Wireshark Introduction Li In
Transcript of Wireshark Introduction Li In
Contents
What is WIRESHARK?
Basic Network Sniffing
Display filtering
Capture filtering
RTP Stream Analysis
What is WIRESHARK?
WIRESHARK is a network packet analyzer (protocol dissector)
On Windows it needs the WinPcap driver to collect packets from the network itself; without it WIRESHARK can only open capture files
With an AirPcap USB adapter (not free) full 802.11 capture (monitor mode, including management and control frames) and analysis is possible on Windows
The latest WIRESHARK version in December 2009 is 1.2.5
It is an Open Source Software project
Who needs/uses WIRESHARK?
Any regular user who wants to know what his/her computer sends to and receives from the network
R&D engineers, to debug their protocol implementations: signaling protocols, and applications that exchange payloads with other network devices/applications
Network administrators, to troubleshoot their networks
Network security engineers, to discover security breaches and deficiencies (and to confirm that traffic that should be encrypted actually is)
Technical personnel who want to learn how the protocols work (signaling and media)
Installing WIRESHARK
Get the latest version from the official site http://www.wireshark.org/
WIRESHARK can be installed as a binary package, or the source code can be downloaded to build a tailored application
By using Lua, a lightweight scripting language, new dissectors and protocol properties can be added without recompiling http://en.wikipedia.org/wiki/Lua_(programming_language)
Capturing needs raw access to the NIC (Administrator on Windows, root or the right capabilities on Linux). Because WIRESHARK's dissectors parse untrusted input and have a long record of parsing bugs, capture with the privileged helper (dumpcap) and run the WIRESHARK GUI as an unprivileged user
Basic WIRESHARK features
WIRESHARK supports hundreds of protocols http://www.wireshark.org/docs/dfref/
Live capture and offline analysis
Multiplatform support: Windows, Linux, Solaris, Mac OS X
Multiple media types: Ethernet, ATM, etc.
Rich VoIP analysis
Captured data can be browsed in the GUI or in text mode (TSHARK)
Reads/writes many different capture file formats: tcpdump (libpcap), MS Network Monitor, Network General Sniffer, RADCOM WAN/LAN Analyzer and many others
Output can be exported to XML, PostScript or plain text
Platform/Media support table (image; see http://wiki.wireshark.org/CaptureSetup/NetworkMedia for the current table)
How do we capture packets from the network? Where to connect?
What do we want to capture?
-Packets entering/leaving our own computer: Basic Architecture
-Packets entering/leaving any other equipment connected to the network: Network Architecture
Once we know where and how to connect the computer with WIRESHARK installed (the capturing architecture) we can start basic capturing
Basic Architecture Capturing
In this architecture the signaling and/or media of the communication starts or ends at the WIRESHARK computer
Connect the NIC(s) from which you want to collect packets to the network
Start WIRESHARK, choose the relevant NIC in the capture interface list, and start collecting packets
Network Capturing Architecture (diagram: WIRESHARK)
Network Capture Architecture: both entities connected to a HUB (shared media)
A hub repeats every frame to every port, so simply start capturing (the NIC must be in promiscuous mode, which is WIRESHARK's default)
(diagram: WIRESHARK, Hub)
Network Capture Architecture: multimedia entity/PC connected to a switch (1)
A switch only forwards a frame to the port of its destination MAC, so a capture NIC on another switch port sees nothing but broadcasts and its own traffic
-Connect WIRESHARK and the network entity to a HUB (today a network TAP plays the same role)
-Connect the HUB to the SWITCH with an uplink
-Start capturing
(diagram: WIRESHARK, HUB, SWITCH)
Network Capture Architecture: multimedia entity/PC and WIRESHARK both connected to a switch (2)
-Configure port mirroring (SPAN) on the switch so the entity's port is copied to the WIRESHARK port
-Start capturing
Caveat: a mirror port can be oversubscribed (both directions of a full-duplex link copied into one port) and then silently drops frames, so packets missing from the trace are not necessarily missing on the wire
(diagram: WIRESHARK, SWITCH)
Basic Network packet capturing -1-: when you activate WIRESHARK you get the following view (screenshot)
Basic Network packet capturing -2- (screenshot)
Basic Network packet capturing -3- (screenshot)
Basic Network packet capturing -4- (screenshot)
WIRESHARK preferences
The GUI can be customised: GUI layout, columns, time format, coloring rules, default field values for specific protocols, ...
Different profiles can be defined and saved
Basic displayed/captured packet manipulations
Forcing a protocol on packets WIRESHARK does not recognise (Decode As)
Marking a packet or a group of packets
Saving all or part of the captured packets
Exporting a trace
Printing all or part of the captured packets
Display filtering
By arranging the display: the sort field/order can be changed
-sort by time/packet number
-sort by source/destination IP/MAC address
-sort by protocol
By marking specific packets manually
By configuring filters for: address, protocol, protocol field value, frame length, string
Display filtering: by changing the display sort order (screenshot)
Display Filter configuration
We will configure simple filters:
-for a specific IP address
-for a specific protocol
-for a specific field value of a protocol
-compound filters
Filter elements
Filter fields (protocol fields): the full list can be found at http://www.wireshark.org/docs/dfref/
Display filter comparison operators
Display filter logical operators: used to build complex filters by combining simple ones
Some basic filter field examples
ip.src  Source IP address
ip.dst  Destination IP address
ip.addr  IP address (source or destination)
eth.dst  Destination MAC address
Protocol names used on their own match every packet that contains that protocol: udp, sip, http, h225, h245, ...
Protocol field names: h263.dbq, sip.Method, h323.fastStart, rtp.payload, diameter.User-Name, ...
Filter comparison operators
English and C-like operators can be used (also mixed)
English operators: eq Equal, ne Not equal, gt Greater than, lt Less than, ge Greater than or equal, le Less than or equal
C-like operators: == != > < >= <=
Some simple filter examples
ip.addr == 234.78.12.78
ip.src != 10.0.0.2
sip.Method == REGISTER
h263.unrestricted_motion_vector == 0
sip.from.addr == "sip:[email protected]"
h245.masterSlaveDetermination
How to build filter from the GUI
Type your filter inside the filter toolbar
Click “Apply”
How to build filter from the GUI -2- (screenshot)
Filter save-activate
Filters can be saved/edited by clicking the edit/apply filter button; a new window opens
Display filter logical operators
These are used to build compound filters from simple expressions
When in doubt use parentheses to make the intended grouping explicit (precedence is not, then and, then or)
The logical operators can have English or C-like syntax
Display filter logical operators (Contd.)
and  &&  Logical AND
or   ||  Logical OR
xor  ^^  Logical XOR
not  !   Logical NOT
[...]     Slice operator, selects bytes of a field (e.g. eth.src[0:3] compares only the OUI)
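The following Python program is an added example, not part of the original slides and not Wireshark's own code. It dissects a few constructed Ethernet/IPv4/UDP/TCP frames into display-filter style fields (ip.src, ip.addr, tcp.port, frame.len, bare protocol names) and evaluates filters written in the syntax the slides describe: English or C-like comparison operators, and/or/not, parentheses. The MAC and IP addresses, ports and payloads are made up, checksums are left at zero, and only Ethernet II, IPv4, UDP and TCP are dissected.

```python
"""Added example, not Wireshark code: dissect constructed frames into display-filter
fields and evaluate Wireshark-style display filter expressions against them."""
import operator
import re
import struct

CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# English operator spellings are aliases of the C-like tokens, as in Wireshark.
ALIAS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
         "and": "&&", "or": "||", "not": "!"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|[^\s()!=<>&|]+")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def dissect(frame):
    """Map one raw frame to {field: value}; ip.addr/tcp.port/udp.port become sets."""
    f = {"frame.len": len(frame), "eth": True,
         "eth.dst": mac_str(frame[0:6]), "eth.src": mac_str(frame[6:12])}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f                                   # not IPv4: only eth.* fields
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    f.update({"ip": True, "ip.proto": frame[23],
              "ip.src": ip_str(frame[26:30]), "ip.dst": ip_str(frame[30:34])})
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}
    l4 = {6: "tcp", 17: "udp"}.get(f["ip.proto"])
    if l4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        f.update({l4: True, f"{l4}.srcport": sport, f"{l4}.dstport": dport,
                  f"{l4}.port": {sport, dport}})
    return f

def _compare(value, op, literal):
    """Absent field: never matches. Multi-valued field: matches if ANY value passes, so
    'ip.addr != x' is true for nearly every packet; exclude a host with '!(ip.addr == x)'."""
    for v in (set() if value is None else value if isinstance(value, set) else {value}):
        lit = int(literal, 0) if isinstance(v, int) else literal
        if op(v, lit):
            return True
    return False

class DisplayFilter:
    """Recursive-descent evaluator; precedence is ! over && over ||."""
    def __init__(self, text):
        self.toks = [ALIAS.get(t, t) for t in TOKEN_RE.findall(text)]
    def matches(self, fields):
        self.pos, self.fields = 0, fields
        return self._or()
    def _peek(self): return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self): self.pos += 1; return self.toks[self.pos - 1]   # IndexError: truncated filter
    def _or(self):
        v = self._and()
        while self._peek() == "||":
            self._take(); rhs = self._and(); v = v or rhs   # parse the rhs unconditionally
        return v
    def _and(self):
        v = self._not()
        while self._peek() == "&&":
            self._take(); rhs = self._not(); v = v and rhs
        return v
    def _not(self):
        tok = self._take()
        if tok == "!":
            return not self._not()
        if tok == "(":
            v = self._or(); self._take()           # consume the closing ")"
            return v
        if self._peek() in CMP:
            op = CMP[self._take()]
            return _compare(self.fields.get(tok), op, self._take())
        return tok in self.fields                  # bare name: "is the protocol present?"

def apply_filter(frames, text):
    """Return the 1-based frame numbers (Wireshark's No. column) that match."""
    flt = DisplayFilter(text)
    return [n for n, fr in enumerate(frames, 1) if flt.matches(dissect(fr))]

def build_frame(src_mac, dst_mac, src_ip, dst_ip, l4, sport, dport, payload=b""):
    """Constructed Ethernet II / IPv4 / UDP-or-TCP frame; checksums are left as zero."""
    if l4 == "udp":
        proto, hdr = 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        proto, hdr = 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(payload), 0, 0, 64,
                     proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + hdr + payload

# Constructed sample capture: 1 SIP REGISTER, 2 telnet, 3 RTP-like audio, 4 telnet elsewhere
SIP = b"REGISTER sip:registrar.example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n\r\n"
FRAMES = [
    build_frame("00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02", "10.0.0.5", "10.0.0.9", "udp", 5060, 5060, SIP),
    build_frame("00:11:6b:80:47:96", "00:0c:29:aa:bb:01", "10.0.0.2", "10.0.0.5", "tcp", 40001, 23),
    build_frame("00:0c:29:aa:bb:02", "00:0c:29:aa:bb:01", "10.0.0.9", "10.0.0.5", "udp", 5004, 16384, b"\x80" * 12 + bytes(20)),
    build_frame("00:0c:29:aa:bb:03", "00:0c:29:aa:bb:04", "192.168.1.7", "192.168.1.1", "tcp", 55000, 23),
]
```

Usage: `apply_filter(FRAMES, "tcp.port eq 23 and ip.src ne 10.0.0.2")` returns `[4]`, and `apply_filter(FRAMES, "udp && (ip.dst == 10.0.0.5 || frame.len > 100)")` returns `[1, 3]`. The `_compare` comment records the trap worth remembering from the slides' `ip.src != 10.0.0.2` example: on a multi-valued field such as `ip.addr`, `!=` matches when any value differs, so `ip.addr != x` keeps nearly everything while `!(ip.addr == x)` actually excludes the host.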
Capture filtering
While capturing, packets are written to temporary files on the computer
WIRESHARK can be configured to capture directly to a single file or to a ring of multiple files (limited by size, duration or file count)
For heavy traffic or long-running captures the file/buffer sizes can overwhelm the computer or even crash it
To avoid accumulating huge files when we already know what we are looking for, apply a capture filter so only the relevant packets are stored; unlike a display filter, a capture filter discards everything else permanently
Capture filtering -2-
WIRESHARK uses the libpcap/WinPcap (BPF) filter language for capture filtering
Details for libpcap can be found at http://www.tcpdump.org/tcpdump_man.html
Capture filters use a different syntax and a different activation procedure from display filters, and they are far less expressive: they match on addresses, ports, protocol numbers and raw byte offsets only, not on dissected fields such as sip.Method. Filter broadly at capture time and refine with display filters afterwards
Capture filtering -3- (screenshot)
Capture filtering -4-: activating a capture filter
Choose the relevant capture filter in the capture "Options" dialog
Start capturing
Capture filtering -5- (screenshot)
Capture filtering -6- (screenshot)
Capture filter syntax by examples
host 192.168.122.23   Capture packets from/to IP address 192.168.122.23
src host 10.0.0.5   Capture packets from IP 10.0.0.5
tcp port 23 and host 10.0.0.5   Telnet traffic to/from 10.0.0.5
ether src 00:11:6b:80:47:96   Frames sent by that MAC address
tcp port 23 and not src host 10.0.0.5   Telnet traffic except what 10.0.0.5 sends
ip multicast   IPv4 multicast packets
Basic Capture filter syntax
[src|dst] host <host>
ether [src|dst] host <ehost>
[src|dst] net <net> [{mask <mask>}|{len <len>}]
[tcp|udp] [src|dst] port <port>
less|greater <length>
Statistics and data analysis
We can get graphical or textual statistics, in real time or from a captured file
Statistics per protocol
VoIP call visualization
RTP stream analysis
Statistics menu: Statistics > Summary
Statistics menu: Statistics > Protocol Hierarchy (hierarchy statistics)
I/O Statistics (IO Graphs): real-time or offline
VoIP statistics
Statistics > VoIP Calls
VoIP statistics: Statistics > VoIP Calls (Contd.)
RTP Stream Analysis
WIRESHARK can identify separate RTP streams (by addresses, ports, SSRC and payload type), provided the signaling that set them up (SIP/SDP, H.245) was captured or "Try to decode RTP outside of conversations" is enabled in the RTP protocol preferences
RTP parameters can be retrieved: total RTP packets, lost packets, delta between packets (delay), jitter
RTP streams outline: Statistics > RTP > Show All Streams
Choose one of the streams, then Analyze
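The following Python program is an added example, not part of the original slides and not Wireshark's own RTP analysis code. It groups constructed RTP packets into streams the way the RTP Streams window keys them (source and destination address/port, SSRC, payload type) and computes the figures the slide lists: packets received and expected, lost packets derived from the sequence numbers (handling 16-bit wrap-around), the maximum delta between consecutive packets, and the RFC 3550 interarrival jitter. The addresses, SSRCs, timings and the packet loss are made up; the payload-type to clock-rate table is an assumption covering only the 8 kHz audio codecs used here.

```python
"""Added example, not Wireshark code: identify RTP streams in a list of UDP packets and
compute per-stream packet counts, sequence-number loss and RFC 3550 jitter."""
import struct

CLOCK_RATE = {0: 8000, 8: 8000, 18: 8000}   # assumption: PCMU, PCMA, G.729 (8 kHz clocks)

def parse_rtp(payload):
    """Decode the fixed 12-byte RTP header (RFC 3550 section 5.1); None if not RTP v2."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "cc": b0 & 0x0F}

def analyze_streams(packets):
    """packets: iterable of (arrival_s, src_ip, src_port, dst_ip, dst_port, udp_payload).
    Streams are keyed like Wireshark's RTP Streams window: addresses, ports, SSRC, PT."""
    streams = {}
    for arrival, sip, sport, dip, dport, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue                                  # SIP, RTCP, etc. are not RTP
        key = (sip, sport, dip, dport, hdr["ssrc"], hdr["pt"])
        seq, rate = hdr["seq"], CLOCK_RATE.get(hdr["pt"], 8000)
        st = streams.setdefault(key, {"received": 0, "base_seq": seq, "cycles": 0,
                                      "max_ext": seq, "last_seq": seq, "jitter_ms": 0.0,
                                      "max_delta_ms": 0.0, "prev_transit": None,
                                      "prev_arrival": None})
        st["received"] += 1
        # 16-bit sequence wrap-around: 65535 -> 0 extends the counter by 65536
        if seq < st["last_seq"] and st["last_seq"] - seq > 32768:
            st["cycles"] += 65536
        st["last_seq"] = seq
        st["max_ext"] = max(st["max_ext"], st["cycles"] + seq)
        # RFC 3550 A.8: transit = arrival time - RTP timestamp, both in milliseconds;
        # J = J + (|D| - J) / 16 where D is the change in transit between packets
        transit = arrival * 1000.0 - hdr["ts"] * 1000.0 / rate
        if st["prev_transit"] is not None:
            d = abs(transit - st["prev_transit"])
            st["jitter_ms"] += (d - st["jitter_ms"]) / 16.0
            st["max_delta_ms"] = max(st["max_delta_ms"], (arrival - st["prev_arrival"]) * 1000.0)
        st["prev_transit"], st["prev_arrival"] = transit, arrival
    report = {}
    for key, st in streams.items():
        expected = st["max_ext"] - st["base_seq"] + 1  # RFC 3550 A.3, no reordering window
        report[key] = {"received": st["received"], "expected": expected,
                       "lost": expected - st["received"],
                       "jitter_ms": round(st["jitter_ms"], 3),
                       "max_delta_ms": round(st["max_delta_ms"], 3)}
    return report

def rtp_packet(seq, ts, ssrc, pt, payload_len=160):
    """Constructed RTP v2 packet with a zero-filled payload (e.g. 20 ms of G.711)."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + bytes(payload_len)

def build_sample_capture():
    """Constructed capture: a PCMU stream with one lost and one late packet, a PCMA
    stream whose sequence number wraps at 65535, and a SIP packet that is not RTP."""
    pkts = [(0.000, "10.0.0.5", 5060, "10.0.0.9", 5060,
             b"REGISTER sip:registrar.example.com SIP/2.0\r\n\r\n")]
    for i in range(10):
        if i == 5:
            continue                                  # packet seq 105 never arrives
        late = 0.004 if i == 3 else 0.0               # packet seq 103 arrives 4 ms late
        pkts.append((0.020 * i + late, "10.0.0.5", 16384, "10.0.0.9", 5004,
                     rtp_packet(100 + i, 160 * i, 0x1234ABCD, 0)))
    for i in range(5):
        pkts.append((0.020 * i, "10.0.0.9", 5004, "10.0.0.5", 16384,
                     rtp_packet(65534 + i, 160 * i, 0xCAFEBABE, 8)))
    return pkts

if __name__ == "__main__":
    for key, stats in analyze_streams(build_sample_capture()).items():
        src, sport, dst, dport, ssrc, pt = key
        print(f"{src}:{sport} -> {dst}:{dport} SSRC=0x{ssrc:08X} PT={pt}: {stats}")
```

Running it reports the PCMU stream as 9 packets received of 10 expected (1 lost), a 40 ms maximum delta caused by the missing packet, and a jitter of about 0.37 ms from the single late packet; the PCMA stream shows 5 of 5 with zero jitter despite the sequence wrap. Jitter is a smoothed estimate (1/16 weight), so one late packet keeps influencing the figure for a dozen packets, which is why a single spike in the RTP analysis window does not mean a single bad packet.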
References and important URLs
http://www.wireshark.org/
http://www.wireshark.org/docs/
http://www.winpcap.org/
http://wiki.wireshark.org/CaptureSetup/NetworkMedia
http://wiki.wireshark.org/Preferences
http://www.wireshark.org/lists/wireshark-bugs/
http://www.cs.columbia.edu/irt/software/rtptools/