Ethereal/WireShark Tutorial

Yen-Cheng Chen IM, NCNU April, 2006

Introduction 
 

Ethereal is a network packet analyzer: it captures the packets seen by a network interface and displays the captured data in as much detail as possible. Download Ethereal:
http://www.ethereal.com/download.html 

What will be captured
All packets that the interface can "hear". For a PC connected to a switch that means:
- Unicast: only frames to and from the interface itself (the switch does not forward other hosts' unicast traffic to your port)
- Multicast: e.g. RIP, IGMP
- Broadcast: e.g. ARP
To see other hosts' unicast traffic on a switched network you need a mirror (SPAN) port or a hub; promiscuous mode alone is not enough.

WireShark
The Ethereal network protocol analyzer has changed its name to Wireshark.
http://www.wireshark.org/
Download: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-1.0.3.exe
Wireshark User's Guide: http://www.wireshark.org/docs/wsug_html/

1. List available capture interfaces
2. Start a capture
3. Stop the capture

Main window: menu, main toolbar, filter toolbar, packet list pane, packet details pane, packet bytes pane, status bar.
(Traffic shown in the screenshot was generated with ipconfig /renew.)

packet list pane

Sort by source

packet details pane

packet bytes pane


Filter


Filter Expression
Examples (== and eq, && and and, || and or, ! and not are interchangeable):
  ip.src == 10.10.13.137
  ip.src eq 10.10.13.137
  ip.dst == 163.22.20.16
  ip.dst eq 163.22.20.16
  ip.src == 10.10.13.137 and ip.dst == 163.22.20.16
  ip.src == 10.10.13.137 && ip.dst == 163.22.20.16
  !(ip.src == 10.10.13.137 || ip.dst == 10.10.13.137)
  http && (ip.src == 10.10.13.137 || ip.src == 163.22.20.16)


(ip.dst == 10.10.13.137) && (ip.src == 163.22.20.16)

Follow TCP Stream


Export

No.  Time      Source        Destination   Protocol  Info
31   6.058434  10.10.13.137  163.22.20.16  HTTP      GET /~ycchen/nm/ HTTP/1.1

Frame 31 (613 bytes on wire, 613 bytes captured)
Ethernet II, Src: AsustekC_6a:ea:8d (00:13:d4:6a:ea:8d), Dst: 10.10.13.254 (00:02:ba:ab:74:2b)
Internet Protocol, Src: 10.10.13.137 (10.10.13.137), Dst: 163.22.20.16 (163.22.20.16)
Transmission Control Protocol, Src Port: 1822 (1822), Dst Port: http (80), Seq: 1, Ack: 1, Len: 559
    Source port: 1822 (1822)
    Destination port: http (80)
    Sequence number: 1 (relative sequence number)
    Next sequence number: 560 (relative sequence number)
    Acknowledgement number: 1 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 17520
    Checksum: 0xf4f3 [correct]
Hypertext Transfer Protocol
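The packet details above, reproduced by dissecting the raw bytes of a frame: it splits the Ethernet II, IPv4 and TCP headers, classifies the destination MAC as unicast, multicast or broadcast (the distinction from "What will be captured"), tells Ethernet II from 802.3 framing by the type/length field, decodes the TCP flags and verifies both checksums with the TCP pseudo-header. This is an added example, not code from the slides or from Wireshark. build_frame31() constructs a frame with the slide's addresses, ports, flags, window and lengths; the raw sequence numbers and the request headers after the request line are made up, so the checksums are computed here rather than being the slide's 0xf4f3.

```python
"""Dissect an Ethernet II / IPv4 / TCP frame into the fields the packet details
pane shows. Added example, not Wireshark code. build_frame31() constructs a
frame with the slide's addresses, ports, flags, window and lengths; the payload
beyond the request line and the raw sequence numbers are made up, so the
checksums are computed here rather than copied from the slide."""
import struct

def internet_checksum(data):
    """RFC 1071 one's-complement checksum; odd-length data is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def mac_kind(dst):
    """broadcast / multicast (I/G bit of the first octet) / unicast, as in 'What will be captured'."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def tcp_flag_names(flags):
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
    return [n for i, n in enumerate(names) if flags & (1 << i)]

def dissect(frame):
    out = {"frame.len": len(frame)}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out.update({"eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.dst_kind": mac_kind(dst)})
    if ethertype < 0x0600:               # value is a length: IEEE 802.3 framing, not Ethernet II
        out["eth.type"] = "802.3 (length %d)" % ethertype
        return out
    out["eth.type"] = "0x%04x" % ethertype
    if ethertype != 0x0800:              # only IPv4 is dissected further here
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    out.update({"ip.src": ".".join(str(b) for b in ip[12:16]),
                "ip.dst": ".".join(str(b) for b in ip[16:20]),
                "ip.ttl": ip[8], "ip.proto": proto,
                "ip.checksum_ok": internet_checksum(ip[:ihl]) == 0})
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off, flags = (off_flags >> 12) * 4, off_flags & 0x0FFF
    payload = tcp[data_off:]
    # The TCP checksum also covers a pseudo-header: src IP, dst IP, zero, protocol, TCP length
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    out.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq_raw": seq, "tcp.ack_raw": ack,
                "tcp.nxtseq_raw": (seq + len(payload)) & 0xFFFFFFFF, "tcp.hdr_len": data_off,
                "tcp.flags": "0x%04x" % flags, "tcp.flags_names": tcp_flag_names(flags),
                "tcp.window": window, "tcp.len": len(payload),
                "tcp.checksum_ok": internet_checksum(pseudo + tcp) == 0})
    if dport == 80 and payload[:4] in (b"GET ", b"POST", b"HEAD"):
        out["http.request_line"] = payload.split(b"\r\n", 1)[0].decode("ascii")
    return out

# Constructed request: the slide's request line, a Host header, and padding so the
# segment carries 559 bytes (Len: 559, next seq 560) and the frame is 613 bytes on wire
REQUEST = (b"GET /~ycchen/nm/ HTTP/1.1\r\nHost: 163.22.20.16\r\n"
           b"X-Pad: " + b"x" * 501 + b"\r\n\r\n")
assert len(REQUEST) == 559

def build_frame31(payload=REQUEST):
    """Ethernet II / IPv4 / TCP frame with frame 31's addresses, ports, flags and window."""
    eth = bytes.fromhex("0002baab742b") + bytes.fromhex("0013d46aea8d") + b"\x08\x00"
    src_ip, dst_ip = bytes([10, 10, 13, 137]), bytes([163, 22, 20, 16])
    tcp_len = 20 + len(payload)
    tcp_hdr = struct.pack("!HHIIHHHH", 1822, 80, 0x9A3C0001, 0x1F2E3D4C,   # raw seq/ack: made up
                          (5 << 12) | 0x018, 17520, 0, 0)                   # PSH+ACK, window 17520
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", internet_checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 128, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp_hdr + payload

if __name__ == "__main__":
    for k, v in dissect(build_frame31()).items():
        print("%-18s %s" % (k, v))
```

The relative sequence numbers on the slide (Seq: 1, Next: 560) are a display convenience: the dissector subtracts the initial sequence number seen in the SYN, which this example does not have, so it reports raw values and the raw next sequence number instead.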

Capture Options
Note: the capture filter entered here uses libpcap syntax (e.g. host 10.10.13.137, tcp port 80), not the display-filter syntax (ip.addr == ...) used in the filter toolbar; a capture filter discards packets before they are saved, a display filter only hides them.

Assignments
- 5 layers
- Ethernet II frame
- 802.3 frame
- Broadcast frame
Deadline: 12/17