So What is WireShark?

Transcription

1 Drinking from the network hose So What is WireShark? Packet sniffer/protocol analyzer Open Source Network Tool Latest version of the ethereal tool 1

2 Source: A packet is a chunk of data enclosed in a wrapper Stuff we won t cover What s a network? What s an IP address? What s a MAC address? What s a router? What do you mean capture? Can this make Elite run faster? What s open source? How can one man look so bald? 2

3 Ok why would I want to use it? Analyze network problems (worms, viruses, malware, etc.) Detect network intrusion attempts Monitor network usage Gather and report network statistics Filter suspect content for management review Spy on network users Reverse engineer protocols and network applications Debug client/server e communications cat o Find chatty devices (like printers) Find hacked computers on your network Look for heavy users of the Internet Find missing computers and devices Determine network loads (after baselining of course) Find misconfigured computers and devices Identify non-used protocols that are turned on by accident Learn more about how networks work Identify application dependencies Impress your friends with your inner geekdom 3

4 libpcap Installation on Windows wireshark-setup.exe /S /desktopicon=yes /quicklaunchicon=no Note: Be sure winpcap is already installed if you install by command line. During a GUI install, you have the option to install winpcap. Help File Version 1.0 of WireShark was recently released. It is distributed with an older Helpfile (24665 ver ). To get the latest help file, download it from separately. 4

5 Installation on Linux CENTOS Ubuntu Red Hat yum install wireshark apt-get install wireshark rpm iv wireshark*rpm In most cases dependencies (like libpcap) are installed automatically because Linux installers rock tshark C:\Program Files\Wireshark>tshark -help TShark Dump and analyze network traffic. See for more information. Copyright Gerald Combs and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Usage: tshark [options]... Capture interface: -i <interface> name or idx of interface (def: first non-loopback) -f <capture filter> packet filter in libpcap filter syntax -s <snaplen> packet snapshot length (def: 65535) -p don't capture in promiscuous mode -B <buffer size> size of kernel buffer (def: 1MB) -y <link type> link layer type (def: first appropriate) -D print list of interfaces and exit -L print list of link-layer types of iface and exit Capture stop conditions: -c <packet count> stop after n packets (def: infinite) -a <autostop cond.>... duration:num - stop after NUM seconds filesize:num - stop this file after NUM KB files:num - stop after NUM files.. 5

6 With traffic Summary Window 6

7 Decode Window HEX Window Menu Bar 7

8 Button Bar Status Bar 8

9 Status Bar Location, Location, Location Hub 9

10 Hubs If you re capturing on a hub you should see all traffic passing on layer 2 network Dual Speed hub = bad There are lots of issues with these due to internal caching of data. Stay away from them, or at least check the WireShark Wiki for ones that are known to work. Switches Switches isolate traffic On a switch you will only see broadcast traffic and traffic destined for the existing PC SPAN or Mirroring ports copy traffic from another port or group of ports Switch with a SPAN port 10

11 TAP Which is better? A hub, TAP or a SPAN port? It depends 11

12 HUBS Switch interface FastEthernet0/1 port monitor FastEthernet0/2 VLAN Monitoring interface FastEthernet0/1 port monitor VLAN1 12

13 Types of TAPs Copper & Optical Conversion TAPs Aggregator TAPs Full-Duplex TAPs Hub Technically a hub is a half duplex TAP, but you may miss critical layer 1 events Why to use a TAP Physical layer errors aren t seen by SPAN SPAN increase the CPU on your switch Timestamps are more accurate when using a TAP SPAN ports hide jitter (loss of synchronicity) After 50% port utilization you begin to drop packets (if you monitor both transmit & receive) sometimes you can fix this They are non-intrusive It makes you look really cool ARP Cache Poisoning 13

14 My rules of thumb If you are concerned about a specific device, use a TAP. If you want to see more then one device traffic use a SPAN port. If it s a busy line, use a TAP or you risk drops Setting promiscuous mode Simple Capture 14

15 Capture Interfaces Capture Options Capture Filters (Pre-Filters) Capture filters (sometimes called prefilters or ingress filters) watch all incoming traffic for specific patterns or characteristics. Only data matching the filter gets through The format is based on tcpdump filter language 15

16 Capture Filter examples host This filter will capture all data where the ip address appears in the packet source or destination field. host and host This filter will capture all ip data between host and tcp port http This filter will capture all http, (TCP port 80) traffic. ip This filer will capture all IP traffic, regardless of IP address. not broadcast not multicast Uh.hum.everything but broadcasts and multicasts ;) ether host 00:04:13:00:09:a3 All traffic from and to the MAC address defined above Capture Filter Capture Options 16

