Published by: shivacharry on Mar 12, 2011
Wireshark
Network Packet Analyzer
1. Introduction
Wireshark is an open source network packet analyzer (previously known as Ethereal). A network packet analyzer captures packets from network interfaces (NICs etc.). Captured packets can be used to troubleshoot network problems and to analyze network security or the protocols involved.
Features:
Available for both Windows and most Unix platforms. Able to capture live packets from different types of network such as Ethernet, ATM and Token Ring. Provides details such as packet source and destination addresses, interface type, frame length etc. Able to filter and capture packets according to user requirements, as well as visualise specific packets using colouring.
2. Installation
Installing Wireshark on the Windows platform is very straightforward. It can be installed from the installation package (.exe file). However, Wireshark needs a packet capturing driver installed on the system, such as WinPcap for the MS-Windows platform or libpcap for Unix platforms. Thus, they must be present in the system or have to be installed together with Wireshark.
3. Packet Capturing
In general, root/administrator privileges are required to capture packets on a network. To start packet capturing you need to select a local interface. It is possible to run multiple Wireshark instances simultaneously to capture different interfaces at the same time.
Exercise 1: Capture live packets
1. From the Capture menu select Interfaces. The ‘Capture Interfaces’ dialog box will display all local interface cards (Fig. 1) that can be captured. Before starting capture let’s have a look at the options.
2. Select Options.
3. Select the interface you want to capture from the first drop-down list box.
4. Check ‘Capture packets in promiscuous mode’ if you want to capture packets from the LAN broadcast. Uncheck it to capture only packets to and from that specific computer.
5. In the display options dialog box uncheck the ‘Hide capture info’ checkbox. This will display summarised information on captured packets.
6. Check all name resolution checkboxes. This will resolve MAC and network addresses into a more readable format.
7. Click Start to commence packet capturing.
Figure 1: Select capture Interfaces.
Some network activity is required to generate packet transmission over the network interface. If an internet connection is available, simple internet browsing will initiate TCP and other types of packet transmission, or a simple PING command to any LAN computer will transmit some ICMP packets. Transmitted packets will be captured and displayed in the Wireshark main window (see Fig. 2).
Figure 2: Captured packets are displayed by Wireshark
 
4. Filtering Packets
You might not want to capture all types of packet; rather, you might be interested in packets of a specific kind or destination to analyze a network issue. We can filter packets in two ways: while viewing packets and while capturing packets.
Filtering based on protocol type is simple. For example, to filter and display all ICMP packets, type ICMP in the ‘Filter’ textbox in the Wireshark main window. To withdraw the filter click the ‘Clear’ button beside the textbox. We need to use comparison operators to filter packets based on their field values and source or destination address. Operators are based on the ‘C’ programming language; however an equivalent English-like form can be used. The following table describes the available operators.

Operator   English-like   Description              Example
==         eq             Equal                    ip.addr==192.186.0.1
!=         ne             Not Equal                ip.addr!=192.186.0.1
>          gt             Greater Than             frame.pkt_len>100
<          lt             Less Than                frame.pkt_len<10
>=         ge             Greater Than or Equal    frame.pkt_len ge 0x100
<=         le             Less Than or Equal       frame.pkt_len <=50
&&         and            Logical AND              tcp.window_size == 0 && tcp.flags.reset != 1
||         or             Logical OR               tcp.port ==25 || icmp
^^         xor            Logical XOR              ip.src==192.168.0.1 XOR ip.dst==192.168.1.10
!          not            Logical NOT              !(ip.addr==192.168.0.3)

Notes on the examples:
frame.pkt_len ge 0x100: here the English-like comparison operator and a hexadecimal field value are used for the comparison.
frame.pkt_len <=50: the frame size is always in bytes.
tcp.window_size == 0 && tcp.flags.reset != 1: when the TCP window size equals 0 and the reset flag is false, it means the destination TCP buffer is full and cannot receive any more packets.
tcp.port ==25 || icmp: only SMTP packets on port 25 or ICMP packets will be displayed.
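The operator table shows the filter language one operator at a time. The following added example (not from the original document, and not Wireshark's own code) is a small Python evaluator for exactly this subset of the display-filter syntax: it tokenizes an expression, accepts both the C-style operators and their English-like aliases, honours the precedence of ||, ^^, &&, ! and the comparisons, and applies the table's expressions to three constructed sample packets modelled as dictionaries of field values. The packet records, the dictionary keys named after Wireshark fields, and the helper names (tokenize, _Parser, matching_indices) are assumptions made for this example.

```python
import operator
import re

# Token grammar for the subset of display-filter syntax in the operator table: C-style operators
# and their English-like aliases, decimal or 0x hex numbers, dotted IPv4 addresses, field names.
_TOKEN_RE = re.compile(r"\s*(?:(?P<op>==|!=|>=|<=|&&|\|\||\^\^|[<>!()])"
                       r"|(?P<value>0x[0-9a-fA-F]+|\d+(?:\.\d+){3}|\d+)"
                       r"|(?P<word>[A-Za-z_][A-Za-z0-9_.]*))")
_ALIASES = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "xor": "^^", "not": "!"}
_CMP = {"==": operator.eq, ">": operator.gt, "<": operator.lt,
        ">=": operator.ge, "<=": operator.le}


def tokenize(text):  # (kind, text) tokens; English-like aliases become the C operator
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        pos, word = m.end(), m.group("word")
        if word:
            alias = _ALIASES.get(word.lower())
            tokens.append(("op", alias) if alias else ("field", word))
        else:
            tokens.append(("op", m.group("op")) if m.group("op") else ("value", m.group("value")))
    return tokens


class _Parser:  # recursive descent; precedence from lowest to highest: ||, ^^, &&, !, comparison
    _BINARY = (("or", "||"), ("xor", "^^"), ("and", "&&"))

    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [(None, None)], 0  # sentinel marks the end

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]

    def _accept(self, *ops):  # consume the next token only if it is one of ops
        return self._next()[1] if self.toks[self.i] in [("op", o) for o in ops] else None

    def parse(self, level=0):
        if level == len(self._BINARY):  # unary ! binds tighter than any binary operator
            return ("not", self.parse(level)) if self._accept("!") else self._parse_cmp()
        name, op = self._BINARY[level]
        node = self.parse(level + 1)
        while self._accept(op):
            node = (name, node, self.parse(level + 1))
        return node

    def _parse_cmp(self):
        if self._accept("("):
            node = self.parse()
            if not self._accept(")"):
                raise ValueError("missing ')'")
            return node
        kind, field = self._next()
        if kind != "field":
            raise ValueError(f"expected a field name, got {field!r}")
        op = self._accept(*_CMP, "!=")
        if op is None:
            return ("present", field)  # bare name such as "icmp": is the protocol present?
        kind, raw = self._next()
        if kind != "value":
            raise ValueError(f"expected a value after {op!r}")
        return ("cmp", op, field, raw if "." in raw else int(raw, 16 if raw[:2].lower() == "0x" else 10))


def _eval(node, packet):
    kind = node[0]
    if kind == "present":
        return node[1] in packet
    if kind == "cmp":
        _, op, field, target = node
        values = packet.get(field, [])  # combined fields such as ip.addr hold several values
        values = values if isinstance(values, list) else [values]
        if op == "!=":  # plain negation of ==; Wireshark versions differ on multi-valued fields
            return not any(v == target for v in values)
        return any(isinstance(v, type(target)) and _CMP[op](v, target) for v in values)
    if kind == "not":
        return not _eval(node[1], packet)
    left, right = _eval(node[1], packet), _eval(node[2], packet)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]


def matching_indices(text, packets):  # indices of the packets the filter would keep in the list pane
    parser = _Parser(text)
    tree = parser.parse()
    if parser.i != len(parser.toks) - 1:
        raise ValueError("unexpected trailing tokens")
    return [i for i, p in enumerate(packets) if _eval(tree, p)]


# Constructed sample packets (not a real capture): an ICMP echo request, an SMTP segment
# advertising a zero window, and a large HTTPS segment; ip.addr and tcp.port hold both ends.
SAMPLE_PACKETS = [
    {"frame.pkt_len": 74, "ip.src": "192.168.0.1", "ip.dst": "192.168.0.3",
     "ip.addr": ["192.168.0.1", "192.168.0.3"], "icmp": True},
    {"frame.pkt_len": 66, "ip.src": "192.168.0.3", "ip.dst": "10.0.0.5", "tcp.port": [52311, 25],
     "ip.addr": ["192.168.0.3", "10.0.0.5"], "tcp.window_size": 0, "tcp.flags.reset": 0},
    {"frame.pkt_len": 1514, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.10", "tcp.port": [443, 51000],
     "ip.addr": ["10.0.0.5", "192.168.1.10"], "tcp.window_size": 65535, "tcp.flags.reset": 0},
]
```

Running matching_indices("tcp.port ==25 || icmp", SAMPLE_PACKETS) returns [0, 1], and "!(ip.addr==192.168.0.3)" returns [2]. Multi-valued fields such as ip.addr and tcp.port are stored as lists and a comparison matches if any value matches, which is why ip.addr==192.168.0.3 selects packets where that address is either the source or the destination. The != operator is implemented here as the plain negation of ==; Wireshark's own documentation should be checked for the meaning of != on such combined fields in the version being used, since that is where filters silently return more or fewer packets than expected.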
Exercise 2. Filter Packets while viewing