COMPUTER NETWORKS
CPSC 441, Winter 2016
Prof. Mea Wang
Department of Computer Science, University of Calgary

OUTLINE
- Introduction: Wireshark and tshark
- Running tshark
- Running Wireshark
- Exercise: Analyze HTTP traffic to and from web browser
WHAT IS WIRESHARK?
- Wireshark is a network protocol analyzer
- Runs on Linux, Mac and Windows
- Free of cost
- It is installed on the lab machines, but requires root access
- You can install it:
  - on your own machine: http://www.wireshark.org/download.html
  - on your RAC VM (next slide)
CPSC 457 Winter 2014
TSHARK
- Terminal version of Wireshark
- Typically used when an interactive user interface is not available
- You need to use tshark to capture and analyze network packets on RAC VMs.
Install tshark on your RAC VM:
- Log in to your VM
- sudo apt-get install tshark
- If this results in a "package not available" message, update the package list by running sudo apt-get update first, then install tshark
CAPTURE TRAFFIC
- tshark has to be run with root privileges: use sudo (superuser mode) when running tshark
- Identify the network interface to monitor
  - To list all interfaces on a machine: ifconfig -a
  - For RAC VMs, there is only one interface: eth0
- Create a destination folder to save the packet trace file
  - In your home directory (/home/ubuntu): mkdir dump
  - Change ownership of the dump folder to root: sudo chown -R root: dump
- Capture traffic:
  sudo tshark -i eth0 -w dump/filedump0
  - Option -i specifies the interface name
  - Option -w specifies the destination of the packet trace file
RUNNING WIRESHARK
(This tutorial is adapted from the textbook exercise.)
MAIN WINDOW
Click the Capture pull-down button to select an interface and start capturing packets
CAPTURE WINDOW
CAPTURE WINDOW
- The command menus are standard pull-down menus located at the top of the window.
- The packet-listing window displays a one-line summary for each packet captured.
- The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window.
- The packet-contents window displays the entire content of the captured frame, in both ASCII and hexadecimal format.
- The packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows).
EXERCISE: ANALYZE HTTP TRAFFIC TO AND FROM WEB BROWSER
(This tutorial is adapted from the textbook exercise.)
EXERCISE: HTTP ANALYSIS
In this exercise, you will use Wireshark or tshark to analyze HTTP traffic.
On your RAC VM:
- Since we cannot run a browser application on the VM, we will use the command wget to retrieve web content
- While running tshark in one terminal, connect to the public VM in another terminal. Then do the following steps:
  - wget www.cpsc.ucalgary.ca
  - wget will show a progress bar
  - Once the webpage is downloaded completely, stop the capture (press Control-C in the terminal where tshark is running)
TSHARK: ANALYZE PACKETS
- tshark dumps all incoming and outgoing packets from eth0
- We need to filter the packets that are of interest to us
- tshark and Wireshark share the same filter engine
- The filter expression is given to tshark with the -R option. For example, to filter TCP packets:
  sudo tshark -r dump/filedump0 -R tcp
- By default, a short description of each packet (one per line) is written to standard output
  - You can redirect the output with the > operator
- If you want full information (all protocol fields) about each packet, use the -V option:
  sudo tshark -r dump/filedump0 -R tcp -V
- To filter packets with an HTTP header:
  sudo tshark -r dump/filedump0 -R http
TSHARK: ANALYZE PACKETS
- To display TCP packets to and from specific port numbers:
  sudo tshark -r dump/filedump0 -R "tcp.dstport==80 || tcp.srcport==80"
  - The above command displays all packets whose source or destination TCP port number equals 80 (the expression contains spaces and ||, so it must be quoted for the shell)
  - Note the operators == and ||
  - Similarly, there are operators !=, >, <, <=, >=
  - dstport and srcport are field names defined in tshark for the TCP destination and source port number, respectively.
- For more information about filter expressions, see the manual page: man wireshark-filter
- For the full list of field names: https://www.wireshark.org/docs/dfref/
TSHARK: FILTER HTTP PACKETS
- Filter packets with the protocol or field name http:
  sudo tshark -r dump/filedump0 -R http
  - Note that the above command will ONLY display packets that tshark identifies as HTTP or that have a field called http
- To display all packets exchanged between the VM and the cpsc server:
  sudo tshark -r dump/filedump0 -R "tcp.dstport==80 || tcp.srcport==80"
  - The HTTP server listens on port 80
WIRESHARK: HTTP ANALYSIS
In Windows or MacOS:
1. Start up your favorite web browser, which will display your selected homepage
2. Start up the Wireshark software.
3. To begin packet capture, select the Capture pull-down menu and select Interfaces. This will cause the Wireshark: Capture Interfaces window to be displayed. You'll see a list of the interfaces on your computer. Click on Start for the interface on which you want to begin packet capture.
4. While Wireshark is running, enter the URL www.cpsc.ucalgary.ca in your browser and have that page displayed in the browser
5. Stop the Wireshark packet capture by selecting Stop in the Wireshark capture window
WIRESHARK: HTTP ANALYSIS
Let's now filter the HTTP messages (due to the webpage access) between your browser and the cpsc web server:
- Type "http" (without the quotes, and in lower case: all protocol names are in lower case in Wireshark) into the display filter specification window and press ENTER.
- The Wireshark window will look similar to the figure in slide 11
EXAMPLE: HTTP ANALYSIS
No. and Time values are relative to the start of the capture
THINGS TO TRY OUT
- Find the HTTP GET message. This is the HTTP request message sent to the cpsc web server from your browser
- Find the HTTP OK message. This is the HTTP response message from the cpsc web server to your browser
- Figure out the IP address of the cpsc web server
- Figure out the IP address of your machine
- Figure out the time gap between the HTTP GET and the HTTP OK
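The following is an added example, not part of the slides and not Wireshark or tshark code. It shows in Python what the tshark commands on the "TSHARK: ANALYZE PACKETS" slides do and then answers the "things to try out" questions: it reads a classic pcap file, dissects Ethernet/IPv4/TCP into tshark-style field names (ip.src, tcp.dstport, http, ...), evaluates a small subset of the display-filter language (==, !=, <, <=, >, >=, ||, && and bare protocol names such as tcp or http), and reports the server address, the client address and the time between the GET and the 200 OK. The capture it runs on is constructed inline (a wget-style fetch plus unrelated SSH and DNS packets); the addresses 10.0.0.5 and 192.0.2.80 and all function names are assumptions, not values from the real cpsc server. One caveat for readers on newer tshark builds: since tshark 1.10 the -R read filter used on the slides requires the -2 (two-pass) option, and -Y is the usual single-pass display-filter option; the filter expressions themselves are unchanged.

```python
"""Added example (not from the slides): a minimal pcap reader, an Ethernet/IPv4/TCP
dissector and an evaluator for a small subset of the Wireshark display-filter language,
reproducing `tshark -r dump/filedump0 -R "tcp.dstport==80 || tcp.srcport==80"`."""
import operator
import struct

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

def build_frame(src, dst, proto, transport):
    """Ethernet + IPv4 header around a transport segment (checksums left zero: constructed data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 1, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + transport

def tcp_segment(sport, dport, payload=b"", flags=0x18):
    """20-byte TCP header (data offset 5) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def build_pcap(records):
    """Little-endian classic pcap, linktype 1 (Ethernet); records are (seconds, frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (seconds, frame) for every record; pcapng is deliberately not handled."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet (linktype 1) frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Return tshark-style field names for an Ethernet/IPv4/TCP frame (HTTP detected naively)."""
    fields = {}
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return fields                                   # not IPv4: nothing to filter on
    ip = frame[14:]
    fields["ip.src"] = ".".join(map(str, ip[12:16]))
    fields["ip.dst"] = ".".join(map(str, ip[16:20]))
    if ip[9] != 6:
        return fields                                   # not TCP (e.g. the UDP DNS query)
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
    fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack_from("!HH", tcp, 0)
    # tshark uses port/content heuristics for HTTP; here the first payload line is enough.
    line = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith("HTTP/"):                        # status line of a response
        fields["http"], fields["http.response.code"] = line, int(line.split()[1])
    elif line.endswith(("HTTP/1.0", "HTTP/1.1")):       # request line
        fields["http"], fields["http.request.method"] = line, line.split()[0]
    return fields

def matches(fields, expr):
    """Evaluate ||, &&, the six comparison operators and bare protocol/field names."""
    if "||" in expr:
        return any(matches(fields, part) for part in expr.split("||"))
    if "&&" in expr:
        return all(matches(fields, part) for part in expr.split("&&"))
    expr = expr.strip()
    for op in ("==", "!=", ">=", "<=", ">", "<"):        # two-character operators first
        if op in expr:
            name, literal = (s.strip() for s in expr.split(op, 1))
            if name not in fields:
                return False                            # an absent field never compares true
            value = fields[name]
            return OPS[op](value, int(literal) if isinstance(value, int) else literal)
    # A bare name such as "tcp", "http" or "ip.src" tests for presence of that protocol/field.
    return expr in fields or any(key.startswith(expr + ".") for key in fields)

def filter_capture(data, expr):
    """The equivalent of `tshark -r FILE -R "EXPR"`: matching packets with their fields."""
    return [(ts, f) for ts, frame in parse_pcap(data) for f in (dissect(frame),) if matches(f, expr)]

def exercise_answers(data):
    """Server address, client address and the GET -> 200 OK gap asked for on the last slide."""
    get_ts, get = filter_capture(data, "http.request.method==GET")[0]
    ok_ts, _ = filter_capture(data, "http.response.code==200")[0]
    return {"server": get["ip.dst"], "client": get["ip.src"], "gap_seconds": round(ok_ts - get_ts, 6)}

# Constructed capture (private/documentation addresses, not the real cpsc server).
CLIENT, SERVER = "10.0.0.5", "192.0.2.80"
GET = b"GET / HTTP/1.1\r\nHost: www.cpsc.ucalgary.ca\r\nUser-Agent: Wget\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
SAMPLE_PCAP = build_pcap([
    (0.000000, build_frame(CLIENT, SERVER, 6, tcp_segment(51234, 80, flags=0x02))),          # SYN
    (0.000900, build_frame(CLIENT, "198.51.100.9", 6, tcp_segment(51300, 22, flags=0x02))),  # SSH SYN
    (0.001200, build_frame(CLIENT, "10.0.0.1", 17, struct.pack("!HHHH", 51000, 53, 8, 0))),  # DNS (UDP)
    (1.000000, build_frame(CLIENT, SERVER, 6, tcp_segment(51234, 80, GET))),                 # HTTP GET
    (1.042000, build_frame(SERVER, CLIENT, 6, tcp_segment(80, 51234, OK))),                  # HTTP 200 OK
])

if __name__ == "__main__":
    for ts, f in filter_capture(SAMPLE_PCAP, "tcp.dstport==80 || tcp.srcport==80"):
        print(f"{ts:9.6f} {f['ip.src']}:{f['tcp.srcport']} -> {f['ip.dst']}:{f['tcp.dstport']}  {f.get('http', '')}")
    print(exercise_answers(SAMPLE_PCAP))
```

Running the script prints the three port-80 packets in the same one-line-per-packet form tshark uses (time relative to the start of the capture, addresses, ports, request or status line) and the answers dictionary. The bare-name filters behave as on the slides: tcp keeps the SSH SYN but drops the UDP DNS query, and http keeps only the two packets whose payload starts with an HTTP request or status line, which is why the slide warns that -R http shows only what tshark identifies as HTTP.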