使用Wireshark查看网络会话

在上一篇文章中，我们讨论了在Wireshark中过滤数据包，根据指定的条件来限制显示的数据包，例如“tcp。port == 3389 "查看远程桌面协议流量，" tcp。port == 80 "查看Web流量，" LDAP "查看Active Directory流量。关注感兴趣的流量的另一种方法是查看两个特定系统之间的“对话”。当然，你也可以手动输入一个过滤器，例如“(ip。Addr eq 10.10.1.50和ip。Addr eq 74.125.65.100)和(tcp。端口eq 60479和tcp。端口eq 80)”。但有一个更简单的方法。只需在包列表窗格中选择一个包，该包涉及您想要查看其对话的两个系统之间的通信，右键单击该包，并选择“conversation过滤器”。这里通常有几个选择;例如，“以太网”将使用这两个系统的MAC地址创建一个过滤器; “IP” will create a filter using IP addresses; and “TCP” will create one using both IP addresses and port numbers. This is a really quick and convenient way to view only the traffic going between two specific systems. Another right-click option in the packet list pane that I find handy is “Follow TCP stream.” This not only sets up a filter that displays only packets in the TCP stream you’ve selected, but it opens a new window showing the packet data as stream content, color-coded and in chronological order. (This view is useful, for example, when you want to view a series of HTTP request and response messages.) Just be aware that this popup window doesn’t always perfectly break between the messages, but the color coding will help you identify any little glitches.