Wireshark software usage

Wireshark Advanced features :

analyze There are expert infomation, You can see some tcp Retransmit information , You can see some warnings , Insufficient window size and other information .

statistics There are flow graph, You can see the communication of each host in the network , And communication information .

statistics There are packet length You can see , In which part of the length is there more data .

preferences There is name resolution , There are user-defined in name resolution hosts File to identify a host .

statistics There are HTTP, Corresponding http.request, You can see all the data packets caught on the domain name web page http request

statistics Inside protocol hierarchy( Protocol layer ) You can see the number of packets or requests of each protocol in the packet , such as DNS Data packets , Under normal circumstances , One DNS The request corresponds to a DNS reply , You can get the corresponding domain name IP Address

statistics Inside conversation You can see the session between every two devices , such as ipv4 conversation

When such a situation occurs , We deal with it like this . Slow network speed , Or a web page has not been loaded yet , We can go through HTTP Inside http.requests Check whether there are exceptions http request , And then through protocol hierarchy see DNS Whether the number of datagrams is abnormal , Is there anything unusual DNS analysis , And then we passed conversations Locate the abnormal dialog , May, in accordance with the bytes Sort , Check the sessions where the data sent by the local host is much larger than that received , And then through filter, Take these two ip.addr Application rules & once , Then we can check directly packet Data flow of the page .

Here I give four pictures , We can see through protocol hierarchy

We see that DNS Yes 217 A packet , And then through HTTP Inside http.requests

See all http request , Finally, we passed conversations

I saw it , My host and 74 The conversation between hosts at the beginning is abnormal , We click on this conversation , Then filter the display ,

We see a lot of messages sent by my host SYN The datagram , But I didn't receive SYN/ACK Datagram reply , As a result, my host sent a lot of TCP Retransmission , Seriously affect the network .

We host to the target IP launch TCP Connect , send out HTTP Request for web page content , For the unknown IP Conversation , Not corresponding IP Address corresponding DNS request , How do we get this IP The address? ?

That's because most systems use one DNS Caching mechanisms , This mechanism establishes the domain name in the system with IP Mapping cache between addresses , Access cached DNS Record 、 Frequently visited domain names , The system uses the local mapping cache , But do not initiate DNS request . Until these domain names and IP The mapping between addresses is out of date , Before new DNS Request to get the... Of the domain name IP Address .

When domain name and IP The address mapping relationship has changed , But the device did not initiate DNS Request to get a new address , that , The next time you visit this domain name , The device will try to connect to an invalid address ,