mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-23 21:20:42 +08:00
wcnnbdk1 translated 20170214 Basics of network protocol analyzer Wireshark On Linux.md
This commit is contained in:
Jinwen Zhang
parent
bcaf34e918
commit
de5ef37ab7
@ -1,130 +0,0 @@
|
||||
wcnnbdk1 translating
|
||||
### Basics of network protocol analyzer Wireshark On Linux
|
||||
|
||||
|
||||
Contents
|
||||
|
||||
* * [1. Installation][4]
|
||||
* [2. Basic Configuration][5]
|
||||
* [2.1. Layout][1]
|
||||
* [2.2. Toolbars][2]
|
||||
* [2.3. Functionality][3]
|
||||
* [3. Capture][6]
|
||||
* [4. Reading Data][7]
|
||||
* [5. Closing Thoughts][8]
|
||||
|
||||
Wireshark is just one of the valuable tools provided by Kali Linux. Like the others, it can be used for either positive or negative purposes. Of course, this guide will cover monitoring _your own_ network traffic to detect any potentially unwanted activity.
|
||||
|
||||
Wireshark is incredibly powerful, and it can appear daunting at first, but it serves the single purpose of monitoring network traffic, and all of those many options that it makes available only serve to enhance it's monitoring ability.
|
||||
|
||||
### Installation
|
||||
|
||||
Kali ships with Wireshark. However, the `wireshark-gtk` package provides a nicer interface that makes working with Wireshark a much friendlier experience. So, the first step in using Wireshark is installing the `wireshark-gtk` package.
|
||||
```
|
||||
# apt install wireshark-gtk
|
||||
```
|
||||
Don't worry if you're running Kali on a live medium. It'll still work.
|
||||
|
||||
### Basic Configuration
|
||||
|
||||
Before you do anything else, it's probably best to set Wireshark up the way you will be most comfortable using it. Wireshark offers a number of different layouts as well as options that configure the program's behavior. Despite their numbers, using them is fairly straightforward.
|
||||
|
||||
Start out by opening Wireshark-gtk. Make sure it is the GTK version. They are listed separately by Kali.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Layout
|
||||
|
||||
By default, Wireshark has three sections stacked on top of one another. The top section is the list of packets. The middle section is the packet details. The bottom section contains the raw packet bytes. For most uses, the top two are much more useful than the last, but can still be great information for more advanced users.
|
||||
|
||||
The sections can be expanded and contracted, but that stacked layout isn't for everyone. You can alter it in Wireshark's "Preferences" menu. To get there, click on "Edit" then "Preferences..." at the bottom of the drop down. That will open up a new window with more options. Click on "Layout" under "User Interface" on the side menu.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
You will now see different available layout options. The illustrations across the top allow you to select the positioning of the different panes, and the radio button selectors allow you to select the data that will go in each pane.
|
||||
|
||||
The tab below, labelled "Columns," allows you to select which columns will be displayed by Wireshark in the list of packets. Select only the ones with the data you need, or leave them all checked.
|
||||
|
||||
### Toolbars
|
||||
|
||||
There isn't too much that you can do with the toolbars in Wireshark, but if you want to customize them, you can find some useful setting on the same "Layout" menu as the pane arrangement tools in the last section. There are toolbar options directly below the pane options that allow you to change how the toolbars and toolbar items are displayed.
|
||||
|
||||
You can also customize which toolbars are displayed under the "View" menu by checking and unchecking them.
|
||||
|
||||
### Functionality
|
||||
|
||||
The majority of the controls for altering how Wireshark captures packets are collected can be found under "Capture" in "Options."
|
||||
|
||||
The top "Capture" section of the window allows you to select which networking interfaces Wireshark should monitor. This could differ greatly depending on your system and how it's configured. Just be sure to check the right boxes to get the right data. Virtual machines and their accompanying networks will show up in this list. There will also be multiple options for multiple network interface cards.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Directly below the listing of network interfaces are two options. One allows you to select all interfaces. The other allows you to enable or disable promiscuous mode. This allows your computer to monitor the traffic of all other computers on the selected network. If you are trying to monitor your whole network, this is the option you want.
|
||||
|
||||
**WARNING:** using promiscuous mode on a network that you do not own or have permission to monitor is illegal!
|
||||
|
||||
On the bottom left of the screen are the "Display Options" and "Name Resolution" sections. For "Display Options," it's probably a good idea to leave all three checked. If you want to uncheck them, it's okay, but "Update list of packets in real time" should probably remain checked at all times.
