Wireshark


Transcript of Wireshark

  • Wireshark

    by

    T.S.R.K. Prasad

  • References / Acknowledgements

    Laura Chappell's

    Introduction to Ethereal, part 1 of 2

    Introduction to Ethereal, part 2 of 2

    (will be made available on the course site)

    tcpdump capture filters (the same capture-filter syntax Wireshark uses) and Wireshark display filters are available at

    http://packetlife.net/library/cheat-sheets/


  • Optional Readings

    [nCAP] L. Deri, nCap: Wire-speed Packet Capture and Transmission (ntop.org)

    [BPF] Steven McCanne and Van Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture, USENIX 1993.

    [Fusco] Francesco Fusco and Luca Deri, High Speed Network Traffic Analysis with Commodity Multi-core Systems, IMC- 2010.


  • Presentation Overview

    Introduction

    Placement Strategies

    Wireshark UI

    Wireshark Filters

    Advanced Features


  • Applications of Wireshark

    network administrators use it to troubleshoot network problems

    network security engineers use it to examine security problems

    developers use it to debug protocol implementations

    people use it to learn network protocol internals


  • Features of Wireshark

    Available for UNIX and Windows.

    Capture live packet data from a network interface.

    Display packets with very detailed protocol information.

    Open and Save packet data captured.

    Import and Export packet data from and to a lot of other capture programs.

    Filter packets on many criteria.

    Search for packets on many criteria.

    Colorize packet display based on filters.

    Create various statistics.

    ... and a lot more!


  • What Wireshark Is Not

    Wireshark isn't an intrusion detection system.

    Wireshark will not manipulate things on the network; it will only "measure" things from the network.


  • Wireshark Placement Strategies

    Hubs

    Switches

    Port Mirroring

    Hubbing Out

    Routers

    Target determines the strategy


  • Wireshark Placement: Hubs

    No one uses hubs anymore.


  • Wireshark Placement: Switches

    Only broadcast traffic is seen.

  • Wireshark Placement: Port Mirroring

    Good for monitoring


  • Wireshark Placement: Hubbing Out

    Can observe one specific computer.


  • Wireshark Placement: Routers

    Can observe one interface of the router.



  • Wireshark Main UI

  • Capture Interfaces

    All the traffic received by the computer


  • Capture Options

    Capture everyone's packets

    Limit capture packet size

    Options to store capture data in files

    Capture stop triggers

    Name and Address Resolution

    Capture filter

    Capture interface


  • Slice (Limit) the Packet Size

    How do we know the packet size limit? In Capture Options.
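The limit set under Capture Options also ends up in the saved capture: the classic pcap global header records the snapshot length (snaplen), and every packet record carries both the captured length and the original on-the-wire length. The following parser is an added example, not code from the slides; it reads those fields from a constructed sample capture and reports which records were sliced.

```python
"""Added example (not from the slides): read the snapshot length from a
classic pcap file and report which records were sliced by it.

Each record stores incl_len (bytes actually captured) and orig_len (bytes
on the wire); a record was sliced when incl_len < orig_len."""
import struct

# Constructed sample capture: link type 1 (Ethernet), snaplen 96 bytes.
SNAPLEN = 96
GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, 1)

def record(ts_sec, ts_usec, orig_len, snaplen):
    """Build one pcap record; payload is dummy filler, sliced to snaplen."""
    incl_len = min(orig_len, snaplen)
    return struct.pack("<IIII", ts_sec, ts_usec, incl_len, orig_len) + b"\x00" * incl_len

# Record 1: 60-byte frame captured whole.  Record 2: 1514-byte frame sliced to 96.
SAMPLE_PCAP = GLOBAL_HEADER + record(1, 0, 60, SNAPLEN) + record(1, 500, 1514, SNAPLEN)

def parse_pcap(data):
    """Return (snaplen, records); records is a list of dicts per packet."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:        # written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:      # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, snaplen, _ = struct.unpack_from(endian + "HHiIII", data, 4)
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % (offset - 16))
        records.append({"time": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "sliced": incl_len < orig_len})
        offset += incl_len
    return snaplen, records

def sliced_count(data):
    """Number of records whose captured length is shorter than the original."""
    return sum(r["sliced"] for r in parse_pcap(data)[1])

if __name__ == "__main__":
    snaplen, recs = parse_pcap(SAMPLE_PCAP)
    print("snaplen from global header:", snaplen)
    for i, r in enumerate(recs, 1):
        print(i, r)
```

A sliced record still shows the full original length, so a decoder can tell a short frame from one cut off by the capture limit.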

  • Capture Data

    Wireshark menu

    Summary Window

    Decode Window

    Hex Window


  • Summary Window

    Packet number

    Relative timestamp

    Packet Source (Name / Address)

    Packet Destination (Name / Address)

    Highest Protocol

    Packet Summary

  • Decode Window

    Capture details for the packet

    MAC header


  • Decode Window (2)

    Network Header

    Transport Header


  • Protocol Hierarchy Statistics

    Tells you something about the network. Probably the first thing to look at when troubleshooting.

  • Analyze Menu

    Useful options to narrow down the capture to interesting packets


  • Statistics Menu

    Statistical information about the captured packets. The most useful menu in Wireshark.


  • Telephony Menu

    With the right equipment, Wireshark can also look into the telephone network. A government permit is required to purchase the equipment.

  • Preferences: Under the Hood

  • Wireshark Coloring Rules

    Visual guide to separate packets


  • End Points (from Statistics Menu)

    List of end points for all the protocols

    Example: IPv4, TCP, UDP, Ethernet

  • End Points Snapshots

    Active end points


  • Where Are Filters Applied?

    Filters help:

    Select the interesting packets

    Reduce the capture file size


  • Capture Filter (from Capture Options)


  • Display Filter

    Only filtered packets are displayed.

    Display filter

    Expression builder for display filter

  • Filter Expression Builder


  • Apply Filter: A Simple Technique


  • Wireshark IO Graphs


  • Follow Streams: A Telnet Session

    Streams possible: TCP, UDP, SSL

    Dangerous
