SlideShare a Scribd company logo

Wireshark lecture

B
Bhupesh Rawat

df

Internet
1 of 27
Download to read offline
Wireshark Tutorial Chris Neasbitt UGA Dept. of Computer Science
Contents ● Introduction ● What is a network trace? ● What is Wireshark? ● Basic UI ● Some of the most useful parts of the UI. ● Packet Capture ● How do we capture packets? ● Trace Analysis ● Individual Packet Analysis ● Filters ● Exercises
Introduction ● Network Traffic Trace ● A recording of the network packets both received by and transmitted from a network interface. ● What is a pcap file? ● pcap = Packet Capture ● File format originally designed for tcpdump/libpcap. ● Most widely used packet capture format.
Introduction ● What is Wireshark? ● A graphical network packet analyser. ● Found at http://www.wireshark.org ● The complete manual is located here. ● What some are it's uses? ● Troubleshoot network problems. ● Learn network protocol internals. ● Debug protocol/program implementation. ● Examine network-related security issues.
Basic UI
Basic UI ● File -> Open ● Opens a packet capture file. ● View -> Time Display Format ● Change the format of the packet timestamps in the packet list pane. ● Switch between absolute and relative timestamps. ● Change level of precision. ● View -> Name Resolution ● Allow wireshark to resolve names from addresses at different protocol layers.
Basic UI ● Capture -> Interfaces ● Available network interfaces for capture. ● Total packets per interface. ● Packet rate per interface.
Basic UI ● Capture -> Options ● Set various capture parameters. ● Promiscous mode ● On – record all packets reaching the interface. ● Off – record only those packets directed to the host.
Basic UI ● Analyze -> Follow TCP Stream ● Applies a filter to follow a single tcp conversation within the trace. ● Displays the reassembiled data section of each packet in the conversation. ● Useful for debugging or analyzing any TCP based application layer protocol. ● HTTP, FTP, SSH, LDAP, SMTP, etc.
Basic UI ● Statistics -> Protocol Hierarchy ● Presents descriptive statistics per protocol. ● Useful for determining the types, amounts, and relative proportions of protocols within a trace.
Basic UI ● Statistics -> Conversations ● Generates descriptive statistics about each conversation for each protocol in the trace.
Basic UI ● Statistics -> Flow Graph ● Generates a sequence graph for the selected traffic. ● Useful for understanding seq. and ack. calculations.
Packet Capture ● Interface selection ● Capture -> Interfaces ● Select the interface from which to capture packets. ● any – captures from all interfaces ● lo – captures from the loopback interface (i.e. from localhost) ● Set the desired capture parameters under the options menu. ● Start Capture ● Click the start button next to the desired interface. ● Captured traffic will be displayed in the packet list pane.
Packet Capture ● Stop Capture ● Select Capture -> Stop ● Saving Capture ● Once the capture has been stopped select File -> Save As. ● From the save dialog you can specify file type and which packets to save via the packet range menu.
Trace Analysis
Trace Analysis ● Packet list ● Displays all of the packets in the trace in the order they were recorded. ● Columns ● Time – the timestamp at which the packet crossed the interface. ● Source – the originating host of the packet. ● Destination – the host to which the packet was sent. ● Protocol – the highest level protocol that Wireshark can detect. ● Lenght – the lenght in bytes of the packet on the wire. ● Info – an informational message pertaining to the protocol in the protocol column.
Trace Analysis ● Packet list ● Default Coloring ● Gray – TCP packets • Black with red letters – TCP Packets with errors • Green – HTTP Packets ● Light Blue – UDP Packets ● Pale Blue – ARP Packets ● Lavender – ICMP Packets ● Black with green letters – ICMP Packets with errors ● Colorings can be changed under View -> Coloring Rules
Individual Packet Analysis
Individual Packet Analysis ● Packet Details ● Detailed information about the currently selected packet is displayed in the packet details pane. ● All packet layers are displayed in the tree menu. ● Any portion of any layer can be exported via a right click and selecting Export Selected Packet Bytes ● Packet Bytes ● Displays the raw packet bytes. ● The selected packet layer is highlighted.
Filters ● Filters ● Packets captures usually contain many packets irrelevant to the specific analysis task. ● To remove these packets from display or from the capture Wireshark provides the ability to create filters. ● Filters are evaluted against each individual packet. ● Boolean expresions dealing with packet properties. ● Supports regular expressions. ● Can either be manually constructed, composed via the Expressions menu or composed based on a selected packet's properties.
Filters ● Expressions Menu ● Field name – selects the packet property. ● Relation – selects the boolean test. ● Predefined values – common values against which the selected packet property is tested. ● Value – Arbitrary Textual or Numeric value against which the selected packet property is tested.
Filters ● Compound Filters ● Filters can be composed of multiple tests joined with boolean connectives. ● && - logical conjuction (i.e. AND) ● || - logical disjunction (i.e OR) ● ! - logical negation (i.e. NOT) ● Supports the order of operations. ● Regular Expressions ● Fields can be evaluated against a regular expression using the “matches” test. ● Uses Perl regex syntax.
Filters ● Filter Text Box ● Green – valid filter ● Red – invalid filter ● Yellow – may produce unexpected results ● Packet based filters ● Filters can be constructed on the basis of individual packets by right clicking on a packet and selecting either: ● Prepare as filter – creates a filter. ● Apply as filter – creates a filter and applies it to the trace. ● Follow TCP Stream – creates a filter from a TCP packet's stream number and applies it to the trace.
Filters ● Filter examples ● http.request – Display all HTTP requests. ● http.request || http.response – Display all HTTP request and responses. ● ip.addr == 127.0.0.1 – Display all IP packets whose source or destination is localhost. ● tcp.len < 100 – Display all TCP packets whose data length is less than 100 bytes. ● http.request.uri matches “(gif)$” - Display all HTTP requests in which the uri ends with “gif”. ● dns.query.name == “www.google.com” - Display all DNS queries for “www.google.com”.
Questions Any Questions? Thank you for your attention!
Exercises ● Work in groups of 2. ● Download the trace at http://cs.uga.edu/~neasbitt/files/user1_tcpdump.pcap ● Answer the following questions on a sheet of paper. ● What is the total number of HTTP Post requests in the trace? ● What is the status code for the last HTTP response in TCP stream 17? ● What is the total size in bytes for all packets containing JavaScript Object Notation (JSON) data? ● Between which two IP address where the most IP packets sent? ● What is pictured in the image bostonmusic-promo.jpg?
Exercises ● Work in groups of 2. ● Download the trace at http://cs.uga.edu/~neasbitt/files/user1_tcpdump.pcap ● Answer the following questions on a sheet of paper. ● What is the total number of HTTP Post requests in the trace? ● What is the status code for the last HTTP response in TCP stream 17? ● What is the total size in bytes for all packets containing JavaScript Object Notation (JSON) data? ● Between which two IP address where the most IP packets sent? ● What is pictured in the image bostonmusic-promo.jpg? Question Answers 1. 8 2. 302 3. 2253 4. 10.0.2.15 – 123.125.114.18 5. A stereo system.

