PACKET ANALYSIS USING WIRESHARK
basaveswar-kureti (CEH) | Twitter: @basaveswark
WHAT IS WIRESHARK?
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
FEATURES
• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text
CAPTURING LIVE TRAFFIC
COLORING RULES
DISPLAY FILTERS
• Filter specific addresses
  ip.addr == 192.168.1.5
  ip.src == 192.168.1.5
  ip.dst == 192.168.1.5
• Filter specific protocols
  dns || http (equivalently: dns or http)
• Filter specific ports
  tcp.port == 443
  udp.port == 1234
• Identify TCP issues and packet loss
  tcp.analysis.flags
• Cleaning up or pruning noise
  !(arp or dns or icmp)
DISPLAY FILTERS (CONTINUED)
• Follow a TCP stream
  tcp.stream eq 32
• DNS queries
  udp contains "facebook"
• HTTP requests/responses
  http.request
  http.response.code == 200
• TCP traffic flags
  tcp.flags.syn == 1
  tcp.flags.reset == 1
• SIP traffic
  sip
  rtp
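Each of the filters above names a specific header field, and some (ip.addr, tcp.port) match either endpoint of a packet. The Python below is an added example, not code from the slides or from the Wireshark project: it decodes a handful of constructed Ethernet/IPv4/TCP/UDP/ICMP frames into a dictionary keyed by Wireshark-style field names, numbers TCP conversations in first-seen order the way tcp.stream does, and evaluates the deck's filters as plain predicates so you can see which frames each one keeps. The function names (parse_frame, assign_streams, apply_filters, FILTERS), the sample addresses (192.168.1.5 from the slides, 198.51.100.10 from the RFC 5737 documentation range), the zeroed checksums and the port-53 heuristic standing in for Wireshark's DNS dissector are all assumptions of the example.

```python
import struct
import ipaddress

# Constructed example (not from the slides): decode frames into Wireshark-style
# field names and evaluate the deck's display filters as plain predicates.
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP/UDP/ICMP into a flat dict whose keys
    mirror Wireshark field names (ip.src, tcp.dstport, tcp.flags.syn, ...)."""
    f = {"frame.len": len(frame), "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if f["eth.type"] == ETHERTYPE_ARP:
        f["arp"] = True
        return f
    if f["eth.type"] != ETHERTYPE_IPV4:
        return f
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes (IHL * 4)
    f.update({"ip": True, "ip.proto": ip[9],
              "ip.src": str(ipaddress.IPv4Address(ip[12:16])),
              "ip.dst": str(ipaddress.IPv4Address(ip[16:20]))})
    l4 = ip[ihl:]
    if ip[9] == PROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        # Low 9 bits of the offset/flags word: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS
        f.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.flags.syn": (off_flags >> 1) & 1,
                  "tcp.flags.reset": (off_flags >> 2) & 1,
                  "tcp.flags.ack": (off_flags >> 4) & 1,
                  "tcp.payload": l4[(off_flags >> 12) * 4:]})
    elif ip[9] == PROTO_UDP:
        sport, dport, _length, _csum = struct.unpack("!HHHH", l4[:8])
        # "udp contains" searches header plus payload, so keep the whole datagram
        f.update({"udp": True, "udp.srcport": sport, "udp.dstport": dport, "udp.bytes": l4})
        if 53 in (sport, dport):        # assumption: port-53 heuristic instead of a DNS dissector
            f["dns"] = True
    elif ip[9] == PROTO_ICMP:
        f["icmp"] = True
    return f


def assign_streams(decoded: list) -> None:
    """Number TCP conversations in first-seen order, the way tcp.stream does."""
    streams = {}
    for f in decoded:
        if f.get("tcp"):
            key = frozenset({(f["ip.src"], f["tcp.srcport"]), (f["ip.dst"], f["tcp.dstport"])})
            f["tcp.stream"] = streams.setdefault(key, len(streams))


# The deck's filters, expressed as predicates over the decoded fields.
FILTERS = {
    "ip.addr == 192.168.1.5": lambda f: "192.168.1.5" in (f.get("ip.src"), f.get("ip.dst")),
    "ip.src == 192.168.1.5": lambda f: f.get("ip.src") == "192.168.1.5",
    "tcp.port == 443": lambda f: f.get("tcp", False) and 443 in (f["tcp.srcport"], f["tcp.dstport"]),
    "tcp.flags.syn == 1": lambda f: f.get("tcp.flags.syn") == 1,
    "tcp.flags.reset == 1": lambda f: f.get("tcp.flags.reset") == 1,
    "tcp.stream eq 0": lambda f: f.get("tcp.stream") == 0,
    'udp contains "facebook"': lambda f: f.get("udp", False) and b"facebook" in f["udp.bytes"],
    "!(arp or dns or icmp)": lambda f: not any(f.get(k) for k in ("arp", "dns", "icmp")),
}


def apply_filters(frames: list) -> dict:
    """Return, for each filter, the indexes of the frames it would keep in the packet list."""
    decoded = [parse_frame(fr) for fr in frames]
    assign_streams(decoded)
    return {name: [i for i, f in enumerate(decoded) if pred(f)] for name, pred in FILTERS.items()}


# --- Constructed sample frames (checksums left zero; enough for field decoding) ---
def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4

def tcp_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload

def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE_FRAMES = [
    ipv4_frame("192.168.1.5", "198.51.100.10", PROTO_TCP, tcp_segment(51000, 443, 0x02)),       # 0: SYN
    ipv4_frame("198.51.100.10", "192.168.1.5", PROTO_TCP, tcp_segment(443, 51000, 0x14)),       # 1: RST+ACK
    ipv4_frame("192.168.1.5", "192.168.1.1", PROTO_UDP,
               udp_datagram(40000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
                            + b"\x08facebook\x03com\x00\x00\x01\x00\x01")),                   # 2: DNS query
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,                             # 3: ARP
    ipv4_frame("192.168.1.5", "192.168.1.1", PROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01"),  # 4: ICMP echo
]

if __name__ == "__main__":
    for name, hits in apply_filters(SAMPLE_FRAMES).items():
        print(f"{name:28s} -> frames {hits}")
```

Running it shows the noise filter keeping only the two TCP frames, ip.addr catching both directions of the 443 conversation while ip.src keeps one, and tcp.stream eq 0 grouping the SYN and the RST that answers it, which is what "Follow TCP Stream" walks through in the GUI.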
DEMO TIME
SOME QUICK SHORTCUTS
USE CASE #1: VOIP CALL RECORDING
USE CASE #2: DNS QUERY
USE CASE #3: TROUBLESHOOTING AN INTERNET ACCESS ISSUE (UNABLE TO ACCESS A PARTICULAR MUSIC SITE)
USE CASE #4: UNDERSTANDING SSL FLOW
APPENDIX