|
||||
|
||||
Under "Name Resolution" you can pick your preference. Having more options checked will create more requests and clutter up your packet list. Checking for MAC resolutions is a good idea to see the brand of the networking hardware being used. It helps you identify which machines and interfaces are interacting.
|
||||
|
||||
### Capture
|
||||
|
||||
Capture is at the core of Wireshark. It's primary purpose is it monitor and record traffic on a specified network. It does this, in its most basic form, very simply. Of course, more configuration and options can be used to utilize more of Wireshark's power. This intro section, though, will be sticking to the most basic recording.
|
||||
|
||||
To start a new capture, press the new live capture button. It should look like a blue shark fin.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
While capturing, Wireshark will gather all of the packet data that it can and record it. Depending on your settings, you should see new packets coming in on the "Packet Listing" pane. You can click on each one you find interesting and investigate in real time, or you can simply walk away and let Wireshark run.
|
||||
|
||||
When you're done, press the red square "Stop" button. Now, you can choose to either save or discard your capture. To save, you can click on "File" then "Save" or "Save as."
|
||||
|
||||
### Reading Data
|
||||
|
||||
Wireshark aims to provide you with all of the data that you will need. In doing so, it collects a large amount of data related to the network packets that it is monitoring. It tries to make this data less daunting by breaking it down in collapsible tabs. Each tab corresponds to a piece of the request data tied to the packet.
|
||||
|
||||
The tabs are stacked in order from lowest level to highest level. The top tab will always contain data on the bytes contained in the packet. The lowest tab will vary. In the case of an HTTP request, it will contain the HTTP information. The majority of packets that you encounter will be TCP data, and that will be the bottom tab.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Each tab contains data relevant data for that part of the packet. An HTTP packet will contain information pertaining to the type of request, the web browser used, IP address of the server, language, and encoding data. A TCP packet will contain information on which ports are being used on both the client and server as well as flags being used for the TCP handshake process.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
The other upper fields will contain less information that will interest most users. There is a tab containing information on whether or not the packet was transferred via IPv4 or IPv6 as well as the IP addresses of the client and the server. Another tab provides the MAC address information for both the client machine and the router or gateway used to access the internet.
|
||||
|
||||
### Closing Thoughts
|
||||
|
||||
Even with just these basics, you can see how powerful of a tool Wireshark can be. Monitoring your network traffic can help to stop cyber attacks or just improve connection speeds. It can also help you chase down problem applications. The next Wireshark guide will explore the options available for filtering packets with Wireshark.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux
