Wireshark Tutorial, Wireshark Tutorial, Wireshark Tutorial
- 1. Wireshark Tutorial These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Network Startup Resource Center www.ws.nsrc.org
- 2. Who am I? • Dean Pemberton • Long time network engineer – Ascend – Lucent – Juniper – Telstra NZ • Now in network security with www.cassini.nz
- 3. Thanks to… … for letting me use their office to present from
- 4. Network Packet Analysis… with Wireshark
- 5. What you hope network packet analysis is like... Photo by Mick Haupt on Unsplash
- 6. What network packet analysis is really like!
- 7. Overview • Review of the OSI Model • Wireshark – Capturing Packets – A tour of the Wireshark UI – Reviewing/Analysing Packets – Filtering – Demos
- 8. Review of the OSI Model
- 9. Application Presentation Session Transport Network Link Physical 7 6 5 4 3 2 1 Our old friend the 7-layer OSI model
- 10. 101101 Layer 1: Physical Layer • Transfers a stream of bits • Defines physical characteristics – Connectors, pinouts – Cable types, voltages, modulation – Fibre types, lambdas – Transmission rate (bps) • No knowledge of bytes or frames
- 11. Layer 2: (Data) Link Layer • Organises data into frames • May detect transmission errors (corrupt frames) • May support shared media –Addressing (unicast, multicast) – who should receive this frame –Access control, collision detection • Usually identifies the L3 protocol carried • E.g. Ethernet, Wifi
- 12. Layer 3: (Inter)Network Layer • Connects Layer 2 networks together – Forwarding data from one network to another – These different networks are called subnets (short for sub-network) • Unified addressing scheme – Independent of the underlying L2 network(s) – Addresses organised so that it can scale globally (aggregation) • Identifies the layer 4 protocol being carried • Fragmentation and reassembly • E.g. IP
- 13. Layer 4: Transport Layer • Identifies the endpoint process – Another level of addressing (port number) • May provide reliable delivery – Streams of unlimited size – Error correction and retransmission – In-sequence delivery – Flow control • Might just be unreliable datagram transport • E.g. TCP, UDP
- 14. Layers 5 and 6 • Session Layer: long-lived sessions – Re-establish transport connection if it fails – Multiplex data across multiple transport connections • Presentation Layer: data reformatting – Character set translation • Neither exist in the TCP/IP suite: the application is responsible for these functions
- 15. Layer 7: Application layer • The actual work you want to do • Protocols specific to each application • E.g. telnet, http, https, imap
- 16. Encapsulation • Each layer provides services to the layer above • Each layer makes use of the layer below • Data from one layer is encapsulated in frames of the layer below
- 17. L2 hdr L3 hdr L4 hdr Application data Encapsulation in action • L4 segment contains part of stream of application protocol • L3 datagram contains L4 segment • L2 frame has L3 datagram in data portion
- 18. Wireshark • …is a free and open-source packet analyser.
- 20. Welcome Screen
- 22. Starting a capture • Click on the Shark icon • Select Start from the menu
- 23. Stopping a Capture • Click on the Stop icon • Select Stop from the menu
- 24. Saving a capture file • Click on the Save icon • Select Save from the menu
- 25. Sample PCAP files • https://wiki.wireshark.org/SampleCaptures
- 26. Opening a capture file • Select the Folder icon • Select Open from the menu
- 27. Why do we need more than tcpdump?
- 28. Wireshark can give us much more information about a network capture
- 29. UI – Overview
- 31. UI - Statistics
- 32. UI – Protocol Hierarchy
- 37. UI – Flow Graph
- 40. Packet List
- 41. Packet List • Columns – Time – the timestamp at which the packet crossed the interface. – Source – the originating host of the packet. – Destination – the host to which the packet was sent. – Protocol – the highest-level protocol that Wireshark can detect. – Length – the length in bytes of the packet on the wire. – Info – an informational message pertaining to the protocol in the protocol column.
- 44. Reviewing specific captured packets
- 45. Layer 2
- 46. Layer 3
- 47. Layer 4
- 48. Layer 7
- 49. Raw Packet
- 50. Demo raw packet highlighting
- 51. Remember this?
- 52. Filtering • Capture Filters • Display Filters – Enter Expression Directly – Use Expressions Editor
- 54. Filtering – Capture Filters
- 55. Display Filters – Enter Expression Directly
- 56. Display Filter examples – http.request – Display all HTTP requests. – http.request || http.response – Display all HTTP request and responses. – ip.addr == 127.0.0.1 – Display all IP packets whose source or destination is localhost. – tcp.len < 100 – Display all TCP packets whose data length is less than 100 bytes. – http.request.uri matches “(gif)$” - Display all HTTP requests in which the uri ends with “gif”. – dns.query.name == “www.google.com” - Display all DNS queries for “www.google.com”.
- 57. Display Filters – Use the expressions editor
- 64. Demo – Telnet • Don’t forget to follow the TCP stream
- 65. Demo – SIP • Don’t forget to play the telephone call
- 66. Demp – BGP • Don’t forget to look for the disconnect message
- 67. Mystery $ tcpdump -n -s 0 -r mystery.pcap reading from file mystery.pcap, link-type EN10MB (Ethernet) 16:35:03.821897 IP6 2402:f000:1:8e01::5555 > 2607:fcd0:100:2300::b108:2a6b: IP 16.0.0.200 > 192.52.166.154: GREv1, call 6016, seq 430001, ack 539254, length 119: IP 172.16.44.3.40768 > 8.8.8.8.53: 42540+ AAAA? xqt-detect-mode2-97712e88-167a-45b9-93ee- 913140e76678. (71) 16:35:04.035791 IP6 2607:fcd0:100:2300::b108:2a6b > 2402:f000:1:8e01::5555: IP 192.52.166.154 > 16.0.0.200: GREv1, call 17, seq 539320, length 190: IP 8.8.8.8.53 > 172.16.44.3.40768: 42540 NXDomain 0/1/0 (146)
- 69. Demo – GRE
- 70. Demo – OSPF over GRE
- 71. Extending Wireshark - Lua • Too long for this tutorial. • https://wiki.wireshark.org/Lua/Dissectors
- 72. Questions?
- 73. Thank you