A few days ago, when I introduced the Wireshark tool, I got quite a few comments, but the post didn't really get into its feature set. My purpose was to suggest some situations in which the tool might be useful, to mention the potential dangers of using it in the workplace, and to recommend that readers first find out whether they are allowed to use it at work before diving into it. Apparently some readers felt that this wasn't enough information for a four-paragraph blog post. If you were like a student in one of my seminars a few years ago, who was fired for using this program at work, you probably wouldn't think so! Also, remember that these are serial blog posts, not complete magazine articles. Anyway, I'm as eager as you are to get into it, so let's take a look at the first steps of a Wireshark capture. (For those interested in the slow domain controller boot problem, rest assured that I'll get to that topic as well.)

Once you've installed the program, you can start it and see a top-level screen with several sections. To get started quickly, just click the "Capture Options" link in the "Capture" section on the left side of the screen. In the dialog box that follows, select the network interface whose traffic you want to capture. This is at the upper right. The IP address associated with that interface shows up below it. If you want to capture packets beyond the ones that are coming into your computer or going out of it, then you can check the "Capture packets in promiscuous mode" box; otherwise, clear this box so that you don't capture a lot of irrelevant packets. One of the most important skills in using Wireshark is to limit what you actually capture, so that you don't have to wade through unnecessary detail later.

The next thing that you should set up in this dialog box is the capture file. I find it quickest to click the Browse... button and specify a file name and location. If you want Wireshark to open automatically when you double-click the capture file in the future, save it with the extension .pcap. You can leave all the other settings in the Capture Options dialog box at their default values for now; we'll talk about some of them after we get the basics down.

Now do something over the network, such as opening a browser window, displaying the contents of a shared folder, and so forth. You should see some packets appearing in the Wireshark window. Once you have a few, click Capture > Stop. Now you've got some data to begin working with. In the next posting, we'll take a look at what the displayed packets mean, and how you can begin making some sense of them.
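To make the two ideas above concrete, the capture file format and the difference that the promiscuous-mode checkbox makes, here is an added example (not code from the original post or from the Wireshark project). It writes a handful of constructed Ethernet/IPv4 frames into a minimal .pcap file using the public libpcap layout (24-byte global header, 16-byte record header, link type 1 for Ethernet), reads the file back, and prints the same kind of source/destination summary that Wireshark's packet list shows. It then applies a simplified version of the filtering a network card does when promiscuous mode is off: only frames addressed to this host, sent by this host, or sent to broadcast/multicast are kept. All MAC and IP addresses are constructed sample values, and the "this host" filter is a simplification of real NIC behaviour.

```python
"""Write and read a minimal libpcap (.pcap) capture, then show which frames a
non-promiscuous capture would have kept.  Added example; sample addresses are
constructed, and the host filter is a simplified model of NIC behaviour."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1          # link type 1 = Ethernet frames
ETHERTYPE_IPV4 = 0x0800

HOST_MAC = "02:00:00:00:00:01"  # constructed: the MAC of "our" interface


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Construct an Ethernet II frame carrying a minimal IPv4 header (protocol 17 = UDP)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + payload


def write_pcap(path, frames):
    """Write frames to PATH in classic libpcap format (what Wireshark opens as .pcap)."""
    with open(path, "wb") as f:
        # magic, major, minor, tz offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Parse a little-endian pcap file; returns (link type, list of raw frames)."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond-timestamp pcap file")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return linktype, frames


def summarize(frame):
    """Decode the fields Wireshark's packet list shows for an Ethernet/IPv4 frame."""
    info = {
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] == ETHERTYPE_IPV4 and len(frame) >= 34:
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])   # IPv4 src at offset 14+12
        info["dst_ip"] = ".".join(str(b) for b in frame[30:34])   # IPv4 dst at offset 14+16
    return info


def frames_for_host(frames, host_mac):
    """Simplified non-promiscuous filter: keep frames to/from this host or to a
    broadcast/multicast address (low bit of the first destination byte set)."""
    own = _mac_bytes(host_mac)
    return [f for f in frames if f[0:6] == own or f[6:12] == own or f[0] & 1]


# Constructed sample traffic: one frame to us, one broadcast, one between two
# other hosts (only visible in promiscuous mode), one sent by us.
SAMPLE_FRAMES = [
    build_frame(HOST_MAC, "02:00:00:00:00:02", "192.0.2.20", "192.0.2.10", b"hello"),
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03", "192.0.2.30", "192.0.2.255"),
    build_frame("02:00:00:00:00:04", "02:00:00:00:00:05", "192.0.2.40", "192.0.2.50"),
    build_frame("02:00:00:00:00:06", HOST_MAC, "192.0.2.10", "192.0.2.60"),
]


def demo():
    """Round-trip the sample frames through a .pcap file and count what a
    non-promiscuous capture would keep.  Returns (link type, summaries, kept count)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "first-steps.pcap")
        write_pcap(path, SAMPLE_FRAMES)
        linktype, frames = read_pcap(path)
    summaries = [summarize(f) for f in frames]
    return linktype, summaries, len(frames_for_host(frames, HOST_MAC))


if __name__ == "__main__":
    linktype, summaries, kept = demo()
    for n, s in enumerate(summaries, 1):
        print(n, s)
    print(f"link type {linktype}; {kept} of {len(summaries)} frames visible without promiscuous mode")
```

Running the script shows four decoded frames and reports that three of them would be captured with the promiscuous-mode box cleared; the frame exchanged between two other hosts is the kind of "irrelevant" traffic the checkbox controls.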
Capturing some packets with Wireshark
First steps in examining Ethernet traffic
Copyright © 2009 Raybet2