7/30/2019 Reti di Calcolatori - Slide 21
http://slidepdf.com/reader/full/reti-di-calcolatori-slide-21 1/25
Degree Course in Telecommunications Engineering and Automation Engineering
Computer Networks Course
Lecturers: Giorgio Ventre and Simon Pietro Romano, {giorgio, spromano}@unina.it
Material prepared by: Vittorio [email protected]
Wireshark
(http://www.wireshark.org/)
Introduction
• Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible
• Here are some examples of what people use Wireshark for:
  • network administrators use it to troubleshoot network problems
  • network security engineers use it to examine security problems
  • developers use it to debug protocol implementations
  • people use it to learn network protocol internals
The main window
The "Packet Details" pane
This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane.
The "Packet Bytes" pane
• The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style.
• As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or "." for bytes that are not printable) are displayed.
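As an added example (not part of the original slides), the following Python reproduces the layout of the "Packet Bytes" pane, offset column, hex column and ASCII column with "." for non-printable bytes, over a constructed frame; the frame contents (MAC addresses, IPv4 header with its checksum left at zero, payload) are made up for the example, and `field_bytes` is a hypothetical helper that mimics how selecting a field in the "Packet Details" pane highlights the bytes it covers.

```python
import string

# Constructed sample frame (not captured from a real network): an Ethernet II header,
# a 20-byte IPv4 header (checksum field left as zero) and a short ASCII payload.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"    # destination MAC: broadcast
    "0a1b2c3d4e5f"    # source MAC (made-up, locally administered)
    "0800"            # EtherType: IPv4
    "4500002400004000" "4011" "0000" "c0a80001" "c0a800c7"   # IPv4 header
) + b"GET / HTTP/1.1\r\n"

# Bytes shown as themselves in the ASCII column; everything else becomes "."
# (space is kept, other whitespace such as CR/LF is not).
PRINTABLE = (set(string.printable) - set(string.whitespace)) | {" "}


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes the way the "Packet Bytes" pane does: offset on the left,
    hex bytes in the middle, ASCII (or '.') on the right."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        # pad the hex column so the ASCII column still lines up on a short last row
        lines.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def field_bytes(frame: bytes, offset: int, length: int) -> str:
    """Hex of the bytes a selected field covers (hypothetical helper): selecting a
    field in the "Packet Details" pane highlights exactly this range in the bytes pane."""
    return frame[offset:offset + length].hex()


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_FRAME)))
    # ip.dst sits 16 bytes into the IPv4 header, which starts after the 14-byte Ethernet header
    print("ip.dst bytes:", field_bytes(SAMPLE_FRAME, 14 + 16, 4))
```

Running the block prints four rows of 16 bytes; the first row shows the six 0xff bytes of the broadcast address as dots, and the third row ends with the start of the ASCII payload, which is the same picture the pane gives for a real frame.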
Wireshark features
• Live capture from many different network media
• Import files from many other capture programs
• Export files for many other capture programs
• Many protocol decoders
• Open Source Software
• What Wireshark is not:
  • Wireshark isn't an intrusion detection system
  • Wireshark will not manipulate things on the network, it will only "measure" things from it
Capturing live network data
• The Wireshark capture engine provides the following features:
  • Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...)
  • Stop the capture on different triggers like: amount of captured data, capture time, number of captured packets
  • Simultaneously show decoded packets while continuing to capture
  • Filter packets, reducing the amount of data to be captured
  • Capturing into multiple files while doing a long-term capture, and in addition the option to form a ring buffer of these files, keeping only the last x files, useful for a "very long term" capture
• The capture engine still lacks the following features:
  • Simultaneous capturing from multiple network interfaces (however, you can start multiple instances of Wireshark and merge capture files later)
  • Stop capturing (or doing some other action), depending on the captured data
The "Capture Interface" dialog box
• Description: the interface description provided by the operating system
• IP: the first IP address Wireshark could resolve from this interface
• Packets: the number of packets captured from this interface
• Packets/s: the number of packets captured in the last second
• Stop: stop a currently running capture
• Capture: start a capture on this interface immediately
• Options: open the Capture Options dialog with this interface selected
• Details (Win32 only): open a dialog with detailed information about the interface
• Close: close this dialog box
The "Capture Options" dialog box (1/2)
The "Capture Options" dialog box (2/2)
• Buffer size: enter the buffer size to be used while capturing. This is the size of the kernel buffer which will keep the captured packets until they are written to disk
• Capture packets in promiscuous mode: this checkbox allows you to specify that Wireshark should put the interface in promiscuous mode when capturing
• Limit each packet to n bytes: this field allows you to specify the maximum amount of data that will be captured for each packet
• Capture Filter: this field allows you to specify a capture filter
• File: this field allows you to specify the file name that will be used for the capture file
• Stop Capture... frame:
  • ... after n packet(s)
  • ... after n megabyte(s)
  • ... after n minute(s)
Primitives
• [src|dst] host <host>: this primitive allows you to filter on a host IP address or name
• ether [src|dst] host <ehost>: this primitive allows you to filter on Ethernet host addresses
• gateway host <host>: this primitive allows you to filter on packets that used host as a gateway
• [src|dst] net <net> [{mask <mask>}|{len <len>}]: this primitive allows you to filter on network numbers
• [tcp|udp] [src|dst] port <port>: this primitive allows you to filter on TCP and UDP port numbers
• less|greater <length>: this primitive allows you to filter on packets whose length is less than or equal to (less) or greater than or equal to (greater) the specified length
• ip|ether proto <protocol>: this primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer
• ether|ip broadcast|multicast: this primitive allows you to filter on either Ethernet or IP broadcasts or multicasts
• <expr> relop <expr>: this primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets
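The semantics of the primitives above are easy to get wrong (an undirected `host` or `port` matches either end, `less` and `greater` are inclusive bounds, `port` without `tcp`/`udp` matches both). As an added example that is not part of the slides and not Wireshark's or libpcap's own code, the following Python models a subset of those primitives as predicates over constructed packet summaries, plus the `and`/`or`/`not` composition capture filters allow; the `Packet` fields and the sample traffic are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    """Constructed summary of the fields the primitives look at (not a real capture)."""
    length: int
    ether_src: str
    ether_dst: str
    ip_proto: Optional[str] = None   # "tcp", "udp", "icmp", ... or None for non-IP frames
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


Predicate = Callable[[Packet], bool]


def host(addr: str, direction: str = "") -> Predicate:
    """[src|dst] host <host>: with no direction either address may match."""
    if direction == "src":
        return lambda p: p.ip_src == addr
    if direction == "dst":
        return lambda p: p.ip_dst == addr
    return lambda p: addr in (p.ip_src, p.ip_dst)


def ether_host(mac: str, direction: str = "") -> Predicate:
    """ether [src|dst] host <ehost>: same idea at the Ethernet layer."""
    mac = mac.lower()
    if direction == "src":
        return lambda p: p.ether_src.lower() == mac
    if direction == "dst":
        return lambda p: p.ether_dst.lower() == mac
    return lambda p: mac in (p.ether_src.lower(), p.ether_dst.lower())


def port(number: int, direction: str = "", proto: str = "") -> Predicate:
    """[tcp|udp] [src|dst] port <port>: without a protocol both TCP and UDP match."""
    def pred(p: Packet) -> bool:
        if p.ip_proto not in ("tcp", "udp"):
            return False
        if proto and p.ip_proto != proto:
            return False
        if direction == "src":
            return p.src_port == number
        if direction == "dst":
            return p.dst_port == number
        return number in (p.src_port, p.dst_port)
    return pred


def less(length: int) -> Predicate:
    """less <length>: packet length <= length (the bound is inclusive)."""
    return lambda p: p.length <= length


def greater(length: int) -> Predicate:
    """greater <length>: packet length >= length (the bound is inclusive)."""
    return lambda p: p.length >= length


def ip_proto(name: str) -> Predicate:
    """ip proto <protocol>: match on the IP protocol."""
    return lambda p: p.ip_proto == name


def ether_broadcast() -> Predicate:
    """ether broadcast: destination MAC is the broadcast address."""
    return lambda p: p.ether_dst.lower() == "ff:ff:ff:ff:ff:ff"


# Capture filters join primitives with and / or / not.
def and_(*preds: Predicate) -> Predicate:
    return lambda p: all(f(p) for f in preds)


def or_(*preds: Predicate) -> Predicate:
    return lambda p: any(f(p) for f in preds)


def not_(pred: Predicate) -> Predicate:
    return lambda p: not pred(p)


# Constructed sample traffic: an HTTP exchange, a DNS query and a broadcast ARP request.
SAMPLE = [
    Packet(74, "0a:00:00:00:00:01", "0a:00:00:00:00:02", "tcp", "192.168.10.10", "10.0.0.5", 51000, 80),
    Packet(1514, "0a:00:00:00:00:02", "0a:00:00:00:00:01", "tcp", "10.0.0.5", "192.168.10.10", 80, 51000),
    Packet(90, "0a:00:00:00:00:01", "0a:00:00:00:00:03", "udp", "192.168.10.10", "10.0.0.53", 40000, 53),
    Packet(60, "0a:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"),
]


def apply_filter(pred: Predicate, packets=SAMPLE) -> list:
    """Indices of the packets the capture filter would let into the capture file."""
    return [i for i, p in enumerate(packets) if pred(p)]
```

Note that `host 192.168.10.10 and not port 80` keeps only the DNS packet, while `greater 1514` still matches the 1514-byte frame because the bound is inclusive.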
The "Capture Info" dialog box
This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed
Viewing packets
Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes
Filtering packets while viewing
• Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones. They allow you to select packets by:
  • Protocol
  • The presence of a field
  • The values of fields
  • A comparison between fields
  • ... and a lot more!
• Wireshark provides a simple but powerful display filter language with which you can build quite complex filter expressions. You can compare values in packets as well as combine expressions into more specific expressions
Examples
• ip.addr==192.168.10.10
• eth.addr==ff.ff.ff.ff.ff.ff
• frame.pkt_len > 1500
• ip.len > 43000
• http.request.uri==http://www.repubblica.it
• protocol=tcp
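To make the display filter semantics concrete (a bare protocol or field name is a presence test, `ip.addr` stands for both `ip.src` and `ip.dst`, and a comparison is true if any occurrence of the field satisfies it), here is an added example, not from the slides and not Wireshark's own filter engine: a small parser and evaluator for a subset of the display filter language (`==`, `!=`, `<`, `>`, `<=`, `>=`, `&&`, `||`, `!`, parentheses) run over constructed packets represented as field dictionaries. The field names follow Wireshark's; the packet contents and the `ALIASES` table are assumptions for the example, and the block goes beyond the slide's list by also covering boolean combination and presence tests.

```python
import operator
import re

# A token is an operator, a parenthesis, or a "word" (field name, number, address, URL).
TOKEN_RE = re.compile(r"==|!=|>=|<=|>|<|&&|\|\||!|\(|\)|[^\s()!=<>&|]+")
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# Convenience fields that stand for several underlying fields (assumed subset).
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}


def tokenize(text: str) -> list:
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:   # e.g. a lone '=' is not an operator in this grammar
            raise ValueError(f"bad token at {pos}: {text[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class Parser:
    """expr := conj ('||' conj)* ; conj := unary ('&&' unary)* ;
    unary := '!' unary | '(' expr ')' | field [op value]"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.conj()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.conj())
        return node

    def conj(self):
        node = self.unary()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok in ("!", "not"):
            return ("not", self.unary())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in OPS or tok in (")", "&&", "||"):
            raise ValueError(f"expected a field name, got {tok!r}")
        if self.peek() in OPS:
            return ("cmp", tok, self.take(), self.take())
        return ("has", tok)          # bare field or protocol name: presence test


def field_values(packet: dict, name: str) -> list:
    return [packet[n] for n in ALIASES.get(name, (name,)) if n in packet]


def evaluate(node, packet: dict) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "has":   # field present, or any field of that protocol present
        return bool(field_values(packet, node[1])) or any(k.split(".")[0] == node[1] for k in packet)
    _, name, op, literal = node
    # True if the comparison holds for ANY occurrence of the field in the packet.
    return any(OPS[op](v, int(literal) if isinstance(v, int) else literal)
               for v in field_values(packet, name))


def display_filter(text: str, packets: list) -> list:
    """Indices of the packets the display filter keeps visible in the packet list."""
    tree = Parser(tokenize(text)).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]


# Constructed packets: an HTTP request, its 1514-byte reply, and a broadcast ARP frame.
SAMPLE = [
    {"frame.pkt_len": 200, "eth.src": "0a:00:00:00:00:01", "eth.dst": "0a:00:00:00:00:02",
     "ip.src": "192.168.10.10", "ip.dst": "10.0.0.5", "ip.len": 186,
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.uri": "http://www.repubblica.it"},
    {"frame.pkt_len": 1514, "eth.src": "0a:00:00:00:00:02", "eth.dst": "0a:00:00:00:00:01",
     "ip.src": "10.0.0.5", "ip.dst": "192.168.10.10", "ip.len": 1500,
     "tcp.srcport": 80, "tcp.dstport": 51000},
    {"frame.pkt_len": 60, "eth.src": "0a:00:00:00:00:01", "eth.dst": "ff:ff:ff:ff:ff:ff",
     "arp.opcode": 1},
]
```

The "any occurrence" rule reproduces a well-known Wireshark gotcha: `ip.addr != 192.168.10.10` still matches every IP packet of the exchange, because the other address differs; to exclude the host, write `!(ip.addr == 192.168.10.10)`.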
The "Follow TCP Stream" dialog box (1/2)
• If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it.
• Simply select a TCP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Wireshark Tools menu
The "Follow TCP Stream" dialog box (2/2)
Advanced topics
Packet Reassembling
Some protocols spread a chunk of application data across several packets. For some of the network protocols Wireshark knows of, a mechanism is implemented to find, decode and display these chunks of data. Wireshark will try to find the corresponding packets of this chunk, and will show the combined data as additional pages in the "Packet Bytes" pane
Name Resolution
Name resolution tries to resolve some of the numerical address values into a human-readable format
Checksums
Several network protocols use checksums to ensure data integrity. Wireshark will validate the checksums of several protocols, e.g. IP, TCP, ... It will do the same calculation as a "normal receiver" would do, and shows the checksum fields in the packet details with a comment, e.g. [correct] or [invalid, must be 0x12345678] or alike
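The checksum check described above is the receiver's RFC 1071 computation. As an added example (not from the slides and not Wireshark's code), the following Python computes the IPv4 header checksum over a constructed 20-byte header and produces the same kind of annotation, `[correct]` or `[invalid, must be 0x....]`; the header bytes are constructed for the example, and `check_ipv4_header` is a hypothetical helper, not a Wireshark API.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum a sender writes: computed with the checksum field (bytes 10-11) zeroed."""
    return internet_checksum(header[:10] + b"\x00\x00" + header[12:])


def check_ipv4_header(header: bytes) -> str:
    """Annotate the header the way the packet details pane does (hypothetical helper)."""
    ihl = (header[0] & 0x0F) * 4             # header length in bytes, from the IHL nibble
    if ihl < 20 or len(header) < ihl:
        return "[invalid, header truncated]"
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_header_checksum(header[:ihl])
    if stored == expected:
        return "[correct]"
    return f"[invalid, must be 0x{expected:04x}]"


# Constructed 20-byte IPv4 header (192.168.0.1 -> 192.168.0.199, UDP, total length 115)
# whose checksum field already holds the correct value 0xb861.
GOOD_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
# The same header with the last byte of the source address changed, checksum untouched:
# this is what a corrupted or rewritten packet looks like to the receiver.
CORRUPTED_HEADER = GOOD_HEADER[:15] + b"\x02" + GOOD_HEADER[16:]

if __name__ == "__main__":
    print(check_ipv4_header(GOOD_HEADER))         # [correct]
    print(check_ipv4_header(CORRUPTED_HEADER))    # [invalid, must be 0xb860]
```

A receiver can equivalently sum the whole header including the stored checksum and expect 0xFFFF before complementing (`internet_checksum(GOOD_HEADER)` is 0). One caveat when reading these annotations on a capture taken on the sending host: with checksum offloading the NIC fills the field in after the capture point, so outgoing packets can show as invalid in Wireshark while being correct on the wire.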
Statistics
• General statistics:
  • Summary about the capture file
  • Protocol Hierarchy of the captured packets
  • Endpoints, e.g. traffic to and from an IP address
  • Conversations, e.g. traffic between specific IP addresses
  • IO Graphs visualizing the number of packets (or similar) over time
• Protocol specific statistics:
  • Service Response Time between request and response of some protocols
  • Various other protocol specific statistics
The "Protocol Hierarchy" window
Endpoints
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer
Conversations
A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses.
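The three statistics windows introduced above (Protocol Hierarchy, Endpoints, Conversations) are all aggregations over the same per-packet data. As an added example that is not part of the slides and not Wireshark's implementation, the following Python builds all three tables from a constructed list of packet summaries; the packet list and the dictionary layout are assumptions made for the example, and the endpoint and conversation tables are computed at the IP layer.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): IP addresses, frame length in
# bytes, and the protocol stack a dissector would report for the frame.
PACKETS = [
    {"src": "192.168.10.10", "dst": "10.0.0.5",      "len": 74,   "layers": ("eth", "ip", "tcp")},
    {"src": "10.0.0.5",      "dst": "192.168.10.10", "len": 1514, "layers": ("eth", "ip", "tcp", "http")},
    {"src": "192.168.10.10", "dst": "10.0.0.5",      "len": 66,   "layers": ("eth", "ip", "tcp")},
    {"src": "192.168.10.10", "dst": "10.0.0.53",     "len": 90,   "layers": ("eth", "ip", "udp", "dns")},
    {"src": "10.0.0.53",     "dst": "192.168.10.10", "len": 120,  "layers": ("eth", "ip", "udp", "dns")},
]


def protocol_hierarchy(packets: list) -> dict:
    """Packets and bytes per protocol path ("Protocol Hierarchy" window). A frame is
    counted once at every level of its stack, so eth -> ip -> tcp totals nest."""
    counts = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            node = counts[p["layers"][:depth]]
            node["packets"] += 1
            node["bytes"] += p["len"]
    return dict(counts)


def endpoints(packets: list) -> dict:
    """Per-address totals ("Endpoints" window at the IP layer): packets and bytes
    transmitted and received by each address."""
    stats = defaultdict(lambda: {"tx_packets": 0, "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for p in packets:
        stats[p["src"]]["tx_packets"] += 1
        stats[p["src"]]["tx_bytes"] += p["len"]
        stats[p["dst"]]["rx_packets"] += 1
        stats[p["dst"]]["rx_bytes"] += p["len"]
    return dict(stats)


def conversations(packets: list) -> dict:
    """Traffic between each pair of addresses ("Conversations" window). The pair is
    keyed in sorted order so both directions of the exchange land in one row,
    with the bytes split per direction as the window shows them (A -> B, B -> A)."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "bytes_a_to_b": 0, "bytes_b_to_a": 0})
    for p in packets:
        a, b = sorted((p["src"], p["dst"]))
        row = convs[(a, b)]
        row["packets"] += 1
        row["bytes"] += p["len"]
        if p["src"] == a:
            row["bytes_a_to_b"] += p["len"]
        else:
            row["bytes_b_to_a"] += p["len"]
    return dict(convs)


if __name__ == "__main__":
    for path, row in sorted(protocol_hierarchy(PACKETS).items()):
        print("/".join(path), row)
    for addr, row in endpoints(PACKETS).items():
        print(addr, row)
    for pair, row in conversations(PACKETS).items():
        print(" <-> ".join(pair), row)
```

Read together, the tables tell the same story from three angles: 192.168.10.10 sends three packets and receives two, one TCP conversation carries almost all the bytes, and every frame appears under eth and ip before splitting into tcp and udp.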
Service Response Time
• The service response time is the time between a request and the corresponding response. This information is available for many protocols
• Service response time statistics are currently available for the following protocols:
  • DCE-RPC
  • Fibre Channel
  • H.225 RAS
  • LDAP
  • MGCP
  • ONC-RPC
  • SMB
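All of the protocols listed above carry some transaction identifier that lets a response be paired with its request, which is what the statistic is built on. As an added example that is not from the slides and not Wireshark's SRT code, the following Python pairs constructed request/response records by transaction id and reports per-procedure call count, minimum, maximum and average response time in milliseconds, handling the two cases that a real capture produces, a request that is never answered and a response whose request was not captured; the record layout and the sample records are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed request/response records (not from a real capture), in the shape a
# dissector for an RPC-style protocol exposes them: (time in seconds since the
# start of the capture, kind, transaction id, procedure name).
RECORDS = [
    (0.000, "request",  1,  "lookup"),
    (0.004, "request",  2,  "bind"),
    (0.012, "response", 1,  "lookup"),
    (0.020, "request",  3,  "lookup"),
    (0.021, "response", 2,  "bind"),
    (0.045, "response", 3,  "lookup"),
    (0.050, "request",  4,  "lookup"),   # never answered: contributes no sample
    (0.060, "response", 99, "lookup"),   # no matching request in the capture: ignored
]


def service_response_times(records: list):
    """Pair each response with the request carrying the same transaction id and return
    (per-procedure statistics in milliseconds, ids of requests still unanswered)."""
    pending = {}                    # transaction id -> (request time, procedure)
    samples = defaultdict(list)     # procedure -> response times in ms
    for ts, kind, txid, proc in records:
        if kind == "request":
            pending[txid] = (ts, proc)
        elif txid in pending:
            req_ts, req_proc = pending.pop(txid)
            # the procedure of the request wins: a response is attributed to what was asked
            samples[req_proc].append(round((ts - req_ts) * 1000, 3))
    stats = {
        proc: {"calls": len(v), "min": min(v), "max": max(v), "avg": round(mean(v), 3)}
        for proc, v in samples.items()
    }
    return stats, set(pending)


if __name__ == "__main__":
    stats, unanswered = service_response_times(RECORDS)
    for proc, row in stats.items():
        print(f"{proc:8} calls={row['calls']} min={row['min']}ms "
              f"max={row['max']}ms avg={row['avg']}ms")
    print("unanswered requests:", sorted(unanswered))
```

Unanswered requests are worth reporting alongside the statistics rather than silently dropped: a growing set of pending ids is itself a signal (an overloaded or unreachable server, or a capture that only saw one direction of the traffic).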