Reti di Calcolatori - Slide 21

7/30/2019 Reti di Calcolatori - Slide 21

http://slidepdf.com/reader/full/reti-di-calcolatori-slide-21 1/25

Corso di Laurea in Ingegneria delle Telecomunicazioni eIngegneria dell’Automazione

Corso di Reti di Calcolatori

Docente: Giorgio Ventre e Simon Pietro Romano{giorgio, spromano}@unina.it

Materiale a cura di: Vittorio [email protected]

Wireshark

(http://www.wireshark.org/)



2

• Wireshark is a network packet analyzer. A network packet analyzer will try to

capture network packets and tries to display that packet data as detailed aspossible

• Here are some examples people use Wireshark for:

• network administrators use it to troubleshoot network problems

• network security engineers use it to examine security problems

• developers use it to debug protocol implementations

• people use it to learn network protocol internals

IntroductionIntroduction



3

The main windowThe main window



4

This pane shows the protocols and protocol fields of the packet selected in the

"Packet List" pane.

The "Packet Details" paneThe "Packet Details" pane



5

• The packet bytes pane shows the data of the current packet (selected in the"Packet List" pane) in a hexdump style.

• As usual for a hexdump, the left side shows the offset in the packet data, inthe middle the packet data is shown in a hexadecimal representation and onthe right the corresponding ASCII characters (or . if not appropriate) aredisplayed.

The "Packet Bytes" paneThe "Packet Bytes" pane



6

• Live capture from many different network media

• Import files from many other capture programs• Export files for many other capture programs

• Many protocol decoders

• Open Source Software

• What Wireshark is not:

• Wireshark isn't an intrusion detection system

• Wireshark will not manipulate things on the network, it will only "measure" thingsfrom it

Wireshark featuresWireshark features



7

• The Wireshark capture engine provides the following features:

• Capture from different kinds of network hardware (Ethernet, Token Ring, ATM,...)

• Stop the capture on different triggers like: amount of captured data, capturedtime, captured number of packets

• Simultaneously show decoded packets while keep on capturing.

• Filter packets, reducing the amount of data to be captured

• Capturing into multiple files while doing a long term capture, and in addition theoption to form a ringbuffer of these files, keeping only the last x files, useful for a"very long term" capture

• The capture engine still lacks the following features:• Simultaneous capturing from multiple network interfaces (however, you can start

multiple instances of Wireshark and merge capture files later)

• Stop capturing (or doing some other action), depending on the captured data

Capturing live network dataCapturing live network data



8

• Description: The interface description provided by the operating system

• IP: The first IP address Wireshark could resolve from this interface• Packets: The number of packets captured from this interface

• Packets/s : Number of packets captured in the last second

• Stop: Stop a currently running capture

• Capture: Start a capture on this interface immediately• Options: Open the Capture Options dialog with this interface selected

• Details (Win32 only): Open a dialog with detailed information about the interface.

• Close: Close this dialog box

TheThe ““Capture InterfaceCapture Interface”” dialog boxdialog box



9

TheThe ““Capture OptionsCapture Options”” dialog box (1/2)dialog box (1/2)



10

• Buffer size: enter the buffer size to be used while capturing. This is the sizeof the kernel buffer which will keep the captured packets, until they arewritten to disk

• Capture packets in promiscuous mode: this checkbox allows you tospecify that Wireshark should put the interface in promiscuous mode whencapturing

• Limit each packet to n bytes: this field allows you to specify the maximum

amount of data that will be captured for each packet

• Capture Filter: this field allows you to specify a capture filter

• File: This field allows you to specify the file name that will be used for thecapture file

• Stop Capture... frame

• ... after n packet(s)

• ... after n megabytes(s)

• ... after n minute(s)

TheThe ““Capture OptionsCapture Options”” dialog box (2/2)dialog box (2/2)



11

• [src|dst] host <host>: this primitive allows you to filter on a host IP addressor name

• ether [src|dst] host <ehost>: this primitive allows you to filter on Ethernethost addresses

• gateway host <host>: this primitive allows you to filter on packets that usedhost as a gateway

• [src|dst] net <net> [{mask <mask>}|{len <len>}]: this primitive allows youto filter on network numbers

• [tcp|udp] [src|dst] port <port>: t his primitive allows you to filter on TCPand UDP port numbers

• less|greater <length>: this primitive allows you to filter on packets whoselength was less than or equal to the specified length

• ip|ether proto <protocol>: this primitive allows you to filter on the specifiedprotocol at either the Ethernet layer or the IP layer

• ether|ip broadcast|multicast: this primitive allows you to filter on eitherEthernet or IP broadcasts or multicasts.

