
Wireshark network packet capture

2022-07-04 19:57:00 Daydayup

1. Preface

Studying network protocols and analysing local or remote captures is hard to do without Wireshark or a similar tool.
Here I walk through a simple packet capture in three scenarios.

2. Three packet-capture scenarios

2.1 Capturing local HTTP

First set the Wireshark filter to ip.dst == 124.223.54.92 and tcp.port == 8116 and start capturing.
Then open a browser on the PC (local IP 192.168.0.102), visit a traditional Chinese medicine information site I run as a practice project, http://124.223.54.92:8116/, and search for “Sheraton”:

Some matching results come back. Now look at what Wireshark captured:

Only the one-way request from browser to server is visible (No=64; the arrow shows src->dst, client 192.168.0.102 -> server 124.223.54.92). The corresponding response is not captured, because ip.dst only matches packets whose destination is the server.
To see the response as well, change the filter to ip.addr == 124.223.54.92 and tcp.port == 8116 (ip.addr matches packets where this IP is either src or dst). After applying the new filter the capture looks like this:

No=108: the arrow shows source->dest, server 124.223.54.92 -> client 192.168.0.102, which is the response.
The search request above was a GET; next try a POST to http://124.223.54.92:8116/api/echo. This echo endpoint returns whatever request body it receives:

curl --location --request POST 'http://124.223.54.92:8116/api/echo' \
--header 'Content-Type: text/plain' \
--data-raw '{ "name": "Jay" }'

Wireshark again shows the corresponding request and response, and the plaintext business data in the response body is visible as well:

2.2 Capturing HTTP from a mobile phone

Wireshark on the PC cannot capture the phone's traffic directly, even when the PC and the phone are on the same WiFi. Wireshark captures on a selected network interface, and only traffic that passes through that interface is caught. To capture the phone's traffic you would have to capture on the phone's own interface, or on the server's, so it cannot be done directly on the PC.

There are, however, two ways around this:

  • First, have the PC open a shared hotspot and connect the phone to it
  • Second, run a network proxy on the PC with a tool such as Charles and point the phone at that proxy

The second way is used here. Step one: after downloading and installing Charles, go to Proxy->Proxy Settings->HTTP Proxy and set Port=8888, as follows:

Step two: with the phone on the same WiFi as the PC, open the WiFi connection settings on the phone and set the proxy host name to the PC's IP and the proxy port to the 8888 configured in Charles, as follows:

Once the proxy is set, the phone's traffic goes through the proxy on the PC instead of directly to the router.
The screenshot above shows the phone's IP as 192.168.0.100, so set the Wireshark filter to ip.addr == 192.168.0.100 and start capturing.
Then open the phone's browser, visit http://124.223.54.92:8116/ and run a search:

Back in Wireshark, check what was captured. No=43 is the captured request:

No=153 is the captured response:

Charles, being a tool similar to Wireshark, also records the request and the response at the same time, as follows:

2.3 Remote packet capture

Sections 2.1 and 2.2 gave examples of local and mobile capture. Capturing a phone's traffic is also a kind of remote capture, but the phone still has to be on the same LAN as the PC, so it is not fully remote.
There are fully remote scenarios too, for example a process a on remote server 192.168.2.15 that keeps performing p2p handshakes with a process b on remote server 192.168.2.22. If you need to verify whether the handshake between these two processes is encrypted or not, how do you check?
Note: both process a and process b use port 34000 for the p2p handshake.
Step one: on 192.168.2.15, use tcpdump to save the TCP packets exchanged with 192.168.2.22 to a cap file:

tcpdump tcp port 34000 and host 192.168.2.22 -w ./target.cap

Step two: copy the cap file to the local PC and open it in Wireshark for analysis, as follows. You can see that the p2p handshake between the two processes is TLSv1.2 encrypted, and the message contents show as Application Data, meaning they are encrypted.
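As an added example (not part of the original post): a small Python reader for the pcap file that tcpdump -w writes, which walks Ethernet/IPv4/TCP and labels each payload as a TLS record or plaintext HTTP, the same check section 2.3 does by eye in Wireshark. The sample packets, ports and the helper names are constructed here to mirror sections 2.1 and 2.3; the classifier is a first-bytes heuristic, not a full TLS parser.

```python
import struct

TLS_TYPES = {0x16: "handshake", 0x17: "application data"}  # TLS record content types
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_payload(payload: bytes) -> str:
    """Label one TCP payload: TLS record (encrypted), plaintext HTTP, or unknown."""
    if len(payload) >= 5 and payload[0] in TLS_TYPES:
        version = struct.unpack("!H", payload[1:3])[0]
        if version in TLS_VERSIONS:
            return f"{TLS_VERSIONS[version]} {TLS_TYPES[payload[0]]}"
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "plaintext HTTP"
    return "unknown"

def tcp_payloads(pcap: bytes):
    """Yield (src, dst, sport, dport, payload) for each Ethernet/IPv4/TCP packet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        if ip[9] != 6 or len(tcp) < 20:
            continue  # not TCP, or truncated by the snaplen
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def summarize(pcap: bytes):
    """One (flow, label) row per TCP packet, e.g. for target.cap from tcpdump -w."""
    return [(f"{s}:{sp}->{d}:{dp}", classify_payload(p)) for s, d, sp, dp, p in tcp_payloads(pcap)]

def build_frame(src, dst, sport, dport, payload):  # constructed demo frame, checksums zeroed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes(12) + b"\x08\x00" + ip

def build_pcap(frames):  # constructed little-endian pcap, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

# Constructed sample: a plaintext request like 2.1 and a TLSv1.2 application-data record like 2.3.
SAMPLE = build_pcap([
    build_frame("192.168.0.102", "124.223.54.92", 51234, 8116, b"GET /?q=x HTTP/1.1\r\n\r\n"),
    build_frame("192.168.2.15", "192.168.2.22", 34000, 34000, b"\x17\x03\x03\x00\x10" + bytes(16)),
])
```

To run it on the real capture from step one, call summarize(open("target.cap", "rb").read()); every row labelled as a TLS record confirms what Wireshark shows as Application Data.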


Copyright notice
This article was written by [Daydayup]; if you repost it, please include the original link. Thank you.
https://yzsam.com/2022/185/202207041739464932.html