使用wireshark抓包分析TCP三次握手

wireshark是非常流行的網(wǎng)絡(luò)封包分析軟件，功能十分強大?？梢越厝「鞣N網(wǎng)絡(luò)封包，顯示網(wǎng)絡(luò)封包的詳細信息。使用wireshark的人必須了解網(wǎng)絡(luò)協(xié)議，否則就看不懂wireshark了。為了安全考慮，wireshark只能查看封包，而不能修改封包的容，或者發(fā)送封包。wireshark能獲取HTTP，也能獲取HTTPS，但是不能解密HTTPS，所以wireshark看不懂HTTPS中的容，總結(jié)，如果是處理HTTP,HTTPS還是用Fiddler,其他協(xié)議比如TCP,UDP就用wireshark.Wireshark（網(wǎng)絡(luò)嗅探抓包工具）v1.4.9中文版（包含中文手冊+主界面的操作菜單）評分:4.6類別：遠程監(jiān)控大?。?2M語言：中文查看詳細信息>>下載1690次wireshark開始抓包開始界面wireshark是捕獲機器上的某一塊網(wǎng)卡的網(wǎng)絡(luò)包，當你的機器上有多塊網(wǎng)卡的時候，你需要選擇一個網(wǎng)卡。點擊Caputre->Interfaces..出現(xiàn)下面對話框，選擇正確的網(wǎng)卡。然后點擊"Start"按鈕，開始抓包Wireshark窗口介紹WireShark主要分為這幾個界面DisplayFilter（顯示過濾器），用于過濾PacketListPane（封包列表），顯示捕獲到的封包，有源地址和目標地址，端口號。顏色不同，代表PacketDetailsPane（封包詳細信息），顯示封包中的字段DissectorPane（16進制數(shù)據(jù)）Miscellanous（地址欄，雜項）Wireshark顯示過濾

使用過濾是非常重要的，初學者使用wireshark時，將會得到大量的冗余信息，在幾千甚至幾萬條記錄中，以至于很難找到自己需要的部分。搞得暈頭轉(zhuǎn)向。過濾器會幫助我們在大量的數(shù)據(jù)中迅速找到我們需要的信息。過濾器有兩種，一種是顯示過濾器，就是主界面上那個，用來在捕獲的記錄中找到所需要的記錄一種是捕獲過濾器，用來過濾捕獲的封包，以免捕獲太多的記錄。在Capture->CaptureFilters中設(shè)置保存過濾在Filter欄上，填好Filter的表達式后，點擊Save按鈕，取個名字。比如"Filter102",Filter欄上就多了個下於「102"的按鈕。過濾表達式的規(guī)則表達式規(guī)則1.協(xié)議過濾比如TCP，只顯示TCP協(xié)議。2.IP過濾比如ip.src==02顯示源地址為02，ip.dst==02,目標地址為023.端口過濾tcp.port==80,端口為80的tcp.srcport二二80,只顯示TCP協(xié)議的愿端口為80的。4.Http模式過濾http.request.method二二"GET”,只顯示HTTPGET方法的。5.邏輯運算符為AND/OR常用的過濾表達式過濾表達式用途http只查看HTTP協(xié)議的記錄ip.src==02orip.dst==02源地址或者目標地址是02封包列表(PacketListPane)封包列表的面板中顯示，編號，時間戳，源地址，目標地址，協(xié)議，長度，以及封包信息。你可以看到不同的協(xié)議用了不同的顏色顯示。你也可以修改這些顯示顏色的規(guī)則，View->ColoringRules.No,Time SourceDestinffticinPKotocolLengthInfo26515.SAD61L0192,1&3,1,10Z74,125,120,156TCP 64LTCPDUpACK257PlM]S57T>http[ACK]Seq-37226615.89212805602T二p 14&4[TCPREtransmission][T二Fsegnentofareassett26715-8921TS019211-58.111027^,125,128.15-5TIZP 531T(ZP口upACE25F#5]H577AhlZT：口[也忖]5Uq?：3：726315.E92S10074.1Z,5.L2B.156L9?.163.1,102TCP S30[TCPRerranEmisslon][TCPeegnentofareassat26915&2S4口1^2.168.1^102748125.128,156T二F， 66[TCPDupACK2j7#6]8577>http[ACK]Seq=372270IS.557S320114.00.14?.90192.163-1.102http http/Lh0304rqoTModified27116.56BO36U02lau.163.255.118DNS 76Standardquer^0x30eeA 27216.5fiB58LQ152.168.1,102130.163.255,118DNS 75StandardqueryCi;id4beA.ww.cppblog-'^am273 5^95350192.153.1,102130.169,255.11BDNS 75Standardqueryonbaoaaxwrhuj^ang^com27d16.75D080U1^2.1^8,1,102U4.8Ci.ld2.90TCP 5d8561ahttp[ACK]Seq=20e4Ack=421Win=160^OL27516.8^434^0H4,gprH2.90]_92.