Recommended

Blocks, procs && lambdas
Blocks, procs && lambdasBlocks, procs && lambdas
Blocks, procs && lambdas
Vidmantas Kabošis
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
Alexandre Moneger
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systems
Vsevolod Stakhov
 
Live Streaming with Receiver-based Peer-division Multiplexing
Live Streaming with Receiver-based Peer-division Multiplexing Live Streaming with Receiver-based Peer-division Multiplexing
Live Streaming with Receiver-based Peer-division Multiplexing
Vamsi IV
 
Scorex, the Modular Blockchain Framework
Scorex, the Modular Blockchain FrameworkScorex, the Modular Blockchain Framework
Scorex, the Modular Blockchain Framework
Alex Chepurnoy
 
Computer network (7)
Computer network (7)Computer network (7)
Computer network (7)
NYversity
 

Recommended

Blocks, procs && lambdas
Blocks, procs && lambdasBlocks, procs && lambdas
Blocks, procs && lambdas
Vidmantas Kabošis
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
Alexandre Moneger
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systems
Vsevolod Stakhov
 
Live Streaming with Receiver-based Peer-division Multiplexing
Live Streaming with Receiver-based Peer-division Multiplexing Live Streaming with Receiver-based Peer-division Multiplexing
Live Streaming with Receiver-based Peer-division Multiplexing
Vamsi IV
 
Scorex, the Modular Blockchain Framework
Scorex, the Modular Blockchain FrameworkScorex, the Modular Blockchain Framework
Scorex, the Modular Blockchain Framework
Alex Chepurnoy
 
