WIRESHARK Basics. Moshe Haviv, January 2010.
Contents What is WIRESHARK? Basic Network Sniffing Display filtering Capture filtering RTP Stream Analysis
What is WIRESHARK? WIRESHARK is a network packet analyzer. On Windows it needs WinPcap installed to capture packets from the network (without it, it can still open and analyze capture files). With AirPcap (a commercial USB adapter) full 802.11 capture and analysis is possible. The latest WIRESHARK version in December 2009 was 1.2.5. It is an open source software project.
Who needs/uses WIRESHARK? Any regular user who wants to know what his/her computer sends to the network and receives from it. R&D engineers debugging their protocol implementations: signaling protocols, and applications that exchange payloads with other network devices/applications. Network administrators troubleshooting their networks. Network security engineers looking for security breaches and deficiencies. Technical personnel who want to learn how the protocols (signaling and media) work.
Installing WIRESHARK. Get the latest version from the official site http://www.wireshark.org/ WIRESHARK can be installed as a binary package, or the source code can be downloaded and built to create a tailored application. With Lua, a lightweight scripting language, new dissectors and fields can be added: http://en.wikipedia.org/wiki/Lua_(programming_language)
Basic WIRESHARK features. WIRESHARK supports hundreds of protocols: http://www.wireshark.org/docs/dfref/ Live capture and offline analysis. Multiplatform support: Windows, Linux, Solaris, Mac OS X. Multiple media types: Ethernet, ATM, etc. Rich VoIP analysis. Captured data browsing in the GUI or in TTY mode (tshark). Reads and writes many capture file formats: tcpdump (libpcap), MS Network Monitor, Network General Sniffer, RADCOM WAN/LAN Analyzer and many others. Output can be exported to XML, PostScript or plain text.
Platform/Media support table (image; its footnotes are reproduced in the notes at the end)
How do we capture packets from the network? Two questions: where to connect, and what do we want to capture? Packets entering/leaving our own computer: the basic architecture. Packets entering/leaving any other equipment connected to the network: the network architecture. Once we know where and how to connect the computer running WIRESHARK (the capturing architecture), we can start basic capturing.
Basic Architecture Capturing. In this architecture the signaling and/or media of the communication starts or ends at the WIRESHARK computer. Connect the NIC(s) you want to collect packets from to the network. Start WIRESHARK. Choose the relevant NIC in the WIRESHARK menu. Start collecting packets. Capturing needs privileged access to the NIC: on Unix-like systems grant that privilege only to the dumpcap capture program (see the Wireshark wiki, CaptureSetup/CapturePrivileges) and run the WIRESHARK GUI as a normal user, because the dissectors parse untrusted network data and should not run as root.
Network Capturing Architecture (diagram)
Network Capture Architecture: both entities connected to a hub (shared media). Simply start capturing.
Network Capture Architecture: multimedia entity/PC connected to a switch (1). Connect WIRESHARK and the network entity to a hub, connect the hub to the switch with an uplink, and start capturing. Caveat: a hub forces the segment to half-duplex and adds collisions, so throughput and timing change, and many devices sold as "hubs" are actually small switches and will not show the other station's traffic.
Network Capture Architecture: multimedia entity/PC connected to a switch (2). Configure port mirroring (SPAN in Cisco terms) on the switch so that the entity's port is copied to the port where WIRESHARK is connected, then start capturing. Caveat: a mirror port carries both directions of the source port, so under load it can exceed the monitor port's capacity and silently drop frames; a network TAP avoids this.
Basic network packet capturing -1-: when you start WIRESHARK you get the following view (screenshot).
Basic network packet capturing -2- (screenshot)
Basic network packet capturing -3- (screenshot)
Basic network packet capturing -4- (screenshot)
WIRESHARK preferences. The GUI can be changed: GUI layout, columns, time format, coloring preferences, field values for specific protocols, and more. Different profiles can be defined and saved.
Basic displayed/captured packet manipulations: forcing a protocol decode onto packets of an unrecognized protocol (Decode As); marking a packet or a group of packets; saving all or part of the captured packets; exporting a trace; printing all or part of the captured packets.
 
 
Display filtering. By changing the display sort field/order: by time/packet number, by source/destination IP/MAC address, by protocol. By marking specific packets manually. By configuring filters on: address, protocol, protocol field value, frame length, string.
Display filtering by changing the display sort order (screenshot)
Display filter configuration. We will configure simple filters: for a specific IP address, for a specific protocol, for a specific field value of a protocol, and compound filters.
Filter elements: filter fields (protocol fields; the full list is at http://www.wireshark.org/docs/dfref/), display field comparison operators, and display filter logical operators, which are used to build complex filters by combining simple ones.
Some basic filter field examples:
ip.src   source IP address
ip.dst   destination IP address
ip.addr  IP address (source or destination)
eth.dst  destination MAC address
A protocol name used alone (udp, sip, http, h225, h245, ...) matches every packet of that protocol. Field names are case-sensitive, so write http, not HTTP.
Protocol fields: h263.dbq, sip.Method, h323.fastStart, rtp.payload, diameter.User-Name, ...
Filter comparison operators. English and C-like operators can be used, even mixed:
eq  ==  equal
ne  !=  not equal
gt  >   greater than
lt  <   less than
ge  >=  greater than or equal
le  <=  less than or equal
Some simple filter examples:
ip.addr == 234.78.12.78
ip.src != 10.0.0.2
sip.Method == REGISTER
h263.unrestricted_motion_vector == 0
sip.from.addr == "sip:39260722@10.7.0.4"
h245.masterSlaveDetermination
Caveat for multi-valued fields such as ip.addr: in this version ip.addr != 10.0.0.2 is true whenever either address differs from 10.0.0.2, which is almost every packet. To exclude a host write !(ip.addr == 10.0.0.2).
How to build a filter from the GUI: type your filter in the filter toolbar and click "Apply".
How to build a filter from the GUI -2- (screenshot)
(screenshot: a display filter that shows only the H.245 packets)
Filter save/activate. Filters can be saved and edited by clicking the edit/apply filter button; a new window opens.
Display filter logical operators. These are used to build compound filters from simple expressions. When in doubt, use parentheses to make the precedence explicit. The logical operators have both an English and a C-like syntax:
and  &&  logical and
or   ||  logical or
xor  ^^  logical xor
not  !   logical not
[...]    substring (slice) operator
Capture filtering. While capturing, packets are written to a temporary file on the computer. We can configure WIRESHARK to capture directly to a single file or to a ring of multiple files. On a busy network, or for long captures, the file/buffer sizes can overwhelm the computer or even crash it. To avoid accumulating huge files, apply a capture filter whenever we know what we are looking for.
Capture filtering -2-. WIRESHARK uses the libpcap filter language for capture filtering; details are at http://www.tcpdump.org/tcpdump_man.html Capture filters are not display filters: they use a different syntax (BPF primitives and byte offsets rather than dissected field names), they are activated differently, and they cannot express everything a display filter can.
Capture filtering -3- (screenshot)
Capture filtering -4-: activating a capture filter. Choose the relevant capture filter in Capture Options, then start capturing.
Capture filtering -5- (screenshot)
Capture filtering -6- (screenshot)
Capture filter syntax by examples:
host 192.168.122.23   packets from or to 192.168.122.23
src host 10.0.0.5   packets sent by 10.0.0.5
tcp port 23 and host 10.0.0.5   telnet traffic, in either direction, involving 10.0.0.5
ether src 00:11:6b:80:47:96   frames sent by that MAC address
tcp port 23 and not src host 10.0.0.5   telnet traffic except what 10.0.0.5 sends
ip multicast   IPv4 multicast packets
Basic capture filter syntax (libpcap/BPF primitives):
[src|dst] host <host>
ether [src|dst] host <ehost>
[src|dst] net <net> [{mask <mask>}|{len <len>}]
[tcp|udp] [src|dst] port <port>
less|greater <length>
Primitives are combined with and, or and not, and grouped with parentheses.
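The filters from the last few slides, worked in code. This is an added example and not code from the deck: it builds a handful of constructed Ethernet/IPv4/TCP/UDP frames, writes them in libpcap format (which WIRESHARK opens directly) so the same filters can be checked in the GUI, and evaluates the deck's capture-filter examples plus a few display-filter examples (from "Some simple filter examples" and the substring operator on the logical-operators slide) as predicates over Wireshark-style field names. The addresses 10.0.0.5, 192.168.122.23, 10.0.0.2 and the MAC 00:11:6b:80:47:96 come from the slides; the other MACs, the OUI 00:00:83 and the traffic mix are constructed for the example.

```python
"""Constructed frames, a libpcap writer, and the deck's filters as predicates.
Added example for the Wireshark Basics deck; not the deck's own code."""
import socket
import struct

# Addresses: the deck's hosts and "ether src" MAC; the rest is constructed.
HOST_A, HOST_B, HOST_C = "10.0.0.5", "192.168.122.23", "10.0.0.2"
MAC_A, MAC_B, MAC_C = "00:11:6b:80:47:96", "00:0c:29:aa:bb:cc", "00:00:83:12:34:56"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; a header carrying a correct checksum folds to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(eth_src, eth_dst, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 + a minimal TCP (SYN) or UDP header, proto in {"tcp", "udp"}."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
        ip_proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        ip_proto = 17
    l4 += payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, ip_proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return _mac(eth_dst) + _mac(eth_src) + b"\x08\x00" + ip_hdr + l4


def parse_frame(frame: bytes) -> dict:
    """Decode the fields the filters below need, named as Wireshark names them.
    ip.addr, tcp.port and udp.port are multi-valued, exactly as in Wireshark."""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {"eth.src": frame[6:12].hex(":"), "eth.dst": frame[0:6].hex(":"),
            "ip.src": src_ip, "ip.dst": dst_ip, "ip.addr": (src_ip, dst_ip),
            "tcp.port": (sport, dport) if proto == 6 else (),
            "udp.port": (sport, dport) if proto == 17 else ()}


def pcap_bytes(frames, t0=1262304000):
    """libpcap format: 24-byte global header (magic, version 2.4, zone, sigfigs,
    snaplen, link type 1 = Ethernet) then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed traffic: two telnet sessions to HOST_B, one mDNS multicast, one SIP datagram.
FRAMES = [
    build_frame(MAC_A, MAC_B, HOST_A, HOST_B, "tcp", 40001, 23),
    build_frame(MAC_B, MAC_A, HOST_B, HOST_A, "tcp", 23, 40001),
    build_frame(MAC_C, MAC_B, HOST_C, HOST_B, "tcp", 40002, 23),
    build_frame(MAC_A, "01:00:5e:00:00:fb", HOST_A, "224.0.0.251", "udp", 5353, 5353),
    build_frame(MAC_C, MAC_A, HOST_C, HOST_A, "udp", 5060, 5060),
]

# The deck's libpcap capture-filter examples. "host" means either address;
# "ip multicast" is libpcap's test that the first destination byte is >= 224.
CAPTURE_FILTERS = {
    "host 192.168.122.23": lambda p: HOST_B in p["ip.addr"],
    "src host 10.0.0.5": lambda p: p["ip.src"] == HOST_A,
    "tcp port 23 and host 10.0.0.5": lambda p: 23 in p["tcp.port"] and HOST_A in p["ip.addr"],
    "ether src 00:11:6b:80:47:96": lambda p: p["eth.src"] == MAC_A,
    "tcp port 23 and not src host 10.0.0.5": lambda p: 23 in p["tcp.port"] and p["ip.src"] != HOST_A,
    "ip multicast": lambda p: socket.inet_aton(p["ip.dst"])[0] >= 224,
}

# Display filters over multi-valued fields. In the 1.x releases the deck covers
# "ip.addr != X" is true if ANY of the two addresses differs from X, which selects
# almost every packet; "!(ip.addr == X)" is what people usually mean. (Wireshark
# 3.6 changed "!=" to "all values differ"; an explicit any_ne operator keeps the
# old behaviour.)  eth.src[0:3] is the deck's substring/slice operator.
DISPLAY_FILTERS = {
    "ip.addr == 10.0.0.2": lambda p: any(a == HOST_C for a in p["ip.addr"]),
    "ip.addr != 10.0.0.2": lambda p: any(a != HOST_C for a in p["ip.addr"]),
    "!(ip.addr == 10.0.0.2)": lambda p: not any(a == HOST_C for a in p["ip.addr"]),
    "ip.src != 10.0.0.2": lambda p: p["ip.src"] != HOST_C,
    "eth.src[0:3] == 00:00:83": lambda p: p["eth.src"].startswith("00:00:83"),
}


def match(filters, frames):
    """Map each filter string to the number of frames it selects."""
    parsed = [parse_frame(f) for f in frames]
    return {expr: sum(1 for p in parsed if pred(p)) for expr, pred in filters.items()}


if __name__ == "__main__":
    with open("constructed.pcap", "wb") as f:   # open in Wireshark, apply the same filters
        f.write(pcap_bytes(FRAMES))
    for table in (CAPTURE_FILTERS, DISPLAY_FILTERS):
        for expr, n in match(table, FRAMES).items():
            print(f"{n}/{len(FRAMES)}  {expr}")
```

Running the script writes constructed.pcap; opening it in WIRESHARK and typing each display filter into the toolbar, or each capture filter into tshark/tcpdump with -r, should select the same frame counts the script prints. The interesting row is "ip.addr != 10.0.0.2", which selects all five frames although only two involve 10.0.0.2.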
Statistics and data analysis. We can get graphical or textual statistics, in real time or from a capture file: statistics per protocol, VoIP call visualization, RTP stream analysis.
Statistics menu: Statistics -> Summary (screenshot)
Statistics menu: Statistics -> Protocol Hierarchy (screenshot)
I/O statistics, real time or offline (screenshot)
VoIP statistics: Statistics -> VoIP Calls (screenshot)
VoIP statistics: Statistics -> VoIP Calls, continued (screenshot)
RTP stream analysis. WIRESHARK can identify the separate RTP streams in a capture and retrieve per-stream parameters: total RTP packets, lost packets (from the sequence numbers), delta (the arrival-time difference between consecutive packets) and jitter.
RTP streams, outline: Statistics -> RTP -> Show All Streams (screenshot)
RTP streams, outline: Statistics -> RTP -> Show All Streams, choose one of the streams -> Analyze (screenshot)
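The figures behind the RTP analysis window, as an added example that is not part of the original deck. The packets are constructed inline: two streams (two SSRCs), payload type 0 at an assumed 8000 Hz clock with 20 ms packetisation, one packet dropped and one delayed. The code separates the streams and computes what WIRESHARK reports per stream: packet count, loss from the sequence numbers, the largest inter-arrival delta, and the RFC 3550 interarrival jitter. Sequence-number wraparound at 65535 is not handled, which is a simplification relative to WIRESHARK.

```python
"""RTP stream separation and RFC 3550 statistics over constructed packets.
Added example for the Wireshark Basics deck; not the deck's own code."""
import struct

CLOCK_RATE = 8000   # assumed payload clock: G.711, payload type 0


def build_rtp(seq, timestamp, ssrc, pt=0, marker=False, payload=b"\xff" * 160):
    """Minimal 12-byte RTP header (V=2, no padding/extension/CSRC) plus payload."""
    b1 = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", 0x80, b1, seq, timestamp, ssrc) + payload


def parse_rtp(data):
    """Return the header fields the analysis needs; rejects non-version-2 packets."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F, "marker": bool(b1 & 0x80)}


def analyse_streams(packets, clock_rate=CLOCK_RATE):
    """packets: iterable of (arrival_time_seconds, rtp_bytes), any stream order.
    Per SSRC: packets seen, packets expected from the sequence numbers, lost,
    largest inter-arrival delta (ms, "Delta" in Wireshark) and RFC 3550 jitter (ms).
    Sequence wraparound is not handled (simplification)."""
    streams = {}
    for arrival, data in packets:
        hdr = parse_rtp(data)
        s = streams.setdefault(hdr["ssrc"], {"count": 0, "first_seq": hdr["seq"],
                                             "max_seq": hdr["seq"], "max_delta": 0.0,
                                             "jitter": 0.0, "prev": None})
        s["count"] += 1
        s["max_seq"] = max(s["max_seq"], hdr["seq"])
        if s["prev"] is not None:
            prev_arrival, prev_ts = s["prev"]
            delta = arrival - prev_arrival
            s["max_delta"] = max(s["max_delta"], delta)
            # RFC 3550 6.4.1: D = (Rj - Ri) - (Sj - Si) in timestamp units,
            # J = J + (|D| - J) / 16.  A lost packet does not add jitter: both
            # the arrival gap and the timestamp gap double, so D stays 0.
            d = delta * clock_rate - (hdr["ts"] - prev_ts)
            s["jitter"] += (abs(d) - s["jitter"]) / 16
        s["prev"] = (arrival, hdr["ts"])
    result = {}
    for ssrc, s in streams.items():
        expected = s["max_seq"] - s["first_seq"] + 1
        result[ssrc] = {"packets": s["count"], "expected": expected,
                        "lost": expected - s["count"],
                        "max_delta_ms": round(s["max_delta"] * 1000, 3),
                        "jitter_ms": round(s["jitter"] / clock_rate * 1000, 3)}
    return result


def constructed_capture():
    """Constructed input: stream 0xDEADBEEF loses seq 105 and has seq 107 arrive
    10 ms late; stream 0xCAFEBABE is clean. Returned in arrival order."""
    pkts = []
    for i in range(10):
        seq = 100 + i
        if seq == 105:
            continue                                   # dropped on the way
        arrival = i * 0.020 + (0.010 if seq == 107 else 0.0)
        pkts.append((arrival, build_rtp(seq, 1000 + i * 160, 0xDEADBEEF)))
    for i in range(5):
        pkts.append((0.005 + i * 0.020, build_rtp(5000 + i, 4000 + i * 160, 0xCAFEBABE)))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    for ssrc, stats in analyse_streams(constructed_capture()).items():
        print(f"SSRC 0x{ssrc:08X}: {stats}")
```

For the delayed stream the late packet adds 80 timestamp units of |D| twice (once when it arrives late, once when the next packet arrives "early" relative to it) and the jitter estimate decays by 1/16 on every regular packet afterwards, which is why the reported value is a fraction of the 10 ms delay. The dropped packet shows up only as lost = 1, exactly as in the WIRESHARK analysis window.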
 
References and important URLs: http://www.wireshark.org/ http://www.wireshark.org/docs/ http://www.winpcap.org/ http://wiki.wireshark.org/CaptureSetup/NetworkMedia http://wiki.wireshark.org/Preferences http://www.wireshark.org/lists/wireshark-bugs/ http://www.cs.columbia.edu/irt/software/rtptools/

Presenter notes (from the original deck, keyed to the slide they accompany)
#4 (What is WIRESHARK?): Wireshark can display, analyze and collect packets from the network.
#6 (Installing WIRESHARK): Information on Lua can be found at http://en.wikipedia.org/wiki/Lua_(programming_language) or in the WIRESHARK user manual. By default Lua is disabled; enable it by editing the init.lua file in the WIRESHARK global configuration directory and changing disable_lua from true to false. When WIRESHARK starts with Lua enabled it then runs the init.lua from the user's configuration directory.
#7 (Basic WIRESHARK features): The full list of protocols can be found
#8 (Platform/Media support table), footnotes to the table: 1. Linux Affix Bluetooth stack only. 2. PPP non-control frames only. 3. Latest libpcap CVS required. 4. On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the capturing machine. 5. Windows does not have a UNIX-style loopback interface.
#10 (Basic Architecture Capturing): In this architecture the PC running WIRESHARK is assumed to run the multimedia software as well: a softphone such as eConf from France Telecom, SJPhone (an Asterisk-based softphone), IP Softphone 6.x from Avaya, etc. Alternatively the computer is third-party equipment that sends commands to, or receives information from, another network element directly involved in the call, for example a web interface that manages the gateway, the SIP proxy or the multimedia system.
#11 (Network Capturing Architecture): We assume that we want to capture signaling and/or RTP packets from the multimedia equipment.
#12 (hub): On a hub (shared media) all packets can be observed: unicasts to other stations as well as to ours, multicasts and broadcasts.
#13 (switch, via a hub): On a switch, unicast packets not addressed to the capturing station cannot be seen, apart from frames the switch floods because it has not yet learned their destination.
#14 (port mirroring): Most mid-priced Ethernet switches support port mirroring (copying). When mirroring is configured from one switch port (source) to another (destination), packets entering or leaving the source port also appear on the destination port; the reverse is not true. In more sophisticated networks it is even possible to see all the traffic of a port or VLAN on a port of another switch (Cisco supports this). Cisco calls port mirroring SPAN (Switched Port Analyzer). http://wiki.wireshark.org/SwitchReference
#15 (Basic network packet capturing -1-): After choosing an interface in the window shown in the background of the picture and then stopping the capture, you get the small window for choosing the same or another interface.
#16 (Basic network packet capturing -2-): Capture -> Interfaces -> Options lets you choose the interface to collect packets from. There are some important fields here.
#17 (Basic network packet capturing -3-): "Capture packets in promiscuous mode": if you do not tick it you will only see packets addressed to your computer (plus broadcasts and multicasts), unless another process has already put the NIC into promiscuous mode. Promiscuous mode does not make a switch send you other stations' traffic; see the capture architectures above. Display options: "Update list of packets in real time" shows packets while capturing; if not ticked, packets become visible only after the capture is stopped. "Automatic scrolling in live capture" keeps the view scrolled to the last captured packet. "Hide capture info dialog": if not ticked you already see some statistics while capturing (percentage of specific protocols, total packets captured, etc.). While capturing, packets are held in a small buffer. It is possible to save packets during the capture into a single file or into multiple files by limiting the size of each file. Clicking Start begins the capture.
#19 (WIRESHARK preferences): From the main WIRESHARK window choose Edit -> Preferences. Some useful fields: Time format, normally relative, with the first packet arriving at 0.000 seconds. You can choose absolute time, or set one packet's arrival as the reference from which all other arrival times are recomputed.
#20 (Basic packet manipulations): Some protocols have no default port number, or run on an unrecognized port, so we need to tell WIRESHARK how to parse them (Analyze -> Decode As...).
#24 (Display filtering by sort order): The display above was obtained on a previously captured file. It is ordered by source address, achieved by clicking on the "Source" column header. Other orderings can be used; I advise playing with it.
#25 (Display filter configuration): Compound filters are built by combining simple filters with logical operators such as "and" and "or".
#26 (Filter elements): A simple filter example: ip.addr == 192.168.1.1
#28 (Filter comparison operators): Examples: frame.len < 30; ip.src ne 10.0.0.5; ip.addr == 123.78.10.34
#31 (How to build a filter from the GUI -2-): You do not need to know the exact syntax of a filter expression; the WIRESHARK GUI helps. Clicking the "Expression" button opens the window shown above. Click the "+" sign of the relevant protocol, all its fields appear, and you can easily build the filter you want. As with a typed filter, the last step is to press "Apply" to display the packets selected by the filter. You can filter the display in real time while capturing as well as on a capture file. In real time you may get the impression that it is also capturing according to that filter. It is not: a display filter never limits what is captured or written to the file; only a capture filter does.
#32 (screenshot following "How to build a filter from the GUI -2-"): When activated, the filter shown displays only the H.245 packets among all the captured packets.
#33 (Filter save/activate): The lines in the filter window are the defined filters. To define and save a new filter: 1. click New; 2. type the name of the filter (free text); 3. type the filter string; 4. click OK. The filter is now saved; next time the edit/apply filter button is clicked, its name also appears in the list. Choosing a filter and clicking Apply activates it.
#35 (Display filter logical operators, continued): Among the operators the most interesting is the substring (slice) operator, which has two forms. [n:m]: n is the offset of the first byte and m the number of bytes; for example eth.src[0:3] == 00:00:83 selects frames whose source MAC address starts with those three bytes. [n-m]: n is the first and m the last byte offset; the same filter in this form is eth.src[0-2] == 00:00:83. This is useful for finding packets from or to NICs of a specific vendor, since the first three bytes of a MAC address are the vendor's OUI. Another simple compound example: (ip.src == 10.0.0.1) and (ip.dst == 10.0.0.3)
#38 (Capture filtering -3-): Clicking the capture filter button opens a small window. To configure a new capture filter click "New". By default both the name and the filter string are "new"; change the name and enter a capture filter string as explained on the following slides. If some capture filters are already defined, as in the picture above, simply choose one and edit it as needed. At this stage you have only saved the new filter.
#41 (Capture filtering -6-): Clicking on the new1 filter also shows the filter text. In this example we are interested in capturing packets from/to IP address 192.168.122.123.
#49 (VoIP statistics, continued): Statistics -> VoIP Calls, click one of the calls in the new window, then Graph. Clicking any SIP message in the graph selects that packet in the packet list.
#50 (RTP stream analysis): The delta and jitter values are computed from arrival times at the capturing station, not end to end from source to destination. An end-to-end measurement needs captures at both the source and the destination.