Networking Laboratory 1/56

Sungkyunkwan University

Copyright 2000-2014 Networking Laboratory

Introduction to OSI model

and

Network Analyzer :- Introduction to Wireshark

Syed Muhammad Raza – s.moh.raza@gmail.com

Networking Laboratory 2/56

An Overview

Internet Protocol Stack

Networking Laboratory 3/56

Internet Protocol Stack

Consists of five layers

Derived from TCP/IP protocol stack

5. Application

4. Transport

3. Network

2. Link

1. Physical

Networking Laboratory 4/56

Internet Protocol Stack Explained

Animation Video

Explanation of operation and purpose of Internet Protocol

Stack

Networking Laboratory 5/56

Internet Protocol Stack Explained

Animation Video

Networking Laboratory 6/56

Packet Encapsulation

22Bytes 20Bytes 20Bytes 4Bytes

64 to 1500 Bytes

The data is sent down the protocol stack

Each layer adds to the data by prepending headers

Networking Laboratory 7/56

W I R E S H A R K

0010100100101011101010101

Networking Laboratory 8/56

Introduction (1/3)

Network Traffic Trace

► A recording of the network packets both received by and transmitted

from a network interface

What is a pcap file?

► pcap = Packet Capture

► File format originally designed for tcpdump/libpcap

► Most widely used packet capture format

Networking Laboratory 9/56

Introduction (2/3)

What is Wireshark ?

► Formerly known as Ethereal

► Wireshark is a GUI Network Protocol Analyzer

► Follows the rules of the pcap library

► Found at http://www.wireshark.org

► The complete manual is located here

Networking Laboratory 10/56

Introduction (3/3)

Some of its functions

► Capturing network traffic from the interface

► Decodes packets of common protocols

► Displays the network traffic in human-readable format

Some of its uses

► Troubleshoot network problems.

► Learn network protocol internals.

► Debug protocol/program implementation.

► Examine network-related security issues

Networking Laboratory 11/56

Wireshark Startup

Networking Laboratory 12/56

Screen Layout of Wireshark

Packet List

The summary

line, briefly

describing what

the packet is.

Packet Details

A protocol tree is

shown in detail,

allowing you to

drill down deep

your interest

Packet Bytes

shows what the

packet looks like

when it goes

over the wire. Filename Of Current File

Menu

Networking Laboratory 13/56

Basic UI Options (1/2)

Change columns in the packet list to see the information

relevant to you

► Edit -> Preferences ->Columns

Networking Laboratory 14/56

Basic UI Options (2/2)

File -> Open

► Opens a packet capture file.

View -> Time Display Format

► Change the format of the packet timestamps in the packet list pane

► Switch between absolute and relative timestamps.

► Change level of precision.

View -> Name Resolution

► Allow wireshark to resolve names from addresses at different

protocol layers

Networking Laboratory 15/56

Enable Protocols

Networking Laboratory 16/56

Packet Capture

Capture -> Interfaces

► Available network interfaces for capture

► Total packets per interface

► Packet rate per interface

Networking Laboratory 17/56

Capture Options (1/2)

Networking Laboratory 18/56

Capture Options (2/2)

To Specify the interface to be monitored

To Record all traffic even not for you

Only Capture part of the packet

To Store the result in file

Automatic Stop Condition

Only Capture certain packet

Networking Laboratory 19/56

Start Capturing

Networking Laboratory 20/56

Stop Capturing

Networking Laboratory 21/56

Display Packet Captured

Frame #

Ethernet Header

Destination Mac Address Field in Ethernet Header

Networking Laboratory 22/56

Individual Packet Analysis

Packet Details

► Detailed information about the currently selected packet is displayed

in the packet details pane

► All packet layers are displayed in the tree menu

► Any portion of any layer can be exported via a right click and

selecting Export Selected Packet Bytes

Packet Bytes

► Displays the raw packet bytes

► The selected packet layer is highlighted

Networking Laboratory 23/56

Trace Analysis (1/2)

