Recommended Skills
Recommended Equipment
Windows, Linux or Mac OS to install Wireshark
Videos:
Dissectors
Wireshark uses many groups of protocol interpreters (behind the scenes) called
"dissectors." These dissectors provide the useful information that we typically see
in the details area for a capture. In this Nugget, we will take a look at how
Wireshark knows which dissector to use to interpret a specific layer of a protocol
stack, and what we can do when Wireshark doesn't know what dissector to use.
Profiles
Wireshark is used for various purposes. One day we might be doing security
application analysis, and the next day, troubleshooting latency on the network. The
customization of the columns and fields used for each type of analysis will be
different, and that is where profiles can save a bunch of time. By creating
profiles with the perfect settings for a given task, we can switch back and forth
between profiles on the fly, and not have to manually alter the settings each time
we use Wireshark. In this Nugget, Keith walks you through creating a custom
profile, and changing some of the defaults regarding the new profile. The capture
file used in this video is available in the NuggetLab download area.
Capture Filters
When gigabytes of data are flowing across the network and we need 24 hours' worth
of capture time, disk space on the Wireshark computer will likely become a problem
(even when splitting the capture over multiple files). In this Nugget, Keith walks
you through and demonstrates the use of Capture Filters in Wireshark. Capture
Filters tell Wireshark to save only the traffic you specify to the capture file;
everything else is filtered out before it is written.
The homework assignment for this video is available in the NuggetLab area.
Display Filters
Capture files can often be large and contain thousands of network conversations.
Using a Display Filter, we can tell Wireshark which packets to display, allowing
us to focus on that specific traffic. In this Nugget, Keith demonstrates the
logic, creation, and use of Display Filters. The starting profile preferences file
used in this video is available in the NuggetLab area, along with the capture file
used in this video.
Zeroing in on Conversations
Focusing on a single conversation among the thousands that may be part of a capture
file could be like looking for a needle in a haystack. Fortunately, Wireshark has
some sweet tools to assist us in following conversations. In this Nugget, Keith
walks you through four separate ways to focus on specific conversations within a
capture file. The capture file, along with the preferences file for the profile
used in this video, is available in the NuggetLab area.
Upgrading Wireshark
In this Nugget, Keith walks you through the upgrade to version 1.10. This new
version hosts a variety of new features, including auto-update, HTTP
request-response timestamps and additional display filter functionality. The two
capture files demonstrated in this video, along with the preferences file from the
profile used at the beginning of the video, are available in the NuggetLab area
for this video.
Coloring Rules
Another method to assist us in seeing and interpreting packets is to use coloring
rules for various types of packets. In this Nugget, Keith walks you through how to
determine why a color was used, and then how to change the defaults if desired.
Exporting custom color settings for portability is also discussed and
demonstrated. The profile preferences file, along with the capture file used in
this video, is available in the NuggetLab area.
Exporting
How do we get a portion of a capture file (as part of a new file or a report), into
the hands of those who need it? One solution is to use the Export feature in
Wireshark. In this Nugget, Keith walks you through the benefits and options of
exporting. The preferences file from the profile used in this video, as well as the
capture file, is available in the NuggetLab file area.
Input/Output Graphs
Identifying the protocols, hosts, subnets, etc. that are using up the most
bandwidth is easily done with IO graphs in Wireshark. In this Nugget, Keith walks
you through the creation and use of these graphs. The capture file used in this
video is available in the NuggetLab file area.
VoIP
One of the types of traffic we are likely to see in a capture file is Voice over IP
(VoIP). In this Nugget, Keith walks you through how to look at, graph and replay
voice conversations from the captured packets using Wireshark. The profile
preferences file, along with the capture file used in this video, is available via
the NuggetLab file area for this video.
IPv6
Using a protocol analyzer can shed light on what is really happening with IPv6,
including the ability to verify what is actually happening on the network compared
to what is supposed to happen. In this Nugget, Keith walks you through setting up a
test IPv6 network and then capturing and analyzing the traffic with Wireshark.
Merging of capture files is also covered in this video. The capture and config
files used in this Nugget are in the NuggetLab file area.