Network Packet Analysis with Wireshark


Presented @ ISA Safety & Security Symposium 2012
Anaheim, CA, April 2012

Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It is not just for IT-based protocols either: many industrial protocols have packet decoders (dissectors) for Wireshark. This tutorial will provide the user with:
* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some more advanced features available in Wireshark



1. Network Packet Analysis with Wireshark
   Jim Gilsinn, National Institute of Standards & Technology, Engineering Laboratory
   Standards Certification Education & Training Publishing Conferences & Exhibits

2. Jim Gilsinn - Bio
   • Electronics Engineer with NIST/EL for over 20 years
   • Cybersecurity for Factory Control Systems
     – Co-Chair and General Editor, ISA99 Committee
     – Co-Chair, ISA99 WG2, Security Program
     – Co-Chair, ISA99 WG7, Safety & Security
   • Factory Equipment Network Testing Framework
     – Co-Investigator & Main Developer, FENT software
     – Extension of previous IENetP project
   • Education
     – MSEE in Controls from Johns Hopkins University
     – BSEE in Controls from Drexel University

3. What is Wireshark?
   • The De-Facto Network Protocol Analyzer
     – Open-Source (GNU Public License)
     – Multi-platform
     – Easily extensible
     – Large development group
   • Allows Users to…
     – Capture network traffic
     – Interactively browse that traffic
     – Decode packet protocols using dissectors
   • Previously Named “Ethereal”

4. What is Wireshark?
   • Development Version (as of last night @ 11:30pm)
     – 1,300+ Protocols
     – 112,600+ Protocol Header Fields
   • Almost Every Ethernet/TCP/IP Protocol
   • Many Industrial Ethernet Protocols
     – BACnet
     – EtherNet/IP & CIP, CIP Safety, CIP Motion
     – DNP 3.0
     – EtherCAT
     – Foundation Fieldbus
     – IEC 61850 & GOOSE
     – Modbus & Modbus/TCP
     – openSAFETY
     – Profinet
     – SERCOS III
     – TTEthernet
     – Zigbee

5. Network Layering
   • Network Protocols Generally Have Some Header
     – Who sent the information
     – Who needs the information
     – Information about the payload
     – Other protocol specific information
   • Headers Can Be Significant Part of Packet
     – Ethernet/IP/UDP – Minimum 42 Bytes of Header (65%)
     – Minimum 64 Bytes Ethernet packet
     – Many industrial Ethernet protocols only transmit a few bytes of data in real-time
   [Figure: packet layering diagram. Ethernet Header (14 Bytes) + Ethernet Payload; inside it IP Header (20 Bytes) + IP Payload; inside that UDP/TCP Header (8/20+ Bytes) + TCP Payload; inside that Protocol Header (?? Bytes) + Data]
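Slide 5's figure of 42 header bytes in a 64-byte minimum frame can be checked by walking the layers yourself. The following Python script is an added example, not part of the original presentation: it constructs a sample Ethernet II / IPv4 / UDP frame carrying two bytes of process data (the MAC addresses, IP addresses and identifiers in it are made up), dissects it layer by layer, validating every length field against the bytes actually present before trusting it, and reports the header overhead against the 64-byte minimum frame (which includes the 4-byte FCS that capture drivers normally strip, so Wireshark itself shows such a frame as 60 bytes).

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
FCS_LEN = 4                # Ethernet frame check sequence, stripped by most capture drivers
ETHERNET_MIN_FRAME = 64    # minimum frame on the wire, FCS included; shorter frames are padded


def build_udp_frame(payload: bytes) -> bytes:
    """Construct an Ethernet II / IPv4 / UDP frame around payload (sample data, not a real capture)."""
    # UDP port 2222 is the EtherNet/IP implicit (cyclic I/O) port; checksum 0 means "not computed"
    udp = struct.pack("!HHHH", 2222, 2222, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                    # version 4, IHL 5 -> 20-byte header
                     0, 20 + len(udp), 0x1234, 0x4000, 64, IPPROTO_UDP,
                     0,                       # header checksum left zero in this constructed sample
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def dissect(frame: bytes) -> dict:
    """Walk the layers of a captured frame, checking each header against the bytes actually present."""
    layers = []
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    layers.append(("Ethernet", 14))
    off = 14

    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (frame[off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    proto = frame[off + 9]
    if ihl < 20 or total_len < ihl or off + total_len > len(frame):
        raise ValueError("IPv4 length fields disagree with the captured bytes")
    layers.append(("IPv4", ihl))
    ip_end = off + total_len        # bytes after this are Ethernet padding, not IP payload
    off += ihl

    if proto == IPPROTO_UDP:
        if ip_end - off < 8:
            raise ValueError("truncated UDP header")
        udp_len = struct.unpack_from("!H", frame, off + 4)[0]
        if udp_len < 8 or off + udp_len > ip_end:
            raise ValueError("UDP length field exceeds the IP payload")
        layers.append(("UDP", 8))
        data_len = udp_len - 8
    elif proto == IPPROTO_TCP:
        if ip_end - off < 20:
            raise ValueError("truncated TCP header")
        doff = (frame[off + 12] >> 4) * 4
        if doff < 20 or off + doff > ip_end:
            raise ValueError("TCP data offset exceeds the IP payload")
        layers.append(("TCP", doff))
        data_len = ip_end - off - doff
    else:
        raise ValueError(f"unsupported IP protocol {proto}")

    header_bytes = sum(n for _, n in layers)
    wire_bytes = max(len(frame) + FCS_LEN, ETHERNET_MIN_FRAME)
    return {
        "layers": layers,
        "header_bytes": header_bytes,
        "data_bytes": data_len,
        "wire_bytes": wire_bytes,
        "overhead_pct": 100.0 * header_bytes / wire_bytes,
    }


if __name__ == "__main__":
    result = dissect(build_udp_frame(b"\x01\x02"))   # two bytes of cyclic process data
    for name, size in result["layers"]:
        print(f"{name:9s} {size:3d} bytes")
    print(f"headers: {result['header_bytes']} of {result['wire_bytes']} wire bytes "
          f"({result['overhead_pct']:.1f}% overhead), data: {result['data_bytes']} bytes")
```

Each layer's length field is checked before the dissector moves on, so a frame cut short by the capture (or one whose IP total length claims more bytes than exist) produces an error rather than a read past the buffer, which is the same discipline Wireshark's own dissectors must follow.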
6. Wireshark Welcome Screen

7. Wireshark Packet Analysis Window

8. Wireshark Packet Analysis Demo
   • Packet Decoder Window
   • Layering
   • Bytes on Wire
   • Protocol Filters
     – Capture Filters
     – Display Filters

9. Wireshark Capture & Exporting Demo
   • Capturing Live Traffic
   • Saving Packet Capture Files
   • Exporting Packet Capture Files
   • Marking Sections of Captures

10. Advanced Features of Wireshark GUI
   • Statistics
     – Conversations
     – Endpoints
     – IO Graphs
     – Flow Graphs
   • Firewall ACL Rules

11. Using & Interfacing With Wireshark
   • Wireshark Strictly Uses GNU Public License
     – Any derived work with Wireshark code SHALL be open-source
   • You Can Use Wireshark Hands-Off, Though
     – Network Socket Interface
     – Tshark.exe
   • Network Socket Interface
     – Rudimentary control
   • Tshark.exe
     – Most features available through command-line interface

12. Developing Your Own Protocol Dissectors
   • Not Every Protocol Exists in Wireshark
     – When you need a protocol that doesn’t exist, you can relatively easily build your own dissector
   • Not Every Protocol Dissector Has Full Coverage
     – Open-source software allows anyone to modify the code
     – Protocols generally change over time
     – The original dissector developer may not exist any longer
   • Bugs Can Exist in Dissectors
     – Code almost always has bugs
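Wireshark's own dissectors are written in C (or Lua), so the following Python function is an added model of what a dissector does, not code from Wireshark or from the presentation. It decodes Modbus/TCP, one of the industrial protocols listed on slide 4, the way a dissector has to: each MBAP length field and byte count is checked against the bytes actually captured before it is used, so a truncated or malformed ADU yields a decode error instead of an out-of-range read, which is the kind of dissector bug slide 12 warns about. The sample segments are constructed for this example, not taken from a capture; the request/response direction is passed in by the caller, where Wireshark would infer it from the TCP port.

```python
import struct

MBAP_LEN = 7          # transaction id (2), protocol id (2), length (2), unit id (1)
READ_HOLDING_REGISTERS = 3
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

# Constructed sample segments (not from a real capture): two pipelined client requests,
# the server's two responses, and a request whose MBAP length field claims bytes that are not there.
SAMPLE_REQUESTS = bytes.fromhex("000100000006010300000002" "000200000006010300100001")
SAMPLE_RESPONSES = bytes.fromhex("000100000007010304002a012c" "000200000003018302")
MALFORMED = bytes.fromhex("000300000014010300000002")


def dissect_modbus_tcp(segment: bytes, is_request: bool) -> list:
    """Split one TCP payload into Modbus/TCP ADUs and decode each, trusting no length field."""
    adus, off = [], 0
    while off < len(segment):
        if len(segment) - off < MBAP_LEN:
            raise ValueError(f"truncated MBAP header at offset {off}")
        tid, pid, length, unit = struct.unpack_from("!HHHB", segment, off)
        if pid != 0:
            raise ValueError(f"protocol id {pid} at offset {off} is not Modbus")
        # 'length' counts the unit id plus the PDU, so it is at least 2 (unit id + function code)
        if length < 2:
            raise ValueError(f"MBAP length {length} too small to hold a function code")
        pdu_start, pdu_end = off + MBAP_LEN, off + 6 + length
        if pdu_end > len(segment):            # the bounds check a buggy dissector forgets
            raise ValueError(f"MBAP length {length} at offset {off} runs past the captured bytes")
        fields = {"transaction_id": tid, "unit_id": unit}
        fields.update(dissect_pdu(segment[pdu_start:pdu_end], is_request))
        adus.append(fields)
        off = pdu_end
    return adus


def dissect_pdu(pdu: bytes, is_request: bool) -> dict:
    """Decode the function code and, for Read Holding Registers, the request or response body."""
    fc = pdu[0]
    base_fc = fc & 0x7F                      # bit 7 set marks an exception response
    fields = {
        "function_code": base_fc,
        "function": FUNCTION_NAMES.get(base_fc, "Unknown"),
        "exception": bool(fc & 0x80),
    }
    data = pdu[1:]
    if fields["exception"]:
        if len(data) != 1:
            raise ValueError("exception response must carry exactly one exception code byte")
        fields["exception_code"] = data[0]
    elif base_fc == READ_HOLDING_REGISTERS and is_request:
        if len(data) != 4:
            raise ValueError("Read Holding Registers request needs a 4-byte body")
        start, quantity = struct.unpack("!HH", data)
        if not 1 <= quantity <= 125:        # limit from the Modbus application protocol spec
            raise ValueError(f"quantity {quantity} outside 1..125")
        fields.update(start_address=start, quantity=quantity)
    elif base_fc == READ_HOLDING_REGISTERS:
        if not data:
            raise ValueError("Read Holding Registers response needs a byte count")
        count = data[0]
        if count % 2 or count != len(data) - 1:   # byte count must match the bytes present
            raise ValueError(f"byte count {count} disagrees with {len(data) - 1} data bytes")
        fields["registers"] = list(struct.unpack(f"!{count // 2}H", data[1:]))
    else:
        fields["raw_data"] = data.hex()     # functions this model does not decode further
    return fields


if __name__ == "__main__":
    for adu in dissect_modbus_tcp(SAMPLE_REQUESTS, is_request=True):
        print("request ", adu)
    for adu in dissect_modbus_tcp(SAMPLE_RESPONSES, is_request=False):
        print("response", adu)
    try:
        dissect_modbus_tcp(MALFORMED, is_request=True)
    except ValueError as err:
        print("malformed:", err)
```

Two things carry over to any dissector you write for Wireshark: several ADUs can share one TCP segment (and one ADU can span several), so the loop must advance by the validated MBAP length rather than assume one message per packet; and every length-derived offset is compared with the buffer before it is dereferenced, which is exactly what Wireshark's tvbuff accessors do for you and why a dissector that bypasses them is where the bugs slide 12 mentions tend to live.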
13. For More Information…
   • Wireshark Website
     – http://www.wireshark.org
   • Wireshark Documentation
     – http://www.wireshark.org/docs/
   • Wireshark Wiki
     – http://wiki.wireshark.org