：163工：102HTTP 20[TC口R01：『總門口n]HTTFyl.OMQldM3T^KidlflRE27616.B6J34.6002-L14.BO.lil2.9D-TCP 6fi[TCPDupAjCK274^1]B561>http[ACK]S&q=2OCt|27717.06152801日192.163^1.102DNS 91StandardqusryrEsponseOx.ddbed61-155.1^9.127817.0e37590192.1^3,1,102130.169,255,110DH5 77Enzandardquery0x7272awy.h]27917u066174U180.168.2S5.110192.16aalB102DNS lEgStandardqusryrEsponsaOxbaOaCMAHEw**-huji20017.0563610192.1S8,1.10213dns THscindirdquery aw*.2Bl17.0690520130.1S3.255.L10192.163.1,102DN￡ 92StandardqueryrEEponEeOxSOaeA61.155.1&9.120217.0753540192.1^8,1^102130=163.255.118DNS 71StandardqueryOxD-ilfiA.blogt39.nerL20317.H3O5S0180.1S8.255.119192.169,1.102dns 175standardqusryresponse0x7272cnwe hjer17.L45514019Z.163.1.1OZiaO.16a.255.llBDNS 75Standardquery0x5493Adawn.admin5.cam封包詳細信息(PacketDetailsPane)這個面板是我們最重要的，用來查看協(xié)議中的每一個字段。各行信息分別為Frame:物理層的數(shù)據(jù)幀概況EthernetII:數(shù)據(jù)鏈路層以太網(wǎng)幀頭部信息InternetProtocolVersion4:互聯(lián)網(wǎng)層IP部信息TransmissionControlProtocol:傳輸層T的數(shù)據(jù)段頭部信息，此處是TCPHypertextTransferProtocol:應(yīng)用層的信息，此處是HTTP協(xié)議wireshark與對應(yīng)的OSI七層模型

因Microsoft:\Device\NPF_{Ag559F22-15O4-4F4D-B067-DC61581A9F91EileEditViewGoCaptureAnalyzeStatisticsTelephonyTool;應(yīng)用層表示展會話顯HypertextTransFerProt因Microsoft:\Device\NPF_{Ag559F22-15O4-4F4D-B067-DC61581A9F91EileEditViewGoCaptureAnalyzeStatisticsTelephonyTool;應(yīng)用層表示展會話顯HypertextTransFerProtocol物理層EthernetII,src:Prodriva_26:12:bf(；00:Of:11:26:：163.720250001^2.1e8.1.1022g6.056595001^2.1e8.1.102366.03553700192.1e0.1.102496.72037400192.1e0.1.1026610.6614540192.1e0.1.1028711.34570201613111.67352300213211.68398500213311.6847080192.1S8.1.102Destination5(5(484S5(160200114.80.142.SOInternetProtocolVersion4,Src:02(:

TransmissionControlPrDestination5(5(484S5(160200114.80.142.SOTCP包的具體容QMicrewf;：iQtvKMlPU#皂聲FK-15仁TF4c,也■曰-DCflFCBlASFK】唯舊修女工展2.(SMHInternahExp"e5&iDn.aiSourceTCPltt工咯式PTffCflCOl目的端口號源端口號確認號探為我口校驗和黑急指針M充FtMieQMicrewf;：iQtvKMlPU#皂聲FK-15仁TF4c,也■曰-DCflFCBlASFK】唯舊修女工展2.(SMHInternahExp"e5&iDn.aiSourceTCPltt工咯式PTffCflCOl目的端口號源端口號確認號探為我口校驗和黑急指針M充FtMie10EH^rrtexirtternerTransmissionComralProtocol燈由33￡tahslK5TetephcwE3ainwireversion4fi;blcs5x331b/cest沖(2640b18。：0『；露1；的；[2：51rp-Llnl92.lb8.iAa241英?1后解1?工。23DSTPort:corrmlinx-avl ,口與tPoi￡ai_rcoporT!ErcrnilihvquI(11WJ&S5tinationport：httpC90)[srrsaniindex：2]Sequencenumber:1 trel^tivesequencenunberj[Necisequencenumber:278(relativesequencenjiriber)]?A^kriiwl riirmb^r1 (『。