Wireshark
by T.S.R.K. Prasad
-
References / Acknowledgements
Laura Chappell's
Introduction to Ethereal, part 1 of 2
Introduction to Ethereal, part 2 of 2
(will be made available on the course site)
tcpdump capture filters (the same capture-filter syntax Wireshark uses) and Wireshark display filters, available at
http://packetlife.net/library/cheat-sheets/
-
Optional Readings
[nCAP] L. Deri, nCap: Wire-speed Packet Capture and Transmission (ntop.org)
[BPF] Steven McCanne and Van Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture, USENIX 1993.
[Fusco] Francesco Fusco and Luca Deri, High Speed Network Traffic Analysis with Commodity Multi-core Systems, IMC 2010.
-
Presentation Overview
Introduction
Placement Strategies
Wireshark UI
Wireshark Filters
Advanced Features
-
Applications of Wireshark
network administrators use it to troubleshoot network problems
network security engineers use it to examine security problems
developers use it to debug protocol implementations
people use it to learn network protocol internals
-
Features of Wireshark
Available for UNIX and Windows.
Capture live packet data from a network interface.
Display packets with very detailed protocol information.
Open and Save packet data captured.
Import and Export packet data from and to a lot of other capture programs.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize packet display based on filters.
Create various statistics.
... and a lot more!
-
What Wireshark Is Not
Wireshark isn't an intrusion detection system.
Wireshark will not manipulate things on the network; it will only "measure" things from the network.
-
Wireshark Placement Strategies
Hubs
Switches
Port Mirroring
Hubbing Out
Routers
The target determines the strategy.
-
Wireshark Placement: Hubs
No one uses hubs anymore.
-
Wireshark Placement: Switches
Only broadcast traffic is seen.
-
Wireshark Placement: Port Mirroring
Good for monitoring.
-
Wireshark Placement: Hubbing Out
Can observe one specific computer.
-
Wireshark Placement: Routers
Can observe one interface of the router.
-
Wireshark Main UI
-
Capture Interfaces
All the traffic received by the computer
-
Capture Options
Capture everyone's packets
Limit capture packet size
Options to store capture data in files
Capture stop triggers
Name and Address Resolution
Capture filter
Capture interface
-
Slice (Limit) the Packet Size
How do we know the packet size limit? In Capture Options.
-
Capture Data
Wireshark menu
Summary Window
Decode Window
Hex Window
-
Summary Window
Packet number
Relative timestamp
Packet Source (Name / Address)
Packet Destination (Name / Address)
Highest Protocol
Packet Summary
-
Decode Window
Capture details for the packet
MAC header
-
Decode Window (continued)
Network Header
Transport Header
-
Protocol Hierarchy Statistics
Tells you something about the network. Probably the first thing to look at when in trouble.
-
Analyze Menu
Useful options to narrow down the capture to interesting packets
-
Statistics Menu
Statistical information about the captured packets. The most useful menu in Wireshark.
-
Telephony Menu
With the right equipment, Wireshark can also look into the telephone network. A government permit is required to purchase the equipment.
-
Preferences: Under the Hood
-
Wireshark Coloring Rules
Visual guide to separate packets
-
End Points (from Statistics Menu)
List of end points for all the protocols
Example: ipv4, tcp, udp, ethernet
-
End Points Snapshots
Active end points
-
Where Are Filters Applied?
Filters help
Select the interesting packets
Reduce the capture file size
-
Capture Filter (from Capture Options)
-
Display Filter
Only filtered packets are displayed.
Display filter
Expression builder for display filter
-
Filter Expression Builder
-
Apply Filter: A Simple Technique
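Two points from the slides above, the packet-size limit (snaplen) and the difference between a capture filter and a display filter, as one added example that is not part of the lecture: a hand-rolled pcap writer and reader over constructed frames shows that a capture filter keeps packets out of the file (so the file shrinks), that slicing records an `incl_len` shorter than `orig_len`, and that a display filter only hides records that all remain on disk. The frames are constructed rather than captured, and `make_frame`, `is_udp`, `write_pcap` and `read_pcap` are my own names.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def make_frame(proto, payload_len):
    """Constructed Ethernet + IPv4 frame (not real traffic); proto 6 = TCP, 17 = UDP."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # zeroed dst/src MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * payload_len

def is_udp(frame):
    """Predicate equivalent to the capture filter 'udp': IPv4 protocol byte at offset 14 + 9."""
    return frame[23] == 17

def write_pcap(frames, snaplen, capture_filter=None):
    """Capture side: capture_filter drops frames before storage, snaplen slices the rest."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        if capture_filter is not None and not capture_filter(frame):
            continue                                   # never reaches the file
        stored = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", ts, 0, len(stored), len(frame)) + stored
    return out

def read_pcap(data, display_filter=None):
    """Analysis side: returns (incl_len, orig_len) for each record the display filter lets through."""
    off, shown = 24, []
    while off < len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if display_filter is None or display_filter(frame):
            shown.append((incl_len, orig_len))
    return shown

def demo():
    frames = [make_frame(17, 100), make_frame(6, 1400), make_frame(17, 30)]
    full = write_pcap(frames, snaplen=65535)
    filtered = write_pcap(frames, snaplen=65535, capture_filter=is_udp)
    sliced = write_pcap(frames, snaplen=96)
    return {
        "full_size": len(full),                        # 1704: everything stored
        "capture_filtered_size": len(filtered),        # 254: the TCP frame is never written
        "sliced_size": len(sliced),                    # 328: long frames cut to 96 bytes
        "display_filtered": read_pcap(full, is_udp),   # 2 of 3 records shown, file unchanged
        "sliced_records": read_pcap(sliced),           # incl_len < orig_len marks truncation
    }
```

With the real tools the same three effects come from `-f` (capture filter) and `-s` (snaplen) in tcpdump or tshark, and from `-Y` (display filter) in tshark.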
-
Wireshark IO Graphs
-
Follow Streams: A Telnet Session
Streams possible: TCP, UDP, SSL
Dangerous