Presented in May 2010
This presentation goes through the Wireshark network analyzer. It presents an overview of the different features that I've found useful while doing network performance analysis for ICS network protocols.
Wireshark Network Protocol Analyzer
1. Manufacturing Engineering Laboratory (MEL)
National Institute of Standards & Technology (NIST)
U.S. Department of Commerce, Technology Administration
Wireshark Network Protocol Analyzer
Jim Gilsinn
Manufacturing Engineering Laboratory (MEL)
National Institute of Standards & Technology (NIST)
Sensor Standardization & Harmonization Working Group
May 18, 2010
1
2. Overview
• Wireshark: What Is It?
• A Brief History
• What Can It Do?
• How Do I Use It?
• Demo
– Starting Screen
– Capture Screen
– Capture File Statistics
– Packet Filtering
• Summary
• Where Can I Get It?
Sensor Standardization & Harmonization Working Group
May 18, 2010
2
3. Wireshark: What Is It?
• De-facto network packet analyzer
• Open-source
– GNU General Public License
– Over 680 Contributors
• Multi-platform
– Pre-compiled installers for PC/Mac
– Source code & instructions for Unix & Linux
• Extensible
– Add-ons and extensions are relatively easy to build
4. A Brief History
• Started out in 1998 as Ethereal 0.2.0
• Became Wireshark in 2006
– Original developer changed companies
– Name remained property of previous company
– Started as Wireshark 0.99
• Currently 3 versions available
– Version 1.0.13 – Old stable release
– Version 1.2.8 – Stable release
– Version 1.3.5 – Development release
5. What Can It Do?
• Capture live network traffic
– Variety of networks (Ethernet, WiFi, Bluetooth, USB, etc.)
• Import capture files from multiple packages
– 35 different network capture file formats
• Display packets in great detail
– Over 1000 different protocol decoders have been written
• Identify bad packets
– Wireshark knows what the packets should look like
• Search and filter packets
– Over 75k different filter variables
• Track “conversations”
6. How Do I Use It?
• Protocol & data analysis
– Analyze client-server interaction, errors, network data verification
• Latency
– Client-server request-response timing
7. How Do I Use It?
• Non-web-based applications
– Jitter on repeating network packets
– Hardware-assisted packet analysis
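Added example, not part of the slides: the two measurements named on the last two slides, client-server request-response latency and jitter on repeating packets, computed offline from a tshark field export instead of in the GUI. The input format assumes the tshark column list shown in the comment; the hosts, ports and timestamps are constructed, and packets are grouped by endpoint pair the way the Conversations statistic does.

```python
from statistics import mean

# Constructed sample in the shape of:  tshark -r capture.pcap -T fields \
#   -e frame.time_epoch -e ip.src -e ip.dst -e udp.srcport -e udp.dstport
# Hosts, ports and timestamps are made up: two clients polling UDP port 502.
SAMPLE = """\
1.000000\t10.0.0.5\t10.0.0.20\t50000\t502
1.003500\t10.0.0.20\t10.0.0.5\t502\t50000
1.050000\t10.0.0.6\t10.0.0.20\t50001\t502
1.058000\t10.0.0.20\t10.0.0.6\t502\t50001
1.100000\t10.0.0.5\t10.0.0.20\t50000\t502
1.104100\t10.0.0.20\t10.0.0.5\t502\t50000
1.205000\t10.0.0.5\t10.0.0.20\t50000\t502
1.212100\t10.0.0.20\t10.0.0.5\t502\t50000
1.300000\t10.0.0.5\t10.0.0.20\t50000\t502
"""

def parse(text):
    """tshark field lines -> list of (time, src, dst, sport, dport)."""
    rows = []
    for line in text.splitlines():
        t, src, dst, sport, dport = line.split("\t")
        rows.append((float(t), src, dst, int(sport), int(dport)))
    return rows

def conversation_key(src, dst, sport, dport):
    """Direction-independent endpoint pair, as in Statistics > Conversations."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def request_response_latency(rows, server_port):
    """Pair each request to server_port with the next reply in the same
    conversation; returns (latencies in seconds, unanswered request count)."""
    pending, latencies, unanswered = {}, [], 0
    for t, src, dst, sport, dport in rows:
        key = conversation_key(src, dst, sport, dport)
        if dport == server_port:                        # client -> server
            unanswered += key in pending                # earlier request got no reply
            pending[key] = t
        elif sport == server_port and key in pending:   # server -> client
            latencies.append(t - pending.pop(key))
    return latencies, unanswered + len(pending)         # still open at end: unanswered

def jitter(rows, src):
    """Mean absolute deviation of the inter-arrival times of packets from src
    (the 'jitter on repeating packets' of cyclic traffic); 0.0 below two packets."""
    times = [r[0] for r in rows if r[1] == src]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0
    avg = mean(gaps)
    return mean(abs(g - avg) for g in gaps)
```

On the sample, `request_response_latency(parse(SAMPLE), 502)` reports four answered polls (worst 8 ms) and one request left unanswered at the end of the capture, and `jitter(rows, "10.0.0.5")` is about 3.3 ms around the client's 100 ms poll cycle.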
8. How Do I Use It?
9. Starting Screen
10. Capture Screen
11. Capture Screen: Filtered Packets
12. Capture Screen: Packet Details
13. Capture Screen: Packet Hex/ASCII
14. Capture File Statistics
15. Statistics: Summary
• Basic information about the file
• File format
• Number of packets
• Capture duration
• Average packets/second
16. Statistics: Protocol Hierarchy
• Displays protocol layering
• Shows basic statistics for each protocol layer
17. Statistics: Conversations
• Identifies and tracks individual streams of traffic
• Can track multiple protocols
18. Statistics: IO Graph
• Graphical representation of packet timing
• Helps identify causes/effects for packets
19. Packet Filtering
20. Building Packet Filters
21. Summary
• Wireshark is the de-facto standard
– Very versatile
– Extensible
• Wireshark provides insight into what’s happening on the network
– Capture and view network traffic
– Investigate network issues
– Monitor application interactions
• The only way to understand your network is to understand the packets
22. Where Can I Get It?
• Wireshark Website
– http://www.wireshark.org
• Wireshark Download
– http://www.wireshark.org/download.html
• Wireshark Documentation
– http://www.wireshark.org/docs/
• Wireshark Wiki
– http://wiki.wireshark.org/
23. Questions?
• Jim Gilsinn
– Intelligent Systems Division
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
100 Bureau Drive, Stop 8230
Gaithersburg, MD 20899-8230
– 301-975-3865
– james.gilsinn@nist.gov
– http://www.nist.gov/mel/isd