Date posted: 14-Oct-2015
Wireshark
by
T.S.R.K. Prasad
References / Acknowledgements
Laura Chappell's
Introduction to Ethereal, part 1 of 2
Introduction to Ethereal, part 2 of 2
(will be made available on the course site)
tcpdump capture filters (Wireshark uses the same capture filter syntax) and Wireshark display filters, available at
http://packetlife.net/library/cheat-sheets/
References: Optional Readings
[nCAP] L. Deri, nCap: Wire-speed Packet Capture and Transmission (ntop.org)
[BPF] Steven McCanne and Van Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture, USENIX 1993.
[Fusco] Francesco Fusco and Luca Deri, High Speed Network Traffic Analysis with Commodity Multi-core Systems, IMC 2010.
Presentation Overview: Lecture Outline
Introduction
Placement Strategies
Wireshark UI
Wireshark Filters
Advanced Features
Applications of Wireshark
network administrators use it to troubleshoot network problems
network security engineers use it to examine security problems
developers use it to debug protocol implementations
people use it to learn network protocol internals
Features of Wireshark
Available for UNIX and Windows.
Capture live packet data from a network interface.
Display packets with very detailed protocol information.
Open and Save packet data captured.
Import and Export packet data from and to a lot of other capture programs.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize packet display based on filters.
Create various statistics.
... and a lot more!
What Wireshark Is Not
Wireshark isn't an intrusion detection system.
Wireshark will not manipulate things on the network; it only "measures" things from the network.
Wireshark Placement Strategies
Hubs
Switches
  Port Mirroring
  Hubbing Out
Routers
Target determines the strategy
Wireshark Placement: Hubs
No one uses hubs anymore.
Wireshark Placement: Switches
Only broadcast traffic is seen.
Wireshark Placement: Port Mirroring
Good for monitoring.
Wireshark Placement: Hubbing Out
Can observe one specific computer.
Wireshark Placement: Routers
Can observe one interface of the router.
Wireshark Main UI
Capture Interfaces
All the traffic received by the computer
Capture Options
Capture everyone's packets
Limit capture packet size
Options to store capture data in files
Capture stop triggers
Name and Address Resolution
Capture filter
Capture interface
Slice (Limit) the Packet Size
How do we know the packet size limit?
In Capture Options
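The packet size limit (the snaplen set in Capture Options) decides how much of each frame is stored. The following is an added example, not material from the slides: it builds a constructed Ethernet/IPv4/TCP frame, truncates it to a chosen snaplen, and decodes whatever survives, so the smallest limit that still keeps all three headers (14 + 20 + 20 = 54 bytes when neither IPv4 nor TCP carries options) can be read off directly. The addresses, ports and payload are made up for the example.

```python
"""Choosing a snaplen ("Limit each packet to N bytes" in Capture Options).

Added example, not from the slides: builds a constructed Ethernet/IPv4/TCP
frame and decodes what survives after truncating it to a given snaplen.
"""
import struct

ETH_LEN = 14       # destination MAC, source MAC, EtherType
IPV4_MIN_LEN = 20  # IPv4 header without options
TCP_MIN_LEN = 20   # TCP header without options


def build_frame(payload: bytes) -> bytes:
    """Constructed frame: 10.0.0.5:51000 -> 93.184.216.34:80, PSH+ACK, no options."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = IPV4_MIN_LEN + TCP_MIN_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    tcp = struct.pack("!HHIIBBHHH",
                      51000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def min_snaplen_for_headers() -> int:
    """Smallest snaplen that keeps Ethernet, IPv4 and TCP headers (no options)."""
    return ETH_LEN + IPV4_MIN_LEN + TCP_MIN_LEN


def capture(frame: bytes, snaplen: int) -> bytes:
    """What the capture engine stores when the snaplen is smaller than the frame."""
    return frame[:snaplen]


def decode(captured: bytes) -> dict:
    """Decode a possibly truncated frame; a layer that was cut off is reported as None."""
    out = {"captured_len": len(captured), "ip": None, "tcp": None, "payload": None}
    if len(captured) < ETH_LEN + IPV4_MIN_LEN:
        return out
    ihl = (captured[ETH_LEN] & 0x0F) * 4
    if len(captured) < ETH_LEN + ihl:
        return out
    fields = struct.unpack("!BBHHHBBH4s4s", captured[ETH_LEN:ETH_LEN + IPV4_MIN_LEN])
    out["ip"] = {"src": ".".join(map(str, fields[8])),
                 "dst": ".".join(map(str, fields[9])),
                 "proto": fields[6]}
    tcp_off = ETH_LEN + ihl
    if fields[6] != 6 or len(captured) < tcp_off + TCP_MIN_LEN:
        return out
    sport, dport, seq, _ack, offs, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", captured[tcp_off:tcp_off + TCP_MIN_LEN])
    data_off = (offs >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags}
    if len(captured) < tcp_off + data_off:
        return out   # TCP options were cut off, so the payload start is unknown
    out["payload"] = captured[tcp_off + data_off:]
    return out


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\n")
    for snaplen in (20, 40, min_snaplen_for_headers(), len(frame)):
        print(snaplen, decode(capture(frame, snaplen)))
```

With a 54-byte limit the headers needed for the Summary and Decode windows are intact and only the payload is gone, which is the usual trade-off when the goal is a small capture file; a limit of 40 already loses the TCP header, and 20 loses IPv4 as well. VLAN tags, IPv4 options and TCP options each push the minimum up.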
Capture Data
Wireshark menu
Summary Window
Decode Window
Hex Window
Summary Window
Packet number
Relative timestamp
Packet Source (Name / Address)
Packet Destination (Name / Address)
Highest Protocol
Packet Summary
Decode Window
Capture details for the packet
MAC header
Decode Window (2)
Network Header
Transport Header
Protocol Hierarchy Statistics
Tells you something about the network; probably the first thing to look at when in trouble.
Analyze Menu
Useful options to narrow down the capture to interesting packets
Statistics Menu
Statistical information about the captured packets. The most useful menu in Wireshark.
Telephony Menu
With the right equipment, Wireshark can also look into the telephone network. A government permit is required to purchase the equipment.
Preferences: Under the Hood
Wireshark Coloring Rules
Visual guide to separate packets
End Points (from Statistics Menu)
List of end points for all the protocols
Example: ipv4, tcp, udp, ethernet
End Points Snapshots
Active end points
Where Are Filters Applied?
Filters help
Select the interesting packets
Reduce the capture file size
Capture Filter (from Capture Options)
Display Filter
Only filtered packets are displayed.
Display filter: expression builder for display filter
Filter Expression Builder
Apply Filter: A Simple Technique
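The two filter kinds differ in where they act: a capture filter (tcpdump/BPF syntax, set in Capture Options) decides which packets are written to the file at all, so it reduces the file size, while a display filter (Wireshark's own syntax) only decides which of the stored packets are shown. The following is an added example, not code from the slides or from Wireshark: it runs the same selection through both kinds of filter over a constructed five-packet list. Both evaluators are deliberately tiny imitations of the real syntaxes (only `host`, `tcp port`, `udp port` and `and` on the capture side; only `ip.addr`, `tcp.port`, `udp.port` and `&&` on the display side), and the packets, addresses and sizes are made up.

```python
"""Capture filter versus display filter on a constructed packet list.

Added example, not from the slides. Packet records are a simplified summary
line, and both evaluators accept only a small subset of the real syntaxes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    number: int
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    length: int   # bytes on the wire


# Constructed sample capture (not real traffic).
SAMPLE = [
    Packet(1, "10.0.0.5", "93.184.216.34", "tcp", 51000, 80, 74),
    Packet(2, "93.184.216.34", "10.0.0.5", "tcp", 80, 51000, 74),
    Packet(3, "10.0.0.5", "10.0.0.1", "udp", 53000, 53, 82),
    Packet(4, "10.0.0.7", "93.184.216.34", "tcp", 51001, 443, 74),
    Packet(5, "10.0.0.1", "10.0.0.5", "udp", 53, 53000, 120),
]


def _capture_term(term: str, p: Packet) -> bool:
    """Tiny subset of tcpdump/BPF syntax: 'host A' or 'tcp|udp port N'."""
    words = term.split()
    if len(words) == 2 and words[0] == "host":
        return words[1] in (p.src, p.dst)
    if len(words) == 3 and words[0] in ("tcp", "udp") and words[1] == "port":
        return p.proto == words[0] and int(words[2]) in (p.sport, p.dport)
    raise ValueError(f"unsupported capture filter term: {term!r}")


def capture_filter(packets, expr: str):
    """Capture filter: a packet that fails is never written to the file."""
    terms = [t.strip() for t in expr.split(" and ")]
    return [p for p in packets if all(_capture_term(t, p) for t in terms)]


def _display_term(term: str, p: Packet) -> bool:
    """Tiny subset of Wireshark display syntax: 'ip.addr == A', 'tcp.port == N'."""
    field, _, value = (part.strip() for part in term.partition("=="))
    if field == "ip.addr":
        return value in (p.src, p.dst)
    if field in ("tcp.port", "udp.port"):
        return p.proto == field.split(".")[0] and int(value) in (p.sport, p.dport)
    raise ValueError(f"unsupported display filter term: {term!r}")


def display_filter(packets, expr: str):
    """Display filter: hides non-matching packets in the list; the file keeps all."""
    terms = [t.strip() for t in expr.split("&&")]
    return [p for p in packets if all(_display_term(t, p) for t in terms)]


def file_size(packets) -> int:
    return sum(p.length for p in packets)


def compare(packets, capture_expr: str, display_expr: str) -> dict:
    """Same selection expressed both ways; only the capture filter shrinks the file."""
    saved = capture_filter(packets, capture_expr)
    shown = display_filter(packets, display_expr)
    return {
        "capture_saved": [p.number for p in saved],
        "capture_file_bytes": file_size(saved),
        "display_shown": [p.number for p in shown],
        "display_file_bytes": file_size(packets),
    }


if __name__ == "__main__":
    print(compare(SAMPLE,
                  "host 10.0.0.5 and tcp port 80",
                  "ip.addr == 10.0.0.5 && tcp.port == 80"))
```

The selected packet numbers come out identical, but the capture-filtered file holds only the two matching packets while the display-filtered file still holds all five; that is why a capture filter is the tool for keeping long-running captures small, and a display filter the tool for exploring a capture you already have without losing any evidence.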
Wireshark IO Graphs
Follow Streams: A Telnet Session
Streams possible: TCP, UDP, SSL
Dangerous (a Telnet session is carried in clear text).
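Following a stream means putting the payload bytes of one conversation back in sequence order, one direction at a time, regardless of the order in which the segments were captured. The following is an added example, not code from the slides or from Wireshark: a simplified stand-in for "Follow TCP Stream" run over a constructed Telnet-style login (server port 23) in which one segment arrives out of order and one is retransmitted. The addresses, ports and payload text are made up; the reassembled client direction shows why the slide calls this dangerous, since a cleartext protocol hands the whole login, password included, to whoever can capture it.

```python
"""Follow TCP Stream: reassemble both directions of one conversation.

Added example, not from the slides. Segments are constructed, listed in
capture order, with one out-of-order arrival and one retransmission.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first payload byte
    payload: bytes


CLIENT = ("10.0.0.5", 51234)
SERVER = ("10.0.0.9", 23)

# Constructed capture order (not real traffic).
CONSTRUCTED = [
    Segment(*SERVER, *CLIENT, seq=1000, payload=b"login: "),
    Segment(*CLIENT, *SERVER, seq=2000, payload=b"al"),
    Segment(*CLIENT, *SERVER, seq=2005, payload=b"\r\n"),        # captured before "ice"
    Segment(*CLIENT, *SERVER, seq=2002, payload=b"ice"),
    Segment(*SERVER, *CLIENT, seq=1007, payload=b"Password: "),
    Segment(*CLIENT, *SERVER, seq=2007, payload=b"s3cret\r\n"),
    Segment(*CLIENT, *SERVER, seq=2007, payload=b"s3cret\r\n"),  # retransmission
]


def conversation_key(seg: Segment):
    """Order-independent key so both directions map to the same conversation."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def reassemble_direction(chunks: dict) -> bytes:
    """Join {seq: payload} in sequence order; drop overlap, mark missing bytes with '?'."""
    data = bytearray()
    expected = None
    for seq in sorted(chunks):
        payload = chunks[seq]
        if expected is not None and seq < expected:
            payload = payload[expected - seq:]    # overlapping retransmission
            seq = expected
        elif expected is not None and seq > expected:
            data.extend(b"?" * (seq - expected))  # segment never captured
        data.extend(payload)
        expected = seq + len(payload)
    return bytes(data)


def follow_stream(segments, conversation=None) -> dict:
    """Return {(ip, port): reassembled bytes} for each direction of one conversation."""
    if conversation is None:
        conversation = conversation_key(segments[0])
    directions = {}
    for seg in segments:
        if conversation_key(seg) != conversation:
            continue   # belongs to a different stream
        # an exact duplicate (same seq) simply overwrites its earlier copy
        directions.setdefault((seg.src, seg.sport), {})[seg.seq] = seg.payload
    return {endpoint: reassemble_direction(chunks)
            for endpoint, chunks in directions.items()}


if __name__ == "__main__":
    for endpoint, data in follow_stream(CONSTRUCTED).items():
        print(endpoint, data)
```

The client direction reassembles to the full login exchange even though the segments were captured out of order and one was duplicated; a segment that was never captured shows up as a run of `?` placeholders rather than silently shifting the rest of the text. The same exposure applies to any unencrypted protocol, which is the defensive reason to replace Telnet with SSH and to treat captures containing such streams as sensitive data.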