Computer network (7)
Computer network (7)Computer network (7)
Computer network (7)
NYversity
 
rspamd-fosdem
rspamd-fosdemrspamd-fosdem
rspamd-fosdem
Vsevolod Stakhov
 
Writing an Ostinato Protocol Builder [FOSDEM 2021]
Writing an Ostinato Protocol Builder [FOSDEM 2021]Writing an Ostinato Protocol Builder [FOSDEM 2021]
Writing an Ostinato Protocol Builder [FOSDEM 2021]
pstavirs
 
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCDiagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Mushfekur Rahman
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
Alexandre Moneger
 
Blockchain For Developers
Blockchain For DevelopersBlockchain For Developers
Blockchain For Developers
Alex Chepurnoy
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
yaevents
 
rspamd-slides
rspamd-slidesrspamd-slides
rspamd-slides
Vsevolod Stakhov
 
Skydive 31 janv. 2016
Skydive 31 janv. 2016Skydive 31 janv. 2016
Skydive 31 janv. 2016
Sylvain Afchain
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
Alexandre Moneger
 
Intro to GO (Bangkok Launchpad 2014)
Intro to GO (Bangkok Launchpad 2014)Intro to GO (Bangkok Launchpad 2014)
Intro to GO (Bangkok Launchpad 2014)
Matthew Campbell
 
Skydive 5/07/2016
Skydive 5/07/2016Skydive 5/07/2016
Skydive 5/07/2016
Sylvain Afchain
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integration
Sylvain Afchain
 
rspamd-hyperscan
rspamd-hyperscanrspamd-hyperscan
rspamd-hyperscan
Vsevolod Stakhov
 
ZeroMQ with NodeJS
ZeroMQ with NodeJSZeroMQ with NodeJS
ZeroMQ with NodeJS
Fernando Sanabria
 
Socket Programming using Java
Socket Programming using JavaSocket Programming using Java
Socket Programming using Java
Rahul Hada
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
Sam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
Sam Bowne
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
Sam Bowne
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-on
QaisSaifQassim
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoring
Radu Galbenu
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.ppt
Senthil Vit
 

More Related Content

What's hot

Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
yaevents
 
Socket Programming using Java
Socket Programming using JavaSocket Programming using Java
Socket Programming using Java
Rahul Hada
 

What's hot (19)

rspamd-fosdem
rspamd-fosdemrspamd-fosdem
rspamd-fosdem
 
Writing an Ostinato Protocol Builder [FOSDEM 2021]
Writing an Ostinato Protocol Builder [FOSDEM 2021]Writing an Ostinato Protocol Builder [FOSDEM 2021]
Writing an Ostinato Protocol Builder [FOSDEM 2021]
 
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCDiagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
Blockchain For Developers
Blockchain For DevelopersBlockchain For Developers
Blockchain For Developers
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
 
rspamd-slides
rspamd-slidesrspamd-slides
rspamd-slides
 
Skydive 31 janv. 2016
Skydive 31 janv. 2016Skydive 31 janv. 2016
Skydive 31 janv. 2016
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Intro to GO (Bangkok Launchpad 2014)
Intro to GO (Bangkok Launchpad 2014)Intro to GO (Bangkok Launchpad 2014)
Intro to GO (Bangkok Launchpad 2014)
 
Skydive 5/07/2016
Skydive 5/07/2016Skydive 5/07/2016
Skydive 5/07/2016
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integration
 
rspamd-hyperscan
rspamd-hyperscanrspamd-hyperscan
rspamd-hyperscan
 
ZeroMQ with NodeJS
ZeroMQ with NodeJSZeroMQ with NodeJS
ZeroMQ with NodeJS
 
Socket Programming using Java
Socket Programming using JavaSocket Programming using Java
Socket Programming using Java
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
 

Similar to Wireshark lecture

Aceleracion TCP Mikrotik.pdf
Aceleracion TCP Mikrotik.pdfAceleracion TCP Mikrotik.pdf
Aceleracion TCP Mikrotik.pdf
WifiCren
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
PLNOG 5: Elżbieta Jasińska - Plot Your Network
PLNOG 5: Elżbieta Jasińska - Plot Your Network PLNOG 5: Elżbieta Jasińska - Plot Your Network
PLNOG 5: Elżbieta Jasińska - Plot Your Network
PROIDEA
 

Similar to Wireshark lecture (20)

Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-on
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoring
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.ppt
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.ppt
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.ppt
 
