Packet Capture Basics

For internal use 1 © Nokia Siemens Networks

Non-Technical Interpretation

Data travels around your network like a train. With a packet sniffer, you get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.


Technical Representation


Ethereal/Wireshark Application
Open source protocol analyzer for Ethernet based traffic. Stand-alone tool for capture and analysis. GUI and command-line tools. New name “Wireshark”, old name “Ethereal”: same tool. In your projects you should use the latest version, which is here: http://www.wireshark.org/. Throughout this presentation the snapshots are from Ethereal, but apply as well to Wireshark.

Wireshark on Windows/Linux and WinPcap
Wireshark displays and analyses the traffic. Wireshark relies on a packet capture library to capture traffic. On Windows, we need the open source WinPcap library: http://www.winpcap.org/. On Linux/Unix, this libpcap library is normally included in the system.

Capture stack on each platform (top to bottom):
Windows:
  Wireshark – application for sniffing packets
  WinPcap packet capture library, running in user space
  Windows operating system
  WinPcap Network Packet Filter (NPF) device driver, running in kernel space
  Network card drivers
  Network Interface Card
Linux/Unix:
  Wireshark – application for sniffing packets
  libpcap packet capture library, running in user space
  Linux/Unix operating system
  Linux Socket Filter (LSF) or BSD Packet Filter (BPF), running in kernel space
  Network card drivers
  Network Interface Card

View of Ethereal/Wireshark
The main window has three panes: Packet List, Packet Details, Packet Bytes.

Packet List
Columns: Packet Order, Time Order, Source IP, Destination IP, Protocol, Information.

Packet Details
Breakdown of the Frame, the Packet, the TCP portion. Shows Source and Destination IP, and Source and Destination TCP Ports.

Packet Bytes
View of the data – Hexadecimal and Raw Data.

Running Ethereal/Wireshark (screenshot slides)

What Ethereal/Wireshark saw (screenshot slides)

Display Packet Filtering (screenshot slides)

Saving Captures
Captured Views: Range of Packets, or All Packets.
Naming is critical:
• Was it the client?
• Was it the Server?

After Filter/Save/Open (screenshot slide)

Time Column & Delta (screenshot slide)

FTP Only Filter (screenshot slide)

Follow the Stream (screenshot slides)

Advanced Display Filtering
Caveat: The display filters differ from the capture filters!
Filter for just that TCP stream
• (ip.addr == 207.46.133.140 and ip.addr == 172.17.133.56) and (tcp.port eq 21 and tcp.port eq 3511)
Filter for traffic between two hosts
• ip.addr eq 207.46.133.140 and ip.addr eq 172.17.133.56
Filter for IP Traffic and removal of other traffic
• ip and !(nbns) and !(msnms) and !(browser) and !(rip)
Exclude all traffic from and to host 207.46.133.140
• Attention, this won’t work: ip.addr != 207.46.133.140
• This will work: not ip.addr == 207.46.133.140
• For the reasons why, check out the display filter manual.

Filtering Out Traffic Of One Address
ip.addr != a.b.c.d does not filter out a.b.c.d:
  ip.src != a.b.c.d or ip.dst != a.b.c.d
not (ip.addr == a.b.c.d) filters out a.b.c.d:
  not (ip.src == a.b.c.d or ip.dst == a.b.c.d)
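The caveat on the previous slide and the expansion above can be checked with a small simulation of how Wireshark evaluates ip.addr (added example, not part of the original slides): ip.addr stands for both ip.src and ip.dst, and a comparison on it is true if it holds for either value. The packets and the 10.0.0.9 host are constructed samples.

```python
# Added example, not from the original slides: simulates how Wireshark evaluates
# "ip.addr" display filters, showing why "ip.addr != X" does not exclude host X
# while "not ip.addr == X" does. Packets and the 10.0.0.9 host are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# ip.addr is a multi-valued field covering ip.src and ip.dst; a comparison on it
# is true if it holds for ANY of the two values.
def ip_addr_eq(pkt: Packet, host: str) -> bool:
    return pkt.src == host or pkt.dst == host


def ip_addr_ne(pkt: Packet, host: str) -> bool:
    # "ip.addr != X" is (ip.src != X or ip.dst != X): true for every packet that
    # has X at only one end, so it excludes almost nothing.
    return pkt.src != host or pkt.dst != host


def not_ip_addr_eq(pkt: Packet, host: str) -> bool:
    # "not ip.addr == X" is not (ip.src == X or ip.dst == X), i.e.
    # (ip.src != X and ip.dst != X): packets with X at either end are dropped.
    return not ip_addr_eq(pkt, host)


# Constructed sample capture: two packets of a flow with the server, two without.
SERVER = "207.46.133.140"
SAMPLE = [
    Packet("172.17.133.56", SERVER),
    Packet(SERVER, "172.17.133.56"),
    Packet("172.17.133.56", "10.0.0.9"),
    Packet("10.0.0.9", "172.17.133.56"),
]


def matching(packets, predicate, host):
    """Return the packets a display filter would keep in the packet list."""
    return [p for p in packets if predicate(p, host)]


def compare_exclusion(host: str = SERVER):
    """Packets kept by the broken and by the working exclusion filter."""
    return {
        "ip.addr != host": matching(SAMPLE, ip_addr_ne, host),
        "not ip.addr == host": matching(SAMPLE, not_ip_addr_eq, host),
    }
```

Running compare_exclusion() keeps all four sample packets for the != form and only the two packets that never touch 207.46.133.140 for the not == form.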

Summary Info (screenshot slides)

Protocol Hierarchy (screenshot slide)

I/O Graphing (screenshot slide)

HTTP Breakdown (screenshot slide)
