Network Packet Analyzer
Wireshark is an open source network packet analyzer (previously known as Ethereal). A network packet analyzer captures packets from network interfaces (NICs, etc.). Captured packets can be used to troubleshoot network problems and to analyze network security or the protocols involved. Features: it is available for both Windows and most Unix platforms; it can capture live packets from different types of network such as Ethernet, ATM and Token Ring; it can show details such as packet source and destination addresses, interface type, frame length, etc.; and it can filter captured packets according to user requirements and highlight specific packets using colouring.
Installing Wireshark on the Windows platform is straightforward: it can be installed from the installation package (.exe file). However, Wireshark needs a packet-capturing driver installed on the system, such as WinPcap for MS Windows or libpcap for Unix platforms. These must already be present on the system or be installed together with Wireshark.
3. Packet Capturing
Root/administrator privileges are generally required to capture packets on a network. To start capturing you need to select a local interface. It is possible to run multiple Wireshark instances simultaneously to capture on different interfaces at the same time.
Exercise 1: Capture live packets
1. From the Capture menu select Interfaces. The 'Capture Interfaces' dialog box displays all local interface cards (Fig. 1) that can be captured from. Before starting the capture, let's have a look at the options.
2. Select Options.
3. From the first drop-down list box, select the interface you want to capture on.
4. Check 'Capture packets in promiscuous mode' if you want to capture all packets seen on the LAN segment. Uncheck it to capture only packets to and from this specific computer.
5. In the Display Options box, uncheck the 'Hide capture info' checkbox. This will display summarised information on the captured packets.
6. Check all name resolution checkboxes. This will resolve MAC and network addresses into a more readable format.
7. Click Start to commence packet capturing.
Figure 1: Select capture interfaces.
Some network activity is required to generate packet transmission over the network interface. If an internet connection is available, simple web browsing will initiate TCP and other types of packet transmission, or a simple PING command to any LAN computer will transmit some ICMP packets. Transmitted packets will be captured and displayed in the Wireshark main window (see Fig. 2).
Figure 2: Captured packets are displayed by Wireshark
4. Filtering Packets
You might not want to capture all packets; rather, you may be interested in packets of a specific kind or for a specific destination in order to analyze a network issue. Packets can be filtered in two ways: while viewing packets and while capturing packets. Filtering by protocol type is simple. For example, to filter and display all ICMP packets, type icmp in the 'Filter' textbox in the Wireshark main window. To withdraw the filter, click the 'Clear' button beside the textbox. To filter packets based on their field values or on source or destination address, comparison operators are needed. The operators follow the 'C' programming language, but English-like equivalents can be used instead. The following table describes the available operators.

Operator   English-like   Description and example
==         eq             Equal
!=         ne             Not equal. Example: ip.addr!=126.96.36.199
>          gt             Greater than. Example: frame.pkt_len>100
<          lt             Less than. Example: frame.pkt_len<10
>=         ge             Greater than or equal. Example: frame.pkt_len ge 0x100 (here the English-like operator is used to compare the field value)
<=         le             Less than or equal. Example: frame.pkt_len<=50 (frame size is always in bytes)
&&         and            Logical AND. Example: tcp.window_size == 0 && tcp.flags.reset != 1. Here, a TCP window size of 0 while the reset flag is false means the destination's TCP buffer is full and cannot receive any more data.
||         or             Logical OR. Example: tcp.port==25 || icmp. Only SMTP packets on port 25 or ICMP packets will be displayed.
^^         xor            Logical XOR. Example: ip.src==192.168.0.1 xor ip.dst==192.168.1.10
!          not            Logical NOT. Example: !(ip.addr==192.168.0.3)
Exercise 2: Filter packets while viewing
Filter packets using the Expression dialog box (see Fig. 3):
1. Click the Expression button beside the Filter textbox.
2. Choose a protocol from 'Field name'.
3. Choose a Relation.
4. Choose a suitable Value for the protocol.
Figure 3: Packet filter by expression
A specific type of packet can also be filtered from the pop-up menu by right-clicking on a packet. To set up filtering while packets are being captured, click 'Capture Filters' from the Capture menu, select 'Filter Name' and enter a logical expression in the 'Filter string' textbox. See some more filter examples below.
Example 1: Assume we want to capture UDP packets whose payload begins with the 3-byte sequence 0x81, 0x60, 0x03. The filter will be: udp[8:3]==81:60:03
Here, to reach the UDP payload, we must skip the 8-byte UDP header. The sub-string operator [...] tells Wireshark to skip the first 8 bytes, take the subsequent 3 bytes (i.e. [8:3]) and compare them with the given value (i.e. 81:60:03).
Example 2: The first 3 bytes of any MAC address are the Organizationally Unique Identifier (OUI), which identifies the hardware manufacturer. Suppose we want to capture only packets generated by a Dell machine. Our filter expression will be: eth.addr[0:3]==00:06:5B
Here, Wireshark compares the first 3 bytes of every MAC address and captures the packet if they match the given OUI.
Example 3: The Welchia worm infects a system by first sending an ICMP echo request that is 92 bytes long and whose ICMP payload begins with four 0xAA bytes. To detect this worm our filter will be: icmp[icmptype] == icmp-echo and ip[2:2] == 92 and icmp[8:4] == 0xAAAAAAAA
5. TCP Stream
The captured packets in the Wireshark main window are displayed as a hexadecimal dump, which is not easy to read. Wireshark's built-in converter can be used to view packet contents in other formats.
Exercise 3: TCP Stream
1. Select a specific TCP packet.
2. Select Follow TCP Stream from the Analyze menu.
3. Select Entire Conversation from the drop-down list box. Note that traffic from the initiating node (i.e. the sending node) is shown in BLUE and traffic generated by the target node (i.e. the destination node) is shown in RED (see Figure 4).
4. Select any format from ASCII, EBCDIC, Hex Dump, C Arrays and Raw in the lower right corner.
5. After analysis, click Filter Out This Stream if you want to filter out such packets.
Figure 4: Following a TCP stream
Exercise 4: Using Expert Infos
Expert Infos can be used to quickly identify an error or trace unwanted network behaviour.
1. Select Expert Info from the Analyze menu.
2. Choose a Severity Filter to customize your display. By default, Chat packets are displayed in grey; they indicate usual workflow, e.g. a TCP SYN flag. Note packets are displayed in cyan; they indicate an unusual error code such as an HTTP 404 error. Warn packets are displayed in yellow; they indicate an error such as a connection problem. A packet is presented in red when there is a serious problem. All errors and warnings can also be displayed in a composite view. To do this:
3. Select Expert Info Composite from the Analyze menu.
6. Use of Statistics
Wireshark can generate a wide range of network statistics. It can produce a summary of the captured file and display the protocol hierarchy of the captured packets. It can also display the amount of traffic between two specific IP addresses (called a conversation). An IO graph can visually display traffic over a certain period of time.
Exercise 5: Statistics
1. Select Summary from the Statistics menu to display summary information on average packets/sec, average packet size, total bandwidth used and many others.
2. Select Protocol Hierarchy from the Statistics menu to display all protocols within the capture in a hierarchical view. The percentage of packets belonging to each protocol is displayed.
3. Select Conversations from the Statistics menu to analyze traffic between two IP addresses.
4. To resolve hardware MAC addresses into a readable format, make sure the Name Resolution checkbox is checked.
5. Click the IPv4 and TCP tabs to analyze conversations between different IP addresses.
6. To graphically display packet traffic, select IO Graphs from the Statistics menu.
7. Click Filter for Graph 1 and enter a filter string; repeat for Graph 2 and so on to visually analyze certain types of packet traffic.
7. Customizing Packets
The default colouring scheme can be changed to better visualise packets as they are captured. The next exercise sets a colouring rule for a worm.
Exercise 6: Colouring Rules
1. Select Coloring Rules from the View menu.
2. Click the New button and fill in the text boxes as follows:
   Name: Blaster Worm
   String: tcp.dstport == 135 && ip.len == 48
3. Select a distinguishable Background and Foreground Colour for this rule.
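As an added example (not part of the original tutorial), the following Python script decodes constructed Ethernet/IPv4 frames by hand and applies the same byte-offset tests as Examples 1 to 3 in section 4 and the Blaster colouring rule above, so you can see exactly which bytes udp[8:3], eth.addr[0:3], ip[2:2] and icmp[8:4] refer to. The sample frames, MAC address and ports are constructed for illustration and are not real captures.

```python
import struct

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 just far enough to evaluate the byte-slice filters."""
    pkt = {"eth.dst": frame[0:6], "eth.src": frame[6:12], "ip": None}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]           # this is the ip[2:2] field
    pkt["ip"] = {"len": total_len, "proto": ip[9], "l4": ip[ihl:total_len]}
    return pkt

def udp_payload_prefix(pkt: dict, prefix: bytes) -> bool:
    """Example 1 (udp[8:3]==81:60:03): skip the 8-byte UDP header, compare the payload."""
    ip = pkt["ip"]
    return ip is not None and ip["proto"] == 17 and ip["l4"][8:8 + len(prefix)] == prefix

def eth_oui(pkt: dict, oui: bytes) -> bool:
    """Example 2 (eth.addr[0:3]==00:06:5B): eth.addr matches source or destination MAC."""
    return pkt["eth.src"][0:3] == oui or pkt["eth.dst"][0:3] == oui

def welchia_probe(pkt: dict) -> bool:
    """Example 3: ICMP echo request (type 8), IP total length 92, payload starts AA AA AA AA."""
    ip = pkt["ip"]
    return (ip is not None and ip["proto"] == 1 and ip["l4"][:1] == b"\x08"
            and ip["len"] == 92 and ip["l4"][8:12] == b"\xAA" * 4)

def blaster_rule(pkt: dict) -> bool:
    """Section 7 colouring rule: TCP to destination port 135 with IP total length 48."""
    ip = pkt["ip"]
    return (ip is not None and ip["proto"] == 6 and ip["len"] == 48 and len(ip["l4"]) >= 4
            and struct.unpack("!H", ip["l4"][2:4])[0] == 135)

def build_frame(proto: int, l4: bytes, src_mac: bytes = b"\x00\x06\x5b\x01\x02\x03") -> bytes:
    """Constructed test frame: broadcast Ethernet II + minimal 20-byte IPv4 header + payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes([192, 168, 0, 1]), bytes([192, 168, 0, 10]))
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip_hdr + l4

# Constructed sample frames (not real captures), one per rule:
WELCHIA_ECHO = build_frame(1, b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"\xAA" * 64)   # 20+8+64 = 92
UDP_8160 = build_frame(17, b"\x00\x35\x00\x35\x00\x0b\x00\x00" + b"\x81\x60\x03")   # payload 81 60 03
TCP_135 = build_frame(6, b"\x04\xd2\x00\x87" + b"\x00" * 24)                        # dst port 135, 48 bytes
if __name__ == "__main__":
    for name, frame in [("welchia", WELCHIA_ECHO), ("udp", UDP_8160), ("tcp135", TCP_135)]:
        p = parse_frame(frame)
        print(name, welchia_probe(p), udp_payload_prefix(p, b"\x81\x60\x03"),
              eth_oui(p, b"\x00\x06\x5b"), blaster_rule(p))
```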