Chappell University™
EFFECTIVELY TEACHING WITH WIRESHARK®
Laura Chappell, laura@chappellu.com
chappellu.com • wiresharktraining.com

Wireshark Techniques
• Wireshark Functionality and Resources
• The “Golden Rules” of Wireshark Analysis
• Key Tasks Everyone Should Learn
  – Capturing Wired/Wireless Traffic
  – Custom Profiles
  – Top Capture Filters
  – Top Display Filters
  – Custom Coloring Rules
  – Finding Problems Using Graphs
  – Using the Wireshark Expert

SECTION 1: WIRESHARK FUNCTIONALITY OVERVIEW

Capturing Traffic
[Figure: Network → WinPcap / AirPcap / libpcap → Capture Filters → Capture Engine]

Opening Trace Files
[Figure: Drive → Wiretap Library]

Processing Packets
[Figure: Capture Engine and Wiretap Library → Core Engine → Dissectors, Plugins, Display Filters → GTK user interface]

Help? Problems?
• Website – www.wireshark.org
• Wiki Page – wiki.wireshark.org
• FAQ – www.wireshark.org/faq.html
• WinPcap – www.winpcap.org
• Mailing Lists – www.wireshark.org/lists.html
• Bug Tracker – bugs.wireshark.org/bugzilla
• Q&A – ask.wireshark.org

General Analyst Resources
• www.wiresharktraining.com – Tips
• www.chappellU.com – info@ (me)
• www.iana.org – Protocol Numbers
• www.ietf.org – the RFCs
• www.wiresharkbook.com – videos/traces
• www.pcapr.net – lots of trace files
• ask.wireshark.org – got questions?

SECTION 2: THE “GOLDEN RULES” OF WIRESHARK ANALYSIS

The Golden Rules
• Capture as close to the complaining user/device as possible
• Know how to capture the packets before you need to (e.g., spanning vs.
  tapping and WLAN capture options)
• Use capture filters sparingly/display filters liberally
• Customize Wireshark (profiles, coloring rules, filters)
• Build a HOT trace file library
• The packets never lie – but they will not tell you why something is happening

SECTION 3: THE KEY TASKS EVERYONE SHOULD MASTER

Let’s Go Live Now
• Capturing Wired/Wireless Traffic
• Using Profiles
• Hot Capture Filters
• Hot Display Filters
• Using Coloring Rules
• Finding Problems Using Graphs
• Using the Wireshark Expert

Wireless Traffic Capture
• You must have an adapter (and driver) that supports promiscuous and monitor mode
• Check out AirPcap Adapters (www.cacetech.com)

WLAN OS/Driver Issues
http://wiki.wireshark.org/CaptureSetup/WLAN
[Figure: display filter vs. capture filter; promiscuous mode vs. monitor mode (rfmon mode); signal]
Promiscuous mode is not the same as monitor mode. Promiscuous mode only makes the adapter pass frames addressed to other stations on the network it is already associated with; monitor (rfmon) mode captures raw 802.11 frames, including management and control frames, on a channel without being associated. Which of the two a given OS/driver combination supports is the issue the wiki page above documents.

Port Spanning or Mirroring
Visibility: the switch copies (spans/mirrors) the traffic of port #3 to port #1, where the analyzer is connected.
[Figure: span port #3 to port #1]

Full Duplex Links
Visibility: a tap on a full-duplex link sees both directions; an aggregator tap merges them onto a single monitor port (which can drop packets if the two directions together exceed that port’s rate).
[Figure: iTap GigaBit Copper Dual Port Aggregator; 10/100BaseT Dual Port Aggregator Tap; 10/100BaseT Port Aggregator Tap; Server]

Using Profiles
• Custom preferences, capture/display filters and coloring rules
• Sample: WLAN Profile

Capture Filters
[Figure: Network → WinPcap / AirPcap / libpcap → Capture Filters → Capture Engine]
Capture filters are applied by the capture library (BPF syntax) before packets reach Wireshark, so anything they drop is never saved; display filters are applied to packets already captured and can be changed at any time.

Hot Capture Filters
• host 10.2.1.3
• port 67 (TCP or UDP)
• tcp port 80
• ether host 00:08:15:00:08:15 (my MAC)
• not ether host 00:08:15:00:08:15 (not me)
• wlan host 00:2A:4B:23:36:2A

Hot Display Filters
• ip.addr == 10.2.0.0/16
• !ip.addr == 10.2.0.0/16 (don’t use !=: ip.addr holds both ip.src and ip.dst, and ip.addr != x is true if either of them differs, so it removes almost nothing; Wireshark 3.6 and later redefined != as !(==), but the negated form works in every version)
• tcp.analysis.flags
• wlan.fc.type_subtype == 8 (beacons only)
• http.response.code > 399 (HTTP errors)
• tcp.options contains 01:01:01:01 (ASA issue)
• ftp.response.arg == "Login incorrect."
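The following Python model is an added example, not part of the deck and not Wireshark code. It evaluates a small subset of the display-filter language over a constructed packet list to show why `!ip.addr == 10.2.0.0/16` and `ip.addr != 10.2.0.0/16` give different results on older Wireshark versions (the `legacy_ne` switch reproduces the pre-3.6 "any value differs" behaviour), and it also accepts CIDR targets the way the deck's filters do.

```python
"""Model of how a Wireshark display filter treats a multi-valued field.
ip.addr carries two values per packet (ip.src and ip.dst), which is why
'ip.addr != X' behaves unexpectedly.  Added teaching example, not Wireshark
code; the packets below are constructed."""

import ipaddress
from typing import Dict, List

# Constructed packets; the analyst wants to hide everything touching 10.2/16.
PACKETS: List[Dict[str, str]] = [
    {"ip.src": "10.2.0.5", "ip.dst": "192.0.2.10"},       # sent by a 10.2/16 host
    {"ip.src": "192.0.2.10", "ip.dst": "10.2.0.5"},       # reply to it
    {"ip.src": "198.51.100.7", "ip.dst": "192.0.2.10"},   # unrelated traffic
    {"ip.src": "10.2.0.5", "ip.dst": "10.2.7.9"},         # both ends in 10.2/16
]


def ip_addr_values(pkt: Dict[str, str]) -> List[str]:
    """ip.addr is a convenience field that matches either ip.src or ip.dst."""
    return [pkt["ip.src"], pkt["ip.dst"]]


def matches(value: str, target: str) -> bool:
    """Compare one address with a literal or a CIDR block (e.g. 10.2.0.0/16)."""
    if "/" in target:
        return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)
    return value == target


def evaluate(expr: str, pkt: Dict[str, str], legacy_ne: bool = True) -> bool:
    """Evaluate 'ip.addr == A', 'ip.addr != A' or '!ip.addr == A' on one packet.

    legacy_ne=True reproduces Wireshark before 3.6, where 'field != A' meant
    "any value differs"; legacy_ne=False reproduces 3.6 and later, where it
    means "no value matches", i.e. the same as '!(field == A)'."""
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:].strip()
    field, op, target = expr.split()
    if field != "ip.addr":
        raise ValueError(f"unsupported field: {field}")
    values = ip_addr_values(pkt)
    if op == "==":
        result = any(matches(v, target) for v in values)
    elif op == "!=":
        if legacy_ne:
            result = any(not matches(v, target) for v in values)
        else:
            result = not any(matches(v, target) for v in values)
    else:
        raise ValueError(f"unsupported operator: {op}")
    return (not result) if negate else result


def select(expr: str, legacy_ne: bool = True) -> List[int]:
    """Indexes of PACKETS that pass the filter."""
    return [i for i, p in enumerate(PACKETS) if evaluate(expr, p, legacy_ne)]


if __name__ == "__main__":
    for expr, legacy in (("ip.addr == 10.2.0.0/16", True),
                         ("!ip.addr == 10.2.0.0/16", True),
                         ("ip.addr != 10.2.0.0/16", True),
                         ("ip.addr != 10.2.0.0/16", False)):
        print(f"{expr:28s} legacy_ne={legacy!s:5s} -> {select(expr, legacy)}")
```

Only packet 2 has no 10.2/16 address, so the negated form returns just [2]; the legacy `!=` returns [0, 1, 2] because packets 0 and 1 each have one address outside the block. The same "any value" logic applies to every multi-occurrence field (tcp.port, eth.addr, dns.qry.name in a multi-question query), so the negated form is the portable habit.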
Using Coloring Rules
• Consider disabling Checksum Errors (with TCP/IP checksum offload, packets sent by the capturing host are copied to the capture before the NIC fills in the checksum, so they are flagged as bad even though they were correct on the wire)

Finding Problems with Graphs
• IO Graph – click on dips
• Advanced IO Graph – count tcp.analysis.retransmission, etc.
• TCP Time/Sequence Graph
• RTT Graph – client’s perspective
• Oh… and use Endpoint Statistics to determine top talkers

Graph Delays and Errors
[Figure: graph screenshot]

Always Check the Expert
[Figure: Expert Infos screenshot]

WRAP-UP
laura@chappellu.com
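As an added example for the Using Profiles and Using Coloring Rules slides above (not from the deck and not Wireshark's own code), the script below writes a Wireshark configuration profile from Python: the cfilters, dfilters and colorfilters files use the plain-text formats Wireshark reads, and the rule names, colours, the disabled checksum rule (written with the modern `*.checksum.status == "Bad"` field names, an assumption to adjust for older versions) and the `profiles_dir` argument are choices made here. Wireshark's own personal configuration folder is shown under Help > About Wireshark > Folders; profiles live in its profiles/ subfolder.

```python
"""Generate a Wireshark configuration profile (cfilters, dfilters,
colorfilters) from Python.  Added example, not Wireshark code.  The filter
lists reproduce the deck's "hot" filters; names, colours and the checksum
rule's field names are assumptions."""

from pathlib import Path
from typing import Dict, List, Sequence, Tuple

# cfilters/dfilters: one rule per line, quoted name followed by the expression.
CAPTURE_FILTERS: List[Tuple[str, str]] = [
    ("My host", "host 10.2.1.3"),
    ("DHCP/BOOTP", "port 67"),
    ("HTTP", "tcp port 80"),
    ("My MAC", "ether host 00:08:15:00:08:15"),
    ("Not my MAC", "not ether host 00:08:15:00:08:15"),
    ("WLAN station", "wlan host 00:2A:4B:23:36:2A"),
]

DISPLAY_FILTERS: List[Tuple[str, str]] = [
    ("Subnet 10.2/16", "ip.addr == 10.2.0.0/16"),
    ("Not subnet 10.2/16", "!ip.addr == 10.2.0.0/16"),
    ("TCP analysis flags", "tcp.analysis.flags"),
    ("WLAN beacons", "wlan.fc.type_subtype == 8"),
    ("HTTP errors", "http.response.code > 399"),
    ("TCP NOP padding (ASA issue)", "tcp.options contains 01:01:01:01"),
    ("FTP login failure", 'ftp.response.arg == "Login incorrect."'),
]

# colorfilters: @name@filter@[bg r,g,b][fg r,g,b] with 16-bit colour components;
# a leading "!" keeps the rule but disables it.  Checksum Errors is disabled
# because checksum offload makes the capturing host's own packets look bad.
RGB = Tuple[int, int, int]
COLOR_RULES: List[Tuple[bool, str, str, RGB, RGB]] = [
    (False, "HTTP errors", "http.response.code > 399", (65535, 0, 0), (65535, 65535, 65535)),
    (False, "TCP analysis", "tcp.analysis.flags", (0, 0, 0), (65535, 24383, 24383)),
    (True, "Checksum Errors",
     'tcp.checksum.status == "Bad" || ip.checksum.status == "Bad" || udp.checksum.status == "Bad"',
     (0, 0, 0), (65535, 24383, 24383)),   # assumed field names (current Wireshark)
]


def filter_lines(pairs: Sequence[Tuple[str, str]]) -> str:
    """Render (name, expression) pairs in cfilters/dfilters format."""
    return "".join(f'"{name}" {expr}\n' for name, expr in pairs)


def color_line(disabled: bool, name: str, expr: str, bg: RGB, fg: RGB) -> str:
    """Render one colorfilters line; background colour comes before foreground."""
    def triple(c: RGB) -> str:
        return "[" + ",".join(str(x) for x in c) + "]"
    return f"{'!' if disabled else ''}@{name}@{expr}@{triple(bg)}{triple(fg)}\n"


def profile_files() -> Dict[str, str]:
    """File name -> content for the profile directory."""
    return {
        "cfilters": filter_lines(CAPTURE_FILTERS),
        "dfilters": filter_lines(DISPLAY_FILTERS),
        "colorfilters": "".join(color_line(*rule) for rule in COLOR_RULES),
    }


def parse_filter_file(text: str) -> List[Tuple[str, str]]:
    """Read a cfilters/dfilters file back into (name, expression) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.startswith('"'):
            continue                       # blank line or comment
        close = line.index('"', 1)
        pairs.append((line[1:close], line[close + 1:].strip()))
    return pairs


def write_profile(profiles_dir: str, name: str = "WLAN") -> Path:
    """Create profiles_dir/<name>/ with the three files; returns the directory."""
    target = Path(profiles_dir) / name
    target.mkdir(parents=True, exist_ok=True)
    for fname, content in profile_files().items():
        (target / fname).write_text(content, encoding="utf-8")
    return target


if __name__ == "__main__":
    import tempfile
    out = write_profile(tempfile.mkdtemp(), "WLAN")   # demo path, not a real profiles dir
    for f in sorted(out.iterdir()):
        print(f"== {f.name} ==\n{f.read_text()}")
```

Point `write_profile` at the real profiles/ folder (or copy the generated directory there) and the profile appears under Edit > Configuration Profiles; keeping the generator in version control gives a team the same filters and colouring rules on every analyst's machine.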