10 Wireshark-Intro
Vincent Ryan 1
Introduction (1)
● Wireshark (formerly Ethereal)
  – Available for many platforms
  – Probably the easiest sniffer to use, great UI, etc.
● Wireshark is a “protocol genius”
  – Decodes every bit of every packet
● “Follow TCP stream” function
  – Select a TCP packet, view the entire session
Introduction (2)
● Big program
  – Can have vulnerabilities
  – Watch out for patches, and apply them
  – Be careful: attackers can craft network packets to take advantage of a vulnerability in Wireshark
  – Never capture using Wireshark (you need to be root to capture, and then an attacker could get control as root)
Wireshark Display (1)
Figure: the main window, with its Packet List pane, Packet Details pane, Packet Bytes pane and Status bar.
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html
Wireshark Display (2)
Wireshark Filters
● Wireshark has two types of filters:
  – Capture filter: used to select the data to record in the logs/pcaps. They are defined before starting the capture.
  – Display filter: used to search inside the captured logs/pcaps. They can be modified while data is being captured.
Which Filter should I use?
● The goals of the two filters are different.
● The capture filter is used as a first, coarse filter to limit the size of the captured data.
● The display filter is much more powerful (and complex); it lets you search for exactly the data you want in the captured data.
● The syntaxes of the two types of filters are completely different.
Wireshark: Capture Filter (1)
● The capture filter syntax is the same as that used by tcpdump.
  – It uses BPF notation.
Wireshark: Capture Filter (2)
● The steps to configure a capture filter are the following:
  – Select Capture -> Options.
  – Set the interface to whatever interface you are capturing on.
  – Click on the "Capture Filter" button for built-in capture filters, OR
  – Fill in the "Capture Filter" field, or click on the "Capture Filter" button to give a name to your filter so you can reuse it for subsequent captures. The syntax is the same as is used in tcpdump.
  – Click on Start to capture data.
Capture Filter (BPF) Examples
Display Filter (1)
Display Filter (2)
Display Filter (3)
● The display filter is used to search inside captured data, which was possibly obtained with a capture filter.
● Its search capabilities are more extensive than those of the capture filter.
● It is on the main screen when you start Wireshark, with the Expression button beside it.
Yellow Display Filter
● If the display filter is yellow, it means that the filter is syntactically correct, but it will probably not work as intended.
● dns.a != 192.168.2.200
● If the A record for MTU.IE includes 192.168.2.200, this will return FALSE
● A : MTU.IE : 172.16.200.12, 192.168.10.10, 192.168.2.200
● The correct way to write the filter is
● dns and not (dns.a includes 192.168.2.200)
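As an added illustration (not part of the slides), the following Python models how the two filters above treat a DNS response that carries several A records, so that the same field occurs more than once in one packet. The packets are constructed, and the meaning of `dns.a includes` is taken as the slide describes it.

```python
# Added example: legacy "dns.a != x" versus "dns and not (dns.a includes x)"
# on packets where dns.a occurs once per A record. All packets are constructed.
from ipaddress import ip_address

# "proto" lists the protocol layers present; "dns.a" lists every A record.
PACKETS = [
    {"frame": 1, "proto": {"udp", "dns"},
     "dns.a": ["172.16.200.12", "192.168.10.10", "192.168.2.200"]},  # MTU.IE, as on the slide
    {"frame": 2, "proto": {"udp", "dns"}, "dns.a": ["10.0.0.5"]},
    {"frame": 3, "proto": {"udp", "dns"}, "dns.a": []},               # a query: no answers yet
    {"frame": 4, "proto": {"tcp", "tls"}},                            # not DNS at all
]

def field_values(pkt, field):
    """Every occurrence of a field in a packet (empty if the field is absent)."""
    return [ip_address(v) for v in pkt.get(field, [])]

def any_ne(pkt, field, value):
    """Legacy '!=': true if ANY occurrence of the field differs from value,
    so a packet that also carries the unwanted address still matches."""
    return any(v != ip_address(value) for v in field_values(pkt, field))

def all_ne(pkt, field, value):
    """'not (field includes value)': true only if NO occurrence equals value."""
    return not any(v == ip_address(value) for v in field_values(pkt, field))

def matches_legacy(pkt, value):
    """dns.a != value  (the yellow filter on the slide)"""
    return any_ne(pkt, "dns.a", value)

def matches_fixed(pkt, value):
    """dns and not (dns.a includes value)"""
    return "dns" in pkt["proto"] and all_ne(pkt, "dns.a", value)

def apply_filter(pred, value):
    """Frame numbers that pass the filter, as the packet list would show them."""
    return [p["frame"] for p in PACKETS if pred(p, value)]
```

Frame 1 passes the legacy filter even though it contains 192.168.2.200, which is exactly the unintended behaviour the yellow bar warns about. Since Wireshark 3.6, `!=` has the "all not equal" meaning modelled by `all_ne` and the old any-match behaviour is written `~=`, so on current versions the rewritten form behaves the same on both.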
Display Filter Examples
What is this Display Filter doing?
Source: https://isc.sans.edu/forums/diary/RTF+files+for+Hancitor+utilize+exploit+for+CVE201711882/23271/
Follow TCP Stream
● If you are working with TCP-based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it.
  – Perhaps you are looking for passwords in a telnet stream, or you are trying to make sense of a data stream.
● Simply select a TCP packet in the packet list of the stream/connection you are interested in, and then select the Follow TCP Stream menu item from the Wireshark Analyze menu.
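As an added example (not code from the slides), here is a minimal version of what "Follow TCP Stream" does: put each direction of a connection back into sequence-number order so the bytes read as the application saw them. The segments are constructed, with one arriving out of order and one retransmitted.

```python
# Added example: reassemble both directions of a TCP conversation from
# constructed (src, dst, seq, payload) segments. Not a pcap parser.
from collections import defaultdict

CLIENT, SERVER = "10.0.0.7:51234", "10.0.0.9:23"

# Constructed telnet-style exchange in capture order: the client's "\r\n" is
# captured before the bytes at seq 2007, and "hunter2" is retransmitted.
SEGMENTS = [
    (SERVER, CLIENT, 1000, b"login: "),
    (CLIENT, SERVER, 2000, b"alice\r\n"),
    (SERVER, CLIENT, 1007, b"Password: "),
    (CLIENT, SERVER, 2014, b"\r\n"),
    (CLIENT, SERVER, 2007, b"hunter2"),
    (CLIENT, SERVER, 2007, b"hunter2"),     # retransmission: must not appear twice
    (SERVER, CLIENT, 1017, b"Welcome\r\n"),
]

def follow_tcp_stream(segments):
    """Return {(src, dst): bytes}, each direction in sequence-number order.
    Retransmitted bytes are dropped; a hole is marked with '?' so the
    application-layer view stays aligned with the sequence space."""
    by_direction = defaultdict(list)
    for src, dst, seq, data in segments:
        by_direction[(src, dst)].append((seq, data))
    streams = {}
    for direction, segs in by_direction.items():
        segs.sort(key=lambda s: s[0])
        buf, next_seq = bytearray(), segs[0][0]
        for seq, data in segs:
            end = seq + len(data)
            if end <= next_seq:
                continue                        # every byte already seen
            if seq < next_seq:
                data = data[next_seq - seq:]    # partial overlap: keep new tail
            elif seq > next_seq:
                buf += b"?" * (seq - next_seq)  # missing segment: mark the hole
            buf += data
            next_seq = end
        streams[direction] = bytes(buf)
    return streams

def as_text(streams):
    """Decode each direction for display, the way the Follow window shows it."""
    return {d: s.decode("ascii", errors="replace") for d, s in streams.items()}
```

The reassembled client side shows the login and password in the clear, which is the telnet case the slide mentions and a good reason to look for such protocols in your own captures.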
Fragmentation in Wireshark
● By default, Wireshark reassembles fragments.
● To change this default behaviour, edit the preferences: in the Edit menu, select Preferences, expand the Protocols section, select IP, and uncheck the "Reassemble fragmented IP datagrams" checkbox.
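An added example (not from the slides) of what that preference does: fragments sharing an IPv4 identification are stitched back together by offset, and only a complete datagram gets its upper layer dissected. The fragments are constructed dicts rather than parsed headers.

```python
# Added example: IPv4 fragment reassembly keyed on identification.
# "offset" is in 8-byte units and "mf" is the More Fragments flag, as in the
# IPv4 header. All fragments are constructed.
from collections import defaultdict

# One 40-byte datagram split in three fragments, delivered out of order, plus a
# second datagram whose final fragment never arrives.
FRAGMENTS = [
    {"ident": 0x1A2B, "offset": 2, "mf": True,  "data": b"B" * 16},
    {"ident": 0x1A2B, "offset": 0, "mf": True,  "data": b"A" * 16},
    {"ident": 0x1A2B, "offset": 4, "mf": False, "data": b"C" * 8},
    {"ident": 0x1A2C, "offset": 0, "mf": True,  "data": b"X" * 8},
]

def reassemble(fragments):
    """Return (complete, pending): complete maps ident -> payload for datagrams
    whose fragments are all present and contiguous; pending holds idents still
    waiting for data. With reassembly turned off in Wireshark, every fragment
    is listed on its own and the upper-layer protocol is not dissected."""
    groups = defaultdict(list)
    for f in fragments:
        groups[f["ident"]].append(f)
    complete, pending = {}, set()
    for ident, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        buf, expected, finished = bytearray(), 0, False
        for f in frags:
            if f["offset"] * 8 != expected:
                break                       # hole or overlap: cannot finish yet
            buf += f["data"]
            expected += len(f["data"])
            if not f["mf"]:
                finished = True             # last fragment seen, nothing beyond it
                break
        if finished:
            complete[ident] = bytes(buf)
        else:
            pending.add(ident)
    return complete, pending
```

Overlapping fragments are treated here as unreassemblable; real stacks resolve overlaps in different ways, which is why Wireshark flags them and why its reassembled view should be compared with what the endpoint actually accepted.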
Colouring rules (1)
Colouring Rules (2)
Colouring Rules (3)
• Colouring rules colour a packet if the rule, expressed in Display Filter syntax, is matched.
• Colouring rules can be created, deleted, moved up and down, disabled, imported, exported or reset to default (Cleared).
• Rule precedence: the rules are evaluated from the top to the bottom of the list. When a rule is matched, the evaluation finishes for that packet.
• Now let’s disable a very annoying one: Checksum errors (most of the time this is a false positive caused by the TCP/UDP checksum offloading settings of your network adapter).
• To disable it, simply select it and then press the Disable button. A line will appear across it marking that the rule is disabled. It is better to disable rules than to delete them!
Columns
• Columns are fundamental to viewing the traffic you captured.
• The default column set is not always appropriate for the analysis of all the problems you want to analyse.
• So it is possible to define custom columns, resize them and re-arrange them as you like.
• Clicking on a column sorts the data in ascending or descending order: this feature is particularly useful when you order the capture by “Seconds since previous captured/displayed packet”.
• A custom column definition needs the field name you want to display: the same field name you use in the Display Filter syntax.
How to define a custom column
Useful columns to add
• The columns you add depend on the traffic you are going to analyse. You may want to create different configuration profiles for different situations and define a different column set in every profile.
• You can reposition the columns, delete them or simply hide them.
• A couple of useful columns to add in all circumstances are tcp.stream and tcp.window_size_value. The first is useful to distinguish between TCP streams and the other to spot Window Size 0 conditions.
Wireshark Statistics
Packet Statistics (1)
Protocol Hierarchy
CSED702D: Internet Traffic Monitoring and Analysis
Packet Statistics (2)
Conversation
Traffic between two specific endpoints
Packet Statistics (3)
I/O Graph
Packet Statistics (4)
I/O Graph : User configurable graph of the packets.
Packet Statistics (5)
Configurable Options
I/O Graphs
• Graph 1-5: enable the specific graph 1-5 (graph 1 by default)
• Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
• Style: the style of the graph (Line/Impulse/FBar/Dot)
X Axis
• Tick interval: how long an interval in the x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
• Pixels per tick: use 10/5/2/1 pixels per tick interval
• View as time of day: option to view x direction labels as time of day instead of seconds or minutes since the beginning of the capture
Y Axis
• Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
• Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, ...)
Packet Statistics (6)
I/O Graph
Wireshark Decoding (1)
Consider the picture below
Wireshark dissects this as SSH traffic, but is it really?
Wireshark Decoding (2)
Here we see a proper SSH capture. We get more details for the individual SSH packets. So that first capture, on the previous slide, is probably not SSH.
Source: https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/
Wireshark Decoding (3) : Decode As
Wireshark will try to decode protocols based on several criteria, one of them being the port number. If the port is 22, Wireshark will try to decode the traffic as SSH, even if it is not SSH.
The traffic in the first capture is actually TLS. To get Wireshark to decode this traffic as SSL/TLS, you right-click a packet and select "Decode As...". Then you configure Wireshark to decode traffic on port 22 as SSL:
Source: https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/
Wireshark Decoding (5) : Recognising TLS
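As an added example (not code from the slides or the SANS diary), the check below covers the "Decode As" and "Recognising TLS" slides together: it classifies the first bytes a peer sends as SSH or TLS regardless of port, so you can tell when Wireshark's port-based choice needs overriding. The sample payloads are constructed.

```python
# Added example: recognise SSH or TLS from the first payload bytes, independent
# of the TCP port that Wireshark keys its default dissector on.

# Constructed samples: an SSH identification string and the start of a TLS
# ClientHello record (content type 0x16, record version 3.1, handshake type 1).
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_HELLO = bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 32

PORT_DEFAULT = {22: "ssh", 443: "tls"}   # the port-based choice the slide describes

def classify_payload(data: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' from the first bytes a peer sends."""
    if data.startswith(b"SSH-"):             # RFC 4253 version exchange line
        return "ssh"
    if len(data) >= 6 and data[0] == 0x16:   # TLS record, content type handshake
        major, minor = data[1], data[2]
        rec_len = int.from_bytes(data[3:5], "big")
        hs_type = data[5]                    # 1 = ClientHello, 2 = ServerHello
        # record versions 3.0-3.4 cover SSL 3.0 to TLS 1.3 (1.3 still sends 3.1/3.3)
        if major == 3 and minor <= 4 and rec_len >= 4 and hs_type in (1, 2):
            return "tls"
    return "unknown"

def decode_as_needed(port: int, data: bytes) -> bool:
    """True when the bytes contradict the dissector Wireshark picks from the
    port, i.e. when "Decode As..." is required to see the real protocol."""
    seen = classify_payload(data)
    return seen != "unknown" and seen != PORT_DEFAULT.get(port)
```

With TLS on port 22, as in the diary's capture, `decode_as_needed(22, ...)` is true; on a real SSH session on port 22 the port-based default already agrees with the bytes.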