Computer Network Principles Experiment_Using Network Protocol Analyzer Wireshark

Publisher: 创新脑细胞 | Latest update time: 2021-07-08 | Source: eefocus

1. Experiment Name: Using the Network Protocol Analyzer Wireshark

2. Experimental purpose:

  1. Master the methods of installing and configuring the network protocol analyzer Wireshark;

  2. Be familiar with the basic methods of using the Wireshark tool to analyze network protocols, and deepen the understanding of protocol formats, protocol layers, and protocol interaction processes.

3. Experimental content and requirements

  1. Install and configure the network protocol analyzer Wireshark ( http://www.wireshark.org );

  2. Use and become familiar with the interface environment of the Wireshark analysis protocol (menus, toolbars, various windows, etc.).

  3. Learn to use Wireshark to capture protocol packets.

4. Experimental Environment

  1. A PC running Windows 10 Professional operating system

  2. The PC has an Ethernet card and is connected to the LAN via a twisted pair cable.

  3. Wireshark and Cisco Packet Tracer programs installed

5. Operation methods and experimental steps

  1. Install a network protocol analyzer

 Once the installation succeeds and Wireshark runs, the main interface is as shown in the figure (you can click on the picture to jump to the Wireshark official website to download). The version installed here is 3.0.9, and the interface is automatically in Chinese. Note: if your Wireshark interface does not list any local interfaces as shown above, WinPcap has not been installed. Install WinPcap and restart Wireshark.

  2. Analyze the protocol using Wireshark

    (1) Start the system. Click the Wireshark icon to start.

 As shown in the figure, Capture and Analyze are the most important functions.

    (2) Packet capture.

Before starting packet capture, select the interface to capture on. My network is a wired network connected to the computer via a network cable, so the capture interface selected is Ethernet.

    (3) Protocol analysis.

The packet information obtained by monitoring the Ethernet interface (the screenshot is redacted).

Select the packet with frame number 191 for analysis. From the blue box we can see that the source address of the packet is 223.166.151.88 and the destination address is 192.168.31.97; the destination address 192.168.31.97 is my private network address (the intranet IP assigned to the laptop by the router). The source address is in Shanghai and is a public IP, so the packet is clearly sent from the external network to my intranet.

The protocol of this packet is OICQ. I did not know this protocol at first, but I found that the packet contained my QQ number in the middle pane, and from this I inferred that OICQ is the QQ communication protocol. On inquiry, OICQ is indeed the communication protocol of QQ, used between OICQ clients and OICQ servers.

For more information about the OICQ protocol, please read: https://blog.csdn.net/qq_15724883/article/details/40886871

Open the detail view of packet No. 191 (this experiment was done on a PC, so the IP and port are redacted; please remind me if the redaction is insufficient~). Here you can see the detailed packet information and the packet contents in hexadecimal and ASCII.
This frame contains the following four kinds of information:
  Frame: data frame status at the physical layer.
  Ethernet II, Src: Ethernet frame header information at the data link layer.
  Internet Protocol Version 4, Src: IP packet header information at the internet layer.
  Internet Control Message Protocol: the Internet Control Message Protocol, used by ping packets.
The first three layers are basically the same for every frame. TCP and UDP can appear at the fourth layer, and the fifth layer may carry application-layer protocols such as HTTP.

From the information in this column, we can see that the source port of the packet is 8000, the destination port is xxxx, the packet length is 127, and the checksum is 0xe51f.

Protocol-layer information: the protocol is OICQ (an instant messaging software protocol) and contains fields such as target, version, and data.

    (4) Save packet capture information.

6. Experimental data recording and result analysis

Experimental data and results analysis (Wireshark packet details pane for frame 191, with annotations after //):

Frame 191: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits) on interface 0 //191st frame, 161 bytes on the wire (1288 bits), 161 bytes actually captured on interface 0
Interface id: 0 (\Device\NPF_{7E2C33C0-0623-46BB-9126-813FB633578B}) //Interface ID: 0
Interface name: \Device\NPF_{7E2C33C0-0623-46BB-9126-813FB633578B}
Interface description: 以太网 //Interface description (Chinese for "Ethernet")
Encapsulation type: Ethernet (1) //Encapsulation type
Arrival Time: Mar 13, 2020 15:22:45.526314000 China Standard Time //Arrival time
[Time shift for this packet: 0.000000000 seconds] //Time shift applied to this packet
Epoch Time: 1584084165.526314000 seconds //Epoch time
[Time delta from previous captured frame: 0.027360000 seconds] //Time interval since the previous captured frame
[Time delta from previous displayed frame: 0.027360000 seconds] //Time interval since the previous displayed frame
[Time since reference or first frame: 3.969859000 seconds] //Time interval between this packet and the first frame
Frame Number: 191 //Frame number
Frame Length: 161 bytes (1288 bits) //Frame length
Capture Length: 161 bytes (1288 bits) //Captured frame length
[Frame is marked: False] //Frame marked flag
[Frame is ignored: False] //Frame ignored flag
[Protocols in frame: eth:ethertype:ip:udp:oicq] //Protocol hierarchy encapsulated in the frame
[Coloring Rule Name: UDP] //Coloring rule that matched the protocol
[Coloring Rule String: udp] //Coloring rule display filter string
Ethernet II, Src: (my gateway MAC address), Dst: LcfcHefe_c2:10:c2 (e8:6a:64:c2:10:c2)
Destination: LcfcHefe_c2:10:c2 (e8:6a:64:c2:10:c2)
Address: LcfcHefe_c2:10:c2 (e8:6a:64:c2:10:c2)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: (my gateway MAC address)
Address: (my gateway MAC address)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 223.166.151.88, Dst: 192.168.31.97
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 147
Identification: 0x8fa2 (36770)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 52
Protocol: UDP (17)
Header checksum: 0x5faf [validation disabled]
[Header checksum status: Unverified]
Source: 223.166.151.88
Destination: 192.168.31.97
User Datagram Protocol, Src Port: 8000, Dst Port: (redacted)
Source Port: 8000 //Source port
Destination Port: (redacted) //Destination port
Length: 127 //Length
Checksum: 0xe51f [unverified] //Checksum
[Checksum Status: Unverified] //Checksum status
[Stream index: 0]
[Timestamps]
[Time since first frame: 3.969859000 seconds]
[Time since previous frame: 0.031141000 seconds]
OICQ - IM software, popular in China //OICQ application-layer protocol
Flag: Oicq packet (0x02)
Version: 0x3859 //Version information
Command: Heart Message (2)
Sequence: 17154
Data (OICQ Number, if sender is client): (QQ number)
Data:
[Expert Info (Warning/Undecoded): Trailing stray characters]
[Trailing stray characters]
[Severity level: Warning]
[Group: Undecoded]
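As an added example that is not part of the original lab report, the following Python script decodes a frame with the same Ethernet II / IPv4 / UDP / OICQ layering as frame 191, field by field, the way Wireshark's details pane presents it, and also verifies the IPv4 header checksum that Wireshark left "Unverified" (on the IP header values recorded above, the recomputed checksum comes out to the same 0x5faf). The frame is constructed here from the page's header values; the source MAC, destination port, QQ number and OICQ data bytes are placeholders, and the OICQ field order (flag, version, command, sequence, QQ number) follows the tree shown above.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: ones' complement of the 16-bit ones' complement sum (0 over a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                               # fold the end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dissect_frame(raw: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP / OICQ into the fields Wireshark's details pane shows."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 (0x0800) frames are handled here")
    ver_ihl, dsf, tlen, ident, ff, ttl, proto, hcs = struct.unpack("!BBHHHBBH", raw[14:26])
    ihl = (ver_ihl & 0x0F) * 4                       # IHL is counted in 32-bit words
    if proto != 17:
        raise ValueError("only UDP (17) is handled here")
    u = 14 + ihl                                     # offset of the UDP header
    sport, dport, ulen, ucs = struct.unpack("!HHHH", raw[u:u + 8])
    payload = raw[u + 8:u + ulen]
    # OICQ header in the order the page's tree shows: flag, version, command, sequence, QQ number
    flag, version, command, seq, qq = struct.unpack("!BHHHI", payload[:11])
    return {
        "eth": {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"), "type": ethertype},
        "ip": {"version": ver_ihl >> 4, "header_len": ihl, "dscp": dsf >> 2, "ecn": dsf & 3,
               "total_len": tlen, "id": ident, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
               "frag_offset": ff & 0x1FFF, "ttl": ttl, "proto": proto, "checksum": hcs,
               "checksum_ok": ip_checksum(raw[14:u]) == 0,   # Wireshark left this "Unverified"
               "src": ".".join(map(str, raw[26:30])), "dst": ".".join(map(str, raw[30:34]))},
        "udp": {"sport": sport, "dport": dport, "length": ulen, "checksum": ucs},
        "oicq": {"flag": flag, "version": version, "command": command, "seq": seq, "qq": qq,
                 "command_name": {2: "Heart Message"}.get(command, "unknown")},
    }

def build_sample_frame() -> bytes:
    """Constructed frame with frame 191's header values; src MAC, dst port, QQ number, data are placeholders."""
    eth = bytes.fromhex("e86a64c210c2") + bytes.fromhex("001122334455") + b"\x08\x00"
    oicq = struct.pack("!BHHHI", 0x02, 0x3859, 2, 17154, 123456789) + b"\x00" * 108  # 119 bytes
    udp = struct.pack("!HHHH", 8000, 4000, 8 + len(oicq), 0) + oicq   # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20 + len(udp), 0x8FA2, 0x4000, 52, 17, 0,
                     bytes([223, 166, 151, 88]), bytes([192, 168, 31, 97]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]        # fill in header checksum
    return eth + ip + udp                            # 14 + 147 = 161 bytes, as in frame 191

if __name__ == "__main__":
    for layer, fields in dissect_frame(build_sample_frame()).items():
        print(layer, fields)
```

Corrupting any header byte (for example the TTL) makes `checksum_ok` false, which is the check Wireshark skips by default because NIC checksum offloading makes locally sent packets look corrupt.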

7. Experimental Experience, Questions and Suggestions

Experimental experience:

When you first start learning network principles, you need to read and observe more, and watch other people's experimental processes. When I first used Wireshark, my mind was almost blank. Learning to view information in an orderly manner is very important, and you need to be sensitive to information. For example, when I encountered the OICQ protocol I did not know at first that it was an instant messaging protocol, but I found my QQ account in the packet information and thus inferred that OICQ is the instant messaging protocol used by QQ.

