
LESSON 7 ATTACK ANALYSIS part III

7.2.2 Decoding Network Traffic

Now that you can see the network data that's moving through your computer, you have to figure out how to decode it.

In Ethereal, the first step, before you even end the capture session, is to look at the summary capture screen that the program displays while it is performing the capture. For our web browsing session, most of the packets should have been TCP packets (although if you stopped to watch a streaming video, your UDP packet count will have gone up). However, if you're capturing a simple web browsing session and you see a large number of ARP or ICMP packets, that could indicate a problem.

7.2.2 Decoding Network Traffic

Now that you can see the network data flowing through your computer, you need to work out how that data is encoded.

In Ethereal, the first step, before you even end the capture session, is to look at the packet totals shown on the capture window. In our web browsing session, most of the data should be TCP packets (although if you watched a video, the UDP packet count will also have risen). But if you are capturing a simple web browsing session and you see a large number of ARP or ICMP packets, that points to a problem.


After you've ended the capture session, you're going to see output similar to this:

After you end the capture process, you will see output similar to the following: (This "capture session" has been bothering me all along; I don't know how it should be translated, and the translation is really a mess)


In this example, these twelve packets illustrate the web browser's activity as it connects with its specified start page. The most easily decoded information is in the Source and Destination columns. IP address 257.10.3.250 is the local computer; the other IP addresses have been resolved to names by Ethereal. Since the web browser used was the Mozilla Firefox browser, and since its start page was the default Mozilla Firefox page, it is not surprising to see addresses from the mozilla.org domain. The requests sent to name.server.com were probably generated by Ethereal when it sent DNS queries to resolve the IP addresses into names. (Note: these accesses by the Ethereal program were caused by the options you set in the Display Options and Name Resolution boxes. They were set to on in this example in order to produce a more readable output. If you toggle these options to off, then you won't have this extra data.)

Looking at source and destination information can help you spot unauthorized activity. For example, an unfamiliar domain name that is repeatedly accessed might indicate that you have a spyware program installed.

In this example, these 12 packets illustrate the actions the web browser takes when connecting to its specified home page. The most easily decoded information is in the Source and Destination columns. IP address 257.10.3.250 is the local computer; Ethereal has looked up the domain names of the other IP addresses. Because the browser used was Firefox and the home page was the default Firefox home page, you can see mozilla domain names among these addresses. The connections to name.server.com were probably produced because Ethereal contacted that server to perform name lookups, which is why those records appear. (Note: these operations by the Ethereal program result from what you set in the Display Options and Name Resolution windows; in this example they were set this way to make the output more readable. If you turn these features off, you will not get these extra records.)

Looking at the source and destination information lets you spot unauthorized activity. For example, if an unfamiliar domain name shows up here repeatedly, it may mean that a spyware program has been installed on your computer.

The next column is the Protocol column, which tells you what protocol the packets used. Again, to know when something is wrong here, you're going to have to know what to expect. In our web browsing session, we expect TCP and HTTP, and we understand why the DNS packets are there, but, for example, a large number of ICMP packets could mean that your machine is being pinged or traced.

The last column, Info, provides more detailed information about the packets. Packets 2, 3 and 4 show the TCP three-way handshake of SYN, SYN/ACK, ACK, which indicates that a connection has been made. Packet 5 shows an HTTP GET command followed in packet 7 by a 304 Not Modified response.

If you want more information about the packets, the bottom two panes in the Ethereal screen show detailed explanations. The middle pane shows the details of the packet header. The bottom pane shows a hex and ASCII dump of the data in the packet.

The next column is the Protocol column, which tells you the protocol these packets use. You need to know what this data should look like so that you notice when something is wrong. During a web browsing session we expect the packet protocols to be mainly TCP and HTTP, and we understand why it is that way, but when a large number of ICMP packets appear, it means your computer is being pinged or traced.

The last column, Info, gives more detailed information about these packets. Packets 2, 3 and 4 show the TCP three-way handshake, SYN, SYN/ACK, ACK, which indicates that a connection was made here. Packet 5 shows an HTTP GET command, and packet 7 then shows a 304 Not Modified response.

If you want to know more about these packets, the two panes at the bottom of the Ethereal window show detailed explanations. The middle pane gives details of the packet header. The bottom pane shows the hex and ASCII representation of the data in the packet.
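As an added example (not part of the lesson or its Ethereal screenshots), the checks this section describes, run over a constructed packet list shaped like Ethereal's summary columns: a protocol tally, recovery of the SYN, SYN/ACK, ACK triples, protocols a plain browsing session should not produce, and remote names contacted repeatedly that are not familiar. The local address reuses the lesson's 257.10.3.250; the tracker host name and 10.0.0.9 are made up.

```python
import re
from collections import Counter

LOCAL, KNOWN_DOMAINS = "257.10.3.250", ("mozilla.org", "name.server.com")

# Constructed summaries in the style of Ethereal's capture list, not a real capture:
# (number, source, destination, protocol, info)
PACKETS = [
    (1, LOCAL, "name.server.com", "DNS", "Standard query A www.mozilla.org"),
    (2, LOCAL, "www.mozilla.org", "TCP", "1049 > 80 [SYN]"),
    (3, "www.mozilla.org", LOCAL, "TCP", "80 > 1049 [SYN, ACK]"),
    (4, LOCAL, "www.mozilla.org", "TCP", "1049 > 80 [ACK]"),
    (5, LOCAL, "www.mozilla.org", "HTTP", "GET / HTTP/1.1"),
    (6, "www.mozilla.org", LOCAL, "HTTP", "HTTP/1.1 304 Not Modified"),
    (7, LOCAL, "ads.unknown-tracker.example", "TCP", "1050 > 80 [SYN]"),
    (8, "ads.unknown-tracker.example", LOCAL, "TCP", "80 > 1050 [SYN, ACK]"),
    (9, LOCAL, "ads.unknown-tracker.example", "TCP", "1050 > 80 [ACK]"),
    (10, "10.0.0.9", LOCAL, "ICMP", "Echo (ping) request"),
]

TCP_FLAGS = re.compile(r"\[([A-Z, ]+)\]")

def protocol_counts(packets):
    """Tally the Protocol column, the first thing to eyeball on the summary screen."""
    return Counter(p[3] for p in packets)

def find_handshakes(packets):
    """Return (SYN, SYN/ACK, ACK) packet-number triples that complete a TCP connection."""
    pending, done = {}, []
    for no, src, dst, proto, info in packets:
        m = TCP_FLAGS.search(info) if proto == "TCP" else None
        if not m:
            continue
        flags = m.group(1).replace(" ", "")
        if flags == "SYN":                      # client opens: remember the pair
            pending[(src, dst)] = [no]
        elif flags == "SYN,ACK" and (dst, src) in pending:   # server answers
            pending[(dst, src)].append(no)
        elif flags == "ACK" and len(pending.get((src, dst), [])) == 2:
            done.append(tuple(pending.pop((src, dst)) + [no]))  # client completes
    return done

def unexpected_protocols(packets, expected=("TCP", "HTTP", "DNS")):
    """Protocols a plain browsing session should not produce in volume (ICMP, ARP...)."""
    return sorted(p for p in protocol_counts(packets) if p not in expected)

def unfamiliar_hosts(packets, local=LOCAL, known=KNOWN_DOMAINS, min_hits=2):
    """Remote names the local machine contacts repeatedly that are not familiar domains."""
    hits = Counter(dst for _, src, dst, _, _ in packets if src == local)
    return sorted(h for h, n in hits.items() if n >= min_hits and not h.endswith(known))
```

On a real capture, feed the function the rows exported from Ethereal's summary list and extend KNOWN_DOMAINS with the sites you actually visited; anything left in the unfamiliar list deserves a closer look in the header and hex panes.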