Network Packet Analysis with Wireshark

Presented @ ISA Safety & Security Symposium 2012
Anaheim, CA, April 2012

Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It's not just for IT-based protocols either. Many industrial protocols have created packet decoders for Wireshark. This tutorial will provide the user with:
* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some more advanced features available in Wireshark


Slide 1: Network Packet Analysis with Wireshark
Jim Gilsinn
National Institute of Standards & Technology, Engineering Laboratory
Standards, Certification, Education & Training, Publishing, Conferences & Exhibits
Slide 2: Jim Gilsinn - Bio
• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
  – Co-Chair and General Editor, ISA99 Committee
  – Co-Chair, ISA99 WG2, Security Program
  – Co-Chair, ISA99 WG7, Safety & Security
• Factory Equipment Network Testing Framework
  – Co-Investigator & Main Developer, FENT software
  – Extension of previous IENetP project
• Education
  – MSEE in Controls from Johns Hopkins University
  – BSEE in Controls from Drexel University
Slide 3: What is Wireshark?
• The De Facto Network Protocol Analyzer
  – Open-Source (GNU Public License)
  – Multi-platform
  – Easily extensible
  – Large development group
• Allows Users to…
  – Capture network traffic
  – Interactively browse that traffic
  – Decode packet protocols using dissectors
• Previously Named “Ethereal”
Slide 4: What is Wireshark?
• Development Version (as of last night @ 11:30pm)
  – 1,300+ Protocols
  – 112,600+ Protocol Header Fields
• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
  – BACnet
  – EtherNet/IP & CIP, CIP Safety, CIP Motion
  – DNP 3.0
  – EtherCAT
  – Foundation Fieldbus
  – IEC 61850 & GOOSE
  – Modbus & Modbus/TCP
  – openSAFETY
  – Profinet
  – SERCOS III
  – TTEthernet
  – Zigbee
Slide 5: Network Layering
• Network Protocols Generally Have Some Header
  – Who sent the information
  – Who needs the information
  – Information about the payload
  – Other protocol specific information
• Headers Can Be Significant Part of Packet
  – Ethernet/IP/UDP – Minimum 42 Bytes of Header (65%)
  – Minimum 64 Bytes Ethernet packet
  – Many industrial Ethernet protocols only transmit a few bytes of data in real-time
[Figure: protocol layering. Ethernet Header (14 Bytes) carries the Ethernet Payload; inside it, IP Header (20 Bytes) carries the IP Payload; inside that, UDP/TCP Header (8/20+ Bytes) carries the TCP Payload; inside that, Protocol Header (?? Bytes) followed by Data.]
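The layering and header-overhead arithmetic on this slide, as an added example that is not part of the original presentation: the script builds a constructed Ethernet II / IPv4 / UDP frame around a two-byte payload, peels the layers off with a length check at every step, and reports how much of the 64-byte minimum frame is header. The MAC addresses, IP addresses and port 2222 are sample values, and the checksums are left at zero because nothing here validates them.

```python
"""Dissect a constructed Ethernet II / IPv4 / UDP frame and measure header overhead.

Added example, not from the slides. Header sizes match slide 5:
14 (Ethernet) + 20 (IPv4) + 8 (UDP) = 42 bytes of header, and a frame
shorter than 64 bytes is padded to 64 on the wire.
"""
import struct

ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20
UDP_HDR_LEN = 8
MIN_ETHERNET_FRAME = 64      # minimum frame size quoted on the slide
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def build_sample_frame(payload: bytes) -> bytes:
    """Wrap `payload` in constructed Ethernet/IPv4/UDP headers.

    MAC/IP addresses and port 2222 are sample values; checksums are left
    zero because this example never validates them.
    """
    eth = (bytes.fromhex("001122334455")            # destination MAC (constructed)
           + bytes.fromhex("66778899aabb")          # source MAC (constructed)
           + struct.pack("!H", ETHERTYPE_IPV4))
    udp_len = UDP_HDR_LEN + len(payload)
    # ver/IHL, DSCP/ECN, total length, ID, flags/frag offset, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + udp_len,
                     0x1234, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    udp = struct.pack("!HHHH", 2222, 2222, udp_len, 0)   # src port, dst port, length, checksum
    return eth + ip + udp + payload


def dissect(frame: bytes) -> dict:
    """Peel the layers off `frame`, checking each length before indexing into it."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"ethernet": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                           "type": ethertype, "hdr_len": ETH_HDR_LEN}}
    offset = ETH_HDR_LEN
    if ethertype != ETHERTYPE_IPV4:
        return {"layers": layers, "data_len": len(frame) - offset}

    if len(frame) < offset + IPV4_MIN_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[offset] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
    proto = frame[offset + 9]
    ip_end = offset + total_len          # bytes after this are Ethernet padding
    if ihl < IPV4_MIN_HDR_LEN or total_len < ihl or ip_end > len(frame):
        raise ValueError("inconsistent IPv4 lengths")
    layers["ipv4"] = {"src": ".".join(map(str, frame[offset + 12:offset + 16])),
                      "dst": ".".join(map(str, frame[offset + 16:offset + 20])),
                      "proto": proto, "hdr_len": ihl}
    offset += ihl
    if proto != IPPROTO_UDP:
        return {"layers": layers, "data_len": ip_end - offset}

    if ip_end < offset + UDP_HDR_LEN:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[offset:offset + UDP_HDR_LEN])
    if udp_len < UDP_HDR_LEN or offset + udp_len > ip_end:
        raise ValueError("UDP length does not fit inside the IP payload")
    layers["udp"] = {"sport": sport, "dport": dport, "hdr_len": UDP_HDR_LEN}
    offset += UDP_HDR_LEN
    data = frame[offset:offset + udp_len - UDP_HDR_LEN]
    return {"layers": layers, "data_len": len(data), "data": data}


def header_overhead(frame: bytes) -> dict:
    """Header bytes versus bytes actually occupied on the wire."""
    info = dissect(frame)
    header_bytes = sum(layer["hdr_len"] for layer in info["layers"].values())
    wire_bytes = max(len(frame), MIN_ETHERNET_FRAME)      # short frames are padded
    return {"header_bytes": header_bytes, "data_bytes": info["data_len"],
            "wire_bytes": wire_bytes,
            "overhead_pct": round(100.0 * header_bytes / wire_bytes, 1)}


if __name__ == "__main__":
    sample = build_sample_frame(b"\x01\x02")     # a two-byte real-time payload
    for name, layer in dissect(sample)["layers"].items():
        print(f"{name:9s} {layer}")
    print(header_overhead(sample))
```

With a two-byte payload the frame is 44 bytes long, is padded to 64 on the wire, and 42 of those 64 bytes are header, which is the 65% figure on the slide. The length checks in `dissect` are the part worth copying: every offset is validated against the enclosing layer's length before it is used, so a truncated or inconsistent frame produces a clear error rather than a mis-decode.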
Slide 6: Wireshark Welcome Screen
Slide 7: Wireshark Packet Analysis Window
Slide 8: Wireshark Packet Analysis Demo
• Packet Decoder Window
• Layering
• Bytes on Wire
• Protocol Filters
  – Capture Filters
  – Display Filters
Slide 9: Wireshark Capture & Exporting Demo
• Capturing Live Traffic
• Saving Packet Capture Files
• Exporting Packet Capture Files
• Marking Sections of Captures
Slide 10: Advanced Features of Wireshark GUI
• Statistics
  – Conversations
  – Endpoints
  – IO Graphs
  – Flow Graphs
• Firewall ACL Rules
Slide 11: Using & Interfacing With Wireshark
• Wireshark Strictly Uses GNU Public License
  – Any derived work with Wireshark code SHALL be open-source
• You Can Use Wireshark Hands-Off, Though
  – Network Socket Interface
  – Tshark.exe
• Network Socket Interface
  – Rudimentary control
• Tshark.exe
  – Most features available through command-line interface
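The hands-off use of tshark from slide 11, combined with the Conversations statistic from slide 10, as an added example that is not part of the original presentation: a small Python driver builds a non-interactive `tshark -T fields` command line, parses its tab-separated output, and counts packets per IP pair in both directions, which is what the Statistics > Conversations window shows. It assumes a `tshark` binary on PATH only for the live run; `capture.pcapng` is a placeholder path, and `SAMPLE_OUTPUT` is a constructed copy of tshark's output used to exercise the parsing offline.

```python
"""Drive tshark hands-off and summarize its output into Wireshark-style conversations.

Added example, not from the slides. It assumes a tshark binary on PATH for the
live run; the parsing and conversation counting are exercised on SAMPLE_OUTPUT,
a constructed copy of what `tshark -T fields -E header=y` prints.
"""
import csv
import io
import shutil
import subprocess
from collections import Counter
from typing import Dict, List, Optional, Tuple

DEFAULT_FIELDS = ["frame.number", "ip.src", "ip.dst", "udp.dstport"]


def build_tshark_argv(pcap_path: str, fields: List[str],
                      display_filter: Optional[str] = None) -> List[str]:
    """Argument list for a non-interactive field extraction from a capture file."""
    argv = ["tshark", "-r", pcap_path, "-T", "fields",
            "-E", "header=y", "-E", "separator=/t"]   # /t is tshark's spelling for a tab
    if display_filter:
        argv += ["-Y", display_filter]                  # display filter, same syntax as the GUI
    for field in fields:
        argv += ["-e", field]
    return argv


def parse_fields_output(text: str) -> List[Dict[str, str]]:
    """Turn the tab-separated, header-first output into one dict per packet."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def conversations(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count packets per IP pair regardless of direction, like Statistics > Conversations."""
    counts: Counter = Counter()
    for row in rows:
        src, dst = row.get("ip.src", ""), row.get("ip.dst", "")
        if src and dst:                     # non-IP frames have empty ip.* fields
            counts[tuple(sorted((src, dst)))] += 1
    return dict(counts)


def run_tshark(pcap_path: str, fields: List[str] = DEFAULT_FIELDS,
               display_filter: Optional[str] = None) -> List[Dict[str, str]]:
    """Run tshark on `pcap_path`; raises if tshark is not installed."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(build_tshark_argv(pcap_path, fields, display_filter),
                          capture_output=True, text=True, check=True)
    return parse_fields_output(proc.stdout)


# Constructed sample of tshark output: two hosts exchanging packets, one packet
# to a third host, and one non-IP frame (tshark prints empty fields for it).
SAMPLE_OUTPUT = (
    "frame.number\tip.src\tip.dst\tudp.dstport\n"
    "1\t192.168.1.10\t192.168.1.20\t2222\n"
    "2\t192.168.1.20\t192.168.1.10\t2222\n"
    "3\t192.168.1.10\t192.168.1.30\t44818\n"
    "4\t\t\t\n"
)

if __name__ == "__main__":
    print(" ".join(build_tshark_argv("capture.pcapng", DEFAULT_FIELDS, "udp.port == 2222")))
    rows = parse_fields_output(SAMPLE_OUTPUT)
    print(conversations(rows))
```

The same argument list works for live capture by replacing `-r file` with `-i interface` and optionally `-c count`; the parsing and aggregation do not change, which is the point of driving tshark from a script rather than the GUI.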
Slide 12: Developing Your Own Protocol Dissectors
• Not Every Protocol Exists in Wireshark
  – When you need a protocol that doesn’t exist, you can relatively easily build your own dissector
• Not Every Protocol Dissector Has Full Coverage
  – Open-source software allows anyone to modify the code
  – Protocols generally change over time
  – The original dissector developer may not exist any longer
• Bugs Can Exist in Dissectors
  – Code almost always has bugs
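The two points on this slide, writing your own dissector and the bugs that creep into dissectors, as an added example that is not part of the original presentation and is not a Wireshark dissector: a hypothetical TLV protocol (magic 0xDEAD, version byte, record count, then type/length/value records, all constructed for this example) is dissected twice. The first version trusts the count and length fields the way a first draft often does; the second bounds-checks every field and reports a malformed packet instead of truncating a value silently or crashing.

```python
"""A minimal dissector for a hypothetical TLV protocol carried in a UDP payload,
shown twice: once trusting its length fields, once checking them.

Added example, not from the slides and not a Wireshark dissector. The protocol
(magic 0xDEAD, version 1, record count, then type/length/value records) is
constructed for this example.
"""
from typing import Dict, List, Tuple

MAGIC = b"\xde\xad"
VERSION = 1
HDR_LEN = 4                   # magic(2) + version(1) + record count(1)

Record = Tuple[int, bytes]


def dissect_naive(payload: bytes) -> List[Record]:
    """Trusts the count and every length field, as a first-draft dissector might.

    An over-long length silently yields a truncated value, and a count larger
    than the number of records present raises IndexError.
    """
    records = []
    pos = HDR_LEN
    for _ in range(payload[3]):
        rtype, rlen = payload[pos], payload[pos + 1]
        records.append((rtype, payload[pos + 2:pos + 2 + rlen]))
        pos += 2 + rlen
    return records


def dissect_checked(payload: bytes) -> Dict[str, object]:
    """Validates the header and bounds-checks every record before reading it.

    Returns what was successfully parsed plus an error string, so a malformed
    packet is reported rather than crashing or mis-decoding.
    """
    records: List[Record] = []
    result: Dict[str, object] = {"ok": False, "error": None, "records": records}
    if len(payload) < HDR_LEN:
        result["error"] = "payload shorter than header"
        return result
    if payload[:2] != MAGIC:
        result["error"] = f"bad magic {payload[:2].hex()}"
        return result
    if payload[2] != VERSION:
        result["error"] = f"unsupported version {payload[2]}"
        return result
    count = payload[3]
    pos = HDR_LEN
    for i in range(count):
        if pos + 2 > len(payload):
            result["error"] = f"record {i}: type/length fields missing"
            return result
        rtype, rlen = payload[pos], payload[pos + 1]
        remaining = len(payload) - pos - 2
        if rlen > remaining:
            result["error"] = f"record {i}: length {rlen} exceeds {remaining} remaining bytes"
            return result
        records.append((rtype, payload[pos + 2:pos + 2 + rlen]))
        pos += 2 + rlen
    if pos != len(payload):
        result["error"] = f"{len(payload) - pos} trailing bytes after last record"
        return result
    result["ok"] = True
    return result


def encode(records: List[Record]) -> bytes:
    """Build a well-formed payload (used here only to construct sample input)."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in records)
    return MAGIC + bytes([VERSION, len(records)]) + body


# Constructed sample packets.
GOOD = encode([(1, b"AB"), (2, b"CDE")])
# Second record claims 16 bytes but only one byte follows.
OVERLONG = MAGIC + bytes([VERSION, 2]) + b"\x01\x02AB" + b"\x02\x10C"
# Header promises three records; only one is present.
SHORT_COUNT = MAGIC + bytes([VERSION, 3]) + b"\x01\x02AB"

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("OVERLONG", OVERLONG), ("SHORT_COUNT", SHORT_COUNT)]:
        print(name, dissect_checked(pkt))
        try:
            print("  naive:", dissect_naive(pkt))
        except IndexError as exc:
            print("  naive: crashed with IndexError:", exc)
```

The naive version illustrates the two classic dissector defects: reading past the end of the buffer (a crash in Python, an out-of-bounds read in C) and accepting a length that exceeds the bytes available, which in Python slices quietly to a short value. The checked version keeps what it has parsed so far and names the record that failed, which is also what you want when a malformed packet shows up in a capture: a visible marker, not a decoder that guesses.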
Slide 13: For More Information…
• Wireshark Website
  – http://www.wireshark.org
• Wireshark Documentation
  – http://www.wireshark.org/docs/
• Wireshark Wiki
  – http://wiki.wireshark.org