Download Wireshark from the official website and install it with the default options.
The main Wireshark window can be divided into the following seven parts: 1: main menu bar, 2: toolbar (shortcut buttons), 3: filter bar, 4: packet list pane, 5: packet details pane, 6: packet bytes pane, 7: packet statistics area (status bar)
Wireshark is a network packet/protocol analyzer.
– A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.
• Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.
File > Open > (file path): opens a saved Wireshark capture file
Menu bar options
(1) File: open and merge capture files, save, save as, export to special file formats, and so on
(2) Edit: find packets, mark packets, time display settings, and similar operations
(3) View: adjust what the main window shows
(4) Capture: choose the network interface, start and stop capturing, capture filters, and so on
(5) Analyze: display filters, follow TCP/UDP streams, and other analysis functions
(6) Statistics: summary data, conversations, endpoints, I/O graphs, flow graphs, and many other conversation reports
(7) Telephony: support for voice (VoIP) traffic
(8) Tools
(9) Help
Capture filter
– captures only traffic that matches the capture filter rule (applied at capture time, before packets are stored)
– saves disk space
– prevents packet loss
• Display filter (applied to already captured packets to select what is shown)
• Tweak appearance
Apply Filters
• ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or destination]
• ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 [sets a conversation filter between the two defined IP addresses; only packets exchanged between the two]
• http or dns [sets a filter to display all HTTP and DNS packets]
• tcp.port == 4000 [sets a filter for any TCP packet with 4000 as a source or destination port]
• tcp.flags.reset == 1 [displays all TCP resets]
• http.request [displays all HTTP GET requests]
• tcp contains rviews [displays all TCP packets that contain the word 'rviews'; excellent when searching for a specific string or user ID]
• !(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]
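The filters above are easier to reason about once the semantics are explicit: a multi-valued field such as ip.addr or tcp.port matches when either endpoint equals the value (which is why the conversation filter needs two ip.addr terms joined with &&), contains is a substring test, a bare field or protocol name tests for presence, and !( ... ) masks out whole protocols. The following added example (not part of the original notes, and not Wireshark's own code) implements a small evaluator for exactly this subset of the display-filter language and runs each filter from the list over six constructed packet records. The PACKETS data, the DisplayFilter class and apply_filter are assumptions of this example; the packet dicts stand in for dissected fields and are not a real capture.

```python
import re

# Tokens: operators and parentheses, or bare words (field and protocol names and
# literal values such as 10.0.0.1 or 4000). Quoted strings are not supported here.
TOKEN = re.compile(r"==|&&|\|\||[()!]|[A-Za-z0-9_.:]+")


class DisplayFilter:
    """Parse a Wireshark-style display filter and evaluate it against packet dicts.

    Packets are dicts of field/protocol name -> list of string values, mirroring
    Wireshark's multi-valued fields (ip.addr carries both endpoints). Supported:
    ==, contains, &&/and, ||/or, !/not, parentheses, bare name = "field present".
    """

    # Binary operator levels from lowest to highest precedence (as in Wireshark).
    LEVELS = (("or", ("||", "or")), ("and", ("&&", "and")))

    def __init__(self, text):
        self.toks, self.pos = self._tokenize(text), 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected trailing tokens: %r" % self.toks[self.pos:])

    @staticmethod
    def _tokenize(text):
        toks = TOKEN.findall(text)
        if "".join(toks) != re.sub(r"\s+", "", text):  # leftover characters = syntax error
            raise ValueError("cannot tokenize filter: %r" % text)
        return toks

    def _peek_is(self, *texts):
        return self.pos < len(self.toks) and self.toks[self.pos] in texts

    def _take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self, level=0):
        """Left-associative binary operators; below the last level comes unary 'not'."""
        if level == len(self.LEVELS):
            return self._unary()
        name, ops = self.LEVELS[level]
        node = self._expr(level + 1)
        while self._peek_is(*ops):
            self._take()
            node = (name, node, self._expr(level + 1))
        return node

    def _unary(self):
        if self._peek_is("!", "not"):
            self._take()
            return ("not", self._unary())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if not tok[0].isalnum():
            raise ValueError("expected a field name, got %r" % tok)
        if self._peek_is("==", "contains"):
            op = self._take()
            return (op, tok, self._take())
        return ("present", tok)

    def matches(self, pkt, node=None):
        node = node or self.ast
        op = node[0]
        if op == "or":
            return self.matches(pkt, node[1]) or self.matches(pkt, node[2])
        if op == "and":
            return self.matches(pkt, node[1]) and self.matches(pkt, node[2])
        if op == "not":
            return not self.matches(pkt, node[1])
        if op == "present":
            return node[1] in pkt
        values = pkt.get(node[1], [])
        if op == "==":                            # true if ANY value of the field is equal
            return node[2] in values
        return any(node[2] in v for v in values)  # contains: substring of any value


# Constructed sample "capture" (not real traffic), numbered 1..6 like Wireshark's packet list.
PACKETS = [
    {"ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp": ["GET /rviews HTTP/1.1"],
     "tcp.port": ["50112", "80"], "tcp.flags.reset": ["0"], "http": [""], "http.request": [""]},
    {"ip.addr": ["10.0.0.2", "10.0.0.1"], "tcp": ["HTTP/1.1 200 OK"],
     "tcp.port": ["80", "50112"], "tcp.flags.reset": ["0"], "http": [""], "http.response": [""]},
    {"ip.addr": ["10.0.0.1", "10.0.0.3"], "tcp": [""], "tcp.port": ["50113", "4000"], "tcp.flags.reset": ["1"]},
    {"ip.addr": ["10.0.0.5", "10.0.0.53"], "udp": [""], "udp.port": ["5353", "53"], "dns": [""]},
    {"arp": [""]},
    {"ip.addr": ["10.0.0.9", "10.0.0.1"], "icmp": [""]},
]


def apply_filter(expr, packets=PACKETS):
    """Return the 1-based numbers of the packets that the display filter selects."""
    f = DisplayFilter(expr)
    return [i for i, p in enumerate(packets, 1) if f.matches(p)]
```

Calling apply_filter("ip.addr == 10.0.0.1") selects packets 1, 2, 3 and 6 because the field matches on either endpoint, while the conversation filter "ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2" narrows that to packets 1 and 2. A filter with a dropped operator, such as "ip.addr = 10.0.0.1", is rejected as a syntax error rather than silently matching nothing, which is also how Wireshark's filter bar behaves (it turns red instead of applying the filter).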