Introduction to Wireshark - Faculteit Wiskunde en … tozceleb/2IC60/Lab1.pdf · 2017-05-01

Page 1

Introduction to Wireshark

Based in part on Computer Networking: A Top-Down Approach by Kurose and Ross

Page 2

VirtualBox

To import a virtual machine on VirtualBox:
• File > Import Appliance
• Select the OVA file you downloaded from the course website.

Page 3

Wireshark is a packet sniffer

• The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer.

• A packet sniffer itself is passive.
• It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer.

Page 4

Analyzing packets with Wireshark

• A packet analyzer displays the contents of all fields within a protocol message.

• The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer.

Page 5

Running Wireshark

• Use the virtual machine provided
• Wireshark is already installed
• VirtualBox password is: secnet
• Open a terminal (CTRL-T) and type sudo wireshark
− sudo gives added permissions so capturing is possible.

• Install Wireshark on your own machine
• You will still need the VM for later labs.
• http://www.wireshark.org/download.html
• For capturing you will need to install the driver when installing, or run Wireshark in administrator mode.
− Without this, Wireshark will likely show no network interfaces.

Page 6

Wireshark - interface

Page 7

Wireshark window sections

• Command menu, e.g.
• File: save captured packet data or open a packet data file
• Capture: to begin packet capture

• Packet listing window: includes packet number (assigned by Wireshark), time, packet source and destination address, protocol type, and other explanations (info)

• Packet header details window

• Packet content in hexadecimal formatting

Page 8

Test Run With Wireshark

• STEPS
1. Start up your favorite web browser, which will display your selected homepage.
2. Start up the Wireshark software. Wireshark has not yet begun capturing packets.
3. To begin packet capture, select the Capture pulldown menu and select Interfaces. This will cause the “Wireshark: Capture Interfaces” window to be displayed.
4. You’ll see a list (*) of the interfaces on your computer as well as a count of the packets that have been observed on that interface so far. Click on Start for the interface on which you want to begin packet capture. Packet capture will now begin: Wireshark is now capturing all packets being sent/received from/by your computer!

(*) If the list is empty, Wireshark may not have permission; see the installation instructions on how to address this.

Page 9

Test Run With Wireshark (continued)

5. By selecting Capture pulldown menu and selecting Stop, you can stop packet capture. But don’t stop packet capture yet. Let’s capture some interesting packets first. To do so, we’ll need to generate some network traffic. Let’s do so using a web browser, which will use the HTTP protocol.

6. While Wireshark is running, enter the URL: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page displayed in your browser. In order to display this page, your browser will contact the HTTP server at gaia.cs.umass.edu and exchange HTTP messages with the server in order to download this page. The Ethernet frames containing these HTTP messages (as well as all other frames passing through your Ethernet adapter) will be captured by Wireshark.

Page 10

Test Run With Wireshark (continued)

7. After your browser has displayed the INTRO-wireshark-file1.html page (it is a simple one line of congratulations), stop Wireshark packet capture by selecting stop in the Wireshark capture window.

Note: You now have live packet data that contains all protocol messages exchanged between your computer and other network entities! The HTTP message exchanges with the gaia.cs.umass.edu web server should appear somewhere in the listing of packets captured. But there will be many other types of packets displayed as well (the many different protocol types). Even though the only action you took was to download a web page, there were evidently many other protocols running on your computer that are unseen by the user.

SEC / Mathematics and Computer Science

Page 11

Test Run With Wireshark (continued)

8. Type http (all protocol names are lower case in Wireshark) into the display filter specification window at the top of the main Wireshark window. Then select Apply (to the right of where you entered “http”). This will cause only HTTP messages to be displayed in the packet-listing window.

9. Find the HTTP GET message that was sent from your computer to the gaia.cs.umass.edu HTTP server. When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message header information will be displayed in the packet header window. By clicking on the ‘+’ and ‘-’ (right-pointing and down-pointing) arrowheads to the left side of the packet details window, minimize the amount of Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information displayed. Maximize the amount of information displayed about the HTTP protocol.

Page 12

Exercises Intro, Exercise 1

The first three exercises refer to the test run you just performed. The final exercise uses a prepared capture (pcap) file. Hints and solutions are given after each exercise. A short lessons-learned section at the very end discusses what to ‘take away’ from these exercises.

Exercise 1
• How long did it take from when the HTTP GET message was sent until the HTTP OK reply was received?

Page 13

Hint 1

• By default, the value of the Time column in the packet listing window is the amount of time, in seconds, since Wireshark tracing began.

• To display the Time field in time-of-day format, select the Wireshark View pull-down menu, then select Time Display Format, then select Time-of-day.

Page 14

Exercise 2

Extract IP addresses:
• What is the Internet address of gaia.cs.umass.edu (also known as www.net.cs.umass.edu)?
• What is the Internet address of your computer?

Page 15

Hint 2

• You’ll mostly see two IPs in the HTTP traffic. Consider which would be the client (you) and which the server.

Page 16

Exercise 3

Exporting messages for use elsewhere:
• Print the two HTTP messages displayed in step 9 above to file.

Page 17

Hint/Solution 3

• To print, select Print from the Wireshark File command menu, select “Selected Packet Only” and “Print as displayed”, and then click OK.
− Make sure to select print to file.

Page 18

Exercise 4

The pcap file

security1.win.tue.nl/~aamadori/2IC60/Lab1/HTTP_traffic.pcap

contains some traffic captured during web browsing.

• Load the file in Wireshark
a) What image was looked at?
b) What action was taken, with what parameters?

Page 19

Hint 4

• Web traffic uses http
• You can filter to only show messages for a certain protocol.
• In HTTP, POST and GET requests are used to send data between a client and a web server.

Page 20

Solution 4

a) Oink.

b) Order a pizza:
• with Bacon, Cheese and Mushroom.
• no Pineapple please!
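As an added example (not part of the lab slides), a stdlib-only Python script that does offline what Exercises 1, 2 and 4 ask you to do by hand in Wireshark: read a classic pcap file, pick out the frames that carry HTTP, compute the GET-to-200 OK delay from Wireshark-style relative timestamps, identify the client and server IPs, and list the requested paths and decoded POST form fields. The trace is constructed inline (the pcap writer, dummy MACs, addresses and payloads are all assumptions); it assumes microsecond-resolution classic pcap rather than pcapng, IPv4 over Ethernet, and HTTP messages that fit in a single TCP segment.

```python
import struct
from urllib.parse import parse_qs

def frame(src, dst, payload):
    # Constructed Ethernet/IPv4/TCP frame (dummy MACs, client port 12345 -> server port 80) around an HTTP payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
def build_pcap(frames):
    # Classic pcap: global header (little-endian magic, LINKTYPE_ETHERNET=1), then per frame (sec, usec, len, len, data)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(data), len(data)) + data
    return out

def http_records(pcap):
    """[(seconds since first frame, src ip, dst ip, request/status line, body)] for frames carrying HTTP."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, t0, recs = 24, None, []
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        data, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ts = sec + usec / 1e6; t0 = ts if t0 is None else t0   # Wireshark's default Time column: relative to frame 1
        if len(data) < 54 or data[12:14] != b"\x08\x00" or data[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        src, dst = ".".join(map(str, data[26:30])), ".".join(map(str, data[30:34]))
        tcp = 14 + (data[14] & 0x0F) * 4                    # IP header length from IHL
        payload = data[tcp + (data[tcp + 12] >> 4) * 4:]    # TCP header length from data offset
        if payload[:4] in (b"GET ", b"POST") or payload[:5] == b"HTTP/":
            head, _, body = payload.partition(b"\r\n\r\n")
            recs.append((round(ts - t0, 6), src, dst, head.split(b"\r\n")[0].decode(), body.decode()))
    return recs

def analyze_get(recs):
    """Exercises 1 and 2: (seconds from the GET to its 200 OK, client ip, server ip)."""
    g = next(r for r in recs if r[3].startswith("GET "))
    ok = next(r for r in recs if r[0] >= g[0] and r[3].startswith("HTTP/1.1 200"))
    return round(ok[0] - g[0], 6), g[1], g[2]              # the GET's source is the client, its destination the server
def requests_and_post_params(recs):
    """Exercise 4: paths of everything requested (images included) and the decoded form fields of POSTs."""
    paths = [r[3].split()[1] for r in recs if r[3].split()[0] in ("GET", "POST")]
    params = {k: v for r in recs if r[3].startswith("POST ") for k, v in parse_qs(r[4]).items()}
    return paths, params
# Constructed sample trace (not the lab's HTTP_traffic.pcap): a GET for an image, its reply, and a form POST
SAMPLE = build_pcap([
    (1000.0000, frame("192.0.2.10", "198.51.100.5", b"GET /pig.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1000.0235, frame("198.51.100.5", "192.0.2.10", b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n")),
    (1001.5000, frame("192.0.2.10", "198.51.100.5", b"POST /order HTTP/1.1\r\nHost: example.test\r\n\r\ntopping=bacon&topping=cheese&pineapple=no")),
])
```

Running `http_records` on a real capture instead of `SAMPLE` gives the same three answers for that trace; the display filter `http` in Wireshark corresponds to the payload check in the loop.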

Page 21

Lessons learned, takeaways.

• Prep: How to capture traffic with Wireshark.
1. How to investigate specific aspects of recorded network traffic; where to find certain information in Wireshark.
2. How to interpret messages and extract important data such as IP addresses. Realize which information belongs to which machine (your IP vs the server's IP).
3. How to store/export information for external reporting.
4. A first off-line forensics use case: how to investigate recorded traffic and extract information from network traces.
