Wireshark网络流量分析教程：从捕获到协议分析，掌握安全与故障排查

Wireshark Network Traffic Analysis by zebbern/claude-code-guide

3,700 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/zebbern/claude-code-guide --skill 'Wireshark Network Traffic Analysis'

监控网络协议分析安全

🇨🇳中文介绍

Wireshark 网络流量分析

目的

使用 Wireshark 执行全面的网络流量分析，以捕获、过滤和检查网络数据包，用于安全调查、性能优化和故障排除。此技能支持从 PCAP 文件系统分析网络协议、检测异常和重建网络会话。

输入 / 前提条件

必需工具

已安装 Wireshark（Windows、macOS 或 Linux）
具有捕获权限的网络接口
用于离线分析的 PCAP/PCAPNG 文件
用于实时捕获的管理员/root 权限

技术要求

理解网络协议（TCP、UDP、HTTP、DNS）
熟悉 IP 地址和端口
了解 OSI 模型各层
理解常见的攻击模式

使用场景

网络故障排除和连接问题
安全事件调查
恶意软件流量分析
性能监控和优化
协议学习和教育

输出 / 交付物

主要输出

特定流量的过滤数据包捕获
重建的通信流
流量统计和可视化
事件证据文档

核心工作流程

阶段 1：捕获网络流量

开始实时捕获

在网络接口上开始捕获数据包：

1. 启动 Wireshark
2. 从主屏幕选择网络接口
3. 点击鲨鱼鳍图标或双击接口
4. 捕获立即开始

捕获控制

操作

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 2：显示过滤器

基本过滤器语法

过滤捕获的数据包进行分析：

# IP 地址过滤器
ip.addr == 192.168.1.1              # 所有进出该 IP 的流量
ip.src == 192.168.1.1               # 仅源 IP
ip.dst == 192.168.1.1               # 仅目标 IP

# 端口过滤器
tcp.port == 80                       # TCP 端口 80
udp.port == 53                       # UDP 端口 53
tcp.dstport == 443                   # 目标端口 443
tcp.srcport == 22                    # 源端口 22

按特定协议过滤：

# 常见协议
http                                  # HTTP 流量
https or ssl or tls                   # 加密的 Web 流量
dns                                   # DNS 查询和响应
ftp                                   # FTP 流量
ssh                                   # SSH 流量
icmp                                  # Ping/ICMP 流量
arp                                   # ARP 请求/响应
dhcp                                  # DHCP 流量
smb or smb2                          # SMB 文件共享

识别特定的连接状态：

tcp.flags.syn == 1                   # SYN 数据包（连接尝试）
tcp.flags.ack == 1                   # ACK 数据包
tcp.flags.fin == 1                   # FIN 数据包（连接关闭）
tcp.flags.reset == 1                 # RST 数据包（连接重置）
tcp.flags.syn == 1 && tcp.flags.ack == 0  # 仅 SYN（初始连接）

搜索特定内容：

frame contains "password"            # 包含字符串的数据包
http.request.uri contains "login"    # 包含字符串的 HTTP URI
tcp contains "GET"                   # 包含字符串的 TCP 数据包

识别潜在问题：

tcp.analysis.retransmission          # TCP 重传
tcp.analysis.duplicate_ack           # 重复 ACK
tcp.analysis.zero_window             # 零窗口（流量控制）
tcp.analysis.flags                   # 有问题的数据包
dns.flags.rcode != 0                 # DNS 错误

使用逻辑运算符进行复杂查询：

# AND 运算符
ip.addr == 192.168.1.1 && tcp.port == 80

# OR 运算符
dns || http

# NOT 运算符
!(arp || icmp)

# 复杂组合
(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443

阶段 3：跟踪流

查看完整的 TCP 会话：

1. 右键单击任何 TCP 数据包
2. 选择 Follow > TCP Stream
3. 查看重建的会话
4. 在 ASCII、Hex、Raw 视图之间切换
5. 过滤以仅显示此流

流	访问方式	使用场景
TCP 流	Follow > TCP Stream	Web、文件传输、任何 TCP
UDP 流	Follow > UDP Stream	DNS、VoIP、流媒体
HTTP 流	Follow > HTTP Stream	Web 内容、头部
TLS 流	Follow > TLS Stream	加密流量（如果密钥可用）

