Chapter 5: Packet Capture
The capture filter syntax is the same as tcpdump's.
Variants of the basic primitives:
- [src|dst] host <host>    e.g. src host 192.168.1.1
- ether [src|dst] host <ehost>
- [src|dst] net <net> [{mask <mask>}|{len <len>}]
- [tcp|udp] [src|dst] port <port>
Other primitives:
- less|greater <length>
- ip|ether proto <protocol>
- <expr> relop <expr>    (an expr can be a byte taken from the packet)
Wireshark: Follow TCP Stream
The forensic tool foremost can be used to identify any recognizable binary structure inside binary data:
$ foremost -v -i example.raw
Foremost started at Sun Jul 12 15:59:27 2009
Invocation: foremost -v -i example.raw
Output directory: /home/stretch/test/output
Configuration file: /etc/foremost.conf
Processing: example.raw
|-----------------------------------------------------------------
File: example.raw
Start: Sun Jul 12 15:59:27 2009
Length: 30 KB (31185 bytes)

Num   Name (bs=512)   Size    File Offset   Comment
0:    00000000.jpg    30 KB   330
*|
Finish: Sun Jul 12 15:59:27 2009

1 FILES EXTRACTED
Wireshark: HTTP Session
Save the stream, then trim away the HTTP headers to retrieve the image.
Use a hex editor, e.g. WinHex.
Wireshark: Follow TCP Stream
When an HTTP response and a JPEG image are smooshed together in a single binary blob, this isn't of much use. It is hard to obtain a clean image this way:
$ file example.raw
example.raw: data
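The two recovery approaches on these slides, trimming the HTTP headers off a saved stream and carving the JPEG by its marker bytes the way foremost does, as an added Python example that is not part of the original slides; the HTTP response and the tiny JPEG-like body are constructed inline.

```python
# Added example: recover a JPEG from a saved "Follow TCP Stream" blob.
# Approach 1 strips the HTTP headers; approach 2 carves by JPEG markers
# (foremost-style). The stream below is constructed, not a real capture.
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"       # End Of Image marker

# Constructed sample: minimal JPEG-like body wrapped in an HTTP response.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: image/jpeg\r\n"
    + b"Content-Length: " + str(len(FAKE_JPEG)).encode() + b"\r\n"
    + b"\r\n"
    + FAKE_JPEG
)

def strip_http_headers(stream: bytes) -> bytes:
    """Approach 1: drop everything up to and including the blank line that
    ends the HTTP headers, then honour Content-Length if it is present."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found")
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[: int(value.strip())]   # discard trailing bytes
    return body

def carve_jpeg(blob: bytes) -> Optional[bytes]:
    """Approach 2: foremost-style carving; take the first SOI marker and the
    next EOI marker after it, ignoring whatever surrounds the image."""
    start = blob.find(JPEG_SOI)
    if start < 0:
        return None
    end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
    if end < 0:
        return None
    return blob[start : end + len(JPEG_EOI)]

def looks_like_jpeg(data: bytes) -> bool:
    """Roughly the check `file` does: starts with SOI and ends with EOI."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)

if __name__ == "__main__":
    recovered = strip_http_headers(SAMPLE_STREAM)
    assert recovered == carve_jpeg(SAMPLE_STREAM) == FAKE_JPEG
    print("recovered %d bytes, jpeg=%s" % (len(recovered), looks_like_jpeg(recovered)))
```

Both approaches agree on the constructed stream; on a real saved stream the carver is the one to use when the HTTP headers are missing or the blob holds more than one object.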
Display filter
Data that has passed the capture filter is usually still complex. At this point you can use a display filter to search more finely. It is more powerful than a capture filter, and when you want to change the filter condition you do not need to capture again. Every field in the packet details pane can be used as a filter primitive, and primitives can be connected by logical and comparison operators. Display filters support regular expressions and functions. For example: ftp.passive.ip == 10.2.3.4
Network Packet Capture
Capture specific network packets and collect the contents and characteristics of basic network traffic as electronic evidence.
1. Packet capture software (Ethereal and Wireshark)
Features of Wireshark
- It is distributed under the Gnu's Not UNIX (GNU) General Public License (GPL) open-source license.
- It works in promiscuous and non-promiscuous modes.
- It can capture data from the network or read from a capture file.
- It has an easy-to-read and configurable GUI.
- It has rich display filter capabilities.
- It supports tcpdump format capture filters.
- It has a feature that reconstructs a Transmission Control Protocol (TCP) session and displays it in American Standard Code for Information Interchange (ASCII), Extended Binary Coded Decimal Interchange Code (EBCDIC), hexadecimal (hex) dump, or C arrays.
- It runs on over 20 platforms, including Uniplexed Information and Computing System (UNIX)-based operating systems (OSes) and Windows, and there are third-party packages available for Mac OS X.
- It supports over 750 protocols, and, because it is open source, new ones are contributed frequently.
- It can read capture files from over 25 different products.
- It can save capture files in a variety of formats (e.g., libpcap, Network Associates Sniffer, Microsoft Network Monitor (NetMon), and Sun snoop).
- It can capture data from a variety of media (e.g., Ethernet, Token-Ring, 802.11 Wireless, and so on).
- It includes a command-line version of the network analyzer called tshark.
- It includes a variety of supporting programs such as editcap, mergecap, and text2pcap.
- Output can be saved or printed as plaintext or PostScript.
The basic primitive: [proto] [dir] [type] [id]
- proto: the protocol; any one of ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp, udp, or an expression combining them. If not specified, every protocol consistent with the following type is considered.
- dir: the direction of packet transfer; src or dst, or an expression combining them. If not specified, it is equivalent to src or dst.
- type: specifies whether the following id is a network address, a host address or a port number; one of host, net, port. If not specified, the default is host.
- id: the network, host or port address you want to listen for.
The capture filter syntax is the same as tcpdump's.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not: [not] primitive [and|or [not] primitive ...]
Main interface
Top-level summary
Time since the start of the capture, in seconds
Packet filtering
Wireshark filters at two levels. The first level filters at capture time and captures only specific packets; this level of filtering is actually implemented by the underlying libpcap. The second level filters at display time and shows only specific packets; it is implemented by Wireshark itself.
Capture filter settings
- snmp || dns || icmp: Displays SNMP, DNS or ICMP traffic.
- ip.addr == 10.1.1.1: Displays packets with a source or destination IP address equal to 10.1.1.1.
- ip.src != 10.1.2.3 or ip.dst != 10.4.5.6: Displays packets with a source IP address different from 10.1.2.3 or with a destination IP different from 10.4.5.6.
- ip.src != 10.1.2.3 and ip.dst != 10.4.5.6: Displays packets with a source IP different from 10.1.2.3 and, at the same time, a destination IP different from 10.4.5.6.
- tcp.port == 25: Displays packets with TCP source or destination port 25.
- tcp.dstport == 25: Displays packets with TCP destination port 25.
- tcp.flags: Displays packets having TCP flags.
- tcp.flags.syn == 0x02: Displays packets with the TCP SYN flag set.
Wireshark: Follow TCP Stream
A very useful feature: it can reassemble a TCP stream and reveal the relationships between packets.
Wireshark: Following a TCP Stream
Wireshark: FTP Control Stream
Wireshark: FTP Data Stream
Capture filter examples
The following list includes some examples of capture filters.
- All HTTP packets: tcp port 80
- Non-HTTP packets: not tcp port 80; !tcp port 80; tcp port not 80; tcp port !80
- HTTP browsing to: tcp port 80 and dst
- HTTP browsing to hosts other than: tcp port 80 and not dst
- IPX packets: ipx
- TCP packets: tcp; ip proto 5
- TCP SYN packets: tcp[tcpflags] & tcp-syn == tcp-syn
- IP packets with total length > 255: ip[2:2] > 0xff
- IP or IPX packets: ip or ipx
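To make the byte-offset primitives above concrete (what "an expr can be a byte in the packet" means), here is an added Python example, not from the original slides, that evaluates `tcp port 80`, `ip[2:2] > 0xff` and `tcp[tcpflags] & tcp-syn == tcp-syn` by hand over a constructed Ethernet/IPv4/TCP frame; the frame builder and the helper names are my own.

```python
# Added example: hand-evaluate three capture-filter primitives from the list
# above over a constructed frame (Ethernet II + IPv4 + TCP, no options).
import struct

ETH_HDR_LEN = 14
TCP_SYN = 0x02   # the `tcp-syn` constant of tcpdump's filter language

def build_frame(total_len: int, sport: int, dport: int, flags: int) -> bytes:
    """Constructed frame; addresses 10.1.1.1 -> 10.4.5.6 are sample values."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,    # IP proto 6 = TCP
                     bytes([10, 1, 1, 1]), bytes([10, 4, 5, 6]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return eth + ip + tcp

def ip_bytes(frame: bytes, off: int, n: int = 1) -> int:
    """`ip[off:n]`: n bytes at offset off from the start of the IP header."""
    base = ETH_HDR_LEN + off
    return int.from_bytes(frame[base:base + n], "big")

def tcp_bytes(frame: bytes, off: int, n: int = 1) -> int:
    """`tcp[off:n]`: n bytes at offset off from the start of the TCP header;
    the TCP header starts after IHL*4 bytes of IP header."""
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    base = ETH_HDR_LEN + ihl + off
    return int.from_bytes(frame[base:base + n], "big")

def matches_tcp_port(frame: bytes, port: int) -> bool:
    """`tcp port <port>`: IP protocol must be TCP, source OR destination port."""
    if ip_bytes(frame, 9) != 6:
        return False
    return port in (tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2))

def matches_ip_len_gt_255(frame: bytes) -> bool:
    """`ip[2:2] > 0xff`: bytes 2-3 of the IP header are the total length."""
    return ip_bytes(frame, 2, 2) > 0xff

def matches_tcp_syn(frame: bytes) -> bool:
    """`tcp[tcpflags] & tcp-syn == tcp-syn`: tcpflags is TCP header byte 13.
    Note the parentheses: in BPF `&` binds tighter than `==`, in Python not."""
    return (tcp_bytes(frame, 13) & TCP_SYN) == TCP_SYN

if __name__ == "__main__":
    syn = build_frame(40, 40000, 80, TCP_SYN)        # small SYN to port 80
    print(matches_tcp_port(syn, 80), matches_ip_len_gt_255(syn), matches_tcp_syn(syn))
```

`not tcp port 80` (the non-HTTP example) is just the negation of `matches_tcp_port(frame, 80)`.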
Display filter
You can use a large number of protocols located at layers 2 through 7 of the OSI model. After clicking the "Expression..." button you can see them. For example: IP, TCP, DNS, SSH.
Display filter
Various expressions can be selected and then combined with and, or, and not.
Display filter examples