Packets and Protocols Chapter 4


Page 1: Packets and Protocols Chapter 4

Packets and Protocols, Chapter 4

Chapter Four

Using Wireshark

Page 2: Packets and Protocols Chapter 4

The Wireshark main window

■ Menu bar
■ Tool bar
■ Summary window
■ Protocol Tree window
■ Data View window
■ Filter bar
■ Information field
■ Display information

Page 3: Packets and Protocols Chapter 4

Main window components

Menu Bar: A typical application menu bar containing dropdown menu items.

Tool Bar: Contains buttons for some commonly used functions of Wireshark. The Tool Bar icons have tool tips that are displayed when you pause the mouse pointer over them.

Filter Bar: Applies filters to the Summary window to restrict which packets in the capture are displayed, based on their attributes.

Summary Window: Provides a one-line summary for each packet in the capture.

Protocol Tree Window: Provides a detailed decode of the packet selected in the Summary window.

Data View Window: Provides a view of the raw data in the packet selected in the Summary window.

Information Field: A display area that provides information about the capture or field selected in the Protocol Tree window.

Display Information Field: A display area that provides information about the packet count in the current capture.

Page 4: Packets and Protocols Chapter 4

Summary window components

No.: The frame number within the capture.

Time: The time from the beginning of the capture to the time when the packet was captured (in seconds).

Source: This is the highest level source address (frequently the Internet Protocol (IP) address); however, it can also be the Media Access Control (MAC) address for layer 2 Ethernet protocols, or other address types for other protocols (e.g., Internetwork Packet Exchange [IPX], AppleTalk, and so forth). (See the Wireshark “Name Resolution” sidebar for a discussion of MAC addresses.)

Destination: This is the highest level destination address (frequently the IP destination address); however, it can also be the MAC address for layer 2 Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, and so forth).

Protocol: Typically the highest level protocol that is decoded. Examples include user-level protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Info: This field contains information that was determined by the highest level decode to be useful or informative as part of a summary for this packet.

Page 5: Packets and Protocols Chapter 4

Summary window example

What does this summary info tell us?


Page 6: Packets and Protocols Chapter 4

Protocol tree window
  – The fields in this window can be expanded or collapsed
  – The 1st line will generally tell you most of what you need, but you can drill down for further detail

Click on the plus sign to expand

Page 7: Packets and Protocols Chapter 4

Protocol window example

What does this protocol info tell us?


Page 8: Packets and Protocols Chapter 4

Data View Window

Good place to find passwords and usernames!

Page 9: Packets and Protocols Chapter 4

Filter bar
  – Used to build display filters
  – Will not allow invalid capture filters
  – Filter is not applied until you click Apply!

Information field (bottom of capture)
  – Displays capture filename and size

Display information field
  – P = Total
  – D = Displayed
  – M = Marked

Page 10: Packets and Protocols Chapter 4

File menu

Page 11: Packets and Protocols Chapter 4

Open…: Opens a capture file.

Open Recent: Displays the Open Recent submenu to open a capture file from a list of recently used capture files.

Merge: Merges one or more capture files with the current capture file.

Close: Closes the current capture file.

Save: Saves the current capture file.

Save As…: Saves the current capture file with a different filename/format.

File Set: Displays the File Set submenu for file set information and navigation.

Export: Displays the Export submenu, allowing the portion of the packet highlighted in the Data View window to be exported as a hexadecimal dump.

Print…: Prints the current capture file.

Quit: Quits the Wireshark application.

Page 12: Packets and Protocols Chapter 4

There are several save options:
  – Captured
  – Displayed
  – Range

Page 13: Packets and Protocols Chapter 4

Note that when you save a filtered capture, you strip off all other packets in the newly saved capture file.
  – Make sure you do not need these packets!

Page 14: Packets and Protocols Chapter 4


Page 15: Packets and Protocols Chapter 4

Wireshark name resolution
  – Three modes

MAC name resolution
  – Uses OUI names
  – Identified by 1st 6 bytes

Network name resolution
  – i.e. DNS name resolution

Transport name resolution
  – Translates ports to names

Page 16: Packets and Protocols Chapter 4

Save as dialogue box

Note that many file types are available

Page 17: Packets and Protocols Chapter 4

Print dialog

You can print in plain text, PostScript or output to a file

Page 18: Packets and Protocols Chapter 4

Printing options
  – The summary line
  – All packets
  – Marked packets
  – Packets from x to y
  – All or partial detail

Page 19: Packets and Protocols Chapter 4

The Edit menu

Page 20: Packets and Protocols Chapter 4

Find Packet…: Searches for a packet using a display filter or by searching for a matching hexadecimal string or character string.

Find Next: Finds the next packet that matches the search defined in the Find Packet dialog box.

Find Previous: Finds the previous packet that matches the search defined in the Find Packet dialog box.

Mark Packet: Marks the packet currently selected in the Summary window. Marking provides a mechanism for manually selecting a packet or group of packets to be subsequently printed or saved.

Find Next Mark: Finds and highlights the next marked packet in the capture.

Find Previous Mark: Finds and highlights the previously marked packet in the capture.

Mark All Packets: Marks all packets that match the currently applied display filter.

Unmark All Packets: Unmarks all packets that match the currently applied display filter.

Set Time Reference (toggle): Toggles the Time Reference flag for the currently selected packet.

Find Next Reference: Finds and highlights the next marked time reference packet in the capture.

Find Previous Reference: Finds and highlights the previous marked time reference packet in the capture.

Preferences…: Change user preferences, including preferences for packet decodes.

Page 21: Packets and Protocols Chapter 4

Find packet
  – Allows a search by filter, hex or string value
  – Uses same filters as display filters
  – Can search by HEX characters (good for MAC addresses)
  – String search useful for usernames, etc.
  – Ability to search up or down
  – Case sensitive or insensitive

Page 22: Packets and Protocols Chapter 4

Time reference toggle
  – Allows you to calculate intra-packet times based on packets you select
  – How long did client “B” take to respond to client “A”?

Page 23: Packets and Protocols Chapter 4

Preferences

Allows you to customize Wireshark to your personal liking or needs

Page 24: Packets and Protocols Chapter 4

The View Menu

Much of the way Wireshark displays information can be customized from this menu.

Page 25: Packets and Protocols Chapter 4

Menu options and descriptions:

Main Toolbar: Display or remove the Main Toolbar.

Filter Toolbar: Display or remove the Filter Toolbar.

Status Bar: Display or remove the Information Field and the Display Information Field.

Packet List: Display or remove the Summary window.

Packet Details: Display or remove the Protocol Tree window.

Packet Bytes: Display or remove the Data View window.

Time Display Format: A submenu for modifying the time displayed in the Summary window.

Name Resolution: A submenu for selecting the name resolution options to perform during capture.

Colorize Packet List: Apply or remove the coloring defined in Coloring Rules to the Summary window.

Auto Scroll in Live Capture: Sets the option to automatically scroll and update the Summary window list while capturing packets.

Zoom In: Proportionally increases the font and column size in the Summary window.

Zoom Out: Proportionally decreases the font and column size in the Summary window.

Normal Size: Returns the Summary window font and column size to the default setting.

Resize All Columns: Automatically resizes column width in the Summary window to eliminate white space.

Expand Subtrees: Expands the entire selected subtree in the Protocol Tree window.

Expand All: Expand all subtrees in the Protocol Tree window.

Collapse All: Collapse all subtrees in the Protocol Tree window.

Coloring Rules…: Create and edit color filters to colorize the packets in the Summary window that match a given display filter string.

Show Packet In New Window: For the packet currently selected in the Summary window, display its Protocol Tree window and Data View window in a new window.

Reload: Reload the current capture file.

Page 26: Packets and Protocols Chapter 4

Time display information
  – Time is gathered from LOCAL system time
  – Very important to synchronize times when doing simultaneous captures on two platforms
  – Wireshark can display time since 1st capture or delta time
  – Automatically display live capture: useful when you need to watch the packet flow, but can slow the capture process
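The Time column modes above and the time reference toggle from the Edit menu slide can be reproduced on a small constructed capture; this is an added example, not part of the slides, and the frame timestamps, labels and the 2.5 s clock skew of the second capture are invented.

```python
# Constructed capture: (frame number, absolute capture-clock time in seconds, info).
CAPTURE_A = [
    (1, 1000.000, "A -> B request 1"),
    (2, 1000.120, "B -> A reply 1"),
    (3, 1000.125, "A -> B request 2"),
    (4, 1001.900, "B -> A reply 2"),
    (5, 1001.905, "A -> B request 3"),
    (6, 1002.020, "B -> A reply 3"),
]

# The same packets as captured on host B, whose local clock runs 2.5 s ahead
# of A's (constructed skew).
CAPTURE_B = [(no, ts + 2.5, info) for no, ts, info in CAPTURE_A]


def summary_times(frames, references=()):
    """Compute the Time column in the modes the slides mention: seconds since
    the first frame, delta from the previous frame, and time relative to the
    most recent frame flagged with Set Time Reference (shown as *REF* itself)."""
    first = frames[0][1]
    ref_time, prev, rows = first, None, []
    for no, ts, info in frames:
        if no in references:
            ref_time = ts                       # a reference restarts the relative clock
        rows.append({"no": no, "info": info,
                     "since_first": round(ts - first, 3),
                     "delta": 0.0 if prev is None else round(ts - prev, 3),
                     "relative": "*REF*" if no in references else round(ts - ref_time, 3)})
        prev = ts
    return rows


def response_time(frames, request_no, reply_no):
    """How long did B take to respond to A?  Flag the request as the time
    reference and read the reply's relative time."""
    rows = summary_times(frames, references={request_no})
    return next(r["relative"] for r in rows if r["no"] == reply_no)


def clock_skew(capture_a, capture_b):
    """Estimate how far capture B's clock is ahead of capture A's from packets
    seen in both captures (matched here by their info text).  The estimate
    includes one-way network delay, so treat it as an upper bound on the skew."""
    time_a = {info: ts for _, ts, info in capture_a}
    diffs = [ts - time_a[info] for _, ts, info in capture_b if info in time_a]
    return round(sum(diffs) / len(diffs), 3) if diffs else None
```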

Page 27: Packets and Protocols Chapter 4

Color filters
  – Useful for the color-blind
  – Allows you to change the color of protocols, errors, etc.

Page 28: Packets and Protocols Chapter 4

A color coded display can help you troubleshoot


Page 29: Packets and Protocols Chapter 4

Show packet in new window
  – Allows you to zero in on a single packet

Page 30: Packets and Protocols Chapter 4

Go menu
  – Allows you to navigate through the capture

Back: Moves to the previous packet displayed in the current capture.

Forward: Moves to the next packet displayed in the current capture.

Go To Packet…: Go to a packet by frame number.

Go To Corresponding Packet: When a field that refers to another frame is selected in the Protocol Tree window, select the packet being referred to in the Summary window.

First Packet: Moves to the first displayed packet.

Last Packet: Moves to the last displayed packet.

Page 31: Packets and Protocols Chapter 4

Capture menu

Interfaces…: Opens the Interfaces dialog box.

Options…: Opens the Capture Options dialog box.

Start: Start a capture.

Stop: Stop a running packet capture.

Restart: Restart a stopped packet capture.

Capture Filters…: Edit the capture filters.

Page 32: Packets and Protocols Chapter 4

You can capture on any single interface on your Wireshark PC.

* The packet count and packets per second displayed in the Capture Interfaces dialog box are not the totals seen by the interfaces, but the count and rate seen by each interface since the Capture Interfaces dialog box was opened.

Page 33: Packets and Protocols Chapter 4

Characteristics Tab

Page 34: Packets and Protocols Chapter 4

Statistics Tab

Page 35: Packets and Protocols Chapter 4

Protocol (Ethernet) Tab

Page 36: Packets and Protocols Chapter 4

WLAN Tab

Page 37: Packets and Protocols Chapter 4

Capture Options
  – How to display?
  – What is captured?
  – Where to store?
  – When to capture?

Page 38: Packets and Protocols Chapter 4

What interface?

Use multiple Files?

Buffer size?

Capture filter?

Where to save?

Promiscuous?

How many?

When to stop?


Page 39: Packets and Protocols Chapter 4

Buffer size vs. Capture size
  – Buffer size is dependent upon RAM
  – Capture size is dependent upon hard drive size
  – Too large a buffer can slow the capture process and cause data loss; too small will not give the HDD time to write the data
  – Defaults are best!

Page 40: Packets and Protocols Chapter 4

Capture options
  – While you can stop a capture based on:
    • Capture a number of packets and stop
    • Capture for a period of time and stop
    • Capture a number of kilobytes and then stop
  – There is no way to start a capture automatically (with Wireshark)

Page 41: Packets and Protocols Chapter 4

The capture dialog box

Page 42: Packets and Protocols Chapter 4

Ringing the capture buffer
  – Allows you to save multiple captures

1. Select “Use multiple files”
2. Select “Next file every …” minutes or KB
3. Figure how many files to keep (“Ring buffer”)
4. Decide when to stop the capture: Stop capture after
   – X ring captures
   – X minutes/hours/days
   – X KB/MB/GB

Page 43: Packets and Protocols Chapter 4


Page 44: Packets and Protocols Chapter 4

Capture filter list
  – Name the filter
  – Create the filter

Page 45: Packets and Protocols Chapter 4

Capture filters vs. Display filters
  – Capture filters are used before the capture to narrow what is gathered
  – Display filters are used after the capture to filter the output
  – Capture and display filters are different:
    • Capture = tcp port http
    • Display = protocol=http
  – Both do the same thing!

Page 46: Packets and Protocols Chapter 4

Analyze Menu Options

Display Filters…: Edits the display filters.

Apply as Filter: A submenu for preparing and automatically applying a display filter based on any field selected in the Protocol Tree window.

Prepare a Filter: A submenu for preparing a display filter based on any field selected in the Protocol Tree window.

Firewall ACL Rules: Creates a filter for several standard firewall types based on the currently selected packet in the Summary window.

Enabled Protocols…: Enables and disables the decoding of individual protocols.

Decode As…: Specifies decoding certain packets as being part of a particular protocol.

User Specified Decodes: Reports which user-specified decodes are currently in force.

Follow TCP Stream: Displays an entire TCP stream at once.

Follow SSL Stream: Displays an entire SSL stream at once.

Expert Info: Displays a summary of the capture file.

Expert Info Composite: Displays statistics in a Protocol Tree view for the protocols in the capture.

Page 47: Packets and Protocols Chapter 4

There are literally thousands of capture options available, and the good news is most have already been written for you.

Page 48: Packets and Protocols Chapter 4

Edit display filter list
  – Allows you to create display filters via GUI

Select major protocol…

Page 49: Packets and Protocols Chapter 4

Select operator

• Operators include: ==, !=, >, <, >=, <=

Page 50: Packets and Protocols Chapter 4

Select value

• Note that the value will change depending upon the protocol chosen

Page 51: Packets and Protocols Chapter 4

Display Filter dialog box

Filter Name

Filter String

Page 52: Packets and Protocols Chapter 4

Apply as filter vs. prepare a filter
  – The Apply as Filter and Prepare a Filter submenus have the same options and behave in the same way with one exception:
    • The Prepare a Filter submenu items prepare a display filter string and place it in the Filter text box.
    • The Apply as Filter submenu items prepare a display filter string, place it in the Filter text box, and apply it to the capture.

Page 53: Packets and Protocols Chapter 4


Page 54: Packets and Protocols Chapter 4

Apply as filter examples:

Note the importance of the operators!
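The filter builder on the preceding slides (major protocol, operator, value, filter string) and the capture-versus-display comparison on slide 45 can be exercised with the small display-filter evaluator below; it is an added example with constructed packets, not the slides' material or Wireshark code. It also shows why the operators matter: under the any-occurrence rule of older Wireshark versions, `ip.addr != 10.0.0.5` keeps every packet that has some other address as well, while `!(ip.addr == 10.0.0.5)` actually excludes that host.

```python
"""Evaluator for Wireshark-style display filters (constructed example).
A packet is a dict with "protocols" (set of layer names) and "fields"
(field name -> every value it takes, e.g. tcp.port holds both ports).
Comparisons use the classic any-occurrence rule of older Wireshark versions."""
import ipaddress
import operator
import re

# Operators offered by the "Select operator" step of the filter builder.
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
TOKEN_RE = re.compile(r"\(|\)|==|!=|>=|<=|>|<|!|[^\s()]+")


def coerce(literal, sample):
    # Convert the literal typed into the filter to the field's own type.
    if isinstance(sample, int):
        return int(literal, 0)
    if isinstance(sample, ipaddress.IPv4Address):
        return ipaddress.ip_address(literal)
    return literal


class Filter:
    # Recursive-descent parser: "or" binds loosest, then "and", then not / ( ) / comparison.

    def __init__(self, text):
        self.toks, self.pos = TOKEN_RE.findall(text), 0
        self.tree = self._or()
        if self.pos != len(self.toks):   # leftover tokens ("tcp.port 80"): invalid filter
            raise ValueError("invalid filter: " + text)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        tok = self._take()
        if tok in ("not", "!"):
            return ("not", self._not())
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in OPS or tok == ")":
            raise ValueError("expected a field or protocol name")
        if self._peek() not in OPS:
            return ("proto", tok)                # bare protocol name, e.g. "http"
        op, value = self._take(), self._take()   # field <op> value
        if value is None:
            raise ValueError("operator without a value")
        return ("cmp", tok, op, value)

    def match(self, pkt, node=None):
        node = node or self.tree
        kind = node[0]
        if kind in ("or", "and"):
            left, right = self.match(pkt, node[1]), self.match(pkt, node[2])
            return (left or right) if kind == "or" else (left and right)
        if kind == "not":
            return not self.match(pkt, node[1])
        if kind == "proto":
            return node[1] in pkt["protocols"]
        _, field, op, literal = node
        # Any-occurrence rule: one matching value is enough for the packet to pass.
        return any(OPS[op](v, coerce(literal, v)) for v in pkt["fields"].get(field, []))


def make_packet(src, dst, sport, dport, protocols, length):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"protocols": set(protocols),
            "fields": {"frame.len": [length], "ip.src": [src], "ip.dst": [dst],
                       "ip.addr": [src, dst], "tcp.port": [sport, dport]}}


# Constructed sample capture (private and documentation address ranges).
CAPTURE = [
    make_packet("10.0.0.5", "192.0.2.10", 51000, 80, ("eth", "ip", "tcp", "http"), 512),
    make_packet("192.0.2.10", "10.0.0.5", 80, 51000, ("eth", "ip", "tcp", "http"), 1460),
    make_packet("10.0.0.5", "10.0.0.9", 51001, 25, ("eth", "ip", "tcp", "smtp"), 90),
    make_packet("10.0.0.7", "192.0.2.20", 51002, 443, ("eth", "ip", "tcp", "ssl"), 300),
]


def apply_filter(text, packets=CAPTURE):
    """Return the 0-based indices of the packets the display filter keeps."""
    flt = Filter(text)
    return [i for i, p in enumerate(packets) if flt.match(p)]
```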

Page 55: Packets and Protocols Chapter 4

To enable or not to enable?
  – Disabling protocols may make your sniffer run faster (maybe)

Page 56: Packets and Protocols Chapter 4

Decode as…

Forces Wireshark to decode a protocol the way you decide.

Not used very often – best not to override defaults

Page 57: Packets and Protocols Chapter 4

Since Wireshark is open source, there are already many, many protocols pre-programmed in. The “decode as” option is not generally needed unless you are sniffing a proprietary protocol.

Page 58: Packets and Protocols Chapter 4

Following a TCP or SSL stream

Very useful for following a conversation, but usually only if the data is sent in the clear (telnet, SMTP, etc.)

Page 59: Packets and Protocols Chapter 4

SMTP follow TCP stream example

Page 60: Packets and Protocols Chapter 4

Expert info (and expert info composite) is used to sort errors and problems
  – The Expert Info and Expert Info Composite menu options provide identical information in similar layouts. Both options provide a breakdown of the current capture, and display summary information about current conversations, errors, and warnings that can be derived from the traffic patterns. These options are a great method to use to begin troubleshooting traffic-related issues, as they provide some simple error-related information without having to analyze each packet by hand.

Page 61: Packets and Protocols Chapter 4

Expert info example

Page 62: Packets and Protocols Chapter 4

The statistics menu
  – Provides many useful traffic statistics

Page 63: Packets and Protocols Chapter 4

Statistics menu options

Page 64: Packets and Protocols Chapter 4

Statistics menu options

Page 65: Packets and Protocols Chapter 4

Statistics menu options

Page 66: Packets and Protocols Chapter 4

Capture Summary dialogue box
  – Gives a great quick summary of the capture statistics

Page 67: Packets and Protocols Chapter 4

Protocol hierarchy statistics
  – Gives statistics broken down by each protocol

Page 68: Packets and Protocols Chapter 4

Protocol hierarchy statistics columns

Protocol: The protocol on which statistics are being reported. The protocol may have sub-items on the tree representing the protocols it contains (e.g., IP contains TCP and UDP).

% Packets: Percentage of all packets in the capture that are of this protocol.

Packets: The number of packets in the capture that are of this protocol.

Bytes: The number of bytes in this capture containing this protocol.

End Packets: The number of packets for which this protocol is the last protocol in the decode (e.g., a TCP synchronize [SYN] packet containing no data would be an end packet for TCP and counted in TCP’s end packets count).

End Bytes: The number of bytes for which this protocol is the last protocol in the decode.
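The columns defined above can be computed from the per-frame protocol stacks; the following is an added example over a constructed eight-frame capture (not the slides' data and not Wireshark's implementation), including the consistency rule that ties Packets to End Packets plus the children's Packets.

```python
# Constructed capture: (protocol stack from the lowest layer up, frame length in bytes).
FRAMES = [
    (("eth", "ip", "tcp"), 66),            # TCP SYN: no payload, so TCP is the end protocol
    (("eth", "ip", "tcp"), 66),            # SYN/ACK
    (("eth", "ip", "tcp", "http"), 512),   # GET request
    (("eth", "ip", "tcp", "http"), 1460),  # response data
    (("eth", "ip", "udp", "dns"), 80),
    (("eth", "ip", "udp", "dns"), 120),
    (("eth", "arp"), 42),
    (("eth", "ip", "icmp"), 98),
]

COLUMNS = ("pct_packets", "packets", "bytes", "end_packets", "end_bytes")


def protocol_hierarchy(frames):
    """Build the table behind Statistics > Protocol Hierarchy.

    Returns {path: row} where path is the tuple of protocols from the frame
    upward, e.g. ("eth", "ip", "tcp"), and row holds the slide's columns.
    """
    rows = {}
    for stack, length in frames:
        for depth in range(1, len(stack) + 1):
            row = rows.setdefault(stack[:depth], dict.fromkeys(COLUMNS, 0))
            row["packets"] += 1          # every frame containing the protocol
            row["bytes"] += length       # whole frame size, not just this layer
            if depth == len(stack):      # this protocol is the last one decoded
                row["end_packets"] += 1
                row["end_bytes"] += length
    for row in rows.values():
        row["pct_packets"] = 100.0 * row["packets"] / len(frames)
    return rows


def check_hierarchy(rows):
    """Sanity check: a frame either ends at a protocol or continues into exactly
    one child, so packets == end_packets + sum of the children's packets."""
    for path, row in rows.items():
        children = [r for p, r in rows.items() if p[:-1] == path]
        if row["packets"] != row["end_packets"] + sum(c["packets"] for c in children):
            return False
    return True


def format_table(rows):
    """Render the rows indented like the Protocol Tree; sorting the path tuples
    places each protocol directly before the protocols it contains."""
    header = "%-22s %9s %8s %8s %12s %10s" % (
        "Protocol", "% Packets", "Packets", "Bytes", "End Packets", "End Bytes")
    lines = [header]
    for path in sorted(rows):
        r = rows[path]
        name = "  " * (len(path) - 1) + path[-1]
        lines.append("%-22s %8.1f%% %8d %8d %12d %10d" % (
            name, r["pct_packets"], r["packets"], r["bytes"],
            r["end_packets"], r["end_bytes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(protocol_hierarchy(FRAMES)))
```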

Page 69: Packets and Protocols Chapter 4

TCP Stream Graph

Page 70: Packets and Protocols Chapter 4

TCP Stream Graph Options

Page 71: Packets and Protocols Chapter 4

The RTT graph shows the RTT vs. the sequence number. You can see the RTT spike around sequence number 1000000, which is roughly the same sequence number where you will see a discontinuity in the time-sequence graphs.

Page 72: Packets and Protocols Chapter 4

The throughput graph shows the throughput of the TCP stream vs. time.

Page 73: Packets and Protocols Chapter 4

The time-sequence graph (Stevens) produces a simple graph of TCP sequence numbers vs. time for the TCP stream containing the packet that was selected in the Summary window.

Page 74: Packets and Protocols Chapter 4

The time-sequence graph (tcptrace) is also primarily a graph of TCP sequence numbers vs. time. Unlike the Stevens-style time-sequence graph, however, it conveys a lot more information about the TCP stream.

Page 75: Packets and Protocols Chapter 4

Using graphs for troubleshooting dropped segments

Note the packet drop errors (REF pg 200)

Page 76: Packets and Protocols Chapter 4

Using graphs for troubleshooting throughput issues

Why does the throughput drop off? (REF pg 201)

Page 77: Packets and Protocols Chapter 4

Using graphs for troubleshooting throughput issues (cont.)

Why is the throughput so jagged?
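The RTT, throughput and time-sequence graphs of slides 71 to 77 are built from per-segment measurements; the added example below (a constructed one-way TCP transfer with one lost and retransmitted segment, not the slides' capture or Wireshark code) computes the RTT per sequence number, the retransmissions that appear as drops on the time-sequence graph, and acknowledged-byte throughput per 100 ms window, so the spike and the throughput dip the slides ask about can be seen in numbers.

```python
from collections import namedtuple

# One TCP segment as Wireshark would decode it: capture time (s), sender,
# sequence number, payload length and acknowledgement number.
Segment = namedtuple("Segment", "time src seq length ack")

# Constructed one-way transfer A -> B (B sends only ACKs).  Segment 3001 is
# lost on the first try and retransmitted after a timeout, which is what
# produces an RTT spike and a dip in throughput on the graphs.
STREAM = [
    Segment(0.000, "A", 1, 1000, 1),
    Segment(0.001, "A", 1001, 1000, 1),
    Segment(0.050, "B", 1, 0, 1001),
    Segment(0.051, "B", 1, 0, 2001),
    Segment(0.052, "A", 2001, 1000, 1),
    Segment(0.053, "A", 3001, 1000, 1),   # dropped in the network
    Segment(0.054, "A", 4001, 1000, 1),
    Segment(0.103, "B", 1, 0, 3001),
    Segment(0.105, "B", 1, 0, 3001),      # duplicate ACK: B still needs 3001
    Segment(0.300, "A", 3001, 1000, 1),   # retransmission after RTO
    Segment(0.350, "B", 1, 0, 5001),
    Segment(0.351, "A", 5001, 1000, 1),
    Segment(0.400, "B", 1, 0, 6001),
]


def rtt_per_segment(stream, sender="A"):
    """RTT graph points (seq, rtt seconds): time from a data segment's first
    transmission until the first ACK from the peer that covers it."""
    first_sent, pending, points = {}, [], []
    for s in stream:
        if s.src == sender and s.length:
            if s.seq not in first_sent:          # retransmissions keep the first time
                first_sent[s.seq] = s.time
                pending.append((s.seq, s.seq + s.length))
        elif s.src != sender:
            still_waiting = []
            for seq, end in pending:
                if s.ack >= end:
                    points.append((seq, round(s.time - first_sent[seq], 3)))
                else:
                    still_waiting.append((seq, end))
            pending = still_waiting
    return points


def retransmissions(stream, sender="A"):
    """(time, seq) of data segments whose sequence number was already sent:
    the dropped-segment markers on the time-sequence graph."""
    seen, out = set(), []
    for s in stream:
        if s.src == sender and s.length:
            if s.seq in seen:
                out.append((s.time, s.seq))
            seen.add(s.seq)
    return out


def throughput(stream, sender="A", window_ms=100):
    """Throughput graph: newly acknowledged bytes per window, as a list of
    (window start in seconds, bytes per second); empty windows are omitted."""
    highest_ack = next(s.seq for s in stream if s.src == sender and s.length)
    buckets = {}
    for s in stream:
        if s.src == sender:
            continue
        new_bytes = max(0, s.ack - highest_ack)    # duplicate ACKs add nothing
        highest_ack = max(highest_ack, s.ack)
        bucket = int(round(s.time * 1000)) // window_ms
        buckets[bucket] = buckets.get(bucket, 0) + new_bytes
    return [(b * window_ms / 1000, total * 1000 / window_ms)
            for b, total in sorted(buckets.items()) if total]


def rtt_spike(points, factor=3.0):
    """Sequence numbers whose RTT exceeds `factor` times the median RTT: the
    spot the RTT graph shows as a spike, to cross-check with retransmissions()."""
    rtts = sorted(r for _, r in points)
    if not rtts:
        return []
    median = rtts[len(rtts) // 2]
    return [seq for seq, r in points if r > factor * median]
```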

Page 78: Packets and Protocols Chapter 4

Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake!*

*This is, of course, after you know what a normal network sniffer capture looks like!

Page 79: Packets and Protocols Chapter 4

Graph Control
  – Many aspects of the graph functions can be customized, including:

Zoom
  – Zoom in/out of graph sections

Magnify
  – Allows you to dig more deeply into parts of the gathered data

Origin
  – Start/Stop at any point in the capture

Cross
  – Turn crosshairs on/off

Graph Type
  – Select the type of graph

Page 80: Packets and Protocols Chapter 4

Help menu

Contents: Displays the contents for the Wireshark online help.

Supported Protocols: Displays a list of the supported protocols and the display filter fields they provide.

Manual Pages: A submenu for accessing traditional UNIX-style manual pages for Wireshark, Wireshark filters, and command line utilities.

Wireshark Online: A submenu for accessing online Wireshark resources.

About Wireshark: Displays information about Wireshark version and compile information.

Page 81: Packets and Protocols Chapter 4

Manual Pages submenu

Wireshark: Opens the manual page (manpage) for Wireshark.

Wireshark Filter: Opens the manpage for creating Wireshark filters.

TShark: Opens the manpage for TShark, the command-line version of Wireshark.

Dumpcap: Opens the manpage for Dumpcap, a command-line packet capture utility.

Mergecap: Opens the manpage for Mergecap, a command-line utility for merging two or more libpcap capture files.

Editcap: Opens the manpage for Editcap, a command-line utility for editing and translating libpcap files.

Text2pcap: Opens the manpage for text2pcap, a command-line utility for generating capture files from a text hexdump of packets.

Page 82: Packets and Protocols Chapter 4

Help - About

Page 83: Packets and Protocols Chapter 4

Special Menus
  – Pop up menus

Summary menu options

Page 84: Packets and Protocols Chapter 4

Special Menu – Summary pop up

Page 85: Packets and Protocols Chapter 4

Special Menu – Protocol tree

Protocol tree menu options

Page 86: Packets and Protocols Chapter 4

Special Menu – Protocol tree pop up

Page 87: Packets and Protocols Chapter 4

Special Menu – Data view

Data view menu options

Page 88: Packets and Protocols Chapter 4

Command line options
  – Wireshark can also be run via command line.

Page 89: Packets and Protocols Chapter 4

To capture on interface eth0 immediately and write the results to a ring buffer with three files of maximum size 100 kilobytes with base filename test.libpcap, execute the following at the command line:

wireshark -i eth0 -k -w test.libpcap -b 3 -a filesize:100
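The ring buffer set up on slide 42 (next file every N KB, keep M files, stop after X ring captures) and the command line above can be modelled in code; the following is an added example, not Wireshark's implementation, and its file naming scheme, its 1 KB = 1024 bytes convention and the zero-filled packet records are assumptions made for the example.

```python
"""Model of Wireshark's "Use multiple files" / "Ring buffer" capture options
(constructed example, not Wireshark code).  Records are appended to the
current file; when it reaches next_file_every_kb the writer opens the next
one, keeps at most ring_files files on disk (deleting the oldest) and stops
after stop_after_files files, like the "Stop capture after X ring captures"
setting.  File naming (base_NNNNN.ext) and 1 KB = 1024 bytes are assumptions.
Current Wireshark/dumpcap spell these options -b filesize:100 -b files:3."""
import os
import tempfile


class RingBufferCapture:
    def __init__(self, directory, base="test.libpcap", next_file_every_kb=100,
                 ring_files=3, stop_after_files=None):
        self.directory = directory
        self.stem, self.ext = os.path.splitext(base)
        self.limit = next_file_every_kb * 1024
        self.ring_files = ring_files
        self.stop_after_files = stop_after_files
        self.files = []          # paths currently on disk, oldest first
        self.created = 0         # files started so far ("ring captures")
        self.stopped = False
        self.fh = None
        self.written = 0
        self._open_next()

    def _open_next(self):
        """Close the current file and start the next one, honouring the ring
        limit and the autostop condition."""
        self.close()
        if self.stop_after_files is not None and self.created >= self.stop_after_files:
            self.stopped = True
            return
        self.created += 1
        name = "%s_%05d%s" % (self.stem, self.created, self.ext)
        path = os.path.join(self.directory, name)
        self.fh = open(path, "wb")
        self.written = 0
        self.files.append(path)
        while len(self.files) > self.ring_files:   # ring: the oldest file is dropped
            os.remove(self.files.pop(0))

    def write(self, record):
        """Append one packet record; returns False once the capture has stopped."""
        if self.stopped:
            return False
        self.fh.write(record)
        self.written += len(record)
        if self.written >= self.limit:
            self._open_next()
        return True

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def run_capture(packet_sizes, **options):
    """Feed constructed zero-filled records of the given sizes through a ring
    buffer in a temporary directory; return (remaining file names, files
    created, whether the autostop condition fired)."""
    with tempfile.TemporaryDirectory() as tmp:
        cap = RingBufferCapture(tmp, **options)
        for size in packet_sizes:
            if not cap.write(b"\x00" * size):
                break
        cap.close()
        names = [os.path.basename(p) for p in cap.files]
    return names, cap.created, cap.stopped
```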