审查请求/响应对
识别传输的文件或数据
查找明文中的凭据
注意异常模式或命令

阶段 4：统计分析

查看协议分布：

Statistics > Protocol Hierarchy

显示：
- 每个协议的百分比
- 数据包计数
- 传输的字节数
- 协议分解树

Statistics > Conversations

标签页：
- Ethernet：MAC 地址对
- IPv4/IPv6：IP 地址对
- TCP：连接详情（端口、字节、数据包）
- UDP：数据报交换

查看活跃的网络参与者：

Statistics > Endpoints

显示：
- 所有源/目标地址
- 数据包和字节计数
- 地理信息（如果启用）

可视化数据包序列：

Statistics > Flow Graph

选项：
- 所有数据包或仅显示的数据包
- 标准流或 TCP 流
- 显示数据包时序和方向

绘制随时间变化的流量：

Statistics > I/O Graph

功能：
- 每秒数据包数
- 每秒字节数
- 自定义过滤器图表
- 多个图表叠加

阶段 5：安全分析

识别侦察活动：

# SYN 扫描检测（许多端口，同一来源）
ip.src == SUSPECT_IP && tcp.flags.syn == 1

# 查看 Statistics > Conversations 寻找异常
# 查找单个源命中许多目标端口的情况

过滤异常情况：

# 发往异常端口的流量
tcp.dstport > 1024 && tcp.dstport < 49152

# 受信任网络之外的流量
!(ip.addr == 192.168.1.0/24)

# 异常的 DNS 查询
dns.qry.name contains "suspicious-domain"

# 大数据传输
frame.len > 1400

识别 ARP 攻击：

# 重复的 ARP 响应
arp.duplicate-address-frame

# ARP 流量分析
arp

# 查找：
# - 同一 IP 对应多个 MAC
# - 无故的 ARP 泛洪
# - 异常的 ARP 模式

分析文件传输：

# HTTP 文件下载
http.request.method == "GET" && http contains "Content-Disposition"

# 跟踪 HTTP 流以查看文件内容
# 使用 File > Export Objects > HTTP 提取文件

调查 DNS 活动：

# 所有 DNS 流量
dns

# 仅 DNS 查询
dns.flags.response == 0

# 仅 DNS 响应
dns.flags.response == 1

# 失败的 DNS 查找
dns.flags.rcode != 0

# 特定域查询
dns.qry.name contains "domain.com"

阶段 6：专家信息

查看 Wireshark 的自动化发现：

Analyze > Expert Information

类别：
- Errors：关键问题
- Warnings：潜在问题
- Notes：信息性项目
- Chats：正常会话事件

发现	含义	操作
TCP 重传	数据包重发	检查数据包丢失
重复 ACK	可能丢失	调查网络路径
零窗口	缓冲区已满	检查接收方性能
RST	连接重置	检查阻塞/错误
乱序	数据包重新排序	通常正常，过多则是问题

操作	快捷键
打开文件	Ctrl+O
保存文件	Ctrl+S
开始/停止捕获	Ctrl+E
查找数据包	Ctrl+F
转到数据包	Ctrl+G
下一个数据包	↓
上一个数据包	↑
第一个数据包	Ctrl+Home
最后一个数据包	Ctrl+End
应用过滤器	Enter
清除过滤器	Ctrl+Shift+X

常见过滤器参考

# Web 流量
http || https

# 电子邮件
smtp || pop || imap

# 文件共享
smb || smb2 || ftp

# 身份验证
ldap || kerberos

# 网络管理
snmp || icmp

# 加密
tls || ssl

File > Export Specified Packets    # 保存过滤后的子集
File > Export Objects > HTTP       # 提取 HTTP 文件
File > Export Packet Dissections   # 导出为文本/CSV

仅捕获授权的网络流量
根据隐私政策处理捕获的数据
避免不必要地捕获敏感凭据
妥善保护包含敏感数据的 PCAP 文件

大型捕获会消耗大量内存
没有密钥无法查看加密流量内容
高速网络可能会丢包
某些协议需要插件才能完全解码

使用捕获过滤器限制数据收集
在长时间会话期间定期保存捕获
使用显示过滤器而不是删除数据包
记录分析发现和方法论

示例 1：HTTP 凭据分析

场景：调查潜在的明文凭据传输

1. 过滤器：http.request.method == "POST"
2. 查找登录表单
3. 跟踪 HTTP 流
4. 搜索用户名/密码参数

发现：凭据以明文形式数据传输。

示例 2：恶意软件 C2 检测

场景：识别命令与控制流量

1. 过滤器：dns
2. 查找异常的查询模式
3. 检查高频信标
4. 识别具有随机名称的域名
5. 过滤器：ip.dst == SUSPICIOUS_IP
6. 分析流量模式

