Wireshark_Tutorial

The document is a tutorial on Wireshark, an open-source network protocol analyzer used for capturing and analyzing network traffic. It covers features, tools, and examples of how to use Wireshark and related tools like Tcpdump and Tshark for packet capturing and filtering. The tutorial also explains how to interpret packet data, apply filters, and analyze various protocols including TCP and UDP.

Uploaded by

neerajsandy061
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
13 views

Wireshark_Tutorial

The document is a tutorial on Wireshark, an open-source network protocol analyzer used for capturing and analyzing network traffic. It covers features, tools, and examples of how to use Wireshark and related tools like Tcpdump and Tshark for packet capturing and filtering. The tutorial also explains how to interpret packet data, apply filters, and analyze various protocols including TCP and UDP.

Uploaded by

neerajsandy061
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 85

Internet Traffic Monitoring and Analysis: Wireshark Tutorial
Outline
What is Wireshark?
Capturing Packets
Analyzing Packets
Filtering Packets
Saving and Manipulating Packets
Packet Statistics
Colorizing Specific Packets
References
What is Wireshark?
The De-Facto Network Protocol Analyzer
◦ Open-Source (GNU Public License)
◦ Multi-platform (Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others)
◦ Easily extensible
◦ Large development group

Previously Named “Ethereal”


What is Wireshark?
Features
◦ Deep inspection of thousands of protocols
◦ Live capture and offline analysis
◦ Standard three-pane packet browser
◦ Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
◦ The most powerful display filters in the industry
◦ Rich VoIP analysis
◦ Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others
◦ Coloring rules can be applied to the packet list for quick, intuitive analysis
◦ Output can be exported to XML, PostScript®, CSV, or plain text
What is Wireshark?
What we can do with it:
◦ Capture network traffic
◦ Decode packet protocols using dissectors
◦ Define filters – capture and display
◦ Watch smart statistics
◦ Analyze problems
◦ Interactively browse that traffic

Some examples of what people use Wireshark for:
◦ Network administrators: troubleshoot network problems
◦ Network security engineers: examine security problems
◦ Developers: debug protocol implementations
◦ People: learn network protocol internals
Tools Overview
Tcpdump
◦ Unix-based command-line tool used to intercept packets
◦ Includes filtering to just the packets of interest
◦ Reads “live traffic” from the interface specified using the -i option …
◦ … or from a previously recorded trace file specified using the -r option
◦ You create these trace files when capturing live traffic using the -w option

Tshark
◦ Tcpdump-like capture program that comes with Wireshark
◦ Very similar behavior and flags to tcpdump
Wireshark
◦ GUI for displaying tcpdump/tshark packet traces
Tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816

Reading the line from left to right:
• 01:46:28.808262 – timestamp
• IP – this is an IP packet
• danjo.CS.Berkeley.EDU – source host name
• ssh – source port number (22)
• adsl-69-228-230-7.dsl.pltn13.pacbell.net – destination host name
• 2481 – destination port number
• . 2513546054:2513547434(1380) ack 1268355216 win 12816 – TCP-specific information

• Different output formats for different packet types
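As an added illustration of the tcpdump line format annotated above (this is not code from the tutorial), the Python below splits such a line into its fields and totals the payload bytes per direction; the sample lines are the tutorial's own capture output re-joined onto single lines, and the function names are chosen here.

```python
import re

# Sample lines in the classic tcpdump output format shown in the slides
# (the tutorial's own capture lines, re-joined onto single lines).
SAMPLE = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
"""

# timestamp  IP  src_host.src_port > dst_host.dst_port:  flags  seq:seq(len)  ack N  win N
LINE_RE = re.compile(r"""
    ^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+
    (?P<src>\S+)\.(?P<sport>[^.\s:]+)\s+>\s+
    (?P<dst>\S+)\.(?P<dport>[^.\s:]+):\s+
    (?P<flags>[.SPFRU]+)                                          # "." means no flag besides ACK
    (?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?   # only when data is carried
    (?:\s+ack\s+(?P<ack>\d+))?
    (?:\s+win\s+(?P<win>\d+))?
""", re.VERBOSE)

def parse_line(line):
    """Split one tcpdump TCP summary line into a dict of its fields; ValueError if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()
    def num(key):
        return int(g[key]) if g[key] is not None else None
    return {
        "timestamp": g["ts"],
        "src_host": g["src"], "src_port": g["sport"],   # port as tcpdump prints it (name or number)
        "dst_host": g["dst"], "dst_port": g["dport"],
        "flags": g["flags"],                            # S=SYN, P=PSH, F=FIN, R=RST
        "seq_start": num("seq_lo"), "seq_end": num("seq_hi"),
        "payload_len": int(g["length"] or 0),           # 0 for a pure ACK
        "ack": num("ack"), "win": num("win"),
    }

def parse_trace(text):
    """Parse every non-blank line of a tcpdump text dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def bytes_per_direction(records):
    """Total payload bytes sent in each (source endpoint, destination endpoint) direction."""
    totals = {}
    for r in records:
        key = (f'{r["src_host"]}.{r["src_port"]}', f'{r["dst_host"]}.{r["dst_port"]}')
        totals[key] = totals.get(key, 0) + r["payload_len"]
    return totals
```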
Similar Output from Tshark
1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
Demo 1 – Basic Run
Syntax:
tcpdump [options] [filter expression]
Unfortunately, the Eustis machine does not allow normal users to run tcpdump.
I will demonstrate it on my group’s Unix machine: acnserver.fils.edu
◦ $ sudo tcpdump -i eth0
◦ On your own Unix machine, you can run it using “sudo” or run “tcpdump” directly

Observe the output
Filters
We are often not interested in all packets flowing through the network.
Use filters to capture only the packets of interest to us.
Demo 2
1. Capture only UDP packets
• tcpdump "udp"
2. Capture only TCP packets
• tcpdump "tcp"

Demo 2 (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"

Demo 2 (contd.)
1. Capture only packets destined to quasar.cs.berkeley.edu
• tcpdump "dst host quasar.cs.berkeley.edu"
2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu
• tcpdump "(tcp and host quasar.cs.berkeley.edu) or udp port 53"
How to write filters
Refer to the tcpdump/tshark man page
Many example web pages on the Internet

Running tcpdump
Requires superuser/administrator privileges on Unix
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware on your machine

Tcpdump for Windows
◦ WinDump: http://www.winpcap.org/windump/
◦ Free software
So What is Wireshark?
Packet sniffer/protocol analyzer
Open Source Network Tool
Latest version of the Ethereal tool

Wireshark Interface
(screenshot of the main window; the annotated areas are:)
◦ Interfaces
◦ Packet List
◦ Packet Details
◦ Packet Bytes
◦ Status Bar
Capturing Packets (1/3)
Capture Options
Capture Filter

Capturing Packets (2/3)
(annotated screenshot of the Capture Options dialog; the annotations are:)
◦ Capture all packets on the network
◦ Buffer size – in order not to fill your laptop disk
◦ Capture filter
◦ Display options
◦ Capture in multiple files
◦ Name resolution options
◦ When to automatically stop the capture

Capturing Packets (3/3)
Example (W-LAN): Received Signal Strength Indication (RSSI) and link speed (BW)

Capture Filter examples
host 10.1.11.24
host 192.168.0.1 and host 10.1.11.1
tcp port http
ip
not broadcast and not multicast
ether host 00:04:13:00:09:a3

Capture Buffer Usage
Capture Interfaces
Interface Details: Characteristics
Interface Details: Statistics
Interface Details: 802.3 (Ethernet)
Display filters (also called post-filters) only filter the view of what you
are seeing. All packets in the capture still exist in the trace
Display filters use their own format and are much more powerful then
capture filters
Display Filter
Display Filter Examples
ip.src==10.1.11.00/24

ip.addr==192.168.1.10 && ip.addr==192.168.1.20

tcp.port==80 || tcp.port==3389

!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)

(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)

(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)

tcp.dstport == 80
Display Filter
String1, String2 (optional settings):
◦ Sub-protocol categories inside the protocol.
◦ Look for a protocol and then click on the "+" character.
◦ Examples:
◦ tcp.srcport == 80
◦ tcp.flags == 2 (SYN packet)
◦ tcp.flags.syn == 1 (SYN packet; field names are case-sensitive, so "Tcp.flags.syn" is not accepted)
◦ tcp.flags == 18 (SYN/ACK)

◦ Note on the TCP Flags field: (screenshot of the flags subtree in the Packet Details pane)
Display Filter Expressions
snmp || dns || icmp
◦ Display SNMP, DNS, or ICMP traffic.
tcp.port == 25
◦ Display packets with TCP source or destination port 25.
tcp.flags
◦ Display packets that have a TCP flags field.
tcp.flags.syn == 0x02
◦ Display packets with the TCP SYN flag set.

If the filter syntax is correct, the filter bar is highlighted in green; if there is a syntax mistake it is highlighted in red.
(screenshots: correct syntax, wrong syntax)
Save Filtered Packets After Using Display Filter
We can also save all filtered packets to a text file for further analysis.
Operation:
File → Export Packet Dissections → as “plain text” file
1) In the “Packet Range” option, select “Displayed”
2) Choose “summary line” or “detail”
Analyzing Packets (1/9)
❖ Ethernet Frame Example
Analyzing Packets (2/9)
IP Packet Example
Analyzing Packets (3/9)
TCP Packet Example

Analyzing Packets (4/9)
TCP 3-way Handshake

Connection-Oriented
Before any data transfer, TCP establishes a connection:
◦ One TCP entity is waiting for a connection (“server”)
◦ The other TCP entity (“client”) contacts the server
The actual procedure for setting up connections is more complex.
Each connection is full duplex.
(figure: client and server timelines; the client requests a connection, the server, which is waiting for a connection, accepts the connection request, then data transfer, then disconnect)
Reliable
Byte stream is broken up into chunks which are called segments
Receiver sends acknowledgements (ACKs) for segments
TCP maintains a timer. If an ACK is not received in time, the segment is retransmitted

Detecting errors:
TCP has checksums for header and data. Segments with invalid checksums are discarded
Each byte that is transmitted has a sequence number
Byte Stream Service
To the lower layers, TCP handles data in blocks, the segments.
To the higher layers, TCP handles data as a sequence of bytes and does not identify boundaries between bytes.
So: higher layers do not know about the beginning and end of segments!
(figure: the sending application writes 100 bytes and then 20 bytes into TCP's queue of bytes to be transmitted; TCP carries them as segments; the receiving application reads 40 bytes three times from the queue of bytes that have been received)
TCP Format
TCP segments have a 20 byte header with >= 0 bytes of data.

IP header (20 bytes) | TCP header (20 bytes) | TCP data

TCP header layout (bits 0–15 and 16–31 of each 32-bit word; the first five words are the 20-byte fixed header):
◦ Source Port Number (16 bits) | Destination Port Number (16 bits)
◦ Sequence number (32 bits)
◦ Acknowledgement number (32 bits)
◦ Header length (4 bits) | reserved, 0 (6 bits) | Flags (6 bits) | Window size (16 bits)
◦ TCP checksum (16 bits) | Urgent pointer (16 bits)
◦ Options (if any)
◦ DATA
TCP header fields
Port Number:
◦ A port number identifies the endpoint of a connection.
◦ A pair <IP address, port number> identifies one endpoint of a connection.
◦ Two pairs <client IP address, client port number> and <server IP address, server port number> identify a TCP connection.
(figure: on each host, applications bound to ports sit above TCP, which sits above IP; the example ports shown are 23, 80, 104 on one host and 7, 80, 16 on the other)
TCP header fields
Sequence Number (SeqNo):
◦ Sequence number is 32 bits long.
◦ So the range of SeqNo is 0 <= SeqNo <= 2^32 - 1 ≈ 4.3 Gbyte
◦ Each sequence number identifies a byte in the byte stream
◦ Initial Sequence Number (ISN) of a connection is set during connection establishment
TCP header fields
Acknowledgement Number (AckNo):
◦ Acknowledgements are piggybacked, i.e. a segment from A -> B can contain an acknowledgement for data sent in the B -> A direction
◦ A host uses the AckNo field to send acknowledgements. (If a host sends an AckNo in a segment it sets the “ACK flag”)
◦ The AckNo contains the next SeqNo that a host wants to receive
Example: The acknowledgement for a segment with sequence numbers 0-1500 is AckNo=1501
TCP header fields
Acknowledgement Number (cont’d)
◦ TCP uses the sliding window flow protocol (see CS 457) to regulate the flow of traffic from sender to receiver
◦ TCP uses the following variation of sliding window:
◦ no NACKs (Negative ACKnowledgements)
◦ only cumulative ACKs

Example:
Assume: the sender sends two segments with “1..1500” and “1501..3000”, but the receiver only gets the second segment.
In this case, the receiver cannot acknowledge the second segment. It can only send AckNo=1.
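To make the cumulative-ACK example above concrete, here is an added Python model of a receiver that only ever acknowledges the next byte it is missing (not code from the tutorial; the class and function names are chosen here). It keeps early segments aside, so once the lost first segment is retransmitted the AckNo jumps past both.

```python
class CumulativeAckReceiver:
    """Model of a TCP receiver that sends only cumulative ACKs and no NACKs.

    Bytes are numbered as in the slides: the stream starts at byte 1 and
    AckNo is always the next byte the receiver wants to see.
    """

    def __init__(self, first_expected=1):
        self.next_expected = first_expected
        self.buffered = {}        # first byte -> last byte of segments that arrived early
        self.dup_acks = 0         # how many times an unchanged AckNo had to be repeated

    def receive(self, first_byte, last_byte):
        """Accept a segment covering first_byte..last_byte (inclusive); return the AckNo to send."""
        if first_byte > self.next_expected:
            # A gap precedes this segment: keep it, but the ACK cannot move (a DUPACK goes out).
            self.buffered[first_byte] = max(last_byte, self.buffered.get(first_byte, 0))
            self.dup_acks += 1
            return self.next_expected
        if last_byte >= self.next_expected:
            self.next_expected = last_byte + 1
        else:
            self.dup_acks += 1    # an old duplicate; the ACK is unchanged
        # The gap may now be filled: absorb every buffered segment that became contiguous.
        for start in sorted(self.buffered):
            if start > self.next_expected:
                break
            end = self.buffered.pop(start)
            if end >= self.next_expected:
                self.next_expected = end + 1
        return self.next_expected


def slide_example():
    """The slide's scenario: segments 1..1500 and 1501..3000 are sent, only the second arrives."""
    rx = CumulativeAckReceiver()
    ack_after_second = rx.receive(1501, 3000)    # first segment lost: can only send AckNo=1
    ack_after_retransmit = rx.receive(1, 1500)   # the retransmission fills the gap
    return ack_after_second, ack_after_retransmit, rx.dup_acks
```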
TCP header fields
Header Length (4 bits):
◦ Length of header in 32-bit words
◦ Note that the TCP header has variable length (with minimum 20 bytes)
Analyzing Packets (5/9)
Flow Graph
◦ Gives us a graphical flow, for a better understanding of what we see
Analyzing Packets (6/9)
Flow Graph
Analyzing Packets (7/9)
Filtering Specific TCP Stream
Analyzing Packets (8/9)
Filtering Specific TCP Stream
Analyzing Packets (9/9)
RTP Stream Analysis
(screenshot: stable stream BW)

Filtering Packets (1/4)
Applying Filter when Capturing Packets
Capture → Interfaces → Options:

Filtering Packets (2/4)
❖ Applying Filter when Analyzing Packets
Filtering Packets (3/4)
Examples:
◦ Capture only traffic to or from IP address 172.18.5.4
◦ host 172.18.5.4
◦ Capture traffic to or from a range of IP addresses
◦ net 192.168.0.0/24
◦ net 192.168.0.0 mask 255.255.255.0
◦ Capture traffic from a range of IP addresses
◦ src net 192.168.0.0/24
◦ src net 192.168.0.0 mask 255.255.255.0
◦ Capture traffic to a range of IP addresses
◦ dst net 192.168.0.0/24
◦ dst net 192.168.0.0 mask 255.255.255.0
◦ Capture only DNS (port 53) traffic
◦ port 53
◦ Capture non-HTTP and non-SMTP traffic on your server
◦ host www.example.com and not (port 80 or port 25)
◦ host www.example.com and not port 80 and not port 25
Filtering Packets (4/4)
Examples:
◦ Capture everything except ARP and DNS traffic
◦ port not 53 and not arp
◦ Capture traffic within a range of ports (tcp[0:2] is the source port, tcp[2:2] the destination port)
◦ (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
◦ tcp portrange 1501-1549
◦ Capture only Ethernet type EAPOL
◦ ether proto 0x888e
◦ Capture only IP traffic
(the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP)
◦ ip
◦ Capture only unicast traffic
(useful to get rid of noise on the network if you only want to see traffic to and from your machine,
not, for example, broadcast and multicast announcements)
◦ not broadcast and not multicast
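As an added example (not from the tutorial), the Python below builds and parses the 20-byte TCP header laid out in the TCP Format and header-field slides, decodes the flags values the display-filter examples rely on (2 for SYN, 18 for SYN/ACK), and evaluates the tcp[offset:size] byte-slice notation from the capture-filter examples, where tcp[0:2] is the source port, tcp[2:2] the destination port and tcp[4:4] the sequence number. Function names are chosen here; the checksum is left zero because computing it needs the IP pseudo-header.

```python
import struct

# Bit values of the six classic flags in the TCP header's flags field.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FIXED = "!HHIIHHHH"   # ports, seq, ack, data offset + flags, window, checksum, urgent pointer

def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Assemble a TCP header; options are padded to a 32-bit boundary, the checksum is left 0."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    header_words = (20 + len(options)) // 4           # header length field counts 32-bit words
    offset_flags = (header_words << 12) | (flags & 0x1FF)
    return struct.pack(TCP_FIXED, sport, dport, seq, ack, offset_flags, window, 0, 0) + options

def parse_tcp_header(segment):
    """Decode the fixed header, options and payload of a raw TCP segment (bytes)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, offset_flags, window, csum, urg = struct.unpack(TCP_FIXED, segment[:20])
    header_len = (offset_flags >> 12) * 4             # words -> bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"invalid header length {header_len}")
    flags = offset_flags & 0x1FF                      # full 9-bit value, as tcp.flags shows it
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }

def bpf_slice(segment, offset, size):
    """Value of the tcpdump primitive tcp[offset:size]: 'size' bytes at 'offset', big-endian."""
    if size not in (1, 2, 4) or offset + size > len(segment):
        raise ValueError("tcp[offset:size] needs size 1, 2 or 4 and must stay inside the segment")
    return int.from_bytes(segment[offset:offset + size], "big")

def matches_portrange(segment, low, high):
    """Same test as the capture filter 'tcp portrange low-high': either port inside the range."""
    return any(low <= bpf_slice(segment, off, 2) <= high for off in (0, 2))
```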
Protocol Hierarchy
Follow TCP Stream
red – stuff you sent, blue – stuff you get
Filter out/in Single TCP Stream
When you click “filter out this TCP stream” in the box on the previous page, the new filter string will look like:
◦ http and !(tcp.stream eq 5)
So, if you use “tcp.stream eq 5” as the filter string, you keep only this HTTP session
Saving and Manipulating Packets (1/3)
Save only displayed packets
Saving and Manipulating Packets (2/3)

Export to CSV file


Saving and Manipulating Packets (3/3)
Exported CSV File
Packet Statistics (1/8)

Protocol Hierarchy
Packet Statistics (2/8)
Conversation
◦ Traffic between two specific endpoints

With some manipulation


Packet Statistics (3/8)
I/O Graph
Packet Statistics (4/8)
Configurable Options
◦ I/O Graphs
◦ Graph 1-5: enable the specific graph 1-5 (graph 1 by default)
◦ Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
◦ Style: the style of the graph (Line/Impulse/FBar/Dot)
◦ X Axis
◦ Tick interval: how long an interval in the x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
◦ Pixels per tick: use 10/5/2/1 pixels per tick interval
◦ View as time of day: option to view x direction labels as time of day instead of seconds or minutes since the beginning of the capture
◦ Y Axis
◦ Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
◦ Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, ...)
Packet Statistics (5/8)
TCP Stream Graph
Packet Statistics (6/8)
Round-Trip Time Graph
RTT vs. sequence numbers gives us the time it takes to ACK every packet.
In case of variations, it can cause DUPACKs and even retransmissions.
This usually happens on communication lines:
Over the Internet
Over cellular networks
Packet Statistics (7/8)
Time / Sequence Graph (axes: Seq No [B] vs. Time [sec])
Time / Sequence represents how sequence numbers advance with time.
In a good connection (like in the example), the line will be linear.
The angle of the line indicates the speed of the connection. In this example – a fast connection.
Packet Statistics (8/8)
Time / Sequence Graph (axes: Seq No [B] vs. Time [sec])
In this case, we see a non-contiguous graph.
Can be due to:
Severe packet loss
Server response (processing) time
Colorizing Specific Packets (1/4)
Packet Colorization
◦ Colorize packets according to a filter
◦ Allows you to emphasize the packets you are interested in
◦ A lot of Coloring Rule examples on the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules
(screenshot: we want to watch a specific protocol throughout the capture file)
Colorizing Specific Packets (2/4)
Colorizing Specific Packets (3/4)
Colorizing Specific Packets (4/4)
TLS Connection Establishment

Basic usage of Grep
Command-line text-search program in Linux
Some useful usage:
◦ grep 'word' filename # find lines with 'word'
◦ grep -v 'word' filename # find lines without 'word'
◦ grep '^word' filename # find lines beginning with 'word'
◦ grep 'word' filename > file2 # output lines with 'word' to file2
◦ ls -l | grep rwxrwxrwx # list files whose permissions contain 'rwxrwxrwx'
◦ grep '^[0-4]' filename # find lines beginning with any of the digits 0-4
◦ grep -c 'word' filename # count the lines that contain 'word'
◦ grep -i 'word' filename # find lines with 'word' regardless of case

Many tutorials on grep online
◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
References
Wireshark Website
◦ http://www.wireshark.org

Wireshark Documentation
◦ http://www.wireshark.org/docs/

Wireshark Wiki
◦ http://wiki.wireshark.org

Network Analysis Using Wireshark Cookbook
◦ http://www.amazon.com/Network-Analysis-Using-Wireshark-Cookbook/dp/1849517649
Q&A