How to use Wireshark network packet capture under Linux

Time: 2021-02-25

Wireshark is the most popular network analysis tool in the world. It captures the traffic on a network interface and decodes it, giving the user detailed information about the network and the upper-layer protocols in use.
Like many other network tools, Wireshark relies on the pcap capture library (libpcap on Linux, WinPcap on Windows) to capture packets.

Advantages of Wireshark:

-Easy to install.

-Easy-to-use interface.

-Rich functionality.

Wireshark's original name was Ethereal; the new name came into use in 2006. At that time Ethereal's main developer decided to leave his employer and continue developing the software, but because the Ethereal name was registered to that company, the project was renamed Wireshark.

Wireshark is currently the most popular protocol analysis software in the world. It translates captured binary data streams of many protocols into text and charts that people can read and understand, which greatly facilitates the monitoring and analysis of network activity as well as teaching experiments. It has rich and powerful statistical analysis functions and runs on Windows, Linux, UNIX and other systems. The software was first developed by Gerald Combs in the United States in 1998 under the name Ethereal. Since then more than 100 network experts and developers around the world have taken part in upgrading, improving and maintaining it. Its name was changed from Ethereal to Wireshark in May 2006. It has been updated at a rate of roughly one release every 2-3 months; the version in September 2007 was 0.99.6. The main functions and the way the software is used have stayed the same across upgrades. It is free, open-source software that anyone can download or contribute to.

Wireshark is easy and intuitive to apply to teaching experiments on computer network principles and network security, to daily network security monitoring, network performance testing, capture and analysis of network malware, monitoring of network user behaviour, tracking of attacker activity, and so on. It is therefore widely used in teaching, research and lab work on network principles and information security at well-known universities in the United States, and by network administrators, information security specialists and hardware and software developers all over the world.

In installation and use, the old Ethereal packages and the newer Wireshark packages differ slightly as follows:

(1) The packet-capture driver bundled with the Ethereal installer is WinPcap 3.0. When saving captured data, only English (ASCII) file names can be used, and the default file suffix is .cap.

(2) The packet-capture driver bundled with the Wireshark installer is WinPcap 4.0. Captured data can be saved under Chinese file names, and the default file suffix is .pcap. In addition, Wireshark decodes more network protocols, has better statistical analysis of traffic, and is more convenient for network security teaching and day-to-day network supervision, while the basic usage remains the same as Ethereal's.

WinPcap (Windows Packet Capture) is a free, publicly available packet-capture system for the Windows platform. It was developed to give Win32 applications access to the lower layers of the network stack.

On Linux, when we need to capture packets for analysis, the usual workflow is to capture the raw packets with tcpdump, save them to a file, copy the file to a workstation and open it in the Wireshark GUI for analysis.
Wireshark also ships a Linux command-line tool, tshark. tshark can not only capture packets but also dissect the protocols inside them, so filtering and field extraction can be done directly on the server; it can also read an existing capture file with -r instead of a live interface. Note that capturing from an interface needs raw-socket privileges: run tshark as root, or on Debian/Ubuntu answer yes to the wireshark-common prompt (dpkg-reconfigure wireshark-common) and add your user to the wireshark group so that dumpcap can capture without root. The tshark tool is introduced below with two examples.
1. Installation method
CentOS:

yum install -y wireshark

On CentOS 7 the wireshark package provides tshark; on CentOS 8 and later the command-line tools are in the separate wireshark-cli package.

Ubuntu:

apt-get install -y tshark

2. Real time printing of current HTTP request URL (including domain name)

tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -Y 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'

The parameters mean the following:
-s 512: capture only the first 512 bytes of each packet (the snapshot length); a longer request line is cut off, so raise this value if URLs come out truncated
-i eth0: capture on the eth0 interface
-n: disable network name resolution
-f 'tcp dst port 80': capture filter (BPF syntax); keep only TCP packets whose destination port is 80
-Y 'http.host and http.request.uri': display filter; keep only packets that carry both an http.host and an http.request.uri field (older examples use -R here, which current tshark only accepts together with two-pass mode -2; -Y is the single-pass equivalent)
-T fields -e http.host -e http.request.uri: print only those two fields, separated by a tab
-l: flush the output after each packet so that it appears in real time when piped
The trailing tr -d '\t' removes the tab between the two fields, so each output line reads as the host name followed by the request path.
3. Print the current MySQL query in real time

tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -Y 'mysql.query' -T fields -e mysql.query

The parameters mean the following:
-s 512: capture only the first 512 bytes of each packet; long SQL statements are truncated, so raise this value when needed
-i eth0: capture on the eth0 interface
-n: disable network name resolution
-f 'tcp dst port 3306': capture filter; keep only TCP packets whose destination port is 3306
-Y 'mysql.query': display filter; keep only packets in which the MySQL dissector found a query (a COM_QUERY command packet)
-T fields -e mysql.query: print the SQL statement text
Because the statement text is readable on the wire, this also shows why MySQL connections that leave the host should use TLS (or at least an isolated network): anyone who can capture the traffic sees every query. The same command works on a saved capture by replacing -i eth0 with -r capture.pcap.
tshark uses -f to specify the capture filter. As with tcpdump, the syntax is documented in man pcap-filter.
tshark uses -Y to filter the dissected packets; this is the same display-filter syntax as the filter bar at the top of the Wireshark GUI window.
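The following is an added example, not code from the original article or from the Wireshark project, that makes the two commands above concrete without a live interface. It builds a small classic pcap file containing one constructed HTTP request to port 80 and one constructed MySQL COM_QUERY to port 3306 (the addresses, MAC addresses, ports, request and query are all made up for the demo, and the file name tshark_demo.pcap is an assumption), then walks the file and recovers exactly what the two tshark invocations print: http.host joined to http.request.uri (the effect of the tr -d '\t' pipe), and the mysql.query text. Seeing both fields fall out of a few bytes of raw payload is the point: neither protocol hides anything from whoever holds the capture.

```python
import struct

# Constructed sample traffic for the demo (not a real capture): one HTTP
# request to port 80 and one MySQL COM_QUERY to port 3306.
HTTP_REQUEST = (b"GET /index.php?id=1 HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: curl/7.68.0\r\n\r\n")
MYSQL_QUERY = b"SELECT id, name FROM users WHERE id = 1"


def _ipv4_checksum(hdr):
    """Standard ones-complement checksum over the 20-byte IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_frame(src_port, dst_port, payload):
    """Ethernet/IPv4/TCP frame carrying payload (PSH|ACK, dummy seq/ack numbers)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))  # made-up 10.0.0.2 -> 10.0.0.1
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(path, frames):
    """Classic pcap (not pcapng): 24-byte global header, then one 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (tcp_dst_port, tcp_payload) for every IPv4/TCP record in a little-endian classic pcap."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                   # not TCP
            continue
        tcp = frame[14 + ihl:]
        doff = (tcp[12] >> 4) * 4
        yield struct.unpack("!H", tcp[2:4])[0], tcp[doff:]


def http_host_uri(payload):
    """What '-e http.host -e http.request.uri | tr -d "\\t"' prints, or None if not an HTTP request."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")), b"")
    return (host + parts[1]).decode("latin-1")


def mysql_query(payload):
    """What '-e mysql.query' prints: 3-byte length, 1-byte sequence id, command byte 0x03 (COM_QUERY), SQL."""
    if len(payload) < 5:
        return None
    length = int.from_bytes(payload[:3], "little")
    if payload[4] != 0x03 or len(payload) < 4 + length:
        return None
    return payload[5:4 + length].decode("utf-8", "replace")


def extract(path):
    """Mirror both tshark commands over a saved file: port 80 -> host+uri, port 3306 -> query text."""
    out = {"http": [], "mysql": []}
    for dst_port, payload in read_pcap(path):
        if dst_port == 80 and (v := http_host_uri(payload)):
            out["http"].append(v)
        elif dst_port == 3306 and (v := mysql_query(payload)):
            out["mysql"].append(v)
    return out


def demo(path="tshark_demo.pcap"):
    """Write the two constructed packets to a pcap and read the fields back."""
    mysql_pkt = (len(MYSQL_QUERY) + 1).to_bytes(3, "little") + b"\x00" + b"\x03" + MYSQL_QUERY
    write_pcap(path, [build_frame(40000, 80, HTTP_REQUEST), build_frame(40001, 3306, mysql_pkt)])
    return extract(path)


if __name__ == "__main__":
    print(demo())
```

After running it, tshark -r tshark_demo.pcap -Y http.request -T fields -e http.host -e http.request.uri prints the same host and path that extract() returns. The Wireshark MySQL dissector keeps per-connection state, so a single hand-built segment with no server greeting may not be decoded as mysql.query by tshark even though extract() recovers the statement; on a real capture that starts with the connection handshake the -Y 'mysql.query' command above behaves as described.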
