• Like
Wireshark Inroduction  Li In
Upcoming SlideShare
Loading in...5

Wireshark Inroduction Li In

Uploaded on

This is a simple introductiory Wireshark Training slideshow

This is a simple introductiory Wireshark Training slideshow

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Wireshark can display, analyze and collect packets from the network.
  • Information on LUA can be found at http://en.wikipedia.org/wiki/Lua_(programming_language) or in the WIRESHARK User manual. By default LUA is disabled and can be enabled by editing the init.lua file at the WIRESHARK global configuration directory. Changing the disable_lua from true to false will do the trick. Now when the WIRESHARK is initialized if LUA is enabled it will activate the init.lua file from the user’s directory .
  • The full list of protocols can be found
  • 1 Linux Affix Bluetooth stack only. 2 PPP non-control frames only. 3 Latest libpcap CVS required 4 On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the machine doing the capturing. 5 Windows does not have a UNIX-style loopback interface.
  • In this architecture the PC where the WIRESHARK is installed is assumed to have the multimedia software as well. That can be a softphone like eConf from France Telecom, SJPhone (An ASTERIX based softphone), IP softphone 6.x from AVAYA etc. Or the computer is a third party equipment that is sending commands or receiving information from another network element directly involved with that. That may be the case where there is a WEB interface that manages the gateway, the SIP proxy, the multimedia system etc.
  • We are assuming that we want to capture signaling and/or RTP packets from the multimedia equipment.
  • In a HUB/Shared media all packets, unicasts to other stations as well as ours, multicasts and broadcast can be observed.
  • In a switch unicast packets not directed to the entity cannot be seen.
  • Most medium priced Ethernet switches support port mirroring/copying (Spanning). When port mirroring is configured between from one switch port (source) to a to another (destination) port then packets coming to/from source will also appear on the destination- NO the reverse won’t be true!! In sophisticated networks it is even possible to see all the traffic from one port/vlan on another switch port not necessarily on the same switch. Cisco has that. By the way Cisco names copy porting as Spanning. http://wiki.wireshark.org/SwitchReference
  • As a matter of fact after choosing an interface from the background of the picture above and then stopping the capture you can get the small window for choosing the same or another interface.
  • By clicking Capture  Interfaces  Options on the Interface menu you choose the interface you want to collect packets from. There are some important fields here.
  • “ Capture Packets in promiscuous mode ” If you do not click you will only be able to see packets specifically addressed to your computer, unless another process in your computer put the mode to promiscuous mode. Display Options: Update list of packets in real time The packets will be displayed while in capture. If not ticked then all packets will be visible only after the capturing is stopped in WIRESHARK. Automatic scrolling in live capture When ticked the scrolling to the last captured packet is done automatically. Hide capture info dialog By not ticking that option you will already see some statistics when capturing. Percentage of specific protocols in capture, total captured packets etc. While capturing the packets are stored in a small buffer. It is possible to save packets while capturing, in a single file or multiple files by limiting the size of each file. When you press start capturing starts.
  • From the main WIRESHARK window choose Edit  Preferences . Some useful fields: Time format- Normally it is relative. The first packet arriving at 0.000 seconds. You can choose absolute time or one packet’s arrival can serve as a REFERENCE from which all the other packets’ arrival times are recomputed.
  • Some protocols do not have default port numbers and/or unrecognized and as such we need to tell WIRESHARK how to parse them.
  • .
  • The display above has been obtained on a previously captured file. It is ordered by source address. It is achieved by clicking on the “Source” column. Other types of ordering can also be used. I advise to play with that.
  • Compound filters are built by combining simple filters with logical operations such as “and”, “or”.
  • A simple filter example: ip.addr==
  • Examples : frame.len < 30 ip.src ne ip.addr ==
  • You do not need to know the exact syntax of the filter expression. The WIRESHARK GUI helps you on that. When you click the “Expression” button a new window as shown above opens. By clicking on the relevant protocol’s “+” sign all the available fields appear and you can easily build the filter you want. As in the classical filter typing the last thing to do would be to press “Apply” to see packets displayed according to your filter. You can filter the display in real-time while collecting and over a capture file. In real-time you might get the wrong impression that it is also capturing according to that filter. That is not true!!
  • The filter above when activated will show only the H.245 packets among all the captured packets.
  • The lines you see in the filter window are the filters defined. If we want to define a new filter for saving purposes: 1- Click new 2- Type the name of the filter- free text 3- Type the filter string 4- Click OK Now the filter is saved. Next time the filter edit/apply button is clicked the name of this filter will also appear in the filter names window. By choosing any filter and then clicking Apply will activate the filter.
  • Among the logical operators the most interesting is the string operator which can have a couple of formats: [n:m] In this syntax n is the start of the field and m is the length of the string. For example eth.src[0:3] == 00:00:83 searches packets with MAC addresses which have the first three bytes as above. [n-m] In this syntax n is the start of the field and m is the end. If we want to have a similar filter as above in this syntax we can use eth.src[0-2] ==00:00:83. This type of filtering in the example can be very useful if you need to capture packets from/to specific company product NICs. Another simple example. (ip.src == and (ip.dst==
  • When you click the capture filter icon you get a small window. If you want to configure a new capture filter click the “ New ” button. By default the name of the capture filter and the capture string is “ new ”. Change the name of the capture filter and enter a capture filter string as will be explained. If some capture filters are already defined as is the case in the picture above then simply choose one and do whatever editing you want to do. At this stage you have only saved the new filter.
  • If we click on the new1 filter the ascii text of the filter also appears. In this example we are interested in capturing packets from /to IP address
  • By choosing Statistic  VOIP  Clicking one of the streams in the new window and  Graph. At the graph clicking on any SIP messages will take the mouse to that packet.
  • The delay/jitter all relate to the sending station and not from source to destination all the way. To do that we need to buffer packets at the source and at the destination.


