Sungkyunkwan University
Introduction to OSI model and Network Analyzer: Introduction to Wireshark
Syed Muhammad Raza, s.moh.raza@gmail.com
Copyright 2000-2014 Networking Laboratory 1/56
An Overview: Internet Protocol Stack
Internet Protocol Stack
Consists of five layers:
5. Application
4. Transport
3. Network
2. Link
1. Physical
Derived from the TCP/IP protocol stack
Internet Protocol Stack Explained: Animation Video
Explanation of the operation and purpose of the Internet Protocol Stack
Packet Encapsulation
The data is sent down the protocol stack; each layer adds to the data by prepending its header.
Figure: Ethernet header (22 bytes), IP header (20 bytes), TCP header (20 bytes), data (64 to 1500 bytes), Ethernet trailer (4 bytes)
Wireshark
Introduction (1/3)
Network Traffic Trace
A recording of the network packets both received by and transmitted from a network interface
What is a pcap file?
pcap = Packet Capture
File format originally designed for tcpdump/libpcap
Most widely used packet capture format
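As an added, stand-alone example (not from the slides), the Python below parses the pcap format described above and walks each record down the stack of the encapsulation slide: Ethernet header, then IPv4 header, then TCP or UDP header, then payload. Its input is a three-packet capture constructed inline, so the hosts, MAC addresses and timestamps are hypothetical (the MAC and IP values reuse the sample values that appear later in the deck). Because the per-record length fields of a pcap file are untrusted input, the parser checks each one against the snaplen, the original length and the remaining bytes before slicing, and it also derives a conversation table of the kind Wireshark shows under Statistics -> Conversations.

```python
import struct
from collections import defaultdict

# pcap magic numbers as seen when the first four bytes are read little-endian.
# Each maps to the byte order of the file and the unit of the timestamp fraction.
_MAGICS = {
    0xA1B2C3D4: ("<", 1e-6),   # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1e-6),   # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1e-9),   # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1e-9),   # big-endian file, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def decode_frame(frame):
    """Walk one frame down the stack: Ethernet -> IPv4 -> TCP/UDP -> payload (every slice is length-checked)."""
    pkt = {"proto": None, "src_port": None, "dst_port": None, "payload": b""}
    if len(frame) < 14:                        # Ethernet header: dst(6) src(6) type(2)
        return pkt
    pkt["dst_mac"], pkt["src_mac"] = _mac(frame[0:6]), _mac(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or len(frame) < 34:
        return pkt                             # only IPv4 is decoded here
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    pkt["proto"] = frame[23]
    pkt["src_ip"], pkt["dst_ip"] = _ip(frame[26:30]), _ip(frame[30:34])
    l4 = frame[14 + ihl:]
    if pkt["proto"] == 6 and len(l4) >= 20:    # TCP: header length comes from the data offset
        pkt["src_port"], pkt["dst_port"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        pkt["src_port"], pkt["dst_port"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[8:]
    return pkt

def parse_pcap(data):
    """Parse a classic pcap file into a list of decoded packet dicts."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file (magic {magic:#x})")
    endian, tick = _MAGICS[magic]
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # The captured length is attacker-controlled: never let it run past the
        # snaplen, the original length, or the end of the buffer.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError(f"record {len(packets) + 1}: bad captured length {incl_len}")
        pkt = decode_frame(data[off:off + incl_len])
        pkt.update(frame=len(packets) + 1, time=ts_sec + ts_frac * tick, length=orig_len)
        packets.append(pkt)
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return packets

def conversations(packets):
    """Bidirectional (address, port) pairs with packet and byte totals, like Statistics -> Conversations."""
    table = defaultdict(lambda: [0, 0])
    for p in packets:
        if p["proto"] not in (6, 17):
            continue
        key = tuple(sorted([(p["src_ip"], p["src_port"]), (p["dst_ip"], p["dst_port"])]))
        table[key][0] += 1
        table[key][1] += p["length"]
    return dict(table)

def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Assemble Ethernet + IPv4 + TCP/UDP + payload for the constructed sample (checksums left 0)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + l4
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip

def build_sample_pcap():
    """Constructed capture: an HTTP request, its reply, and a DNS query between hypothetical hosts."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    client, server = "00:50:ba:48:b5:ef", "00:00:01:01:02:22"
    frames = [
        _ipv4_frame(client, server, "10.10.10.5", "203.0.113.10", 6, 40000, 80,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        _ipv4_frame(server, client, "203.0.113.10", "10.10.10.5", 6, 80, 40000,
                    b"HTTP/1.1 200 OK\r\n\r\n"),
        _ipv4_frame(client, server, "10.10.10.5", "10.10.10.1", 17, 53000, 53,
                    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    ]
    records = b"".join(struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records

if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p["frame"], p.get("src_ip"), p["src_port"], "->", p.get("dst_ip"), p["dst_port"], p["length"])
    print(conversations(parse_pcap(build_sample_pcap())))
```

The `length` recorded per packet is the original on-the-wire length, matching the Length column in the packet list, while the decoded bytes come from the captured length; the two differ when a capture was taken with a reduced snaplen (the "only capture part of the packet" option). Cutting a few bytes off the end of the sample file makes `parse_pcap` raise instead of silently decoding a short frame, which is the behaviour a reader of untrusted captures wants.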
Introduction (2/3)
What is Wireshark?
Formerly known as Ethereal
Wireshark is a GUI network protocol analyzer
Follows the rules of the pcap library
Found at http://www.wireshark.org
The complete manual is located here
Introduction (3/3)
Some of its functions:
Capturing network traffic from the interface
Decoding packets of common protocols
Displaying the network traffic in human-readable format
Some of its uses:
Troubleshoot network problems
Learn network protocol internals
Debug protocol/program implementations
Examine network-related security issues
Wireshark Startup
Screen Layout of Wireshark
Menu
Packet List: the summary line, briefly describing what the packet is
Packet Details: a protocol tree is shown in detail, allowing you to drill down to the field of interest
Filename of the current file
Packet Bytes: shows what the packet looks like when it goes over the wire
Basic UI Options (1/2)
Change the columns in the packet list to see the information relevant to you
Edit -> Preferences -> Columns
Basic UI Options (2/2)
File -> Open
Opens a packet capture file
View -> Time Display Format
Change the format of the packet timestamps in the packet list pane
Switch between absolute and relative timestamps
Change the level of precision
View -> Name Resolution
Allow Wireshark to resolve names from addresses at different protocol layers
Enable Protocols
Packet Capture
Capture -> Interfaces
Available network interfaces for capture
Total packets per interface
Packet rate per interface
Capture Options (1/2)
Capture Options (2/2)
Specify the interface to be monitored
Record all traffic, even traffic not addressed to you
Capture only part of each packet
Capture only certain packets
Store the result in a file
Automatic stop condition
Start Capturing
Stop Capturing
Display Captured Packets
Callouts: frame number; Ethernet header; destination MAC address field in the Ethernet header
Individual Packet Analysis
Packet Details
Detailed information about the currently selected packet is displayed in the packet details pane
All packet layers are displayed in the tree menu
Any portion of any layer can be exported via a right click and selecting Export Selected Packet Bytes
Packet Bytes
Displays the raw packet bytes
The selected packet layer is highlighted
Trace Analysis (1/2)
Packet list
Displays all of the packets in the trace in the order they were recorded
Columns:
Time: the timestamp at which the packet crossed the interface
Source: the originating host of the packet
Destination: the host to which the packet was sent
Protocol: the highest-level protocol that Wireshark can detect
Length: the length in bytes of the packet on the wire
Info: an informational message pertaining to the protocol in the Protocol column
Trace Analysis (2/2)
Packet list default coloring:
Gray: TCP packets
Black with red letters: TCP packets with errors
Green: HTTP packets
Light blue: UDP packets
Pale blue: ARP packets
Lavender: ICMP packets
Black with green letters: ICMP packets with errors
Colorings can be changed under View -> Coloring Rules
Column Sorting
Output is sorted by frame number by default
Output sorted by source address
Conversation List
Saving Captured Packets
Capture Filters
The capture filter syntax follows the rules of the pcap library
This syntax is different from the display filter syntax
See the tcpdump manual page (http://www.tcpdump.org/tcpdump_man.html)
Sample filters:
src host 192.168.1.1
ether src 00:50:BA:48:B5:EF
Capture Filters
A capture filter for HTTP that captures traffic to and from a particular host:
tcp port 80 and host 10.10.10.5
A capture filter for HTTP that captures traffic not from a particular host:
tcp port 80 and not host 10.10.10.5
A capture filter for traffic to and from an Ethernet address:
ether host 00:00:01:01:02:22
Display Filters
Comparisons can be written with C-like symbols or English-like abbreviations:
eq, ==   Equal
ne, !=   Not equal
gt, >    Greater than
lt, <    Less than
ge, >=   Greater than or equal to
le, <=   Less than or equal to
Display Filters GUI
A quick way to learn display filter commands (screenshots, steps 1 to 3)
Display Filter Examples
http.request - Display all HTTP requests
http.request or http.response - Display all HTTP requests and responses
ip.addr == 127.0.0.1 - Display all IP packets whose source or destination is localhost
tcp.len < 100 - Display all TCP packets whose data length is less than 100 bytes
http.request.uri matches "(gif)$" - Display all HTTP requests in which the URI ends with gif
dns.query.name == www.google.com - Display all DNS queries for www.google.com
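To show how the operator table and the examples above are actually evaluated, here is an added Python model of the display filter language (an example written for this page, not Wireshark's own code). It accepts both spellings of each comparison (`eq`/`==`, `lt`/`<`, and so on), `and`/`&&`, `or`/`||`, `not`/`!`, parentheses, bare field names as presence tests, and `matches` with a quoted regular expression. Packets are represented as constructed dicts of the fields a dissector would expose; `ip.addr` holds both the source and destination address, which reproduces the rule that a comparison on a multi-valued field is true if any of its values satisfies it. The field names are Wireshark's; the packet contents and addresses are hypothetical.

```python
import re

# Each C-like symbol and its English-like alias from the operator table mean the same thing.
_OPS = {
    "==": "==", "eq": "==", "!=": "!=", "ne": "!=",
    ">": ">", "gt": ">", "<": "<", "lt": "<",
    ">=": ">=", "ge": ">=", "<=": "<=", "le": "<=",
    "matches": "matches",
}
# Tokens: parentheses, symbolic operators, quoted strings, or bare words (field names and values).
_TOKEN = re.compile(r'\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[^\s()=!<>&|"]+)')

# Constructed sample: each dict holds the fields a dissector would expose for one frame.
# Multi-valued fields such as ip.addr are lists (source and destination).
SAMPLE_PACKETS = [
    {"frame.number": 1, "ip.addr": ["10.10.10.5", "203.0.113.10"], "tcp.len": 38,
     "http.request": True, "http.request.uri": "/index.html"},
    {"frame.number": 2, "ip.addr": ["203.0.113.10", "10.10.10.5"], "tcp.len": 512, "http.response": True},
    {"frame.number": 3, "ip.addr": ["10.10.10.5", "10.10.10.1"], "dns.query.name": "www.google.com"},
    {"frame.number": 4, "ip.addr": ["127.0.0.1", "127.0.0.53"], "tcp.len": 0},
    {"frame.number": 5, "ip.addr": ["10.10.10.5", "203.0.113.10"], "tcp.len": 20,
     "http.request": True, "http.request.uri": "/logo.gif"},
]

def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _compare(values, op, rhs):
    """A multi-valued field satisfies a comparison when ANY of its values does."""
    for v in values:
        if op == "matches":
            ok = isinstance(v, str) and re.search(rhs, v) is not None
        else:
            r = int(rhs) if isinstance(v, int) else rhs   # numeric fields compare as numbers
            ok = {"==": v == r, "!=": v != r, ">": v > r, "<": v < r,
                  ">=": v >= r, "<=": v <= r}[op]
        if ok:
            return True
    return False

class _Parser:
    """Recursive descent: or_expr -> and_expr -> not_expr -> primary."""
    def __init__(self, tokens, packet):
        self.tokens, self.pos, self.packet = tokens, 0, packet

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def or_expr(self):                      # and_expr (("or" | "||") and_expr)*
        result = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            result = self.and_expr() or result      # both sides are always parsed
        return result

    def and_expr(self):                     # not_expr (("and" | "&&") not_expr)*
        result = self.not_expr()
        while self.peek() in ("and", "&&"):
            self.take()
            result = self.not_expr() and result
        return result

    def not_expr(self):                     # ("not" | "!") not_expr | primary
        if self.peek() in ("not", "!"):
            self.take()
            return not self.not_expr()
        return self.primary()

    def primary(self):                      # "(" or_expr ")" | field [op value]
        tok = self.take()
        if tok == "(":
            result = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        field = self.packet.get(tok)
        values = [] if field is None else (field if isinstance(field, list) else [field])
        if self.peek() in _OPS:
            op, rhs = _OPS[self.take()], self.take().strip('"')
            return _compare(values, op, rhs)
        return bool(values)                 # a bare field name tests presence of the field

def matches_filter(filter_text, packet):
    parser = _Parser(_tokenize(filter_text), packet)
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return bool(result)

def matching_frames(filter_text, packets=SAMPLE_PACKETS):
    """Frame numbers kept by the filter, like the packet list after applying it."""
    return [p["frame.number"] for p in packets if matches_filter(filter_text, p)]
```

The any-value rule is worth knowing when excluding a host: with this model, `ip.addr != 127.0.0.1` keeps frame 4 above, because its other address (127.0.0.53) is not 127.0.0.1, whereas `!(ip.addr == 127.0.0.1)` drops it. Writing the negation around the whole comparison is the form that states what is meant. The regular expression after `matches` is quoted, since an unquoted `(gif)$` would otherwise be read as grouping parentheses.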
Follow TCP Stream
Red: data you sent
Blue: data you received
Expert Info
Conversations
IO Graphs
Flow Graphs
HTTP Analysis
Load Distribution
Packet Counter
Requests
And there is much, much more, which you should explore on your own.
Happy Exploring
Improving Wireshark Performance
Don't use capture filters
Increase your read buffer size
Don't update the screen dynamically
Get a faster computer
Use a TAP
Don't resolve names
Some Useful Information
Wireshark: http://www.wireshark.org
TCPDUMP man page: http://www.tcpdump.org/tcpdump_man.html
IP Protocol: http://www.networksorcery.com/enp/protocol/ip.htm
Thank you