WIRESHARK Introduction 18532 - IBM
Slide 1: WIRESHARK Introduction 18532
How to efficiently use the Most Popular Network Analysis Tool
Thursday, March 3, 2016: 12:30 PM-1:30 PM
Matthias Burkhard, IBM Germany
de.linkedin.com/in/mreede
twitter: @mreede
Slide 2: Preferences – Adding Columns
Slide 3: Coloring Rules – Enterprise Extender
• Wireshark is great but can get even better at suiting your needs
Slide 4: WIRESHARK – Coloring Rules TCP
• Line 24 – Line 22
• Line 22 – Line 20
Slide 5: Filter Expressions – eq, in { }, contains
• Filter on host name(s)
Slide 6: Filter 'Buttons' – Enterprise Extender
• The best filters right at your fingertips
Slide 7: Statistics Flow Graph – Enterprise Extender
• Statistics Flow Graph of UDP 12000 LDLC traffic
• Name resolution done via hosts file
Slide 8: Filter 'Buttons' right where you need them
Slide 9: Switching Profiles: EE –> TCP
Slide 10: Follow TCP Stream: Hidden TLS
Slides 11-12: Edit Preferences: Adding SSL/TLS Ports
Slide 13: Edit Preferences: Providing Master-Secrets
Slide 14: Edit Preferences Columns: Decrypted HTTP2
Slide 15: Coloring rule: Decrypted HTTP2 OK
Slide 16: Filter Button: Eureka!
Slide 17: Edit Preferences: Adding SSL/TLS Ports
Slide 18: Statistics Stream Graph: Stevens
Slide 19: Statistics Stream Graph: Round Trip Time
Slide 20: Statistics Stream Graph: Window Scaling
Slide 21: Display Filters: Slow TCP connections
Slide 22: Display Filters: Slow TCP connections
• Sophisticated filters can be stored in the Profile:
0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360))
Slide 23: Display Filters: up_down tcp.flags&7
• Combine filters to get what you need:
http2.header.name == "server" or tcp.flags&7 or ssl.record.content_type==21
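As an added illustration (not code from the slides) of what the two stored filters on slides 22 and 23 match: the script derives tcp.time_delta the way Wireshark does, per TCP conversation, which in Wireshark requires the TCP preference "Calculate conversation timestamps" to be enabled, and then applies both filters to a constructed capture. The Frame class, its field names and the sample frames are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# TCP flag bits as carried in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Frame:
    no: int          # frame.number
    ts: float        # frame.time_relative, seconds
    stream: int      # tcp.stream
    flags: int       # tcp.flags
    length: int      # tcp.len (payload bytes)
    time_delta: float = 0.0  # tcp.time_delta, derived below

def add_conversation_timestamps(frames: List[Frame]) -> List[Frame]:
    """tcp.time_delta as Wireshark derives it when the TCP preference
    'Calculate conversation timestamps' is on: seconds since the previous
    frame of the same tcp.stream, 0 for a stream's first frame."""
    last_seen: Dict[int, float] = {}
    for f in sorted(frames, key=lambda x: x.no):
        f.time_delta = f.ts - last_seen.get(f.stream, f.ts)
        last_seen[f.stream] = f.ts
    return frames

def is_slow(f: Frame) -> bool:
    """Slide 22: 0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360));
    a delayed-ACK-sized pause before a bare ACK or a short segment, full segments excluded."""
    return 0.19 < f.time_delta < 0.3 and (f.length == 0 or 0 < f.length < 1360)

def is_up_down(f: Frame) -> bool:
    """Slide 23: tcp.flags&7 is true when FIN, SYN or RST is set, which
    isolates connection setup and teardown."""
    return f.flags & (FIN | SYN | RST) != 0

def apply_filter(frames: List[Frame], pred: Callable[[Frame], bool]) -> List[int]:
    """Frame numbers a display filter would leave in the packet list."""
    return [f.no for f in add_conversation_timestamps(frames) if pred(f)]

# Constructed sample capture (not from the slides): stream 0 stalls ~220 ms
# twice before short segments; stream 1 stalls before a full-size segment.
SAMPLE = [
    Frame(1, 0.000, 0, SYN, 0),
    Frame(2, 0.020, 0, SYN | ACK, 0),
    Frame(3, 0.021, 0, ACK, 0),
    Frame(4, 0.030, 1, SYN, 0),
    Frame(5, 0.032, 0, PSH | ACK, 1460),
    Frame(6, 0.045, 1, SYN | ACK, 0),
    Frame(7, 0.250, 0, PSH | ACK, 512),    # 218 ms gap, short segment: slow
    Frame(8, 0.480, 0, ACK, 0),            # 230 ms gap, bare ACK: slow
    Frame(9, 0.500, 0, FIN | ACK, 0),
    Frame(10, 0.900, 1, PSH | ACK, 1460),
    Frame(11, 1.100, 1, PSH | ACK, 1460),  # 200 ms gap but full segment: not slow
    Frame(12, 1.110, 1, RST, 0),
]
```

Because tcp.time_delta is per conversation, the same pause on a busy capture is invisible to frame.time_delta, which is why the slide's filter needs the conversation timestamps preference.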
Slide 24: How many FINs do we need?
• Who is closing the session, and why?
Slide 25: Meet me at SHARE San Antonio, TX 2016
MQ IPCS Socket Analysis – Session 18531
WIRESHARK Introduction – Session 18532
WIRESHARK Hands-On Lab – Session 18533
https://ibm.biz/MQ-Song
https://ibm.biz/MQ-IPCS
https://ibm.biz/SHARKatSHARE
de.linkedin.com/in/mreede, twitter @mreede
Slide 27: WIRESHARK – Wireshark Bootcamp
• Enterprise Extender and TN3270 Profile – SNA over IP Protocols
  – Telnet TCP port 23
  – EE UDP ports 12000-12004
Slide 28: WIRESHARK – Filter Expressions
Slides 29-30: Statistics Conversations
Slide 31: WIRESHARK V2 Statistics IO Graph
• Allows multiple graphs to be drawn
  – Any filter combination
  – Various graph types
    ● Line, Bar, Dot, Square, Diamond
  – More colors
• Can be saved in a Wireshark profile
Slide 32: WIRESHARK V2 Related Packets
• TCP
  – ACK
  – dupACK
• For SMB
  – Create
  – Close REQ
  – Close RSP
Slide 33: Intelligent Scrollbar
• Easy navigation
  – Based on coloring
Slides 34-38: Statistics Stream Graph
• Throughput
  – rwin
  – cwnd
  – RTT
  – Packet Loss
• Window Scaling
  – rwin
  – cwnd
  – RTT
  – Packet Loss
Slide 39: Statistics IO Graph
• SMB Performance
  – rwin
  – cwnd
  – RTT
  – Packet Loss
IO Graph definitions as saved in the profile's io_graphs file (one graph per line; fields are Enabled, Graph Name, Display Filter, Color, Style, Y Axis, Y Field, SMA Period):
```
# This file is automatically generated, DO NOT MODIFY.
"Enabled","Packets","ip","#8c3700","Impulse","Packets/s","","0"
"Enabled","Windowsize","ip.ttl<128","#fce94f","Dot","MAX(Y Field)","tcp.window_size","0"
"Enabled","inFlight","tcp.analysis.bytes_in_flight and ip.ttl==128 and !tcp.analysis.retransmission","#4e9a06","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Enabled","RTT","tcp.srcport==445 and tcp.analysis.ack_rtt < 0.3","#204a87","Line","MAX(Y Field)","tcp.analysis.ack_rtt","0"
"Enabled","GAP","tcp.options.sack_le","#fcaf3e","Bar","MAX(Y Field)","tcp.window_size","0"
"Enabled","DUPACKS","tcp.analysis.duplicate_ack","#fcaf3e","Impulse","MAX(Y Field)","tcp.window_size","0"
"Disabled","RXMIT"," tcp.dstport==445 and tcp.analysis.retransmission","#ef2929","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Disabled","Seq","tcp.dstport==20","#4e9a06","Impulse","MAX(Y Field)","tcp.seq","0"
"Disabled","Ack","tcp.srcport==20","#729fcf","Line","MAX(Y Field)","tcp.ack","0"
"Disabled","Outbound","ip.ttl==64","#2e3436","Impulse","Packets/s","","0"
"Disabled","inbound","!ip.ttl==64","#729fcf","Dot","Packets/s","","0"
```
Slide 40: TCP Stream Graph – Stevens
Slides 41-46: IO Graph – Bytes in Flight vs. Windowsize
Throughput annotations on the graph: 1.3MB/s and 2.6MB/s