The Wireshark installation package includes numerous tools used to capture packets at the command line, merge trace files, split trace files, and more. Wheeler, Wireshark has over 2.
The following is a quick list of some tasks that can be performed using Wireshark. If you are an IT staff member, obtain written permission to listen in to network traffic for troubleshooting, optimization, security, and application analysis. Consult a legal specialist to understand your local and national laws regarding packet capture on wired and wireless networks.
Get the Right Wireshark Version
Since you may move from one location to another, from one computer to another, and from one operating system to another, it's best to know on what systems you can install Wireshark.
All OS versions of Wireshark can be obtained from www. Click the Download Wireshark button and the site will recognize the operating system you are running and highlight the version of Wireshark that is most appropriate for your OS. If you are really new to Wireshark, consider downloading, installing, and using the Windows version—the Windows installation process is the simplest process since it only requires running a single executable installation file.
Currently, the Windows and Mac OS X installation processes are quite simple since these versions of Wireshark are available with an installer program binary package. The installer program will walk you through the process to locate XQuartz, if necessary. This process is a bit more complex than just downloading the binary package and clicking "install."
Since this book is focused on the functionality of Wireshark, and not the installation process, we refer you to www.
Wireshark also comes preinstalled on a number of forensic tool distributions, such as BackTrack www. The complete list of operating system requirements is available at www. Sign up for the Wireshark-announce mailing list at www. You typically want to be up-to-date with Wireshark as new releases often include bug and security fixes.
Learn how Wireshark Captures Traffic
Understanding how Wireshark captures traffic will affect how you use Wireshark's features.
In this section we refer to the elements depicted in Figure 1.
Figure 1. How Wireshark handles traffic from a live capture or from a saved trace file.
Wireshark also relies on network interface cards and link-layer drivers to pass up traffic for capture and analysis. Although the network interface cards are the same in both situations, when you use Wireshark, two special link-layer drivers are commonly used: WinPcap and libpcap.
These special drivers provide access to raw data on the network. WinPcap is the special link-layer driver used on a Windows host. When you start capturing traffic with Wireshark, a tool called dumpcap is launched to do the actual capturing.
Frames are passed up from the network, through one of these special link-layer drivers directly into Wireshark's Capture Engine. If you applied a capture filter (only capturing broadcast traffic, for example), the frames that pass through the capture filter are passed up to the Capture Engine. For more information on filtering out (excluding) or filtering in (passing on to Wireshark) specific traffic types, refer to Reduce the Amount of Traffic You have to Work With. For example, you can set up a capture to save frames to a set of 50 MB files and automatically stop after 6 files have been written.
We refer to these files as trace files. The current default trace file format is. The new. In essence, you can now save annotations (comments) inside your trace file. We will look into this process in Chapter 7. This is where Wireshark's power becomes evident. Wireshark supports thousands of dissectors that translate the incoming bytes into human-readable format frames.
The dissectors break apart the fields in the frames and often perform analysis on the content of those fields. For more information on how Wireshark dissectors work, see Dissect the Wireshark Dissectors. With very few exceptions, you can move seamlessly from a Wireshark system running on one platform to a Wireshark system running on another platform with no problems.
The basic interface elements are the same. When you open a trace file (whether captured with Wireshark or another analysis tool), the Wiretap Library delivers the frames to the Core Engine.
Understand a Typical Wireshark Analysis Session
Although each analysis session is a bit different, there are some basic steps that you should perform during each analysis session.
The following is a checklist of the most common tasks performed during an analysis session. Consider using this basic task checklist when you open a trace file. Now is the time to start your own checklist of tasks. As you go through the labs in this book, note the tasks that you'd like to repeat each time a trace file comes in. As with many skills, practice will pay off.
Differentiate a Packet from a Frame
You will see both terms used in the world of protocol analysis.
The term "packet" is often used as a blanket term to describe anything sent across a network, but there is a definite difference between these two terms. All communications between devices use frames.
We don't spend a lot of time troubleshooting or analyzing Ethernet frames, however. There's not a lot to analyze in an Ethernet header or trailer and Ethernet technology is fairly well implemented and not often the problem. In the world of wireless technology, however, there is a lot going on in the WLAN header—enough to focus on during a troubleshooting session. You will not always see the Ethernet trailer when analyzing traffic.
Some operating systems do not support capturing the trailers on Ethernet networks. Just to make this more confusing, Wireshark adds a "Frame" section to provide extra information about all actual frames. When you look inside the Packet Details pane, you will see this Frame section at the top. If you expand that section, you will see time, coloring and other information added to the actual frame by Wireshark. The actual frame begins with the second line, labeled "Ethernet II."
It does not contain any of the actual contents of the frame. Figure 2 indicates the beginning and ending of the actual frame as well as the Frame section that contains the metadata. People often refer to network analysis as "packet analysis"—this naming is due to the fact that the majority of analysis tasks begin at the IP header. Figure 2 indicates the beginning and ending of the packet. That may include an HTTP header or just data. Figure 2 indicates the beginning and ending of the TCP segment.
Figure 2. How will these devices affect the format of the frame along the path? In this book, we use the term "frame" when focusing on the MAC header in communications, or when referring to a value in the No.
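The boundaries Figure 2 marks can be located programmatically. The following is an added example, not code from the book: it walks a constructed Ethernet II / IPv4 / TCP frame (all addresses made up) and reports where the frame, the packet and the segment begin and end, including any Ethernet trailer a driver passes up.

```python
# Added example, not from the book: find the frame/packet/segment boundaries
# that Figure 2 describes inside raw capture bytes.  The sample frame is
# constructed (Ethernet II + IPv4 + TCP SYN); every address in it is made up.
import struct

# Constructed 58-byte frame: dst MAC 00:11:22:33:44:55, src MAC 66:77:88:99:aa:bb,
# IPv4 10.0.0.2 -> 93.184.216.34, TCP 49152 -> 80, SYN with an MSS option.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"      # Ethernet II header, 14 bytes
    "4500002c" "1c460000" "40" "06" "0000"    # IPv4: IHL 5, total length 44, TTL 64, proto TCP
    "0a000002" "5db8d822"                     # src 10.0.0.2, dst 93.184.216.34
    "c0000050" "00000001" "00000000"          # TCP ports 49152 -> 80, seq 1, ack 0
    "6002" "ffff" "0000" "0000"               # data offset 6 words (24 bytes), SYN, window, csum, urg
    "020405b4"                                # MSS option, 1460
)
# The same frame as a driver that keeps the Ethernet padding would hand it up:
# Ethernet pads short frames to 60 bytes before the FCS, so two trailer bytes appear.
SAMPLE_FRAME_PADDED = SAMPLE_FRAME + b"\x00\x00"


def parse_frame(raw):
    """Return the byte ranges of the frame, packet and segment inside `raw`,
    plus the addresses carried at each layer.  Wireshark's "Frame" section is
    metadata and is not part of these bytes.  Only Ethernet II + IPv4 + TCP
    is handled; anything else raises ValueError."""
    if len(raw) < 14:
        raise ValueError("too short for an Ethernet II header")
    dst_mac, src_mac = raw[:6], raw[6:12]
    ethertype, = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip_start = 14                                   # the packet begins here
    ver_ihl = raw[ip_start]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[ip_start + 2:ip_start + 4])
    proto = raw[ip_start + 9]
    src_ip = ".".join(str(b) for b in raw[ip_start + 12:ip_start + 16])
    dst_ip = ".".join(str(b) for b in raw[ip_start + 16:ip_start + 20])
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    tcp_start = ip_start + ihl                      # the segment begins here
    src_port, dst_port = struct.unpack("!HH", raw[tcp_start:tcp_start + 4])
    tcp_header_len = (raw[tcp_start + 12] >> 4) * 4
    packet_end = ip_start + total_len               # IP total length bounds packet and segment
    return {
        "frame": (0, len(raw)),                     # everything the driver handed up
        "packet": (ip_start, packet_end),           # IP header through IP payload
        "segment": (tcp_start, packet_end),         # TCP header through TCP payload
        "trailer_bytes": len(raw) - packet_end,     # Ethernet padding (and FCS, if captured)
        "eth": (src_mac.hex(":"), dst_mac.hex(":")),
        "ip": (src_ip, dst_ip),
        "tcp": (src_port, dst_port),
        "tcp_header_len": tcp_header_len,
        "payload_len": packet_end - tcp_start - tcp_header_len,
    }


def describe(view):
    """One line per Figure 2 boundary, the way an analyst would annotate it."""
    f0, f1 = view["frame"]
    p0, p1 = view["packet"]
    s0, s1 = view["segment"]
    return [
        f"frame   bytes {f0}-{f1 - 1}: Ethernet II header at {f0}, trailer {view['trailer_bytes']} bytes",
        f"packet  bytes {p0}-{p1 - 1}: IP {view['ip'][0]} -> {view['ip'][1]}",
        f"segment bytes {s0}-{s1 - 1}: TCP {view['tcp'][0]} -> {view['tcp'][1]}, "
        f"{view['tcp_header_len']}-byte header, {view['payload_len']} payload bytes",
    ]


if __name__ == "__main__":
    for name, raw in (("as sent", SAMPLE_FRAME), ("with padding", SAMPLE_FRAME_PADDED)):
        print(name)
        for line in describe(parse_frame(raw)):
            print("  " + line)
```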
Since Wireshark often refers to frames as packets in various menus, we will use Wireshark's terminology in those cases. For example, the File menu contains an option to "Export Specified Packets" even though it is exporting frames. Also key to communications analysis is a solid understanding of how packets travel through a network and how the traffic is affected by various network devices. Let's look at a network path that includes a client, two switches, one standard router, a router that performs Network Address Translation (NAT) and a server.
Figure 3.
We've used simple letters to represent the MAC addresses (aka hardware addresses) of the devices. There are many times when you will need to capture at more than one location. For example, when you want to know how a device affects the contents of a frame, you need to capture the frame both before and after it travels through the device.
You may also want to capture traffic at two locations to determine which internetworking device is dropping packets. Because capturing at multiple locations is a common analysis task, you should have Wireshark or at least dumpcap loaded on more than one laptop or be prepared to capture using port spanning or a full-duplex tap.
We will cover these capture options in Chapter 2. All devices can only send to the hardware address of local machines in MAC headers. This MAC header will be stripped off by the first router along the path—these MAC headers are only temporary and are used to get the packet to the next hop along a path. In the IP header example above, the packet is addressed from True switches[6] do not affect the contents of the frame. Switch 1 would simply look at the destination MAC address (MAC address B) to determine if that host is connected to one of the switch ports.
When the switch finds the switch port associated with MAC address B, the switch forwards the frame out the appropriate switch port. Analyst View: We would see a frame that matches the frame we saw at point 1. Upon receipt of the frame, after checking to make sure the frame isn't corrupt and that the frame is addressed to the router's MAC address, the router strips off the Ethernet header. The router examines the destination IP address in the packet (it is now considered a packet, not a frame) and consults its routing tables to see if it knows what to do with the packet.
If the router does not know how to get to the destination IP address (and it doesn't have a default gateway to send the packet to), the router will drop the packet and send a message back to the originator indicating there is a routing problem.
We can capture these error messages with Wireshark and detect which router is unable to forward our packets to the destination. In addition, we would see that the source IP address and source port number have changed. At this point we should see the same frame that we saw at Point 4.
Remember, switches should not alter the contents of a frame. Likewise, if you capture at Point 3, 4, or 5, you cannot determine the MAC address of the client. If you capture at point 5, you cannot tell the actual IP address of the client, either. The switches would only forward broadcasts, multicasts, and traffic destined to your Wireshark system's MAC address down your port[7]. Switches do not alter the MAC addresses or the IP addresses of the traffic, but they can be a major roadblock in network analysis.
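The analyst views at the five capture points can be worked through in code. This is an added example, not code from the book: it models the Figure 3 path with the book's single-letter MAC addresses and constructed IP addresses, ports and NAT public address, reports which of the client's identifiers are no longer visible at each point, and includes the no-route drop case described above.

```python
# Added example, not from the book: a small model of the Figure 3 path
# (client -> switch -> router -> NAT router -> switch -> server) reporting
# what an analyst capturing at each point would see.  MACs are the book's
# single-letter placeholders; IPs, ports and the NAT public address are
# constructed from the documentation ranges.
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class NoRoute(Exception):
    """Raised where a real router drops the packet and sends an ICMP error back."""


class Switch:
    """True switches forward on the destination MAC and change nothing."""
    def __init__(self, name):
        self.name = name

    def forward(self, frame):
        return frame


class Router:
    """Strips the received MAC header and builds a new one for the next hop.
    routes=None means the router has a default gateway, so anything is forwarded."""
    def __init__(self, name, in_mac, out_mac, next_hop_mac, routes=None):
        self.name, self.in_mac, self.out_mac = name, in_mac, out_mac
        self.next_hop_mac = next_hop_mac
        self.routes = None if routes is None else [ipaddress.ip_network(r) for r in routes]

    def forward(self, frame):
        if frame.dst_mac != self.in_mac:
            raise ValueError(f"{self.name}: frame for MAC {frame.dst_mac} is not addressed to me")
        dst = ipaddress.ip_address(frame.dst_ip)
        if self.routes is not None and not any(dst in net for net in self.routes):
            raise NoRoute(f"{self.name}: no route to {frame.dst_ip}, packet dropped")
        # Only the MAC header is rebuilt; the IP and TCP headers pass through untouched.
        return replace(frame, src_mac=self.out_mac, dst_mac=self.next_hop_mac)


class NatRouter(Router):
    """A router that additionally rewrites the source IP and port on the way out."""
    def __init__(self, name, in_mac, out_mac, next_hop_mac, public_ip, first_port=40000):
        super().__init__(name, in_mac, out_mac, next_hop_mac)
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def forward(self, frame):
        frame = super().forward(frame)
        key = (frame.src_ip, frame.src_port)
        if key not in self.table:               # one public port per inside socket
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(frame, src_ip=self.public_ip, src_port=self.table[key])


def analyst_views(frame, devices):
    """Capture point 1 is in front of the first device; point n+1 is behind device n."""
    views = [frame]
    for dev in devices:
        frame = dev.forward(frame)
        views.append(frame)
    return views


def hidden_client_details(views):
    """Per capture point, which of the client's own identifiers can no longer be read."""
    first = views[0]
    return [{name for name, now, orig in (("mac", v.src_mac, first.src_mac),
                                          ("ip", v.src_ip, first.src_ip),
                                          ("port", v.src_port, first.src_port)) if now != orig}
            for v in views]


# The Figure 3 path: A is the client, B/C the first router's interfaces,
# D/E the NAT router's interfaces, F the server.
PATH = [Switch("switch 1"),
        Router("router", in_mac="B", out_mac="C", next_hop_mac="D"),
        NatRouter("NAT router", in_mac="D", out_mac="E", next_hop_mac="F", public_ip="203.0.113.7"),
        Switch("switch 2")]
CLIENT_SYN = Frame("A", "B", "10.0.0.5", "198.51.100.20", 51234, 80)

if __name__ == "__main__":
    views = analyst_views(CLIENT_SYN, PATH)
    for point, (view, hidden) in enumerate(zip(views, hidden_client_details(views)), 1):
        print(f"point {point}: {view}  client details hidden: {sorted(hidden) or 'none'}")
```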
Consider the example shown in Figure 4. We loaded Wireshark on the machine connected to switch port 1. We have a problem if we want to listen to the traffic between the two other devices on the network. The switch is not going to forward this down our port—it's not addressed to our MAC address.
Figure 4. Switches can affect the amount of traffic you see. It is this limitation that causes us to figure out other methods for listening in on network traffic.
Plan and test your capture methods in advance. It's not a fun process to start testing capture methods when all hell breaks loose on the network and users, their managers, your manager, and the CEO are pounding on your office door or encroaching in your cubicle air space. Be prepared—be practiced.
Access Wireshark Resources
Eventually you will hit a problem that you just can't solve. Whether it is a problem in Wireshark functionality or packet structures, you can find assistance in several key places on the Internet.
Visit wiki. You can also add the protocol or application name to the URL for assistance on a protocol. For example, you can type wiki. You can also get to these pages by right-clicking on any protocol displayed inside a frame, as shown in Figure 5.
Wireshark detects the protocol selected and launches the related Wiki page. Figure 5. Right-click on any protocol shown in the Packet Details pane to launch the related Wiki protocol page. Visit ask. You must register for a free account to post a question here. Figure 6. Use the Search function 7 to look for key words related to your question at ask.
The following lists the key areas on ask. Questions tab—Click to return to the All Questions page shown above. Tags tab—Click to see the list of tags related to questions—click on tags related to your topic of interest to see if there is helpful information there. Unanswered tab—Click to see questions that are still considered unanswered.
Ask a Question tab—Click to ask your question. If you don't have a free account here yet, your question will be saved as you create an account and login with your new credentials. Search area and button—Search for the topic you are interested in first. This is a great place to start.
Answer count—This number indicates how many answers have been submitted to a question. View count—This number indicates how many times a question has been viewed. This is a great indicator to determine how "hot" a topic is. Question title hyperlink and tags—Click on the question title to jump to the question page. The tags indicate the topic(s) covered in the question. Jump to buttons—Click on any of these buttons to jump to the list of active questions, newest questions, or questions that have the most votes.
The contributor information includes the Karma level (level of acquired trust in the forum) and their administrative levels. That list, along with years of experience teaching Wireshark techniques and analyzing network traffic, led to the skills included in this book.
Analyze Traffic Using the Main Wireshark View
You don't always need to do a deep dive into the traffic to understand what's going on. A quick look at the main Wireshark window may be all you need to find the cause or culprit.
Although there are many functions available on the Start Page, the fastest way to navigate in Wireshark is through the main menu and main toolbar. Click the File Open button on the main toolbar (circled in Figure 7). Open http-google
Figure 7. The Start Page appears when you launch Wireshark. Instead, use the main toolbar to navigate in Wireshark.
This trace file contains the traffic between a client and the www.
If you capture your own traffic to www. Your traffic will contain different MAC and IP addresses and you may have some elements of the Google site cached on disk. In the case of cached content, you will load portions of the web site page from disk—you will not see the cached content being sent from the server in the trace file.
We will work with this trace file as we explore the various elements of the Wireshark main view. The key is when to use the main menu (Figure 8) and where to find what you're looking for. Many of Wireshark's functions are available through the right-click method or the main toolbar (also referred to as the icon toolbar).
Figure 8. All functions in the Go and Capture menu items can be done faster using the main toolbar. The following list highlights the reasons you may need to use the main menu instead of the main toolbar. Become an efficient analyst by finding the fastest ways to perform tasks.
Learn to Use the Main Toolbar Whenever Possible
You can work very efficiently by clicking on the buttons on the main toolbar to open files and access filters, coloring rules, and preferences. In this book we use most of the key functions on the main toolbar. These functions are listed in Figure 9.
Figure 9. Become familiar with the main toolbar functions—this is the fastest way to work in Wireshark.
Master the Filter Toolbar
We use display filters to pull the "needle out of the haystack." For example, if you are troubleshooting someone's web browsing session, you can use a display filter to remove email sessions or virus update traffic from view. Figure 10 highlights the purpose of each section of the filter toolbar.
Figure Learn to use the display filter toolbar to save time analyzing traffic.
The Packet List pane is the top pane, as shown in Figure When you select a frame in the Packet List pane, the Packet Details pane and Packet Bytes pane provide additional information on the selected packet.
Wireshark colors the frames based on a set of coloring rules. For more information on coloring rules, see Identify Applied Coloring Rules.
You can add columns to the Packet List pane and sort on any column. This sorting ability can help you find similar packets or large delays in the trace file. By default, the Packet List pane is sorted by the frame number column "No." Figure 12 shows the Packet List pane of http-google Each packet in the trace file contains information in the default columns listed below.
Number "No." By default, traffic is sorted on the No. You can sort the Packet List pane by clicking on the desired column heading. If you change the sort order and want to return to the default look of the Packet List pane, sort on this column. Time column—By default, Wireshark shows when each frame arrived compared to the first frame in the Time column. Source and Destination columns—The Source and Destination columns show the highest layer address available in each frame.
Protocol column—Wireshark displays the last dissector applied to the frame. This is a great place to look if you're trying to figure out what applications are in use.
Length column—This column indicates the total length of each frame. We can easily detect if an application uses itty bitty stinkin' packet sizes by looking at this column.
Info column—This column provides basic information about the frame. Look at this column as you scroll through this trace file. The seven default columns of the Packet List pane. For example, if you click on the Protocol column heading when viewing http-google Click the Number "No." Click once on any column heading to sort from low to high—click again to sort from high to low. In Figure 14 we moved the Time column to the right. Just click and drag column headings left or right to reorder columns.
Select Hide Column to remove the column from view, as shown in Figure To view the column again, right-click on any column heading, select Displayed Columns, and select the column name[9]. Right-click on any column heading to view the column options menu. When you do not want to see a column, select Hide Column. Right-click on any packet in the Packet List pane to see what's available, as shown in Figure In this book, we use this right-click functionality to apply filters, colorize traffic, reassemble traffic (follow streams), force Wireshark to dissect something in a different way, and more.
Right-click on any packet in the Packet List pane to see the available functions. You can easily change these coloring rules and create additional coloring rules to alert you to unusual traffic. We will work with coloring rules in Identify Applied Coloring Rules. The Packet Details pane shows the power of Wireshark's dissectors.
As mentioned earlier, the Frame section is not part of a packet as it travels through a network—Wireshark adds the Frame section for additional information about the frame, such as when the frame arrived, what coloring rule is applied to the frame, the frame number, and frame length, as seen in Figure Alternatively, you can use right-click to expand an entire frame (Expand All) or expand just one collapsed section (Expand Subtrees).
The Frame section includes metadata such as arrival timestamp, frame number, and dissectors applied to the frame. We may look at this pane when Wireshark sees "data" in a frame. When you highlight a field in the Packet Details pane, Wireshark also highlights the location of that field and the bytes contained in that field in the Packet Bytes pane.
Perform the same steps to turn it on again. These columns can be resized as necessary. This button is colored to show you the highest level of information contained in the Expert Infos window. The Expert Infos window can alert you to numerous network concerns seen in the trace file as well as packet comments.
Click this button to add, edit, or view a trace file comment. This feature can only be used if the trace file has been saved in.
First Column: Get Field, Capture, or Trace File Information
The information shown in the first column to the right of the Annotation button changes depending on what is highlighted in the panes above it or if you are running a live trace file.
In Figure 19, we can see the file name and size in this column. If you click on a field in the Packet Bytes pane, this column displays the field name[10]. Click around inside the Packet Details pane to see the contents of this first column change.
Second Column: Get Packet Counts Total and Displayed
When you open a saved trace file, the second column indicates the total number of packets in the file, the number of packets currently displayed (in case we applied a display filter), the number of marked packets (packets we marked as "of interest"), and the amount of time required to load the trace file.
During a live capture, this column displays the number of packets captured, displayed, and marked. In Figure 19, we can see that http-google Figure 19 indicates that we are working in the Default profile.
Profiles are created so you can customize your Wireshark environment. There are two things you can do to improve efficiency using Wireshark.
First, try right-clicking on various packets, fields, and windows in Wireshark to determine if right-click functionality is available. Many tasks are only available when you right-click. Others can just be performed faster using the right-click method. Second, get to know Wireshark's main toolbar and use that whenever possible. Although Wireshark launches with the Start Page, once you leave the Start Page, you don't return to it unless you close a trace file or restart Wireshark.
Use the main toolbar and the right-click method to work with trace files instead of returning to the Start Page.
Lab 1: Use Packets to Build a Picture of a Network
When you are analyzing traffic, try to get a feel for the network layout from what you can learn in the packets.
Who is sending the packets? Who are the targets? If multiple hosts talk through a device, it is likely a router. Switches are transparent, but you must assume that clients go through switches to reach a router.
In addition, you will look at the Protocol column to determine what applications are running on various hosts. Red text (visible in eBook versions only) indicates that we just learned this information from the current frame. Frame 1 Launch Wireshark, click the File Open button on the main toolbar and double-click on general Examine the Packet List pane.
Frame 1 uses IPv6. This appears to be an IPv6 multicast (note the IPv6mcast designation in the destination Ethernet address field). Frame 2 Frame 2 is an ARP packet. Look inside the Ethernet header then inside the ARP portion of the packet. Again, look in the Ethernet header and IP header to build your picture of the network.
Since the target has not responded, we really can't say the target is there. We will mark it with a question mark until we see it talk on the network. Frame 4 Frame 4 is the reply to frame 3. We can now draw in the new HTTP server in our diagram.
Look at the source MAC address in frame 4. It comes from the router, not the source server. The new MAC header contains the address of the router's interface on this network as the new source MAC address and the address of the destination device as the new destination MAC address. This is how a router forwards a packet. On your local network, you may see traffic from many different IP addresses come from the MAC address of the local router.
Frame 5 finishes the TCP 3-way handshake. This packet is sent to the broadcast address. We must wait for the target to send a packet before we say it is definitely there. We now know that this server is talking on the wire. Frame 9 is the final piece of the TCP handshake. Frame 11 Frame 11 is a response from the target. We can now assume the target is running. Frame 12 finishes the TCP handshake and our drawing of the network we discovered just by looking at these first few packets in the trace file.
As you can see, lots of different conversations are occurring simultaneously. We can build a picture of the network based on the packets we see.
Analyze Typical Network Traffic
What is "typical network traffic?" Every network is different. They may support different applications and have different network designs. There are, however, some common packets that you'll see during most login procedures and web browsing sessions. Let's just take a look at what you might see in a typical web browsing process and discuss the types of background traffic that can be seen as well.
Analyze Web Browsing Traffic
Open http-google In a typical web browsing session, your trace file will probably include a DNS request to resolve a host name to an IP address (referred to as an "A" record) [frame 1].
Hopefully a DNS reply will be sent back with at least one IP address associated with that host name [frame 2]. The server acknowledges receipt of the request [frame 9] and sends the OK response [frame 10][13]. Now the server begins sending the main page to the client [frame 11]. Periodically, the client requests another element of the www. In addition, when there is a link on www. You can likely see the relationship between the DNS queries and the menu, shown below.
Continue to look through the trace file to get a feel for the traffic that crosses the network when someone opens the main Google page.
Analyze Sample Background Traffic
You will surely see some "background traffic" on your network.
Background traffic is generated when automated processes run—no user interaction is required. Background traffic can be seen when Java looks for updates, your virus detection tool looks for updates, Dropbox checks in, IPv6 tries to discover IPv6 routers, and more.
Become familiar with your background traffic so you can recognize it when you are troubleshooting problems. You don't want to waste time troubleshooting a background process that has nothing to do with the problem at hand. Open mybackground Here is a breakdown of the background traffic on our lab host.
In frame 27, we see a Local Master Announcement. Starting at frame 28, we can see some DNS queries for javadl-esd-secure. It looks like our host is updating Java from an Akamai host (we expanded the Packet Details pane to look inside the DNS response for that tidbit). Frame 95 is an SNMP get-request to This is an interesting one.
It seems the lab host is configured to look for a network printer by that address, but no such printer exists. Guess we need to clean off that machine a bit, eh? Starting at frame , we learn the lab host also runs Memeo for backup—we see some HTTP traffic going to www. This is what a background traffic analysis session feels like—looking through the traffic to define what is "normal."
For example, frame doesn't match the regular traffic we expect to see in a background trace file. In the Packet Details pane, we see the packet is sent to the Secure Shell port (22)—that's a bit of a concern.
We also see that Wireshark indicates that something is wrong with the TCP header—there is an illegal value in the Acknowledgment Number field. Finding the needle in the haystack isn't difficult if you know the haystack well and can just move it aside. Doing a bit of research on the source IP address, we gather the following information: inetnum: Networks can be pretty noisy with various background processes running, but if you can spend some time getting familiar with the "normal" ones, it shouldn't take you long to find the real stinkers.
In this book you will learn a lot about filtering. Once you learn what is "normal," consider building a filter to remove this normal traffic from view.
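One way to keep such a baseline is to write each "normal" background process down once as a Wireshark display-filter expression and once as a check that can be run offline over packet summaries. This is an added example, not from the book: the baseline entries mirror the Java-update DNS, printer SNMP, Memeo HTTP and browser announcements walked through above, but every address, host name and summary row is a constructed placeholder, as is the assumed local network 10.0.0.0/24.

```python
# Added example, not from the book: a baseline of "normal" background traffic
# kept as paired Python predicates (offline triage of summaries) and
# Wireshark display-filter text (to paste into the filter toolbar), then a
# report of whatever the baseline does not explain.  All records, addresses
# and host names below are constructed placeholders modelled on the text's lab.
from dataclasses import dataclass
from typing import Callable
import ipaddress

PRINTER_IP = "10.0.0.99"                         # placeholder: the book's SNMP target is not given here
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: the lab host's own subnet


@dataclass
class Rule:
    name: str
    display_filter: str                 # the same condition in Wireshark display-filter syntax
    matches: Callable[[dict], bool]     # the condition applied to one summary record


BASELINE = [
    Rule("Java update lookups",
         'dns && dns.qry.name contains "javadl-esd-secure"',
         lambda r: r["proto"] == "DNS" and "javadl-esd-secure" in r["info"]),
    Rule("SNMP poll of the long-gone printer",
         f"snmp && ip.dst == {PRINTER_IP}",
         lambda r: r["proto"] == "SNMP" and r["dst"] == PRINTER_IP),
    Rule("Memeo backup check-in",
         'http && http.host contains "memeo"',
         lambda r: r["proto"] == "HTTP" and "memeo" in r["info"].lower()),
    Rule("Windows browser announcements",
         "browser",
         lambda r: r["proto"] == "BROWSER"),
]

# Constructed summary rows in the shape of the Packet List pane; "expert" holds
# the expert-info style notes Wireshark would attach to the frame.
RECORDS = [
    {"no": 27, "src": "10.0.0.12", "dst": "10.0.0.255", "proto": "BROWSER", "dst_port": 138,
     "info": "Local Master Announcement LABHOST", "expert": []},
    {"no": 28, "src": "10.0.0.12", "dst": "10.0.0.1", "proto": "DNS", "dst_port": 53,
     "info": "Standard query A javadl-esd-secure.example", "expert": []},
    {"no": 95, "src": "10.0.0.12", "dst": PRINTER_IP, "proto": "SNMP", "dst_port": 161,
     "info": "get-request", "expert": []},
    {"no": 140, "src": "10.0.0.12", "dst": "192.0.2.40", "proto": "HTTP", "dst_port": 80,
     "info": "GET /ping HTTP/1.1 Host: www.memeo.example", "expert": []},
    {"no": 212, "src": "192.0.2.77", "dst": "10.0.0.12", "proto": "TCP", "dst_port": 22,
     "info": "41234 -> 22 [ACK]", "expert": ["illegal acknowledgment number"]},
]


def exclusion_filter(rules):
    """Display filter that hides everything the baseline explains; what is
    still shown in the Packet List pane is the traffic worth a closer look."""
    return " && ".join(f"!({r.display_filter})" for r in rules)


def find_needles(records, rules):
    """Records that no baseline rule accounts for."""
    return [r for r in records if not any(rule.matches(r) for rule in rules)]


def triage_notes(record):
    """Why an unexplained record deserves attention, using only what the row shows."""
    notes = []
    if record["dst_port"] == 22 or record["proto"] == "SSH":
        notes.append("traffic to the Secure Shell port (22)")
    notes.extend(f"expert info: {e}" for e in record["expert"])
    if ipaddress.ip_address(record["src"]) not in LOCAL_NET:
        notes.append(f"source {record['src']} is outside the local network")
    return notes


if __name__ == "__main__":
    print("paste into the filter toolbar:", exclusion_filter(BASELINE))
    for needle in find_needles(RECORDS, BASELINE):
        print(f"frame {needle['no']}: {needle['info']}")
        for note in triage_notes(needle):
            print("   -", note)
```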
What is left after filtering out the good traffic may be one or more shiny needles.
Step 1: Close all applications except for Wireshark and any normal background applications that run on your machine.
Step 2: Click the Capture Interfaces button on the main toolbar.
Step 3: Select the checkbox in front of the interface that sees active traffic. If you don't see any increases in the packet counts, be patient or toggle out to the command prompt to ping another host. You might recognize your active interface or only have one interface to select from.
Step 4: Click Start. Let the capture run for at least five minutes (longer if you can wait).
Step 5: Click the Stop Capture button on the main toolbar. Spend some time going through the trace file to identify the applications that run in the background on your machine.
Focus on the Protocol column and the Info column. If you don't recognize the application, perform some research on the IP addresses that your system communicates with. Most likely you will also see broadcast or multicast traffic from other hosts on your network.
Step 5: To save this file, click the Save button on the main toolbar, navigate to the target directory, and name your file background1.
Recognizing your own background traffic will help you remove this from consideration when looking for unusual communications. Consider saving trace files of your "normal" traffic to refer to when troubleshooting.
Open Trace Files Captured with Other Tools
Although Wireshark is considered the de facto standard in packet capture and analysis tools, there are numerous other tools available.
It is important to know which tools can interoperate with Wireshark. When someone hands you a trace file, you can use File Open to examine the traffic in Wireshark. Wireshark uses its Wiretap Library to convert the file into a format that Wireshark can display. For example, if you receive a trace file captured using Sun Snoop with the. Wireshark lists all the file types recognized, as shown in Figure Click the arrow next to Files of type to see all the trace file formats that Wireshark recognizes.
If someone sends you a trace file and Wireshark doesn't recognize the format, first just change the file extension to. Wireshark understands so many formats. It is very unusual to receive a trace file in an unrecognized format.
Lab 3: Open a Network Monitor.
Step 1: Click the File Open button on the main toolbar. Step 2: Navigate to your trace file directory and click on http-winpcap Wireshark looks inside the trace file to identify what tool was used to capture the traffic, as shown below.
Step 3: Click Open. Wireshark can recognize and open trace files created with most other industry tools.
In this updated book, Laura offers step-by-step instructions on the key functions and features of Wireshark. This book includes 46 step-by-step Labs to quickly bring you up to speed with Wireshark version 2 regardless of whether you are a newbie or already working with Wireshark today!