Contents
1. A Brief Introduction of Wireshark
2. How to Capture Wireshark Packets
3. Display and Analyze the Packets
4. Case Study
1. A Brief Introduction of Wireshark

A Brief History of Wireshark
1997: Gerald Combs started to develop Ethereal.
1998: The first edition, v0.2.0, came out, and more people joined the improvement of Ethereal.
2006: Ethereal was renamed Wireshark because of a trademark issue.
2014: Wireshark is still the world's most popular network protocol analyzer.
Wireshark is a free and open-source packet analyzer, used for network troubleshooting, software and communication protocol development, etc.

Main Functions of Wireshark
- Capture live packet data from a network interface
- Display the packets with detailed protocol information, capture time, source, and destination
- Filter and search packets on many criteria to get the ones you are looking for
- Open and save captured packet data
- Import and export packet data from and to a lot of other capture programs
- ... and a lot more
Note: Wireshark only captures packets that already exist on the network; it does not produce or send new packets to the network.
2. How to Capture Wireshark Packets
Understand Where to Install Wireshark
IPC, DVR/NVR, VMS, PC, switch, gateway, and other network devices together form a large network. To capture the packets we want, where should we install Wireshark?
① Situation 1: Network issues between your PC and the IPC/DVR
Example: You are running iVMS-4200 or a web browser on your PC, trying to live view/playback the video from the IPC/DVR, but it fails. If you want to capture the communication packets between your PC and the IPC/DVR, just run Wireshark on the PC and start the capture.
② Situation 2: Network issues between your IPC and NVR
Example: To capture the communication packets between the IPC and the NVR, you can capture on either the IPC side or the NVR side. Taking the NVR side as an example: unplug the network cable of the NVR, plug the cable into a hub, connect both the NVR and the capture PC to the hub, then start the capture. (You can also use a switch with a port mirror function instead of the hub here.)
[Figure: Situation 1 (Wireshark on the PC, on the same network as the IPC/DVR); Situation 2 (NVR and capture PC connected through a hub)]
How to Capture Network Packets
Step 1 – Download Wireshark from http://www.wireshark.org/download.html
Step 2 – Install and run Wireshark on the capture PC, then click File >> Interfaces.
Step 3 – Select the interface you want to capture on, then click Start next to the interface to capture, or click Options to enter the advanced capture settings.
Step 3 – Advanced Capture Options:
- Capture Interface
- Capture Filter
- Display Options and Name Resolution
- Stop Capture Rule: use a new capture file when a specific trigger condition is reached.
- If you know the size of the packets you need to capture, you can set the packet size limit here.
- Uncheck the promiscuous-mode option to capture only the packets going to or from your computer (not all packets on your LAN segment).
Step 4 – After the capture starts, reproduce the network issue you encountered on the IPC/DVR/VMS.
Step 5 – Stop the capture, then save the capture file.
3. Display and Analyze the Packets
Display Filters

Comparison operators
  English   C-style   Meaning
  eq        ==        equal
  ne        !=        not equal
  gt        >         greater than
  lt        <         less than
  ge        >=        greater or equal
  le        <=        less or equal

Logical operators
  English   C-style   Meaning
  and       &&        logical and
  or        ||        logical or
  xor       ^^        logical xor
  not       !         logical not

Examples
  ip.addr == 10.1.1.1                          Display the packets whose source or destination IP is 10.1.1.1
  ip.src == 10.1.2.3 and ip.dst != 10.4.5.6    Display the packets whose source IP is 10.1.2.3 and whose destination IP is not 10.4.5.6
  tcp.port == 25                               Display the TCP packets whose source or destination port is 25
  tcp.dstport == 25                            Display the TCP packets whose destination port is 25
  snmp || dns || icmp                          Display SNMP, DNS and ICMP packets
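The operator tables and sample filters above, worked through in an added example (this is not code from the deck or from Wireshark): a small evaluator for this subset of the display-filter syntax, run over constructed frame records. Field and protocol names follow Wireshark's; the frames, their addresses and ports are made up.

```python
import operator, re

# Constructed sample frames standing in for a decoded capture (not real traffic).
FRAMES = [
    {"no": 1, "protos": {"ip", "tcp"}, "ip.src": "10.1.2.3", "ip.dst": "10.1.1.1", "tcp.srcport": 51000, "tcp.dstport": 25},
    {"no": 2, "protos": {"ip", "udp", "dns"}, "ip.src": "10.1.1.1", "ip.dst": "10.4.5.6", "udp.dstport": 53},
    {"no": 3, "protos": {"ip", "icmp"}, "ip.src": "10.4.5.6", "ip.dst": "10.1.2.3"},
    {"no": 4, "protos": {"ip", "tcp"}, "ip.src": "10.1.2.3", "ip.dst": "10.4.5.6", "tcp.srcport": 25, "tcp.dstport": 52000},
]
# As in Wireshark, ip.addr and tcp.port match either direction (a hit on any occurrence counts).
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
# The English spellings from the operator tables above, normalised to the C-style forms.
WORDS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
         "and": "&&", "or": "||", "xor": "^^", "not": "!"}
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
LOGIC = {"||": (1, operator.or_), "^^": (2, operator.xor), "&&": (3, operator.and_)}  # precedence: || < ^^ < &&
TOKEN = re.compile(r"==|!=|>=|<=|&&|\|\||\^\^|[<>!]|[\w.]+")

def evaluate(expr, frame):
    """Evaluate one display filter against one decoded frame (precedence climbing; ! binds tightest)."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):  # reject anything the tokenizer silently skipped, e.g. a lone '='
        raise ValueError("unrecognised characters in display filter: %r" % expr)
    toks, pos = [WORDS.get(t, t) for t in toks] + [None], 0  # None marks the end of input
    def atom():
        nonlocal pos
        t, pos = toks[pos], pos + 1
        if t == "!":
            return not atom()
        if toks[pos] in CMP:  # field <op> value; ports are integers, addresses compare as strings
            op, val, pos = toks[pos], toks[pos + 1], pos + 2
            return any(CMP[op](frame[n], int(val) if isinstance(frame[n], int) else val)
                       for n in ALIASES.get(t, (t,)) if n in frame)
        return t in frame["protos"]  # bare protocol name such as "dns"
    def binary(min_prec):
        nonlocal pos
        lhs = atom()
        while toks[pos] in LOGIC and LOGIC[toks[pos]][0] >= min_prec:
            (prec, fn), pos = LOGIC[toks[pos]], pos + 1
            lhs = fn(lhs, binary(prec + 1))
        return lhs
    result = binary(1)
    if toks[pos] is not None:
        raise ValueError("unexpected token %r in display filter" % toks[pos])
    return result

def filter_frames(expr, frames=FRAMES):
    """Frame numbers the packet list would show with this display filter applied."""
    return [f["no"] for f in frames if evaluate(expr, f)]
```

A single `=` is not a comparison operator in this syntax and is rejected, which is why the examples above use `==`.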
Packet Display Panel
Packet Details: this pane displays the information of the selected packet in detail, divided into groups according to the OSI layer.
On the left is the packet details pane; on the right, the packet bytes pane shows the packet data in hexdump style.
Status bar:
-- The network interface used in the capture
-- The capture state: in progress or stopped
-- The save path of the capture file, and the size of the captured packets
-- No. of captured packets, No. of displayed packets, No. of marked packets
Capture Device Basic Packets
[Screenshot captions]
- Device is not connected
- TCP handshake between VMS and DVR
- Heartbeat between DVR and VMS
- The RTP frames of the video stream are consecutive.
RTSP protocol: the captured RTSP exchange shows 1. the streaming protocol, 2. the encoding standard, 3. the streaming port, 4. the channel No., and 5. the stream type.
A UPnP-enabled device sends packets to the network including the device location, UUID, and basic device information.
- Get the network parameters of the DVR
- Get the network parameters of a disconnected DVR
4. Case Study
Case Study – Playback Failure on iVMS-4200
Case study: A customer tries to remotely live view/playback a DS-7316HFI-ST DVR on IE and iVMS-4200. He finds that live view and playback on IE are good, and live view on iVMS-4200 is good, but playback on iVMS-4200 prompts a failure message. Below is the Wireshark capture of the playback failure on iVMS-4200.
Conclusion: Using a display filter to find the related TCP packet, the value 0x320 in hex is 800 in decimal, and 800 means the device is running out of network bandwidth. For the DS-7300HFI-ST (60 Mbps in total), one channel of playback on iVMS-4200 consumes 12 Mbps of bandwidth. Hence, if there is not more than 12 Mbps of bandwidth available, iVMS-4200 prompts a failure message on playback.
Case Study – NTP
Case study: Using Wireshark to capture the DVR's NTP packets.
[Screenshot captions]
- NTP communication packets between the NTP server and client
- The source/destination IP and port of the NTP request
- Synced UTC time
Case Study – Stream Media Server
Case study: Using Wireshark to capture the stream forwarding packets sent via the stream media server.
While using iVMS-4200 to live view the cameras via the stream media server, you will be able to capture the stream packets if the stream media server successfully forwards the video stream.
[Screenshot captions]
- Stream media server is running
- Stream media server is closed
Case Study – Third-party IPC Online Search
Case study: A customer installed a Liftmaster gateway on his router to control a gate over the network. After he plugs a DS-9600NI-ST V3.0.0 NVR into the same router, the Liftmaster stops working, and it works again as soon as he unplugs the NVR. Below are the captured broadcast packets. The cause was found to be that some of the UDP destination ports of these broadcasts happen to be the working port of the Liftmaster, which may have caused port interference. In V3.0.2 firmware, this broadcast for third-party IPC search, previously sent at an interval of 15 seconds, has been changed to be sent once while the NVR is booting up.
Third-party IPC online search broadcasts:
- Broadcast on UDP port 3702 - 2 packets of approximately 1670 bytes every 17 seconds (ONVIF IPC)
- Broadcast on UDP port 10670 - 1 packet of approximately 100 bytes every 17 seconds (Panasonic IPC)
- Broadcast on UDP port 2380 - 1 packet of approximately 60 bytes every 17 seconds (SONY IPC)
- Broadcast on UDP port 10001 - 1 packet of approximately 76 bytes every 17 seconds (SANYO IPC)
- Broadcast on UDP port 1757 - 1 packet of approximately 60 bytes every 17 seconds (BOSCH IPC)
- Broadcast on UDP port 6005 - 1 packet of approximately 60 bytes every 17 seconds (ACTi IPC)
- Broadcast on UDP port 69 - 1 packet of approximately 64 bytes every 17 seconds (ARECONT IPC)
- Broadcast on UDP port 7701 - 1 packet of approximately 300 bytes every 17 seconds (SAMSUNG IPC)
- Broadcast on UDP port 4022 - 1 packet of approximately 120 bytes every 17 seconds (HUNT IPC)
- Multicast to 224.0.0.251, UDP port 5353 - 2 packets of approximately 88 bytes each every 17 seconds (AXIS IPC)
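The per-port summary above, as an added example (not material from the deck): constructed packet-list rows from a capture on the NVR's segment are grouped by destination address and port, clustered into bursts, and summarised as packets per burst, size and period, which is how a periodic talker like this NVR can be characterised from a capture. The NVR address 192.168.1.50, the row layout and all timings are made up; only three of the ports listed above are simulated.

```python
from ipaddress import ip_address
from statistics import mean

BROADCAST = "255.255.255.255"

def burst(t0, src="192.168.1.50"):
    """One round of the NVR's discovery probes starting at t0 seconds (constructed rows:
    time, src, dst, protocol, dst port, frame length; sizes mimic the ONVIF/SONY/AXIS lines)."""
    return [(t0, src, BROADCAST, "udp", 3702, 1672), (t0 + 0.01, src, BROADCAST, "udp", 3702, 1668),
            (t0 + 0.02, src, BROADCAST, "udp", 2380, 60),
            (t0 + 0.03, src, "224.0.0.251", "udp", 5353, 88), (t0 + 0.04, src, "224.0.0.251", "udp", 5353, 88)]

# Three rounds 17 s apart plus one unrelated unicast TCP frame, standing in for a real packet list.
ROWS = burst(0.0) + [(5.4, "192.168.1.20", "192.168.1.50", "tcp", 8000, 74)] + burst(17.0) + burst(34.0)

def is_broadcast(dst):
    return dst == BROADCAST or ip_address(dst).is_multicast

def broadcast_profile(rows, src, gap=1.0):
    """Per (dst, port) sent by src: packets per burst, mean frame length, mean seconds between bursts.
    Packets closer together than `gap` seconds belong to the same burst."""
    groups = {}
    for t, s, d, proto, port, length in sorted(rows):
        if s == src and proto == "udp" and is_broadcast(d):
            groups.setdefault((d, port), []).append((t, length))
    profile = {}
    for key, pkts in groups.items():
        bursts = [[pkts[0]]]
        for t, length in pkts[1:]:
            if t - bursts[-1][-1][0] > gap:
                bursts.append([])
            bursts[-1].append((t, length))
        starts = [b[0][0] for b in bursts]
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        profile[key] = {"per_burst": round(mean(len(b) for b in bursts)),
                        "bytes": round(mean(length for b in bursts for _, length in b)),
                        "interval": round(mean(gaps)) if gaps else None}  # None: seen only once
    return profile

def describe(profile):
    """Render the profile as lines in the style of the list above, lowest port first."""
    lines = []
    for (dst, port), p in sorted(profile.items(), key=lambda kv: kv[0][1]):
        kind = "Broadcast on" if dst == BROADCAST else "Multicast to %s," % dst
        unit = "packet" if p["per_burst"] == 1 else "packets"
        lines.append("%s UDP port %d - %d %s of approximately %d bytes every %s seconds"
                     % (kind, port, p["per_burst"], unit, p["bytes"], p["interval"]))
    return lines
```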