Lab: Introduction to Network Analysis with Wireshark

KU EECS 780 – Communication Networks Laboratory – Introduction to Protocol Analysis with Wireshark
© James P.G. Sterbenz
ITTC
Communication Networks Laboratory
The University of Kansas EECS 780
Introduction to Protocol Analysis with Wireshark
Trúc Anh N. Nguyễn,
Egemen K. Çetinkaya, Mohammed Alenazi and
James P.G. Sterbenz
Department of Electrical Engineering & Computer Science
Information Technology & Telecommunications Research Center
The University of Kansas
malenazi@ittc.ku.edu
jpgs@eecs.ku.edu
http://www.ittc.ku.edu/~jpgs/courses/nets
24 August 2015
rev. 15.0
© 2004–2015 James P.G. Sterbenz
Protocol Analysis with Wireshark
Outline
L1.0 EECS 780 laboratory outline
L1.1 Motivation and overview
L1.2 Wireshark installation and use
L1.3 Protocol analysis examples
L1.4 Getting started
24 August 2015
KU EECS 780 – Comm Nets – Wireshark Lab
L1.0 EECS 780 Laboratories
EECS 780 Laboratories
Semester Outline
• Wireshark labs
– throughout semester, intuitive, based on textbook
• Wiki and web authoring
– requires EECS, KU, or ITTC account
• Socket programming
– relatively simple lab to demonstrate socket concepts
• Network simulation
– lab to introduce network simulation
• Hands-on network performance evaluation
– configure Cisco router, utilise open source tools
• Others if time permits
– programmable networks using GpENI testbed
L1.1 Motivation and Overview
Motivation and Overview
Introduction (1)
• Wireshark is a network protocol analyzer
– www.wireshark.org
• First released in 1998 by Gerald Combs as Ethereal
– many contributors around the world
• Open source and free software
• Graphical alternative to tcpdump
Motivation and Overview
Introduction (2)
• Powerful tool for network troubleshooting
• Sniffs and captures live traffic
• Filters data for ease of analysis
• Statistics and graphs available
• Used in industry and academia
L1.2 Wireshark Installation and Use
Wireshark Installation
Highlights
• Wireshark can be installed on various platforms
– UNIX, MS Windows, Linux, Mac OS, etc.
• Release cited by these slides: v1.8.4, Nov. 2012 (later releases exist; check wireshark.org)
• System requirements
– section 1.2 of the user's guide at http://www.wireshark.org/docs/wsug_html/
– rule of thumb: fast CPU, and more memory is better
• FAQs and Wiki pages provide more information
Wireshark Installation
Overview
• Installation of Wireshark requires
– downloading the relevant package
• building the source into a binary if the source is downloaded
– installing the binaries to their destinations
– section 2 of the user's guide provides detailed installation instructions:
http://www.wireshark.org/docs/wsug_html/
• Windows installation includes WinPcap
– the packet capture library (the Windows port of libpcap, which tcpdump uses on UNIX/Linux); it installs a kernel driver, so the installer needs administrator rights
• Installation is easy and intuitive
Wireshark Usage
Windows XP Installation (1)
Go to wireshark.org and click on Download Wireshark
Save and run the executable (.exe) file
The installation wizard is intuitive
Wireshark Usage
Windows XP Installation (2)
A pcap library is required to capture low-level network messages: WinPcap for Windows, libpcap for UNIX/Linux
Latest WinPcap release cited here: 4.1.2
Wireshark Installation
Windows XP Installation (3) – installer screenshot
Wireshark Usage
Main Features
• Capturing live traffic
– data can be captured on a wired or wireless medium
• Numerous protocols can be captured and analyzed
• Filtering is essential when dealing with lots of packets
– filters can be applied on protocols, fields, values, etc.
– filtering while capturing is also possible, but note the difference: a capture filter (libpcap/BPF syntax, e.g. tcp port 443) is applied before packets are recorded, so anything it excludes is gone for good; a display filter (Wireshark syntax, e.g. tcp.port == 443) only hides packets from the list and can be changed at any time after the capture
Wireshark GUI
Main Window
The main window consists of, top to bottom:
• menu
• main toolbar
• filter toolbar
• packet list pane
• packet details pane
• packet bytes pane
• status bar
Wireshark Usage
Starting Capture
To capture, go to the Capture menu and select Interfaces…
Start capturing on the interface that has an IP address (the one actually carrying your traffic)
Other ways of capturing are possible
Capturing needs raw network access (administrator on Windows; root or the CAP_NET_RAW/CAP_NET_ADMIN capabilities on Linux); Wireshark's own documentation recommends granting that privilege only to its dumpcap capture helper rather than running the GUI as root, because the dissectors parse untrusted input
Wireshark Usage
Capturing (1)
Once capturing starts, the main window stays blank until data is exchanged on the selected Network Interface Card (NIC)
Wireshark Usage
Capturing (2)
When packets are exchanged on the NIC, they are listed in the main window as they arrive
Wireshark Usage
Stopping Capture
Capturing can be stopped by clicking the “Stop the running capture” button on the main toolbar
Wireshark Usage
Filtering
Filter by entering a protocol name or field name (e.g. tcp, or tcp.flags.syn == 1) in the filter toolbar and clicking the Apply button
Detailed filters can be built by combining expressions with &&, || and ! (the Expression… button lists the available fields and comparison operators)
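The filtering slides above describe the feature from the GUI side. The following added example is not part of the KU slides or of Wireshark itself; it is a small Python model of the pipeline behind the packet list: it writes and reads a classic pcap file, dissects Ethernet/IPv4/TCP into Wireshark-style field names (ip.src, tcp.dstport, tcp.flags.syn, ...) and evaluates a subset of the display-filter language (comparisons, bare field presence, !, &&, ||, parentheses) over a constructed five-frame capture. All MAC and IP addresses, ports and sequence numbers are made up for the example, and checksums are left at zero.

```python
"""Added example (not from the KU slides): a miniature of what Wireshark does between
the capture library and the packet list, to make the capture-filter vs display-filter
distinction concrete.  The 'capture' is a constructed in-memory pcap, not real traffic."""
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
FLAG_BITS = {"fin": 0, "syn": 1, "rst": 2, "psh": 3, "ack": 4, "urg": 5}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def write_pcap(frames):
    """Serialise (timestamp, Ethernet frame) pairs as a little-endian classic libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) from a little-endian libpcap file (what dumpcap/tcpdump write)."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap variant (only LE pcap with Ethernet link type)")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        yield sec + usec / 1e6, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed sample traffic; checksums left at 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def decode(frame):
    """Tiny 'dissector': Ethernet/IPv4/TCP fields under Wireshark-style names."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f = {"frame.len": len(frame), "eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": etype}
    if etype != 0x0800 or len(frame) < 34:
        return f
    vihl, _tos, tlen, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4                          # honour IHL: IP options shift every later offset
    f.update({"ip.src": ".".join(map(str, s)), "ip.dst": ".".join(map(str, d)), "ip.ttl": ttl, "ip.proto": proto})
    l4 = frame[14 + ihl:14 + tlen]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                  "tcp.flags": off_flags & 0x1FF, "tcp.len": len(l4) - (off_flags >> 12) * 4})
        for name, bit in FLAG_BITS.items():
            f["tcp.flags." + name] = (off_flags >> bit) & 1
    return f

def matches(expr, f):
    """Evaluate a display-filter subset: 'field op value', bare field/protocol presence, !, &&, ||, ()."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    def value(tok):                                  # int, hex int, or literal (e.g. an IP address)
        return int(tok, 16) if tok.startswith("0x") else int(tok) if tok.isdigit() else tok
    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            r = expr_or()
            toks.pop(0)                              # closing ')'
            return r
        if toks and toks[0] in OPS:
            op, rhs = toks.pop(0), value(toks.pop(0))
            return tok in f and OPS[op](f[tok], rhs)  # an absent field never matches, as in Wireshark
        return tok in f or any(k.startswith(tok + ".") for k in f)   # bare 'tcp', 'ip', ...
    def expr_and():
        r = atom()
        while toks and toks[0] == "&&":
            toks.pop(0)
            r = atom() and r                         # right side evaluated first so its tokens are consumed
        return r
    def expr_or():
        r = expr_and()
        while toks and toks[0] == "||":
            toks.pop(0)
            r = expr_and() or r
        return r
    return bool(expr_or())

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"            # RFC 5737 documentation address for the 'server'
SYN, SYN_ACK, ACK, RST_ACK = 0x002, 0x012, 0x010, 0x014
SAMPLE_PCAP = write_pcap([                           # constructed: one completed handshake, one refused SSH
    (1.000, tcp_frame(CLIENT, SERVER, 51234, 443, SYN, seq=1000)),
    (1.020, tcp_frame(SERVER, CLIENT, 443, 51234, SYN_ACK, seq=5000, ack=1001)),
    (1.021, tcp_frame(CLIENT, SERVER, 51234, 443, ACK, seq=1001, ack=5001)),
    (1.500, tcp_frame(CLIENT, SERVER, 51235, 22, SYN, seq=2000)),
    (1.510, tcp_frame(SERVER, CLIENT, 22, 51235, RST_ACK, ack=2001)),
])

def select(pcap_bytes, display_filter):
    """Frame numbers (1-based, as in the packet list pane) that a display filter keeps."""
    return [n for n, (_ts, frame) in enumerate(read_pcap(pcap_bytes), 1)
            if matches(display_filter, decode(frame))]
```

`select(SAMPLE_PCAP, "tcp.flags.syn == 1 && tcp.flags.ack == 0")` returns frames [1, 4], the two connection attempts; `"tcp.flags.rst == 1"` returns [5], the refused SSH attempt; `"ip.src == 192.0.2.10 && tcp.dstport > 50000"` returns [2, 5]. The capture-filter side is what this file never contains: had the capture been started with the capture filter `port 443`, frames 4 and 5 would not exist on disk at all, which is why a capture filter during an investigation should be as broad as storage allows and the narrowing left to display filters.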
L1.3 Protocol Analysis and Examples
Protocol Analysis with Wireshark
Protocol Analysis
• Packets/protocols can be analyzed after capturing
• Individual fields in protocols can be easily seen
• Graphs and flow diagrams can be helpful in analysis
Protocol Analysis and Examples
Packet Details Pane
Analysis is performed manually, by expanding the protocol layers of the selected packet
The example shows a TCP segment with the SYN and ACK flag bits set to 1, i.e. the second segment of the three-way handshake (the server's SYN-ACK)
Protocol Analysis and Examples
Packet Bytes Pane
Zooming in or out is possible from the main toolbar
The packet bytes pane consists of offset, hex, and ASCII columns; selecting a field in the details pane highlights the bytes it was decoded from
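The two panes just described are two views of the same bytes. The following added example (not from the KU slides or from Wireshark) reproduces the packet-bytes pane layout in Python and the details-pane link to it: given the constructed SYN+ACK frame below, it locates the TCP Flags field by reading the IPv4 IHL field rather than assuming a 20-byte IP header, names the set flags the way the details pane does, and renders the offset / hex / ASCII dump with that field's bytes marked. The frame's MAC addresses, IP addresses and ports are made up; the IPv4 and TCP checksums are zero.

```python
"""Added example (not from the KU slides): the packet-bytes pane (offset / hex / ASCII)
and the link Wireshark draws to the details pane, where selecting a field highlights its
bytes.  The frame is a constructed Ethernet/IPv4/TCP SYN+ACK, not a real capture."""
import struct

# Constructed sample: 14-byte Ethernet, 20-byte IPv4 (no options), 20-byte TCP with SYN|ACK.
SAMPLE_SYN_ACK = bytes.fromhex(
    "001122334455 66778899aabb 0800"                   # Ethernet: dst MAC, src MAC, type 0x0800 (IPv4)
    "4500 0028 0001 4000 4006 0000 c000020a 0a000005"  # IPv4: IHL 5, len 40, TTL 64, proto 6, 192.0.2.10 -> 10.0.0.5
    "01bb c822 00001388 000003e9 5012 ffff 0000 0000"  # TCP: 443 -> 51234, data offset 5, flags 0x012
)
TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008), ("ACK", 0x010),
             ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100)]

def tcp_flags_span(frame):
    """Byte range [start, end) of the TCP Flags field (the 16-bit word holding data offset,
    reserved bits and the 9 flag bits).  Reads IHL instead of assuming a 20-byte IP header,
    because IP options move every later offset."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    if frame[23] != 6:
        raise ValueError("not a TCP segment")
    tcp = 14 + (frame[14] & 0x0F) * 4
    return tcp + 12, tcp + 14

def flag_names(frame):
    """What the details pane shows for 'Flags': the raw 9-bit value and the set flag names."""
    start, end = tcp_flags_span(frame)
    word = int.from_bytes(frame[start:end], "big") & 0x1FF
    return word, [name for name, bit in TCP_FLAGS if word & bit]

def hexdump(data, highlight=None, width=16):
    """Render like the packet-bytes pane; bytes inside highlight = (start, end) are shown
    in [brackets] where Wireshark would colour them."""
    lo, hi = highlight or (0, 0)
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = "".join(f"[{b:02x}]" if lo <= off + i < hi else f" {b:02x} " for i, b in enumerate(chunk))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:04x} {hexs:<{width * 4}} {text}")
    return "\n".join(rows)

if __name__ == "__main__":
    value, names = flag_names(SAMPLE_SYN_ACK)
    print(f"Flags: 0x{value:03x} ({', '.join(names)})")     # Flags: 0x012 (SYN, ACK)
    print(hexdump(SAMPLE_SYN_ACK, tcp_flags_span(SAMPLE_SYN_ACK)))
```

The Flags field of this frame sits at bytes 46 and 47 (0x50 0x12): 14 bytes of Ethernet, 20 of IPv4, then offset 12 within TCP. With a 24-byte IPv4 header (one option word) the same field moves to bytes 50 and 51, which is why the offset is computed from IHL rather than hard-coded; a hand-written parser that assumes 20 bytes is a classic source of mis-dissection.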
Protocol Analysis and Examples
Statistics – Flow Graph Example
TCP plots and flow graphs are available in the Statistics menu
The example shows a flow diagram of the ping utility (ICMP echo request and echo reply exchange)
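To make the flow-graph slide concrete, the following added example (not from the KU slides or from Wireshark) rebuilds a ping flow graph in Python from already-dissected fields: one lifeline per host in order of first appearance, one labelled arrow per packet, and the two things such a graph is usually read for, the per-request round-trip time and the requests that never received a reply. Replies are matched to requests by the ICMP (identifier, sequence) pair, which is the same key Wireshark's ICMP dissector uses for its "request in" / "reply in" annotations. The packet list is constructed for the example (the reply to sequence 3 is deliberately missing); the addresses are made up.

```python
"""Added example (not from the KU slides): the Statistics > Flow Graph view for a ping
exchange, rebuilt from dissected fields, plus per-request RTT and unanswered requests.
Input is a constructed list of already-dissected packets, not a real capture."""
from collections import namedtuple

Packet = namedtuple("Packet", "time src dst icmp_type icmp_id icmp_seq")
ECHO_REPLY, ECHO_REQUEST = 0, 8                      # ICMP type values

# Constructed sample: four pings from 10.0.0.5 to 192.0.2.10; the reply to seq 3 is lost.
SAMPLE_PING = [
    Packet(0.000, "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 1, 1),
    Packet(0.012, "192.0.2.10", "10.0.0.5", ECHO_REPLY, 1, 1),
    Packet(1.001, "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 1, 2),
    Packet(1.015, "192.0.2.10", "10.0.0.5", ECHO_REPLY, 1, 2),
    Packet(2.002, "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 1, 3),
    Packet(3.003, "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 1, 4),
    Packet(3.011, "192.0.2.10", "10.0.0.5", ECHO_REPLY, 1, 4),
]

def pair_echoes(packets):
    """Match replies to requests by (identifier, sequence).  Returns ({key: rtt_ms}, [unanswered keys]).
    A reply with no outstanding request is ignored rather than paired with anything."""
    pending, rtts = {}, {}
    for p in packets:
        key = (p.icmp_id, p.icmp_seq)
        if p.icmp_type == ECHO_REQUEST:
            pending.setdefault(key, p.time)          # keep the first copy if a request is repeated
        elif p.icmp_type == ECHO_REPLY and key in pending:
            rtts[key] = round((p.time - pending.pop(key)) * 1000, 3)
    return rtts, sorted(pending)

def flow_graph(packets, col=40):
    """Render the exchange the way the Flow Graph window does: one lifeline per host,
    ordered by first appearance, one labelled arrow per packet (left-to-right or back)."""
    hosts = []
    for p in packets:
        for h in (p.src, p.dst):
            if h not in hosts:
                hosts.append(h)
    centre = {h: i * col + col // 2 for i, h in enumerate(hosts)}
    rtts, _ = pair_echoes(packets)

    def put(row, start, text):                       # overlay text on a character row
        row[start:start + len(text)] = list(text)

    header = [" "] * (col * len(hosts))
    for h, c in centre.items():
        put(header, c - len(h) // 2, h)
    rows = [f"{'time':>8} " + "".join(header).rstrip()]
    for p in packets:
        row = [" "] * (col * len(hosts))
        for c in centre.values():
            row[c] = "|"                             # lifelines
        a, b = centre[p.src], centre[p.dst]
        lo, hi = sorted((a, b))
        for x in range(lo + 1, hi):
            row[x] = "-"
        row[hi - 1 if b > a else lo + 1] = ">" if b > a else "<"
        key = (p.icmp_id, p.icmp_seq)
        label = (f" Echo request id={key[0]} seq={key[1]} " if p.icmp_type == ECHO_REQUEST
                 else f" Echo reply id={key[0]} seq={key[1]} rtt={rtts.get(key, '?')} ms ")
        put(row, (lo + hi - len(label)) // 2, label)
        rows.append(f"{p.time:8.3f} " + "".join(row).rstrip())
    return "\n".join(rows)

if __name__ == "__main__":
    print(flow_graph(SAMPLE_PING))
    rtts, lost = pair_echoes(SAMPLE_PING)
    print(f"answered: {len(rtts)}, unanswered (id, seq): {lost}")
```

For the sample above `pair_echoes` reports round-trip times of 12.0, 14.0 and 8.0 ms for sequences 1, 2 and 4 and lists (1, 3) as unanswered; in the rendered graph the missing reply shows up as a request arrow with no returning arrow beneath it, which is exactly the gap one looks for in Wireshark's flow graph when diagnosing loss or a host that filters ICMP.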
L1.4 Getting Started
Getting Started
Installation and First Lab Exercise
• Install Wireshark
• Go to the student resources web page at
http://www.pearsonhighered.com/pearsonhigheredus/educator/product/products_detail.page?isbn=9780132856201
• Complete the first Wireshark Lab – Getting Started
• Familiarize yourself with Wireshark
Protocol Analysis with Wireshark
Acknowledgements
Some material in these foils comes from the textbook
supplementary materials:
• Kurose & Ross,
Computer Networking:
A Top-Down Approach, 6th ed.
http://kuroseross.com
• http://www.wireshark.org/
• http://www.winpcap.org/