规律的定时间隔
编码/加密的有效载荷
异常的端口或协议

示例 3：网络故障排除

场景：诊断缓慢的 Web 应用程序

1. 过滤器：ip.addr == WEB_SERVER
2. 检查 Statistics > Service Response Time
3. 过滤器：tcp.analysis.retransmission
4. 查看 I/O 图寻找模式
5. 检查高延迟或数据包丢失

发现：TCP 重传表明网络拥塞。

未捕获到数据包

验证选择了正确的接口
检查管理员/root 权限
确认网络适配器处于活动状态
如果问题持续，禁用混杂模式

验证过滤器语法（红色 = 错误）
检查字段名称中的拼写错误
使用 Expression 按钮查看有效字段
清除过滤器并逐步重建

使用捕获过滤器限制流量
将大型捕获拆分为较小的文件
在捕获期间禁用名称解析
关闭不必要的协议解析器

无法解密 TLS/SSL

获取服务器私钥
在 Edit > Preferences > Protocols > TLS 中配置
对于临时密钥，从浏览器捕获预主密钥
一些现代密码无法被动解密

🇺🇸English

Wireshark Network Traffic Analysis

Purpose

Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.

Inputs / Prerequisites

Required Tools

Wireshark installed (Windows, macOS, or Linux)
Network interface with capture permissions
PCAP/PCAPNG files for offline analysis
Administrator/root privileges for live capture

Technical Requirements

Understanding of network protocols (TCP, UDP, HTTP, DNS)
Familiarity with IP addressing and ports
Knowledge of OSI model layers
Understanding of common attack patterns

Use Cases

Network troubleshooting and connectivity issues
Security incident investigation
Malware traffic analysis
Performance monitoring and optimization
Protocol learning and education

Outputs / Deliverables

Primary Outputs

Filtered packet captures for specific traffic
Reconstructed communication streams
Traffic statistics and visualizations
Evidence documentation for incidents

Core Workflow

Phase 1: Capturing Network Traffic

Start Live Capture

Begin capturing packets on network interface:

1. Launch Wireshark
2. Select network interface from main screen
3. Click shark fin icon or double-click interface
4. Capture begins immediately

Capture Controls

Action	Shortcut	Description
Start/Stop Capture	Ctrl+E	Toggle capture on/off
Restart Capture	Ctrl+R	Stop and start new capture
Open PCAP File	Ctrl+O	Load existing capture file
Save Capture	Ctrl+S	Save current capture

Capture Filters

Apply filters before capture to limit data collection:

# Capture only specific host
host 192.168.1.100

# Capture specific port
port 80

# Capture specific network
net 192.168.1.0/24

# Exclude specific traffic
not arp

# Combine filters
host 192.168.1.100 and port 443

Phase 2: Display Filters

Basic Filter Syntax

Filter captured packets for analysis:

# IP address filters
ip.addr == 192.168.1.1              # All traffic to/from IP
ip.src == 192.168.1.1               # Source IP only
ip.dst == 192.168.1.1               # Destination IP only

# Port filters
tcp.port == 80                       # TCP port 80
udp.port == 53                       # UDP port 53
tcp.dstport == 443                   # Destination port 443
tcp.srcport == 22                    # Source port 22

Protocol Filters

Filter by specific protocols:

# Common protocols
http                                  # HTTP traffic
https or ssl or tls                   # Encrypted web traffic
dns                                   # DNS queries and responses
ftp                                   # FTP traffic
ssh                                   # SSH traffic
icmp                                  # Ping/ICMP traffic
arp                                   # ARP requests/responses
dhcp                                  # DHCP traffic
smb or smb2                          # SMB file sharing

TCP Flag Filters

Identify specific connection states:

tcp.flags.syn == 1                   # SYN packets (connection attempts)
tcp.flags.ack == 1                   # ACK packets
tcp.flags.fin == 1                   # FIN packets (connection close)
tcp.flags.reset == 1                 # RST packets (connection reset)
tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN-only (initial connection)

Content Filters

Search for specific content:

frame contains "password"            # Packets containing string
http.request.uri contains "login"    # HTTP URIs with string
tcp contains "GET"                   # TCP packets with string

