打印对话框

5.9. The “Packet Range” frame   包范围？

5.10. The Packet Format frame   包模式？

6. Working With Captured Packets 抓包文件用途

6.1. Viewing Packets You Have Captured  查看抓包文件

6.2. Pop-up Menus  弹出式菜单

6.2.1. Pop-up Menu Of The “Packet List” Column Header  报文列表列标题弹出菜单

6.2.2. Pop-up Menu Of The “Packet List” Pane  报文列表面包弹出菜单

6.2.3. Pop-up Menu Of The “Packet Details” Pane  报文详情面板弹出菜单

6.2.4. Pop-up Menu Of The “Packet Bytes” Pane  报文字节面板弹出菜单

6.3. Filtering Packets While Viewing  显示过滤报文

6.4. Building Display Filter Expressions 创建显示过滤表达式

6.4.1. Display Filter Fields  显示过滤区

6.4.2. Comparing Values  对比值

6.4.3. Combining Expressions 组合表达式

6.4.4. Slice Operator 切片运算符

6.4.5. Membership Operator  隶属运算符

6.4.6. Functions 函数

6.4.7. A Common Mistake 常见错误

6.4.8. Sometimes Fields Change Names 字段改名

6.5. The “Filter Expression” Dialog Box  过滤表达式对话框

6.6. Defining And Saving Filters 定义及保存过滤器

6.7. Defining And Saving Filter Macros 定义及保存过滤常量

6.8. Finding Packets 查找包

6.8.1. The “Find Packet” Toolbar  查找包工具栏

6.9. Go To A Specific Packet 跳转到指定报文

6.9.1. The “Go Back” Command

6.9.2. The “Go Forward” Command

6.9.3. The “Go to Packet” Toolbar

6.9.4. The “Go to Corresponding Packet” Command

6.9.5. The “Go to First Packet” Command

6.9.6. The “Go to Last Packet” Command

6.10. Marking Packets 标记报文

6.11. Ignoring Packets 忽略报文

6.12. Time Display Formats And Time References 显示样式及时间参考

6.12.1. Packet Time Referencing  报文时间参考

7. Advanced Topics  高级应用

7.1. Introduction

7.2. Following Protocol Streams

7.3. Show Packet Bytes

7.4. Expert Information

7.4.1. Expert Info Entries

7.4.2. “Expert Info” dialog

7.4.3. “Colorized” Protocol Details Tree

7.4.4. “Expert” Packet List Column (optional)

7.5. TCP Analysis

7.6. Time Stamps

7.6.1. Wireshark internals

7.6.2. Capture file formats

7.6.3. Accuracy

7.7. Time Zones

7.7.1. Set your computer’s time correctly!

7.7.2. Wireshark and Time Zones

7.8. Packet Reassembly

7.8.1. What is it?

7.8.2. How Wireshark handles it

7.8.3. TCP Reassembly

7.9. Name Resolution

7.9.1. Name Resolution drawbacks

7.9.2. Ethernet name resolution (MAC layer)

7.9.3. IP name resolution (network layer)

7.9.4. TCP/UDP port name resolution (transport layer)

7.9.5. VLAN ID resolution

7.9.6. SS7 point code resolution

7.10. Checksums

7.10.1. Wireshark checksum validation

7.10.2. Checksum offloading

8. Statistics 统计

8.1. Introduction

8.2. The “Capture File Properties” Window

8.3. Resolved Addresses

8.4. The “Protocol Hierarchy” Window

8.5. Conversations

8.5.1. The “Conversations” Window

8.6. Endpoints

8.6.1. The “Endpoints” Window

8.7. Packet Lengths

8.8. The “I/O Graph” Window

8.9. Service Response Time

8.9.1. The “Service Response Time DCE-RPC” Window

8.10. DHCP (BOOTP) Statistics

8.11. ONC-RPC Programs

8.12. 29West

8.13. ANCP

8.14. BACnet

8.15. Collectd

8.16. DNS

8.17. Flow Graph

8.18. HART-IP

8.19. HPFEEDS

8.20. HTTP Statistics

8.20.1. HTTP Packet Counter

8.20.2. HTTP Requests

8.20.3. HTTP Load Distribution

8.20.4. HTTP Request Sequences

8.21. HTTP2

8.22. Sametime

8.23. TCP Stream Graphs

8.24. UDP Multicast Graphs

8.25. F5

8.26. IPv4 Statistics

8.27. IPv6 Statistics

9. Telephony

9.1. Introduction

9.2. VoIP Calls

9.3. ANSI

9.4. GSM

9.5. IAX2 Stream Analysis

9.6. ISUP Messages

9.7. LTE

9.7.1. LTE MAC Traffic Statistics

9.7.2. LTE RLC Graph

9.7.3. LTE RLC Traffic Statistics

9.8. MTP3

9.9. Osmux

9.10. RTP Analysis

9.11. RTSP

9.12. SCTP

9.13. SMPP Operations

9.14. UCP Messages

9.15. H.225

9.16. SIP Flows

9.17. SIP Statistics

9.18. WAP-WSP Packet Counter

10. Wireless

10.1. Introduction

10.2. Bluetooth ATT Server Attributes

10.3. Bluetooth Devices

10.4. Bluetooth HCI Summary

10.5. WLAN Traffic

11. Customizing Wireshark

11.1. Introduction

11.2. Start Wireshark from the command line

11.3. Packet colorization

11.4. Control Protocol dissection

11.4.1. The “Enabled Protocols” dialog box

11.4.2. User Specified Decodes

11.4.3. Show User Specified Decodes

11.5. Preferences

11.5.1. Interface Options

11.6. Configuration Profiles

11.7. User Table

11.8. Display Filter Macros

11.9. ESS Category Attributes

11.10. MaxMind Database Paths

11.11. IKEv2 decryption table

11.12. Object Identifiers

11.13. PRES Users Context List

11.14. SCCP users Table

11.15. SMI (MIB and PIB) Modules

11.16. SMI (MIB and PIB) Paths

11.17. SNMP Enterprise Specific Trap Types

11.18. SNMP users Table

11.19. Tektronix K12xx/15 RF5 protocols Table

11.20. User DLTs protocol table

12. MATE

12.1. Introduction

12.2. Getting Started

12.3. MATE Manual

12.3.1. Introduction

12.3.2. Attribute Value Pairs

12.3.3. AVP lists

12.3.4. MATE Analysis

12.3.5. About MATE

12.4. MATE’s configuration tutorial

12.4.1. A Gop for DNS requests

12.4.2. A Gop for HTTP requests

12.4.3. Getting DNS and HTTP together into a Gog

12.4.4. Separating requests from multiple users

12.5. MATE configuration examples

12.5.1. TCP session

12.5.2. a Gog for a complete FTP session

12.5.3. using RADIUS to filter SMTP traffic of a specific user

12.5.4. H323 Calls

12.5.5. MMS

12.6. MATE’s configuration library

12.6.1. General use protocols

12.6.2. VoIP/Telephony

12.7. MATE’s reference manual

12.7.1. Attribute Value Pairs

12.7.2. Attribute/Value Pair List (AVPL)

12.8. Configuration AVPLs

12.8.1. Pdsu’s configuration actions

A. Wireshark Messages