1二上30白^-dkFiiiffl舊力廣)Headerlengchs2Qbyte石Flags：:OxO±B(P3M?及Qwindowsizevalue:4350[calculatedwindowsize:17280][wrindwsizesealingfactorid]ChecksumsQ，5ddSi[val1d.Efclondisabled][s&cb'^Kdnilysis][ByresInflight:2GDestindtiDn22O.1S1,156.24Pratoto!LengthHTTP331實例分析TCP三次握手過程看到這，基本上對wireshak有了初步了解，現(xiàn)在我們看一個TCP三次握手的實例三次握手過程為客戶端發(fā)送注n報文，并置發(fā)送序號為x服務(wù)端發(fā)送垓K服務(wù)端發(fā)送垓K報文，并置發(fā)送序號為上在確這圖我都看過很多遍了，這次我們用wireshark實際分析下三次握手的過程。打開wireshark,打開瀏覽器輸入.cr173.在wireshark中輸入http過濾，然后選中GET/tankxiaoHTTP/1.1的那條記錄，右鍵然后點擊"FollowTCPStream",這樣做的目的是為了得到與瀏覽器打開相關(guān)的數(shù)據(jù)包，將得到如下圖MCapturny-ron-,MiCrOWhRM&NPFJfl站59F"-1534-4F4D-8067-DC511A9F9C>rnhcrk1.8.2(SVNRev44520Re/mnk-L制]RbEditWlewGoCaptureAnalyzeStdtlsttsTelephonyTootinterrabHelp穹薇嬴舞0曳臉X整昌上，手吟?而生：回國,aQa0圾瑞!口Filter: tep.streameq5 Eypress-ion...ClearApplySaveFilter102No.Time Source DeTtin^tian Protacol1cngiliInfo5820.6O151DO1M.16B.1.8 61.155.16Q116TCP66Foliocarp>http[5YN]Seq=DWin=K192Len=DM!5920-61&736051.155-16&.116192.163.1.；f TCPhup>follocorp[5th,alk]seq=0Ack=lv/1n=3i5Q20.^199200192.1^0.1.S 51.155.163116TCP5Wfollocarpahitp[ACK]Seq-1Ack-1n-16944.1-1見6244760192.3■弭LE 611155^^.116HTTP&48GETAankxiaaHTTR/l."]-S220.6729870SI.155.IfiS.116 132.1^9.1.8 TCP 1466[TCPsequent 口t areaiseinbledPDU]6Mncl47M了45口6i.：L55.：LEg,：L：L后 8 TCP 1466[TCPsaguarrt uf areissamblEdpdu]6420.色7兆4601寬.：16口二.g 155.：L6g.1L6TUP Mfoliocarpyhttp[ACK]Seq-B95Ack-2E25Wln-H“一―/,『_EFrame61:_小陽￥4型9/Ire(758^blisj,948bytescapiured〔75陰blts'ioninterfaceQI0Ethernet_^e_26:12:tfl：00:0f:ll:26:12:bf3BDst:HuaweiDe_65:bc:c6C54:a5:lfa:65:bc:c6)IETntErnEtnuuiu^o.六一?門日，5rc:192.168.1,3(1M.16B.1.83?Dst:61.155.16^.116(16)ETransmissionconirolppolocd!ssreport:follocorp(2242)》dstpopt:hiizp(80),seq:1^flek:lsLen:89>SlnypBrtGKtTranswerProtocol圖中可以看到wireshark截獲到了三次握手的三個數(shù)據(jù)包。第四個包才是HTTP的，這說明HTTP的確是使用TCP建立連接的。第一次握手數(shù)據(jù)包客戶端發(fā)送一個TCP,標志位為SYN,序列號為0,代表客戶端請求建立連接。如下⑷Captjringf「口"iiMirrcstt： PF_{Ag59F22-1.504-1F4D-53C7-□<E二期1A￡F9門審ire5harkL.S.2(5VWR...0回iFileEditWewGoCaptureAnalyzeStatisticsTelephonyTjzds『itern肱HeJp目源驟修蚓[麴索然翳昌I久&畛宓零盤||邕HldQR臼T例圖蚓髯I回filter:tcp.strEanneq5 ▼Expreseicm- CledrApplySaveHo=Time Source Destination ProtocolLengthInfo5820. 6015100 16 TCP 66 foliocorp?-http [5YH] 5eq=0win=81!l-l5920. &19756051.155.169.LIS 192.L6S.L.3 TCP 66 hltp>follocorp [￡YN, ACK]Saq=QAi6020. 