Wireshark

Vincent Ryan 1
Introduction (1)

Wireshark (formerly Ethereal)
– Available for many platforms
– Probably easiest sniffer to use, great UI, etc.

Wireshark is a “protocol genius”
– Decodes every bit of every packet

“Follow TCP stream” function
– Select a TCP packet, view entire session

Introduction (2)

Big Program
– Can have vulnerabilities
– Watch out for patches, and apply them
– Be careful: attackers can craft network packets to take
advantage of a vulnerability in a Wireshark dissector
– Do not run the Wireshark GUI as root. Capture with tcpdump
or with dumpcap (Wireshark's own capture helper, which can be
given the capture privilege on its own), then open the pcap in
Wireshark as an unprivileged user. A crafted packet that
triggers a dissector bug then cannot hand an attacker root.

Wireshark Display (1)

Figure: the main window is divided into the Packet List pane,
the Packet Details pane, the Packet Bytes pane and the Status Bar.
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html
Wireshark Display (2)

You can change the default layout if you wish

Wireshark Filters


Has two types of filters:
– Capture filter: Used to select the data to record in
the logs/pcaps. They are defined before starting
the capture
– Display filter: Used to search inside the captured
logs/pcaps. They can be modified while data is
captured.

Which Filter should I use?


The goals of the two filters are different.

The capture filter is used as a first large filter to limit
the size of captured data

The display filter is much more powerful (and
complex); it will permit you to search for exactly the
data you want in the captured data.

The syntaxes of the two types of filters are
completely different.

Wireshark: Capture Filter (1)


The capture filter syntax is the same as that used by
tcpdump.
– It uses BPF notation

Wireshark: Capture Filter (2)


The steps to configure a capture filter are the following:
– Select Capture -> Options.
– Set the interface to whatever interface you are capturing on.
– Click on the "Capture Filter" button to pick one of the built-in capture filters,
OR
– Fill in the "Capture Filter" field, or click on the "Capture Filter"
button to give your filter a name so it can be reused in subsequent
captures. The syntax is the same as is used in tcpdump.
– Click on Start to capture data.

Capture Filter (BPF) Examples

tcp and dst port 3128
– Captures TCP packets with destination TCP port 3128.

ip and src host 10.1.1.1
– Captures IP packets with source IP address 10.1.1.1.

src host 10.7.2.12 and not dst net 10.200.0.0/16
– Captures packets with source IP address 10.7.2.12 whose
destination is not in the network 10.200.0.0/16.

Display Filter (1)

Display Filter (2)

• The Display filter (also called post-filter) filters the view
of what you are seeing. All packets in the capture still
exist in the trace.
• Display filters use their own syntax and are much more
powerful than capture filters.
• If the filter syntax is correct, the filter bar is highlighted in
green; if there is a syntax mistake it is highlighted in red.

Figure: a display filter with correct syntax, shown in green.

Display Filter (3)


The display filter is used to search inside captured
data, which may itself have been reduced by a capture filter.

Its search capabilities are more extensive than those
of the capture filter.

It is on the main screen when you start Wireshark, with
an Expression button beside it for building filters interactively.

Yellow Display Filter

If the display filter bar is yellow, the filter is
syntactically correct but will probably not work as
intended.

dns.a != 192.168.2.200

A DNS response can carry several dns.a values (one per A
record). With the traditional "any not equal" meaning of !=,
this filter is TRUE as soon as one of the addresses differs
from 192.168.2.200, so a response that includes that address
is still displayed:

A : MTU.IE : 172.16.200.12, 192.168.10.10,
192.168.2.200

The correct way to write the filter is

dns and not (dns.a == 192.168.2.200)

which is false as soon as any occurrence of dns.a equals
192.168.2.200. Note that Wireshark 3.6 and later changed != to
mean "all not equal", so the original filter now behaves as
intended there; the explicit form above works the same way in
every version, which is why it is the one to use.

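The two readings of != on a multi-valued field, evaluated over a few constructed DNS responses. This is an added example and not Wireshark code; packets are modelled as dicts mapping a field name to the list of its occurrences, and the function names are hypothetical.

```python
# Added example: how '!=' behaves on a field that occurs several times in one
# packet (e.g. dns.a, one value per A record). Packets are constructed here and
# modelled as dicts mapping a field name to the list of its occurrences.
PACKETS = [
    {"frame": 1, "dns.qry.name": ["MTU.IE"],
     "dns.a": ["172.16.200.12", "192.168.10.10", "192.168.2.200"]},
    {"frame": 2, "dns.qry.name": ["example.test"], "dns.a": ["10.0.0.5"]},
    {"frame": 3, "dns.qry.name": ["only.test"], "dns.a": ["192.168.2.200"]},
]


def any_not_equal(pkt, field, value):
    """'Any not equal': true if at least one occurrence differs from value.
    This is what the yellow-flagged 'dns.a != x' meant in older Wireshark
    (spelled any_ne in Wireshark 3.6 and later)."""
    return any(v != value for v in pkt.get(field, []))


def all_not_equal(pkt, field, value):
    """'All not equal': true only if no occurrence equals value.
    Equivalent to 'not (dns.a == x)', and to '!=' in Wireshark 3.6 and later."""
    return not any(v == value for v in pkt.get(field, []))


def displayed(predicate, field, value, packets=PACKETS):
    """Frame numbers that a filter built from predicate would leave visible."""
    return [p["frame"] for p in packets if predicate(p, field, value)]


if __name__ == "__main__":
    # Frame 1 contains 192.168.2.200 yet survives the 'any' reading.
    print("any_ne :", displayed(any_not_equal, "dns.a", "192.168.2.200"))  # [1, 2]
    print("all_ne :", displayed(all_not_equal, "dns.a", "192.168.2.200"))  # [2]
```

Frame 1 is the MTU.IE response from the slide: it carries the address the analyst wanted to exclude, but two of its three A records differ, so the "any" reading keeps it on screen. Only the "all" reading (or the explicit `not (dns.a == ...)`) removes it.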
Display Filter Examples

snmp || dns || icmp
– Displays SNMP, DNS or ICMP traffic.

ip.addr == 10.1.1.1
– Displays the packets with source or destination IP
address 10.1.1.1.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
– Displays the packets with a source IP address
different from 10.1.2.3 or with a destination IP address different
from 10.4.5.6.

What is this Display Filter doing?

Source: https://isc.sans.edu/forums/diary/RTF+files+for+Hancitor+utilize+exploit+for+CVE201711882/23271/
Follow TCP Stream


If you are working with TCP based protocols it can be
very helpful to see the data from a TCP stream in the
way that the application layer sees it.
– Perhaps you are looking for passwords in a telnet
stream, or you are trying to make sense of a data
stream.

Simply select a TCP packet in the packet list of the
stream/connection you are interested in, and then
select Analyze -> Follow -> TCP Stream (Analyze ->
Follow TCP Stream in older versions).

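What "Follow TCP Stream" does underneath is reorder each direction's segments by sequence number, drop retransmitted bytes and concatenate the payloads. The following is an added example of that reassembly, not Wireshark's code; the telnet-style segments, addresses and sequence numbers are constructed, and the names Segment, reassemble and follow_stream are hypothetical.

```python
# Added example: rebuild both directions of one TCP conversation from segments
# that were captured out of order and with a retransmission. The segments,
# endpoints and sequence numbers below are constructed for illustration.
from collections import namedtuple

Segment = namedtuple("Segment", "src dst seq payload")

CLIENT, SERVER = "10.1.1.5:51234", "10.1.1.9:23"
SEGMENTS = [
    Segment(SERVER, CLIENT, 5000, b"login: "),
    Segment(CLIENT, SERVER, 1000, b"alice\r\n"),
    Segment(SERVER, CLIENT, 5007, b"Password: "),
    Segment(CLIENT, SERVER, 1013, b"2\r\n"),     # arrives before the bytes that precede it
    Segment(CLIENT, SERVER, 1007, b"hunter"),
    Segment(CLIENT, SERVER, 1007, b"hunter"),    # retransmission of the same bytes
    Segment(SERVER, CLIENT, 5017, b"Welcome\r\n"),
]


def reassemble(segments, src, dst):
    """Application data flowing src -> dst, in sequence order.
    Returns (data, gaps); gaps lists (from_seq, to_seq) ranges never captured."""
    flow = sorted((s for s in segments if s.src == src and s.dst == dst),
                  key=lambda s: s.seq)
    if not flow:
        return b"", []
    out, gaps = bytearray(), []
    expected = flow[0].seq                      # next sequence number we need
    for s in flow:
        end = s.seq + len(s.payload)
        if end <= expected:                     # pure retransmission: already have it
            continue
        if s.seq > expected:                    # missing bytes: record, do not paper over
            gaps.append((expected, s.seq))
            expected = s.seq
        out += s.payload[expected - s.seq:]     # trim any overlapping prefix
        expected = end
    return bytes(out), gaps


def follow_stream(segments, client, server):
    """Both directions, like the 'Entire conversation' view."""
    c2s, cgaps = reassemble(segments, client, server)
    s2c, sgaps = reassemble(segments, server, client)
    return {"client_to_server": c2s, "server_to_client": s2c,
            "gaps": cgaps + sgaps}


if __name__ == "__main__":
    conv = follow_stream(SEGMENTS, CLIENT, SERVER)
    print(conv["client_to_server"])   # b'alice\r\nhunter2\r\n'  (the password, in clear)
    print(conv["server_to_client"])   # b'login: Password: Welcome\r\n'
```

Gaps are reported rather than silently joined: a capture that missed a segment would otherwise present two unrelated pieces of data as contiguous.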
Fragmentation in
Wireshark

By default, Wireshark reassembles IP fragments into the
original datagram before dissecting it.

To change this default behaviour edit the preferences.
In the Edit menu, select Preferences, expand the
Protocols section, select IP (IPv4 in current versions), and uncheck the
Reassemble fragmented IP datagrams checkbox.

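The reassembly that this preference switches on, written out as an added example (not Wireshark's implementation). It groups fragments by the usual key, rebuilds the datagram, and additionally reports overlapping fragments, which matter because different operating systems resolve overlaps differently and attackers use that to slip payloads past inspection. All fragments, addresses and IDs are constructed; Fragment and reassemble are hypothetical names.

```python
# Added example: IPv4 fragment reassembly of the kind Wireshark performs when
# "Reassemble fragmented IP datagrams" is enabled, plus detection of overlapping
# fragments. Every fragment below is constructed for illustration.
from collections import defaultdict, namedtuple

# offset is in bytes (the header field counts 8-byte units); mf = More Fragments
Fragment = namedtuple("Fragment", "src dst ident proto offset mf payload")

FRAGMENTS = [
    # datagram 0x1234: a 28-byte payload split in two, last fragment captured first
    Fragment("10.1.1.5", "10.1.1.9", 0x1234, 6, 16, False, b"HTTP/1.0\r\n\r\n"),
    Fragment("10.1.1.5", "10.1.1.9", 0x1234, 6, 0, True, b"GET /index.html "),
    # datagram 0x1235: the third fragment re-covers bytes 8..16 with new content
    Fragment("10.1.1.5", "10.1.1.9", 0x1235, 6, 0, True, b"AAAAAAAA"),
    Fragment("10.1.1.5", "10.1.1.9", 0x1235, 6, 8, True, b"BBBBBBBB"),
    Fragment("10.1.1.5", "10.1.1.9", 0x1235, 6, 8, False, b"XXXXXXXX"),
]


def _contiguous(ranges, total):
    """True if the byte ranges cover [0, total) without holes."""
    pos = 0
    for start, end in sorted(ranges):
        if start > pos:
            return False
        pos = max(pos, end)
    return pos >= total


def reassemble(fragments):
    """Group fragments by (src, dst, id, proto) and rebuild each datagram.
    Returns {key: {"data": bytes or None, "complete": bool, "overlaps": [...]}}."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ident, f.proto)].append(f)
    out = {}
    for key, parts in groups.items():
        buf, covered, overlaps, total = bytearray(), [], [], None
        for f in sorted(parts, key=lambda f: f.offset):
            start, end = f.offset, f.offset + len(f.payload)
            for a, b in covered:
                if start < b and a < end:            # intersects an earlier fragment
                    overlaps.append((max(start, a), min(end, b)))
            if end > len(buf):
                buf.extend(b"\x00" * (end - len(buf)))
            buf[start:end] = f.payload               # policy here: later fragment wins
            covered.append((start, end))
            if not f.mf:                              # last fragment fixes the total length
                total = end
        complete = total is not None and _contiguous(covered, total)
        out[key] = {"data": bytes(buf[:total]) if complete else None,
                    "complete": complete, "overlaps": overlaps}
    return out


if __name__ == "__main__":
    for key, d in reassemble(FRAGMENTS).items():
        print(hex(key[2]), d["complete"], d["overlaps"], d["data"])
```

The "later fragment wins" rule is a choice, not a standard: some stacks prefer the first copy, so the bytes an IDS or Wireshark reconstructs may not be the bytes the target host actually processed. Any non-empty overlaps list therefore deserves a closer look.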
Colouring rules (1)

• The Colouring Rules will help you to better
understand the trace file: you will be able to
display different kinds of packets in different
colours.

• You can manage them via the View ->
Coloring Rules… menu.

Colouring Rules (2)

Colouring Rules (3)
• Colouring rules colour a packet if the rule, expressed with Display
Filter syntax, is matched.
• Colouring rules can be created, deleted, moved up and down,
disabled, imported, exported or reset to default (Cleared).
• Rule precedence: the rules are evaluated from the top to the bottom
of the list. When a rule is matched the evaluation finishes for that
packet.
• Now let’s disable a very annoying one: Checksum errors. Most of the
time this is a false positive: with checksum offloading enabled, the
sending host hands the packet to the capture before the network adapter
has filled in the TCP/UDP checksum, so packets captured on the sender
show bad checksums even though they leave the wire intact.
• To disable it simply select it and then press the disable button. A line
will appear on it marking that the rule is disabled. It is better to
disable rules than delete them!

Columns
• Columns are fundamental to viewing the traffic you
captured.
• The default column set is not always appropriate for
the analysis of every problem you want to analyse.
• So it is possible to define custom columns, resize
them and re-arrange them as you like.
• Clicking on a column sorts the data in
ascending or descending order: this feature is
particularly useful when you order the capture by
“Seconds since previous captured/displayed packet”.
• A custom column definition needs the field name you
want to display: the same field name you use in the
Display Filter syntax.
How to define a custom column

1 Click on Edit -> Preferences -> Column section.
2 Click the button.
3 Select Custom from the Field Type drop down.
4 Enter the field that you want to display in the
column in the “Field name” field.
5 Click on the title of the column and name it,
then press and then

Useful columns to add
• The columns you add depend on the traffic you
are going to analyse. You may want to create
different configuration profiles for different
situations and define a different column set in
every profile.
• You can reposition the columns, delete them or
simply hide them.
• A couple of useful columns to add in all
circumstances are tcp.stream and
tcp.window_size_value. The first is useful to
distinguish between TCP streams and the other
to spot Window Size 0 conditions.

Wireshark Statistics

• Select the Statistics -> Protocol Hierarchy menu option.

• Displays statistics about the pcap.
• In the screenshot, all the frames are Ethernet (Local Area Network) frames,
and at the transport layer most of the packets are TCP, but some are UDP.

Packet Statistics (1)
• Protocol Hierarchy

CSED702D: Internet Traffic Monitoring and Analysis
Packet Statistics (2)
• Conversation
• Traffic between two specific endpoints

Packet Statistics (3)
• I/O Graph

Packet Statistics (4)
• I/O Graph: user-configurable graph of the packets.

Packet Statistics (5)
• Configurable Options
• I/O Graphs
– Graph 1-5: enable the specific graph 1-5 (graph 1 by default)
– Filter: a display filter for this graph (only the packets that pass this filter
will be taken into account for this graph)
– Style: the style of the graph (Line/Impulse/FBar/Dot)
• X Axis
– Tick interval: how long one interval in the x direction lasts
(10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
– Pixels per tick: use 10/5/2/1 pixels per tick interval
– View as time of day: option to view x direction labels as time of day
instead of seconds or minutes since the beginning of the capture
• Y Axis
– Unit: the unit for the y direction
(Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
– Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, ...)

Packet Statistics (6)
• I/O Graph

Wireshark Decoding (1)
Consider the picture below.
Wireshark dissects this as SSH traffic, but is it really?

Wireshark Decoding (2)
Here, we see a proper SSH capture. We get more details for
the individual SSH packets. So that first capture, on the
previous slide, is probably not SSH.

Source: https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/
Wireshark Decoding (3) : Decode As
Wireshark chooses a dissector based on several criteria, one of
them being the port number. If the port is 22, Wireshark will try to decode the
traffic as SSH, even if it is not SSH.
The traffic in the first capture is actually TLS. To get Wireshark to decode
this traffic as SSL/TLS, you right-click a packet and select "Decode As...".
Then you configure Wireshark to decode traffic with port 22 as SSL/TLS:

Source: https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/

Wireshark Decoding (4)

Then, we get traffic that is properly decoded:

Source: https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/
Wireshark Decoding (5) : Recognising TLS

Note: Recognising SSL/TLS

As SSL/TLS becomes ubiquitous, you can expect to find
SSL/TLS traffic on non-standard ports.

There are a couple of tricks to recognise SSL/TLS traffic:

you might see a domain name or strings from the certificate
in the first packets (with TLS 1.3 the certificate is encrypted,
but the server name in the ClientHello is still in clear),
OR
if you look at the raw bytes, take a look at the second and third
byte of the TCP payload at the start of each record. If these bytes are
03 00, or 03 01, or 03 02, or 03 03, or 03 04, then you
are most likely dealing with SSL/TLS traffic.
(These values represent the SSL/TLS version: SSL 3.0,
TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3.) The first byte is the
record content type (0x16 handshake, 0x17 application data,
0x15 alert, 0x14 change cipher spec), and the two bytes after
the version are the record length.

Caveats: a TLS record can span several TCP segments, so only
the segment that carries the start of a record has this header;
and TLS 1.3 still writes 03 03 (and 03 01 in the first ClientHello)
in the record header for compatibility, so 03 04 is rarely seen on
the wire even for TLS 1.3 connections.

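The byte check above, together with the SSH banner check that separates the genuine SSH capture from the TLS-on-port-22 capture in the Decode As slides, as an added example. It is not Wireshark's dissector logic; the sample payloads are constructed, and tls_record_header, classify and decode_as_hints are hypothetical names.

```python
# Added example: recognise TLS or SSH from the first bytes of a TCP payload,
# independent of the port. Not Wireshark code; the sample payloads are constructed.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MAX_RECORD = 16384 + 2048          # largest legal TLS record body (RFC 5246, 6.2.3)


def tls_record_header(payload):
    """Return (content type, version, body length) when payload starts with a
    plausible TLS record header: type byte, the two version bytes the slide
    describes, then a 16-bit length. Returns None otherwise."""
    if len(payload) < 5:
        return None
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    if length == 0 or length > MAX_RECORD:
        return None
    return TLS_CONTENT_TYPES[ctype], TLS_VERSIONS[version], length


def classify(payload):
    """'ssh' for an RFC 4253 identification string, 'tls' for a record header,
    otherwise 'unknown'. Only the segment carrying the start of a record or the
    banner can be classified; continuation segments come back 'unknown'."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if tls_record_header(payload) is not None:
        return "tls"
    return "unknown"


# Constructed sample segments: (destination port, first bytes of the TCP payload)
SAMPLES = [
    (22, b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"),   # ClientHello on port 22
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                         # genuine SSH banner
    (443, b"\x17\x03\x03\x00\x10" + bytes(16)),               # TLS 1.3 data still says 03 03
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def decode_as_hints(samples):
    """(port, protocol seen) per segment; a protocol that does not match the
    well-known port is the cue to use Decode As... in Wireshark."""
    return [(port, classify(data)) for port, data in samples]


if __name__ == "__main__":
    for port, proto in decode_as_hints(SAMPLES):
        print(f"port {port:>3}: {proto}")
```

The first sample is the situation from the slides: port 22 carrying a TLS handshake record, which this check flags as "tls" while Wireshark's port heuristic would pick the SSH dissector. The third sample shows the TLS 1.3 caveat from the note: the record header still reads 03 03.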