Packet list

► Displays all of the packets in the trace in the order they were

recorded

► Columns

Time – the timestamp at which the packet crossed the interface

Source – the originating host of the packet

Destination – the host to which the packet was sent

Protocol – the highest level protocol that Wireshark can detect

Length – the length in bytes of the packet on the wire

Info – an informational message pertaining to the protocol in the

protocol column

Networking Laboratory 24/56

Trace Analysis (2/2)

Packet list

► Default Coloring

Gray – TCP packets

Black with red letters – TCP Packets with errors

Green – HTTP Packets

Light Blue – UDP Packets

Pale Blue – ARP Packets

Lavender – ICMP Packets

Black with green letters – ICMP Packets with errors

► Colorings can be changed under View -> Coloring Rules

Networking Laboratory 25/56

Column Sorting

Output is Sorted By Frame No By Default

Output is Sorted By Source Address

Networking Laboratory 26/56

Conversation List

Networking Laboratory 27/56

Saving Packets Captured

Networking Laboratory 28/56

Capture Filters

The capture filter syntax follows the rules of the pcap

library

This syntax is different from the display filter syntax

Referring manual page of tcpdump

(http://www.tcpdump.org/tcpdump_man.html )

Sample filters:

► src ip 192.168.1.1

► ether src 00:50:BA:48:B5:EF

Networking Laboratory 29/56

Capture Filters

A capture filter for HTTP than captures traffic to and from a

particular host

► tcp port 80 and host 10.10.10.5

A capture filter for HTTP than captures traffic not from a

particular host

► tcp port 80 and not host 10.10.10.5

A capture filter to and from an Ethernet address

► ether 00:00:01:01:02:22

Networking Laboratory 30/56

Display Filters

C-like symbols, or through English-like abbreviations:

► eq, == Equal

► ne, != Not equal

► gt, > Greater than

► lt, < Less Than

► ge, >= Greater than or Equal to

► le, <= Less than or Equal to

Networking Laboratory 31/56

Display Filters GUI

Quick Way to Learn Display

Filter Commands

Networking Laboratory 32/56

Display Filters GUI

1.

2.

3.

Networking Laboratory 33/56

Display Filters GUI

Networking Laboratory 34/56

Display Filter Examples

Filter examples

► http.request – Display all HTTP requests

► http.request || http.response – Display all HTTP request and

responses

► ip.addr == 127.0.0.1 – Display all IP packets whose source or

destination is localhost

► tcp.len < 100 – Display all TCP packets whose data length is less

than 100 bytes

► http.request.uri matches “(gif)$” - Display all HTTP requests in which

the uri ends with “gif”

► dns.query.name == “www.google.com” - Display all DNS queries for

“www.google.com”

Networking Laboratory 35/56

Follow TCP Stream

Networking Laboratory 36/56

Follow TCP Stream

red - stuff you sent blue - stuff you get

Networking Laboratory 37/56

Expert Info

Networking Laboratory 38/56

Conversations

Networking Laboratory 39/56

Conversations

Networking Laboratory 40/56

IOGraphs

Networking Laboratory 41/56

IOGraphs

Networking Laboratory 42/56

IOGraphs

Networking Laboratory 43/56

IOGraphs

Networking Laboratory 44/56

IOGraphs

Networking Laboratory 45/56

Flow Graphs

Networking Laboratory 46/56

Flow Graphs

Networking Laboratory 47/56

HTTP Analysis

Networking Laboratory 48/56

HTTP Analysis – Load Distribution

Networking Laboratory 49/56

HTTP Analysis – Packet Counter

Networking Laboratory 50/56

HTTP Analysis – Requests

Networking Laboratory 51/56

And there is much much more which you should explore on

your own … Happy Exploring

Networking Laboratory 52/56

Improving WireShark Performance

Don’t use capture filters

Increase your read buffer size

Don’t update the screen dynamically

Get a faster computer

Use a TAP

Don’t resolve names

Networking Laboratory 53/56

Some Useful Information

Wireshark

http://www.wireshark.org

TCPDUMP MAN Page

http://www.tcpdump.org/tcpdump_man.html

IP Protocol

http://www.networksorcery.com/enp/protocol/ip.htm

Networking Laboratory 54/56

Thank you