internet

Wireshark

wireshark基本用法及过虑规则

Posted by kunnan on May 24, 2018

Remote Virtual Interface Tool

  • rvictl -l
devzkndeMacBook-Pro:~ devzkn$ rvictl -l

Could not get list of devices
  • rvictl -s UDID
devzkndeMacBook-Pro:~ devzkn$  rvictl -s  fa6770acd2e

Starting device fa6770acd2e0625c36a6f2a6c6 [SUCCEEDED] with interface rvi0
<!-- -x, -X		Stop a device or set of devices -->

wireshark基本用法及过虑规则

  • !mdns
<!-- mDNS即组播DNS(multicast DNS)。使用5353端口,在内网没有DNS服务器时,就会出现此组播信息。 -->

less than 小于 < lt 

小于等于 le

等于 eq

大于 gt

大于等于 ge

不等 ne

<!-- !mdns && http && ip.dst_host eq 11.190.181.63  -->
<!-- !mdns && http.request.full_uri contains  "http://...com" -->
  • 过滤端口
tcp.port eq 443
  • 过滤IP
!mdns || ip.src_host eq 58.216.8.110

分析L2TP类型VPN的连接和断开过程

  • 虚拟专用网(Virtual Private Network,VPN)的连接和断开分析
<!-- 1、连接的过程 -->
801	59.648579	192.168.2.61	114.114.114.114	DNS	81	Standard query 0xd39d A origin.guzzoni-apple.com.akadns.net
802	59.649083	192.168.2.61	114.114.114.114	DNS	59	Standard query 0x1828 A www.apple.com
803	59.649547	114.114.114.114	192.168.2.61	DNS	121	Standard query response 0xd39d A origin.guzzoni-apple.com.akadns.net CNAME sg01p01sa.guzzoni-apple.com.akadns.net A 17.252.172.5
804	59.650102	114.114.114.114	192.168.2.61	DNS	204	Standard query response 0x1828 A www.apple.com CNAME www.apple.com.edgekey.net CNAME www.apple.com.edgekey.net.globalredir.akadns.net CNAME e6858.e19.s.tl88.net A 27.148.139.136
<!-- 807	59.651656	192.168.2.61	114.114.114.114	DNS	55	Standard query 0xc06e A knip.com  就是VPN服务器-->
<!-- 808	59.652224	114.114.114.114	192.168.2.61	DNS	349	Standard query response 0xc06e A knip.com CNAME t-qc77a.knip.com A 61.160.210.234 A 61.160.210.241 A 58.216.8.107 A 61.160.210.254 A 61.160.210.235 A 58.216.8.118 A 61.160.210.214 A 61.160.233.223 A 61.160.210.244 A 58.216.8.117 A 61.160.233.239 A 61.160.233.222 A 61.160.210.223 A 61.160.210.229 A 61.160.210.221 A 61.160.210.222 A 61.160.233.240 -->
811	59.653845	192.168.2.61	61.160.210.221	ISAKMP	528	Identity Protection (Main Mode)
831	61.669742	192.168.2.61	61.160.210.221	ISAKMP	348	Quick Mode
834	61.672065	192.168.2.61	61.160.210.221	ESP	160	ESP (SPI=0x0ec12f58)

<!-- 2、断开VPN的过程 -->
29	2.030142	192.168.2.61	114.114.114.114	DNS	51	Standard query 0x553f SOA local
37	2.035028	114.114.114.114	192.168.2.61	DNS	126	Standard query response 0x553f No such name SOA local SOA a.root-servers.net
39	2.036104	192.168.2.61	114.114.114.114	DNS	63	Standard query 0x24ea A guzzoni.apple.com
40	2.036631	192.168.2.61	114.114.114.114	DNS	59	Standard query 0x04de A www.apple.com
41	2.037140	192.168.2.61	114.114.114.114	DNS	55	Standard query 0x2267 A apple.com
42	2.037740	114.114.114.114	192.168.2.61	DNS	152	Standard query response 0x24ea A guzzoni.apple.com CNAME origin.guzzoni-apple.com.akadns.net CNAME sg01p01sa.guzzoni-apple.com.akadns.net A 17.252.172.5
43	2.038264	114.114.114.114	192.168.2.61	DNS	204	Standard query response 0x04de A www.apple.com CNAME www.apple.com.edgekey.net CNAME www.apple.com.edgekey.net.globalredir.akadns.net CNAME e6858.e19.s.tl88.net A 27.148.139.136
44	2.038788	114.114.114.114	192.168.2.61	DNS	103	Standard query response 0x2267 A apple.com A 17.142.160.59 A 17.172.224.47 A 17.178.96.59
46	2.040273	192.168.2.61	61.160.210.221	ISAKMP	108	Informational

