
EXPLORING THE WIRESHARK PACKET CAPTURE TOOL

Objectives:
This guide enables students to: use the Wireshark packet capture tool; review the packet structure of several basic computer-network protocols.

I. Wireshark

I.1. Introduction


Wireshark is open-source software for capturing and analysing the packets that pass through a computer's network interface card (NIC). It runs on many platforms, including Linux, Windows, Mac OS X and Solaris. The software was originally named Ethereal; in May 2006 the project was renamed Wireshark.

Wireshark helps:
- System administrators analyse and troubleshoot their systems.
- Software developers build applications.
- Students study how network protocols operate.

The main features of Wireshark are:
- Capturing the packets that pass through a network interface.
- Listing the captured packets in detail.
- Saving captured data to a file and opening it again later.
- Filtering the captured packets by many different criteria.
- Producing statistical charts of the packets seen on an interface.
- And many other features.

Department of Computer Networks and Telecommunications, Faculty of Information Technology, University of Science, Ho Chi Minh City

Page 1

I.2. Installation
1. The installer can be downloaded from http://www.wireshark.org.
2. Install from the downloaded file. On Windows the process runs automatically and consists of the following steps:
   a. Install the WinPcap library, a Windows library that provides packet capture on the network interface.
   b. Install the Wireshark software, which operates on top of this library.

I.3. Capturing packets on a network interface

Start Wireshark. Note that Wireshark does not capture every packet on the machine, only the packets passing through one selected network interface, so the first step is to choose the interface to listen on. Choose the menu Capture → Interface, or the shortcut Ctrl+I:

This lists all the network interfaces the computer has. Select the interface you want to listen on and start the Capture. Try ping 8.8.8.8 and the capture result looks like this:


[Screenshot of the main window; callouts: Menu, Command toolbar, Packet list, Packet details (by protocol structure), Packet bytes]

Once the required data has been collected, stop listening on the interface via the menu Capture → Stop.

I.4. Filtering packets after Capture


In practice a great many different kinds of packets pass through the network interface, more than we can reasonably keep track of, while we usually only want to collect and analyse a few specific kinds. Wireshark therefore lets the user filter packets by specific criteria. It offers two filtering methods, applied at two different moments of the capture process. Because the two moments differ, and two different components do the filtering (WinPcap and the Wireshark program itself), the description languages of the two functions also differ. Both methods are described below.

I.4.1. Filtering packets at capture time:

In the interface-selection dialog, instead of pressing Start to begin capturing, press the Options button to open the capture options.

The Capture Options dialog appears:


This dialog lets us customise many aspects of the capture process: packet filtering, packet display, saving packets to files, and stopping the capture on a timer. Here we are interested in filtering the captured packets. Filtering follows the description the user enters in the Capture Filter field: packets are filtered by the described criteria and only those that satisfy them are kept for examination.

How packets are described: because capturing at this stage is done with the help of the WinPcap library, the description language used here is WinPcap's (the same syntax tcpdump uses). You can find many examples at http://wiki.wireshark.org/CaptureFilters. An outline of this description language follows.

A filter expression is a combination of sub-expressions joined by [and|or]; a sub-expression is negated by placing "not" in front of it:

[not] DESCRIPTION [and|or] [not] DESCRIPTION

Example:
+ Filter Telnet packets (port 23) from host 10.0.0.5:
tcp port 23 and host 10.0.0.5

Each component description is one of the following:

[src|dst] host <host>
Filters packets by the IP address or host name of the source or destination. You can name the source or destination explicitly with the src|dst prefix. If it is omitted, packets whose source or destination address matches are accepted by default.

ether [src|dst] host <ehost>
Filters on the source or destination Ethernet address. As above, you can specify which address you care about with the optional [src|dst].

[src|dst] net <net> [{mask <mask>}|{len <len>}]
Filters packets by network address. You can add src|dst to state that you care about the source or the destination address; without it, packets whose source or destination address matches are kept.

[tcp|udp] [src|dst] port <port>
Filters packets by TCP or UDP port. You can add src|dst and tcp|udp to state that you care about the source or destination port, and about UDP or TCP. Note that tcp|udp must appear before src|dst. If no qualifier is given, packets of both TCP and UDP are selected whenever the packet's port matches the condition.

less|greater <length>
Filters packets whose length is less than or equal to (less), or greater than or equal to (greater), the given length.

ip|ether proto <protocol>
Filters packets of a particular protocol at the Ethernet layer or the IP layer.

ether|ip broadcast|multicast
Filters Ethernet or IP broadcast or multicast packets.

<expr> relop <expr>
Builds a more complex filter condition by pointing at a byte or a range of bytes in the packet. See http://www.tcpdump.org/tcpdump_man.html for details.
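To make the primitives above concrete, here is an evaluator for a subset of the capture-filter language. This is an added example, not part of this lab sheet and not code from Wireshark or libpcap; it interprets host, net, port, less/greater, proto and broadcast primitives with not/and/or over a constructed packet summary (the addresses, ports and length below are hypothetical), so each expression can be tried without a live capture.

```python
"""Evaluate a subset of the WinPcap/libpcap capture-filter language.

Added example, not part of this lab sheet and not code from Wireshark or
libpcap. A packet is represented by a constructed summary (hypothetical
values) so the primitives can be tried without a live capture.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}      # IP protocol numbers
QUALIFIERS = {"src", "dst", "ether", "ip", "tcp", "udp", "icmp"}


@dataclass
class Packet:
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    ip_proto: int
    src_port: Optional[int]   # None for ICMP
    dst_port: Optional[int]
    length: int               # frame length in bytes


def _network(body):
    # 'net 10.0.0.0 mask 255.255.255.0', 'net 10.0.0.0 len 24' or 'net 10.0.0.0/24'
    if len(body) >= 4 and body[2] in ("mask", "len"):
        return ipaddress.ip_network(f"{body[1]}/{body[3]}", strict=False)
    return ipaddress.ip_network(body[1], strict=False)


def match_primitive(words, pkt):
    """Evaluate one primitive, e.g. ['tcp', 'dst', 'port', '23']."""
    quals = {w for w in words if w in QUALIFIERS}
    body = [w for w in words if w not in QUALIFIERS]
    dirs = [d for d in ("src", "dst") if d in quals] or ["src", "dst"]
    protos = [PROTO_NUM[p] for p in ("tcp", "udp", "icmp") if p in quals]
    if not body:                                  # bare 'tcp', 'udp' or 'icmp'
        return pkt.ip_proto in protos
    key = body[0]
    if key == "host":                             # [ether] [src|dst] host <addr>
        addrs = ({"src": pkt.eth_src, "dst": pkt.eth_dst} if "ether" in quals
                 else {"src": pkt.ip_src, "dst": pkt.ip_dst})
        return any(addrs[d].lower() == body[1].lower() for d in dirs)
    if key == "net":                              # [src|dst] net <net> [mask|len]
        net = _network(body)
        addrs = {"src": pkt.ip_src, "dst": pkt.ip_dst}
        return any(ipaddress.ip_address(addrs[d]) in net for d in dirs)
    if key == "port":                             # [tcp|udp] [src|dst] port <n>
        if pkt.ip_proto not in (protos or [6, 17]):
            return False
        ports = {"src": pkt.src_port, "dst": pkt.dst_port}
        return any(ports[d] == int(body[1]) for d in dirs)
    if key in ("less", "greater"):                # len <= n / len >= n, as in tcpdump
        return pkt.length <= int(body[1]) if key == "less" else pkt.length >= int(body[1])
    if key == "proto":                            # ip proto <number|name>
        target = int(body[1]) if len(body) > 1 else protos[0]
        return pkt.ip_proto == target
    if key == "broadcast":                        # ether broadcast
        return pkt.eth_dst.lower() == "ff:ff:ff:ff:ff:ff"
    raise ValueError("unsupported primitive: " + " ".join(words))


def _split(tokens, sep):
    groups, current = [], []
    for tok in tokens:
        if tok == sep:
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return groups


def match(expr, pkt):
    """Evaluate a whole filter; precedence is not > and > or (no parentheses)."""
    def term(words):
        negate = False
        while words and words[0] == "not":
            negate, words = not negate, words[1:]
        return match_primitive(words, pkt) != negate
    tokens = expr.lower().split()
    return any(all(term(t) for t in _split(group, "and"))
               for group in _split(tokens, "or"))


# Constructed Telnet SYN from 10.0.0.5 to 10.0.0.9 (hypothetical addresses).
TELNET = Packet(eth_src="00:00:83:00:20:20", eth_dst="00:11:22:33:44:55",
                ip_src="10.0.0.5", ip_dst="10.0.0.9", ip_proto=6,
                src_port=51234, dst_port=23, length=74)

if __name__ == "__main__":
    for f in ("tcp port 23 and host 10.0.0.5", "udp port 53",
              "src net 10.0.0.0 mask 255.255.255.0 and not dst port 80"):
        print(f"{f!r:62} -> {match(f, TELNET)}")
```

The evaluator follows the operator precedence of the real language (not binds tighter than and, which binds tighter than or) but deliberately leaves out parentheses and the byte-offset form `<expr> relop <expr>`; the point is to see that, for instance, `port 23` without a `tcp` or `udp` qualifier matches either transport, and that `less 60` means "60 bytes or shorter", not strictly shorter.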

I.4.2. Filtering packets after capture:


Wireshark provides another, quite effective and simpler way to filter packets after they have been captured and stored. The description language here was designed by Wireshark to be simpler, and so it lets you build more precise and effective filter conditions: you can compare the values of a packet's fields through expressions in an intuitive way. You can filter packets by:

- Protocol type.
- The presence of a field.
- The value of a field.
- And many other values.

Example: to filter the DNS packets out of the captured packets, type DNS into the Filter field of the display window:

To write good filter descriptions you should consult http://wiki.wireshark.org/DisplayFilters. A brief account of how filter expressions are built follows.

How packets are described: every field in the Packet details pane that Wireshark displays can be used in the Filter. For example, if the Filter is tcp, Wireshark filters the packets that have this field.


A complete list of the fields that can be filtered on is shown under the menu Internals → Supported Protocols.

Comparing fields: we can compare a packet's fields against specific values, using either the English abbreviations or the comparison operators of the C language. The valid comparison operators are listed below:


English   C    Meaning                     Example
eq        ==   Equal                       ip.src==10.0.0.5
ne        !=   Not equal                   ip.src!=10.0.0.5
gt        >    Greater than                frame.len > 10
lt        <    Less than                   frame.len < 128
ge        >=   Greater than or equal to    frame.len ge 0x100
le        <=   Less than or equal to       frame.len <= 0x20

The following table shows the field types you can compare and how to use them:

Type: Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
  Numeric values can be compared in decimal or hexadecimal.
  Examples: ip.len le 1500   ip.len le 02734   ip.len le 0x436

Type: Boolean
  Tests whether a given field exists in the packet. If the field exists the result is True and the packet passes the filter.
  Example (filter TCP packets carrying the SYN flag): tcp.flags.syn

Type: Ethernet address (6 bytes)
  The separator may be a colon (:), a dot (.) or a hyphen (-).
  Examples: eth.dst == ff:ff:ff:ff:ff:ff   eth.dst == ff-ff-ff-ff-ff-ff   eth.dst == ffff.ffff.ffff

Type: IPv4 address
  Example: ip.addr == 192.168.0.1
  Filtering addresses from a given range: ip.addr == 129.111.0.0/16

Type: IPv6 address
  Example: ipv6.addr == ::1

Type: IPX address
  Example: ipx.addr == 00000000.ffffffffffff

Type: String
  Example: http.request.uri == "http://www.wireshark.org/"
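The two tables above can be exercised with the following evaluator for single display-filter comparisons. It is an added example, not part of this lab sheet and not Wireshark's filter engine; the frame is a constructed field table standing in for the Packet details pane (hypothetical addresses and lengths). It accepts both the English and the C operators, integer literals in decimal, octal (02734 in the table is octal for 1500) and hexadecimal, Ethernet addresses with any of the three separators, IPv4 addresses with or without a /prefix, a bare field name as a presence test, and a leading not or ! for negation.

```python
"""Evaluate single Wireshark-style display-filter comparisons.

Added example, not part of this lab sheet and not Wireshark's own filter
engine. The frame below is a constructed field table standing in for the
Packet details pane; addresses and lengths are hypothetical.
"""
import ipaddress
import operator
import re

OPS = {"eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
       "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
       "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le}

PATTERN = re.compile(
    r"^\s*(?P<neg>not\s+|!\s*)?(?P<field>[A-Za-z][\w.]*)\s*"
    r"(?:(?P<op>==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s*(?P<lit>.+?))?\s*$")


def parse_int(text):
    """Integer literal in decimal (1500), octal (02734) or hexadecimal (0x5dc)."""
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text)


def parse_ether(text):
    """Ethernet address with ':', '-' or '.' separators, e.g. ffff.ffff.ffff."""
    return bytes.fromhex(re.sub(r"[:.\-]", "", text))


def compare(value, op, literal):
    """Compare one field value with a literal converted to the field's type."""
    if isinstance(value, ipaddress.IPv4Address):
        if "/" in literal:                       # ip.addr == 129.111.0.0/16 (== or != only)
            inside = value in ipaddress.ip_network(literal, strict=False)
            return inside if op in ("==", "eq") else not inside
        return OPS[op](value, ipaddress.ip_address(literal))
    if isinstance(value, bytes):
        return OPS[op](value, parse_ether(literal))
    if isinstance(value, int):                   # bool is an int subclass
        return OPS[op](value, parse_int(literal))
    if isinstance(value, str):
        return OPS[op](value, literal.strip('"'))
    raise TypeError(f"unsupported field type {type(value).__name__}")


def evaluate(expr, fields):
    """'field' tests presence; 'field op literal' is true if ANY value matches."""
    m = PATTERN.match(expr)
    if not m:
        raise ValueError("cannot parse: " + expr)
    values = fields.get(m["field"], [])          # a field may occur several times
    if m["op"] is None:
        result = bool(values)
    else:
        result = any(compare(v, m["op"], m["lit"]) for v in values)
    return result != bool(m["neg"])


# Constructed TCP SYN 10.0.0.5 -> 129.111.4.7 (hypothetical). Every field keeps
# a list because a field such as ip.addr occurs twice (source and destination).
FRAME = {
    "frame.len": [74],
    "eth.src": [parse_ether("00:00:83:00:20:20")],
    "eth.dst": [parse_ether("00:11:22:33:44:55")],
    "ip.len": [60],
    "ip.src": [ipaddress.ip_address("10.0.0.5")],
    "ip.dst": [ipaddress.ip_address("129.111.4.7")],
    "ip.addr": [ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("129.111.4.7")],
    "tcp": [True],
    "tcp.flags.syn": [True],
    "tcp.dstport": [23],
}

if __name__ == "__main__":
    for f in ("ip.src==10.0.0.5", "ip.addr == 129.111.0.0/16", "frame.len ge 0x100",
              "tcp.flags.syn", "ip.addr != 10.0.0.5", "!ip.addr == 10.0.0.5"):
        print(f"{f:32} -> {evaluate(f, FRAME)}")
```

The last two expressions show why the field values are kept as lists: `ip.addr` occurs twice in an IP packet, and a comparison is true when any occurrence matches, so `ip.addr != 10.0.0.5` is true for a packet that does involve 10.0.0.5 (its other address differs), while `!ip.addr == 10.0.0.5` is the filter that actually excludes that host.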

Operators for combining expressions:

English   C    Example
and       &&   ip.src==10.0.0.5 and tcp.flags.fin
or        ||   ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^   tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !    not llc

Slicing: Wireshark lets you split a field into segments and compare them in fairly sophisticated ways. After the field name you can add [] and specify the range you want to compare. For example:

[n:m]   m values starting at position n
        eth.src[0:3] == 00:00:83

[n-m]   values from position n up to and including position m
        eth.src[1-2] == 00:83

[:m]    values from the start up to position m; equivalent to [0:m]
        eth.src[:4] == 00:00:83:00

[n:]    values from position n to the end
        eth.src[4:] == 20:20

[n]     exactly the value at position n; equivalent to [n:1]
        eth.src[2] == 83

Wireshark also lets you join several slices together, separated by commas:
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
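The five slice forms and the comma-joined form are easy to get wrong ([n:m] is "m bytes from n", while [n-m] is inclusive), so here is a small evaluator that reproduces them. This is an added example, not part of this lab sheet and not Wireshark's own code; the source MAC 00:00:83:00:20:20 is constructed so that every example in the table above holds.

```python
"""Slice operator of Wireshark display filters: [n:m], [n-m], [:m], [n:], [n].

Added example, not part of this lab sheet and not Wireshark's own code. The
source MAC below is constructed to match the values used in the table above.
"""
import re

PATTERN = re.compile(
    r"^\s*(?P<field>[\w.]+)\[(?P<slices>[^\]]+)\]\s*==\s*(?P<lit>[0-9A-Fa-f:.\-]+)\s*$")


def parse_slice(spec, length):
    """Translate one slice form into a half-open (start, stop) byte range."""
    spec = spec.strip()
    if ":" in spec:
        n, m = spec.split(":")
        if n == "":                          # [:m]  first m bytes (same as [0:m])
            return 0, int(m)
        if m == "":                          # [n:]  from n to the end
            return int(n), length
        return int(n), int(n) + int(m)       # [n:m] m bytes starting at n
    if "-" in spec:                          # [n-m] positions n..m inclusive
        n, m = spec.split("-")
        return int(n), int(m) + 1
    return int(spec), int(spec) + 1          # [n]   the single byte at n ([n:1])


def slice_bytes(value, slices):
    """Apply a comma-separated list of slices and concatenate the pieces."""
    pieces = [value[a:b] for a, b in
              (parse_slice(s, len(value)) for s in slices.split(","))]
    return b"".join(pieces)


def evaluate(expr, fields):
    """Evaluate 'field[slices] == hh:hh:...' against a dict of byte-valued fields."""
    m = PATTERN.match(expr)
    if not m:
        raise ValueError("cannot parse: " + expr)
    actual = slice_bytes(fields[m["field"]], m["slices"])
    expected = bytes.fromhex(re.sub(r"[:.\-]", "", m["lit"]))
    return actual == expected


def as_hex(value):
    """Render bytes the way the table writes them, e.g. 00:00:83."""
    return ":".join(f"{b:02x}" for b in value)


# Constructed frame: eth.src chosen so that the table's examples all hold.
FIELDS = {"eth.src": bytes.fromhex("000083002020")}

if __name__ == "__main__":
    for spec in ("0:3", "1-2", ":4", "4:", "2", "0:3,1-2,:4,4:,2"):
        print(f"eth.src[{spec}] -> {as_hex(slice_bytes(FIELDS['eth.src'], spec))}")
    print(evaluate("eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83", FIELDS))
```

Running the block prints each slice of the MAC and confirms the comma-joined example from the table; negative offsets, which Wireshark also accepts, are left out here.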

II. Structure of common packets

II.1. TCP packet:

For details see http://en.wikipedia.org/wiki/Transmission_Control_Protocol


II.2. UDP packet

For details see http://en.wikipedia.org/wiki/User_Datagram_Protocol

II.3. IP packet

For details see http://en.wikipedia.org/wiki/Internet_Protocol


II.4. ICMP packet

For details see http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

II.5. ARP packet:

For details see http://en.wikipedia.org/wiki/Address_Resolution_Protocol


II.6. DHCP packet:

For details see http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol


II.7. DNS packet:

For details see http://en.wikipedia.org/wiki/Domain_Name_System

