Chapter 4
Packets and Protocols
Using Wireshark
The Wireshark main window
■ Menu bar
■ Tool bar
■ Summary window
■ Protocol Tree window
■ Data View window
■ Filter bar
■ Information field
■ Display information field

Main window components
Menu Bar: A typical application menu bar containing dropdown menu items.
Tool Bar: Contains buttons for some commonly used functions of Wireshark. The Tool Bar icons have tool tips that are displayed when you pause the mouse pointer over them.
Filter Bar: Applies display filters to the Summary window to restrict which packets in the capture are displayed, based on their attributes.
Summary Window: Provides a one-line summary for each packet in the capture.
Protocol Tree Window: Provides a detailed decode of the packet selected in the Summary window.
Data View Window: Provides a view of the raw data (hex and ASCII) in the packet selected in the Summary window.
Information Field: A display area that provides information about the capture or about the field selected in the Protocol Tree window.
Display Information Field: A display area that provides information about the packet count in the current capture.

Summary window components
No.: The frame number within the capture.
Time: The time from the beginning of the capture to the time when the packet was captured (in seconds).
Source: The highest-level source address, frequently the Internet Protocol (IP) address; it can also be the Media Access Control (MAC) address for layer 2 Ethernet protocols, or other address types for other protocols (e.g., Internetwork Packet Exchange [IPX], AppleTalk, and so forth). (See the Wireshark “Name Resolution” sidebar for a discussion of MAC addresses.)
Destination: The highest-level destination address (frequently the IP destination address); it can also be the MAC address for layer 2 Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, and so forth).
Protocol: Typically the highest-level protocol that is decoded. Examples include user-level protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
Info: This field contains information that was determined by the highest-level decode to be useful or informative as part of a summary for this packet.
Summary window example
What does this summary info tell us?

• Protocol tree window
– The fields in this window can be expanded or collapsed
– The 1st line will generally tell you most of what you need, but you can drill down for further detail
– Click on the plus sign to expand
Protocol window example
What does this protocol info tell us?

• Data View Window
– Good place to find usernames and passwords, whenever a protocol sends them in the clear (Telnet, FTP, SMTP, etc.)!

• Filter bar
– Used to build display filters
– Will not accept an invalid display filter (the bar turns red; green means the syntax is valid)
– The filter is not applied until you click Apply (or press Enter)!
• Information field (bottom of capture)
– Displays capture filename and size
• Display information field
– P = Packets (total)
– D = Displayed
– M = Marked

• File menu

Open…: Opens a capture file.
Open Recent: Displays the Open Recent submenu to open a capture file from a list of recently used capture files.
Merge: Merges one or more capture files with the current capture file.
Close: Closes the current capture file.
Save: Saves the current capture file.
Save As…: Saves the current capture file with a different filename/format.
File Set: Displays the File Set submenu for file set information and navigation.
Export: Displays the Export submenu, allowing the portion of the packet highlighted in the Data View window to be exported as a hexadecimal dump.
Print…: Prints the current capture file.
Quit: Quits the Wireshark application.

• There are several save options
– Captured
– Displayed
– Range

• Note that when you save a filtered capture, only the displayed packets are written; all other packets are stripped from the newly saved capture file
– Make sure you do not need these packets! Keep the original, unfiltered capture file as well.

• Wireshark name resolution
– Three modes
• MAC name resolution
– Uses OUI (vendor) names
– The OUI is the first 3 bytes (24 bits) of the MAC address, i.e. the first 6 hex digits
• Network name resolution
– i.e. DNS name resolution; it sends reverse DNS queries of its own, so leave it off on a capture host that should not announce what it is looking at
• Transport name resolution
– Translates port numbers to service names (a guess based on the port, not on the protocol actually in use)
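The two cheap resolution modes above, as an added Python example (not code from the slides or from Wireshark itself): the OUI is taken from the first 3 bytes of the MAC and looked up in a table, and the port-to-name mapping is nothing more than a second table lookup. Both tables are constructed for the example with a handful of real assignments; Wireshark ships the full IEEE registry in its manuf file. The example also handles the case the slide does not mention: a locally administered address (bit 1 of the first byte set, e.g. a randomized Wi-Fi client MAC) has no meaningful vendor, so the lookup has to be skipped rather than guessed.

```python
"""Added example: MAC (OUI) and transport (port) name resolution as Wireshark
performs them, with the checks an analyst should keep in mind. Not code from
the slides or from Wireshark; the tables below are constructed for the example."""

# Constructed OUI table: three real IEEE assignments out of tens of thousands.
OUI_TABLE = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "b8:27:eb": "RaspberryPi",
}

# Constructed services table (same idea as Wireshark's 'services' file).
SERVICES = {(80, "tcp"): "http", (443, "tcp"): "https", (25, "tcp"): "smtp",
            (22, "tcp"): "ssh", (53, "udp"): "domain"}


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def resolve_mac(mac: str) -> str:
    """Render a MAC the way the Summary window does with MAC resolution on:
    vendor prefix plus the remaining 3 bytes, e.g. VMware_ab:cd:ef."""
    raw = parse_mac(mac)
    canon = ":".join(f"{b:02x}" for b in raw)
    first = raw[0]
    # Bit 0 of the first byte set: group address (multicast or broadcast).
    if first & 0x01:
        return "Broadcast" if raw == b"\xff" * 6 else "multicast " + canon
    # Bit 1 set: locally administered. The IEEE registry does not apply, so a
    # vendor name here would be a guess. Randomized client MACs look like this.
    if first & 0x02:
        return "locally-administered " + canon
    oui = ":".join(f"{b:02x}" for b in raw[:3])   # the first 24 bits
    tail = ":".join(f"{b:02x}" for b in raw[3:])
    vendor = OUI_TABLE.get(oui)
    return f"{vendor}_{tail}" if vendor else canon


def resolve_port(port: int, proto: str = "tcp") -> str:
    """Transport name resolution: a table lookup on the port number only.
    It reports what usually runs on the port, not what is on the wire."""
    return SERVICES.get((port, proto.lower()), str(port))


def summary_line(src_mac: str, dst_mac: str, dst_port: int) -> str:
    """A Summary-window style rendering of the resolved fields."""
    return f"{resolve_mac(src_mac)} -> {resolve_mac(dst_mac)} {resolve_port(dst_port)}"
```

The practical consequence: a vendor name in the Source column is evidence only for a globally administered address, and a service name in the Protocol or Info column tells you which port was used, not which protocol was spoken.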

• Save dialog box
– Note that many file types are available

• Print dialog
– You can print in plain text or PostScript, or output to a file

• Printing options
– The summary line
– All packets
– Marked packets
– Packets from x to y
– All or partial detail

• The Edit menu

Find Packet…: Searches for a packet using a display filter or by searching for a matching hexadecimal string or character string.
Find Next: Finds the next packet that matches the search defined in the Find Packet dialog box.
Find Previous: Finds the previous packet that matches the search defined in the Find Packet dialog box.
Mark Packet: Marks the packet currently selected in the Summary window. Marking provides a mechanism for manually selecting a packet or group of packets to be subsequently printed or saved.
Find Next Mark: Finds and highlights the next marked packet in the capture.
Find Previous Mark: Finds and highlights the previous marked packet in the capture.
Mark All Packets: Marks all packets that match the currently applied display filter.
Unmark All Packets: Unmarks all packets that match the currently applied display filter.
Set Time Reference (toggle): Toggles the Time Reference flag for the currently selected packet.
Find Next Reference: Finds and highlights the next time reference packet in the capture.
Find Previous Reference: Finds and highlights the previous time reference packet in the capture.
Preferences…: Changes user preferences, including preferences for packet decodes.

• Find packet
– Allows a search by filter, hex or string value
– A filter search uses the same syntax as display filters
– A hex search is by byte values (good for MAC addresses)
– A string search is useful for usernames, etc.
– Ability to search up or down
– Case sensitive or insensitive

• Time reference toggle
– Allows you to calculate inter-packet times relative to a packet you select (the reference packet's time becomes zero)
– How long did client “B” take to respond to client “A”?

• Preferences
– Allows you to customize Wireshark to your personal liking or needs

• The View Menu
– There is a lot of customizable information on the viewing capabilities of Wireshark

• View menu options
Main Toolbar: Display or remove the Main Toolbar.
Filter Toolbar: Display or remove the Filter Toolbar.
Status Bar: Display or remove the Information Field and the Display Information Field.
Packet List: Display or remove the Summary window.
Packet Details: Display or remove the Protocol Tree window.
Packet Bytes: Display or remove the Data View window.
Time Display Format: A submenu for modifying the time displayed in the Summary window.
Name Resolution: A submenu for selecting the name resolution options to perform during capture.
Colorize Packet List: Apply or remove the coloring defined in Coloring Rules to the Summary window.
Auto Scroll in Live Capture: Sets the option to automatically scroll and update the Summary window list while capturing packets.
Zoom In: Proportionally increases the font and column size in the Summary window.
Zoom Out: Proportionally decreases the font and column size in the Summary window.
Normal Size: Returns the Summary window font and column size to the default setting.
Resize All Columns: Automatically resizes column width in the Summary window to eliminate white space.
Expand Subtrees: Expands the entire selected subtree in the Protocol Tree window.
Expand All: Expands all subtrees in the Protocol Tree window.
Collapse All: Collapses all subtrees in the Protocol Tree window.
Coloring Rules…: Create and edit color filters to colorize the packets in the Summary window that match a given display filter string.
Show Packet In New Window: For the packet currently selected in the Summary window, display its Protocol Tree window and Data View window in a new window.
Reload: Reload the current capture file.

• Time display information
– Time is taken from the LOCAL system clock of the capturing host
– Very important to synchronize clocks (e.g. with NTP) when doing simultaneous captures on two platforms, or timestamps from the two captures cannot be correlated
– Wireshark can display the time since the 1st captured packet or the delta from the previous packet
• Auto scroll in live capture
– Useful when you need to watch the packet flow, but it can slow the capture process

• Color filters
– Useful for the colorblind
– Allows you to change the color of protocols, errors, etc.
A color coded display can help you troubleshoot

• Show packet in new window
– Allows you to zero in on a single packet

• Go menu
– Allows you to navigate through the capture
Back: Moves to the previous packet displayed in the current capture.
Forward: Moves to the next packet displayed in the current capture.
Go To Packet…: Go to a packet by frame number.
Go To Corresponding Packet: When a field that refers to another frame is selected in the Protocol Tree window, select the packet being referred to in the Summary window.
First Packet: Moves to the first displayed packet.
Last Packet: Moves to the last displayed packet.

• Capture menu
Interfaces…: Opens the Interfaces dialog box.
Options…: Opens the Capture Options dialog box.
Start: Starts a capture.
Stop: Stops a running packet capture.
Restart: Restarts a stopped packet capture.
Capture Filters…: Edits the capture filters.

• You can capture on any single interface on your Wireshark PC
* The packet count and packets per second displayed in the Capture Interfaces dialog box are not the totals seen by the interfaces, but the count and rate seen by each interface since the Capture Interfaces dialog box was opened.

• Interface details: Characteristics tab
• Interface details: Statistics tab
• Interface details: Protocol (Ethernet) tab
• Interface details: WLAN tab

Capture
Options
– How
 To
display?
– What
 Is
captured?
– Where
 To
store?
– When
 To
capture?
Packets and Protocols
Chapter 4
What interface?
Buffer size?
Promiscuous?
Capture filter?
Where to save?
Use multiple Files?
How many?
When to stop?

• Buffer size vs. capture size
– Buffer size is the kernel capture buffer; it is dependent upon RAM
– Capture size is dependent upon hard drive size
• Too small a buffer loses packets: a burst fills it before Wireshark can drain it to disk, and the capture reports drops
– Too large a buffer ties up RAM that the rest of the system needs
– The defaults are a sensible starting point; raise the buffer size only if the capture shows dropped packets

• Capture options
– You can stop a capture automatically based on:
• Capture a number of packets and stop
• Capture for a period of time and stop
• Capture a number of kilobytes and then stop
– There is no trigger-based start (e.g. “start when packet X is seen”) in the Wireshark GUI; you can, however, start a capture immediately from the command line with the -k option, or schedule dumpcap/tshark with the operating system's scheduler

• The capture dialog box

• Ringing the capture buffer
– Allows you to save multiple captures
1. Select “Use multiple files”
2. Select “Next file every …” minutes or KB
3. Decide how many files to keep (“Ring buffer”)
4. Decide when to stop the capture
– Stop capture after
• X ring captures
• X minutes/hours/days
• KB/MB/GB

• Capture filter list
– Name the filter
– Create the filter

• Capture filters vs. display filters
– Capture filters are applied before the capture to narrow what is gathered (BPF/tcpdump syntax); packets they drop are never written and cannot be recovered later
– Display filters are applied after the capture to filter what is shown (Wireshark's own field syntax); the full capture is kept
• Capture and display filters use different syntax
– Capture = tcp port http (or tcp port 80)
– Display = http (or tcp.port == 80)
• They look alike, but they are not the same test: “tcp port 80” selects by port number only, while “http” selects packets the HTTP dissector recognized as HTTP
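The difference between the two filter kinds, as an added Python example (not code from the slides or from Wireshark): four constructed Ethernet/IPv4/TCP frames are run through a BPF-style “tcp port 80” test and through a stand-in for the “http” display filter that, like a dissector, looks at the payload rather than the port. The dissector stand-in is a deliberate simplification: real Wireshark only hands TCP data to the HTTP dissector on the ports configured for it (plus heuristics), which is why HTTP on an odd port needs Decode As. Checksums are left at zero because neither filter examines them.

```python
"""Added example: 'tcp port 80' (capture filter, header test only) versus
'http' (display filter, dissector decision) on constructed frames. Not code
from the slides or from Wireshark."""
import struct

SRC_MAC = bytes.fromhex("005056000001")
DST_MAC = bytes.fromhex("005056000002")


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK) around the payload; checksums are 0."""
    eth = DST_MAC + SRC_MAC + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Minimal dissection: (src_port, dst_port, tcp_payload), or None when the
    frame is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src, dst = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, tcp[data_off:]


def capture_filter_tcp_port(frame: bytes, port: int) -> bool:
    """BPF 'tcp port N': true when either TCP port equals N. Nothing else."""
    parsed = parse_frame(frame)
    return parsed is not None and port in parsed[:2]


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def display_filter_http(frame: bytes) -> bool:
    """Stand-in for the 'http' display filter: true when the payload is what
    the HTTP dissector would recognise. Simplification: Wireshark only runs
    the dissector on its configured ports or via Decode As; here the content
    is checked on any port to make the contrast with the capture filter clear."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    payload = parsed[2]
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


# Constructed sample frames, including the two cases where the filters disagree.
SAMPLE_FRAMES = [
    ("HTTP GET on port 80",
     build_frame(51000, 80, b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n")),
    ("SSH banner on port 80",          # a tunnel hiding on the web port
     build_frame(51001, 80, b"SSH-2.0-OpenSSH_9.6\r\n")),
    ("HTTP GET on port 8080",          # web traffic the port filter misses
     build_frame(51002, 8080, b"GET /admin HTTP/1.1\r\nHost: proxy\r\n\r\n")),
    ("TLS record on port 443",
     build_frame(51003, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")),
]


def compare_filters(frames=SAMPLE_FRAMES, port=80):
    """Return [(label, matches 'tcp port 80', matches 'http'), ...]."""
    return [(label, capture_filter_tcp_port(f, port), display_filter_http(f))
            for label, f in frames]


if __name__ == "__main__":
    for label, cap, disp in compare_filters():
        print(f"{label:28} capture={cap!s:5} display={disp}")
```

The two disagreements are the ones that matter in practice: a capture filter on the port would have kept the SSH-over-80 tunnel but silently discarded the HTTP on 8080, and nothing in the capture file can bring those packets back.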

• Analyze menu options
Display Filters…: Edits the display filters.
Apply as Filter: A submenu for preparing and automatically applying a display filter based on any field selected in the Protocol Tree window.
Prepare a Filter: A submenu for preparing a display filter based on any field selected in the Protocol Tree window.
Firewall ACL Rules: Creates a filter for several standard firewall types based on the currently selected packet in the Summary window.
Enabled Protocols…: Enables and disables the decoding of individual protocols.
Decode As…: Specifies decoding certain packets as being part of a particular protocol.
User Specified Decodes: Reports which user-specified decodes are currently in force.
Follow TCP Stream: Displays an entire TCP stream at once.
Follow SSL Stream: Displays an entire SSL stream at once (the contents are only readable if Wireshark has been given the keys to decrypt the session).
Expert Info: Displays a summary of the capture file.
Expert Info Composite: Displays statistics in a Protocol Tree view for the protocols in the capture.

• There are literally thousands of filter fields available, and the good news is most have already been written for you.

• Edit display filter list
– Allows you to create display filters via the GUI
• Select major protocol…

• Operators include: ==, !=, >, <, >=, <=
• Select operator

• Note that the value will change depending upon the protocol chosen
• Select value

• Display Filter dialog box
– Filter Name
– Filter String

• Apply as filter vs. prepare a filter
– The Apply as Filter and Prepare a Filter submenus have the same options and behave in the same way, with one exception:
• The Prepare a Filter submenu items prepare a display filter string and place it in the Filter text box.
• The Apply as Filter submenu items prepare a display filter string, place it in the Filter text box, and apply it to the capture.

• Apply as filter examples
– Note the importance of the operators!

• To enable or not to enable?
– Disabling protocols may make your sniffer run faster (maybe)

• Decode as…
– Forces Wireshark to decode a protocol the way you decide
– Not used very often; best not to override the defaults

• Since Wireshark is open source, there are already many, many protocol dissectors built in. The “decode as” option is not generally needed unless you are sniffing a proprietary protocol, or a known protocol running on a non-standard port (a common way of keeping a service out of sight of port-based filters), in which case it is the only way to get the right dissector applied.

• Following a TCP or SSL stream
– Very useful for following a conversation, but usually only if the data is sent in the clear (Telnet, SMTP, etc.)

• SMTP follow TCP stream example
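What Follow TCP Stream reconstructs, and what it gives away on a cleartext protocol, as an added Python example (not code from the slides or from Wireshark). The client side of an SMTP session is constructed inline, cut into 16-byte segments, delivered out of order with one segment retransmitted, reassembled in sequence order, and then searched for AUTH PLAIN and AUTH LOGIN exchanges, which are base64 encoded but not encrypted. The same reassembly run over an SSL/TLS stream would show nothing readable without the keys.

```python
"""Added example: Follow TCP Stream reassembly of the client side of a
cleartext SMTP session, and the credential harvest that makes it interesting.
Not code from the slides or from Wireshark; the session text is constructed."""
import base64


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.
    Segments may arrive out of order or be retransmitted; overlapping bytes
    are trimmed and the first copy is kept. (Hosts differ in which copy they
    honour when overlapping data conflicts, which is what IDS-evasion tools
    exploit; an IDS must model the target's policy.) Returns (data, gap):
    gap is True when a segment is missing, and data stops at the hole."""
    data = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:
            continue                          # pure retransmission, nothing new
        if seq > expected:
            return bytes(data), True          # hole in the sequence space
        data += payload[expected - seq:]      # drop the already-assembled prefix
        expected = seq + len(payload)
    return bytes(data), False


def extract_smtp_auth(client_stream: bytes):
    """Find credentials in the client side of an SMTP session. AUTH PLAIN
    carries base64(authzid NUL user NUL password), either on the AUTH line or
    on the next line; AUTH LOGIN sends base64(user) then base64(password)."""
    lines = client_stream.split(b"\r\n")
    creds = []
    for i, line in enumerate(lines):
        upper = line.upper()
        try:
            if upper.startswith(b"AUTH PLAIN"):
                parts = line.split(b" ", 2)
                blob = parts[2] if len(parts) == 3 else lines[i + 1]
                _, user, pwd = base64.b64decode(blob).split(b"\x00", 2)
                creds.append(("PLAIN", user.decode(), pwd.decode()))
            elif upper == b"AUTH LOGIN":
                user = base64.b64decode(lines[i + 1]).decode()
                pwd = base64.b64decode(lines[i + 2]).decode()
                creds.append(("LOGIN", user, pwd))
        except (IndexError, ValueError):
            pass                              # truncated or malformed exchange
    return creds


# Constructed client side of an SMTP session (base64 is encoding, not secrecy).
CLIENT_TEXT = (b"EHLO laptop.example.net\r\n"
               + b"AUTH PLAIN " + base64.b64encode(b"\x00alice\x00s3cret!") + b"\r\n"
               + b"MAIL FROM:<alice@example.net>\r\n"
               + b"QUIT\r\n")
LOGIN_TEXT = (b"EHLO laptop.example.net\r\nAUTH LOGIN\r\n"
              + base64.b64encode(b"bob") + b"\r\n"
              + base64.b64encode(b"hunter2") + b"\r\nQUIT\r\n")
ISN = 1000


def make_segments(text=CLIENT_TEXT, isn=ISN, chunk=16):
    """Cut the text into 16-byte segments, swap two of them so they arrive out
    of order, and append a retransmission of the first one."""
    segs = [(isn + off, text[off:off + chunk]) for off in range(0, len(text), chunk)]
    segs[1], segs[2] = segs[2], segs[1]
    segs.append(segs[0])
    return segs


def follow_and_harvest(segments=None, isn=ISN):
    """What an analyst does with Follow TCP Stream: reassemble, then read."""
    data, gap = reassemble(make_segments() if segments is None else segments, isn)
    return data, gap, extract_smtp_auth(data)
```

Note what happens when a segment is missing: the reassembly stops at the hole rather than splicing the two halves together, which is also why a capture with drops shows a truncated stream in the Follow window.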

• Expert info (and expert info composite) is used to sort errors and problems
– The Expert Info and Expert Info Composite menu options provide identical information in similar layouts. Both options provide a breakdown of the current capture, and display summary information about current conversations, errors, and warnings that can be derived from the traffic patterns. These options are a great method to use to begin troubleshooting traffic-related issues, as they provide some simple error-related information without having to analyze each packet by hand.

• Expert info example

• The statistics menu
– Provides many useful traffic statistics

• Statistics menu options
 Capture
Summary
dialogue box
– Gives a great quick
summary of the
capture statistics

• Protocol hierarchy statistics
– Gives statistics broken down by each protocol

• Protocol hierarchy statistics columns
Protocol: The protocol on which statistics are being reported. The protocol may have sub-items on the tree representing the protocols it contains (e.g., IP contains TCP and UDP).
% Packets: Percentage of all packets in the capture that are of this protocol.
Packets: The number of packets in the capture that are of this protocol.
Bytes: The number of bytes in this capture containing this protocol.
End Packets: The number of packets for which this protocol is the last protocol in the decode (e.g., a TCP synchronize [SYN] packet containing no data would be an end packet for TCP and counted in TCP's end packets count).
End Bytes: The number of bytes for which this protocol is the last protocol in the decode.
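How the Protocol Hierarchy numbers, including End Packets and End Bytes, fall out of the per-packet decodes, as an added Python example (not code from the slides or from Wireshark). Each constructed packet is the list of protocols in its decode, outermost first, plus its frame length; the names and lengths are made up for the example. The last function is the security-minded reading of the table: payload that ended at a bare transport layer, or at a generic data leaf, is traffic no dissector claimed.

```python
"""Added example: Protocol Hierarchy statistics computed from per-packet
decodes. Not code from the slides or from Wireshark; the packets below are
constructed (protocol path outermost-first, frame length in bytes)."""

SAMPLE_PACKETS = [
    (["eth", "ip", "tcp"], 60),             # bare SYN: decode ends at TCP
    (["eth", "ip", "tcp", "http"], 512),
    (["eth", "ip", "tcp", "http"], 1460),
    (["eth", "ip", "udp", "dns"], 78),
    (["eth", "ip", "tcp", "data"], 300),    # payload no dissector claimed
    (["eth", "arp"], 42),
]

COLUMNS = ("packets", "bytes", "end_packets", "end_bytes")


def protocol_hierarchy(packets):
    """Return {path: stats} where path is a tuple such as ("eth", "ip", "tcp").
    A packet is counted once at every level of its decode; it is an *end*
    packet only at the last protocol in the decode."""
    stats = {}
    for layers, length in packets:
        for depth in range(len(layers)):
            path = tuple(layers[:depth + 1])
            node = stats.setdefault(path, dict.fromkeys(COLUMNS, 0))
            node["packets"] += 1
            node["bytes"] += length
            if depth == len(layers) - 1:
                node["end_packets"] += 1
                node["end_bytes"] += length
    total = len(packets)
    for node in stats.values():
        node["pct_packets"] = round(100.0 * node["packets"] / total, 1) if total else 0.0
    return stats


def render(stats):
    """Indented table in the dialog's column order: Protocol, % Packets,
    Packets, Bytes, End Packets, End Bytes. Sorting the path tuples gives a
    depth-first order, so children always follow their parent."""
    rows = ["Protocol           %Pkts  Packets   Bytes  EndPkts  EndBytes"]
    for path, n in sorted(stats.items()):
        name = "  " * (len(path) - 1) + path[-1]
        rows.append(f"{name:<18} {n['pct_packets']:5.1f} {n['packets']:8d} "
                    f"{n['bytes']:7d} {n['end_packets']:8d} {n['end_bytes']:9d}")
    return "\n".join(rows)


def unclaimed_payload(stats, transports=("tcp", "udp")):
    """Bytes whose decode ended at a bare transport layer or at a generic
    'data' leaf under it: candidates for Decode As or for a closer look."""
    total = 0
    for path, n in stats.items():
        if path[-1] in transports:
            total += n["end_bytes"]
        elif path[-1] == "data" and len(path) > 1 and path[-2] in transports:
            total += n["end_bytes"]
    return total
```

A large End Packets count at TCP or UDP that bare SYNs and ACKs do not explain is traffic on a port no dissector is registered for, or a protocol Wireshark does not know, which is the place to start with Decode As.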

• TCP Stream Graph
• TCP Stream Graph options

• The RTT graph shows the RTT vs. the sequence number. You can see the RTT spike around sequence number 1000000, which is roughly the same sequence number where you will see a discontinuity in the time-sequence graphs.

• The throughput graph shows the throughput of the TCP stream vs. time.

• The time-sequence graph (Stevens) produces a simple graph of TCP sequence numbers vs. time for the TCP stream containing the packet that was selected in the Summary window.

• The time-sequence graph (tcptrace) is also primarily a graph of TCP sequence numbers vs. time. Unlike the Stevens-style time-sequence graph, however, it conveys a lot more information about the TCP stream (the acknowledgment line and the advertised receive window, in addition to the segments sent).

• Using graphs for troubleshooting dropped segments
– Note the packet drop errors (REF pg 200)

• Using graphs for troubleshooting throughput issues
– Why does the throughput drop off? (REF pg 201)

• Using graphs for troubleshooting throughput issues (cont)
– Why is the throughput so jagged?

• Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake!*
*This is, of course, after you know what a normal network sniffer capture looks like!

• Graph Control
– Many aspects of the graph functions can be customized, including:
• Zoom: zoom in/out of graph sections
• Magnify: allows you to dig more deeply into parts of the gathered data
• Origin: start/stop at any point in the capture
• Cross: turn crosshairs on/off
• Graph Type: select the type of graph

• Help menu
Contents: Displays the contents for the Wireshark online help.
Supported Protocols: Displays a list of the supported protocols and the display filter fields they provide.
Manual Pages: A submenu for accessing traditional UNIX-style manual pages for Wireshark, Wireshark filters, and command line utilities.
Wireshark Online: A submenu for accessing online Wireshark resources.
About Wireshark: Displays information about the Wireshark version and compile information.

• Manual Pages submenu
Wireshark: Opens the manual page (manpage) for Wireshark.
Wireshark Filter: Opens the manpage for creating Wireshark display filters.
TShark: Opens the manpage for TShark, the command-line version of Wireshark.
Dumpcap: Opens the manpage for Dumpcap, a command-line packet capture utility.
Mergecap: Opens the manpage for Mergecap, a command-line utility for merging two or more libpcap capture files.
Editcap: Opens the manpage for Editcap, a command-line utility for editing and translating libpcap files.
Text2pcap: Opens the manpage for text2pcap, a command-line utility for generating capture files from a text hexdump of packets.

• Help > About

• Special Menus (pop-up menus)
– Summary window pop-up menu options
– Protocol tree pop-up menu options
– Data view pop-up menu options

Command line
options
– Wireshark can
also be run via
command line.

• To capture on interface eth0 immediately and write the results to a ring buffer with three files of maximum size 100 kilobytes with base filename test.libpcap, execute the following at the command line:
wireshark -i eth0 -k -w test.libpcap -b filesize:100 -b files:3
– Older Ethereal/Wireshark releases spelled the ring buffer as “-b 3 -a filesize:100”; current releases take both ring limits through -b, and -a is only for autostop conditions (duration, filesize, files)
– The same options work with tshark and dumpcap; for long unattended captures dumpcap is the tool to use, since only that small capture process then needs elevated privileges
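The mechanism behind the ring buffer options earlier in the chapter and the command line just above, as an added Python example (not code from the slides or from Wireshark): a writer that emits libpcap files, starts a new one when the size limit is reached and deletes the oldest so that at most N remain, plus a reader that counts the records that survived. The frames are constructed dummies, and the file naming (base_00001.pcap and so on) is a simplification of Wireshark's base_NNNNN_timestamp scheme.

```python
"""Added example: what '-b filesize:KB -b files:N' does. A libpcap writer that
rotates on size and keeps only the N newest files, and a reader that counts
what survived. Not code from the slides or from Wireshark; frames and file
naming are simplified for the example."""
import os
import struct
import tempfile
import time

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET) -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts: float, frame: bytes) -> bytes:
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


class RingWriter:
    """Write records to base_00001.pcap, base_00002.pcap, ... switching files
    when the next record would exceed max_kb, and deleting the oldest file
    once more than max_files exist."""

    def __init__(self, base: str, max_kb: int, max_files: int):
        self.stem, self.ext = os.path.splitext(base)
        self.limit = max_kb * 1024
        self.max_files = max_files
        self.files = []              # oldest first
        self.fh = None
        self.written = 0
        self.index = 0

    def _rotate(self):
        if self.fh:
            self.fh.close()
        self.index += 1
        path = f"{self.stem}_{self.index:05d}{self.ext}"
        self.fh = open(path, "wb")
        self.fh.write(pcap_global_header())
        self.written = GLOBAL_HEADER_LEN
        self.files.append(path)
        while len(self.files) > self.max_files:
            os.remove(self.files.pop(0))   # those packets are gone for good

    def write(self, ts: float, frame: bytes):
        rec = pcap_record(ts, frame)
        if self.fh is None or self.written + len(rec) > self.limit:
            self._rotate()
        self.fh.write(rec)
        self.written += len(rec)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None
        return list(self.files)


def count_records(path: str) -> int:
    """Walk a libpcap file record by record; raises on a foreign magic number."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError(f"{path}: not a little-endian libpcap file")
    off, n = GLOBAL_HEADER_LEN, 0
    while off + RECORD_HEADER_LEN <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        off += RECORD_HEADER_LEN + incl_len
        n += 1
    return n


# Constructed dummy frames: an Ethernet header plus padding, 100 bytes each.
SAMPLE_FRAMES = [b"\x00" * 12 + b"\x08\x00" + bytes([i]) * 86 for i in range(30)]


def run_demo(frames=SAMPLE_FRAMES, max_kb=1, max_files=3):
    """Capture 30 frames into a 1 KB x 3 ring in a temp dir. Each 116-byte
    record fits 8 per file, so 4 files are written and the first is evicted."""
    directory = tempfile.mkdtemp()
    writer = RingWriter(os.path.join(directory, "test.pcap"), max_kb, max_files)
    t0 = time.time()
    for i, frame in enumerate(frames):
        writer.write(t0 + i * 0.001, frame)
    kept = writer.close()
    return {
        "kept": [os.path.basename(p) for p in kept],
        "sizes": [os.path.getsize(p) for p in kept],
        "records": sum(count_records(p) for p in kept),
        "first_file_survives": os.path.exists(os.path.join(directory, "test_00001.pcap")),
    }
```

The eviction in _rotate is the point of the slide that says a ring buffer lets you run indefinitely: the oldest file, and every packet in it, is removed without warning once the ring is full, so size the ring for the longest window you will ever need to look back over.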