  • 1. WIRESHARK Basics Moshe Haviv January 2010 [email_address]
  • 2. Contents
    • What is WIRESHARK?
    • Basic Network Sniffing
    • Display filtering
    • Capture filtering
    • RTP Stream Analysis
  • 3. What is WIRESHARK?
    • WIRESHARK is a Network Packet Analyzer
    • If installed with WinPcap it can also collect packets from the network
    • If AirpCap(Not free) installed full USB based 802.11 capture and analysis is possible
    • The latest WIRESHARK version on December 2009 is 1.2.5
    • It is an Open Source Software project
  • 4. Who needs/uses WIRESHARK?
    • Any regular user who wants to know what his/her computer sends to the network and receives from it.
    • R&D Engineers to debug their protocol implementations
      • Signaling protocols
      • Applications that communicate with other network devices/applications- send/receive payloads
    • Network administrators to troubleshoot their networks
    • Network Security Engineers to discover security breaches and deficiencies
    • Technical personnel that want to learn the workings of the protocols – Signaling and media-
  • 5. Installing WIRESHARK
    • Get the latest version from the official site http:// www.wireshark.org /
    • WIRESHARK can be installed as an application or the source code can be downloaded to create a new tailored application
    • By using LUA,a lightweight scripting language new dissectors, properties can be added http:// en.wikipedia.org/wiki/Lua_(programming_language )
  • 6. Basic WIRESHARK features
    • WIRESHARK supports hundreds of protocols http:// www.wireshark.org/docs/dfref /
    • Live capture and offline analysis
    • Multiplatform support: Windows, Linux, Solaris, MAC
    • Multi-media support: Ethernet, ATM etc.
    • Rich VOIP analysis
    • Captured data browsing in GUI or in TTY mode (TSHARK)
    • R/W many different capture file formats:
    • tcpdump (libpcap), MS Network Monitor, Network General Sniffer®,
    • RADCOM WAN/LAN Analyzer and many others.
    • Output can be exported to XML, PostScript® or simple text
  • 7. Platform/Media support table
  • 8. How do we capture packets from the network? Where to connect?
    • What do we want to capture?
      • Packets entering/going out of our computer
      • Basic Architecture
      • Packets entering/going out of any network equipment connected to the network
      • Network Architecture
    • Once we know where and how to connect the computer with the WIRESHARK installed- Capturing architecture- we can start doing basic capturing
  • 9. Basic Architecture Capturing
    • In this architecture the signaling and/or media for the communication ends/starts at the WIRESHARK computer
      • Connect the NIC(s) you want to collect packets from the network
      • Start WIRESHARK
      • Choose the relevant NIC in WIRESHARK menu
      • Start Collecting packets
  • 10. Network Capturing Architecture WIRESHARK
  • 11. Network Capture Architecture- Both entities connected to a HUB – Shared Media Simply start capturing WIRESHARK Hub
  • 12. Network Capture Architecture- Multimedia entity/PC connected to a switch(1)
    • Connect WIRESHARK and Network entity to HUB
    • Connect HUB to SWITCH with an uplink
    • Start Capturing
  • 13. Network Capture Architecture- Multimedia entity/PC both connected to a switch(2)
    • Configure port mirroring (spanning) on the switch
    • Start capturing
  • 14. Basic Network packet capturing-1- When you activate the WIRESHARK you get the following view
  • 15. Basic Network packet capturing -2-
  • 16. Basic Network packet capturing -3-
  • 17. Basic Network packet capturing -4-
  • 18.
    • The GUI can be changed for
      • GUI layout
      • Columns
      • Time format
      • Coloring preferences
      • Field values for specific protocols
      • …….
    • Different profiles can be defined and saved
    WIRESHARK preferences
  • 19. Basic displayed/captured packet manipulations
    • Forcing a protocol to an unknown protocol packet
    • Marking a packet or a group of packets
    • Saving all or part of the captured packets
    • Exporting a trace
    • Printing all or part of the captured packets
  • 20.  
  • 21.  
  • 22. Display filtering
    • By arranging the display sort field/order changed
      • Sort order of time/packet number
      • Sort order per IP/MAC address of source/destination
      • Sort order per protocol
    • By marking specific packets manually
    • By configuring filters for
      • Address
      • Protocol
      • Protocol field value
      • Frame length
      • String
  • 23. Display filtering- by changing display sort order
  • 24. Display Filter configuration
