Wireshark Tutorial

Network Packet Analysis… with Wireshark
WHAT YOU HOPE NETWORK PACKET ANALYSIS IS LIKE...
OVERVIEW
• Review of the OSI Model
• Wireshark
– Capturing Packets
– A tour of the Wireshark UI
– Reviewing/Analysing Packets
– Filtering
– Demos
Review of the OSI Model
Our old friend the 7-layer OSI model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Link
1 Physical
LAYER 1: PHYSICAL LAYER
• Transfers a stream of bits
• Defines physical characteristics
– Connectors, pinouts
– Cable types, voltages, modulation
– Fibre types, lambdas
– Transmission rate (bps)
• No knowledge of bytes or frames
101101
LAYER 2: (DATA) LINK LAYER
• Organises data into frames
• May detect transmission errors (corrupt frames)
• May support shared media
– Addressing (unicast, multicast) – who should receive
this frame
– Access control, collision detection
• Usually identifies the L3 protocol carried
• E.g. Ethernet, Wifi
LAYER 3: (INTER)NETWORK LAYER
• Connects Layer 2 networks together
– Forwarding data from one network to another
– These different networks are called subnets (short for sub-network)
• Unified addressing scheme
– Independent of the underlying L2 network(s)
– Addresses organised so that it can scale globally (aggregation)
• Identifies the layer 4 protocol being carried
• Fragmentation and reassembly
• E.g. IP
LAYER 4: TRANSPORT LAYER
• Identifies the endpoint process
– Another level of addressing (port number)
• May provide reliable delivery
– Streams of unlimited size
– Error correction and retransmission
– In-sequence delivery
– Flow control
• Might just be unreliable datagram transport
• E.g. TCP, UDP
LAYERS 5 AND 6
• Session Layer: long-lived sessions
– Re-establish transport connection if it fails
– Multiplex data across multiple transport connections
• Presentation Layer: data reformatting
– Character set translation
• Neither exists as a separate layer in the TCP/IP suite: the application is
responsible for these functions
LAYER 7: APPLICATION LAYER
• The actual work you want to do
• Protocols specific to each application
• E.g. telnet, http, https, imap
ENCAPSULATION
• Each layer provides services to the layer above
• Each layer makes use of the layer below
• Data from one layer is encapsulated in frames of the layer
below
ENCAPSULATION IN ACTION
| L2 hdr | L3 hdr | L4 hdr | Application data |
• L4 segment contains part of the application protocol's byte stream
• L3 datagram contains the L4 segment
• L2 frame carries the L3 datagram in its data portion
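To make the encapsulation chain concrete, here is an added example (written for this page, not code from the slides or from Wireshark itself): a small Python decoder that peels Ethernet, IPv4/IPv6, UDP and DNS off a frame that the same block constructs inside-out. The MAC addresses and the query name are made up; the ports, transaction ID and the 172.16.44.3 to 8.8.8.8 pairing are borrowed from the tcpdump output near the end of the deck so the sample has the shape of that AAAA query. Checksums are left at zero because the frame never touches a wire.

```python
# Added example (not from the slide deck): a minimal layer-by-layer decoder.
# Every header names the protocol stacked above it (Ethernet EtherType,
# IPv4 Protocol / IPv6 Next Header, UDP port), and that is what Wireshark's
# dissectors chain on.  The sample frame is constructed here, not captured.
import ipaddress
import struct
from typing import Dict, List, Tuple

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_UDP, DNS_PORT = 17, 53
QTYPE_NAMES = {1: "A", 28: "AAAA"}
Layer = Dict[str, object]


def parse_ethernet(data: bytes) -> Tuple[Layer, int, bytes]:
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    hdr = {"layer": "Ethernet", "src": src.hex(":"), "dst": dst.hex(":"),
           "ethertype": ethertype}
    return hdr, ethertype, data[14:]          # EtherType selects the L3 parser


def parse_ipv4(data: bytes) -> Tuple[Layer, int, bytes]:
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4                   # header length incl. options
    hdr = {"layer": "IPv4", "src": str(ipaddress.ip_address(src)),
           "dst": str(ipaddress.ip_address(dst)), "ttl": ttl, "proto": proto}
    # total_len bounds the datagram; anything beyond it is Ethernet padding
    return hdr, proto, data[ihl:total_len]


def parse_ipv6(data: bytes) -> Tuple[Layer, int, bytes]:
    _, payload_len, next_hdr, hop, src, dst = struct.unpack(
        "!IHBB16s16s", data[:40])
    hdr = {"layer": "IPv6", "src": str(ipaddress.ip_address(src)),
           "dst": str(ipaddress.ip_address(dst)), "hop_limit": hop,
           "next_header": next_hdr}
    return hdr, next_hdr, data[40:40 + payload_len]


def parse_udp(data: bytes) -> Tuple[Layer, Tuple[int, int], bytes]:
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    hdr = {"layer": "UDP", "sport": sport, "dport": dport, "len": length}
    return hdr, (sport, dport), data[8:length]


def parse_dns(data: bytes) -> Layer:
    """Header plus the first question of an uncompressed DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    labels, pos = [], 12
    while data[pos]:                          # a zero length byte ends the name
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _ = struct.unpack("!HH", data[pos + 1:pos + 5])
    return {"layer": "DNS", "id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qname": ".".join(labels),
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "counts": (qd, an, ns, ar)}


def decode(frame: bytes) -> List[Layer]:
    """Walk the encapsulation chain outside-in; one dict per layer found."""
    hdr, ethertype, payload = parse_ethernet(frame)
    layers = [hdr]
    if ethertype == ETHERTYPE_IPV4:
        hdr, proto, payload = parse_ipv4(payload)
    elif ethertype == ETHERTYPE_IPV6:
        hdr, proto, payload = parse_ipv6(payload)
    else:
        return layers                         # unknown L3: stop, like "Data"
    layers.append(hdr)
    if proto != IPPROTO_UDP:
        return layers
    hdr, ports, payload = parse_udp(payload)
    layers.append(hdr)
    if DNS_PORT in ports and payload:         # port number selects the L7 parser
        layers.append(parse_dns(payload))
    return layers


# --- constructed sample, built inside-out: DNS, then UDP, IPv4, Ethernet ---
def build_query(name: str, qtype: int = 28, txid: int = 42540) -> bytes:
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_frame(dns: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40768, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.ip_address("172.16.44.3").packed,
                     ipaddress.ip_address("8.8.8.8").packed) + udp
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip


SAMPLE_FRAME = build_frame(build_query("www.example.com"))

if __name__ == "__main__":
    for layer in decode(SAMPLE_FRAME):
        print(layer)
```

Running the block prints one dictionary per layer, in the same order the Packet Details pane lists them. Note how each parser returns the demultiplexing key for the next one (EtherType, protocol number, port) together with the trimmed payload; that trimming is why a decoder must honour the IPv4 total length and the UDP length fields rather than "everything to the end of the frame".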
Wireshark
• …is a free and open-source packet analyser.
Downloading
• https://www.wireshark.org/download.html
WELCOME SCREEN
INTERFACE SELECTION
STARTING A CAPTURE
• Click on the Shark icon
• Select Start from the menu
STOPPING A CAPTURE
• Click on the Stop icon
• Select Stop from the menu
SAVING A CAPTURE FILE
• Click on the Save icon
• Select Save from the menu
Sample PCAP files
• https://wiki.wireshark.org/SampleCaptures
OPENING A CAPTURE FILE
• Select the Folder icon
• Select Open from the menu
WHY DO WE NEED MORE THAN TCPDUMP?
Wireshark can give us much more information about a network capture:
full protocol dissection, statistics, conversations and stream reassembly
UI – Overview
UI – Statistics
UI – Protocol Hierarchy
UI – Conversations
UI – Flow Graph
Reviewing captured packets
PACKET LIST
• Columns
– Time – when the packet was captured; by default shown as seconds since
the first packet of the capture (the format can be changed, see below).
– Source – the originating host of the packet.
– Destination – the host to which the packet was sent.
– Protocol – the highest-level protocol that Wireshark can detect.
– Length – the length in bytes of the packet on the wire.
– Info – an informational message pertaining to the protocol in the
Protocol column.
MODIFYING TIME FORMAT
• View > Time Display Format (e.g. Date and Time of Day, Seconds Since
Beginning of Capture, Seconds Since Previous Displayed Packet)
Reviewing specific captured packets
LAYER 2
LAYER 3
Layer 4
Layer 7
RAW PACKET
Demo raw packet highlighting
FILTERING
• Capture Filters
• Display Filters
– Enter Expression Directly
– Use Expressions Editor
FILTERING
Network Interface → Capture Filter → Captured Packets → Display Filter → Displayed Packets
FILTERING – CAPTURE FILTERS
• Capture filters use the pcap/BPF syntax (e.g. host 10.0.0.1 and port 53),
not the display filter syntax
• They are applied before packets are written to the capture: anything
filtered out at capture time is gone and cannot be recovered later, so
when in doubt capture everything and filter at display time
DISPLAY FILTERS – ENTER EXPRESSION DIRECTLY
DISPLAY FILTER EXAMPLES
– http.request – Display all HTTP requests.
– http.request || http.response – Display all HTTP requests and
responses.
– ip.addr == 127.0.0.1 – Display all IP packets whose source or
destination is localhost (ip.addr tests both fields; use ip.src or
ip.dst to test only one).
– tcp.len < 100 – Display all TCP segments whose payload length is
less than 100 bytes.
– http.request.uri matches "(gif)$" – Display all HTTP requests in
which the URI ends with "gif" (matches takes a regular expression and
is case-insensitive by default).
– dns.query.name == "www.google.com" – Display all DNS queries for
"www.google.com".
– To exclude a host write !(ip.addr == 10.0.0.1): the meaning of
ip.addr != 10.0.0.1 changed in Wireshark 4.0 (older versions matched
any packet where either address differed, i.e. almost everything), so
the negated form is the one that behaves the same everywhere.
DISPLAY FILTERS – USE THE EXPRESSIONS EDITOR
FOLLOWING A STREAM
Demo – Telnet
• Don't forget to follow the TCP stream (right-click a packet > Follow >
TCP Stream): Wireshark reassembles the segments in sequence order and
shows the cleartext login and password that telnet sends
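What "Follow TCP Stream" does behind the scenes, as an added example that is not part of the slides and not Wireshark's own code: take one direction of a connection, convert absolute sequence numbers to offsets relative to the initial sequence number (the same relative numbering Wireshark shows), order the segments, drop exact retransmissions, trim partial overlaps and report gaps. The telnet bytes, the initial sequence number (chosen so the numbers wrap past 2^32) and the delivery order are all constructed for the demo.

```python
# Added example (not from the slide deck): reassemble one direction of a
# TCP stream from constructed segments, the way "Follow TCP Stream" does.
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF
Segment = Tuple[int, bytes]          # (absolute TCP sequence number, payload)


def relative(isn: int, seq: int) -> int:
    """Offset of seq into the data stream; the SYN itself consumes isn."""
    return (seq - isn - 1) & MASK32


def reassemble(isn: int, segments: List[Segment]) -> Tuple[bytes, List[str]]:
    """Return the contiguous byte stream plus one note per anomaly seen."""
    stream = bytearray()
    notes: List[str] = []
    expected = 0                     # next relative offset we still need
    pending: Dict[int, bytes] = {}   # out-of-order data keyed by offset
    for seq, payload in segments:
        if not payload:              # pure ACKs carry nothing to reassemble
            continue
        off = relative(isn, seq)
        if off < expected:           # some or all of this was already seen
            overlap = expected - off
            if overlap >= len(payload):
                notes.append(f"retransmission at offset {off} ignored")
                continue
            notes.append(f"partial overlap at offset {off}: {overlap} bytes trimmed")
            payload, off = payload[overlap:], expected
        pending.setdefault(off, payload)   # duplicate of queued data: keep first
        while expected in pending:         # drain whatever is now contiguous
            chunk = pending.pop(expected)
            stream += chunk
            expected += len(chunk)
    if pending:
        notes.append(f"{len(pending)} segment(s) stranded behind a gap "
                     "(data missing from the capture)")
    return bytes(stream), notes


def sample_client_segments(isn: int) -> List[Segment]:
    """Constructed client->server telnet bytes: delivered out of order, with
    an exact duplicate and a partially overlapping retransmission."""
    def at(off: int) -> int:
        return (isn + 1 + off) & MASK32
    return [
        (at(7), b"hun"),             # arrives before the bytes that precede it
        (at(0), b"ali"),
        (at(3), b"ce\r\n"),
        (at(3), b"ce\r\n"),          # exact retransmission
        (at(8), b"unter2\r\n"),      # resent from offset 8, overlaps "un"
    ]


SAMPLE_ISN = 0xFFFFFFFA              # chosen so the sequence numbers wrap past 2^32

if __name__ == "__main__":
    data, notes = reassemble(SAMPLE_ISN, sample_client_segments(SAMPLE_ISN))
    print(data.decode())
    print("\n".join(notes))
```

The point for a telnet capture is that every keystroke of the login reaches the wire in cleartext, so reassembling the client-to-server direction is all it takes to read the credentials; the same ordering logic is also why Wireshark can flag "TCP Retransmission" and "TCP Out-Of-Order" in the Info column.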
MYSTERY
$ tcpdump -n -s 0 -r mystery.pcap
reading from file mystery.pcap, link-type EN10MB (Ethernet)
16:35:03.821897 IP6 2402:f000:1:8e01::5555 > 2607:fcd0:100:2300::b108:2a6b: IP 16.0.0.200 > 192.52.166.154: GREv1, call 6016, seq 430001, ack 539254, length 119: IP 172.16.44.3.40768 > 8.8.8.8.53: 42540+ AAAA? xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678. (71)
16:35:04.035791 IP6 2607:fcd0:100:2300::b108:2a6b > 2402:f000:1:8e01::5555: IP 192.52.166.154 > 16.0.0.200: GREv1, call 17, seq 539320, length 190: IP 8.8.8.8.53 > 172.16.44.3.40768: 42540 NXDomain 0/1/0 (146)
• -n: no name resolution; -s 0: full packet length; -r: read from a file
• Read each line left to right to see the encapsulation: IPv6 carrying IPv4,
carrying GREv1 (PPTP), carrying IPv4, carrying a UDP DNS AAAA query to
8.8.8.8 and, one line later, its NXDomain reply
Thank you