Analysis Filters

Identify potential issues:

tcp.analysis.retransmission          # TCP retransmissions
tcp.analysis.duplicate_ack           # Duplicate ACKs
tcp.analysis.zero_window             # Zero window (flow control)
tcp.analysis.flags                   # Packets with issues
dns.flags.rcode != 0                 # DNS errors

Combining Filters

Use logical operators for complex queries:

# AND operator
ip.addr == 192.168.1.1 && tcp.port == 80

# OR operator
dns || http

# NOT operator
!(arp || icmp)

# Complex combinations
(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443

Phase 3: Following Streams

TCP Stream Reconstruction

View complete TCP conversation:

1. Right-click on any TCP packet
2. Select Follow > TCP Stream
3. View reconstructed conversation
4. Toggle between ASCII, Hex, Raw views
5. Filter to show only this stream

Stream Types

Stream	Access	Use Case
TCP Stream	Follow > TCP Stream	Web, file transfers, any TCP
UDP Stream	Follow > UDP Stream	DNS, VoIP, streaming
HTTP Stream	Follow > HTTP Stream	Web content, headers
TLS Stream	Follow > TLS Stream	Encrypted traffic (if keys available)

Stream Analysis Tips

Review request/response pairs
Identify transmitted files or data
Look for credentials in plaintext
Note unusual patterns or commands

Phase 4: Statistical Analysis

Protocol Hierarchy

View protocol distribution:

Statistics > Protocol Hierarchy

Shows:
- Percentage of each protocol
- Packet counts
- Bytes transferred
- Protocol breakdown tree

Conversations

Analyze communication pairs:

Statistics > Conversations

Tabs:
- Ethernet: MAC address pairs
- IPv4/IPv6: IP address pairs
- TCP: Connection details (ports, bytes, packets)
- UDP: Datagram exchanges

Endpoints

View active network participants:

Statistics > Endpoints

Shows:
- All source/destination addresses
- Packet and byte counts
- Geographic information (if enabled)

Flow Graph

Visualize packet sequence:

Statistics > Flow Graph

Options:
- All packets or displayed only
- Standard or TCP flow
- Shows packet timing and direction

I/O Graphs

Plot traffic over time:

Statistics > I/O Graph

Features:
- Packets per second
- Bytes per second
- Custom filter graphs
- Multiple graph overlays

Phase 5: Security Analysis

Detect Port Scanning

Identify reconnaissance activity:

# SYN scan detection (many ports, same source)
ip.src == SUSPECT_IP && tcp.flags.syn == 1

# Review Statistics > Conversations for anomalies
# Look for single source hitting many destination ports

Identify Suspicious Traffic

Filter for anomalies:

# Traffic to unusual ports
tcp.dstport > 1024 && tcp.dstport < 49152

# Traffic outside trusted network
!(ip.addr == 192.168.1.0/24)

# Unusual DNS queries
dns.qry.name contains "suspicious-domain"

# Large data transfers
frame.len > 1400

ARP Spoofing Detection

Identify ARP attacks:

# Duplicate ARP responses
arp.duplicate-address-frame

# ARP traffic analysis
arp

# Look for:
# - Multiple MACs for same IP
# - Gratuitous ARP floods
# - Unusual ARP patterns

Examine Downloads

Analyze file transfers:

# HTTP file downloads
http.request.method == "GET" && http contains "Content-Disposition"

# Follow HTTP Stream to view file content
# Use File > Export Objects > HTTP to extract files

DNS Analysis

Investigate DNS activity:

# All DNS traffic
dns

# DNS queries only
dns.flags.response == 0

# DNS responses only
dns.flags.response == 1

# Failed DNS lookups
dns.flags.rcode != 0

# Specific domain queries
dns.qry.name contains "domain.com"

Phase 6: Expert Information

Access Expert Analysis

View Wireshark's automated findings:

Analyze > Expert Information

Categories:
- Errors: Critical issues
- Warnings: Potential problems
- Notes: Informational items
- Chats: Normal conversation events

Common Expert Findings

Finding	Meaning	Action
TCP Retransmission	Packet resent	Check for packet loss
Duplicate ACK	Possible loss	Investigate network path
Zero Window	Buffer full	Check receiver performance
RST	Connection reset	Check for blocks/errors
Out-of-Order	Packets reordered	Usually normal, excessive is issue

