COMP2322 Lab 1
Introduction to Wireshark
Weichao Li
Jan. 22, 2016
Before the lab
• Review the content of communication architecture.
• Review the TCP/IP model and protocol suite.
• Understand data transfer, layering, and encapsulation/demultiplexing.
Content
• Data capture basics and tools
• Getting started with Wireshark
• Advanced usage
• Traffic and protocol analysis
Packet capture
• Why do we need to capture packets?
– troubleshoot network problems
– examine security problems
– debug protocol implementations
– learn network protocol internals
Existing packet capture tools/sniffers
• Classic tools
– Wireshark (http://www.wireshark.org/)
– tcpdump (http://www.tcpdump.org/)
• Other tools
– Ettercap
– Dsniff
– Ntop
– KISMET
– WinDump
– Tshark
–…
What is Wireshark?
• An open-source network protocol analyzer
– captures network packets
– displays the packet data
• Decodes 1,926 protocols (V2.0.1).
• Supports command-line and GUI interfaces.
• Runs on many platforms, including Windows, OS X, Linux, and UNIX.
• Many online resources
– Wireshark User’s Guide (http://www.wireshark.org/download/docs/user-guide-a4.pdf)
How does Wireshark work?
[Diagram: Wireshark sits on top of a capture library, libpcap on Linux and Winpcap on Windows.]
Libpcap and Winpcap
• Libpcap and Winpcap are libraries for network traffic capture, providing the core functions of packet capturing.
– Linux/Unix -> libpcap
– Windows -> winpcap
• Homepage of libpcap:
– http://www.tcpdump.org/
• Homepage of winpcap:
– http://www.winpcap.org
Tcpdump and Windump
• Tcpdump
– Unix-based command-line tool used to analyze packets
• Includes filtering to capture just the packets of interest
– Homepage: http://www.tcpdump.org/
• Windump
– The Windows version of tcpdump
– Homepage: http://www.winpcap.org/windump/
Tshark
• Also a network protocol analyzer
• Command-line version of Wireshark
• User manual:
https://www.wireshark.org/docs/manpages/tshark.html
Basic usage of Wireshark
• Tip: packet capture needs root / administrator privileges
• Packet capture: select the right interface!
• Save / open trace
Practice 1: my first packet trace
• Y:\Win32\WiresharkPortable_1.4
• Select the right interface.
• Start packet capture for 10 seconds and save the trace.
• Question 1 (2 marks for each part in a question)
– A) How many interfaces have you observed? What are they?
– B) Which interface will you choose and why?
Advanced usage (1): filters
• Capture filters
– Only the packets meeting the rule will be captured and decoded in Wireshark.
– Syntax
• Specify protocols: ip, tcp, udp
• Specify hosts: host, dst, src
• More filters: http://wiki.wireshark.org/CaptureFilters
• Display filters
– Do not affect the captured packets.
– Only determine whether or not some packets are displayed.
– Syntax
• Useful: Follow TCP Stream
• More filters: http://wiki.wireshark.org/DisplayFilters
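As an added example (not part of the lab slides), a small Python evaluator for the capture-filter primitives listed above, so the difference between host, src host, port and tcp port, and the effect of and / or / not, can be checked on packets before they are stored; the packet dicts and addresses are constructed for illustration, and only the primitives named on the slide are covered.

```python
# Added example (not from the lab): evaluates the BPF-style capture-filter
# primitives named on the slide ([src|dst] host ADDR, [tcp|udp] [src|dst] port N,
# ip / tcp / udp) joined by and / or / not, over constructed packet dicts.
FIELDS = {"host": {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]},
          "port": {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}}
_peek = lambda t, k=0: t[k] if k < len(t) else None   # look ahead without consuming
def _binary(t, op, sub):                 # "or" binds looser than "and"
    left = sub(t)
    while _peek(t) == op:
        t.pop(0)
        l, r = left, sub(t)              # bind as defaults so closures do not share l/r
        left = lambda p, l=l, r=r: l(p) or r(p) if op == "or" else l(p) and r(p)
    return left

def _not(t):
    if _peek(t) != "not":
        return _primitive(t)
    t.pop(0)
    inner = _not(t)
    return lambda p: not inner(p)

def _primitive(t):
    proto = side = None
    if _peek(t) in ("tcp", "udp") and _peek(t, 1) in ("port", "src", "dst"):
        proto = t.pop(0)                 # protocol qualifier, e.g. "tcp port 80"
    if _peek(t) in ("src", "dst"):
        side = t.pop(0)                  # direction qualifier, e.g. "dst host X"
    tok = t.pop(0) if t else None
    if tok in FIELDS:                    # host ADDR / port N: either side unless qualified
        value = t.pop(0) if tok == "host" else int(t.pop(0))
        return lambda p: (proto is None or p["proto"] == proto) and any(
            p.get(f) == value for f in FIELDS[tok][side])
    if tok in ("ip", "tcp", "udp") and proto is None and side is None:
        return lambda p: tok == "ip" or p["proto"] == tok   # every sample is IPv4
    raise ValueError("bad primitive: %r" % tok)

def capture(packets, expr):
    """Capture-filter semantics: parse once; packets failing the rule are never stored."""
    t = expr.split()
    rule = _binary(t, "or", lambda t: _binary(t, "and", _not))
    if t:
        raise ValueError("unexpected token: " + t[0])
    return [p for p in packets if rule(p)]
# Constructed sample traffic; 192.0.2.0/24 is the TEST-NET range, not real hosts.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 80},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.5", "sport": 80, "dport": 51000},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 51001, "dport": 53},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.20", "sport": 51002, "dport": 443},
]
```

Display filters use a different syntax (for example http or ip.addr == 10.0.0.5) and are applied to packets that are already stored, so they can be changed after the capture, whereas a capture filter decides before storage and cannot be undone.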
Advanced usage (2)
• Follow a stream.
– Stream: [IP address A, port A, IP address B, port B]
• Adjust the layout and columns.
– Edit -> Preferences
• Statistics
– Summary: general statistics about the current capture file
– Conversations: statistics of the captured conversations
• A conversation is the traffic between two specific endpoints
– Endpoints: traffic statistics of an end host
– IO Graphs: visualizing the number of packets over time
– …
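As an added example (not from the lab slides), the bookkeeping behind Follow Stream, Statistics -> Conversations / Endpoints and IO Graphs, written in Python over a constructed six-packet trace; the addresses, ports, timestamps and lengths are made up for illustration.

```python
# Added example (not from the lab): stream keys, conversation and endpoint
# statistics, and per-second IO-graph bins as Wireshark's Statistics menu
# computes them, run over a constructed trace (TEST-NET addresses).
from collections import Counter, defaultdict

def stream_key(pkt):
    """Direction-independent [IP A, port A, IP B, port B] key of one TCP/UDP stream."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + tuple(sorted([a, b]))

def conversations(packets):
    """Per-stream packet and byte totals, with bytes split by direction (A->B, B->A)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for p in packets:
        key = stream_key(p); s = stats[key]
        s["packets"] += 1; s["bytes"] += p["len"]
        s["a_to_b" if (p["src"], p["sport"]) == key[1] else "b_to_a"] += p["len"]
    return dict(stats)

def endpoints(packets):
    """Per-IP-address totals (each packet counts for both of its endpoints)."""
    pkts, byts = Counter(), Counter()
    for p in packets:
        for ip in (p["src"], p["dst"]):
            pkts[ip] += 1; byts[ip] += p["len"]
    return {ip: {"packets": pkts[ip], "bytes": byts[ip]} for ip in pkts}

def follow_stream(packets, pkt):
    """All packets of the stream that pkt belongs to, in capture order."""
    key = stream_key(pkt)
    return [p for p in packets if stream_key(p) == key]

def io_graph(packets, proto, interval=1.0):
    """Bytes per time bin for one protocol, like an IO Graph with a protocol filter."""
    bins = Counter()
    for p in packets:
        if p["proto"] == proto:
            bins[int(p["ts"] // interval)] += p["len"]
    return dict(sorted(bins.items()))

# Constructed capture: a DNS lookup followed by an HTTP exchange, about 1.5 s long.
TRACE = [
    {"ts": 0.10, "proto": "udp", "src": "10.0.0.5", "sport": 51001, "dst": "192.0.2.53", "dport": 53, "len": 70},
    {"ts": 0.12, "proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 51001, "len": 86},
    {"ts": 0.20, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "len": 74},
    {"ts": 0.25, "proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "len": 74},
    {"ts": 0.30, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "len": 400},
    {"ts": 1.40, "proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "len": 1500},
]
```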
Analyze Web application
• The World Wide Web (WWW) is the most popular Internet application.
• Answer the following questions (Question 2):
– A) What’s the relationship between the Web and HTTP?
– B) What type of protocol does HTTP belong to?
– C) How many application protocols have you captured when accessing a website?
Practice 2: analyze HTTP traffic
• Y:\Win32\WiresharkPortable
• Select the right interface.
• Visit www.polyu.edu.hk.
• Analyze HTTP traffic (Question 3)
– A) What’s your HTTP request method?
– B) What’s your HTTP request version?
– C) What’s the status code in the response? What does it mean?
Practice 2 (cont’d)
• Apply a display filter so that only HTTP packets are shown (Question 4)
– A) How many HTTP requests have been sent to the Web server?
– B) Write down each request (at least 3).
Practice 3
• Try different capture filters (Question 5)
– A) How can I capture only HTTP traffic?
– B) How can I capture only the traffic from/to a specified host?
• Visit http://www.polyu.edu.hk again and analyze the HTTP traffic (Question 6)
– A) What’s your IP address?
– B) What’s the server’s IP address?
• Visit http://www.polyu.edu.hk/test and analyze the HTTP traffic (Question 7)
– A) What’s the difference compared with the last step?
Practice 3 (cont’d)
• Visit http://www.oneprobe.org and analyze HTTP traffic (Question 8)
– A) What’s the difference compared with the previous steps?
– B) How many Web servers have you accessed?
– C) Write down the exact IP addresses of the servers.
– D) Explain what happened in this HTTP session.
Practice 4
• Delete the capture filter
• Start a new capture
• Visit http://hk.yahoo.com/
• When the page is fully loaded, stop capturing
• Compare the throughput of UDP and TCP over time (through Statistics -> IO Graphs)
Practice 5
• Start a new capture
• Visit https://www.google.com.hk
• When the page is fully loaded, stop capturing
• Identify the HTTPS traffic (Question 9)
– A) What’s the default port of HTTPS?
– B) What can you see after applying “Follow TCP Stream”?
– C) Write down the process of how an HTTPS connection is established.
Practice 6
• Visit http://www.facebook.com and analyze HTTP traffic
– Record the IP address of the Facebook server
– Save the trace
• Visit Facebook again at home, and compare the trace with the one obtained on campus (Question 10)
– A) Record the IP address of the Facebook server.
– B) Is the IP address recorded at home the same as the one recorded on campus?
– C) If not, explain why the servers are different.
Further reading
• CDN (content delivery network)
– http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/
Thanks