Wireshark_Tutorial
and Analysis:
Wireshark Tutorial
Outline
What is Wireshark?
Capturing Packets
Analyzing Packets
Filtering Packets
Saving and Manipulating Packets
Packet Statistics
Colorizing Specific Packets
References
What is Wireshark?
The De-Facto Network Protocol Analyzer
◦ Open-Source (GNU General Public License)
◦ Multi-platform (Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others)
◦ Easily extensible
◦ Large development group
Tshark
◦ Tcpdump-like command-line capture program that comes with Wireshark
◦ Very similar behavior and flags to tcpdump
Wireshark
◦ GUI that captures packets and displays packet traces, including captures saved by tcpdump/tshark
Tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
What does a line convey?
Reading the first line from left to right:
◦ Timestamp (01:46:28.808262)
◦ "IP": this is an IP packet
◦ Source host name (danjo.CS.Berkeley.EDU), followed by the source port printed as a service name (ssh = port 22)
◦ ">" then the destination host name and port (2481)
◦ TCP flags ("." means none of SYN/FIN/RST/PSH is set, "P" is PSH), the sequence number range with the payload length in parentheses, the acknowledgement number and the window size
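A parser for the tcpdump line format shown above, added here as a worked example (it is not part of the original tutorial). It targets the classic tcpdump output style on the slide, where flags print as "." or "P" and the first segment of a connection carries absolute sequence numbers. The service-name table is an assumption standing in for /etc/services so the code runs offline, and the sample lines are the four from the slide with the wrapped host name re-joined.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: a tiny stand-in for /etc/services, so the example runs offline.
# tcpdump printed "ssh" for port 22 because it resolved the port to a service name.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}

# Classic tcpdump TCP line:
#   <time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<len>)] [ack <n>] win <n>
# Flags print as "." (none of S/F/R/P set) or letters such as "P" (PSH) or "S" (SYN).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>[^\s.:]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^\s.:]+): "
    r"(?P<flags>[A-Z.]+)"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


@dataclass
class TcpLine:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq_start: Optional[int]   # None for a pure ACK carrying no data
    seq_end: Optional[int]
    length: int                # payload bytes in this segment
    ack: Optional[int]
    win: int


def port_number(token: str) -> int:
    """Turn the port as tcpdump printed it (number or service name) into an int."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name: {token}")


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> TcpLine:
    """Parse one tcpdump TCP line; raises ValueError on anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    g = m.groupdict()
    return TcpLine(
        ts=g["ts"],
        src=g["src"], sport=port_number(g["sport"]),
        dst=g["dst"], dport=port_number(g["dport"]),
        flags=g["flags"],
        seq_start=_opt_int(g["seq_start"]), seq_end=_opt_int(g["seq_end"]),
        length=int(g["length"] or 0),
        ack=_opt_int(g["ack"]), win=int(g["win"]),
    )


def conversation_bytes(lines):
    """Payload bytes sent in each direction, keyed by (src, sport, dst, dport)."""
    totals = {}
    for line in lines:
        p = parse_line(line)
        key = (p.src, p.sport, p.dst, p.dport)
        totals[key] = totals.get(key, 0) + p.length
    return totals


# The four lines from the slide, with the wrapped host name re-joined.
SAMPLE = [
    "01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816",
    "01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816",
    "01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560",
]

if __name__ == "__main__":
    for line in SAMPLE:
        p = parse_line(line)
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags} len={p.length} ack={p.ack}")
    for (src, sport, dst, dport), n in conversation_bytes(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} payload bytes")
```

The per-direction byte totals are the same numbers Wireshark's Conversations window reports for a stream; here 3508 bytes go from the ssh server to the client and 48 bytes come back.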
Filters
We are often not interested in all packets flowing through the network
Use filters to capture only packets of interest to us
Demo 2
1. Capture only UDP packets
• tcpdump "udp"
Demo 2 (contd.)
2. Capture only packets destined to quasar.cs.berkeley.edu
• tcpdump "dst host quasar.cs.berkeley.edu"
How to write filters
Refer to the tcpdump man page; the capture filter language itself is documented in pcap-filter(7)
Many example webpages on the Internet
Running tcpdump
Requires superuser/administrator privileges on Unix (capturing needs raw access to the network interface)
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware on your machine
So What is WireShark?
Packet sniffer/protocol analyzer
Open Source Network Tool
Successor to the Ethereal tool (the project was renamed Wireshark in 2006)
Wireshark Interface
Main window panes (annotated screenshot): Interfaces, Packet List, Packet Details, Packet Bytes, Status Bar
Capturing Packets (1/3)
Capture Options
Capture Filter
Capturing Packets (2/3)
Capture Options dialog (annotated screenshot):
◦ Capture filter
◦ Display options
◦ Capture in multiple files
◦ Name resolution options
◦ When to automatically stop the capture
Capturing Packets (3/3)
Example (W-LAN): the interface list also shows the Received Signal Strength Indication (RSSI) and the link speed (BW)
Capture Filter examples (pcap/BPF syntax, applied before packets are written to disk)
host 10.1.11.24
ip
tcp port 80 or tcp port 3389
tcp dst port 80
Note: capture filters use the pcap-filter syntax, not Wireshark's display filter syntax. "tcp.port==80 || tcp.port==3389" and "tcp.dstport == 80" are display filters; their capture filter equivalents are the two "tcp port" lines above. A capture filter cannot be undone after the fact, so a filter that is too narrow loses evidence permanently: when in doubt, capture broadly and narrow down with a display filter.
Display Filter
protocol.field (optional sub-fields):
◦ Every dissected protocol exposes named fields; expand a protocol in the Packet Details pane (click the "+" character) to see the field names.
◦ Examples:
◦ tcp.srcport == 80
◦ tcp.flags == 2
◦ SYN packet (only the SYN bit set; shown as 0x002 in the details pane)
◦ tcp.flags.syn == 1
◦ SYN bit set, whatever the other flags are
◦ tcp.flags == 18
◦ SYN/ACK (0x012)
Display Filter Expressions
snmp || dns || icmp
◦ Display SNMP, DNS or ICMP traffic.
tcp.port == 25
◦ Display packets with TCP source or destination port 25.
tcp.flags
◦ Display packets that have a TCP flags field, i.e. all TCP packets.
tcp.flags.syn == 1
◦ Display packets with the TCP SYN flag set. (tcp.flags.syn is a single bit, so compare it with 1 or 0; to match the whole flags field use tcp.flags == 0x002.)
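An added Python example (not from the original slides) showing what the two kinds of flag filters above actually test: tcp.flags == <value> is an exact match on the whole field, while tcp.flags.<name> == 1 tests a single bit. The packets are constructed; the ECN-setup SYN (SYN+ECE+CWR, as RFC 3168 specifies) is the case where the two filters diverge, which matters when you are hunting for connection attempts or scans.

```python
# Bit values of the TCP flags field, as Wireshark's tcp.flags shows them
# (9 flag bits; AE, formerly NS, is the accurate-ECN bit above CWR).
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "AE": 0x100,
}


def flags_value(names) -> int:
    """tcp.flags value for a set of flag names, e.g. {'SYN', 'ACK'} -> 0x012 (18)."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name.upper()]
    return value


def flag_names(value: int):
    """Names of the flags set in a tcp.flags value, lowest bit first."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def display_filter_string(names) -> str:
    """The exact-match display filter for these flags, e.g. 'tcp.flags == 0x012'."""
    return f"tcp.flags == 0x{flags_value(names):03x}"


def exact_filter(wanted: int):
    """Predicate equivalent to  tcp.flags == <wanted>  (every bit must agree)."""
    return lambda flags: flags == wanted


def bit_filter(name: str, must_be_set: bool = True):
    """Predicate equivalent to  tcp.flags.<name> == 1  (or == 0 when must_be_set is False)."""
    bit = TCP_FLAG_BITS[name.upper()]
    return lambda flags: bool(flags & bit) == must_be_set


def all_of(*predicates):
    """Combine predicates the way a display filter's && does."""
    return lambda flags: all(pred(flags) for pred in predicates)


def count_matches(predicate, packets) -> int:
    return sum(1 for pkt in packets if predicate(pkt["flags"]))


# Constructed sample: two connection attempts and their replies. The second client
# negotiates ECN, which RFC 3168 signals by setting ECE and CWR on the SYN.
SAMPLE_PACKETS = [
    {"info": "plain SYN",          "flags": flags_value({"SYN"})},
    {"info": "SYN with ECN setup", "flags": flags_value({"SYN", "ECE", "CWR"})},
    {"info": "SYN/ACK",            "flags": flags_value({"SYN", "ACK"})},
    {"info": "SYN/ACK with ECE",   "flags": flags_value({"SYN", "ACK", "ECE"})},
]

# tcp.flags == 2 : only a SYN with nothing else set
SYN_EXACT = exact_filter(0x002)
# tcp.flags.syn == 1 && tcp.flags.ack == 0 : every connection attempt, ECN or not
SYN_REQUEST = all_of(bit_filter("SYN"), bit_filter("ACK", must_be_set=False))

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt['info']:20} tcp.flags=0x{pkt['flags']:03x} {flag_names(pkt['flags'])}")
    print("tcp.flags == 2 matches:", count_matches(SYN_EXACT, SAMPLE_PACKETS))
    print("syn == 1 && ack == 0 matches:", count_matches(SYN_REQUEST, SAMPLE_PACKETS))
```

When a filter is meant to catch every connection attempt (SYN-scan triage, half-open connection counts), use the per-bit form; the exact form silently drops ECN-capable clients and anything else that sets an extra bit.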
Analyzing Packets (1/9)
❖ Ethernet Frame Example
Analyzing Packets (2/9)
IP Packet Example
Analyzing Packets (3/9)
TCP connection phases shown in the capture: data transfer, disconnect
Reliable
The byte stream is broken up into chunks called segments
Detecting errors:
TCP carries a checksum that covers the header and the data (together with an IP pseudo-header). Segments with an invalid checksum are discarded; because no ACK comes back for them, the sender retransmits.
Byte Stream Service
To the lower layers, TCP handles data in blocks, the segments.
To the higher layers, TCP presents the data as a sequence of bytes and preserves no boundaries between the sender's writes.
So: higher layers do not know about the beginning and end of segments!
Example (figure): the sending application does 1. write 100 bytes, 2. write 20 bytes. The bytes queue at the sending TCP, travel as segments and queue at the receiving TCP, and the receiving application reads them back as 1. read 40 bytes, 2. read 40 bytes, 3. read 40 bytes.
TCP Format
TCP segments have a 20 byte header with >= 0 bytes of data.
Header layout (bits 0 to 15 in the left half of each 32-bit word, 16 to 31 in the right half):
◦ Source port (16 bits) | Destination port (16 bits)
◦ Sequence number (32 bits)
◦ Acknowledgement number (32 bits)
◦ Header length (4 bits) | reserved (0) | Flags | Window size (16 bits)
◦ TCP checksum (16 bits) | Urgent pointer (16 bits)
◦ Options (0 or more 32-bit words)
◦ DATA
The first five rows are the fixed 20 bytes.
TCP header fields
Port Number:
◦ A port number identifies the endpoint of a connection.
◦ A pair <IP address, port number> identifies one endpoint of a connection.
◦ Two pairs, <client IP address, client port number> and <server IP address, server port number>, identify a TCP connection.
TCP header fields
Sequence Number (SeqNo):
◦ Sequence number is 32 bits long.
◦ So the range of SeqNo is 0 <= SeqNo <= 2^32 - 1, i.e. about 4.3 Gbytes of stream before the number wraps around
◦ Each sequence number identifies a byte in the byte stream
◦ Initial Sequence Number (ISN) of a connection is set during connection establishment; it must be hard to guess, since an off-path attacker who can predict it can inject or reset segments (RFC 6528)
TCP header fields
Acknowledgement Number (AckNo):
◦ Acknowledgements are piggybacked, i.e. a segment from A -> B can contain an acknowledgement for data sent in the B -> A direction
◦ A host uses the AckNo field to send acknowledgements. (If a host sends an AckNo in a segment it sets the "ACK flag")
◦ The AckNo contains the next SeqNo that a host wants to receive
Example: The acknowledgement for a segment with sequence numbers 0-1500 is AckNo=1501
TCP header fields
Acknowledgement Number (cont'd)
◦ TCP uses the sliding window flow protocol (see CS 457) to regulate the flow of traffic from sender to receiver
◦ TCP uses the following variation of sliding window:
◦ no NACKs (Negative ACKnowledgement)
◦ only cumulative ACKs (the optional SACK extension, RFC 2018, lets a receiver additionally report which later blocks it already holds, but the AckNo itself stays cumulative)
Example:
Assume: Sender sends two segments with "1..1500" and "1501..3000", but the receiver only gets the second segment.
In this case, the receiver cannot acknowledge the second segment. It can only send AckNo=1
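An added Python model of the cumulative-ACK receiver described above (my example, not code from the course): it replays the slide's lost-first-segment scenario, handles duplicates and overlapping retransmissions, and also computes the ranges a SACK option would carry for the data it is holding out of order. Segment contents are constructed.

```python
class CumulativeAckReceiver:
    """Receiver side of TCP's sliding window using cumulative ACKs only."""

    def __init__(self, first_seq: int = 1):
        self.next_expected = first_seq   # the AckNo we send: next byte we want
        self.pending = {}                # seq -> data of segments not yet deliverable
        self.delivered = bytearray()     # in-order bytes handed to the application

    def receive(self, seq: int, data: bytes) -> int:
        """Process one arriving segment and return the AckNo to send back."""
        self.pending[seq] = data
        self._deliver_in_order()
        return self.next_expected

    def _deliver_in_order(self) -> None:
        progressed = True
        while progressed:
            progressed = False
            for seq in sorted(self.pending):
                data = self.pending[seq]
                end = seq + len(data)
                if end <= self.next_expected:
                    del self.pending[seq]            # old duplicate: nothing new in it
                    progressed = True
                    break
                if seq <= self.next_expected:
                    # Fills the gap (possibly overlapping bytes we already have).
                    self.delivered += data[self.next_expected - seq:]
                    self.next_expected = end
                    del self.pending[seq]
                    progressed = True
                    break
                # seq > next_expected: there is still a hole before it; keep holding it.

    def sack_blocks(self):
        """Contiguous out-of-order ranges, as a SACK option (RFC 2018) would report them.

        Each block is (left edge, right edge), right edge exclusive, like the option."""
        blocks = []
        for seq in sorted(self.pending):
            end = seq + len(self.pending[seq])
            if blocks and seq <= blocks[-1][1]:
                blocks[-1] = (blocks[-1][0], max(end, blocks[-1][1]))
            else:
                blocks.append((seq, end))
        return blocks


def lost_first_segment_scenario():
    """Slide example: 1..1500 is lost, 1501..3000 arrives, then 1..1500 is retransmitted."""
    rx = CumulativeAckReceiver(first_seq=1)
    acks = []
    acks.append(rx.receive(1501, b"B" * 1500))   # only the second segment arrives
    acks.append(rx.receive(1, b"A" * 1500))      # retransmission of the first one
    return acks, bytes(rx.delivered)


if __name__ == "__main__":
    acks, stream = lost_first_segment_scenario()
    print("AckNo sent after each arrival:", acks)        # [1, 3001]
    print("bytes delivered in order:", len(stream))
```

The first ACK is 1 even though 1500 bytes have arrived, which is exactly why a sender without SACK has to guess which segment was lost; sack_blocks() shows what the receiver could have told it.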
TCP header fields
Header Length (4 bits):
◦ Length of header in 32-bit words
◦ Note that the TCP header has variable length (minimum 20 bytes, i.e. a field value of 5); a value below 5, or one that extends past the end of the segment, is invalid and a parser must reject it
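The header layout, the checksum rule from the Reliable section and the header-length check above, worked as an added Python example (not code from the original tutorial). It builds two segments with made-up addresses, ports and sequence numbers, parses them back, and verifies the checksum over the IPv4 pseudo-header; socket.inet_aton is used only to encode the sample addresses.

```python
import socket
import struct
from dataclasses import dataclass

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP/IP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                          # an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                           # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field is currently zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """With a correct checksum in place, the sum over pseudo-header + segment is 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  options=b"", payload=b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)     # options are padded to a 32-bit boundary
    data_offset = (20 + len(options)) // 4       # header length in 32-bit words
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + options + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + options + payload


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    header_len: int      # in bytes, 20 plus options
    flags: int           # 9 flag bits, as Wireshark's tcp.flags shows them
    window: int
    checksum: int
    urgent: int
    options: bytes
    payload: bytes


def parse_segment(segment: bytes) -> TcpHeader:
    """Parse the fixed header, validate the data offset, and split options from payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    return TcpHeader(sport, dport, seq, ack, header_len, off_flags & 0x1FF, window, csum, urg,
                     segment[20:header_len], segment[header_len:])


# Constructed example: a SYN from 10.1.11.24 to port 80 carrying an MSS option, then
# the first data segment of the same connection (all addresses and numbers are made up).
SRC, DST = "10.1.11.24", "10.1.11.1"
MSS_1460 = bytes([2, 4, 0x05, 0xB4])
SYN = build_segment(SRC, DST, 40000, 80, 1000, 0, 0x002, 65535, options=MSS_1460)
DATA = build_segment(SRC, DST, 40000, 80, 1001, 5001, 0x018, 65535,
                     payload=b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("DATA", DATA)):
        h = parse_segment(seg)
        print(f"{name}: hdr_len={h.header_len} flags=0x{h.flags:03x} "
              f"options={h.options.hex()} payload={h.payload!r} checksum_ok={checksum_ok(SRC, DST, seg)}")
```

The pseudo-header is why a segment that is byte-for-byte intact still fails its checksum when it is delivered to the wrong address: the test below flips one payload bit and, separately, changes only the destination address, and both are rejected.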
Analyzing Packets (5/9)
Flow Graph
◦ Gives a graphical view of the packet exchange, for a better understanding of what we see
Analyzing Packets (6/9)
Flow Graph
Analyzing Packets (7/9)
(TCP stream graph: stable stream bandwidth)
Filtering Packets (1/4)
Applying Filter when Capturing Packets
Saving and Manipulating Packets (1/3)
Save only displayed packets
Saving and Manipulating Packets (2/3)
Protocol Hierarchy
Packet Statistics (2/8)
Conversation
◦ Traffic between two specific endpoints
Packet Statistics (8/8)
(TCP stream graph: Seq No [B] against Time [Sec])
Colorizing Specific Packets (1/4)
Packet Colorization
◦ Colorize packets according to a filter
◦ Lets you emphasize the packets you are interested in
◦ A lot of Coloring Rule examples at the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules
We want to watch a specific protocol throughout the capture file
Colorizing Specific Packets (2/4)
Colorizing Specific Packets (3/4)
Colorizing Specific Packets (4/4)
References
Wireshark Website
◦ http://www.wireshark.org
Wireshark Documentation
◦ http://www.wireshark.org/docs/
Wireshark Wiki
◦ http://wiki.wireshark.org