![Page 1: wireshark Hands-On LabSHARK@SHARE wireshark Hands-On Lab Thursday, March 5, 2015 01:45 PM – 02:45 PM Sheraton Seattle, Redwood Session 16752 Matthias Burkhard IBM Germany](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50b1c7534eb240fc5e98c8/html5/thumbnails/1.jpg)
SHARK@SHARE
wireshark Hands-On Lab
Thursday, March 5, 2015, 01:45 PM – 02:45 PM
Sheraton Seattle, Redwood
Session 16752
Matthias Burkhard, IBM Germany
https://ibm.biz/SHARKSHARKatSHARESHARE
Wireshark Lab Demo
03/06/15
• Starting wireshark: Start → Programs → wireshark
– Updating wireshark? No thanks, not now!
Wireshark Lab - Layout
• 3 areas in wireshark: Packet List, Packet Details, Hexview
Wireshark Lab - Statistics → Summary
• Overall Information about the trace file
Wireshark Lab - Display Filter
• Syntax check in the filter bar: green (valid), yellow (accepted, but may not match what you expect), red (invalid)
– Looking for unencrypted TN3270 traffic?
– Filter on the DO TN3270E command sent by the server
– It is always exactly 3 bytes: FFFD28
Wireshark Lab - Statistics → Endpoints
• Find out how many TCP ports the TN3270 server is using
– Check the "Limit to display filter" box
– 4 TCP ports are found sending DO TN3270E commands
– 23, 9923, 8923, 8723
Wireshark Lab - Filter multiple ports
• Filters can combine multiple checks
– Use the 'or' operator to filter on all telnet ports
– 4 TCP ports are found sending DO TN3270E commands
– Notice the number of packets that passed the filter at the bottom of the screen
Wireshark Lab - Save filtered packets
• File → Export Specified Packets
– Creates a new trace file with a subset of the packets
– Use a file name from which you can recognize what the contents are
Wireshark Lab - Comment the trace file
• Allows passing 'meta information' along inside the trace file
• Don't forget to save the comment: File → Save
Wireshark Lab - Statistics – Flow Graph
• Shows all packets along a vertical time line
• Filters can be used to draw the graph in different colors
Wireshark Lab - Follow TCP Stream
• Right-click on any packet of the TCP session
• Follow TCP Stream opens a view of all data exchanged in that session
• It also creates a display filter on tcp.stream
Wireshark Lab - Decode AS
• Use it when the protocol is not what wireshark thinks it is
• 16 03 01 looks like a TLS negotiation packet (content type 16 = Handshake, version 03 01 = TLS 1.0)
– Right-click on any packet → Decode As → "SSL"
Wireshark Lab - Decode AS
• Now all port 23 traffic is mapped to SSL Protocol
• Sessions terminate after an Encrypted Alert
Wireshark Lab - Conversation Filter – IP
• Following a single client's traffic
• Sessions terminate after an Encrypted Alert
• And restart after 2 seconds
Wireshark Lab - Profile TN3270
• Download the profile files to your Personal Configuration Folder
– Its location is shown under Help → About wireshark → Folders
Wireshark Lab - TN3270 Negotiation fails
• Filter on TN3270 Negotiation
Wireshark Lab - Filter on LUName
• Filter on any ASCII string using the contains operator
Wireshark Lab - Filter on single Client
• Very short lived TCP connections
• Closing after TN3270E negotiation fails
Wireshark Lab Reference
• What the TCP payload looks like

Telnet Negotiation
FFFD2E   DO TLS
FFFC2E   WONT TLS
FFFD28   DO TN3270E
FFFB28   WILL TN3270E
FFFA28   SB TN3270E, followed by the subcommand:
         00 Associate
         01 Connect
         02 DevType
         03 Functions
         04 Is
         05 Reason
         06 Reject
         07 Request
         08 Send

Keepalive Probes
FFFB06   WILL TIMEMARK
FFFC06   WONT TIMEMARK
FFFD06   DO TIMEMARK

SSL/TLS Records (vv = minor version byte, xxxx = record length, yy = handshake message type)
8055010301       SSLv2 ClientHello, version 3.1
14 ChangeCipherSpec   1403vv 0001 01
15 Alert              1503vv xxxx
16 Handshake          1603vv xxxx yy
   vv: 00 SSL3.0, 01 TLS1.0, 02 TLS1.1, 03 TLS1.2
   yy: 01 ClientHello, 02 ServerHello, 0B Certificate, 0E ServerHelloDone, 10 ClientKeyExchange
17 Application Data   1703vv xxxx      Encrypted ApplData
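The byte patterns in this reference table are what the display-filter slide (FFFD28 = DO TN3270E), the Endpoints slide (which server ports send it) and the Decode As slide (16 03 01 = a TLS handshake record) rely on. The following decoder is an added example, not part of the lab deck or of Wireshark: it reads the first bytes of a TCP payload and names the Telnet negotiation commands or the TLS record it finds, so a trace can be triaged the same way outside the GUI. The function names, the SAMPLE_SEGMENTS list with its port numbers and payloads, and the device-type string are all constructed for this example.

```python
# Added example, not from the SHARE lab deck: decode the Telnet negotiation
# and TLS record bytes tabulated on the reference slide. Sample payloads are
# constructed for illustration; function names are this example's own.
from __future__ import annotations

IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
NEG_VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTIONS = {0x06: "TIMEMARK", 0x28: "TN3270E", 0x2E: "TLS"}   # option codes on the slide
TN3270E_SUBCMDS = {0: "Associate", 1: "Connect", 2: "DevType", 3: "Functions",
                   4: "Is", 5: "Reason", 6: "Reject", 7: "Request", 8: "Send"}
TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello", 0x0B: "Certificate",
                   0x0E: "ServerHelloDone", 0x10: "ClientKeyExchange"}


def parse_telnet_negotiation(payload: bytes) -> list[str]:
    """One readable entry per IAC command in a Telnet payload (FF FD 28 -> 'DO TN3270E')."""
    out: list[str] = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            i += 1                                  # ordinary data byte
            continue
        if i + 1 >= n:
            out.append("IAC (truncated)")
            break
        cmd = payload[i + 1]
        if cmd == IAC:                              # IAC IAC escapes a literal 0xFF
            i += 2
        elif cmd in NEG_VERBS:                      # WILL/WONT/DO/DONT are always 3 bytes
            if i + 2 >= n:
                out.append(f"{NEG_VERBS[cmd]} (truncated)")
                break
            name = OPTIONS.get(payload[i + 2], "option 0x%02x" % payload[i + 2])
            out.append(f"{NEG_VERBS[cmd]} {name}")
            i += 3
        elif cmd == SB:                             # subnegotiation runs until IAC SE
            if i + 2 >= n:
                out.append("SB (truncated)")
                break
            opt = payload[i + 2]
            name = OPTIONS.get(opt, "option 0x%02x" % opt)
            end = payload.find(bytes([IAC, SE]), i + 3)
            if end < 0:
                out.append(f"SB {name} (unterminated)")
                break
            body = payload[i + 3:end]
            if opt == 0x28 and body:                # e.g. 02 07 = DevType Request
                words = [TN3270E_SUBCMDS.get(b, "0x%02x" % b) for b in body[:2]]
                out.append("SB TN3270E " + " ".join(words))
            else:
                out.append(f"SB {name} ({len(body)} bytes)")
            i = end + 2
        else:
            out.append("IAC 0x%02x" % cmd)
            i += 2
    return out


def classify_tls_record(payload: bytes) -> str | None:
    """Name the TLS record (or SSLv2 ClientHello) at the start of the payload, else None."""
    # SSLv2: 2-byte length with the high bit set, then message type 1 = CLIENT-HELLO (80 55 01 03 01).
    # 0xFF is excluded because a Telnet IAC byte also has the high bit set.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[0] != IAC and payload[2] == 0x01:
        return "SSLv2 ClientHello"
    if len(payload) < 5:
        return None
    ctype, version = payload[0], (payload[1], payload[2])
    if ctype not in TLS_CONTENT or version not in TLS_VERSIONS:
        return None
    length = int.from_bytes(payload[3:5], "big")   # the xxxx field on the slide
    desc = f"{TLS_CONTENT[ctype]} {TLS_VERSIONS[version]} len={length}"
    if ctype == 0x16 and len(payload) > 5:         # the yy field: handshake message type
        desc += " " + HANDSHAKE_TYPES.get(payload[5], "handshake type 0x%02x" % payload[5])
    return desc


def classify_payload(payload: bytes) -> str:
    """Coarse triage of a segment's first bytes, as the lab does by eye in the hex pane."""
    if not payload:
        return "empty"
    if payload[0] == IAC:                          # Telnet negotiation always starts with IAC
        return "Telnet: " + ", ".join(parse_telnet_negotiation(payload))
    tls = classify_tls_record(payload)
    return "TLS: " + tls if tls else "unknown"


def sends_do_tn3270e(payload: bytes) -> bool:
    """True when a server offers TN3270E in the clear (the lab's 3-byte FF FD 28 filter)."""
    return "DO TN3270E" in parse_telnet_negotiation(payload)


def tn3270e_server_ports(segments: list[tuple[int, bytes]]) -> set[int]:
    """Source ports that sent DO TN3270E: Statistics -> Endpoints limited to the display filter."""
    return {port for port, data in segments if sends_do_tn3270e(data)}


# Constructed sample segments (source port, first payload bytes); not taken from the lab trace.
SAMPLE_SEGMENTS = [
    (23, bytes.fromhex("fffd28")),                                   # DO TN3270E
    (9923, bytes.fromhex("fffd2e")),                                 # DO TLS (server offers START_TLS)
    (8923, bytes.fromhex("fffa280207" + b"IBM-3278-2-E".hex() + "fff0")),  # client DevType Request
    (8723, bytes.fromhex("fffd28fffd06")),                           # DO TN3270E, DO TIMEMARK
    (23, bytes.fromhex("160301002f01")),                             # TLS 1.0 ClientHello record
    (23, bytes.fromhex("1503030020")),                               # an Encrypted Alert record
    (23, bytes.fromhex("8055010301")),                               # SSLv2-style ClientHello
]

if __name__ == "__main__":
    for port, data in SAMPLE_SEGMENTS:
        print(f"port {port:5d}: {classify_payload(data)}")
    print("TN3270E server ports:", sorted(tn3270e_server_ports(SAMPLE_SEGMENTS)))
```

Running it prints one classification per constructed segment and the set of ports that offered TN3270E in the clear, which is the same answer the Endpoints dialog gives when "Limit to display filter" is checked; feeding it real payloads (for example the bytes from Follow TCP Stream) is the intended use.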