WireShark解析数据包
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WireShark解析数据包相关的知识,希望对你有一定的参考价值。
有哪位大神可以帮忙分析下下图的解析原理
我想问的是为什么前面蓝色这一部分能够解析成后面蓝色的部分
WireShark 安装及帧格式解析(以太帧IP包ARP包)
WireShark 安装
%22%20aria-hidden%3D%22true%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E8%BD%AF%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(932%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E4%BB%B6%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(1865%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E4%B8%8B%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(2798%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E8%BD%BD%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(3731%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E9%93%BE%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(4664%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%8E%A5%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(5597%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%88%91%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(6530%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%94%BE%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(7462%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E5%9C%A8%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(8395%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E4%BA%86%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(9328%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%96%87%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(10261%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%9C%AB%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fsvg%3E)
- 安装的话,直接一路默认就ok,中间有个安装路径换一下就好了。
WireShark 帧格式解析
数据链路层
Ethernet II | 以太网协议版本 II |
Source: IntelCor_49:30:59 (厂名_序号)(38:ba:f8:49:30:59) (网卡地址) | 源地址 |
Destination: TaicangT_3d:9b:a8 (厂名_序号) (6c:c6:3b:3d:9b:a8) (网卡地址) | 目的地址 |
Type: IPv4 (0x0800) | 协议类型 |
网络层
Src: 192.168.1.5 | 源地址 |
Dst: 203.119.247.189 | 目的地址 |
Version: 4 | 互联网协议 IPv4 |
Header Length: 20 bytes (5) | IP包头部长度 |
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) | 差分服务字段 |
Total Length: 41 | IP 包的总长度 |
Identification: 0x3e8f (16015) | 标志字段 |
Flags: 0x4000, Don’t fragment | 标记字段(在路由传输时,是否允许将此IP 包分段) |
Fragment offset: 0 | 分段偏移量(将一个IP 包分段后传输时,本段的标识) |
Time to live: 128 | 生存期 ITL |
Protocol: TCP (6) | 上层协议 |
Header checksum: 0x0000 [validation disabled] | 头部数据的校验和 |
[Header checksum status: Unverified] | 头部数据的校验和状态 |
Source: 192.168.1.5 | 源IP 地址 |
Destination: 203.119.247.189 | 目的IP 地址 |
ARP
捕获一个ARP协议过程,解释相应的值
ARP 请求包
Address Resolution Protocol (request)
Hardware type: Ethernet (1) | 硬件类型 |
Protocol type: IPv4 (0x0800) | 协议类型 |
Hardware size: 6 | 硬件长度 |
Protocol size: 4 | 协议长度 |
Opcode: request (1) | 操作 |
Sender MAC address: TaicangT_3d:9b:a8 (6c:c6:3b:3d:9b:a8) | 发送方 MAC |
Sender IP address: 192.168.1.1 | 发送方 IP |
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00) | 目标 MAC |
Target IP address: 192.168.1.4 | 目标 IP |
ARP回应包
Address Resolution Protocol (reply)
Hardware type: Ethernet (1) | 硬件类型 |
Protocol type: IPv4 (0x0800) | 协议类型 |
Hardware size: 6 | 硬件长度 |
Protocol size: 4 | 协议长度 |
Opcode: reply (2) | 操作 |
Sender MAC address: IntelCor_49:30:59 (38:ba:f8:49:30:59) | 发送方 MAC |
Sender IP address: 192.168.1.5 | 发送方 IP |
Target MAC address: TaicangT_3d:9b:a8 (6c:c6:3b:3d:9b:a8) | 目标 MAC |
Target IP address: 192.168.1.1 | 目标 IP |
链接:https://pan.baidu.com/s/1PqImWwe0FusjbYiDOBHt5A
提取码:qnhp
%22%20aria-hidden%3D%22true%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%3Cg%20fill%3D%22red%22%20stroke%3D%22red%22%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-57%22%3E%3C%2Fuse%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-69%22%20x%3D%221048%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-72%22%20x%3D%221394%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-65%22%20x%3D%221845%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-53%22%20x%3D%222312%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-68%22%20x%3D%222957%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-61%22%20x%3D%223534%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-72%22%20x%3D%224063%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%20%3Cuse%20xlink%3Ahref%3D%22%23E1-MJMATHI-6B%22%20x%3D%224515%22%20y%3D%220%22%3E%3C%2Fuse%3E%0A%3Cg%20transform%3D%22translate(5036%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E4%B8%8B%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(5969%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E8%BD%BD%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(6902%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E9%93%BE%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3Cg%20transform%3D%22translate(7835%2C0)%22%3E%0A%3Ctext%20font-family%3D%22monospace%22%20stroke%3D%22none%22%20transform%3D%22scale(71.759)%20matrix(1%200%200%20-1%200%200)%22%3E%E6%8E%A5%3C%2Ftext%3E%0A%3C%2Fg%3E%0A%3C%2Fg%3E%0A%3C%2Fsvg%3E)
以上是关于WireShark解析数据包的主要内容,如果未能解决你的问题,请参考以下文章
WireShark 安装及帧格式解析(以太帧IP包ARP包)