Workshop Wireshark
Download as PPTX, PDF2 likes2,194 views
This document provides an overview and agenda for a Wireshark workshop. It introduces Wireshark as a network protocol analyzer tool that can perform deep inspection of hundreds of protocols. The workshop will cover how to use the capture screen, perform simple captures, configure capture options, use display filters to analyze specific traffic, and examine sample captures including DNS, HTTP, and ICAP traffic. Annexes provide information on handling duplicate packets, useful Wireshark resources, and HTTP status codes.
Workshop Wireshark
- 1. Wireshark Workshop Fabio Rosa / Systems Engineer
- 2. What is it?! World’s most famous network protocol analyzer Powerful live-capture and display filter Used to be “Ethereal” Deep inspection of hundred of protocols, and more being added each day… Multi-platform, runs on Windows, Linux, OS, Solaris, FreeBSD, NetBSD,VxWorks, Android, and much more. Open/save many capture formats: tcpdump (libpcap), Microsoft Network Monitor, and proprietary (WildPackets *peek, CA Sniffer, RADCOM, and many others) The sponsorship (CACE) recently owned by Riverbed. (Don’t want to talk about it…)
- 3. Agenda: Tool introduction The Capture Screen Performing a Simple Capture Capture options (promiscuous mode, name resolution, buffer size, etc…) Display Filters Sample Capture - DNS and HTTP (www.ebay.com) Sample Capture - ICAP Annex A – Handling Duplicate Packets Annex B – Useful Websites Annex C – HTTP Status Codes.
- 4. Introduction It’s a Network Analyzer! Will capture network packets and display them as detailed as possible Custom Capture: All packets destined to the WS Wkst. Good to sniff traffic intended to the PC or server where Wireshark is installed Promiscuous mode: All packets on the wire Good to sniff communication between multiple devices (ex. From Proxy, sniff DNS, Client, OCS, and so on…) / Diagnose problems. Can be captured on a mirrored port, SPAN or Network TAP for full network visibility. How it works? Network If. Uses the L2 address of FF:FF:FF:FF:FF:FF and parses all packets on the wire, instead of dropping the packets intended to other network devices.
- 5. The Capture Screen Captured Packet List Protocol Decode HEX Decode
- 7. Capture Options Enable Promiscuous mode Limit packet size, if you don’t want to analyze the payload. (Only headers) Personalize Display options Personalize Name Resolution - MAC: vendor list (very useful) Network: RDNS resolution Do not enable … can slow down things Transport: Protocol name (very useful)
- 8. Display Filters Use the filter box to enter the filter expression The expressions can be saved into the Filter Profile, for future use.
- 9. Display Filters (cont.) Filter Expression example: Ethernet Internet Protocol Ip.addr == Ip.src / Ip.dst == Ip.dsfield == 0x00 TIP • You can see the whole expression list using the “Expression” box on the toolbar • Its possible to search options using the “/” key • Use Boolean operators (AND, OR, NOT) TCP Eth.addr == Eth.src / Eth.dst == Eth.vlan.id == Tcp.flag.syn / tcp.flag.ack / tcp.flag.fin == 0 or 1 Application or Protocol HTTP, DNS, ICAP, ICMP, SOCKS… In case a protocol is being decoded by a wrong “dissector” you can change it with the “Decode As…” option.
- 10. Display Filters (cont. 2) You can create filters based on the options, selected directly from the packet capture. Apply as a Filter Prepare as a Filter The filter is applied with the selected parameter The filter expression is written at the “Filter” bar on the top. Colorize as a Filter The packets matched by the filter can be colorized with custom colors.
- 11. Sample Capture #1 Capture: Open www.ebay.com at the browser Open Summary (check throughput, size, packets) Select: “Follow TCP Stream” Configure “Manually Resolve Address” Configure the “Delta Time” column – Check server response time. Show “Statistics > Endpoints” Show “Statistics > Conversations” Show “Statistics > IO Graphs” Extract HTTP objects from the capture “File > Export > Objects > HTTP”
- 12. Sample Capture #2 Open Capture with ICAP example Check Origin and Destination Address Configure “Manually Resolve Address” for Proxy, AV and DNS Create a Display Filter for ICAP traffic only Check server response time on “Delta Time” Select a session and “Follow TCP Stream” Open Summary (check throughput, size, packets) Check server requests, response and health-check. Its also possible to retrieve HTTP objects from an ICAP connection.
- 13. Annex A: Duplicate Packets Dup. Packets due to Network Retransmission If a sending host thinks a packet is not transmitted correctly because of Packet Loss, it might Retransmit that packet. The receiving host might already got the first packet, and will receive a second one, which is a duplicated packet. To remove this packets use the filter: not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission Dup. Packets due to Routing or switching loop. This packets can be seen when sniffing trough a mirrored port or network TAP. Use the “editcap.exe” at %ProgramFiles%/Wireshark/ to remove them. Example: editcap -d capture.pcap dedup.pcap
- 14. Annex B: Useful Websites Download Wireshark! www.wireshark.org This workshop was created using version 1.6.0 Capture examples: http://wiki.wireshark.org/SampleCaptures The SampleCapture area at the wireshark.com website has a good list of capture examples. http://packetlife.net/captures/ One of the greatest IT/Telecom blogs … offer great capture examples and Network Posters with protocol detail.
- 15. Annex C - HTTP Status Codes 1xx – Informational Codes 2xx – Success 200 OK 3xx – Redirection 300 Multiple Choices 301 Moved Permanently 302 Found 304 Not Modified 307 Temporary Redirect 4xx – Client Error 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 410 Gone 5xx – Server Error 500 Internal Server Error 501 Not Implemented 503 Service Unavailable 550 Permission denied
- 16. Questions?