    • We will configure simple filters
    • For a specific IP address
    • For a specific protocol
    • For a specific field value of a protocol
    • Compound filters
  • 25. Filter elements
    • Filter fields (protocol fields )
    • The full list can be found at http:// www.wireshark.org/docs/dfref /
    • Display field comparison operators
    • Display filters logical operators
    • They are used to build complex filters by combining simple filters
  • 26. Some basic filter field examples
    • ip.src Source IP address
    • ip.dst Destination IP address
    • ip.addr IP address (source or destination)
    • eth.dst Destination MAC address
    • udp,sip, HTTP,H225,H245…………..
    • H263.dbq, sip.Method , h323.fastStart , rtp.payload , diameter.User-Name ………
  • 27. Filter Comparison operators
    • English and C-like operators can be used (also mixed)
    • English operators
      • eq Equal
      • ne Not Equal
      • gt Greater then
      • lt Less then
      • ge Greater then or equal
      • le Less then or equal
    • C-like operators
      • ==
      • !=
      • >
      • <
      • >=
      • <=
  • 28. Some simple filter examples
    • ip.addr ==
    • ip.src !=
    • sip.Method==REGISTER
    • h263.unrestricted_motion_vector == 0
    • sip.from.addr == &quot;sip:39260722@“
    • h245.masterSlaveDetermination
  • 29. How to build filter from the GUI
    • Type your filter inside the filter toolbar
    • Click “Apply”
  • 30. How to build filter from the GUI-2-
  • 31.  
  • 32. Filter save-activate
    • Filters can be saved/edited by clicking the edit/apply filter button
    • A new window
    • opens
  • 33. Display filter logical operators
    • These are used to build compound filters from simple expressions
    • When in doubt use parenthesis before applying the operator
    • The logical operators can have English or C-like syntax
  • 34. Display filter logical operators (Contd.) and && Logical and or || Logical or xor ^^ Logical XOR not ! Logical Not […] Substring operator
  • 35. Capture filtering
    • When capturing packets they are stored in temporary files on the computer
    • We can configure WIRESHARK to capture packets directly to a single or multiple files
    • For heavy traffic network capturing or long time capturing the file/buffer sizes might overwhelm the computer or might even crash it.
    • To prevent accumulating huge file/files if we know what we are looking for we should apply capture filtering
  • 36. Capture filtering-2-
    • WIRESHARK utilizes the libpcap filter language for capture filtering
    • Details for libpcap can be found at http:// www.tcpdump.org/tcpdump_man.html
    • Any type of display filter can also be defined for capture but with a different syntax and different activation procedure
  • 37. Capture filtering – 3 -
  • 38.
    • Choose the relevant capture filter in “options”
    • Start capturing
    Capture filtering – 4 – Activating capture filter
  • 39. Capture filtering – 5 –
  • 40. Capture filtering – 6 –
  • 41. Capture filter syntax by examples
    • host
    • Capture packets from/to IP address
    • src host
    • Capture packets from IP
    • tcp port 23 and host
    • ether src 00:11:6b:80:47:96
    • tcp port 23 and not src host
    • ip multicast
  • 42. Basic Capture filter syntax
    • [src|dst] host <host>
    • ether [src|dst] host <ehost>
    • [src|dst] net <net> [{mask <mask>}|{len <len>}]
    • [tcp|udp] [src|dst] port <port>
    • less|greater <length>
  • 43. Statistics and data analysis
    • We can get graphical or written statistics real-time or from captured file
    • Statistics per protocol
    • VOIP pairs visualization
    • RTP stream analysis
  • 44. Statistics menu – Statistics  Summary
  • 45. Statistics menu – Statistics  Hierarchy Statistics
  • 46. I/O Statistics – Real-time or offline
  • 47. VOIP statistics Statistics  VOIP
  • 48. VOIP statistics Statistics  VOIP (Contd.)
  • 49.
    • WIRESHARK can identify separate RTP streams
    • RTP parameters can be retrieved
      • Total RTP packets sent
      • Delay
      • Jitter
    RTP Stream Analysis
  • 50. RTP streams – Outline Statistics  RTP  Show all Streams
  • 51. RTP streams – Outline Statistics  RTP  Show all Streams Choose one of the streams  Analyze
  • 52.  
  • 53. References and important URLs
    • http:// www.wireshark.org /
    • http://www.wireshark.org/docs/
    • http://www.winpcap.org/
    • http://wiki.wireshark.org/CaptureSetup/NetworkMedia
    • http://wiki.wireshark.org/Preferences.
    • http://www.wireshark.org/lists/wireshark-bugs/
    • http:// www.cs.columbia.edu/irt/software/rtptools /