Objective:
This tutorial helps students to: use the Wireshark packet capture tool; review the packet structure of some basic protocols in computer networks.
I.2. Installation
1. The installer can be downloaded from http://www.wireshark.org.
2. Install from the downloaded file. On Windows this runs automatically and consists of two steps:
   a. Installing the WinPcap library, a Windows library that provides the ability to capture packets on the network card.
   b. Installing the Wireshark software, which operates on top of that library.
This screen lists all the network cards the computer has. Choose the card you want to listen on and start the Capture. Try ping 8.8.8.8 and you will see captured packets like the following:
(Figure labels: command menu; packet list; packet details by protocol structure; packet bytes.)
Once the required data has been collected, stop listening on the network card through the menu Capture > Stop.
... differ, and because two different components, WinPcap and the Wireshark program itself, are responsible for filtering packets, the description languages of these two functions are different. Both methods are examined below.
This dialog lets you customize many capture options: packet filtering, packet display, saving captured packets, and a timer that stops the program. Here we are interested in filtering the captured packets. Filtering is performed according to the expression the user types into the Capture Filter box: packets are filtered by the described criteria, and only packets satisfying those criteria are kept for examination.
Packet description method: because capture in this stage is performed with the support of the WinPcap library, the description language used here is WinPcap's own. Many examples can be found at http://wiki.wireshark.org/CaptureFilters. An overview of this description method follows.
Dept. of Computer Networks & Telecommunications, Faculty of IT, University of Science, Ho Chi Minh City
A filter expression is a combination of several sub-expressions joined by [and|or]; a sub-expression can be negated by placing the word not in front of it:
[not] EXPRESSION [and|or] [not] EXPRESSION
Example:
+ Filter Telnet packets (port 23) from host 10.0.0.5:
tcp port 23 and host 10.0.0.5
Each sub-expression is one of the following primitives:

[src|dst] host <host>
    Filters packets by the IP address or host name of the source or destination. You can restrict the match to the source or destination address with the src|dst prefix. If the prefix is omitted, packets whose source or destination address matches the condition are accepted by default.

ether [src|dst] host <ehost>
    Filters on the Ethernet address of the source or destination. As with the previous primitive, you can specify which address you are interested in with the [src|dst] prefix.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
    Filters packets by the network address of a packet. You can add src|dst to indicate whether you care about the source or the destination address. Without it, packets whose source or destination address satisfies the condition are kept.

[tcp|udp] [src|dst] port <port>
    Filters packets by TCP or UDP port. The src|dst and tcp|udp prefixes let you state whether you care about the source or destination port, and about UDP or TCP. Note that tcp|udp must appear before src|dst. If these prefixes are omitted, packets of both TCP and UDP are selected whenever the packet's port satisfies the condition.

less|greater <length>
    Filters packets whose length is less than or equal to, or greater than or equal to, a given length.

ip|ether proto <protocol>
    Filters packets of a given protocol at the Ethernet layer or the IP layer.

ether|ip broadcast|multicast
    Filters Ethernet-layer or IP-layer broadcast or multicast packets.

<expr> relop <expr>
    Lets you build complex filter conditions by referring to a byte or a range of bytes of the packet. See http://www.tcpdump.org/tcpdump_man.html for details.
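As an added illustration, not part of the original handout and not WinPcap or Wireshark code, the following Python program decodes a constructed Ethernet II / IPv4 / TCP frame and evaluates a subset of the capture-filter primitives listed above against it: host, ether host, net with mask, port with the tcp/udp and src/dst prefixes, ip proto, less, greater, and the and/or/not combinators. The sample frame (a Telnet SYN from 10.0.0.5, matching the text's example), the class and function names, and the simplified grammar are assumptions of this example; real filtering is compiled into the kernel by WinPcap/libpcap, and this evaluator only mirrors the semantics so the rules can be checked offline.

```python
"""Evaluator for a subset of WinPcap/tcpdump capture-filter primitives (added example)."""
import ipaddress
import struct

PROTO = {"tcp": 6, "udp": 17}                # IP protocol numbers
PORT_KEY = {"src": "sport", "dst": "dport"}  # direction prefix -> decoded field name


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet II / IPv4 / TCP SYN frame (sample data, not a capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO["tcp"], 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip_hdr + tcp


def parse_frame(frame):
    """Extract the header fields the primitives compare on (Ethernet, IPv4, TCP/UDP ports)."""
    f = {"len": len(frame), "ether_dst": frame[0:6].hex(":"), "ether_src": frame[6:12].hex(":"),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if f["ethertype"] != 0x0800:             # only IPv4 is decoded further here
        return f
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    f["proto"] = frame[23]
    f["src"], f["dst"] = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
    if f["proto"] in PROTO.values():         # TCP and UDP headers both begin with src port, dst port
        f["sport"], f["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return f


class CaptureFilter:
    """expr = term ('or' term)*; term = factor ('and' factor)*; factor = 'not' factor | primitive."""
    QUALIFIERS = ("src", "dst", "ether", "ip", "tcp", "udp")
    KEYWORDS = ("host", "net", "port", "less", "greater", "proto")

    def __init__(self, text):
        self.toks, self.i = text.split(), 0
        self.tree = self._or()
        if self.i != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.i])

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]

    def _binary(self, op, operand):          # left-associative chain of one operator
        node = operand()
        while self._peek() == op:
            self._next()
            node = (op, node, operand())
        return node

    def _or(self):
        return self._binary("or", self._and)

    def _and(self):
        return self._binary("and", self._not)

    def _not(self):
        if self._peek() == "not":
            self._next()
            return ("not", self._not())
        return self._primitive()

    def _primitive(self):
        qual = []
        while self._peek() in self.QUALIFIERS:
            qual.append(self._next())
        if self._peek() not in self.KEYWORDS:  # bare protocol name such as "tcp" or "ip"
            if not qual:
                raise ValueError("expected a primitive at token %d" % self.i)
            return ("prim", qual, None, None, None)
        kw, val, mask = self._next(), self._next(), None
        if kw == "net" and self._peek() == "mask":
            self._next()
            mask = self._next()
        return ("prim", qual, kw, val, mask)

    def matches(self, frame):
        return self._eval(self.tree, parse_frame(frame))

    def _eval(self, node, f):
        if node[0] == "or":
            return self._eval(node[1], f) or self._eval(node[2], f)
        if node[0] == "and":
            return self._eval(node[1], f) and self._eval(node[2], f)
        if node[0] == "not":
            return not self._eval(node[1], f)
        _, qual, kw, val, mask = node
        dirs = [d for d in ("src", "dst") if d in qual] or ["src", "dst"]  # no prefix: either side
        if kw is None:
            return f.get("proto") == PROTO[qual[-1]] if qual[-1] in PROTO else "src" in f
        if kw == "host" and "ether" in qual:
            return any(f["ether_" + d] == val.lower() for d in dirs)
        if kw == "host":
            return "src" in f and any(f[d] == ipaddress.IPv4Address(val) for d in dirs)
        if kw == "net":
            network = ipaddress.IPv4Network(val + ("/" + mask if mask else ""), strict=False)
            return "src" in f and any(f[d] in network for d in dirs)
        if kw == "port":
            protos = [p for p in PROTO if p in qual] or list(PROTO)  # no prefix: TCP and UDP
            if f.get("proto") not in {PROTO[p] for p in protos}:
                return False
            return any(f[PORT_KEY[d]] == int(val) for d in dirs)
        if kw == "proto":                    # "ip proto <n>"; "ether proto" is not modelled here
            return f.get("proto") == int(val)
        if kw == "less":                     # tcpdump semantics: frame length <= N
            return f["len"] <= int(val)
        return f["len"] >= int(val)          # greater: frame length >= N


# Constructed sample: a Telnet SYN from 10.0.0.5:40000 to 10.0.0.9:23, the case in the text's example.
SAMPLE = build_tcp_frame("00:00:83:00:20:20", "aa:bb:cc:dd:ee:ff", "10.0.0.5", "10.0.0.9", 40000, 23)
```

Usage: `CaptureFilter("tcp port 23 and host 10.0.0.5").matches(SAMPLE)` returns True, while `CaptureFilter("tcp src port 23").matches(SAMPLE)` returns False because only the destination port is 23. Note that less/greater are inclusive comparisons on the whole frame length, as the text states, which is easy to forget when tuning a capture to a size threshold.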
Example:
To filter the DNS packets out of the captured packets, type dns into the Filter field of the display window:
To build good packet filter expressions you should consult http://wiki.wireshark.org/DisplayFilters. A brief description of how to build display filter expressions follows.
Packet description method: every field in the Packet Details pane that Wireshark shows can be used in a Filter. For example, if the Filter is tcp, Wireshark selects the packets that contain this field.
A complete list of the fields that can be filtered on is shown under the menu Internals > Supported Protocols.
Comparing fields: you can compare the fields of a packet against specific values, using either the English abbreviations or the C-language comparison operators. The valid comparison operators are listed in the table below:
English   C    Meaning                  Example
eq        ==   Equal                    ip.src==10.0.0.5
ne        !=   Not equal                ip.src!=10.0.0.5
gt        >    Greater than             frame.len > 10
lt        <    Less than                frame.len < 128
ge        >=   Greater than or equal    frame.len ge 0x100
le        <=   Less than or equal       frame.len <= 0x20
The following table shows the field types you can compare and how to use them:

Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
    Numeric values can be compared in decimal or hexadecimal.
    Examples: ip.len le 1500 / ip.len le 02734 / ip.len le 0x436

Boolean
    Tests whether a given field is present in the packet. If the field is present, the result is True and the packet satisfies the filter.
    Example: filter packets with the TCP SYN flag set: tcp.flags.syn

Ethernet address (6 bytes)
    The separator may be a colon (:), a dot (.) or a hyphen (-).
    Examples: eth.dst == ff:ff:ff:ff:ff:ff / eth.dst == ff-ff-ff-ff-ff-ff / eth.dst == ffff.ffff.ffff
Logical operators:

English   C    Example
and       &&   ip.src==10.0.0.5 and tcp.flags.fin
or        ||   ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^
not       !
Slicing: Wireshark lets you split a field into byte ranges so that comparisons can be made in fairly complex ways. After the field name, put [] and specify the range you want to compare.
Example:
[n:m]  take m bytes starting at offset n
    eth.src[0:3] == 00:00:83
[n-m]  take the bytes from offset n to offset m
    eth.src[1-2] == 00:83
Wireshark also lets you join several such ranges together, separated by commas:
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
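The following Python program is an added example, not part of the handout and not Wireshark's own filter engine. It evaluates the display-filter constructs described in the preceding sections against a dictionary of decoded fields: the English and C comparison operators from the comparison table, the numeric, boolean and Ethernet-address types from the type table, the and/or/xor/not operators, and the [n:m], [n-m], [:m], [n:], [n] slices with comma joining. The sample field values are constructed (eth.src is chosen so that the text's comma-joined slice example evaluates to exactly the 12-byte value shown above), and the class and function names are assumptions of this example. One detail it relies on is that Wireshark reads a numeric literal with a leading 0 as octal, which is why the type table's ip.len le 02734 is the same test as ip.len le 1500.

```python
"""Evaluator for the display-filter constructs in the text (added example, not Wireshark code)."""
import operator
import re

CMP = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}  # English forms
CMP.update({c: c for c in list(CMP.values())})                                # C forms
APPLY = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
         "<": operator.lt, ">=": operator.ge, "<=": operator.le}
TOKEN = re.compile(r"==|!=|>=|<=|>|<|&&|\|\||\^\^|!|\(|\)|[^\s=!<>&|^()]+")


def parse_number(text):
    """Decimal (1500), octal with a leading 0 (02734) or hex (0x5dc), as Wireshark reads them."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(text, 8) if len(text) > 1 and text.startswith("0") else int(text, 10)


def parse_bytes(text):
    """Byte strings such as Ethernet addresses, with :, - or . accepted as separators."""
    return bytes.fromhex(re.sub(r"[:.\-]", "", text))


def slice_bytes(data, spec):
    """[n:m] = m bytes from offset n; [n-m] = offsets n..m inclusive; [:m], [n:], [n]; commas join."""
    out = b""
    for part in spec.split(","):
        if ":" in part:
            n, m = part.split(":")
            start = int(n) if n else 0
            out += data[start:start + int(m)] if m else data[start:]
        elif "-" in part:
            n, m = part.split("-")
            out += data[int(n):int(m) + 1]
        else:
            out += data[int(part):int(part) + 1]
    return out


class DisplayFilter:
    """Recursive descent over the tokens: not binds tightest, then and, then or/xor."""

    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text), 0

    def matches(self, pkt):
        self.i = 0
        result = self._or(pkt)
        if self.i != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.i])
        return result

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]

    def _or(self, pkt):
        left = self._and(pkt)
        while self._peek() in ("or", "||", "xor", "^^"):
            op, right = self._next(), self._and(pkt)  # evaluate both sides so tokens are consumed
            left = (left != right) if op in ("xor", "^^") else (left or right)
        return left

    def _and(self, pkt):
        left = self._not(pkt)
        while self._peek() in ("and", "&&"):
            self._next()
            right = self._not(pkt)
            left = left and right
        return left

    def _not(self, pkt):
        if self._peek() in ("not", "!"):
            self._next()
            return not self._not(pkt)
        if self._peek() == "(":
            self._next()
            inner = self._or(pkt)
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return self._compare(pkt)

    def _compare(self, pkt):
        m = re.fullmatch(r"([\w.]+)(?:\[([^\]]+)\])?", self._next())
        if not m:
            raise ValueError("malformed field reference")
        value = pkt.get(m.group(1))
        if self._peek() not in CMP:                  # bare field name: presence test
            return value is not None and value is not False
        op, rhs = CMP[self._next()], self._next()
        if value is None:                            # absent field: the comparison is false
            return False
        if m.group(2) is not None:
            value = slice_bytes(value, m.group(2))
        if isinstance(value, bool):                  # checked before int, since bool is an int subclass
            value, rhs = int(value), parse_number(rhs)
        elif isinstance(value, int):
            rhs = parse_number(rhs)
        elif isinstance(value, bytes):
            rhs = parse_bytes(rhs)
        return APPLY[op](value, rhs)


# Constructed packet fields (not from a real capture); eth.src is chosen so that the
# text's eth.src[0:3,1-2,:4,4:,2] example yields 00:00:83:00:83:00:00:83:00:20:20:83.
SAMPLE = {"frame.len": 66, "ip.len": 52, "ip.src": "10.0.0.5", "ip.dst": "192.1.1.1",
          "eth.src": bytes.fromhex("000083002020"), "eth.dst": bytes.fromhex("ffffffffffff"),
          "tcp.flags.syn": True, "tcp.flags.fin": False}
```

Usage: `DisplayFilter("eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83").matches(SAMPLE)` returns True, and `DisplayFilter("ip.src==10.0.0.5 and tcp.flags.fin").matches(SAMPLE)` returns False because the FIN flag is not set. A comparison against a field the packet does not carry (for example `udp.port == 53` on a TCP packet) evaluates to False rather than raising, which is the behaviour a filter on a mixed capture needs.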
II.3. IP packet
II.5. ARP packet: