Wireshark Workshop Fabio Rosa / Systems Engineer

Wireshark workshop with basic functions and tips for troubleshooting network problems.

Page 1: Workshop Wireshark

Wireshark Workshop

Fabio Rosa / Systems Engineer

Page 2: Workshop Wireshark

What is it?!
- World's most famous network protocol analyzer
- Powerful live capture and display filters
- Used to be called "Ethereal"
- Deep inspection of hundreds of protocols, with more being added all the time
- Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, VxWorks, Android, and much more
- Opens and saves many capture formats: tcpdump (libpcap), Microsoft Network Monitor, and proprietary ones (WildPackets *peek, CA Sniffer, RADCOM, and many others)
- The sponsor, CACE Technologies, was recently acquired by Riverbed. (Don't want to talk about it...)

Page 3: Workshop Wireshark

Agenda:
- Tool introduction
- The Capture Screen
- Performing a simple capture
- Capture options (promiscuous mode, name resolution, buffer size, etc.)
- Display filters
- Sample capture: DNS and HTTP (www.ebay.com)
- Sample capture: ICAP
- Annex A: Handling duplicate packets
- Annex B: Useful websites
- Annex C: HTTP status codes

Page 4: Workshop Wireshark

Introduction
It's a network analyzer! It captures network packets and displays them in as much detail as possible.

Normal (non-promiscuous) capture: only packets addressed to the Wireshark workstation itself (plus broadcast and the multicast groups it has joined).
Good for sniffing traffic to or from the PC or server where Wireshark is installed.

Promiscuous mode: every packet that reaches the network interface.
Good for sniffing communication between multiple devices (e.g. from the proxy, sniff DNS, client, OCS, and so on) and for diagnosing problems.
On a switched network the interface still only receives its own unicast traffic, broadcasts and flooded frames, so for full network visibility capture from a mirrored port (SPAN) or a network TAP.

How does it work? Normally the network interface accepts only frames whose destination MAC is its own address, the broadcast address FF:FF:FF:FF:FF:FF, or a multicast group it has joined, and silently drops frames intended for other devices. In promiscuous mode that destination-address filter is switched off, so every frame on the wire is passed up to the capture driver and parsed.
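The destination-MAC rule above, as an added illustration in Python (not code from the workshop or from Wireshark): it models which frames a non-promiscuous interface hands to the capture driver and what promiscuous mode changes. The capturing host's MAC, the joined multicast group and all frames are constructed for the example.

```python
"""Model of NIC destination-MAC filtering in normal vs. promiscuous mode.

Added illustration, not code from the workshop. Out of promiscuous mode a
NIC passes up only frames addressed to its own unicast MAC, the broadcast
address or a multicast group it has joined; in promiscuous mode it passes
up every frame it receives. Addresses and frames below are constructed.
"""
from typing import FrozenSet, List

BROADCAST = bytes.fromhex("ffffffffffff")
OWN_MAC = bytes.fromhex("001122334455")                      # assumed MAC of the capturing host
JOINED_GROUPS = frozenset({bytes.fromhex("01005e000001")})   # 224.0.0.1 all-hosts, assumed joined


def ethernet_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + ethertype.to_bytes(2, "big") + payload


def is_group_address(mac: bytes) -> bool:
    """The I/G bit, least significant bit of the first octet, marks multicast and broadcast."""
    return bool(mac[0] & 0x01)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool,
                joined: FrozenSet[bytes] = frozenset()) -> bool:
    """Whether the interface hands this frame to the capture driver."""
    if promiscuous:
        return True                                  # destination filter switched off
    dst = frame[0:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    return is_group_address(dst) and dst in joined


def captured(frames: List[bytes], own_mac: bytes, promiscuous: bool,
             joined: FrozenSet[bytes] = frozenset()) -> List[int]:
    """Indexes of the frames a capture on this interface would contain."""
    return [i for i, f in enumerate(frames) if nic_accepts(f, own_mac, promiscuous, joined)]


SAMPLE_FRAMES = [                                            # constructed frames
    ethernet_frame("001122334455", "aabbccddeeff"),          # unicast to the capturing host
    ethernet_frame("ffffffffffff", "aabbccddeeff", 0x0806),  # ARP request, broadcast
    ethernet_frame("01005e000001", "aabbccddeeff"),          # all-hosts multicast (joined)
    ethernet_frame("01005e0000fb", "aabbccddeeff"),          # mDNS multicast (not joined)
    ethernet_frame("665544332211", "aabbccddeeff"),          # unicast between two other hosts
]

if __name__ == "__main__":
    print("normal     :", captured(SAMPLE_FRAMES, OWN_MAC, False, JOINED_GROUPS))
    print("promiscuous:", captured(SAMPLE_FRAMES, OWN_MAC, True, JOINED_GROUPS))
```

The model is deliberately simple (real NICs often accept all multicast or use a hash filter), but the practical point survives: promiscuous mode only removes the interface's own filter. On a switch the last frame in the sample never reaches the port at all, which is why the slide points at SPAN ports and TAPs.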

Page 5: Workshop Wireshark

The Capture Screen (three panes, top to bottom)

- Captured packet list
- Protocol decode (packet details)
- Hex decode (packet bytes)

Page 6: Workshop Wireshark

Simple Capture

Page 7: Workshop Wireshark

Capture Options
- Enable promiscuous mode
- Limit the packet size (snapshot length) if you don't want to analyze the payload (headers only)
- Personalize display options
- Personalize name resolution:
  - MAC: vendor list (very useful)
  - Network: reverse DNS resolution. Do not enable it; it can slow things down, and the lookups are real DNS queries sent from the capturing host for every address seen.
  - Transport: protocol/port name (very useful)
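What the "limit packet size" option leaves on disk, as an added example in Python (not code from the workshop or from Wireshark): a small libpcap writer and reader that truncate each record to the snapshot length while keeping the original frame length in the record header. The frames, addresses and timestamps are constructed for the example; the resulting file can be opened in Wireshark.

```python
"""Writing a libpcap file with a limited snapshot length (snaplen).

Added example (not code from the workshop or from Wireshark). Every pcap
record stores the bytes actually kept (incl_len) next to the length the
frame had on the wire (orig_len), which is why a headers-only capture still
reports true frame sizes. Frames and timestamps are constructed inline.
"""
import struct
import tempfile
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path: str, frames: List[bytes], snaplen: int, start_ts: float = 1_600_000_000.0) -> None:
    """Write frames as a little-endian pcap, truncating each record to snaplen bytes."""
    with open(path, "wb") as fh:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            ts = start_ts + i * 0.001                 # constructed timestamps, 1 ms apart
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            data = frame[:snaplen]                    # the capture engine keeps only snaplen bytes
            fh.write(struct.pack("<IIII", sec, usec, len(data), len(frame)))
            fh.write(data)


def read_pcap(path: str) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Return (snaplen, [(incl_len, orig_len, data), ...]); byte order taken from the magic."""
    with open(path, "rb") as fh:
        endian = "<" if fh.read(4) == struct.pack("<I", PCAP_MAGIC) else ">"
        _major, _minor, _tz, _sig, snaplen, _link = struct.unpack(endian + "HHiIII", fh.read(20))
        records = []
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                break
            _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
            records.append((incl_len, orig_len, fh.read(incl_len)))
    return snaplen, records


def make_frame(payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with payload_len payload bytes (checksums left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("665544332211") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40001, 8080, 1, 1, 0x50, 0x18, 65535, 0, 0)   # PSH/ACK
    return eth + ip + tcp + bytes(payload_len)


HEADERS_ONLY = 14 + 20 + 20      # Ethernet + option-less IPv4 + option-less TCP


def headers_only_demo(snaplen: int = HEADERS_ONLY) -> List[Tuple[int, int]]:
    """Write three frames, read them back and return (incl_len, orig_len) per record."""
    frames = [make_frame(n) for n in (0, 100, 1400)]
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/headers_only.pcap"
        write_pcap(path, frames, snaplen)
        stored_snaplen, records = read_pcap(path)
    assert stored_snaplen == snaplen
    return [(incl, orig) for incl, orig, _ in records]


if __name__ == "__main__":
    for incl, orig in headers_only_demo():
        print(f"kept {incl:4d} of {orig:4d} bytes")
```

54 bytes covers only option-less IPv4 and TCP headers; allow more when VLAN tags, IP or TCP options, or IPv6 are in play, otherwise the transport header itself gets cut and Wireshark flags the packet as malformed.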

Page 8: Workshop Wireshark

Display Filters
Use the filter box to enter the filter expression.

The expressions can be saved in the filter profile for future use.

Page 9: Workshop Wireshark

Display Filters (cont.)
Filter expression examples (field names are lowercase and case-sensitive):

Ethernet:            eth.addr == <mac>   eth.src == / eth.dst == <mac>   vlan.id == <id>
Internet Protocol:   ip.addr == <ip>     ip.src == / ip.dst == <ip>      ip.dsfield == 0x00
TCP:                 tcp.flags.syn / tcp.flags.ack / tcp.flags.fin == 0 or 1
Application or protocol:  http, dns, icap, icmp, socks, ... (a bare protocol name matches every packet that contains that protocol)

If a protocol is being decoded by the wrong dissector (for example a service running on a non-standard port), you can change it with the "Decode As..." option.

TIP
- You can see the whole list of field names using the "Expression" box on the toolbar
- It is possible to search the options using the "/" key
- Use Boolean operators (and, or, not; also written &&, ||, !) and parentheses to combine expressions
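The filter semantics on this slide (field == value, two-valued fields such as ip.addr, and/or/not, parentheses, bare protocol names), as an added example in Python that is not code from the workshop or from Wireshark. It dissects a handful of constructed Ethernet/IPv4/TCP frames (MACs, addresses and ports are invented for the example) and evaluates filter strings against them. The toy engine only knows the fields its dissector produces and treats unknown names as absent, whereas Wireshark rejects them.

```python
"""Miniature display-filter engine over Ethernet/IPv4/TCP frames (added example,
not code from the workshop or from Wireshark). dissect() yields Wireshark-style
field names; Filter evaluates ==, !=, and/or/not and parentheses over them."""
import re
import struct
from typing import Dict, List


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame, no payload, checksums left at 0."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def dissect(frame: bytes) -> Dict[str, object]:
    """Field values for a frame; two-valued fields (eth.addr, ip.addr, tcp.port) hold a set."""
    eth_dst, eth_src = (":".join(f"{x:02x}" for x in frame[o:o + 6]) for o in (0, 6))
    f = {"eth.dst": eth_dst, "eth.src": eth_src, "eth.addr": {eth_dst, eth_src}}
    if frame[12:14] != b"\x08\x00":                  # not IPv4
        return f
    src_ip, dst_ip = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    f.update({"ip": True, "ip.src": src_ip, "ip.dst": dst_ip, "ip.addr": {src_ip, dst_ip},
              "ip.dsfield": frame[15]})
    if frame[23] != 6:                               # not TCP
        return f
    t = 14 + (frame[14] & 0x0F) * 4                  # TCP header follows the IPv4 header (IHL)
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    flags = frame[t + 13]
    f.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": {sport, dport},
              "tcp.flags.fin": flags & 1, "tcp.flags.syn": (flags >> 1) & 1,
              "tcp.flags.rst": (flags >> 2) & 1, "tcp.flags.ack": (flags >> 4) & 1})
    return f


TOKEN = re.compile(r"==|!=|&&|\|\||[()!]|[0-9a-f]{2}(?::[0-9a-f]{2}){5}|\d+\.\d+\.\d+\.\d+"
                   r"|0x[0-9a-f]+|\d+|[a-z_][\w.]*", re.I)
WORDS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!="}     # textual aliases


def tokenize(expr: str) -> List[str]:
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):   # anything the regex skipped is a syntax error
        raise ValueError(f"cannot tokenize filter: {expr!r}")
    return [WORDS.get(t.lower(), t) for t in toks]


def literal(tok: str):
    """Comparison value: hex or decimal integer, otherwise an address string."""
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    return int(tok) if tok.isdigit() else tok.lower()


class Filter:
    """Recursive descent, lowest precedence first: or -> and -> not -> comparison | presence | ( )."""
    def __init__(self, expr: str):
        self.toks, self.i = tokenize(expr), 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]                 # IndexError on a truncated filter
    def matches(self, fields: Dict[str, object]) -> bool:
        self.i = 0
        result = self._binary(fields, 0)
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result
    def _binary(self, f, level):                     # level 0: ||-chain of &&-chains; level 1: &&-chain
        term = (lambda: self._binary(f, 1)) if level == 0 else (lambda: self._not(f))
        v = term()
        while self._peek() == ("||", "&&")[level]:
            self._take()
            w = term()                               # always parse the right side to consume its tokens
            v = (v or w) if level == 0 else (v and w)
        return v
    def _not(self, f):
        if self._peek() == "!":
            self._take()
            return not self._not(f)
        return self._primary(f)
    def _primary(self, f):
        tok = self._take()
        if tok == "(":
            v = self._binary(f, 0)
            if self._take() != ")":
                raise ValueError("expected ')'")
            return v
        if not re.fullmatch(r"[a-z_][\w.]*", tok, re.I):
            raise ValueError(f"expected a field name, got {tok!r}")
        if self._peek() not in ("==", "!="):
            return tok in f                          # bare field name is a presence test ("tcp")
        op, want = self._take(), literal(self._take())
        have = f.get(tok)
        values = have if isinstance(have, set) else ({have} if have is not None else set())
        return (want in values) if op == "==" else (want not in values)


PROXY, CLIENT, DNS = "192.168.1.10", "192.168.1.50", "192.168.1.1"     # constructed addresses
SAMPLE = [                                                           # constructed frames
    build_frame("aabbccddeeff", "001122334455", CLIENT, PROXY, 40001, 8080, 0x02),  # client SYN
    build_frame("001122334455", "aabbccddeeff", PROXY, CLIENT, 8080, 40001, 0x12),  # proxy SYN/ACK
    build_frame("aabbccddeeff", "001122334455", CLIENT, PROXY, 40001, 8080, 0x10),  # client ACK
    build_frame("001122334455", "665544332211", PROXY, DNS, 53001, 53, 0x02),       # proxy -> DNS/TCP SYN
]


def apply_filter(expr: str, frames: List[bytes] = SAMPLE) -> List[int]:
    """Indexes of the frames that match a display filter, like Wireshark's packet list."""
    flt = Filter(expr)
    return [i for i, fr in enumerate(frames) if flt.matches(dissect(fr))]
```

Two details carry over to real Wireshark. A field that occurs twice in a packet (ip.addr, eth.addr, tcp.port) matches when either value matches. And `!=` is evaluated here as "no value is equal", which is what Wireshark has done since 3.6; in the 1.x versions this workshop was written for, `ip.addr != x` meant "some value is not x" and therefore matched almost every packet, so write `!(ip.addr == x)` there.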

Page 10: Workshop Wireshark

Display Filters (cont. 2)
You can create filters from a field selected directly in the packet details pane (right-click on the field):

- Apply as Filter: the filter is built from the selected field and applied immediately.
- Prepare a Filter: the filter expression is only written into the "Filter" bar at the top, so you can edit it before applying it.
- Colorize with Filter: the packets matched by the filter are colorized with custom colors.

Page 11: Workshop Wireshark

Sample Capture #1
- Capture: open www.ebay.com in the browser
- Open Summary (check throughput, size, packets)
- Select "Follow TCP Stream"
- Configure "Manually Resolve Address"
- Configure the "Delta Time" column and check the server response time
- Show "Statistics > Endpoints"
- Show "Statistics > Conversations"
- Show "Statistics > IO Graphs"
- Extract HTTP objects from the capture: "File > Export > Objects > HTTP"

Page 12: Workshop Wireshark

Sample Capture #2
- Open the capture with the ICAP example
- Check origin and destination addresses
- Configure "Manually Resolve Address" for the proxy, the AV server and DNS
- Create a display filter for ICAP traffic only
- Check the server response time in the "Delta Time" column
- Select a session and "Follow TCP Stream"
- Open Summary (check throughput, size, packets)
- Check server requests, responses and health checks
- It is also possible to retrieve HTTP objects from an ICAP connection

Page 13: Workshop Wireshark

Annex A: Duplicate Packets

Duplicate packets due to network retransmission
If a sending host believes a packet was not delivered (packet loss), it retransmits that packet. If the receiving host already got the first copy, it now receives a second one, which is a duplicate packet from the application's point of view.

To hide these packets use the display filter:
not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission
This only hides them from the packet list. Retransmissions are also the evidence of packet loss, so keep them visible when the problem you are diagnosing is a slow transfer.

Duplicate packets due to a routing or switching loop
Exact, byte-for-byte copies of a frame are seen when sniffing through a mirrored (SPAN) port or a network TAP, for example when the SPAN session mirrors both ports of the same conversation, or when a loop carries the same frame past the sensor twice. Use "editcap.exe" in %ProgramFiles%\Wireshark\ (editcap on other platforms) to remove them.
Example: editcap -d capture.pcap dedup.pcap
editcap -d drops a packet that is identical to one of the previous 5 packets; editcap -D <n> changes the size of that window, and editcap -w <seconds> compares within a time window instead.
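The editcap -d behaviour above, as an added example in Python (not Wireshark's own code): a sliding window of recently read frames, compared by full content, so that back-to-back copies from a mirror session are dropped while a genuine later repeat survives. The frames are constructed stand-ins.

```python
"""Removing exact duplicate frames the way editcap -d does (added example,
not Wireshark's code; the frames are constructed)."""
from collections import deque
from typing import List, Tuple


def dedup(frames: List[bytes], window: int = 5) -> Tuple[List[bytes], List[int]]:
    """Drop frames byte-identical to one of the previous `window` frames read.

    Models editcap -d / -D <window>: recently read frames (duplicates included)
    are kept in a sliding window and compared by full content, so a repeat that
    arrives later than the window is kept. Returns (kept frames, dropped indexes).
    """
    recent: deque = deque(maxlen=window)
    kept, dropped = [], []
    for i, frame in enumerate(frames):
        if frame in recent:
            dropped.append(i)
        else:
            kept.append(frame)
        recent.append(frame)              # every frame enters the window, duplicates too
    return kept, dropped


def frame(tag: str) -> bytes:
    """Constructed stand-in for a frame: a fixed Ethernet header plus a distinguishing payload."""
    return bytes.fromhex("001122334455" "665544332211" "0800") + tag.encode()


# A mirror session that duplicates some frames back-to-back (the second A and
# the A after C), plus a genuine repeat of A much later that the window keeps.
SAMPLE = [frame(t) for t in "AABCADEFGHA"]


def dedup_demo(window: int = 5) -> Tuple[int, List[int]]:
    """Number of frames kept and the indexes dropped for the constructed sample."""
    kept, dropped = dedup(SAMPLE, window)
    return len(kept), dropped


if __name__ == "__main__":
    print(dedup_demo())
```

Two caveats when using the real tool. Retransmissions are not removed by -d, because a retransmitted segment usually differs at least in its IP ID or TCP timestamp option and is therefore not byte-identical; use the display filter above for those. And copies captured on both sides of a router differ in their MAC headers, so they are not identical either; editcap -I <bytes> ignores that many leading bytes when comparing.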

Page 14: Workshop Wireshark

Annex B: Useful Websites
Download Wireshark: www.wireshark.org (this workshop was created using version 1.6.0)

Capture examples: http://wiki.wireshark.org/SampleCaptures
The SampleCaptures page on the Wireshark wiki has a good list of example captures.

http://packetlife.net/captures/ One of the greatest IT/Telecom blogs; it offers great capture examples and network posters with protocol details.

Page 15: Workshop Wireshark

Annex C - HTTP Status Codes
1xx - Informational
2xx - Success: 200 OK
3xx - Redirection: 300 Multiple Choices, 301 Moved Permanently, 302 Found, 304 Not Modified, 307 Temporary Redirect
4xx - Client Error: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 407 Proxy Authentication Required, 410 Gone
5xx - Server Error: 500 Internal Server Error, 501 Not Implemented, 503 Service Unavailable
Note: 550 "Permission denied" is not a standard HTTP status code (it is an FTP/SMTP reply code); if it appears in an HTTP response it is specific to that server.

Page 16: Workshop Wireshark

Questions?