WIRESHARK Basics

Moshe Haviv January 2010mhaviv2000@gmail.com

2 Contents

What is WIRESHARK? Basic Network Sniffing Display filtering Capture filtering RTP Stream Analysis

3 What is WIRESHARK? WIRESHARK is a Network Packet Analyzer

If installed with WinPcap it can also collect packets from the network

If AirpCap(Not free) installed full USB based 802.11 capture and analysis is possible

The latest WIRESHARK version on December 2009 is 1.2.5

It is an Open Source Software project

4

Who needs/uses WIRESHARK?

Any regular user who wants to know what his/her computer sends to the network and receives from it.

R&D Engineers to debug their protocol implementations Signaling protocols Applications that communicate with other network

devices/applications- send/receive payloads

Network administrators to troubleshoot their networks

Network Security Engineers to discover security breaches and deficiencies

Technical personnel that want to learn the workings of the protocols – Signaling and media-

5

Installing WIRESHARK

Get the latest version from the official site http://www.wireshark.org/

WIRESHARK can be installed as an application or the source code can be downloaded to create a new tailored application

By using LUA,a lightweight scripting language new dissectors, properties can be added http://en.wikipedia.org/wiki/Lua_(programming_language)

6

Basic WIRESHARK features

WIRESHARK supports hundreds of protocols http://www.wireshark.org/docs/dfref/

Live capture and offline analysis Multiplatform support: Windows, Linux, Solaris, MAC Multi-media support: Ethernet, ATM etc. Rich VOIP analysis Captured data browsing in GUI or in TTY mode (TSHARK) R/W many different capture file formats:

tcpdump (libpcap), MS Network Monitor, Network General Sniffer®,RADCOM WAN/LAN Analyzer and many others.

Output can be exported to XML, PostScript® or simple text

7

Platform/Media support table

8

How do we capture packets from the network? Where to connect?

What do we want to capture? Packets entering/going out of our computer

Basic Architecture Packets entering/going out of any network

equipment connected to the networkNetwork Architecture

Once we know where and how to connect the computer with the WIRESHARK installed- Capturing architecture- we can start doing basic capturing

9

Basic Architecture Capturing

In this architecture the signaling and/or media for the communication ends/starts at the WIRESHARK computer

Connect the NIC(s) you want to collect packets from the network

Start WIRESHARK Choose the relevant NIC in WIRESHARK menu Start Collecting packets

10

Network Capturing Architecture

WIRESHARK

11

Network Capture Architecture- Both entities connected to a HUB – Shared Media

Simply start capturing

WIRESHARKHub

12

Network Capture Architecture- Multimedia entity/PC connected to a switch(1)

WIRESHARK

HUB

SWITCH

-Connect WIRESHARK and Network entity to HUB

-Connect HUB to SWITCH with an uplink

-Start Capturing

13

Network Capture Architecture- Multimedia entity/PC both connected to a switch(2)

-Configure port mirroring (spanning) on the switch

-Start capturing

WIRESHARK

SWITCH

14

Basic Network packet capturing-1- When you activate the WIRESHARK you get the following view

15

Basic Network packet capturing -2-

16

Basic Network packet capturing -3-

17

Basic Network packet capturing -4-

18

The GUI can be changed for GUI layout Columns Time format Coloring preferences Field values for specific protocols …….

Different profiles can be defined and saved

WIRESHARK preferences

19

Basic displayed/captured packet manipulations

Forcing a protocol to an unknown protocol packet

Marking a packet or a group of packets Saving all or part of the captured

packets Exporting a trace Printing all or part of the captured

packets

20

21

22 Display filtering

By arranging the display sort field/order changed Sort order of time/packet number Sort order per IP/MAC address of

source/destination Sort order per protocol

By marking specific packets manually By configuring filters for

Address Protocol Protocol field value Frame length String

23

Display filtering- by changing display sort order

24

Display Filter configuration

We will configure simple filters For a specific IP address For a specific protocol For a specific field value of a protocol Compound filters

