Networking Laboratory 1/56
Sungkyunkwan University
Copyright 2000-2014 Networking Laboratory
Introduction to OSI Model and Network Analyzer: Introduction to Wireshark
Syed Muhammad Raza – [email protected]
An Overview
Internet Protocol Stack
Internet Protocol Stack
Consists of five layers
Derived from TCP/IP protocol stack
5. Application
4. Transport
3. Network
2. Link
1. Physical
Internet Protocol Stack Explained
Animation Video
Explanation of the operation and purpose of the Internet Protocol Stack
Packet Encapsulation
[Figure: encapsulation diagram with header sizes 22 bytes, 20 bytes, 20 bytes and 4 bytes; frame size 64 to 1500 bytes]
The data is sent down the protocol stack
Each layer adds to the data by prepending headers
Wireshark
Introduction (1/3)
Network Traffic Trace
► A recording of the network packets both received by and transmitted from a network interface
What is a pcap file?
► pcap = Packet Capture
► File format originally designed for tcpdump/libpcap
► Most widely used packet capture format
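The encapsulation slide and the pcap description above can be made concrete in a few dozen lines. The Python below is an added example, not code from the slides or from the Wireshark or libpcap projects; the addresses, ports and HTTP request are constructed, and `build_frame`, `write_pcap`, `read_pcap` and `decode_frame` are names chosen here. It builds one frame by prepending TCP, IPv4 and Ethernet headers in turn, wraps it in the pcap global and record headers, and then parses it back the way a dissector would, refusing a bad magic number or a truncated record rather than reading past the buffer.

```python
import struct
from ipaddress import ip_address

# Constructed sample values (not from a real capture).
SAMPLE_PAYLOAD = b"GET /logo.gif HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp pcap magic
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read with the other byte order
LINKTYPE_ETHERNET = 1


def build_frame(payload: bytes) -> bytes:
    """Send data down the stack: TCP, then IP, then Ethernet each prepend a header.

    Checksums are left at zero for brevity.
    """
    # TCP (20 bytes, no options): src port, dst port, seq, ack, data offset (5 words << 4),
    # flags PSH|ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4 (20 bytes, no options): version/IHL, TOS, total length, id, flags/fragment,
    # TTL, protocol (6 = TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     ip_address("10.10.10.5").packed, ip_address("192.168.1.1").packed)
    # Ethernet II (14 bytes): dst MAC, src MAC, EtherType 0x0800 (IPv4). The preamble and
    # the 4-byte FCS exist on the wire but are normally not stored in a pcap record.
    eth = struct.pack("!6s6sH", bytes.fromhex("005000000001"),
                      bytes.fromhex("0050ba48b5ef"), 0x0800)
    return eth + ip + tcp + payload


def write_pcap(frames, ts_sec=1_400_000_000) -> bytes:
    """Serialize frames into the pcap container: 24-byte global header, then
    a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts_sec + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Parse a pcap byte string into (timestamp, frame bytes, original length) tuples."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset, records = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        # A record claiming more bytes than the snaplen or than remain in the file is corrupt
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {offset - 16}")
        records.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len], orig_len))
        offset += incl_len
    return records


def decode_frame(frame: bytes) -> dict:
    """Peel the headers back off in link, network, transport order."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    fields = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return fields
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = \
        struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    fields.update({"ip.src": str(ip_address(s)), "ip.dst": str(ip_address(d)),
                   "ip.proto": proto, "ip.ttl": ttl, "ip.len": total_len})
    if proto != 6 or len(frame) < 14 + ihl + 20:
        return fields
    toff = 14 + ihl
    sport, dport, _seq, _ack, doff_byte, flags = struct.unpack_from("!HHIIBB", frame, toff)
    payload = frame[toff + (doff_byte >> 4) * 4:14 + total_len]
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags,
                   "tcp.len": len(payload), "payload": payload})
    return fields


def demo():
    """Round trip: build a frame, store it as pcap, read it back, dissect it."""
    pcap_bytes = write_pcap([build_frame(SAMPLE_PAYLOAD)])
    return [decode_frame(frame) for _ts, frame, _orig in read_pcap(pcap_bytes)]
```

Writing the result of `write_pcap` to a file with a `.pcap` extension gives something Wireshark will open, which is a quick way to see each of the three headers appear as its own subtree in the Packet Details pane.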
Introduction (2/3)
What is Wireshark?
► Formerly known as Ethereal
► Wireshark is a GUI Network Protocol Analyzer
► Follows the rules of the pcap library
► Found at http://www.wireshark.org
► The complete manual is located here
Introduction (3/3)
Some of its functions
► Captures network traffic from an interface
► Decodes packets of common protocols
► Displays the network traffic in a human-readable format
Some of its uses
► Troubleshoot network problems
► Learn network protocol internals
► Debug protocol/program implementations
► Examine network-related security issues
Wireshark Startup
Screen Layout of Wireshark
Packet List: the summary line, briefly describing what the packet is.
Packet Details: a protocol tree is shown in detail, allowing you to drill down into the layer of interest.
Packet Bytes: shows what the packet looks like when it goes over the wire.
Filename of the current file
Menu
Basic UI Options (1/2)
Change columns in the packet list to see the information relevant to you
► Edit -> Preferences ->Columns
Basic UI Options (2/2)
File -> Open
► Opens a packet capture file.
View -> Time Display Format
► Change the format of the packet timestamps in the packet list pane
► Switch between absolute and relative timestamps.
► Change level of precision.
View -> Name Resolution
► Allow Wireshark to resolve names from addresses at different protocol layers
Enable Protocols
Packet Capture
Capture -> Interfaces
► Available network interfaces for capture
► Total packets per interface
► Packet rate per interface
Capture Options (1/2)
Capture Options (2/2)
Specify the interface to be monitored
Record all traffic, even traffic not addressed to this host
Capture only part of each packet
Store the result in a file
Automatic stop condition
Capture only certain packets
Start Capturing
Stop Capturing
Display Packet Captured
Frame #
Ethernet Header
Destination MAC Address field in the Ethernet header
Individual Packet Analysis
Packet Details
► Detailed information about the currently selected packet is displayed in the packet details pane
► All packet layers are displayed in the tree menu
► Any portion of any layer can be exported via a right click and selecting Export Selected Packet Bytes
Packet Bytes
► Displays the raw packet bytes
► The selected packet layer is highlighted
Trace Analysis (1/2)
Packet list
► Displays all of the packets in the trace in the order they were recorded
► Columns
Time – the timestamp at which the packet crossed the interface
Source – the originating host of the packet
Destination – the host to which the packet was sent
Protocol – the highest-level protocol that Wireshark can detect
Length – the length in bytes of the packet on the wire
Info – an informational message pertaining to the protocol in the Protocol column
Trace Analysis (2/2)
Packet list
► Default Coloring
Gray – TCP packets
Black with red letters – TCP Packets with errors
Green – HTTP Packets
Light Blue – UDP Packets
Pale Blue – ARP Packets
Lavender – ICMP Packets
Black with green letters – ICMP Packets with errors
► Colorings can be changed under View -> Coloring Rules
Column Sorting
Output is sorted by frame number by default
Output sorted by source address
Conversation List
Saving Packets Captured
Capture Filters
The capture filter syntax follows the rules of the pcap library
This syntax is different from the display filter syntax
Refer to the manual page of tcpdump (http://www.tcpdump.org/tcpdump_man.html)
Sample filters:
► src host 192.168.1.1
► ether src 00:50:BA:48:B5:EF
Capture Filters
A capture filter for HTTP that captures traffic to and from a particular host
► tcp port 80 and host 10.10.10.5
A capture filter for HTTP that captures traffic not to or from a particular host
► tcp port 80 and not host 10.10.10.5
A capture filter for traffic to and from an Ethernet address
► ether host 00:00:01:01:02:22
Display Filters
Comparisons can be written with C-like symbols or with English-like abbreviations:
► eq, == Equal
► ne, != Not equal
► gt, > Greater than
► lt, < Less than
► ge, >= Greater than or equal to
► le, <= Less than or equal to
Display Filters GUI
A quick way to learn display filter commands
Display Filters GUI
Display Filters GUI
Display Filter Examples
Filter examples
► http.request – Display all HTTP requests
► http.request || http.response – Display all HTTP requests and responses
► ip.addr == 127.0.0.1 – Display all IP packets whose source or destination is localhost
► tcp.len < 100 – Display all TCP packets whose data length is less than 100 bytes
► http.request.uri matches "(gif)$" – Display all HTTP requests in which the URI ends with "gif"
► dns.query.name == "www.google.com" – Display all DNS queries for "www.google.com"
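To show what the operator table and the filter examples above actually do to a packet list, here is a small evaluator for that filter language. It is an added example written for this page, not Wireshark's own filter engine; the packets are constructed, already broken into Wireshark-style field names, and `tokenize`, `Parser`, `evaluate` and `apply_filter` are names chosen here. It accepts both spellings of each comparison (`eq`/`==`, `ge`/`>=`, ...), `matches` with a regular expression, `&&`/`and`, `||`/`or`, `not` and parentheses, and it reproduces one Wireshark rule worth knowing: a comparison is true if any occurrence of the field satisfies it, so `ip.addr != 127.0.0.1` still matches packets that merely involve 127.0.0.1, because the other address differs. Note that the filter bar needs straight double quotes, not the typographic quotes a slide editor may substitute.

```python
import operator
import re

# Comparison operators in both spellings the slide lists, plus "matches" (regex search)
OPS = {
    "eq": operator.eq, "==": operator.eq,
    "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt,
    "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge,
    "le": operator.le, "<=": operator.le,
    "matches": lambda value, pattern: re.search(pattern, str(value)) is not None,
}

# Constructed packets (not from a real trace), already dissected into fields.
# ip.addr is a list because the field occurs twice per packet (source and destination).
SAMPLE_PACKETS = [
    {"frame.number": 1, "ip.addr": ["10.10.10.5", "127.0.0.1"], "tcp.len": 45,
     "http.request": True, "http.request.uri": "/logo.gif"},
    {"frame.number": 2, "ip.addr": ["127.0.0.1", "10.10.10.5"], "tcp.len": 512,
     "http.response": True},
    {"frame.number": 3, "ip.addr": ["10.10.10.5", "8.8.8.8"], "udp.length": 40,
     "dns.query.name": "www.google.com"},
    {"frame.number": 4, "ip.addr": ["10.10.10.5", "192.168.1.1"], "tcp.len": 0},
]

_TOKEN = re.compile(r'\s*(\|\||&&|==|!=|>=|<=|[><()!]|"[^"]*"|[A-Za-z_][\w.]*|[\d.]+)')


def tokenize(text):
    """Split a filter into operators, quoted strings, field names and literals."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if not match:
            raise SyntaxError(f"cannot tokenize {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def literal(token):
    if token is None:
        raise SyntaxError("comparison is missing its value")
    if token.startswith('"'):
        return token[1:-1]
    return int(token) if token.isdigit() else token   # "127.0.0.1" stays a string


class Parser:
    """Recursive descent: '||' binds loosest, then '&&', then 'not', then comparisons."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        tree = self.disjunction()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return tree

    def disjunction(self):
        tree = self.conjunction()
        while self.peek() in ("||", "or"):
            self.take()
            tree = ("or", tree, self.conjunction())
        return tree

    def conjunction(self):
        tree = self.atom()
        while self.peek() in ("&&", "and"):
            self.take()
            tree = ("and", tree, self.atom())
        return tree

    def atom(self):
        token = self.take()
        if token == "(":
            tree = self.disjunction()
            if self.take() != ")":
                raise SyntaxError("missing closing parenthesis")
            return tree
        if token in ("!", "not"):
            return ("not", self.atom())
        if token is None or not re.match(r"[A-Za-z_]", token):
            raise SyntaxError(f"expected a field name, got {token!r}")
        if self.peek() in OPS:
            return ("cmp", token, self.take(), literal(self.take()))
        return ("has", token)   # bare field name: "is this field/protocol present?"


def evaluate(tree, packet):
    kind = tree[0]
    if kind == "or":
        return evaluate(tree[1], packet) or evaluate(tree[2], packet)
    if kind == "and":
        return evaluate(tree[1], packet) and evaluate(tree[2], packet)
    if kind == "not":
        return not evaluate(tree[1], packet)
    if kind == "has":
        return tree[1] in packet
    _, field, op, wanted = tree
    if field not in packet:
        return False   # comparing an absent field never matches
    values = packet[field] if isinstance(packet[field], list) else [packet[field]]
    # Wireshark semantics: true if ANY occurrence of the field satisfies the test
    return any(OPS[op](value, wanted) for value in values)


def apply_filter(text, packets=SAMPLE_PACKETS):
    """Return the frame numbers a display filter would keep in the packet list."""
    tree = Parser(tokenize(text)).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

`apply_filter("ip.addr != 127.0.0.1")` returning every frame is the behaviour to remember: to exclude a host, write `not ip.addr == 127.0.0.1` (or `!(ip.addr == 127.0.0.1)`) so the negation applies to the whole comparison rather than to each address separately.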
Follow TCP Stream
Follow TCP Stream
Red: data you sent. Blue: data you received.
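Follow TCP Stream is a reassembly step: Wireshark collects the segments of one conversation, orders each direction by sequence number, discards retransmitted bytes, and shows the two resulting byte streams in the two colours named above. The Python below is an added example of that reassembly, not Wireshark's code; the segments are constructed (one arrives out of order and one is a retransmission), and `follow_stream` is a name chosen here. It also treats a gap in the sequence space as an error rather than silently gluing fragments together, which is the check you want before trusting a reconstructed stream as evidence.

```python
from collections import defaultdict

# Constructed TCP segments (not from a real capture): (src, dst, seq, payload).
# Segment 4 is out of order and segment 5 is a retransmission of segment 2.
SEGMENTS = [
    ("10.10.10.5:40000", "192.168.1.1:80", 1001, b"GET /logo.gif HTTP/1.1\r\n"),
    ("192.168.1.1:80", "10.10.10.5:40000", 5001, b"HTTP/1.1 200 OK\r\n"),
    ("10.10.10.5:40000", "192.168.1.1:80", 1044, b"\r\n"),
    ("10.10.10.5:40000", "192.168.1.1:80", 1025, b"Host: 192.168.1.1\r\n"),
    ("192.168.1.1:80", "10.10.10.5:40000", 5001, b"HTTP/1.1 200 OK\r\n"),
    ("192.168.1.1:80", "10.10.10.5:40000", 5018, b"Content-Length: 3\r\n\r\nGIF"),
]


def follow_stream(segments, client):
    """Reassemble both directions of one TCP conversation by sequence number.

    Returns (client_to_server, server_to_client) as byte strings: the "red" and
    "blue" halves of a Follow TCP Stream window. Out-of-order segments are sorted,
    bytes already seen (retransmissions, overlaps) are dropped, and a hole in the
    sequence space raises so the caller knows the stream is incomplete.
    """
    by_direction = defaultdict(list)
    for src, _dst, seq, data in segments:
        by_direction[src == client].append((seq, data))
    streams = {}
    for from_client, segs in by_direction.items():
        segs.sort()
        out = bytearray()
        next_seq = segs[0][0]          # first byte expected, from the lowest seq seen
        for seq, data in segs:
            if seq > next_seq:
                raise ValueError(f"gap of {seq - next_seq} bytes at seq {next_seq}")
            overlap = next_seq - seq   # bytes of this segment we already have
            if overlap >= len(data):
                continue               # pure retransmission, nothing new
            out += data[overlap:]
            next_seq = seq + len(data)
        streams[from_client] = bytes(out)
    return streams.get(True, b""), streams.get(False, b"")
```

The sort key is the sequence number, so a retransmission with the same sequence number sorts next to its original and is skipped by the overlap check; a partial overlap (a segment that restarts a few bytes earlier than expected) contributes only its new tail.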
Expert Info
Conversations
IO Graphs
Flow Graphs
HTTP Analysis
HTTP Analysis – Load Distribution
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
And there is much, much more which you should explore on your own … Happy Exploring
Improving Wireshark Performance
Don’t use capture filters
Increase your read buffer size
Don’t update the screen dynamically
Get a faster computer
Use a TAP
Don’t resolve names
Some Useful Information
Wireshark
http://www.wireshark.org
TCPDUMP MAN Page
http://www.tcpdump.org/tcpdump_man.html
IP Protocol
http://www.networksorcery.com/enp/protocol/ip.htm
Thank you