
Wireshark

by T.S.R.K. Prasad

References / Acknowledgements
- Laura Chappell, Introduction to Ethereal, part 1 of 2 and part 2 of 2 (will be made available on the course site)
- tcpdump capture filters (Wireshark capture filters use the same tcpdump/BPF syntax) and Wireshark display filters: cheat sheets at http://packetlife.net/library/cheat-sheets/


Optional Readings
[nCap] L. Deri, nCap: Wire-speed Packet Capture and Transmission (ntop.org).
[BPF] Steven McCanne and Van Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture, USENIX 1993.
[Fusco] Francesco Fusco and Luca Deri, High Speed Network Traffic Analysis with Commodity Multi-core Systems, IMC 2010.

Presentation Overview (Lecture Outline)
- Introduction
- Placement Strategies
- Wireshark UI
- Wireshark Filters
- Advanced Features


Applications of Wireshark
- Network administrators use it to troubleshoot network problems.
- Network security engineers use it to examine security problems.
- Developers use it to debug protocol implementations.
- People use it to learn network protocol internals.

Features of Wireshark
- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Display packets with very detailed protocol information.
- Open and save captured packet data.
- Import and export packet data from and to many other capture programs.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize the packet display based on filters.
- Create various statistics.
- ... and a lot more!

What Wireshark Is Not

Wireshark is not an intrusion detection system: it will not alert you when something suspicious happens on the network; you have to find it in the capture yourself. Wireshark does not manipulate anything on the network; it only "measures" (passively observes) what is on the wire.


Wireshark Placement Strategies

- Hubs
- Switches: Port Mirroring, Hubbing Out
- Routers

The target (what you want to observe) determines the strategy.

Wireshark Placement: Hubs

A hub repeats every frame out of every port, so an analyzer plugged into any port sees all the traffic on the segment. No one uses hubs anymore.

Wireshark Placement: Switches

A switch forwards a unicast frame only to the port on which it learned the destination MAC address, so an analyzer on an ordinary switch port sees only its own traffic plus broadcast traffic (and multicast or flooded unknown-unicast frames).

Wireshark Placement: Port Mirroring

The switch is configured to copy the traffic of one or more ports to the port where the analyzer is connected (Cisco calls this SPAN). Good for monitoring. Caveat: a full-duplex link carries traffic in both directions at once, so a single mirror port can be oversubscribed and the switch silently drops the excess.

Wireshark Placement: Hubbing Out

Insert a hub between the target computer and the switch and plug the analyzer into the hub. The analyzer can then observe one specific computer. Caveat: the hub forces that link to half-duplex, which can change the very behaviour you are trying to observe; a passive network tap gives the same view without that side effect.

Wireshark Placement: Routers

Capturing on a router shows the traffic of one interface of the router, i.e. only the traffic that actually crosses that interface. Traffic switched locally within a segment never reaches the router and is not seen.


Wireshark Main UI

Capture Interfaces

Lists the network interfaces Wireshark can capture on. Wireshark sees all the traffic received by the computer on the selected interface (with promiscuous mode enabled, also frames that are not addressed to this computer).

Capture Options
- Capture everyone's packets (promiscuous mode)
- Limit capture packet size (snapshot length)
- Capture interface
- Capture filter
- Options to store capture data in files
- Capture stop triggers
- Name and address resolution

Slice (Limit) the Packet Size

Capturing only the first N bytes of each packet keeps the headers and drops most of the payload, which shrinks the capture file and lowers the risk of dropping packets on a busy link.

How do we know the packet size limit? It is set in Capture Options (the snapshot length), and Wireshark marks every sliced packet with "Packet size limited during capture".
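The slice limit is also recorded in the capture file itself, so the question above can be answered from the file alone. The following added example (written for this page; it is not part of the original deck or of Wireshark) writes a classic libpcap file with a chosen snapshot length using only the Python standard library, reads it back, and flags records whose saved length (incl_len) is smaller than the original length (orig_len), which is exactly the condition behind Wireshark's "Packet size limited during capture" note. The frame bytes and timestamps are constructed sample data.

```python
import struct

# Constructed sample frame (not from a real network): a 14-byte Ethernet header
# (dst MAC, src MAC, EtherType 0x0800) followed by 200 bytes of filler, 214 bytes total.
FRAME = bytes.fromhex("66778899aabb" "001122334455" "0800") + bytes(range(200))

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)

def write_pcap(frames, snaplen):
    """Serialise frames into a pcap blob, keeping at most `snaplen` bytes of each
    frame but recording the full original length, exactly as a sliced capture does."""
    blob = struct.pack(GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        # Constructed timestamps, one second apart.
        blob += struct.pack(RECORD_HEADER, 1_700_000_000 + i, 0, len(saved), len(frame))
        blob += saved
    return blob

def read_pcap(blob):
    """Parse a little-endian classic pcap blob. Returns (snaplen, records); each
    record carries the saved bytes and a `truncated` flag (incl_len < orig_len)."""
    magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HEADER, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic 0x%08x (big-endian, nanosecond or pcapng file?)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset, records = struct.calcsize(GLOBAL_HEADER), []
    while offset + struct.calcsize(RECORD_HEADER) <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(RECORD_HEADER, blob, offset)
        offset += struct.calcsize(RECORD_HEADER)
        data = blob[offset:offset + incl_len]
        if len(data) != incl_len:
            raise ValueError("file ends inside a record claiming %d bytes" % incl_len)
        offset += incl_len
        records.append({
            "time": ts_sec + ts_usec / 1e6,
            "caplen": incl_len,            # frame.cap_len in Wireshark
            "len": orig_len,               # frame.len in Wireshark
            "truncated": incl_len < orig_len,
            "data": data,
        })
    return snaplen, records

def demo(snaplen=96):
    """Round-trip two frames through a capture sliced at `snaplen` bytes: the
    214-byte frame is cut, the 60-byte frame is stored whole."""
    return read_pcap(write_pcap([FRAME, FRAME[:60]], snaplen))

if __name__ == "__main__":
    snaplen, records = demo()
    print("snaplen in file header:", snaplen)
    for n, r in enumerate(records, 1):
        print(n, "caplen=%d len=%d truncated=%s" % (r["caplen"], r["len"], r["truncated"]))
```

The same snaplen field is what capinfos prints as the packet size limit, and tshark -s sets it when capturing from the command line. A limit of 96 bytes keeps the Ethernet, IPv4 and TCP headers (including most TCP options) but discards almost all application payload.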

Capture Data

The main window consists of the Wireshark menu and three panes:
- Summary window (packet list)
- Decode window (packet details)
- Hex window (packet bytes)

Summary Window
- Packet number
- Relative timestamp
- Packet source (name / address)
- Packet destination (name / address)
- Highest protocol
- Packet summary (Info)

Decode Window
- Capture details for the packet (frame)
- MAC header
- Network header
- Transport header
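The Decode window is a structured view of the same bytes shown in the Hex window. The following added example (written for this page; it is not Wireshark code) builds a constructed Ethernet/IPv4/TCP frame and dissects it into the three layers the slides name (MAC header, network header, transport header), verifying the IPv4 header checksum on the way. MAC and IP addresses, ports and payload are constructed sample values.

```python
import socket
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags byte

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum. Over a header whose checksum field is zero it
    yields the checksum to insert; over a header that already carries a correct
    checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame used as sample input; not a real capture.
    The TCP checksum is left at zero because this example does not verify it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp

def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)

def dissect(frame):
    """Return the three Decode Window layers: eth (MAC header), ip (network header),
    tcp (transport header). Stops early for protocols this example does not handle."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": fmt_mac(frame[:6]), "src": fmt_mac(frame[6:12]), "type": ethertype}}
    if ethertype != 0x0800:
        return layers                      # only IPv4 is dissected here
    ip = frame[14:]
    vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (vihl & 0x0F) * 4
    layers["ip"] = {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ttl, "proto": proto, "len": total_len, "header_len": ihl,
        # Wireshark shows "checksum incorrect" only when validation is enabled in Preferences.
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:
        return layers                      # only TCP is dissected here
    tcp = ip[ihl:total_len]                # total_len also strips any Ethernet padding
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x1FF
    layers["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": tcp[data_offset:],
    }
    return layers
```

Wireshark validates IPv4 and TCP checksums only when the corresponding option is enabled in Preferences, because checksum offload makes frames captured on the sending host look corrupt; the checksum_ok field above shows what that validation computes.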

Protocol Hierarchy Statistics

Shows how the captured packets and bytes break down by protocol layer (Ethernet, IP, TCP, UDP, HTTP, ...). Tells you something about the network; probably the first thing to look at when in trouble, because an unexpected protocol, or an unexpectedly large share of one protocol, stands out immediately.

Analyze Menu

Useful options to narrow down the capture to the interesting packets: display filters, Apply as Filter / Prepare a Filter, Follow Stream, Expert Info.

Statistics Menu

Statistical information about the captured packets (protocol hierarchy, conversations, endpoints, I/O graphs). The most useful menu in Wireshark.

Telephony Menu

With the right capture equipment, Wireshark can also look into the telephone network; a government permit may be required to purchase such equipment. The same menu also analyses VoIP protocols such as SIP and RTP carried over ordinary IP networks.

Preferences: Under the Hood

Edit > Preferences controls how Wireshark works internally: protocol dissector settings (including checksum validation), columns and layout, name resolution and capture defaults.

Wireshark Coloring Rules

A visual guide to separate packets. Each rule is a display-filter expression plus a colour; the first matching rule colours the packet's row in the Summary window.

End Points (from Statistics Menu)

List of endpoints for all the protocols, with packet and byte counts per address. Examples: IPv4, TCP, UDP, Ethernet.

End Points Snapshots: the active endpoints observed during the capture.


Where Are Filters Applied?

Filters help select the interesting packets and reduce the capture file size. Capture filters are applied while capturing (by the kernel packet filter, BPF, before the packet reaches Wireshark) and decide what is stored; display filters are applied afterwards and only change what is shown. The two use different syntaxes: capture filters use tcpdump/BPF syntax (host 10.0.0.5 and tcp port 80), display filters use Wireshark field syntax (ip.addr == 10.0.0.5 && tcp.port == 80).

Capture Filter (from Capture Options)

Set in the Capture Options dialog before the capture starts. Packets the capture filter rejects are never saved, so a filter that is too narrow cannot be undone afterwards.

Display Filter

Typed into the display filter toolbar; the Filter Expression builder lets you pick a protocol field, an operator and a value instead of typing the expression by hand. Only the packets matching the filter are displayed in the Summary window; the others remain in the capture file.

Apply Filter: A Simple Technique

Right-click a field in the Decode window and choose Apply as Filter (or Prepare a Filter); Wireshark builds the expression from the selected field and value.
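Display filters are evaluated against dissected fields, and a field that occurs more than once in a packet (ip.addr carries both addresses, tcp.port both ports) matches when any occurrence matches. The added example below (written for this page; it is not Wireshark's own filter engine) implements a small subset of the display-filter grammar (field presence, ==, !=, contains, &&, ||, !, parentheses and the and/or/not spellings) as a recursive-descent evaluator and runs it over constructed dissected packets. It follows the Wireshark 4.0 and later semantics in which a != b means "no occurrence equals b"; earlier releases evaluated != as "some occurrence differs", which Wireshark now spells ~=, and that legacy reading is included to show why ip.addr != 10.0.0.5 used to match almost everything and why !(ip.addr == 10.0.0.5) was the recommended idiom. Addresses, ports and field values are constructed sample data.

```python
import re

# Tokens: parentheses, logical/comparison operators, quoted strings, bare words. "!=" precedes "!".
TOKEN = re.compile(r'\(|\)|&&|\|\||!=|~=|==|!|"[^"]*"|[A-Za-z0-9_.:/-]+')

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("unexpected character %r at offset %d" % (text[pos], pos))
        tokens.append(m.group(0))
        pos = m.end()
    return tokens

class DisplayFilter:
    """Recursive-descent parser for a subset of Wireshark display-filter syntax.
    Precedence, lowest to highest: || (or), && (and), ! (not), comparisons."""
    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0
        self.ast = self._or()
        if self.pos != len(self.tokens):
            raise SyntaxError("trailing token %r" % self.tokens[self.pos])
    def _peek(self): return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _take(self):
        if self._peek() is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def _or(self):
        node = self._and()
        while self._peek() in ("||", "or"):
            self._take()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._not()
        while self._peek() in ("&&", "and"):
            self._take()
            node = ("and", node, self._not())
        return node
    def _not(self):
        if self._peek() in ("!", "not"):
            self._take()
            return ("not", self._not())
        return self._primary()
    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise SyntaxError("missing closing parenthesis")
            return node
        if self._peek() in ("==", "!=", "~=", "contains"):
            op = self._take()
            return ("cmp", op, tok, self._take().strip('"'))
        return ("exists", tok)  # bare field or protocol name such as "udp"
    def matches(self, packet):
        return self._eval(self.ast, packet)
    def _eval(self, node, packet):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], packet) or self._eval(node[2], packet)
        if kind == "and":
            return self._eval(node[1], packet) and self._eval(node[2], packet)
        if kind == "not":
            return not self._eval(node[1], packet)
        if kind == "exists":
            return node[1] in packet
        _, op, field, value = node
        occurrences = packet.get(field, [])   # every occurrence of a multi-valued field
        if op == "==":
            return any(v == value for v in occurrences)
        if op == "!=":                        # Wireshark 4.0+: no occurrence equals
            return not any(v == value for v in occurrences)
        if op == "~=":                        # any_ne: some occurrence differs (pre-4.0 "!=")
            return any(v != value for v in occurrences)
        return any(value in v for v in occurrences)   # contains

def dissected(src, dst, sport, dport, proto="tcp", extra=None):
    """Constructed dissection result (field -> list of values), not a real capture."""
    packet = {"eth": [], "ip": [], proto: [], "ip.src": [src], "ip.dst": [dst],
              "ip.addr": [src, dst], proto + ".srcport": [str(sport)],
              proto + ".dstport": [str(dport)], proto + ".port": [str(sport), str(dport)]}
    packet.update(extra or {})
    return packet

PACKETS = [
    dissected("10.0.0.5", "192.0.2.10", 51234, 80, extra={"http": [], "http.request.uri": ["/login"]}),
    dissected("192.0.2.10", "10.0.0.5", 80, 51234),
    dissected("10.0.0.7", "192.0.2.10", 40000, 443),
    dissected("10.0.0.7", "10.0.0.53", 53000, 53, proto="udp"),
]

def select(expression, packets=PACKETS):
    flt = DisplayFilter(expression)   # indices of the packets left visible in the Summary window
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

The equivalent capture filter for the first case would be written in BPF syntax as host 10.0.0.5; it rejects the other packets before they are ever stored, whereas the display filter only hides them.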


Wireshark IO Graphs

Plot packets or bytes per time interval, optionally one graph per display filter, to spot bursts, gaps and retransmission storms over the course of the capture.

Follow Streams: A Telnet Session

Follow Stream reassembles both directions of one conversation and shows the application data as the endpoints saw it. Dangerous: Telnet sends everything, including usernames and passwords, in cleartext, so anyone able to capture the traffic can read the whole session this way.

Streams possible: TCP, UDP, SSL (SSL/TLS content is readable only if Wireshark has been given the session keys).
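Follow TCP Stream is a reassembly: Wireshark collects the segments of one conversation, orders each direction by sequence number, drops retransmitted bytes and presents the result as the application saw it. The added example below (written for this page; it is not Wireshark's reassembly code) does the same for a constructed Telnet-style login. Addresses, ports, sequence numbers and the credentials are made-up sample data, and the code ignores the handshake, FIN/RST and sequence-number wraparound, which a real implementation must handle.

```python
# Constructed TCP segments of a Telnet-style login, not a real capture. Each entry is
# (src_ip, src_port, dst_ip, dst_port, seq, payload); the list is deliberately out of
# order and contains one retransmission so the reassembly has work to do.
CLIENT = ("10.0.0.5", 51234)
SERVER = ("192.0.2.23", 23)
OTHER = ("10.0.0.7", 40000)

SEGMENTS = [
    SERVER + CLIENT + (1000, b"login: "),
    CLIENT + SERVER + (2001, b"lice\r\n"),                    # captured before the "a" below
    CLIENT + SERVER + (2000, b"a"),
    OTHER + ("192.0.2.10", 80) + (500, b"GET / HTTP/1.0\r\n"),  # unrelated conversation
    SERVER + CLIENT + (1007, b"Password: "),
    CLIENT + SERVER + (2007, b"hunter2"),                     # the password, in cleartext
    CLIENT + SERVER + (2007, b"hunter2"),                     # retransmission of the same bytes
    CLIENT + SERVER + (2014, b"\r\n"),
    SERVER + CLIENT + (1017, b"Last login: Tue\r\n$ "),
]

def conversation_key(src, sport, dst, dport):
    """Order-independent key so both directions fall into the same conversation
    (the role Wireshark's tcp.stream index plays)."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def follow_tcp_stream(segments, endpoint_a, endpoint_b):
    """Reassemble both directions of the conversation between two endpoints: sort by
    sequence number, drop retransmitted or overlapping bytes, mark gaps.
    Returns {(src, sport, dst, dport): bytes}, one entry per direction."""
    key = conversation_key(*endpoint_a, *endpoint_b)
    per_direction = {}
    for src, sport, dst, dport, seq, payload in segments:
        if payload and conversation_key(src, sport, dst, dport) == key:
            per_direction.setdefault((src, sport, dst, dport), []).append((seq, payload))
    streams = {}
    for direction, segs in per_direction.items():
        segs.sort()                                   # by sequence number
        data, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue                              # pure retransmission, nothing new
            if seq < expected:
                payload = payload[expected - seq:]    # partial overlap: keep only the new tail
            elif seq > expected:
                data += b"[%d bytes missing]" % (seq - expected)   # lost segment, marked like Wireshark does
            data += payload
            expected = end
        streams[direction] = bytes(data)
    return streams

def telnet_session(segments=SEGMENTS):
    """(client->server, server->client) byte streams of the constructed session."""
    streams = follow_tcp_stream(segments, CLIENT, SERVER)
    return streams.get(CLIENT + SERVER, b""), streams.get(SERVER + CLIENT, b"")

if __name__ == "__main__":
    to_server, to_client = telnet_session()
    print("server -> client:", to_client)
    print("client -> server:", to_server)   # username and password readable as typed
```

The client-to-server stream comes out as the username and password exactly as typed, which is the point of the warning on the slide; the retransmitted segment appears once, and a missing segment is marked instead of being silently joined to its neighbours.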
