Wireshark Tutorial - University Of Georgia

Wireshark Tutorial
Chris Neasbitt
UGA Dept. of Computer Science

Contents
Introduction – What is a network trace? What is Wireshark?
Basic UI – Some of the most useful parts of the UI.
Packet Capture – How do we capture packets?
Trace Analysis
Individual Packet Analysis
Filters
Exercises

Introduction
Network Traffic Trace
A recording of the network packets both received by and transmitted from a network interface.
What is a pcap file?
pcap = Packet Capture. File format originally designed for tcpdump/libpcap. Most widely used packet capture format. (Wireshark itself saves in the newer pcapng format by default; choose pcap explicitly in the save dialog when another tool expects the classic format.)

Introduction
What is Wireshark?
A graphical network packet analyser. Found at http://www.wireshark.org, where the complete user guide is also published.
What are some of its uses?
Troubleshoot network problems.
Learn network protocol internals.
Debug protocol/program implementations.
Examine network-related security issues.

Basic UI

Basic UI
File - Open
Opens a packet capture file.
View - Time Display Format
Change the format of the packet timestamps in the packet list pane. Switch between absolute and relative timestamps. Change level of precision.
View - Name Resolution
Allow Wireshark to resolve names from addresses at different protocol layers (MAC vendor, IP host name, transport port). Network-layer name resolution can send DNS queries from the analysis machine for every address in the trace, which tells the network which hosts you are looking at; leave it off when analysing a capture from a sensitive environment.

Basic UI
Capture - Interfaces
Available network interfaces for capture.
Total packets per interface.
Packet rate per interface.

Basic UI
Capture - Options
Set various capture parameters.
Promiscuous mode
On – record all packets reaching the interface, including frames addressed to other hosts.
Off – record only those packets directed to the host (plus the broadcast and multicast frames the NIC accepts anyway).
Promiscuous mode only records what the network actually delivers to the interface: on a switched network that is mostly the host's own traffic unless the capture port is a SPAN/mirror port or is fed by a tap.

Basic UI
Analyze - Follow TCP Stream
Applies a filter to follow a single TCP conversation within the trace.
Displays the reassembled data section of each packet in the conversation, concatenated in order for each direction.
Useful for debugging or analyzing any TCP based application layer protocol: HTTP, FTP, SSH, LDAP, SMTP, etc. For encrypted protocols such as SSH only the cleartext part of the exchange (version banner and key exchange) is readable; everything after that appears as ciphertext.

Basic UI
Statistics - Protocol Hierarchy
Presents descriptive statistics per protocol.
Useful for determining the types, amounts, and relative proportions of protocols within a trace.

Basic UI
Statistics - Conversations
Generates descriptive statistics about each conversation for each protocol in the trace.
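The pcap layout described in the Introduction and the two statistics windows above (Protocol Hierarchy and Conversations) reduced to code. This is an added example, not code from the tutorial or from Wireshark: a pure-Python reader for classic little-endian pcap files that decodes Ethernet/IPv4/TCP/UDP and then computes packets per protocol and the busiest IPv4 address pair. The capture it reads is constructed in memory by build_sample_pcap() from hypothetical frames (addresses, ports and payloads are made up), and the HTTP detection is a deliberate simplification: it sniffs the first bytes of the TCP payload instead of running a real dissector.

```python
"""Minimal classic-pcap reader with Protocol Hierarchy / Conversations statistics.

Added example, not the tutorial's code. Assumptions (for illustration only):
link type 1 (Ethernet), IPv4 without options or fragmentation, no VLAN
tags, and the little-endian microsecond pcap magic. The capture is built in
memory from hypothetical frames so the script runs offline.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ipv4_header(src, dst, proto, payload_len):
    # 20-byte IPv4 header; checksum left at zero because nothing transmits it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, _ip_bytes(src), _ip_bytes(dst))


def build_sample_pcap(frames):
    """Serialize (src, dst, proto, payload) tuples as a pcap file image.

    Each tuple becomes Ethernet/IPv4/{TCP,UDP}; TCP frames use ports
    40000 -> 80, UDP frames 40000 -> 53 (hypothetical values).
    """
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    ts_sec = 1_700_000_000
    for i, (src, dst, proto, payload) in enumerate(frames):
        if proto == IPPROTO_TCP:   # sport, dport, seq, ack, offset, flags, win, csum, urg
            l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        else:                      # sport, dport, length, csum
            l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
        l4 += payload
        eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
               + struct.pack("!H", ETHERTYPE_IPV4))
        pkt = eth + _ipv4_header(src, dst, proto, len(l4)) + l4
        # Record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts_sec, i * 1000, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per record: ts, src, dst, proto, length, payload."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic %#x (pcapng or big-endian?)" % magic)
    (linktype,) = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue   # non-IPv4 frames are skipped in this example
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto_num = ip[9]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        l4 = ip[ihl:]
        if proto_num == IPPROTO_TCP:
            name, payload = "tcp", l4[(l4[12] >> 4) * 4:]
        elif proto_num == IPPROTO_UDP:
            name, payload = "udp", l4[8:]
        else:
            name, payload = "ip", l4
        # Wireshark's Protocol column shows the highest layer it can dissect.
        # Crude stand-in for the HTTP dissector: sniff the payload prefix.
        if name == "tcp" and payload[:4] in (b"GET ", b"POST", b"HTTP"):
            name = "http"
        yield {"ts": ts_sec + ts_usec / 1e6, "src": src, "dst": dst,
               "proto": name, "length": orig_len, "payload": payload}


def protocol_hierarchy(pkts):
    """Statistics - Protocol Hierarchy, reduced to packets per top-level protocol."""
    return Counter(p["proto"] for p in pkts)


def top_conversation(pkts):
    """Statistics - Conversations (IPv4): the address pair with the most packets."""
    pairs = Counter(tuple(sorted((p["src"], p["dst"]))) for p in pkts)
    return pairs.most_common(1)[0]


def count_http_posts(pkts):
    """Exercise-style question: how many HTTP POST requests does the trace hold?"""
    return sum(1 for p in pkts if p["payload"].startswith(b"POST "))


SAMPLE_FRAMES = [   # constructed traffic, not the tutorial's trace
    ("10.0.2.15", "93.184.216.34", IPPROTO_TCP, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("93.184.216.34", "10.0.2.15", IPPROTO_TCP, b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"),
    ("10.0.2.15", "93.184.216.34", IPPROTO_TCP, b"POST /login HTTP/1.1\r\n\r\nuser=a&pass=b"),
    ("93.184.216.34", "10.0.2.15", IPPROTO_TCP, b""),                    # bare ACK
    ("10.0.2.15", "10.0.2.3", IPPROTO_UDP, b"\x12\x34\x01\x00" + b"\x00" * 8),  # DNS-shaped
]
SAMPLE_PCAP = build_sample_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    print("protocol hierarchy:", dict(protocol_hierarchy(pkts)))
    print("busiest conversation:", top_conversation(pkts))
    print("HTTP POST requests:", count_http_posts(pkts))
```

Run it directly to print the three results; it depends only on the standard library. The magic-number check is the part worth keeping in any real tool: a file Wireshark saved with its default settings is pcapng and starts with a different block header, which this reader rejects instead of misparsing.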

Basic UI
Statistics - Flow Graph
Generates a sequence graph for the selected traffic.
Useful for understanding seq. and ack. calculations.

Packet Capture
Interface selection
Capture - Interfaces
Select the interface from which to capture packets.
any – captures from all interfaces (Linux only; frames are recorded with a "Linux cooked" pseudo-header in place of their Ethernet header).
lo – captures from the loopback interface (i.e. from localhost).
Set the desired capture parameters under the options menu.
Start Capture
Click the start button next to the desired interface.
Captured traffic will be displayed in the packet list pane.

Packet Capture
Stop Capture
Select Capture - Stop.
Saving Capture
Once the capture has been stopped select File - Save As.
From the save dialog you can specify the file type and which packets to save via the packet range menu.

Trace Analysis

Trace Analysis
Packet list
Displays all of the packets in the trace in the order they were recorded.
Columns
Time – the timestamp at which the packet crossed the interface.
Source – the originating host of the packet.
Destination – the host to which the packet was sent.
Protocol – the highest level protocol that Wireshark can detect. Detection is largely port based, so an application protocol running on a non-standard port may be shown as plain TCP or UDP until you tell Wireshark otherwise via Analyze - Decode As.
Length – the length in bytes of the packet on the wire.
Info – an informational message pertaining to the protocol in the protocol column.

Trace Analysis
Packet list
Default Coloring
Gray – TCP packets
Black with red letters – TCP packets with errors
Green – HTTP packets
Light Blue – UDP packets
Pale Blue – ARP packets
Lavender – ICMP packets
Black with green letters – ICMP packets with errors
Colorings can be changed under View - Coloring Rules.

Individual Packet Analysis

Individual Packet Analysis
Packet Details
Detailed information about the currently selected packet is displayed in the packet details pane.
All packet layers are displayed in the tree menu.
Any portion of any layer can be exported via a right click and selecting Export Selected Packet Bytes.
Packet Bytes
Displays the raw packet bytes. The selected packet layer is highlighted.

Filters
Packet captures usually contain many packets irrelevant to the specific analysis task.
To remove these packets from display or from the capture Wireshark provides the ability to create filters. The two kinds use different languages: the display filters described here use Wireshark's own field-based syntax, whereas capture filters use the tcpdump/BPF syntax (e.g. host 10.0.2.15 and port 80) and are applied by libpcap before a packet is ever recorded.
Filters are evaluated against each individual packet.
Boolean expressions dealing with packet properties.
Supports regular expressions.
Can either be manually constructed, composed via the Expressions menu or composed based on a selected packet's properties.

Filters
Expressions Menu
Field name – selects the packet property.
Relation – selects the boolean test.
Predefined values – common values against which the selected packet property is tested.
Value – arbitrary textual or numeric value against which the selected packet property is tested.

Filters
Compound Filters
Filters can be composed of multiple tests joined with boolean connectives.
&& – logical conjunction (i.e. AND)
|| – logical disjunction (i.e. OR)
! – logical negation (i.e. NOT)
The usual operator precedence applies (negation binds tightest, then &&, then ||); use parentheses to group tests explicitly.
Regular Expressions
Fields can be evaluated against a regular expression using the "matches" test.
Uses Perl-compatible (PCRE) regex syntax.

Filters
Filter Text Box
Green – valid filter
Red – invalid filter
Yellow – may produce unexpected results. The classic case is ip.addr != 127.0.0.1: every IPv4 packet carries two ip.addr values, and older Wireshark releases read this as "either address differs", which matches nearly every packet, including those to and from 127.0.0.1. !(ip.addr == 127.0.0.1) states the intent unambiguously in every version.
Packet based filters
Filters can be constructed on the basis of individual packets by right clicking on a packet and selecting either:
Prepare as filter – creates a filter.
Apply as filter – creates a filter and applies it to the trace.
Follow TCP Stream – creates a filter from a TCP packet's stream number (tcp.stream == N) and applies it to the trace.

Filters
Filter examples
http.request – Display all HTTP requests.
http.request || http.response – Display all HTTP requests and responses.
ip.addr == 127.0.0.1 – Display all IP packets whose source or destination is localhost.
tcp.len < 100 – Display all TCP packets whose data (payload) length is less than 100 bytes.
http.request.uri matches "(gif)$" – Display all HTTP requests in which the URI ends with "gif".
dns.query.name == "www.google.com" – Display all DNS queries for "www.google.com".
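To make the example filters above and the yellow-box warning concrete, here is an added example (not code from the tutorial or from Wireshark) that models the rule behind both: a field may occur several times in one packet, and a relation such as == succeeds if any occurrence satisfies it. The packet records, addresses and URIs are constructed for illustration; the combinator names (present, eq, lt, matches, any_ne) are this example's own, not Wireshark API. Wireshark 3.6 and later redefined != to mean !(a == b) and moved the old "any not equal" behaviour to a separate operator, so the pitfall shown at the end applies to older releases, while the !(...) form is correct everywhere.

```python
"""Display-filter semantics on multi-valued fields.

Added example, not the tutorial's code. A packet is modelled as a dict from
field name to the LIST of values that field takes in the packet, because
that is how Wireshark sees it: every IPv4 packet has two ip.addr values
(source and destination), and a test such as `ip.addr == x` is true if ANY
occurrence matches. The records below are constructed, not a real capture.
"""
import re

SAMPLE_PACKETS = [  # constructed records (hypothetical addresses and URIs)
    {"ip.addr": ["127.0.0.1", "127.0.0.1"], "tcp.len": [0]},
    {"ip.addr": ["10.0.2.15", "93.184.216.34"], "tcp.len": [230],
     "http.request": [True], "http.request.uri": ["/img/logo.gif"]},
    {"ip.addr": ["93.184.216.34", "10.0.2.15"], "tcp.len": [1200],
     "http.response": [True]},
    {"ip.addr": ["10.0.2.15", "10.0.2.3"], "dns.query.name": ["www.google.com"]},
]


def _values(pkt, name):
    return pkt.get(name, [])


# Each relation returns a predicate over a packet, so tests compose freely.
def present(name):                 # bare field name: http.request
    return lambda p: bool(_values(p, name))

def eq(name, value):               # ip.addr == 127.0.0.1
    return lambda p: any(v == value for v in _values(p, name))

def lt(name, value):               # tcp.len < 100
    return lambda p: any(v < value for v in _values(p, name))

def matches(name, pattern):        # http.request.uri matches "(gif)$"
    rx = re.compile(pattern)
    return lambda p: any(rx.search(v) for v in _values(p, name))

def any_ne(name, value):
    """Old-style `ip.addr != x`: true if ANY occurrence differs.
    This is what the yellow filter box warns about: with two addresses per
    packet it matches almost everything, including packets to/from x."""
    return lambda p: any(v != value for v in _values(p, name))

def and_(a, b): return lambda p: a(p) and b(p)   # &&
def or_(a, b):  return lambda p: a(p) or b(p)    # ||
def not_(a):    return lambda p: not a(p)        # !


def apply_filter(flt, pkts=SAMPLE_PACKETS):
    """Indices of the packets the filter would leave in the packet list."""
    return [i for i, p in enumerate(pkts) if flt(p)]


# The tutorial's example filters, expressed with the combinators above.
EXAMPLES = {
    "http.request || http.response": or_(present("http.request"), present("http.response")),
    "ip.addr == 127.0.0.1": eq("ip.addr", "127.0.0.1"),
    "tcp.len < 100": lt("tcp.len", 100),
    'http.request.uri matches "(gif)$"': matches("http.request.uri", "(gif)$"),
    'dns.query.name == "www.google.com"': eq("dns.query.name", "www.google.com"),
    # The pitfall and its fix:
    "ip.addr != 10.0.2.15  (any-not-equal, old semantics)": any_ne("ip.addr", "10.0.2.15"),
    "!(ip.addr == 10.0.2.15)": not_(eq("ip.addr", "10.0.2.15")),
}

if __name__ == "__main__":
    for text, flt in EXAMPLES.items():
        print(f"{text:55} -> packets {apply_filter(flt)}")
```

Running it shows the any-not-equal filter keeping all four records, three of which involve 10.0.2.15, while the negated equality keeps only the loopback packet; that difference is the whole reason the filter box turns yellow.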

Questions
Any Questions?
Thank you for your attention!

Exercises
Work in groups of 2.
Download the trace at http://cs.uga.edu/ neasbitt/files/user1 tcpdump.pcap
Answer the following questions on a sheet of paper.
1. What is the total number of HTTP POST requests in the trace?
2. What is the status code for the last HTTP response in TCP stream 17?
3. What is the total size in bytes for all packets containing JavaScript Object Notation (JSON) data?
4. Between which two IP addresses were the most IP packets sent?
5. What is pictured in the image bostonmusic-promo.jpg?

Exercises
Question Answers
1. 8
2. 302
3. 2253
4. 10.0.2.15 – 123.125.114.18
5. A stereo system.