17 Capture Interfaces Interface Details: Characteristics Interface Details: Statistics 17

18 Interface Details: (Ethernet) Interface Details: Task Offload Checksum A checksum is a form of redundancy check, a simple way to protect the integrity of data by detecting errors in data that are sent through space or time. It works by adding up the basic components of a message, typically the assorted bits, and storing the resulting value. Anyone can later perform the same operation on the data, compare the result to the authentic checksum, and (assuming that the sums match) conclude that the message was most likely not corrupted. Source: Wikipedia.com 18

19 Checksum offload This can cause false positive issues on some network cards. If you see tons of incorrect checksum messages turn off checksum offload. Turning off Checksum offload On Linux (as root) ethtool -K eth0 rx off tx off (choose correct network interface if not eth0) On FreeBSD (as root): ifconfig em0 -rcxsum -tcxsum (choose correct network interface if not em0) On MacOS (as root): sysctl -w net.link.ether.inet.apple_hwcksum_tx=0 sysctl -w net.link.ether.inet.apple_hwcksum_rx=0 Turning off Checksum offload 19

20 Stopping the Packet Capture Filters Display Filters (Post-Filters) Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace Display filters use their own format and are much more powerful then capture filters 20

21 Display Filter Display Filter Examples ip.src== all ip traffic with the source address of ip.addr== && ip.addr== Traffic which is between IP and tcp.port==80 tcp.port==3389 Traffic from any machine but it will only be TCP Port 80 (HTTP) or TCP Port 3389 (RDP)!(ip.addr== && ip.addr== ) Traffic except the traffic between these two machines. (ip.addr== && ip.addr== ) && tcp.port==445 tcp.port==139 SMB traffic between these two machines. (ip.addr== && ip.addr== ) && (udp.port==67 udp.port==68) DHCP Traffic between these two machines Protocol Hierarchy 21

22 Protocol Hierarchy Follow TCP Stream Follow TCP Stream red - stuff you sent blue - stuff you get 22

23 Expert Info Expert Info Conversations 23

24 Conversations IOGraphs IOGraphs 24

25 IOGraphs IOGraphs IOGraphs 25

26 Flow Graphs Flow Graphs Flow Graphs 26

27 Right Click Filtering Right Click Filtering Prepare loads the Display filter box, but doesn t apply it Apply load they filter AND applies it Export HTTP 27

28 Export HTTP Objects Triggered Stops Triggered Stops 28

29 Service Response Time - SMB Service Response Time - SMB Service Response Time - SMB 29

30 VOIP VOIP Calls VOIP Call Graph 30

31 VOIP RTP Player SIP Analysis SIP Analysis 31

32 HTTP Analysis HTTP Analysis Load Distribution HTTP Analysis Packet Counter 32

33 HTTP Analysis Requests TroubleShooting TCP Latency Loss Jitter Jabber Small Packets Latency The time it takes for a packet to travel from point a to point b L t i ft th Latency is often the cause of slow networks 33

34 Troubleshooting TCP Latency T1 T1 is the time it took from the moment the syn was sent until the client received the syn/ack This time is due to the wire latency + processing time of the IP stack on the server T2 T2 is the time it took from receiving the SYN/ACK until the ACK is sent. This time is the processing time of the IP stack on the client 34

35 T3 T3 is the time it took from sending the ACK until the clients sends a GET. This time is the processing time of the application on the client T4 T4 is the time it took from sending GET until an ACK is received at the client. This time is due to wire latency. T5 T5 is the time it took from getting the ACK until data is received at the client. This time is due the server application. 35

36 TIPS Time #1 & #4 should be small on a LAN application. If not, check your network path, nic settings and throughput. Time #2 is the client ip stack. Should be minimal. If not, check the driver. Time #3 is the client application. This time will undoubtedly vary greatly between packets. Talk to your developers if you see and issue here. Time #5 is the server application. This time will also vary greatly, but generally if #5 is huge and #4 is really, really small look at delays caused by the server application. Start troubleshooting on the server by looking at CPU, bandwidth, memory and disk IO. Jitter Jitter is an unwanted variation of one or more characteristics of a periodic signal in electronics and telecommunications. Jitter may be seen in characteristics such as the interval between successive pulses, or the amplitude, frequency, or phase of successive cycles. Source: Wikipedia.com Jitter 36

37 Jitter Jitter Jitter 37

38 LOSS Um lost packets Source: me LOSS Jabber Jabber occurs when there are excessively long packets from a network device. This isn t very common on IP only networks, but is very common on multiprotocol networks Simply check for packet size 38

39 Packet Size Packet Length Improving WireShark Performance Don t use capture filters Increase your read buffer size Don t update the screen dynamically Get a faster computer Use a TAP Don t resolve names 39

40 Thank you 40