Quick Reference

Keyboard Shortcuts

Action	Shortcut
Open file	Ctrl+O
Save file	Ctrl+S
Start/Stop capture	Ctrl+E
Find packet	Ctrl+F
Go to packet	Ctrl+G
Next packet	↓
Previous packet	↑
First packet	Ctrl+Home
Last packet	Ctrl+End
Apply filter	Enter
Clear filter	Ctrl+Shift+X

Common Filter Reference

# Web traffic
http || https

# Email
smtp || pop || imap

# File sharing  
smb || smb2 || ftp

# Authentication
ldap || kerberos

# Network management
snmp || icmp

# Encrypted
tls || ssl

Export Options

File > Export Specified Packets    # Save filtered subset
File > Export Objects > HTTP       # Extract HTTP files
File > Export Packet Dissections   # Export as text/CSV

Constraints and Guardrails

Operational Boundaries

Capture only authorized network traffic
Handle captured data according to privacy policies
Avoid capturing sensitive credentials unnecessarily
Properly secure PCAP files containing sensitive data

Technical Limitations

Large captures consume significant memory
Encrypted traffic content not visible without keys
High-speed networks may drop packets
Some protocols require plugins for full decoding

Best Practices

Use capture filters to limit data collection
Save captures regularly during long sessions
Use display filters rather than deleting packets
Document analysis findings and methodology

Examples

Example 1: HTTP Credential Analysis

Scenario : Investigate potential plaintext credential transmission

1. Filter: http.request.method == "POST"
2. Look for login forms
3. Follow HTTP Stream
4. Search for username/password parameters

Finding : Credentials transmitted in cleartext form data.

Example 2: Malware C2 Detection

Scenario : Identify command and control traffic

1. Filter: dns
2. Look for unusual query patterns
3. Check for high-frequency beaconing
4. Identify domains with random-looking names
5. Filter: ip.dst == SUSPICIOUS_IP
6. Analyze traffic patterns

Indicators :

Regular timing intervals
Encoded/encrypted payloads
Unusual ports or protocols

Example 3: Network Troubleshooting

Scenario : Diagnose slow web application

1. Filter: ip.addr == WEB_SERVER
2. Check Statistics > Service Response Time
3. Filter: tcp.analysis.retransmission
4. Review I/O Graph for patterns
5. Check for high latency or packet loss

Finding : TCP retransmissions indicating network congestion.

Troubleshooting

No Packets Captured

Verify correct interface selected
Check for admin/root permissions
Confirm network adapter is active
Disable promiscuous mode if issues persist

Filter Not Working

Verify filter syntax (red = error)
Check for typos in field names
Use Expression button for valid fields
Clear filter and rebuild incrementally

Performance Issues

Use capture filters to limit traffic
Split large captures into smaller files
Disable name resolution during capture
Close unnecessary protocol dissectors

Cannot Decrypt TLS/SSL

Obtain server private key
Configure at Edit > Preferences > Protocols > TLS
For ephemeral keys, capture pre-master secret from browser
Some modern ciphers cannot be decrypted passively

Weekly Installs

–

Repository

zebbern/claude-…de-guide

GitHub Stars

3.7K

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Better Auth 最佳实践指南：集成、配置与安全设置完整教程

30,300 周安装

开始/停止捕获	Ctrl+E	切换捕获开/关
重新开始捕获	Ctrl+R	停止并开始新的捕获
打开 PCAP 文件	Ctrl+O	加载现有捕获文件
保存捕获	Ctrl+S	保存当前捕获

Wireshark网络流量分析教程：从捕获到协议分析，掌握安全与故障排查

🇨🇳中文介绍

Wireshark 网络流量分析

目的

输入 / 前提条件

必需工具

技术要求

使用场景

输出 / 交付物

主要输出

核心工作流程

阶段 1：捕获网络流量

开始实时捕获

捕获控制

相关 Skills

捕获过滤器

阶段 2：显示过滤器

基本过滤器语法

协议过滤器

TCP 标志过滤器

内容过滤器

分析过滤器

组合过滤器

阶段 3：跟踪流

TCP 流重建

流类型

流分析技巧

阶段 4：统计分析

协议层次结构

会话

端点

流图

I/O 图

阶段 5：安全分析

检测端口扫描

识别可疑流量

ARP 欺骗检测

检查下载

DNS 分析