Wireshark

Wireshark is a free and open-source network packet analyzer. A packet analyzer captures network packets and displays the captured data in as much detail as possible. Under the GNU General Public License, users can obtain the software and its source code at no cost and have the right to modify and customize that source code.

Practical tips

General syntax

Comparison operators:

==
!=
>
<
>=
<=
in

Logical operators:

&&      # AND
||      # OR
!       # NOT

Common filters:

SIP related

tcpdump

timeout 6m tcpdump -i eth0 host <sip-trunk-ip> -n -s 0 -vvvv  -w carrier.pcap

Wireshark

Show only REGISTER lines. Filter: sip.CSeq.method == REGISTER
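The operator list above and the REGISTER filter are enough to build a working evaluator. The following Python is an added example, not code from this page or from Wireshark: it tokenizes a display filter, parses it with Wireshark's precedence, and evaluates it against frames modelled as flat dicts keyed by Wireshark field names (ip.src, ip.dst, udp.port, sip.Method, sip.Status-Code and sip.CSeq.method are real field names; the five SIP/DNS frames are constructed sample data, not a capture). It covers only the operators listed here, not Wireshark's full grammar (no contains, matches, slices or functions).

```python
"""Evaluator for Wireshark-style display filters (added example, not Wireshark's own code).
Covers the operators listed on the page (== != > < >= <= in; && || !) plus parentheses, with
Wireshark precedence (! binds tightest, then &&, then ||).  Frames are flat dicts of field -> value."""
import re

# operator/punctuation | "quoted string" | bare word (field name, number, bare value) | anything else
TOKEN_RE = re.compile(r'\s*(?:(\(|\)|\{|\}|==|!=|>=|<=|>|<|&&|\|\||!)|"([^"]*)"|([\w.:-]+)|(\S))')
COMPARISONS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
               "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
PRECEDENCE = {"||": 1, "&&": 2}

def tokenize(text):
    """Split a filter string into (kind, value) tokens: op, word, or str (quoted)."""
    tokens = []
    for op, quoted, word, junk in TOKEN_RE.findall(text):
        if junk:
            raise ValueError(f"unexpected character {junk!r} in filter")
        tokens.append(("op", op) if op else ("word", word) if word else ("str", quoted))
    return tokens

def expect(toks, expected=None):
    """Consume the next token, optionally checking its text, and return its value."""
    if not toks or (expected is not None and toks[0][1] != expected):
        raise ValueError(f"expected {expected or 'a value'}, got {toks[:1]}")
    return toks.pop(0)[1]

def parse_expr(toks, min_prec=1):
    """Precedence climbing over && and ||; operands come from parse_not."""
    node = parse_not(toks)
    while toks and toks[0][0] == "op" and PRECEDENCE.get(toks[0][1], 0) >= min_prec:
        op = toks.pop(0)[1]
        node = ("or" if op == "||" else "and", node, parse_expr(toks, PRECEDENCE[op] + 1))
    return node

def parse_not(toks):
    if toks and toks[0] == ("op", "!"):
        toks.pop(0)
        return ("not", parse_not(toks))
    if toks and toks[0] == ("op", "("):
        toks.pop(0)
        node = parse_expr(toks)
        expect(toks, ")")
        return node
    return parse_comparison(toks)

def parse_comparison(toks):
    field = expect(toks)
    if toks and toks[0] == ("word", "in"):            # field in {v1 v2 ...}
        toks.pop(0)
        expect(toks, "{")
        members = []
        while toks and toks[0] != ("op", "}"):
            members.append(expect(toks))
        expect(toks, "}")
        return ("in", field, members)
    if toks and toks[0][0] == "op" and toks[0][1] in COMPARISONS:   # field <op> literal
        return ("cmp", toks.pop(0)[1], field, expect(toks))
    return ("present", field)                          # bare name: field/protocol is present

def coerce(field_value, literal):
    """Compare as integers when both sides parse as ints, otherwise as strings."""
    try:
        return int(field_value), int(literal)
    except (TypeError, ValueError):
        return str(field_value), str(literal)

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "present":  # "sip" matches any frame carrying a sip.* field
        return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
    field = node[1] if kind == "in" else node[2]
    if field not in pkt:   # as in Wireshark, a comparison on an absent field is false
        return False
    if kind == "in":
        return any(a == b for a, b in (coerce(pkt[field], m) for m in node[2]))
    return COMPARISONS[node[1]](*coerce(pkt[field], node[3]))

def apply_filter(text, frames):
    """Return the 1-based numbers of the frames that match the display filter."""
    toks = tokenize(text)
    node = parse_expr(toks)
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return [i for i, frame in enumerate(frames, 1) if evaluate(node, frame)]

# Constructed sample frames (not a real capture): a SIP REGISTER exchange, an INVITE exchange, a DNS query
FRAMES = [
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "udp.port": 5060, "sip.Method": "REGISTER", "sip.CSeq.method": "REGISTER"},
    {"ip.src": "203.0.113.10", "ip.dst": "10.0.0.5", "udp.port": 5060, "sip.Status-Code": 401, "sip.CSeq.method": "REGISTER"},
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "udp.port": 5060, "sip.Method": "INVITE", "sip.CSeq.method": "INVITE"},
    {"ip.src": "203.0.113.10", "ip.dst": "10.0.0.5", "udp.port": 5060, "sip.Status-Code": 200, "sip.CSeq.method": "INVITE"},
    {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "udp.port": 53},
]
```

apply_filter("sip.CSeq.method == REGISTER", FRAMES) returns [1, 2]: the REGISTER request and its 401 response share one CSeq, which is why filtering on sip.CSeq.method rather than sip.Method shows the whole registration transaction. A comparison on a field the frame does not carry is false, so sip.Method != INVITE matches only frame 1 and not the response frames, the same result Wireshark gives; to get "everything that is not an INVITE request" you need !(sip.Method == INVITE).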

Other

Remote capture command

ssh root@192.168.0.1 tcpdump -n -i any -w- 'not \( port 22 and host 192.168.0.1 \)' |etherape -r-

Filter cheat sheet

(image: wireshark_filter.jpeg)

(image: Wireshark.png)

Learning

tcpdump

Capture all traffic

tcpdump -i eth0
tcpdump -i wlan0

Write to a file

tcpdump -i eth0 -w capture.pcap

# Stop the capture after a set time
timeout 6m tcpdump -i eth0 -w capture.pcap

Read a file (.pcap)

tcpdump -r capture.pcap

Filter

# Filter by source IP
tcpdump src 192.168.0.1

# Filter by destination IP
tcpdump dst 192.168.0.1

# Filter by port
tcpdump port 80

# Filter by protocol
tcpdump icmp

# Protocol and port
tcpdump tcp port 443

# Source and destination
tcpdump src 192.168.0.1 and dst 192.168.0.2

Display in ASCII

# Display packet contents in ASCII
tcpdump -A

# Display packet contents in hex and ASCII
tcpdump -X

Specific number of packets

tcpdump -c 100

Display

# Capture and display IPv6 traffic (tcpdump has no -6 option; ip6 is the filter keyword)
tcpdump ip6

# Print each packet's timestamp as a full date and time
tcpdump -tttt

SSH connections

# -l: line-buffered output, so it shows in real time when piped
# -e: print the link-level (Ethernet) header as well
tcpdump -i eth0 'tcp port 22' -l -e

HTTP request and response

# 'tcp dst port 80' matches only the client-to-server direction; use 'tcp port 80' for both
tcpdump -i eth0 -s 0 -A -n 'tcp dst port 80'

IP range and protocol

tcpdump -i eth0 'net 192.168.0.0/24 and (tcp port 22 or icmp)'

DNS traffic

tcpdump -i eth0 'udp port 53' -nnvvv

FTP traffic

tcpdump -i eth0 -s 0 'tcp port 21'
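Each tcpdump primitive in the cheat sheet (src, dst, host, port, net, a protocol name, and/or/not) resolves to a few header fields of the captured frame, and -w / -r write and read those frames in the libpcap file format. The Python below is an added example, not tcpdump's code and not from this page: it builds a small libpcap file in memory, walks its 24-byte global header and 16-byte per-record headers, decodes Ethernet/IPv4/TCP/UDP/ICMP, and expresses the cheat sheet's filters as predicates. The addresses, ports and payloads are constructed sample data; IP/TCP/UDP checksums are left at zero, which tcpdump does not verify unless asked with -v.

```python
"""Decode a libpcap file and apply tcpdump-style primitives in Python (added example,
not tcpdump's code).  A small capture is constructed in memory with struct and decoded
down to the IPv4/TCP/UDP/ICMP headers, so src/dst/host/port/net/protocol can be
expressed as predicates and combined with and/or/not like a BPF expression."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}

def build_packet(saddr, daddr, name, sport=0, dport=0, payload=b""):
    """Ethernet/IPv4/{TCP,UDP,ICMP echo} bytes; checksums are left zero (constructed sample data)."""
    if name == "tcp":        # data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    elif name == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:                    # ICMP echo request, id 1, seq 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, PROTO_NUM[name], 0,
                     ipaddress.IPv4Address(saddr).packed, ipaddress.IPv4Address(daddr).packed)
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip + l4   # dst MAC, src MAC, IPv4

def build_pcap(packets):
    """Serialize packets as a libpcap image: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def parse_pcap(data):
    """Yield one dict per record with the header fields the filter primitives need."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with an Ethernet link type is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "ethertype": struct.unpack_from("!H", frame, 12)[0]}
        if rec["ethertype"] == 0x0800:                # IPv4: protocol at byte 9, addresses at 12 and 16
            ihl = (frame[14] & 0x0F) * 4
            pnum, saddr, daddr = struct.unpack_from("!B2x4s4s", frame, 14 + 9)
            rec.update(proto=PROTO_NAME.get(pnum, str(pnum)), src=str(ipaddress.IPv4Address(saddr)),
                       dst=str(ipaddress.IPv4Address(daddr)))
            if rec["proto"] in ("tcp", "udp"):       # ports are the first two 16-bit fields of both headers
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
        yield rec

# tcpdump primitives as predicates over the decoded records
def src(ip):
    return lambda r: r.get("src") == ip
def dst(ip):
    return lambda r: r.get("dst") == ip
def host(ip):
    return lambda r: ip in (r.get("src"), r.get("dst"))
def port(n):
    return lambda r: n in (r.get("sport"), r.get("dport"))
def proto(name):
    return lambda r: r.get("proto") == name
def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda r: "src" in r and any(ipaddress.ip_address(r[k]) in network for k in ("src", "dst"))
def and_(*preds):
    return lambda r: all(p(r) for p in preds)
def or_(*preds):
    return lambda r: any(p(r) for p in preds)
def not_(pred):
    return lambda r: not pred(r)

def select(data, predicate):
    """Return the 1-based record numbers in the pcap image that satisfy the predicate."""
    return [i for i, rec in enumerate(parse_pcap(data), 1) if predicate(rec)]

# Constructed sample capture (not a real trace): an SSH exchange, an HTTPS segment, a DNS query, a ping
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.0.1", "192.168.0.2", "tcp", 40001, 22, b"SSH-2.0-"),
    build_packet("192.168.0.2", "192.168.0.1", "tcp", 22, 40001, b"SSH-2.0-"),
    build_packet("192.168.0.1", "203.0.113.7", "tcp", 40002, 443),
    build_packet("192.168.0.1", "192.168.0.53", "udp", 40003, 53, b"\x00\x01"),
    build_packet("10.1.1.9", "192.168.0.1", "icmp"),
])

if __name__ == "__main__":
    # equivalent of: tcpdump 'net 192.168.0.0/24 and (tcp port 22 or icmp)'
    print(select(SAMPLE_PCAP, and_(net("192.168.0.0/24"), or_(and_(proto("tcp"), port(22)), proto("icmp")))))
```

The __main__ block is the equivalent of tcpdump -i eth0 'net 192.168.0.0/24 and (tcp port 22 or icmp)' run over the sample: it returns [1, 2, 5], the two SSH segments and the ping, and skips the HTTPS and DNS records. Reading a file with tcpdump -r is the same walk over the record headers; incl_len is the field that -s (snaplen) caps, and a truncated record is why an application-layer decode can fail on a capture taken with a small snaplen.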