Aceleracion TCP Mikrotik.pdf
Aceleracion TCP Mikrotik.pdfAceleracion TCP Mikrotik.pdf
Aceleracion TCP Mikrotik.pdf
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Dpdk accelerated Ostinato
Dpdk accelerated OstinatoDpdk accelerated Ostinato
Dpdk accelerated Ostinato
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
 
NS3 Overview
NS3 OverviewNS3 Overview
NS3 Overview
 
Queue Type on Mikrotik
Queue Type on MikrotikQueue Type on Mikrotik
Queue Type on Mikrotik
 
Wireshark Packet Analyzer.pptx
Wireshark Packet Analyzer.pptxWireshark Packet Analyzer.pptx
Wireshark Packet Analyzer.pptx
 
Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li In
 
Javaiostream
JavaiostreamJavaiostream
Javaiostream
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewall
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
 
Feature Selection Strategies for HTTP Botnet Traffic Detection
Feature Selection Strategies for HTTP Botnet Traffic DetectionFeature Selection Strategies for HTTP Botnet Traffic Detection
Feature Selection Strategies for HTTP Botnet Traffic Detection
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
PLNOG 5: Elżbieta Jasińska - Plot Your Network
PLNOG 5: Elżbieta Jasińska - Plot Your Network PLNOG 5: Elżbieta Jasińska - Plot Your Network
PLNOG 5: Elżbieta Jasińska - Plot Your Network
 

Recently uploaded

一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
A
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
AS
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
Fi
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
A
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
hfkmxufye
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
B
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
AS
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
A
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
AS
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
AS
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
musaddumba454
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
A
 

Recently uploaded (20)

一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
 
I’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 ShirtI’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 Shirt
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
 
GOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdfGOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdf
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 