25

Filter elements

Filter fields (protocol fields)The full list can be found at http://www.wireshark.org/docs/dfref/

Display field comparison operators

Display filters logical operatorsThey are used to build complex filters by combining simple filters

26

Some basic filter field examples

ip.src Source IP address ip.dst Destination IP address ip.addr IP address (source or destination) eth.dst Destination MAC address udp,sip, HTTP,H225,H245………….. H263.dbq, sip.Method, h323.fastStart,

rtp.payload, diameter.User-Name………

27

Filter Comparison operators

English and C-like operators can be used (also mixed)

English operators eq Equal ne Not Equal gt Greater then lt Less then ge Greater then or equal le Less then or equal

C-like operators == != > < >= <=

28

Some simple filter examples

ip.addr == 234.78.12.78 ip.src != 10.0.0.2 sip.Method==REGISTER h263.unrestricted_motion_vector == 0 sip.from.addr ==

"sip:39260722@10.7.0.4“ h245.masterSlaveDetermination

29

How to build filter from the GUI

Type your filter inside the filter toolbar

Click “Apply”

30

How to build filter from the GUI-2-

31

32Filter save-activate

Filters can be saved/edited by clicking the edit/apply filter button

A new window opens

33

Display filter logical operators

These are used to build compound filters from simple expressions

When in doubt use parenthesis before applying the operator

The logical operators can have English or C-like syntax

34

Display filter logical operators (Contd.)

and && Logical and

or || Logical or

xor ^^ Logical XOR

not ! Logical Not

[…] Substring operator

35 Capture filtering

When capturing packets they are stored in temporary files on the computer

We can configure WIRESHARK to capture packets directly to a single or multiple files

For heavy traffic network capturing or long time capturing the file/buffer sizes might overwhelm the computer or might even crash it.

To prevent accumulating huge file/files if we know what we are looking for we should apply capture filtering

36

Capture filtering-2-

WIRESHARK utilizes the libpcap filter language for capture filtering

Details for libpcap can be found at http://www.tcpdump.org/tcpdump_man.html

Any type of display filter can also be defined for capture but with a different syntax and different activation procedure

37

Capture filtering – 3 -

38

Choose the relevant capture filter in “options”

Start capturing

Capture filtering – 4 – Activating capture filter

39

Capture filtering – 5 –

40

Capture filtering – 6 –

41

Capture filter syntax by examples

host 192.168.122.23 Capture packets from/to IP address 192.168.122.23

src host 10.0.0.5Capture packets from IP 10.0.0.5

tcp port 23 and host 10.0.0.5 ether src 00:11:6b:80:47:96 tcp port 23 and not src host 10.0.0.5 ip multicast

42Basic Capture filter syntax

[src|dst] host <host> ether [src|dst] host <ehost> [src|dst] net <net> [{mask <mask>}|{len <len>}] [tcp|udp] [src|dst] port <port> less|greater <length>

43

Statistics and data analysis

We can get graphical or written statistics real-time or from captured file

Statistics per protocol

VOIP pairs visualization

RTP stream analysis

44

Statistics menu –

StatisticsSummary

45

Statistics menu – StatisticsHierarchy Statistics

46

I/O Statistics – Real-time or offline

47

VOIP statistics

StatisticsVOIP

48

VOIP statistics StatisticsVOIP (Contd.)

49

WIRESHARK can identify separate RTP streams

RTP parameters can be retrieved Total RTP packets sent Delay Jitter

RTP Stream Analysis

50

RTP streams – Outline StatisticsRTP Show all Streams

51

RTP streams – Outline StatisticsRTP Show all Streams

Choose one of the streams Analyze

52

53

References and important URLs

http://www.wireshark.org/ http://www.wireshark.org/docs/ http://www.winpcap.org/ http://wiki.wireshark.org/

CaptureSetup/NetworkMedia http://wiki.wireshark.org/Preferences. http://www.wireshark.org/lists/

wireshark-bugs/ http://www.cs.columbia.edu/irt/

software/rtptools/