|
||||
|
||||
作者:[Nick Congleton][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux
|
||||
[1]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-1-layout
|
||||
[2]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-2-toolbars
|
||||
[3]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-3-functionality
|
||||
[4]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h1-installation
|
||||
[5]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-basic-configuration
|
||||
[6]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h3-capture
|
||||
[7]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h4-reading-data
|
||||
[8]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h5-closing-thoughts
|
||||
@ -0,0 +1,128 @@
|
||||
### 网络协议分析器 Wireshark 在 Linux 下使用的基础知识
|
||||
|
||||
目录
|
||||
|
||||
* * [1. 安装][4]
|
||||
* [2. 基础配置][5]
|
||||
* [2.1. 布局][1]
|
||||
* [2.2. 工具条][2]
|
||||
* [2.3. 功能][3]
|
||||
* [3. 抓包][6]
|
||||
* [4. 读取数据][7]
|
||||
* [5. 结语][8]
|
||||
|
||||
Wireshark 是 Kali 中预置的众多有价值工具中的一种。与其它工具一样,它可以被用于积极的目的同样也可以被用于消极的目的。当然,本文将会介绍如何追踪你自己的网络流量来发现潜在的非正常活动。
|
||||
|
||||
Wireshark 相当的强大,当你第一次见到它的时候可能会被它吓到,但是它的目的始终就只有一个那就是追踪网络流量,并且它所实现的所有选项都只为了加强它追踪流量的能力。
|
||||
|
||||
### 安装
|
||||
|
||||
Kali 中预置了 Wireshark 。不过,`wireshark-gtk` 包提供了一个更好的界面使你在使用 Wireshark 的时候会有更友好的体验。因此,在使用 Wireshark 前的第一步是安装 `wireshark-gtk` 这个包。
|
||||
```
|
||||
# apt install wireshark-gtk
|
||||
```
|
||||
如果你的 Kali 是从 live 介质上运行的也不需要担心,依然有效。(这里的 live 没有想出怎么翻比较合适)
|
||||
|
||||
|
||||
### 基础配置
|
||||
|
||||
在你使用 Wireshark 之前,将它设置成你使用起来最舒适的状态可能是最好的。Wireshark 提供了许多不同的布局方案和选项来配置程序的行为。尽管数量很多,但是使用起来是相当直接明确的。
|
||||
|
||||
从启动 Wireshark-gtk 开始。需要确定启动的是 GTK 版本的。在 Kali 中他们是被分别列出的。
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### 布局
|
||||
|
||||
默认情况下,Wireshark 的信息展示分为三块内容每一块都叠在另一块上方。(这里的三部分指的是展示抓包信息的时候的那三块内容,本段配图没有展示,配图 4, 5, 6 的设置不是默认设置,与这里的描述不符)最上方的一块是所抓包的列表。中间的一块是包的详细信息。最下面那块中包含的是包的原始字节信息。通常来说,上面的两块中的信息比最下面的那块有用的多,但是对于资深用户来说这块内容仍然是重要信息。
|
||||
|
||||
每一块都是可以缩放的,可并不是每一个人都必须使用这样叠起来的布局方式。你可以在 Wireshark 的“选项(Preferences)”菜单中进行更改。这个位置就位于“编辑(Edit)”菜单下的“选项”菜单的最下方。这个选项会打开一个有更多选项的新窗口。单击侧边菜单中“用户界面(User Interface)”下的“布局(Layout)”选项。
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
你将会看到一些不同的布局方案。上方的图示可以让你选择不同的面板位置布局方案,下面的单选框可以让你选择不同面板中的数据内容。
|
||||
|
||||
下面那个标记为“列”的标签可以让你选择哪些所抓取包的信息来展示。选择那些你需要的数据信息,或者全部展示。
|
||||
|
||||
### 工具条
|
||||
|
||||
对于 Wireshark 的工具条能做的设置不是太多,但是如果你想设置的话,你依然在前文中提到的“布局”菜单中的窗口管理工具下方找到一些有用的设置选项。那些能让你配置工具条和工具条中条目的选项就在窗口选项下方。
|
||||
|
||||
你还可以在“视图(View)”菜单下勾选来配置工具条的显示内容。
|
||||
|
||||
### 功能
|
||||
|
||||
主要的用来控制 Wireshark 抓包的控制选项基本都集中在“捕捉(Capture)”菜单下的“选项(Options)”选项中。
|
||||
|
||||
在开启的窗口中最上方的部分可以让你选择 Wireshark 来监控某个具体的网络接口。(这里的翻译是依照下面的配图默认了读者打开了前一段中的选项窗口,按照这句的捕捉菜单来翻的话感觉怪怪的,因为捕捉菜单下还有一个接口选项可能会有点弄不清)这部分可能会由于你系统的配置不同而会有相当大的不同。要记得查看正确的接口才能获得正确的数据。(将这里的 boxes 翻译成前一句提到的接口,不知是否合适)虚拟机和伴随它们一起的网络接口也同样会在这个列表里显示。同样也会有多种不同的选项对应这多种不同的网络接口。
|
||||
|
||||
|
||||
|
||||
|
||||
在网络接口列表的下方是两个选项。其中一个选项是全选所有的接口。另一个选项用来选择是否开启混杂模式。这个选项可以使你的计算机监控到所选网络上的所有的计算机。(这个描述可能有问题吧,因为这个混杂模式只是可以捕获那些由于目的IP或者MAC地址非本机而会被自动丢弃的数据包吧)如果你想监控你所在的整个网络,这个选项是你所需要的。