Wireshark lecture

  • 1. Wireshark Tutorial Chris Neasbitt UGA Dept. of Computer Science
  • 2. Contents ● Introduction ● What is a network trace? ● What is Wireshark? ● Basic UI ● Some of the most useful parts of the UI. ● Packet Capture ● How do we capture packets? ● Trace Analysis ● Individual Packet Analysis ● Filters ● Exercises
  • 3. Introduction ● Network Traffic Trace ● A recording of the network packets both received by and transmitted from a network interface. ● What is a pcap file? ● pcap = Packet Capture ● File format originally designed for tcpdump/libpcap. ● Most widely used packet capture format.
  • 4. Introduction ● What is Wireshark? ● A graphical network packet analyser. ● Found at http://www.wireshark.org ● The complete manual is located here. ● What some are it's uses? ● Troubleshoot network problems. ● Learn network protocol internals. ● Debug protocol/program implementation. ● Examine network-related security issues.
  • 6. Basic UI ● File -> Open ● Opens a packet capture file. ● View -> Time Display Format ● Change the format of the packet timestamps in the packet list pane. ● Switch between absolute and relative timestamps. ● Change level of precision. ● View -> Name Resolution ● Allow wireshark to resolve names from addresses at different protocol layers.
  • 7. Basic UI ● Capture -> Interfaces ● Available network interfaces for capture. ● Total packets per interface. ● Packet rate per interface.
  • 8. Basic UI ● Capture -> Options ● Set various capture parameters. ● Promiscous mode ● On – record all packets reaching the interface. ● Off – record only those packets directed to the host.
  • 9. Basic UI ● Analyze -> Follow TCP Stream ● Applies a filter to follow a single tcp conversation within the trace. ● Displays the reassembiled data section of each packet in the conversation. ● Useful for debugging or analyzing any TCP based application layer protocol. ● HTTP, FTP, SSH, LDAP, SMTP, etc.
  • 10. Basic UI ● Statistics -> Protocol Hierarchy ● Presents descriptive statistics per protocol. ● Useful for determining the types, amounts, and relative proportions of protocols within a trace.
  • 11. Basic UI ● Statistics -> Conversations ● Generates descriptive statistics about each conversation for each protocol in the trace.
  • 12. Basic UI ● Statistics -> Flow Graph ● Generates a sequence graph for the selected traffic. ● Useful for understanding seq. and ack. calculations.
  • 13. Packet Capture ● Interface selection ● Capture -> Interfaces ● Select the interface from which to capture packets. ● any – captures from all interfaces ● lo – captures from the loopback interface (i.e. from localhost) ● Set the desired capture parameters under the options menu. ● Start Capture ● Click the start button next to the desired interface. ● Captured traffic will be displayed in the packet list pane.
  • 14. Packet Capture ● Stop Capture ● Select Capture -> Stop ● Saving Capture ● Once the capture has been stopped select File -> Save As. ● From the save dialog you can specify file type and which packets to save via the packet range menu.
  • 16. Trace Analysis ● Packet list ● Displays all of the packets in the trace in the order they were recorded. ● Columns ● Time – the timestamp at which the packet crossed the interface. ● Source – the originating host of the packet. ● Destination – the host to which the packet was sent. ● Protocol – the highest level protocol that Wireshark can detect. ● Lenght – the lenght in bytes of the packet on the wire. ● Info – an informational message pertaining to the protocol in the protocol column.
  • 17. Trace Analysis ● Packet list ● Default Coloring ● Gray – TCP packets • Black with red letters – TCP Packets with errors • Green – HTTP Packets ● Light Blue – UDP Packets ● Pale Blue – ARP Packets ● Lavender – ICMP Packets ● Black with green letters – ICMP Packets with errors ● Colorings can be changed under View -> Coloring Rules
  • 19. Individual Packet Analysis ● Packet Details ● Detailed information about the currently selected packet is displayed in the packet details pane. ● All packet layers are displayed in the tree menu. ● Any portion of any layer can be exported via a right click and selecting Export Selected Packet Bytes ● Packet Bytes ● Displays the raw packet bytes. ● The selected packet layer is highlighted.
  • 20. Filters ● Filters ● Packets captures usually contain many packets irrelevant to the specific analysis task. ● To remove these packets from display or from the capture Wireshark provides the ability to create filters. ● Filters are evaluted against each individual packet. ● Boolean expresions dealing with packet properties. ● Supports regular expressions. ● Can either be manually constructed, composed via the Expressions menu or composed based on a selected packet's properties.
  • 21. Filters ● Expressions Menu ● Field name – selects the packet property. ● Relation – selects the boolean test. ● Predefined values – common values against which the selected packet property is tested. ● Value – Arbitrary Textual or Numeric value against which the selected packet property is tested.
  • 22. Filters ● Compound Filters ● Filters can be composed of multiple tests joined with boolean connectives. ● && - logical conjuction (i.e. AND) ● || - logical disjunction (i.e OR) ● ! - logical negation (i.e. NOT) ● Supports the order of operations. ● Regular Expressions ● Fields can be evaluated against a regular expression using the “matches” test. ● Uses Perl regex syntax.
  • 23. Filters ● Filter Text Box ● Green – valid filter ● Red – invalid filter ● Yellow – may produce unexpected results ● Packet based filters ● Filters can be constructed on the basis of individual packets by right clicking on a packet and selecting either: ● Prepare as filter – creates a filter. ● Apply as filter – creates a filter and applies it to the trace. ● Follow TCP Stream – creates a filter from a TCP packet's stream number and applies it to the trace.
  • 24. Filters ● Filter examples ● http.request – Display all HTTP requests. ● http.request || http.response – Display all HTTP request and responses. ● ip.addr == 127.0.0.1 – Display all IP packets whose source or destination is localhost. ● tcp.len < 100 – Display all TCP packets whose data length is less than 100 bytes. ● http.request.uri matches “(gif)$” - Display all HTTP requests in which the uri ends with “gif”. ● dns.query.name == “www.google.com” - Display all DNS queries for “www.google.com”.
  • 25. Questions Any Questions? Thank you for your attention!
  • 26. Exercises ● Work in groups of 2. ● Download the trace at http://cs.uga.edu/~neasbitt/files/user1_tcpdump.pcap ● Answer the following questions on a sheet of paper. ● What is the total number of HTTP Post requests in the trace? ● What is the status code for the last HTTP response in TCP stream 17? ● What is the total size in bytes for all packets containing JavaScript Object Notation (JSON) data? ● Between which two IP address where the most IP packets sent? ● What is pictured in the image bostonmusic-promo.jpg?
  • 27. Exercises ● Work in groups of 2. ● Download the trace at http://cs.uga.edu/~neasbitt/files/user1_tcpdump.pcap ● Answer the following questions on a sheet of paper. ● What is the total number of HTTP Post requests in the trace? ● What is the status code for the last HTTP response in TCP stream 17? ● What is the total size in bytes for all packets containing JavaScript Object Notation (JSON) data? ● Between which two IP address where the most IP packets sent? ● What is pictured in the image bostonmusic-promo.jpg? Question Answers 1. 8 2. 302 3. 2253 4. 10.0.2.15 – 123.125.114.18 5. A stereo system.