Wireshark

Notes
  • Add some slides here but hide them when not needed.
  • Gus, Brian
  • Original author and developer
  • Mention TurboCap, AirPcap, and Pilot
  • Where to begin
  • Get some more information on commercial tools available.
  • Explain the outline of the day: 45-minute hours with 10-minute or longer labs, and potty and snack breaks built in.
  • Show off slides of other sniffers. Introduce tcpdump and tshark and let them know we will provide more info in the advanced section after lunch. Talk about how you discuss the transmission medium: wire vs fiber vs air.
  • Hide when not needed for advanced users.
  • Check your NIC to see whether TCP checksum offload is available and whether it is turned on. If it is on, outbound segments are captured before the NIC fills in the checksum, so Wireshark flags them as having an incorrect checksum (turn offload off, or disable checksum validation in the TCP preferences, when that gets in the way). Separately, most NICs strip the 4-byte FCS before the frame reaches the capture driver, so captured frames are 4 bytes shorter than what was on the wire and you will not see the FCS at the end of the frame.
  • Packet structure. Example captures: ICMP, AD, NetBIOS, nmap scan, DirBuster, Snoop, Nmap parser (CPAN).
  • Perhaps a more detailed explanation of each of these; maybe attach an appendix with more detailed info. Mention window size and why it is important. Runts and giants. TCP flag introduction.
  • See if Gus can give more on NS, CWR and ECE
  • Just an example of an ACK segment
  • Go to http://www.wireshark.org and download and reinstall the latest 64-bit version on your system. Install wireless USB NICs. Let them do some packet captures if they want to just mess around, as we will go over the application in the next session.
  • Explain
  • Explain
  • Hubs, switches, inline taps.
  • Colorizing lab:
    Review the captures provided.
    Explore your preferences.
    Create different profiles for situations like WLAN vs LAN vs WAN captures.
    Create profiles for preferred networks.
    Explore your directory structures.
    Create at least two coloring rules.
    Create at least two new capture filters to be applied to a capture file.
    Create at least two display filters to be applied to a capture file.
  • Display filter lab: Create a capture of at least 2 MB that consists of two 1 MB files. Attempt to use mergecap to combine the two files. Download WinDump, run it, and attempt to open your saved capture with Wireshark: windump -i <interface name> > <filename> (the > only redirects WinDump's text decode; to write a capture file Wireshark can open, use -w <filename>).
  • Capture filter lab: same setup as the display filter lab.
  • Merge lab
  • Tshark lab
  • Wireshark

    1. An Introduction to Protocol Analysis
    2. INTRODUCTIONS
    3. Gerald Combs: author, founder, developer, community leader
    4. CACE Technologies: where Gerald works (for now). Home of AirPcap (for wireless captures of 802.11 frames), TurboCap, Wireshark appliances, and Pilot reporting software
    5. PILOT
    6. Laura Chappell: where to begin. Is an independent; runs Wireshark University and Chappell University; heads up Wireshark Certification
    7. Wireshark University: training materials, videos, captures, books, CD/DVD
    8. Other Tools: TShark (included with Wireshark), TCPDump (native to *nix), Netmonitor (Windows), Capsa, Snoop (Sun Microsystems), Cain, WinDump, Ettercap, Dsniff, Ngrep
    9. OVERVIEW
    10. Purpose: troubleshooting slow networks, application problems, DNS issues, web servers, DHCP issues
    11. Review of OSI
        Layer 7 Application (network process to application)
        Layer 6 Presentation (data representation & encryption)
        Layer 5 Session (interhost communication)
        Layer 4 Transport (delivery protocol)
        Layer 3 Network (logical addressing)
        Layer 2 Data Link (physical addressing) • MAC • LLC
        Layer 1 Physical (media, signal & binary)
    12. Review of OSI: Layer 8, Politics & Money
    13. Review of Ethernet
    14. Ethernet Frame Structure
    15. Review of IP
    16. IP Packet Structure
    17. Review of TCP
    18. TCP Segment Structure
    19. Review of TCP/IP
        TCP: Layer 4 transport protocol; connection oriented; flags RES/NS/CWR/ECE and URG/ACK/PSH/RST/SYN/FIN
        IP: Layer 3 logical addressing (e.g. 10.1.0.22/24)
        UDP: Layer 4 transport protocol; connectionless
    20. TCP Flags
        • Special flags (the first of these, NS, sits in bits the original TCP header reserved): NS = Nonce Sum (RFC 3540, experimental), CWR = Congestion Window Reduced, ECE = ECN-Echo (CWR and ECE are the ECN signals of RFC 3168)
        • URG = Urgent
        • ACK = Acknowledgement
        • PSH = Push
        • RST = Reset
        • SYN = Synchronize
        • FIN = Finish
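The three header structures on the slides above (Ethernet frame, IP packet, TCP segment) and the flag list, as an added example that is not part of the original deck: a small Python decoder that walks Ethernet II -> IPv4 -> TCP, names the flag bits in Wireshark's order (including NS, CWR and ECE), and verifies both the IP header checksum and the TCP checksum over its pseudo-header. The second constructed frame shows the checksum-offload effect mentioned in the speaker notes: a segment captured before the NIC filled in its checksum fails validation, which is why Wireshark marks such outbound segments as incorrect. The MAC and IP addresses, ports, sequence number and payload are made-up sample data, not from any real capture.

```python
import struct

# Wireshark's TCP flag bits (low 9 bits of the 16-bit data-offset/flags word).
# NS occupies the bit just above CWR, in what the original TCP spec reserved.
TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080),
             ("NS", 0x100)]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words, odd trailing byte zero-padded, carries folded in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum covers a 12-byte pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags,
                payload=b"", window=65535, fill_tcp_checksum=True):
    """Construct an Ethernet II / IPv4 / TCP frame from sample values (not a real capture).
    fill_tcp_checksum=False leaves the TCP checksum field zero, which is what a capture of
    outbound traffic looks like when the NIC computes the checksum after the capture point."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0,
                      (5 << 12) | flags, window, 0, 0) + payload
    if fill_tcp_checksum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, DF flag, ttl 64, proto 6, checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    # Trailing padding, or an FCS if the NIC kept one, lies beyond total_len and is dropped here.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "src": "%s:%d" % (".".join(map(str, src_ip)), sport),
        "dst": "%s:%d" % (".".join(map(str, dst_ip)), dport),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        # A valid header (its checksum field included) sums to all ones, so its checksum is zero.
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": tcp_checksum(src_ip, dst_ip, tcp) == 0,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def demo():
    """Constructed frames: an ECN-setup SYN (SYN+ECE+CWR) with a good checksum, and the same
    segment as an offload-capable NIC shows it in a capture of outbound traffic (checksum zero)."""
    args = (bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
            bytes([10, 1, 0, 22]), bytes([10, 1, 0, 1]), 49152, 80, 0x0C2)
    good = parse_frame(build_frame(*args))
    offloaded = parse_frame(build_frame(*args, fill_tcp_checksum=False))
    return good, offloaded


if __name__ == "__main__":
    for label, p in zip(("good", "offloaded"), demo()):
        print(label, p["src"], "->", p["dst"], p["flags"],
              "ip csum ok:", p["ip_checksum_ok"], "tcp csum ok:", p["tcp_checksum_ok"])
```

The offloaded frame is the one to keep in mind when a capture taken on a busy server shows a wall of black "bad checksum" rows: the checksums on the wire were fine, the capture point was simply before the NIC computed them.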
    21. See Appendix A
    22. Basic Network Applications
        FTP    - TCP      ports 20 & 21
        Telnet - TCP      port 23
        SMTP   - TCP      port 25
        DNS    - UDP      port 53 (TCP 53 for zone transfers and large responses)
        HTTP   - TCP      port 80
        SIP    - TCP/UDP  port 5060
        SQL    - TCP      port 1433 (Microsoft SQL Server)
        RDP    - TCP      port 3389
        PPTP   - TCP      port 1723 (control channel; the tunnelled data is carried over GRE, IP protocol 47)
        Syslog - UDP      port 514
    23. TCP HANDSHAKE
    24. DATA TRANSFER
    25. SESSION CLOSURE
    26. LAB/BREAK
    27. A Guided Tour
    28. Profiles
    29. Preferences
    30. DIRECTORY STRUCTURE
    31. Personal Settings: C:\Users\<username>\AppData\Roaming\Wireshark (profiles, cfilters, preferences)
    32. System Settings: C:\Program Files\Wireshark
        dfilters – display filters
        dumpcap – capture program (Wireshark and tshark use it for live capture)
        editcap – edit .pcap files
        mergecap – merge .pcap files
        rawshark – read raw packet data and dump selected fields
        text2pcap – conversion tool (hex dump to pcap)
        tshark – CLI version of Wireshark
        colorfilters (don't touch!)
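What mergecap does (slide 32) and what the merge lab in the notes exercises, as an added example that is not code from the Wireshark project: a minimal Python reader and writer for the classic pcap file format, plus a merge that orders records by timestamp (mergecap's default) or simply concatenates the inputs (mergecap -a). The demo builds two constructed capture files in a temporary directory, merges them both ways, and also shows a truncated record (a capture cut off mid-write) being caught instead of silently read. The filler frames and timestamps are constructed sample data; pcapng files and the nanosecond-timestamp pcap variant are rejected rather than handled.

```python
import heapq
import os
import struct
import tempfile

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps, native byte order
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-timestamp variant (rejected below)
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng Section Header Block type (same bytes either endianness)
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Write a little-endian classic pcap. packets: iterable of (ts_sec, ts_usec, bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, data in packets:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, min(len(data), snaplen), len(data)))
            f.write(data[:snaplen])


def read_pcap(path):
    """Return (linktype, snaplen, [(ts_sec, ts_usec, bytes), ...]), detecting byte order from the magic."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("%s: truncated global header" % path)
        magic_le = struct.unpack("<I", hdr[:4])[0]
        magic_be = struct.unpack(">I", hdr[:4])[0]
        if magic_le == PCAPNG_MAGIC:
            raise ValueError("%s: pcapng file, not handled by this reader" % path)
        if PCAP_MAGIC_NS in (magic_le, magic_be):
            raise ValueError("%s: nanosecond pcap, not handled by this reader" % path)
        if magic_le == PCAP_MAGIC_US:
            endian = "<"
        elif magic_be == PCAP_MAGIC_US:
            endian = ">"
        else:
            raise ValueError("%s: not a pcap file (magic %08x)" % (path, magic_le))
        _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
        packets = []
        while True:
            rec = f.read(16)
            if not rec:
                break
            if len(rec) < 16:
                raise ValueError("%s: truncated record header" % path)
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("%s: truncated packet (capture cut off mid-write?)" % path)
            packets.append((ts_sec, ts_usec, data))
    return linktype, snaplen, packets


def merge_pcaps(out_path, in_paths, chronological=True):
    """Merge like mergecap: by timestamp by default, or concatenated in input order (mergecap -a)."""
    inputs = [read_pcap(p) for p in in_paths]
    if len({lt for lt, _, _ in inputs}) != 1:
        raise ValueError("inputs have different link types; classic pcap cannot mix them")
    linktype = inputs[0][0]
    snaplen = max(sl for _, sl, _ in inputs)
    streams = [pk for _, _, pk in inputs]
    if chronological:  # each capture file is already in time order, so a k-way merge suffices
        merged = list(heapq.merge(*streams, key=lambda p: (p[0], p[1])))
    else:
        merged = [p for s in streams for p in s]
    write_pcap(out_path, merged, snaplen, linktype)
    return len(merged)


def frame(tag: bytes) -> bytes:
    """Constructed 60-byte filler frame: zero Ethernet header, then a tag so we can see the order."""
    return b"\x00" * 14 + tag.ljust(46, b"\x00")


def demo():
    """Two constructed capture files with interleaved timestamps, merged both ways, plus truncation."""
    with tempfile.TemporaryDirectory() as d:
        a, b, out = (os.path.join(d, n) for n in ("a.pcap", "b.pcap", "merged.pcap"))
        write_pcap(a, [(1, 0, frame(b"a1")), (2, 0, frame(b"a2"))])
        write_pcap(b, [(1, 500000, frame(b"b1")), (3, 0, frame(b"b2"))])
        merge_pcaps(out, [a, b])
        by_time = [(s, u, data[14:16]) for s, u, data in read_pcap(out)[2]]
        merge_pcaps(out, [a, b], chronological=False)
        appended = [(s, u, data[14:16]) for s, u, data in read_pcap(out)[2]]
        with open(a, "rb") as f:
            raw = f.read()
        with open(a, "wb") as f:
            f.write(raw[:-10])          # simulate a capture whose last record was cut off
        try:
            read_pcap(a)
            truncated_detected = False
        except ValueError:
            truncated_detected = True
    return by_time, appended, truncated_detected


if __name__ == "__main__":
    by_time, appended, truncated = demo()
    print("by timestamp:", [t for _, _, t in by_time])
    print("appended    :", [t for _, _, t in appended])
    print("truncated input detected:", truncated)
```

The timestamp merge is what you want when the two files came from different capture points (a SPAN port and a tap, say); the append mode is what you want when they are consecutive ring-buffer files and the clocks are irrelevant.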
    33. Ring Buffers: what they are, where they are stored, why they are useful; configuring: single/multiple files, what size, how often, how many, when to stop (dumpcap and Wireshark take -b filesize:<KB>, -b duration:<sec> and -b files:<n>)
    34. Selecting an Interface: from preferences, or manually
    35. Saving Files: where? how big? how many? what format? speed to disk
    36. Placement
        Hubbing out -> easy, but loss of data (the hub forces half duplex, so collisions and drops)
        Port spanning -> good on a less busy net (an oversubscribed SPAN port silently drops frames)
        Inline taps -> best, but pricey
    37. CAPTURES: get as close as possible!
    38. Captures: where to store them, how much space they take up, how to store them
    39. Display Filters: "not my MAC", e.g. !(eth.addr == 00:11:22:33:44:55) (Wireshark's own filter syntax, applied to packets already captured)
    40. Capture Filters: "not my MAC", e.g. not ether host 00:11:22:33:44:55 (BPF syntax, applied at capture time; what it drops is never written to disk)
    41. Colorizing: built-in scheme; change on the fly
    42. LAB 1
    43. LAB 2
    44. LAB 3
    45. LAB 4
    46. LAB 5
    47. Statistics and Reporting
    48. Statistics and Advanced Statistics: conversations, conversation lists, endpoints, IP addresses, IP endpoints, IP protocol types, UDP multicast streams, WLAN traffic
    49. RESOURCES
        www.wireshark.org – Wireshark
        www.cacetech.com
        www.chappellseminars.com – Wireshark Certification Guide
        www.wiresharkuniversity.com – Wireshark Certification Exam Prep Guide
    50. STAY SECURE!
