
Notes - Chappell University Online Portal · Notes: Capture filters use the tcpdump format ... One...

Date post: 11-May-2018
Page 1: Notes - Chappell University Online Portal · Notes: Capture filters use the tcpdump format ... One quick way to capture VoIP traffic may be to simply use ... This filter looks at

Notes: 20+ years of analysis experience and 10+ years of analysis experience rolled into a single book.

- Foreword by Gerald Combs, Creator of Wireshark
- Practical tips throughout
- Basic through advanced techniques
- Undocumented features
- Exporting for reporting tricks
- Analyze unruly applications
- Spot the cause of slow web browsing
- Identify WLAN problems
- Analyze and replay VoIP connections
- Reassemble traffic of all kinds
- Catch scanning/discovery processes
- Chapter review/answer sections
- Real world case studies
- Tricks for command-line capture
- Remote capture solutions
- Decrypting SSL traffic
- Tips for capturing on switched nets
- more...

© Chappell University – All Rights Reserved 1

Register online at chappellU.com Jumpstart: Wireshark 201

Page 2:

Notes:

Wireshark Jumpstart: Wireshark 201 Live Online Seminar – www.chappellu.com

Presenter: Laura Chappell, Founder of Chappell University and Wireshark [email protected]
Follow me: www.twitter.com/LauraChappell
Read my blog at chappellu.com

Ten million packets? Are you kidding me? Something’s wrong with this picture!

In this live online seminar, Laura Chappell explains and demonstrates filtering techniques for more efficient and effective troubleshooting and security processes. 


Page 3:

Notes: Interested in onsite, customized training while analyzing your network traffic? Let me know – send me an email at [email protected]

I have lots of resources online: 

• Follow me on Twitter (laurachappell)
• Check out the Wireshark Network Analysis book videos at www.wiresharkbook.com
• Sign up for the weekly Newsletter (chappellu.com/newsletter.html)
• Check out the Wireshark Weekly Tips (www.wiresharktraining.com/tips.html)
• Watch some of the videos I uploaded to SecurityTube.net

Check out the other online seminars and keep learning… even if it is an hour at a time. The schedule is online at chappellu.com/schedule.html. 


Page 4:

Notes: These are the areas we will discuss in today’s seminar.

• Why filter? Save yourself time!
• Capture filters vs. display filters
• Hot capture filters. Limit your workload.
• Hot display filters. Elegant solutions.
• Display filters and coloring rules. Make traffic really stand out!
• Using filters with Tshark. Sometimes you need to go command-line.
• Q & A. I’ll get to as many questions as time permits.

So let’s get started.


Page 5:

Notes: Capture filters can only be used on live traffic captured from the network, not on trace files opened from a drive. If you apply a capture filter for broadcast traffic only, that is all that will be passed up to the capture engine. You can’t go back and get packets that a capture filter discarded, so use capture filters sparingly.

You do not need WinPcap, AirPcap or Libpcap in order to open up trace files. Those drivers are used to capture traffic on the network. When you open a trace file, you are using the wiretap library which supports numerous trace file formats including trace file formats used by Network General Sniffer, Wildpackets OmniPeek, Snoop and more. 

Dissectors, plugins and display filters are applied once the packets are passed up either by the capture engine or the wiretap library into the core engine. 

The display filters enable you to select which packets to view based on specific criteria that you define. Display filters do not affect the trace file itself – they only affect which packets you view. 

Select Help > About Wireshark > Folders to find where the various Wireshark files are located. The locations listed are hyperlinked so you can quickly open folders. 


Page 6:

Notes: Yup – there are a lot of capture filters available.

Wireshark includes a set of default capture filters in “name” filter_string format:

"Ethernet address 00:08:15:00:08:15"  ether host 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)"  ether proto 0x0806
"No Broadcast and no Multicast"  not broadcast and not multicast
"No ARP"  not arp
"IP only"  ip
"IP address 192.168.0.1"  host 192.168.0.1
"IPX only"  ipx
"TCP only"  tcp
"UDP only"  udp
"TCP or UDP port 80 (HTTP)"  port 80
"HTTP TCP port (80)"  tcp port http
"No ARP and no DNS"  not arp and port not 53
"Non-HTTP and non-SMTP to/from www.wireshark.org"  not port 80 and not port 25 and host www.wireshark.org


Page 7:

Notes: Capture filters use the tcpdump format (Berkeley Packet Filter (BPF) syntax). Display filters use Wireshark’s own display filter syntax. The two filter formats are not compatible or interchangeable.

If a capture filter uses incorrect syntax, an error message appears when you try to capture with the faulty filter. 

To learn more about the tcpdump filter format, see www.tcpdump.org/tcpdump_man.html.

For more information on capturing traffic using a network tap or by spanning switch ports, refer to Wireshark Network Analysis and the Wireshark 101 Jumpstart (available in recorded format for All Access Pass members – see www.chappellU.com/online.html).

Resources:
• wiki.wireshark.org/CaptureFilters
• www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
• Wireshark default capture filters


Page 8:

Notes: In this example, we are interested in capturing SIP and RTP traffic (VoIP).

Our SIP traffic runs on port 5060 – we can use the capture filter udp port 5060 or simply sip. 

Given that our RTP traffic can run over a range of UDP ports, generally in the 8000-8100 range, we might consider using the capture filter udp portrange 8000-8100.

One quick way to capture VoIP traffic may be to simply use the capture filter udp and then use display filters to view our VoIP call setup and call data. 


Page 9:

Notes: Although rarely used, you can create a byte offset filter – a filter that looks for specific values at specific locations in a packet. For example, link[6:2]=0x0021. This filter reads two bytes starting at offset 6 of the link-layer header, which is the start of the source MAC address field, and compares them with 0x0021. If the source MAC address in a packet begins with these two bytes, the packet will be captured.
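To show what a byte offset test like link[6:2]=0x0021 actually compares, here is a small evaluator for that filter form run over constructed Ethernet frames. This is an added example, not code from the seminar notes or from tcpdump; the frames and the parse_offset_filter and matches helpers are constructed for illustration.

```python
# Added example (not from the Chappell University notes): evaluate a
# tcpdump/BPF-style byte-offset test such as link[6:2]=0x0021 against
# raw link-layer frames. Only the offset form "proto[offset:len] = value"
# is modelled here, with proto being link or ether.
import re

# Constructed 14-byte Ethernet headers: dst MAC (6), src MAC (6), EtherType (2).
FRAME_MATCH = bytes.fromhex("ffffffffffff" "002100abcdef" "0800")  # src starts 00:21
FRAME_MISS = bytes.fromhex("ffffffffffff" "001122334455" "0806")   # src starts 00:11

_EXPR = re.compile(r"^(?:link|ether)\[(\d+):(\d+)\]\s*=\s*(0x[0-9a-fA-F]+|\d+)$")


def parse_offset_filter(expr):
    """Return (offset, length, value) for an expression like link[6:2]=0x0021."""
    m = _EXPR.match(expr.strip())
    if not m:
        # Mirrors Wireshark/tcpdump behaviour: a bad capture filter is an error,
        # not a silently empty match.
        raise ValueError(f"unsupported capture filter syntax: {expr!r}")
    offset, length, value = int(m[1]), int(m[2]), int(m[3], 0)
    if length not in (1, 2, 4):
        raise ValueError("byte-offset width must be 1, 2 or 4 bytes")
    return offset, length, value


def matches(expr, frame):
    """True if the frame satisfies the byte-offset test in expr."""
    offset, length, value = parse_offset_filter(expr)
    if len(frame) < offset + length:
        return False  # frame too short to hold the field: not captured
    # BPF compares the selected bytes as a big-endian unsigned integer.
    return int.from_bytes(frame[offset:offset + length], "big") == value


if __name__ == "__main__":
    print(matches("link[6:2]=0x0021", FRAME_MATCH))  # True
    print(matches("link[6:2]=0x0021", FRAME_MISS))   # False
```

The same evaluator handles the EtherType field at offset 12, so link[12:2]=0x0806 selects ARP frames, the offset-based equivalent of the default "ether proto 0x0806" filter.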


Page 10:

Notes: Now let’s go play with Wireshark –

I will take you through the various methods of creating display filters and show you some of my favorite filters such as:

• sip.Status-Code > 399
• tcp && icmp
• icmp.type==11
• icmp.type == 13 || icmp.type == 15 || icmp.type == 17
• wlan.fc.type_subtype == 0x08
• wlan.fc.retry == 1
• ppi.80211-common.dbm.antsignal < -80
• radiotap.dbm_antsignal < -80
• tcp.window_size < 1460 && tcp.flags.reset == 0


Page 11:

Notes: One of the most common filter mistakes involves the use of the ! or not operator. This problem is mostly seen when filtering out traffic to or from an IP address or port number. Many people are familiar with the ip.addr==10.2.4.1 syntax for displaying packets that contain the IP address 10.2.4.1 in either the source or destination IP address field.

Naturally, they enter ip.addr != 10.2.4.1 to try to view all packets except ones that contain the address 10.2.4.1. This filter structure does not work, however. 

The filter ip.addr != 10.2.4.1 actually means you are looking for a packet that has an ip.addr field containing a value other than 10.2.4.1.

There are two IP address fields in the packet, however, and this filter will still pass a packet that has 10.2.4.1 in one of those fields, because the other field holds a different address. First Wireshark looks at the source IP address field to see if the filter matches. Next it looks at the destination address field.
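The following added example (not from the seminar notes) models this evaluation over constructed packets: a comparison on a field that occurs twice matches when any occurrence satisfies it, which is why ip.addr != 10.2.4.1 still shows traffic involving 10.2.4.1, while negating the whole comparison, !(ip.addr == 10.2.4.1), excludes it. The Packet class and the filter helpers are illustrative, not Wireshark's code.

```python
# Added example (not from the Chappell University notes): how a display-filter
# comparison behaves on a field that appears more than once in a packet.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str

    def fields(self, name):
        # ip.addr is populated from BOTH address fields; ip.src / ip.dst from one.
        return {"ip.addr": [self.src, self.dst],
                "ip.src": [self.src],
                "ip.dst": [self.dst]}[name]


def field_ne(pkt, name, value):
    # "field != value": true if ANY occurrence of the field differs from value.
    return any(v != value for v in pkt.fields(name))


def not_field_eq(pkt, name, value):
    # "!(field == value)": true only if NO occurrence of the field equals value.
    return not any(v == value for v in pkt.fields(name))


# Constructed sample traffic: packets 0 and 1 involve 10.2.4.1, packet 2 does not.
SAMPLE = [Packet("10.2.4.1", "10.2.4.50"),
          Packet("10.2.4.50", "10.2.4.1"),
          Packet("10.2.4.7", "10.2.4.9")]


def apply_filter(filter_fn, packets=SAMPLE, name="ip.addr", value="10.2.4.1"):
    """Return the indexes of the packets the filter would display."""
    return [i for i, p in enumerate(packets) if filter_fn(p, name, value)]


if __name__ == "__main__":
    print("ip.addr != 10.2.4.1   ->", apply_filter(field_ne))      # [0, 1, 2]
    print("!(ip.addr == 10.2.4.1) ->", apply_filter(not_field_eq))  # [2]
```

Running it shows that the != form passes all three packets, while the negated-equality form passes only the packet that carries 10.2.4.1 in neither field.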


Page 12:

Notes: Here are some of the things I’m going to demonstrate:

• Type in with auto-complete
• Right-click filtering (field or [interpretation])
• Apply As… filter
• Prepare As… filter
• Conversation filters
• Endpoint filters
• Follow streams
• Expressions
• Find with filters
• Relationship between display filters and coloring rules


Page 13:

Notes: These are the basic tshark commands you should be familiar with to get started.

Most importantly, you should know the tshark -h command to list all the Tshark parameters!


Page 14:

Notes: Now what?! Here’s a quick list of ‘to do’ items for you after this class.

1. C’mon… upgrade to Wireshark: There’s NO REASON to be working with the old Ethereal software – it’s outdated and end-of-life. Get to www.wireshark.org and update to the latest version of Wireshark.

2. In Preferences > User Interface, increase your Filter display max. list entries value so Wireshark remembers more recent display filters used. 

3. Create a new profile – your new capture filters and display filters will be saved in that filter directory. You can share these files with other users – just let them know to make a profile and copy your filter files into that profile directory!

4. Build up your set of capture filters – consider opening in a text editor to make ‘em nice and organized and easier to work with.

5. Build up your set of display filters – there is a set of display filters available with the Wireshark 101 Jumpstart course. 

6. Create some basic tshark filtering batch files to quickly start capturing traffic using display filters. 


Page 15:

Notes: Now we move on to live Q & A.

Remember to follow me on Twitter and check out my blog. 

Courses available to All Access Pass Members (www.chappellU.com/online.html) include:
• Top 10 Reasons Your Network is Slow
• WLAN Analysis 101
• Wireshark Jumpstart
• Analyze and Improve Network Throughput
• Hacked Hosts: Network Forensics
• Trace File Analysis: TCP
• Tshark Command-Line Capture
• Troubleshooting with Coloring Rules
• Core 1: Wireshark Functionality and TCP/IP Communications
• Core 2: Wireshark Troubleshooting and Security

Visit www.chappellU.com/online.html for more details.