52	2.044263	192.168.2.61	114.114.114.114	DNS	71	Standard query 0x0680 A 35-courier.push.apple.com
53	2.044977	114.114.114.114	192.168.2.61	DNS	288	Standard query response 0x0680 A 35-courier.push.apple.com CNAME 35.courier-push-apple.com.akadns.net CNAME china-courier.push-apple.com.akadns.net A 17.252.156.218 A 17.252.156.53 A 17.252.156.51 A 17.252.156.37 A 17.252.157.22 A 17.252.156.63 A 17.252.157.30 A 17.252.156.221




79	2.062457	192.168.2.61	61.160.210.221	L2TP	70	Control Message - CDN (tunnel id=12764, session id=1)

协议知识补充

<!-- ISAKMP:Internet Security Association and Key Management Protocol, -->

Internet 安全关联和密钥管理协议. 一种协议框架,定义了有效负载的格式、实现密钥交换协议的机制以及SA协商。 使用TCP和UDP的端口500,一般使用UDP。

<!-- ESP,封装安全载荷协议(Encapsulating SecurityPayloads), -->
是一种Ipsec协议,用于对IP协议在传输过程中进行数据完整性度量、来源认证、加密以及防回放攻击。

<!-- IP in IP, 又被称为 ipencap,是将IP协议封装入传输用的IP协议的一个例子, -->

<!-- IP隧道是指一种可在两网络间用网际协议进行通信的通道。在该通道里,会先封装其他网络协议的数据包,之后再传输信息。 -->
若IP隧道与两个或多个IPSec一起使用时,可以创建虚拟专用网(Virtual Private Network,VPN)


<!-- SSL(Secure Sockets Layer,安全套接层),及其继任者TLS(Transport Layer Security,传输层安全) -->
 是为网络通信提供安全及数据完整性的一种安全协议。TLS与SSL在传输层对网络连接进行加密。
  • VPN
1、Cisco IPSec,此协议通过密码、RSA SecurID 或 CRYPTOCard 进行用户认证,并通过共享密钥和证书进行机器认证。对于在设备配置期间指定的域,Cisco IPSec 支持“请求 VPN 域”。

2、L2TP/IPSec,此协议通过 MS-CHAPV2 密码、RSA SecurID 或 CRYPTOCard 进行用户认证,并通过共享密钥进行机器认证。

3、PPTP,此协议通过 MS-CHAPV2 密码和 RSA SecurID 或 CRYPTOCard 进行用户认证。

See Also

/Users/devzkn/bin/knpost Wireshark wireshark基本用法及过虑规则 -t internet
#原来""的参数,需要自己加上""

转载请注明: > Wireshark

Search
    CATALOG
      FEATURED TAGS
      iOS Debug Open_Source_Framework RunLoop Swift Xcode ReactiveCocoa Runtime Mac Efficiency Terminal Git objc CocoaPods ruby shell iosre Cycript OutlineOfChineseHistory Workplace GoogleMethodology Search CocoaTouchStaticLibrary ReadaBookEveryDay miniprogram es6 internet py Xiang_Shuai_Beida_Finance_Course frida WebScoket note MobileSubstrate security dyld MGCopy Logical_thinking Knowledge_is_power jb How_to_be_a_master_of_network_management hook DeviceInfo Video
      FRIENDS