WireShark Intro&Installation

This document provides an introduction and overview of the Wireshark network packet analyzer software. It discusses what Wireshark is, how it works, and how to install, use, and navigate it. Key points include: Wireshark works by putting the network card in promiscuous mode to capture all network traffic, it uses dissectors to analyze and display the packet contents, and it provides various tools for filtering, analyzing, and troubleshooting network traffic.

Uploaded by Juan m.
© All Rights Reserved
Wireshark

Introduction
Topics
• What is Wireshark
• Installing Wireshark
• Capturing Packets
• Setting Preferences
• Navigation and Packet Colorization
• Network Statistics
• Setting Display Filters
• Saving and Printing Captures
What is Wireshark
• Open source packet capture and analysis application
• Original author: Gerald Combs, 1997
• He had been using Sniffer; his new employer could not afford it
• 1998: Ethereal v0.2.0 was born
• 2006: Combs moved to a new company, CACE Technologies; the Ethereal name could not move with him, hence the name change to Wireshark
• CACE also developed WinPcap and AirPcap
How Wireshark Works
• Wireshark puts the NIC into promiscuous mode
– On Windows the WinPcap driver provides this for Ethernet adapters (Wireshark 3.0 and later ship the Npcap driver instead)
– AirPcap adapters provide the equivalent for wireless capture
– Promiscuous mode makes the Ethernet interface accept every frame it sees on the wire, not only broadcast frames and frames addressed to its own MAC
– Caveat: on a switched network the switch still forwards only your own traffic and broadcasts to your port, so promiscuous mode alone is not enough (see Analyzer Placement)
How Wireshark Works
1. Optionally filter the packets we are interested in using a capture filter (we will not be using this feature)
2. Packets are then sent to the capture engine
3. The core capture engine uses the dissectors to decode and display the packets
4. Packets can be further filtered using display filters
1. Switch network card into promiscuous mode
[Diagram: network traffic -> network card -> TCP/IP stack. By default only broadcast traffic, or traffic carrying the NIC's own MAC address, is forwarded up the TCP/IP stack; with WinPcap in promiscuous mode all traffic is forwarded up the stack.]
2. Capture filter and capture engine
[Diagram: network traffic -> network card (WinPcap loaded) -> capture filter -> capture engine. Binary packets rejected by the capture filter are discarded; the capture engine uses the dissectors to sort and display the rest.]
3. Dissectors convert binary data
[Diagram: network traffic -> network card -> WinPcap forwards all traffic in binary -> dissectors -> human-readable text.]
Dissectors
• Dissectors tell Wireshark how to interpret the packets it receives
– They are modular: most are compiled into the epan library, some ship as plugins, and you can add your own (in C or Lua)
• Much valuable info can be learned from the dissector code
• Main code directory
http://anonsvn.wireshark.org/wireshark/trunk/
• Dissectors located at:
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/
(the project has since moved its source to GitLab; the dissectors still live under epan/dissectors/)
Dissect the Wireshark Dissectors
• Frame dissector
• Ethernet dissector: its Type field selects the next dissector
• IPv4 dissector: its Protocol field selects the next dissector
• TCP dissector: its port fields select the next dissector
• HTTP dissector
(c) Chappell University
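The hand-off chain on that slide, as an added example (this is not Wireshark's code and the frame is constructed, not captured): a toy dissector that decodes an Ethernet/IPv4/TCP/HTTP frame, where each layer's demultiplexing field (Ethernet Type, IP Protocol, TCP port) picks the next dissector, exactly as the slide describes. The field names (eth.type, ip.proto, tcp.dstport, http.host) mirror Wireshark's display-filter names; the MAC and client address are the ones used elsewhere in this deck, the server address 10.10.10.80 is made up.

```python
"""Toy dissector chain: Ethernet -> IPv4 -> TCP -> HTTP, selected the way
Wireshark chains its dissectors (Ethernet Type, IP Protocol, TCP port).
Added example modelled on that behaviour, not Wireshark's own code; the
frame it decodes is constructed inline, not a real capture."""
import struct


def dissect_ethernet(data, fields):
    dst, src, eth_type = struct.unpack("!6s6sH", data[:14])
    fields["eth.dst"] = ":".join(f"{b:02x}" for b in dst)
    fields["eth.src"] = ":".join(f"{b:02x}" for b in src)
    fields["eth.type"] = eth_type
    # The Type field picks the next dissector (0x0800 = IPv4, 0x0806 = ARP, ...).
    return ETH_TYPES.get(eth_type), data[14:]


def dissect_ipv4(data, fields):
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields["ip.ttl"] = ttl
    fields["ip.proto"] = proto
    fields["ip.src"] = ".".join(str(b) for b in src)
    fields["ip.dst"] = ".".join(str(b) for b in dst)
    # The Protocol field picks the next dissector (1 = ICMP, 6 = TCP, 17 = UDP).
    # Slicing to total_len drops any Ethernet padding after the IP datagram.
    return IP_PROTOS.get(proto), data[ihl:total_len]


def dissect_tcp(data, fields):
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    hlen = (off_flags >> 12) * 4
    fields["tcp.srcport"], fields["tcp.dstport"], fields["tcp.seq"] = sport, dport, seq
    fields["tcp.flags"] = off_flags & 0x01FF
    # Port lookup, like Wireshark's default port table: either end may match.
    return TCP_PORTS.get(dport) or TCP_PORTS.get(sport), data[hlen:]


def dissect_http(data, fields):
    head, _sep, body = data.decode("ascii", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields["http.request.line"] = lines[0]
    for line in lines[1:]:                       # "Host: x" -> http.host = "x"
        name, _colon, value = line.partition(":")
        fields["http." + name.strip().lower()] = value.strip()
    return None, body.encode()                   # end of the chain


# Demultiplexing tables: field value -> next dissector.
ETH_TYPES = {0x0800: dissect_ipv4}
IP_PROTOS = {6: dissect_tcp}
TCP_PORTS = {80: dissect_http}


def dissect_frame(raw):
    # Frame layer: metadata Wireshark computes itself rather than reads off the wire.
    fields = {"frame.len": len(raw)}
    layers, dissector, data = [], dissect_ethernet, raw
    while dissector is not None and data:
        layers.append(dissector.__name__.replace("dissect_", "", 1))
        dissector, data = dissector(data, fields)
    # Simplified rendering of Wireshark's frame.protocols ("eth:ethertype:ip:tcp:http").
    fields["frame.protocols"] = ":".join(layers)
    return fields


def build_sample_frame():
    """Constructed input: HTTP GET from 192.168.1.2:51000 to 10.10.10.80:80."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 51000, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, bytes([192, 168, 1, 2]), bytes([10, 10, 10, 80]))
    eth = bytes.fromhex("00163eaabbcc" "0122334aad14" "0800")   # dst, src, Type = IPv4
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for name, value in dissect_frame(build_sample_frame()).items():
        print(f"{name:<22}{value}")
```

Swapping the entry in one of the three tables (for example `IP_PROTOS[17]` for a UDP dissector) is all it takes to extend the chain, which is also how a new Wireshark dissector registers itself: it is added to the table keyed by the parent layer's demultiplexing field.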
Wireshark Install
Where to find Wireshark
• You can download Wireshark at this link:
https://www.wireshark.org/download.html
• The download page offers:
– Windows desktop versions
– Portable version (the version used in this course)
– Mac versions
Installation
• Install on your USB storage device.
• After running the installer you have downloaded (WiresharkPortable_2.0.1.paf.exe) you will see:

• Select OK

• Select Next
Installation Continued
• Change the drive to your USB's drive letter or browse to it.
• Be patient, it will take a few minutes.
All Done
• Click Run Wireshark Portable and then Finish
Starting a capture
• Select the Local Area Connection
• Then click the Capture drop-down menu and select Start
Help
• Wireshark specific
– Help tab on the menu bar
– www.wireshark.org
– wiki.wireshark.org
– http://www.wiresharktraining.com
• General protocol info
– www.iana.org
– www.ietf.org
– www.packet-level.com
– www.icir.org/enterprise-tracing
Frame Dissector

• This information is not read from the wire; it is metadata created and calculated by Wireshark itself (arrival time, time deltas, frame length, capture interface)
Layer 2 Dissector

Layer 2
• This is all the information present in the Ethernet
Header
Layer 3 Dissector

Layer 3
• This is all the information present in the IPv4
Header
Layer 4 Dissector

Layer 4
• This is all the information present in the TCP
Header
Layer 5,6,7 Dissector

Layer 5,6,7
• This is all the HTTP header information
• You will see packets scrolling on your screen
• Click on the stop capture icon
Main window, top to bottom:
1. Menu
2. Main toolbar
3. Filter toolbar
4. Packet List pane
5. Packet Details pane
6. Packet Bytes pane
Capturing Packets
• To capture, use the Capture drop-down menu and click Start, or (best choice):
– Select Options
– Select Local Area Connection
– Select Start
Capturing Packets
• Capture to a file
– Care must be taken as you can fill a drive very quickly
– Capture filters can be created that will only capture packets of interest
• Capture filters use a different syntax (libpcap/BPF, e.g. host 192.168.1.2) than display filters (e.g. ip.addr==192.168.1.2), and a packet a capture filter drops is gone for good; a display filter only hides packets that are already in the capture
Navigation
• Moving through the packets can be done by:
– Jump to packet number
– Marking packets Ctrl-m
– Setting Time references
Find Packet
• Packets can be searched for by:
– Display filter
– Hex values
– String
– Regular expression
• Activate the Find toolbar by clicking its icon on the main toolbar, or press Ctrl+F
• Choose the search type from the drop-down menu on the Find toolbar
Sorting Columns
• Click on any column header to sort by its content
– Makes it quick to find packets of a given type
• Time column sort
– In the View drop-down menu
– Select Time Display Format
– Select Seconds Since Previous Displayed Packet
– Then sort on the Time column to find large delays
Network Statistics
From the Statistics menu, select Protocol Hierarchy
Setting Display Filters - Defaults
• Sit back and watch the demo
• Take some good notes
• Sample display filters
ip.addr==192.168.1.2
ip.src==192.168.1.2
ip.dst==192.168.1.2
eth.addr==01:22:33:4a:ad:14
ip.addr==192.168.1.2&&icmp
Setting Display Filters – Packet contents
• Choose any packet and right click on any field
to apply or prepare as a filter
Setting Display Filters – Logical Operators

• == equals (also written eq)
• || or (also written or)
• && and (also written and)
• < less than (also written lt)
• > greater than (also written gt)
• ! not (also written not)
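To make the operator semantics concrete, here is an added example (not Wireshark's code) of a toy evaluator for the display-filter syntax above, run over a few constructed packets that are plain field tables rather than a real capture. It shows the point practitioners most often trip over: a field such as ip.addr occurs twice in one packet (src and dst), and == is true when any occurrence matches, so `tcp.port < 1024 && tcp.port > 1024` can be true for a single packet and `!(ip.addr==192.168.1.2)` is the right way to exclude a host. In Wireshark 3.6 and later `!=` means all occurrences differ, the same as `!(a == b)`, and that is what the evaluator implements; in older releases, including the 2.0 build used in this deck, `!=` meant any occurrence differs, so `ip.addr != 192.168.1.2` matched almost every packet. The field names are Wireshark's; the addresses are the ones from the slide plus made-up peers.

```python
"""Toy evaluator for Wireshark display-filter syntax (==, !=, <, >, <=, >=, !, &&,
||, parentheses, bare protocol names, word forms eq/and/or/not).  Added example
modelled on Wireshark's documented semantics, not its code; packets are constructed."""
import operator
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|==|!=|<=|>=|<|>|&&|\|\||!|"[^"]*"|[^\s()!&|<>=]+)')
WORD_OPS = {"eq": "==", "ne": "!=", "lt": "<", "gt": ">", "le": "<=", "ge": ">=",
            "and": "&&", "or": "||", "not": "!"}
COMPARE = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
           "<=": operator.le, ">=": operator.ge}


def tokenize(text):
    pos, tokens, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        tokens.append(WORD_OPS.get(m.group(1), m.group(1)))   # "and" -> "&&" etc.
        pos = m.end()
    return tokens


class DisplayFilter:
    """Recursive descent, lowest to highest precedence: || then && then ! then primary."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.tree = self._expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected token " + self.toks[self.i])

    def _expr(self):
        return self._binary("||", lambda: self._binary("&&", self._not))

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]

    def _binary(self, op, operand):
        node = operand()
        while self._peek() == op:
            self._take()
            node = (op, node, operand())
        return node

    def _not(self):
        if self._peek() == "!":
            self._take()
            return ("!", self._not())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing )")
            return node
        if self._peek() in COMPARE:
            return ("cmp", tok, self._take(), self._take().strip('"'))
        return ("has", tok)            # bare name: is the protocol/field present?

    def matches(self, pkt, node=None):
        node = node or self.tree
        kind = node[0]
        if kind in ("||", "&&"):
            left, right = self.matches(pkt, node[1]), self.matches(pkt, node[2])
            return (left or right) if kind == "||" else (left and right)
        if kind == "!":
            return not self.matches(pkt, node[1])
        if kind == "has":
            return node[1] in pkt
        _, field, op, literal = node
        values = pkt.get(field, [])
        if not values:                 # absent field: any comparison on it is false
            return False
        hits = [COMPARE[op](v, int(literal, 0) if isinstance(v, int) else literal) for v in values]
        # A field may occur more than once (ip.addr is both src and dst): == holds if
        # ANY occurrence matches, != (Wireshark 3.6 and later) only if ALL differ.
        return all(hits) if op == "!=" else any(hits)


# Constructed packets as field tables (name -> list of values; a bare key such as "icmp"
# records that the protocol is present).  Not a real capture.
SAMPLE_PACKETS = [
    {"frame.number": [1], "eth.addr": ["01:22:33:4a:ad:14", "00:16:3e:aa:bb:cc"],
     "ip.src": ["192.168.1.2"], "ip.dst": ["8.8.8.8"], "ip.addr": ["192.168.1.2", "8.8.8.8"],
     "icmp": [], "icmp.type": [8]},
    {"frame.number": [2], "eth.addr": ["00:16:3e:aa:bb:cc", "01:22:33:4a:ad:14"],
     "ip.src": ["192.168.1.7"], "ip.dst": ["192.168.1.2"], "ip.addr": ["192.168.1.7", "192.168.1.2"],
     "tcp": [], "tcp.port": [51000, 443]},
    {"frame.number": [3], "eth.addr": ["00:16:3e:dd:ee:ff", "00:16:3e:aa:bb:cc"],
     "ip.src": ["10.0.0.9"], "ip.dst": ["10.0.0.1"], "ip.addr": ["10.0.0.9", "10.0.0.1"],
     "udp": [], "udp.port": [53000, 53], "dns": []},
]


def apply_filter(text, packets=SAMPLE_PACKETS):
    """Return the frame numbers the display filter keeps."""
    flt = DisplayFilter(text)
    return [p["frame.number"][0] for p in packets if flt.matches(p)]
```

Try `apply_filter("tcp.port < 1024 && tcp.port > 1024")`: frame 2 is kept, because one of its two port values satisfies each half. When you want "neither end is port X" or "this host is not involved", wrap the positive test in `!(...)` rather than reaching for `!=`, and your filter will behave the same in every Wireshark version.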
Saving Captures
• Watch the demo
• Saving writes a binary capture file; the default format is pcapng (since Wireshark 1.8), and Save As offers the classic libpcap .pcap format and other industry-standard formats
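As an added example of what "industry-standard binary format" means in practice (not Wireshark's code; the two frames are constructed, not captured), here is a minimal writer and reader for the classic libpcap format that Wireshark, tcpdump and most other tools read. It also shows the snaplen mechanism behind the earlier "you can fill a drive very quickly" warning: each record stores both how many bytes were kept on disk and how long the frame really was, so truncating payloads with a small snaplen keeps file size down without losing the headers.

```python
"""Minimal writer and reader for the classic libpcap capture file format
(magic 0xA1B2C3D4, 24-byte file header, 16-byte record header per packet).
Added example, not Wireshark code; the two frames are constructed inline."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets, snaplen=65535):
    """packets: iterable of (timestamp_seconds, frame_bytes).  Frames longer than
    snaplen are truncated on disk, but their original length is still recorded."""
    with open(path, "wb") as fh:
        # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec = int(ts)
            usec = int((ts - sec) * 1_000_000)
            stored = frame[:snaplen]
            fh.write(struct.pack("<IIII", sec, usec, len(stored), len(frame)))
            fh.write(stored)


def read_pcap(path):
    with open(path, "rb") as fh:
        header = fh.read(24)
        magic = struct.unpack("<I", header[:4])[0]
        if magic == 0xA1B2C3D4:
            endian = "<"
        elif magic == 0xD4C3B2A1:          # written on a big-endian host
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng files start with 0x0A0D0D0A)")
        _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", header)
        packets = []
        while True:
            rec = fh.read(16)
            if len(rec) < 16:               # clean end of file (or a truncated record header)
                break
            sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
            data = fh.read(incl_len)
            if len(data) != incl_len:
                raise ValueError("truncated packet record")
            packets.append((sec + usec / 1e6, orig_len, data))
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def sample_frames():
    """Constructed frames: a 42-byte ARP request and a zero-padded 1514-byte IPv4 frame."""
    arp = (bytes.fromhex("ffffffffffff" "0122334aad14" "0806")
           + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                         bytes.fromhex("0122334aad14"), bytes([192, 168, 1, 2]),
                         bytes(6), bytes([192, 168, 1, 1])))
    big = bytes.fromhex("0122334aad14" "00163eaabbcc" "0800") + b"\x45" + bytes(1514 - 15)
    return [(1700000000.0, arp), (1700000000.25, big)]


def roundtrip_demo(snaplen=96):
    """Write the sample frames with a small snaplen, read them back, return the summary."""
    path = os.path.join(tempfile.mkdtemp(), "demo.pcap")
    write_pcap(path, sample_frames(), snaplen=snaplen)
    return read_pcap(path)


if __name__ == "__main__":
    info = roundtrip_demo()
    print("pcap", info["version"], "snaplen", info["snaplen"], "linktype", info["linktype"])
    for ts, orig_len, data in info["packets"]:
        print(f"{ts:.6f}  stored {len(data):4d} of {orig_len:4d} bytes")
```

The file this writes opens in Wireshark as an ordinary capture. The reader deliberately refuses pcapng input: its block-based layout is a different format, which is why a tool that only understands .pcap cannot read Wireshark's default save output without conversion.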
Analyzer Placement
• Hub network
– Place it anywhere; a hub repeats every frame to every port
• Switched network
– The analyzer's port can only hear broadcasts and traffic destined for the analyzer's own MAC
– Solutions
• Hub out the node you wish to listen to
• A hub can also have an issue with speed mismatch (hubs are half-duplex, typically 10/100 Mb/s)
• You need to observe both ends of the problem
• Port mirroring or SPAN (Switched Port Analyzer)
– Be careful how many ports you SPAN: a mirror port that receives more than it can send out is oversubscribed and silently drops frames
• Full-duplex tap
– Aggregated or non-aggregated (non-aggregated needs two capture interfaces, so time sync is essential)
Analyzer Placement
[Diagram: client computer, tap, switch with mirror port, server, router and Internet, showing the two placement options: an inline tap and a switch mirror port.]
Homework
• Do the Using Wireshark practice lab and use the answers you get to complete the quiz.
• You can take the quiz as many times as you want before the end date on the quiz.
• Doing well on this quiz will improve your quiz grade and, more importantly, aid you greatly in all the labs in this course.
