8/7/2019 Ashu - Wireshark Notes
1/36
1 Nokia Siemens Networks
For internal use
Packet Capture Basics
Non-Technical Interpretation
Data travels around your network like a train. With a packet sniffer, you get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.
Technical Representation (diagram slide)
Ethereal/Wireshark Application
Open source protocol analyzer, used here for Ethernet based traffic (it also decodes many other link types).
Old name Ethereal, now Wireshark: same tool, new name.
Stand-alone tool for capture and analysis.
GUI (wireshark) and command-line (tshark for capture and decoding, dumpcap for capture only) tools.
Throughout this presentation the snapshots are from Ethereal, but apply as well to Wireshark.
In your projects you should use the latest version, which is here: http://www.wireshark.org/
Wireshark on Windows/Linux and WinPcap
Wireshark displays and analyses the traffic.
Wireshark relies on a packet capture library to capture traffic.
On Linux/Unix, this libpcap library is normally included in the system.
On Windows, we need the open source WinPcap library, http://www.winpcap.org/.
Caveat: WinPcap is no longer maintained; current Wireshark releases for Windows install Npcap (https://npcap.com/) in its place. The layering below is unchanged.

Layer            Windows                                      Linux/Unix
Application      Wireshark application for sniffing packets   Wireshark application for sniffing packets
User space       WinPcap packet capture library               libpcap packet capture library
Kernel space     WinPcap Network Packet Filter (NPF)          Linux Socket Filter (LSF) or
                 device driver                                BSD Packet Filter (BPF)
Drivers          Network Card Drivers                         Network Card Drivers
Hardware         Network Interface Card                       Network Interface Card

A capture filter is compiled into the kernel-space filter (NPF, LSF or BPF), so packets it rejects are never copied to user space; a display filter is applied by Wireshark itself to packets that have already been captured.
View of Ethereal/Wireshark: three panes
Packet List (top pane): one line per captured frame
Packet Details (middle pane): the decoded protocol tree of the selected frame
Packet Bytes (bottom pane): the raw bytes of the selected frame as a hex dump
Packet List columns
No. (packet order in the capture)
Time (time order; seconds since the start of the capture by default)
Source IP
Destination IP
Protocol
Information (Info: one-line summary of the highest-layer protocol decoded)
Packet Details
Breakdown of the Frame, the Packet (IP) and the TCP portion
Source and Destination IP
Source and Destination TCP Ports
Running Ethereal/Wireshark (screenshot slides 10 to 15: starting a capture)
What Ethereal/Wireshark saw (screenshot slides 16 to 20: the captured packets)
Display Packet Filtering (screenshot slides 21 to 22)
Saving Captures
Packet range choices in the Save As dialog: All Packets or a Range of Packets, each either as Captured (everything in the capture) or Displayed (only the packets the current display filter shows).
Naming is critical: put where the capture was taken in the file name. Was it the client? Was it the server? The same conversation looks different from each end (timing, retransmissions, addresses rewritten by NAT), and an unlabelled file cannot be matched to its vantage point later.
After Filter/Save/Open (screenshot slide 25: the saved, filtered capture reopened)
Time Column & Delta
The Time column shows seconds since the beginning of the capture by default; switch it to the delta since the previous captured or previous displayed packet (View > Time Display Format) to spot gaps, retransmission timeouts and slow responses.
FTP Only Filter
The display filter ftp shows only packets dissected as FTP control traffic (port 21); use tcp.port == 21 to keep the TCP handshake as well, and ftp-data for the data connection.
Follow the Stream
Right-click a packet and choose Follow TCP Stream: Wireshark reassembles the payload of that connection in both directions (client and server data in different colours) and sets the display filter to that conversation (tcp.stream eq N in current versions; older versions built it from the addresses and ports, as on the next slide). For a cleartext protocol such as FTP this exposes the commands, responses and credentials in full.
Advanced Display Filtering
Caveat: the display filters differ from the capture filters! Capture filters use libpcap/BPF syntax and are applied in the kernel before a packet is stored (for example: host 207.46.133.140 and port 21); display filters use Wireshark's own field syntax and only hide packets that are already in the capture.
Filter for just that TCP stream:
(ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and (tcp.port eq 21 and tcp.port eq 3511)
Filter for traffic between two hosts:
ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56
Filter for IP traffic and removal of other traffic:
ip and !(nbns) and !(msnms) and !(browser) and !(rip)
Exclude all traffic from and to host 207.46.133.140. This will work:
not ip.addr == 207.46.133.140
Attention, this won't work (in the Ethereal and pre-3.6 Wireshark versions shown here; see the next slide):
ip.addr != 207.46.133.140
For the reasons why, check out the display filter manual (wireshark-filter).
Filtering Out Traffic Of One Address
ip.addr is a multi-valued field: it stands for both ip.src and ip.dst, and a comparison is true if any one of the values satisfies it.
Filters out a.b.c.d:
not ip.addr == a.b.c.d
not (ip.src == a.b.c.d or ip.dst == a.b.c.d)
Does not filter out a.b.c.d (a packet that merely involves a.b.c.d also has another endpoint, so the "not equal" test is true for it too):
ip.addr != a.b.c.d
ip.src != a.b.c.d or ip.dst != a.b.c.d
Note for current versions: since Wireshark 3.6, != means "all values differ", so ip.addr != a.b.c.d behaves like not ip.addr == a.b.c.d; the old "any value differs" test has its own operator, any_ne (spelled ip.addr !== a.b.c.d in Wireshark 4.0 and later). The ip.src != ... or ip.dst != ... form is wrong in every version.
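The rules on this slide, as an added example that is not part of the deck and does not use Wireshark's own filter engine: a small evaluator for the subset of display-filter syntax used in these slides, run over five constructed packets (the FTP stream from the previous slide, an unrelated HTTP exchange, and a second connection to the same server). legacy=True reproduces what ip.addr != X meant in the Ethereal and pre-3.6 Wireshark versions these snapshots come from; the default reproduces Wireshark 3.6 and later. The packets and the evaluator are assumptions for illustration only.

```python
"""Evaluate Wireshark-style display filters to show why 'ip.addr != X' did not exclude X.

Added example; not the slides' code and not Wireshark's parser. Packets are constructed
dicts keyed by Wireshark field names. Multi-valued fields follow the wireshark-filter
manual (ip.addr = {ip.src, ip.dst}, tcp.port = {tcp.srcport, tcp.dstport}):
'==' (any_eq) is true if ANY value matches; '!==' (any_ne) if ANY value differs, which is
what '!=' meant before Wireshark 3.6; '!=' (all_ne, 3.6 and later) if ALL values differ.
legacy=True reproduces the pre-3.6 meaning of '!='.
"""
import re

MULTI = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
OPS = {"==", "eq", "any_eq", "!=", "ne", "all_ne", "!==", "any_ne"}
TOKEN = re.compile(r"\s*(\(|\)|!==|==|!=|&&|\|\||!|[A-Za-z_][\w.]*|[\d.]+)")


def tokenize(expr):
    expr, pos, toks = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError("cannot tokenize: " + expr[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks


class Filter:
    """Recursive-descent evaluator: or_expr -> and_expr -> unary -> comparison."""
    def __init__(self, expr, legacy=False):
        self.toks, self.legacy = tokenize(expr), legacy

    def matches(self, pkt):
        self.i, self.pkt = 0, pkt
        result = self.or_expr()
        if self.i != len(self.toks):
            raise SyntaxError("unexpected token " + self.toks[self.i])
        return result

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def or_expr(self):
        result = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            result = self.and_expr() or result  # operand first, so its tokens are always consumed
        return result

    def and_expr(self):
        result = self.unary()
        while self.peek() in ("and", "&&"):
            self.take()
            result = self.unary() and result
        return result

    def unary(self):
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return not self.unary()
        if tok == "(":
            self.take()
            result = self.or_expr()
            if self.take() != ")":
                raise SyntaxError("missing )")
            return result
        return self.comparison()

    def comparison(self):
        field = self.take()
        if field is None or field in OPS or field in ("(", ")"):
            raise SyntaxError("expected a field name, got %r" % field)
        if self.peek() not in OPS:  # bare name such as 'ip' or 'nbns': is the protocol/field present?
            return any(k == field or k.startswith(field + ".") for k in self.pkt)
        op, value = self.take(), self.take()
        vals = [str(self.pkt[n]) for n in MULTI.get(field, (field,)) if n in self.pkt]
        if op in ("==", "eq", "any_eq"):
            return any(v == value for v in vals)
        if op in ("!==", "any_ne") or (op in ("!=", "ne") and self.legacy):
            return any(v != value for v in vals)  # true whenever the packet has ANY other endpoint
        return all(v != value for v in vals)  # all_ne: identical to 'not (field == value)'


def display_filter(expr, packets, legacy=False):
    """Packet numbers (1-based, as in Wireshark's No. column) that the display filter keeps."""
    f = Filter(expr, legacy)
    return [no for no, pkt in enumerate(packets, 1) if f.matches(pkt)]


# Constructed packets: the FTP stream from the slides, an unrelated HTTP exchange, one more connection.
PACKETS = [
    {"ip.src": "172.17.22.56", "ip.dst": "207.46.133.140", "tcp.srcport": 3511, "tcp.dstport": 21},
    {"ip.src": "207.46.133.140", "ip.dst": "172.17.22.56", "tcp.srcport": 21, "tcp.dstport": 3511},
    {"ip.src": "172.17.22.56", "ip.dst": "10.0.0.5", "tcp.srcport": 3512, "tcp.dstport": 80},
    {"ip.src": "10.0.0.5", "ip.dst": "172.17.22.56", "tcp.srcport": 80, "tcp.dstport": 3512},
    {"ip.src": "172.17.22.56", "ip.dst": "207.46.133.140", "tcp.srcport": 3520, "tcp.dstport": 80},
]

if __name__ == "__main__":
    for expr, legacy in [("not ip.addr == 207.46.133.140", False), ("ip.addr != 207.46.133.140", True),
                         ("ip.addr != 207.46.133.140", False), ("ip.addr !== 207.46.133.140", False)]:
        print("%-32s%-11s keeps %s" % (expr, " [pre-3.6]" if legacy else "", display_filter(expr, PACKETS, legacy)))
```

With legacy=True, ip.addr != 207.46.133.140 keeps all five packets, because each packet has a second endpoint that differs from the host; not ip.addr == 207.46.133.140 keeps only packets 3 and 4, and so does != in 3.6 and later. The same trap applies to every multi-valued field, tcp.port and eth.addr included, so the safe habit is to write exclusions as not field == value regardless of version.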
Summary Info, Protocol Hierarchy, I/O Graphing, HTTP Breakdown
The remaining slides are screenshots of the Statistics menu:
Summary Info (Statistics > Summary, called Capture File Properties in current versions): capture start and stop time, duration, interface, capture filter, and packet and byte counts for captured versus displayed packets.
Protocol Hierarchy (Statistics > Protocol Hierarchy): share of packets and bytes per protocol layer, a quick way to spot protocols that should not be on the network at all.
I/O Graphing (Statistics > I/O Graph): packets or bytes per time interval, optionally one line per display filter, for spotting bursts and gaps.
HTTP Breakdown (Statistics > HTTP): request counts by host and method, response status codes and load distribution.