This is a simple introductory Wireshark training slideshow.
WIRESHARK Basics
Moshe Haviv January [email protected]
Contents
What is WIRESHARK?
Basic Network Sniffing
Display filtering
Capture filtering
RTP Stream Analysis
What is WIRESHARK?
WIRESHARK is a Network Packet Analyzer
If installed with WinPcap it can also collect packets from the network
If AirPcap (not free) is installed, full USB-based 802.11 capture and analysis is possible
The latest WIRESHARK version as of December 2009 is 1.2.5
It is an Open Source Software project
Who needs/uses WIRESHARK?
Any regular user who wants to know what his/her computer sends to the network and receives from it.
R&D Engineers to debug their protocol implementations: signaling protocols, and applications that communicate with other network devices/applications (send/receive payloads)
Network administrators to troubleshoot their networks
Network Security Engineers to discover security breaches and deficiencies
Technical personnel who want to learn the workings of the protocols (signaling and media)
Installing WIRESHARK
Get the latest version from the official site http://www.wireshark.org/
WIRESHARK can be installed as an application, or the source code can be downloaded to build a new tailored application
By using Lua, a lightweight scripting language, new dissectors and properties can be added http://en.wikipedia.org/wiki/Lua_(programming_language)
Basic WIRESHARK features
WIRESHARK supports hundreds of protocols http://www.wireshark.org/docs/dfref/
Live capture and offline analysis
Multiplatform support: Windows, Linux, Solaris, Mac
Multi-media support: Ethernet, ATM etc.
Rich VOIP analysis
Captured data browsing in GUI or in TTY mode (TSHARK)
R/W many different capture file formats: tcpdump (libpcap), MS Network Monitor, Network General Sniffer®, RADCOM WAN/LAN Analyzer and many others.
Output can be exported to XML, PostScript® or simple text
Platform/Media support table
How do we capture packets from the network? Where to connect?
What do we want to capture?
Basic Architecture: packets entering/going out of our computer
Network Architecture: packets entering/going out of any network equipment connected to the network
Once we know where and how to connect the computer with WIRESHARK installed (the capturing architecture) we can start doing basic capturing
Basic Architecture Capturing
In this architecture the signaling and/or media for the communication ends/starts at the WIRESHARK computer
Connect the NIC(s) you want to collect packets from to the network
Start WIRESHARK
Choose the relevant NIC in the WIRESHARK menu
Start collecting packets
Network Capturing Architecture
(diagram labels: WIRESHARK)
Network Capture Architecture - Both entities connected to a HUB (shared media)
Simply start capturing
(diagram labels: WIRESHARK, Hub)
Network Capture Architecture - Multimedia entity/PC connected to a switch (1)
(diagram labels: WIRESHARK, HUB, SWITCH)
- Connect WIRESHARK and the network entity to the HUB
- Connect the HUB to the SWITCH with an uplink
- Start capturing
Network Capture Architecture - Multimedia entity/PC both connected to a switch (2)
- Configure port mirroring (spanning) on the switch
- Start capturing
(A switch only forwards unicast frames to the port that owns the destination MAC address, so a hub or a mirror port is needed to see the traffic between two other devices.)
(diagram labels: WIRESHARK, SWITCH)
Basic Network packet capturing -1-
When you activate WIRESHARK you get the following view
Basic Network packet capturing -2-
Basic Network packet capturing -3-
Basic Network packet capturing -4-
WIRESHARK preferences
The GUI can be changed for: GUI layout, columns, time format, coloring preferences, field values for specific protocols, ...
Different profiles can be defined and saved
Basic displayed/captured packet manipulations
Forcing a protocol on an unknown-protocol packet
Marking a packet or a group of packets
Saving all or part of the captured packets
Exporting a trace
Printing all or part of the captured packets
Display filtering
By arranging the display (sort field/order changed):
  Sort order of time/packet number
  Sort order per IP/MAC address of source/destination
  Sort order per protocol
By marking specific packets manually
By configuring filters for: address, protocol, protocol field value, frame length, string
Display filtering - by changing display sort order
Display Filter configuration
We will configure simple filters:
For a specific IP address
For a specific protocol
For a specific field value of a protocol
Compound filters
Filter elements
Filter fields (protocol fields): the full list can be found at http://www.wireshark.org/docs/dfref/
Display field comparison operators
Display filter logical operators: used to build complex filters by combining simple filters
Some basic filter field examples
ip.src  Source IP address
ip.dst  Destination IP address
ip.addr  IP address (source or destination)
eth.dst  Destination MAC address
Protocol names: udp, sip, http, h225, h245, ...
Protocol fields: h263.dbq, sip.Method, h323.fastStart, rtp.payload, diameter.User-Name, ...
Filter Comparison operators
English and C-like operators can be used (also mixed)
English  C-like  Meaning
eq       ==      Equal
ne       !=      Not equal
gt       >       Greater than
lt       <       Less than
ge       >=      Greater than or equal
le       <=      Less than or equal
Some simple filter examples
ip.addr == 234.78.12.78
ip.src != 10.0.0.2
sip.Method==REGISTER
h263.unrestricted_motion_vector == 0
sip.from.addr == "sip:[email protected]"
h245.masterSlaveDetermination
How to build a filter from the GUI
Type your filter inside the filter toolbar
Click "Apply"
How to build a filter from the GUI -2-
Filter save-activate
Filters can be saved/edited by clicking the edit/apply filter button
A new window opens
Display filter logical operators
These are used to build compound filters from simple expressions
When in doubt, use parentheses before applying the operator
The logical operators can have English or C-like syntax
Display filter logical operators (contd.)
English  C-like  Meaning
and      &&      Logical AND
or       ||      Logical OR
xor      ^^      Logical XOR
not      !       Logical NOT
[…]              Substring operator
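The filter language of slides 25 to 34 (fields, English or C-like comparison operators, logical operators, parentheses) can be demonstrated end to end with a small evaluator. This is an added example written for this page, not Wireshark code: the packets are constructed dicts holding the values a dissector would expose, the precedence (or loosest, then xor, then and, then not tightest) is the one chosen here, and ip.addr is treated as "source or destination" the way Wireshark treats it.

```python
"""Toy evaluator for the display-filter subset on slides 25-34 (added example,
not Wireshark code). Packets are plain dicts keyed by field name; ip.addr
stands for "source or destination" as in Wireshark; English and C-like
operator spellings may be mixed."""
import re

# Comparison operators (slide 27): English names map onto the C-like forms
COMPARE = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
           "==": "==", "!=": "!=", ">": ">", "<": "<", ">=": ">=", "<=": "<="}
LOGICAL = {"and": "and", "&&": "and", "or": "or", "||": "or",  # slide 34
           "xor": "xor", "^^": "xor", "not": "not", "!": "not"}
ALIASES = {"ip.addr": ("ip.src", "ip.dst")}  # fields meaning "either of"
TOKEN = re.compile(r'\s*("[^"]*"|[()]|==|!=|>=|<=|&&|\|\||\^\^|[<>!]|[^\s()=!<>&|^]+)')

def tokenize(expr):  # quoted strings lose their quotes
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(expr)]

class Parser:
    """Recursive descent; precedence from loosest to tightest: or, xor, and, not."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.binary("or")
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def binary(self, op):
        below = {"or": lambda: self.binary("xor"),
                 "xor": lambda: self.binary("and"), "and": self.unary}[op]
        node = below()
        while LOGICAL.get(self.peek()) == op:
            self.take()
            node = (op, node, below())
        return node

    def unary(self):
        if LOGICAL.get(self.peek()) == "not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.binary("or")
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field = self.take()
        if field is None or field == ")" or field in LOGICAL:
            raise ValueError(f"expected a field name, got {field!r}")
        if self.peek() in COMPARE:
            op, value = COMPARE[self.take()], self.take()
            if value is None:
                raise ValueError(f"missing value after {field} {op}")
            return ("cmp", field, op, value)
        return ("has", field)  # bare name: protocol or field is present

def compare(actual, op, wanted):
    try:  # numbers compare numerically, everything else as strings
        a, w = float(actual), float(wanted)
    except ValueError:
        a, w = str(actual), str(wanted)
    return {"==": a == w, "!=": a != w, ">": a > w, "<": a < w,
            ">=": a >= w, "<=": a <= w}[op]

def evaluate(node, packet):
    kind, name = node[0], node[1]
    names = ALIASES.get(name, (name,)) if kind in ("has", "cmp") else ()
    if kind == "has":  # the protocol or one of its fields is in the packet
        return any(k == n or k.startswith(n + ".") for k in packet for n in names)
    if kind == "cmp":  # true if ANY value of the field satisfies the comparison
        return any(compare(packet[n], node[2], node[3]) for n in names if n in packet)
    if kind == "not":
        return not evaluate(name, packet)
    left, right = evaluate(name, packet), evaluate(node[2], packet)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]

# Constructed sample packets (not a real capture), as a dissector would expose them
PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.2", "ip.dst": "234.78.12.78",
     "udp.srcport": 5060, "udp.dstport": 5060, "sip.Method": "REGISTER"},
    {"frame.number": 2, "ip.src": "234.78.12.78", "ip.dst": "10.0.0.2",
     "udp.srcport": 5060, "udp.dstport": 5060, "sip.Status-Code": 200},
    {"frame.number": 3, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.2",
     "udp.srcport": 16384, "udp.dstport": 16386, "rtp.payload": "d5d5d5d5"},
]

def filter_frames(expr, packets=PACKETS):
    tree = Parser(expr).parse()  # frame numbers the filter leaves visible
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

Running `filter_frames("ip.addr == 234.78.12.78")` returns frames 1 and 2, because ip.addr is checked against both addresses. The same "any value matches" rule is what makes `ip.addr != 10.0.0.2` match all three sample frames: every packet has at least one address that differs from 10.0.0.2. When the intent is "neither address is 10.0.0.2", write `!(ip.addr == 10.0.0.2)`, which is unambiguous in every Wireshark release.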
Capture filtering
When capturing packets they are stored in temporary files on the computer
We can configure WIRESHARK to capture packets directly to a single file or to multiple files
For heavy-traffic or long-duration capturing the file/buffer sizes might overwhelm the computer or even crash it
To prevent accumulating huge files, if we know what we are looking for we should apply capture filtering
Capture filtering -2-
WIRESHARK uses the libpcap filter language for capture filtering
Details for libpcap can be found at http://www.tcpdump.org/tcpdump_man.html
Any type of display filter can also be defined for capture, but with a different syntax and a different activation procedure
Capture filtering -3-
Capture filtering -4- Activating a capture filter
Choose the relevant capture filter in "Options"
Start capturing
Capture filtering -5-
Capture filtering -6-
Capture filter syntax by examples
host 192.168.122.23  Capture packets from/to IP address 192.168.122.23
src host 10.0.0.5  Capture packets from IP 10.0.0.5
tcp port 23 and host 10.0.0.5
ether src 00:11:6b:80:47:96
tcp port 23 and not src host 10.0.0.5
ip multicast
Basic Capture filter syntax
[src|dst] host <host>
ether [src|dst] host <ehost>
[src|dst] net <net> [{mask <mask>}|{len <len>}]
[tcp|udp] [src|dst] port <port>
less|greater <length>
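The capture-filter grammar above and the examples on the previous slide can be exercised offline with a matcher that applies the same primitives to constructed packets. This is an added example written for this page, not libpcap or Wireshark code: a real capture filter is compiled by libpcap into a BPF program that runs before packets reach Wireshark, so only the matching semantics of host, ether host, net (mask or /len), port, less/greater and ip multicast, with not/and/or and parentheses, are mirrored here. Packet field names such as "proto", "srcport" and "len" are this example's own.

```python
"""Matcher for the libpcap capture-filter subset on slide 42 (added example, not
libpcap). It evaluates host, ether host, net (mask or /len), port, less/greater
and ip multicast, combined with not/and/or and parentheses, over constructed
packet dicts. A real capture filter is compiled to BPF and applied before the
packets reach Wireshark; only the matching semantics are mirrored here."""
import ipaddress

QUALIFIERS = {"src", "dst", "ether", "ip", "tcp", "udp"}
KEYWORDS = {"host", "net", "port", "less", "greater", "multicast"}
RESERVED = KEYWORDS | {"and", "or", "not", "(", ")"}

def _value(toks, what):  # pop an operand; reject end of input and keywords
    if not toks or toks[0] in RESERVED:
        raise ValueError(f"expected {what}")
    return toks.pop(0)

def _sides(quals, src_key, dst_key):  # src/dst picks one side, else either side
    if "src" in quals:
        return [src_key]
    return [dst_key] if "dst" in quals else [src_key, dst_key]

def primitive(toks):
    """Consume one primitive and return a predicate over a packet dict."""
    quals = []
    while toks and toks[0] in QUALIFIERS:
        quals.append(toks.pop(0))
    # libpcap rule: an operand with no type keyword in front of it means "host"
    kw = toks.pop(0) if toks and toks[0] in KEYWORDS else "host"
    if kw == "host":
        value = _value(toks, "a host address")
        keys = _sides(quals, *(("eth.src", "eth.dst") if "ether" in quals else ("ip.src", "ip.dst")))
        return lambda p: any(p.get(k) == value for k in keys)
    if kw == "net":
        spec = _value(toks, "a network")
        if toks and toks[0] == "mask":
            toks.pop(0)
            spec = f"{spec}/{_value(toks, 'a netmask')}"
        net = ipaddress.ip_network(spec, strict=False)  # also accepts addr/len
        keys = _sides(quals, "ip.src", "ip.dst")
        return lambda p: any(k in p and ipaddress.ip_address(p[k]) in net for k in keys)
    if kw == "port":
        port = int(_value(toks, "a port number"))
        protos = {q for q in quals if q in ("tcp", "udp")} or {"tcp", "udp"}
        keys = _sides(quals, "srcport", "dstport")
        return lambda p: p.get("proto") in protos and any(p.get(k) == port for k in keys)
    if kw in ("less", "greater"):  # libpcap: less is length <= n, greater is length >= n
        n = int(_value(toks, "a length"))
        return (lambda p: p["len"] <= n) if kw == "less" else (lambda p: p["len"] >= n)
    # "ip multicast": the IP destination is a multicast address
    return lambda p: "ip.dst" in p and ipaddress.ip_address(p["ip.dst"]).is_multicast

def parse(toks):
    """Precedence as in libpcap: not binds tightest, then and, then or."""
    def binary(level):
        if level == 2:
            return unary()
        word = ("or", "and")[level]
        node = binary(level + 1)
        while toks and toks[0] == word:
            toks.pop(0)
            left, right = node, binary(level + 1)
            if word == "or":
                node = lambda p, l=left, r=right: l(p) or r(p)
            else:
                node = lambda p, l=left, r=right: l(p) and r(p)
        return node

    def unary():
        if toks and toks[0] == "not":
            toks.pop(0)
            inner = unary()
            return lambda p: not inner(p)
        if toks and toks[0] == "(":
            toks.pop(0)
            node = binary(0)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        return primitive(toks)

    node = binary(0)
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return node

# Constructed sample packets: the link, IP and transport facts a capture filter can see
PACKETS = [
    {"frame": 1, "eth.src": "00:11:6b:80:47:96", "ip.src": "10.0.0.5", "ip.dst": "192.168.122.23",
     "proto": "tcp", "srcport": 40000, "dstport": 23, "len": 74},
    {"frame": 2, "eth.src": "00:1f:29:aa:bb:cc", "ip.src": "192.168.122.23", "ip.dst": "10.0.0.5",
     "proto": "tcp", "srcport": 23, "dstport": 40000, "len": 66},
    {"frame": 3, "eth.src": "00:0c:29:12:34:56", "ip.src": "10.0.0.9", "ip.dst": "224.0.0.251",
     "proto": "udp", "srcport": 5353, "dstport": 5353, "len": 120},
    {"frame": 4, "eth.src": "00:0c:29:65:43:21", "ip.src": "10.0.1.4", "ip.dst": "10.0.0.5",
     "proto": "tcp", "srcport": 51000, "dstport": 23, "len": 1514},
]

def select(expr, packets=PACKETS):
    """Frame numbers a capture filter would let through to the capture file."""
    pred = parse(expr.replace("(", " ( ").replace(")", " ) ").split())
    return [p["frame"] for p in packets if pred(p)]
```

`select("tcp port 23 and not src host 10.0.0.5")` returns frames 2 and 4, matching the slide's example. The difference from a display filter matters operationally: a packet rejected by a capture filter is never written to the file, so a filter that is too narrow loses evidence with no way to recover it. Testing a new capture filter on a short capture, or on a saved file as a display filter, before starting a long capture is the practical safeguard.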
Statistics and data analysis
We can get graphical or written statistics in real time or from a captured file
Statistics per protocol
VOIP pairs visualization
RTP stream analysis
Statistics menu - Statistics > Summary
Statistics menu - Statistics > Hierarchy Statistics
I/O Statistics - real-time or offline
VOIP statistics
Statistics > VOIP
VOIP statistics - Statistics > VOIP (contd.)
RTP Stream Analysis
WIRESHARK can identify separate RTP streams
RTP parameters can be retrieved: total RTP packets sent, delay, jitter
RTP streams - Outline: Statistics > RTP > Show All Streams
RTP streams - Outline: Statistics > RTP > Show All Streams
Choose one of the streams > Analyze
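What the RTP stream list and the per-stream analysis compute can be reproduced on a handful of constructed packets. This is an added example written for this page, not Wireshark's code: streams are keyed by source, destination and SSRC as in the Show All Streams list, loss is estimated from sequence-number gaps, the arrival delta is the gap between consecutive packets, and jitter is the RFC 3550 section 6.4.1 estimator. The addresses, SSRCs and timings are made up, and the 8000 Hz clock rate is the assumption for payload type 0 (PCMU).

```python
"""RTP stream identification and per-stream delta/jitter, as Wireshark's RTP
analysis reports them (added example, not Wireshark code). Streams are keyed by
source, destination and SSRC; jitter is the RFC 3550 section 6.4.1 estimator.
Arrival times are integer microseconds so the arithmetic stays exact."""
import struct
from collections import defaultdict

def parse_rtp(raw):
    """Parse the fixed 12-byte RTP header (RFC 3550 section 5.1)."""
    if len(raw) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", raw[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version is not 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "timestamp": ts, "ssrc": ssrc}

def build_rtp(seq, ts, ssrc, pt=0, marker=False):
    """Constructed RTP packet (20 ms of PCMU silence) used only for sample input."""
    hdr = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc)
    return hdr + bytes(160)

def analyze_streams(packets, clock_rate=8000):
    """packets: iterable of (arrival_us, src, dst, raw). Returns
    {"streams": {(src, dst, ssrc): stats}, "skipped": count of non-RTP packets}."""
    streams, skipped = defaultdict(list), 0
    for t_us, src, dst, raw in packets:
        try:
            hdr = parse_rtp(raw)
        except ValueError:
            skipped += 1  # not RTP (or truncated): it would not appear as a stream
            continue
        streams[(src, dst, hdr["ssrc"])].append((t_us, hdr))
    stats = {}
    for key, pkts in streams.items():
        pkts.sort(key=lambda p: p[0])
        # sequence-number gaps approximate loss; 16-bit wraparound is ignored here
        expected = pkts[-1][1]["seq"] - pkts[0][1]["seq"] + 1
        jitter = max_jitter = max_delta = 0.0
        prev_t, prev_hdr = None, None
        for t_us, hdr in pkts:
            if prev_hdr is not None:
                max_delta = max(max_delta, (t_us - prev_t) / 1000)  # arrival gap in ms
                # RFC 3550 6.4.1: D(i,j) = (R_j - R_i) - (S_j - S_i), in timestamp units
                d = (t_us - prev_t) * clock_rate / 1_000_000 - (hdr["timestamp"] - prev_hdr["timestamp"])
                jitter += (abs(d) - jitter) / 16
                max_jitter = max(max_jitter, jitter)
            prev_t, prev_hdr = t_us, hdr
        stats[key] = {"payload_type": pkts[0][1]["pt"], "packets": len(pkts),
                      "lost": expected - len(pkts), "max_delta_ms": max_delta,
                      "jitter_ms": jitter * 1000 / clock_rate,
                      "max_jitter_ms": max_jitter * 1000 / clock_rate}
    return {"streams": stats, "skipped": skipped}

# Constructed sample capture: a two-way PCMU call plus one STUN-looking datagram
FWD = ("10.0.0.7:16384", "10.0.0.2:16386")
REV = ("10.0.0.2:16386", "10.0.0.7:16384")
SAMPLE_PACKETS = [
    # forward stream (SSRC 0x1234): seq 3 never arrives, seq 5 arrives 5 ms late
    (0, *FWD, build_rtp(1, 0, 0x1234, marker=True)),
    (20_000, *FWD, build_rtp(2, 160, 0x1234)),
    (60_000, *FWD, build_rtp(4, 480, 0x1234)),
    (85_000, *FWD, build_rtp(5, 640, 0x1234)),
    (100_000, *FWD, build_rtp(6, 800, 0x1234)),
    # reverse stream (SSRC 0xABCD): perfectly paced
    (10_000, *REV, build_rtp(7, 1000, 0xABCD)),
    (30_000, *REV, build_rtp(8, 1160, 0xABCD)),
    (50_000, *REV, build_rtp(9, 1320, 0xABCD)),
    # STUN binding request on the RTP port: version bits are 0, so it is not RTP
    (5_000, *FWD, bytes.fromhex("000100002112a442") + bytes(12)),
]

if __name__ == "__main__":
    for key, s in analyze_streams(SAMPLE_PACKETS)["streams"].items():
        print(key, s)
```

For the forward stream the example reports 5 packets, 1 lost, a maximum delta of 40 ms (the gap left by the missing packet) and a jitter of about 0.61 ms after the late packet; the reverse stream shows zero jitter and no loss, and the STUN datagram is counted as skipped rather than mistaken for a stream. Wireshark's analysis window follows the same RFC estimator, but also handles sequence wraparound and duplicates, which this example leaves out.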
References and important URLs
http://www.wireshark.org/
http://www.wireshark.org/docs/
http://www.winpcap.org/
http://wiki.wireshark.org/CaptureSetup/NetworkMedia
http://wiki.wireshark.org/Preferences
http://www.wireshark.org/lists/wireshark-bugs/
http://www.cs.columbia.edu/irt/software/rtptools/