
Wireshark


  1. An Introduction to Protocol Analysis
  2. INTRODUCTIONS
  3. Gerald Combs: Author, Founder, Developer, Community Leader
  4. CACE Technologies: where Gerald works (for now)
     • Home of AirPcap (for wireless captures of 802.11 frames)
     • TurboCap
     • Wireshark Appliances
     • Pilot reporting software
  5. PILOT
  6. Laura Chappell: where to begin
     • Is an independent
     • Runs Wireshark University and Chappell University
     • Heads up Wireshark Certification
  7. Wireshark University Training Materials: Videos, Captures, Books, CD/DVD
  8. Other Tools
     • TShark (included with Wireshark)
     • TCPDump (native to *nix)
     • Netmonitor (Windows version)
     • Capsa
     • Snoop (Sun Microsystems)
     • Cain
     • Windump
     • Ettercap
     • Dsniff
     • Ngrep
  9. OVERVIEW
  10. Purpose: Troubleshooting
     • Slow Networks
     • Application Problems
     • DNS Issues
     • Web Servers
     • DHCP Issues
  11. Review of OSI
     • Layer 7 Application (Net Process to App)
     • Layer 6 Presentation (Data Rep. & Encrypt)
     • Layer 5 Session (Interhost Comm)
     • Layer 4 Transport (Delivery Protocol)
     • Layer 3 Network (Logical Addressing)
     • Layer 2 Data Link (Physical Addressing): MAC, LLC
     • Layer 1 Physical (Media, Signal & Bin)
  12. Review of OSI: Layer 8, Politics & Money
  13. Review of Ethernet
  14. Ethernet Frame Structure
  15. Review of IP
  16. IP Packet Structure
  17. Review of TCP
  18. TCP Segment Structure
  19. Review of TCP/IP
     • TCP: Layer 4 Transport Protocol; flags RES/NONCE/CWR/ECHO/URG/ACK/PSH/RST/SYN/FIN; connection oriented
     • IP: Layer 3 Logical Addressing (10.1.0.22/24)
     • UDP: Layer 4 Transport Protocol; connectionless
  20. TCP Flags
     • Special flags (first one reserved): NS = Nonce Sum, CWR = Congestion Window Reduced, ECE = ECN-Echo
     • URG = Urgent
     • ACK = Acknowledgement
     • PSH = Push
     • RST = Reset
     • SYN = Synchronize
     • FIN = Finish
  21. See Appendix A
  22. Basic Network Applications
     • FTP - TCP, Ports 20 & 21
     • Telnet - TCP, Port 23
     • SMTP - TCP, Port 25
     • DNS - UDP, Port 53
     • HTTP - TCP, Port 80
     • SIP - TCP/UDP, Port 5060
     • SQL - TCP, Port 1433
     • RDP - TCP, Port 3389
     • PPTP - TCP, Ports 1723 & 1725
     • Syslog - UDP, Port 514
  23. TCP HANDSHAKE
  24. DATA TRANSFER
  25. SESSION CLOSURE
  26. LAB/BREAK
  27. A Guided Tour
  28. Profiles
  29. Preferences
  30. DIRECTORY STRUCTURE
  31. Personal Settings: C:\Users\<username>\AppData\Roaming\Wireshark\profiles
     • Profiles
     • cfilters
     • preferences
  32. System Settings: C:\Program Files\Wireshark
     • Dfilters: display filters
     • Dumpcap: capture program
     • Editcap: edit .pcap files
     • Mergecap: merge .pcap files
     • Rawshark: capture in "raw" format
     • Text2pcap: conversion tool
     • Tshark: CLI version of Wireshark
     • Colorfilters (don't touch!)
  33. Ring Buffers
     • What are they, where are they stored, why are they useful
     • Configuring: single/multiple, what size, how often, how many, stopping
  34. Selecting an Interface: via Preferences or manually
  35. Saving Files: Where? How big? How many? What format? Speed to disk
  36. Placement
     • Hubbing Out -> easy but loss of data
     • Port Spanning -> good on a less busy net
     • In-Line Taps -> best but pricey
  37. CAPTURES: Get as close as possible!
  38. Captures: where to store them, how much space they take up, how to store them
  39. Display Filters: Not my MAC
  40. Capture Filters: Not my MAC
  41. Colorizing: built-in scheme, change on the fly
  42. LAB 1
  43. LAB 2
  44. LAB 3
  45. LAB 4
  46. LAB 5
  47. Statistics and Reporting
  48. Statistics and Advanced Statistics
     • Conversations and conversation lists
     • Endpoints: IP Addresses, IP Endpoints, IP Protocol Types
     • UDP Multicast Streams
     • WLAN Traffic
  49. RESOURCES
     • www.wireshark.org
     • www.cacetech.com
     • www.chappellseminars.com
     • www.wiresharkuniversity.com
     • Wireshark Certification Guide
     • Wireshark Certification Exam Prep Guide
  50. STAY SECURE!