• <expr> relop <expr>: this primitive allows you to create complex filterexpressions that select bytes or ranges of bytes in packets

PrimitivesPrimitives



12

This dialog box will inform you about the number of captured packets and thetime since the capture was started. The selection of which protocols arecounted cannot be changed

The "Capture Info" dialog boxThe "Capture Info" dialog box



13

Once you have captured some packets, or you have opened a previously saved capturefile, you can view the packets that are displayed in the packet list pane by simply clickingon a packet in the packet list pane, which will bring up the selected packet in the treeview and byte view panes

Viewing packetsViewing packets



14

• Display filters allow you to concentrate on the packets you are interested inwhile hiding the currently uninteresting ones. They allow you to select

packets by:• Protocol

• The presence of a field

• The values of fields

• A comparison between fields• ... and a lot more!

• Wireshark provides a simple but powerful display filter language that you

can build quite complex filter expressions with. You can compare values inpackets as well as combine expressions into more specific expressions

Filtering packets while viewingFiltering packets while viewing



16

• ip.addr==192.168.10.10

• ether.addr==ff.ff.ff.ff.ff.ff

• Frame.pkt_len > 1500

• Ip.len > 43000• http.request.uri==http://www.repubblica.it

• protocol=tcp

ExamplesExamples



17

• If you are working with TCP based protocols it can be very helpful to see thedata from a TCP stream in the way that the application layer sees it.

• Simply select a TCP packet in the packet list of the stream/connection you

are interested in and then select the Follow TCP Stream menu item from theWireshark Tools menu

The "Follow TCP Stream" dialog box (1/2)The "Follow TCP Stream" dialog box (1/2)



18

The "Follow TCP Stream" dialog box (2/2)The "Follow TCP Stream" dialog box (2/2)



19

Packet Reassembling

For some of the network protocols Wireshark knows of, a mechanism is implemented

to find, decode and display these chunks of data. Wireshark will try to find thecorresponding packets of this chunk, and will show the combined data as additional

pages in the "Packet Bytes" pane

Name Resolution

Name resolution tries to resolve some of the numerical address values into a humanreadable format

Checksums

Several network protocols use checksums to ensure data integrity. Wireshark willvalidate the checksums of several protocols, e.g.: IP, TCP, ... .It will do the samecalculation as a "normal receiver" would do, and shows the checksum fields in thepacket details with a comment, e.g.: [correct] [invalid, must be 0x12345678] or alike

Advanced topicsAdvanced topics



20

• General statistics:

• Summary about the capture file

• Protocol Hierarchy of the captured packets

• Endpoints e.g. traffic to and from an IP addresses

• Conversations e.g. traffic between specific IP addresses

• IO Graphs visualizing the number of packets (or similar) in time

• Protocol specific statistics:

• Service Response Time between request and response of some protocols

•Various other

protocol specific statistics

StatisticsStatistics



22

TheThe "Protocol Hierarchy" window"Protocol Hierarchy" window



23

A network endpoint is the logical endpoint of separate protocol traffic of aspecific protocol layer

EndpointsEndpoints



24

A network conversation is the traffic between two specific endpoints. Forexample, an IP conversation is all the traffic between two IP addresses.

ConversationsConversations



25

• The service response time is the time between a request and thecorresponding response. This information is available for many protocols

• Service response time statistics are currently available for the followingprotocols:

• DCE-RPC

• Fibre Channel• H.225 RAS

• LDAP

• MGCP

• ONC-RPC• SMB

Service Response TimeService Response Time

Reti di Calcolatori - Slide 21

Documents

Transcript of Reti di Calcolatori - Slide 21