Friday, November 29, 2013

Capturing network traffic is often the first, but a very important, step when you are faced with a problem or with planned improvements. Detailed analysis of properly collected and stored data gives us much useful information that we need in order to eliminate errors or to optimize the performance of applications ...
In the previous issue of Moj Mikro we learned what a sniffer is and the basic principles of its use (how it is connected to the network, how the program is run). Through the presented examples we learned how easily we can obtain information about a specific application by observing the traffic it generates on the network. Among the available software we looked at Wireshark, which is interesting because it is free, but above all because of the options it offers. In this contribution we look at a few more examples that will help with further learning and with thinking about the potential opportunities and implications.

Capturing traffic
Already in the previous issue we saw that data can be captured at different points in the network. Whether the result of a capture is what we need depends on choosing the right place to capture it. For a better understanding, consider an example. If we want to find out how a particular application (e.g. a client-server application) behaves, the easiest way is to install the sniffer on one of the clients. It could also be installed on the server to which the clients connect. Finally, we can "listen" with a device connected to the network equipment. What is the difference? If we run the sniffer on one of the workstations, we capture all traffic associated with that workstation (including the application we are observing). Installing the sniffer on the server is often not possible (e.g. we have no access to the server), but if it is, we capture all traffic associated with the server (among other things, all the clients that access it through the observed application). When connected to the network equipment (port mirroring), we capture all traffic passing through the mirrored port (among which is the traffic associated with the observed application).
Besides the traffic we want, a capture always picks up traffic that we neither want nor need. If nothing else, the devices on the network keep exchanging the messages that the network itself needs in order to operate. Depending on the size of the network and the amount of traffic observed on a given interface, the information about packets can move across the screen pretty quickly. Such real-time movement can be very fast, so it makes sense to set the display up optimally (e.g. show DNS names instead of IP addresses: menu View / Name Resolution / Enable for Network Layer). Bear in mind that network-layer name resolution makes Wireshark issue reverse DNS lookups of its own, and those lookups then show up in a live capture as additional DNS traffic.
When capturing there is usually too much traffic to keep track of the part that interests us. If we want to simulate a particular event, it can even happen that we miss it, because the line we are interested in quickly scrolls out of view (of course we can stop the capture and step back a few lines). Here filters are a very effective tool, provided that we know how to use them properly. Filters are a kind of sieve that, based on predefined conditions, lets through only the traffic of interest. Experienced users write filters directly. If we are interested in traffic to and from a certain IP address (say 192.168.200.1), before starting the capture we enter the following into the Filter box:

ip.addr == 192.168.200.1
Confirm it by clicking Apply. This line means that Wireshark shows on the screen only the packets that satisfy the condition, i.e. those sent to or from IP address 192.168.200.1. Note that this is a display filter: Wireshark still captures everything and merely hides the rest, which is what lets us change the filter afterwards and look at the traffic we hid. The expression can be extended to several addresses with Boolean operators (logical AND or OR). If the other address we want is 192.168.200.10, the expression that filters both addresses looks like this:

ip.addr == 192.168.200.1 || ip.addr == 192.168.200.10
While we are typing the condition by hand, the Filter field is colored red. Only when the expression is written completely correctly does the field turn green. Let's try sending ping packets to both addresses. We will see that Wireshark still shows only the traffic from IP address 192.168.200.1. We have made a "mistake" that less experienced users often make: after entering the new condition we forgot to click Apply, so the first filter was still active. If you do not know the syntax, you can help yourself by clicking Expression. We can see that Wireshark has a great many ready-made filters. Let's find the IP area, expand its options by clicking the + sign and select ip.addr. The description tells us that this is a filter for the source or destination IP address, to which a relation (a comparison operator chosen from the list in the dialog) and a value are attached.
If we enter an IP address (in our example 192.168.200.1) in the Value field and confirm with OK, we get in the Filter box the same condition that we initially typed by hand (ip.addr == 192.168.200.1). Given the number of possible filters and the different areas they cover, we will of course not learn the format (syntax) of every filter by heart. We learn only those that are used most often, while for the others it is only important
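To make the filter semantics concrete, here is an added example (my own code, not from the article and not Wireshark's implementation) that models a small subset of the display-filter grammar used above (ip.addr, ip.src and ip.dst with == and !=, combined with &&/and, ||/or, !/not and parentheses) and runs it over a constructed packet list standing in for the ping exchanges in the text. The CAPTURE list, its addresses and the field names it supports are assumptions for illustration. It goes one step beyond the article: because ip.addr carries two values (source and destination), "ip.addr != X" does not exclude X, which the example demonstrates alongside the correct form "!(ip.addr == X)".

```python
import ipaddress
import re

# Constructed sample capture (not real data): 192.168.200.50 pings
# 192.168.200.1 and 192.168.200.10 amid the usual background traffic.
CAPTURE = [
    {"no": 1, "src": "192.168.200.50", "dst": "192.168.200.1", "proto": "ICMP"},
    {"no": 2, "src": "192.168.200.1", "dst": "192.168.200.50", "proto": "ICMP"},
    {"no": 3, "src": "192.168.200.50", "dst": "192.168.200.10", "proto": "ICMP"},
    {"no": 4, "src": "192.168.200.10", "dst": "192.168.200.50", "proto": "ICMP"},
    {"no": 5, "src": "192.168.200.50", "dst": "192.168.200.254", "proto": "DNS"},
    {"no": 6, "src": "192.168.200.254", "dst": "192.168.200.50", "proto": "DNS"},
    {"no": 7, "src": "192.168.200.77", "dst": "192.168.200.255", "proto": "NBNS"},
]

# ip.addr is multi-valued (source and destination), exactly as in Wireshark.
FIELDS = {
    "ip.addr": lambda p: (p["src"], p["dst"]),
    "ip.src": lambda p: (p["src"],),
    "ip.dst": lambda p: (p["dst"],),
}

TOKEN_RE = re.compile(
    r"\s*(\(|\)|\|\||&&|!=|==|!|\bor\b|\band\b|\bnot\b"
    r"|ip\.addr|ip\.src|ip\.dst|\d{1,3}(?:\.\d{1,3}){3})"
)

def tokenize(text):
    """Split a filter into tokens; anything unrecognised is a syntax error."""
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

class Parser:
    """Recursive descent with C-like precedence: '&&' binds tighter than '||'."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred
    def or_expr(self):
        left = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left
    def and_expr(self):
        left = self.unary()
        while self.peek() in ("&&", "and"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.unary())
        return left
    def unary(self):
        if self.peek() in ("!", "not"):
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.comparison()
    def comparison(self):
        field, op, value = self.take(), self.take(), self.take()
        if field not in FIELDS or op not in ("==", "!=") or value is None:
            raise ValueError("expected: <field> ==|!= <ipv4 address>")
        addr, values = str(ipaddress.ip_address(value)), FIELDS[field]
        # Wireshark semantics: a relation on a multi-valued field holds if ANY
        # value satisfies it, so "ip.addr != X" still matches packets to/from X
        # (the other address differs). To exclude X, write "!(ip.addr == X)".
        if op == "==":
            return lambda p: any(v == addr for v in values(p))
        return lambda p: any(v != addr for v in values(p))

def filter_status(text):
    """Mimic the Filter box colour: 'green' if the expression parses, else 'red'."""
    try:
        Parser(text).parse()
        return "green"
    except ValueError:
        return "red"

def apply_filter(text, packets):
    """Return the numbers of the packets the display filter lets through."""
    pred = Parser(text).parse()
    return [p["no"] for p in packets if pred(p)]
```

Run apply_filter("ip.addr == 192.168.200.1", CAPTURE) and only the two packets of the first ping exchange come back; add the second address with || and both exchanges appear, while the DNS and NBNS background noise stays hidden. The red/green behaviour of the Filter box corresponds to filter_status raising or not raising a syntax error, which is also why "ip.addr = 192.168.200.1" (a single equals sign) never turns green.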