|
||||
|
||||
**注意:** 在一个不属于你或者不拥有权限的网络上使用混杂模式来监控是非法的!
|
||||
|
||||
在窗口下方的右侧是“显示选项”和“名称解析”选项块。对于“显示选项”来说,三个选项全选可能就是一个很好的选择了。当然你也可以取消选择,但是最好还是保留选择“实时更新抓包列表”。
|
||||
|
||||
在“名称解析”中你也可以设置你的偏好。这里的选项会产生附加的请求因此选得越多就会有越多的请求产生使你的抓取的包列表显得杂乱。把 MAC 解析选项选上是个好主意,那样就可以知道所使用的网络硬件的品牌了。这可以帮助你来确定你是在与哪台设备上的哪个接口进行交互。
|
||||
|
||||
### 抓包
|
||||
|
||||
抓包是 Wireshark 的核心功能。监控和记录特定网络上的流量就是它最初产生的目的。使用它最基本的方式来作这个抓包的工作是相当简单方便的。当然,越多的配置和选项就越可以充分利用 Wireshark 的力量。这里的介绍的关注点依然还是它最基本的记录方式。
|
||||
|
||||
按下那个看起来像蓝色鲨鱼鳍的新建实时抓包按钮就可以开始抓包了。(在我的 Debian 上它是绿色的)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
在抓包的过程中,Wireshark 会收集所有它能收集到的包的数据并且记录下来。如果没有更改过相关设置的话,在抓包的过程中你会看见不断的有新的包进入到“包列表”面板中。你可以实时的查看你认为有趣的包,或者就让 Wireshark 运行着,同时你可以做一些其它的事情。
|
||||
|
||||
当你完成了,按下红色的正方形“停止”按钮就可以了。现在,你可以选择是否要保存这些所抓取的数据了。要保存的话,你可以使用“文件”菜单下的“保存”或者是“另存为”选项。
|
||||
|
||||
### 读取数据
|
||||
|
||||
Wireshark 的目标是向你提供你所需要的所有数据。这样做时,它会在它监控的网络上收集大量的与网络包相关的数据。它使用可折叠的标签来展示这些数据使得这些数据看起来没有那么吓人。每一个标签都对应于网络包中一部分的请求数据。
|
||||
|
||||
这些标签是按照从最底层到最高层一层层堆起来的。顶部标签总是包含数据包中包含的字节的数据。(这句没理解,机翻的,不知是否合适)最下方的标签可能会是多种多样的。在下图的例子中是一个 HTTP 请求,它会包含 HTTP 的信息。您遇到的大多数数据包将是TCP数据,HTTP 请求数据展示在底部标签页中。(这句我理解的是,前半句讲的是总体上的抓取的数据包类型,后半句讲的是下图中展示的那个数据包的信息和在它右侧的点开的 HTTP 请求标签页)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
每一个标签页都包含了抓取包中对应部分的相关数据。一个 HTTP 包可能会包含与请求类型相关的信息,如所使用的网络浏览器,服务器的 IP 地址,语言,编码方式等的数据。一个 TCP 包会包含服务器与客户端使用的端口信息和 TCP 三次握手过程中的标志位信息。
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
在上方的其它标签中所包含的信息对于大多数用户来说其中只有少量的信息是有用的。(这一句的处理不知是否合适)其中一个标签中包含了数据包是通过 IPv4 或者 IPv6 传输的信息与客户端和服务器端的 IP 地址。另一个标签中包含了客户端与路由器或者网关接入因特网的 MAC 地址的信息。(这里有点不太明白作者说的接入因特网是什么意思,MAC地址只到下一台机器啊似乎跟是否接入因特网没有什么关系啊)
|
||||
|
||||
### 结语
|
||||
|
||||
即使只使用这些基础选项与配置,你依然可以发现 Wireshark 会是一个多么强大的工具。监控你的网络流量可以帮助你识别,终止网络攻击或者提升连接速度。它也可以帮你找到问题应用。下一篇 Wireshark 指南我们将会一起探索 Wireshark 的包过滤选项。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux
|
||||
|
||||
作者:[Nick Congleton][a]
|
||||
译者:[译者ID](https://github.com/wcnnbdk1)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux
|
||||
[1]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-1-layout
|
||||
[2]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-2-toolbars
|
||||
[3]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-3-functionality
|
||||
[4]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h1-installation
|
||||
[5]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h2-basic-configuration
|
||||
[6]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h3-capture
|
||||
[7]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h4-reading-data
|
||||
[8]:https://linuxconfig.org/basic-of-network-protocol-analyzer-wireshark-on-linux#h5-closing-thoughts
|
||||
Loading…
Reference in New Issue
Block a user