60.99200 16 TCP 54 foliocorp>http [AjCK] 5eq=lAck=l；blZ'J.O2AZ/hi_1UJ.IhM.1.Moi._35._Oz-._L-：HII- JdSGkl/TirkXISOHIIP.<L一 .4IT- iii 卜田Frame58;66bytesonwire(528bi?66bytescaptured(528bits)oninterface013EthernetIIs5rc:Prodrive_26:12:bf(OD:Of:11:26:12:faf),Dst:HuaweiDe_b5:bc:<6Q5Asa5:lb:65:bcSIInternetProtocolVersion4,5r■匚:192,168,1.SC192,168,1.8),Dst:61,155.169-116(61,155,169,111□[TransmissionControlPratocol,SrcPort:follocorpQI34",DstPort:http(80^?三白q:0?Len:0Sourceport;foliocorpC2242)□estinafiunport:http[80J TCP第次握不[Streamindex;5]EequencBnumber:|Q[(relitlvasequBncenumber)Headerlength,32byte3Eflags:Dx002 |Windowsizevaiue;6192[c.alcu-latedwindow三彳工白：日192]Fcheckjijiti:0K4baE[validateondisabled]EOptlans:(12bytesj3htiKiniumsegmentsize?ND-dperationfNOPj3Windawsc.ile3Mo-Oper.itiontwoI第二次握手的數(shù)據(jù)包服務(wù)器發(fā)回確認包，標志位為SYN,ACK.將確認序號(AcknowledgementNumber)設(shè)置為客戶的ISN加1為即0+1=1,如下圖區(qū)ICaptLr Mi廣g溝t\Ce^.ce\N?F_g9559F2Z-13CJ-4FJ口-號：：-□工E]咫1A萌9C}[Wir宅卜白吐1.S.2[5V7R.曲Edit岷*socaottreAnalyzeiiatlstlcsTelephonyijpdsinternalsHelp鬻：瓶熬黑鬣恭昌I，去除。豆必圓y&Q助已端回例客I回Filter：tcp.stneameq5 區(qū)Expression..-Clearapply SaveNa.Tim白 Source Deftination ProtocolLengthInFo5820.6015100 16TCP 66foliocorp>http[SYN]Seq-0win-ai(5920.-1QT^nun：.155.Ind.1,■=,：>7..nn.；fi |in rn|r1p->fulimr「卜，M,山b<2||=\L*6020.6199200 61.155.16&.116TCP 5Wfolnocarp>http[ACKJSeq-1Ack-1\&120.6244780192.16S.1.S 16HTTP M8GET/tankzlaoHTTP/1.1 -d1-蓿 _1 卜0國0ElFrame59:66bytesonv/ire(_52Bbits)P66bytescaptured(528bits)oninterface0EtherneT工工，src:HuaweiDe_65:bc:cet；54:a5:1b:65:bc;c&)?Dst:Prodr1ue_26：L2:bf(口口：口「：121：26：工2irrternetProtocolVersion4,Src:16(16^sDst:192,168.1,8(192.L68A.：Transmissionccmrrolprorocol3srcpori:hrrp(80),dstporrifol1ocorp(2242),seq:口,a匚ktL?TCP第一次握;TCP第一次握;rDesflnaLlonporr:follocorp(22^2)[streamindex:51_sequencenunber:|0~| Crelai1vesequencenumber)Acknoviedgmentnumber|(relatweacknumber)HeaderIgncit':W2bvtE5E[Flags:0x0121[SYM,KK)Window5izevaiue;[calculatE日windovsize:8192]ChecksLin;D>8ebdEv/alidationdisabled]Options:[12bytesj)?M.ax1intnisegments1ze?No-dparatIonCNOP；)?Windowscale;iNo-Dpsration(NOl[5EQ/A匚Kanalyst]第三次握手的數(shù)據(jù)包客戶端再次發(fā)送確認包(ACK)SYN標志位為0,ACK標志位為1.并且把服務(wù)器發(fā)來ACK的序號字段+1,放在確定字段中發(fā)送給對方.并且在數(shù)據(jù)段放寫ISN的+1,如下圖：⑷LapturngfromMicrosaiti\Device\NPFJAQ559F22-LSCW^F^D-SOB7-DC616S1A9F9C}[Wireshark1.8.2(SVNR...!FiteEditviewgocapnxeAnalyzestatisticsTelephonyTedsinternalsHelp翩藕索修?醺荒莪勰昌I久事