Workshop Wireshark

Wireshark workshop with basic functions and tips for troubleshooting network problems.



  1. Wireshark Workshop
     Fabio Rosa / Systems Engineer
  2. What is it?!
       • World’s most famous network protocol analyzer
       • Powerful live capture and display filters
       • Used to be “Ethereal”
       • Deep inspection of hundreds of protocols, with more being added each day…
       • Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, VxWorks, Android, and much more
       • Opens/saves many capture formats: tcpdump (libpcap), Microsoft Network Monitor, and proprietary ones (WildPackets *peek, CA Sniffer, RADCOM, and many others)
       • The sponsor (CACE) was recently acquired by Riverbed. (Don’t want to talk about it…)
  3. Agenda:
       • Tool introduction
       • The Capture Screen
       • Performing a Simple Capture
       • Capture options (promiscuous mode, name resolution, buffer size, etc.)
       • Display Filters
       • Sample Capture - DNS and HTTP (www.ebay.com)
       • Sample Capture - ICAP
       • Annex A – Handling Duplicate Packets
       • Annex B – Useful Websites
       • Annex C – HTTP Status Codes
  4. Introduction
       • It’s a Network Analyzer! It captures network packets and displays them in as much detail as possible.
       • Custom capture: all packets destined to the Wireshark workstation. Good for sniffing traffic intended for the PC or server where Wireshark is installed.
       • Promiscuous mode: all packets on the wire. Good for sniffing communication between multiple devices (e.g. from the Proxy, sniff DNS, Client, OCS, and so on…) and for diagnosing problems. Can be captured on a mirrored port, SPAN or network TAP for full network visibility.
       • How does it work? The network interface uses the L2 address FF:FF:FF:FF:FF:FF and parses all packets on the wire, instead of dropping the packets intended for other network devices.
  5. The Capture Screen
       • Captured Packet List
       • Protocol Decode
       • HEX Decode
  6. Simple Capture
  7. Capture Options
       • Enable promiscuous mode
       • Limit packet size if you don’t want to analyze the payload (headers only)
       • Personalize display options
       • Personalize name resolution:
           MAC: vendor list (very useful)
           Network: reverse DNS resolution. Do not enable it; it can slow things down
           Transport: protocol name (very useful)
  8. Display Filters
       • Use the filter box to enter the filter expression
       • The expressions can be saved into the Filter Profile for future use.
  9. Display Filters (cont.)
       • Filter expression examples:
           Ethernet: eth.addr == / eth.src == / eth.dst == / vlan.id ==
           Internet Protocol: ip.addr == / ip.src == / ip.dst == / ip.dsfield == 0x00
           TCP: tcp.flags.syn / tcp.flags.ack / tcp.flags.fin == 0 or 1
           Application or Protocol: http, dns, icap, icmp, socks…
       • TIP: You can see the whole expression list using the “Expression” box on the toolbar
       • TIP: It’s possible to search the options using the “/” key
       • TIP: Use Boolean operators (and, or, not)
       • In case a protocol is being decoded by the wrong “dissector”, you can change it with the “Decode As…” option.
  10. Display Filters (cont. 2)
       • You can create filters based on options selected directly from the packet capture:
           Apply as Filter: the filter is applied with the selected parameter
           Prepare as Filter: the filter expression is written into the “Filter” bar at the top
           Colorize as Filter: the packets matched by the filter can be colorized with custom colors
  11. Sample Capture #1
       • Capture: open www.ebay.com in the browser
       • Open Summary (check throughput, size, packets)
       • Select “Follow TCP Stream”
       • Configure “Manually Resolve Address”
       • Configure the “Delta Time” column and check the server response time
       • Show “Statistics > Endpoints”
       • Show “Statistics > Conversations”
       • Show “Statistics > IO Graphs”
       • Extract HTTP objects from the capture: “File > Export > Objects > HTTP”
  12. Sample Capture #2
       • Open the capture with the ICAP example
       • Check origin and destination address
       • Configure “Manually Resolve Address” for Proxy, AV and DNS
       • Create a display filter for ICAP traffic only
       • Check server response time in “Delta Time”
       • Select a session and “Follow TCP Stream”
       • Open Summary (check throughput, size, packets)
       • Check server requests, responses and health-check
       • It’s also possible to retrieve HTTP objects from an ICAP connection.
  13. Annex A: Duplicate Packets
       • Duplicate packets due to network retransmission: if a sending host thinks a packet was not transmitted correctly because of packet loss, it might retransmit that packet. The receiving host might already have received the first packet and will then receive a second one, which is a duplicate. To remove these packets use the filter:
           not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission
       • Duplicate packets due to a routing or switching loop: these packets can be seen when sniffing through a mirrored port or network TAP. Use “editcap.exe” in %ProgramFiles%/Wireshark/ to remove them. Example:
           editcap -d capture.pcap dedup.pcap
  14. Annex B: Useful Websites
       • Download Wireshark! www.wireshark.org (this workshop was created using version 1.6.0)
       • Capture examples: http://wiki.wireshark.org/SampleCaptures (the SampleCaptures area of the wireshark.org wiki has a good list of capture examples)
       • http://packetlife.net/captures/ (one of the greatest IT/Telecom blogs; offers great capture examples and network posters with protocol details)
  15. Annex C - HTTP Status Codes
       • 1xx – Informational Codes
       • 2xx – Success: 200 OK
       • 3xx – Redirection: 300 Multiple Choices, 301 Moved Permanently, 302 Found, 304 Not Modified, 307 Temporary Redirect
       • 4xx – Client Error: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 410 Gone
       • 5xx – Server Error: 500 Internal Server Error, 501 Not Implemented, 503 Service Unavailable, 550 Permission denied
  16. Questions?
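As an added example (not part of the workshop slides), a small Python script that reproduces what the editcap -d step in Annex A does, on a constructed capture: it writes a pcap in memory, reads it back and drops frames that repeat within a 5-packet window, which is the window editcap -d uses. Matching frames by an MD5 of their bytes and the helper names are this example's own assumptions.

```python
import hashlib
import struct

# libpcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_pcap(frames):
    """Serialize (timestamp_us, frame_bytes) records into a pcap file image."""
    out = [PCAP_GLOBAL_HDR]
    for ts_us, frame in frames:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp_us, frame_bytes) from a little-endian microsecond pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl_len]
        off += incl_len

def dedup(data, window=5):
    """Drop a frame whose bytes equal any of the previous `window` frames
    (editcap -d uses a 5-packet window; hashing with MD5 is this example's choice)."""
    recent = []  # digests of the most recent frames, oldest first, current one last
    kept = []
    for ts_us, frame in read_pcap(data):
        digest = hashlib.md5(frame).digest()
        recent.append(digest)
        is_dup = digest in recent[:-1]   # compare against the previous frames only
        if len(recent) > window:
            recent.pop(0)
        if not is_dup:
            kept.append((ts_us, frame))
    return kept

def sample_frames():
    """Constructed sample: a mirrored port hands us each frame twice, back to back."""
    def eth(payload):  # broadcast dst, locally administered src, EtherType IPv4
        return bytes.fromhex("ffffffffffff0242ac1100020800") + payload
    a, b, c = eth(b"request-1"), eth(b"reply-1"), eth(b"request-2")
    return [(0, a), (1, a), (2, b), (3, b), (4, c), (5, c)]
```

Running `dedup(build_pcap(sample_frames()))` keeps one copy of each of the three frames; a repeat that arrives more than `window` frames after the original is kept, just as with editcap.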
