This chapter introduces the very basics of Wireshark - how to start packet capture, where to locate it in the network and how to configure basic operations. In chapter 3 we will learn how to configure capture and display filters.

1. NDI Communications - Engineering & Training
Network analysis Using Wireshark
Lesson 2 – Introduction to Wireshark

2. Page 2
Lesson Objectives
By the end of this lesson, the participant will be able to:
To start capturing data with the Wireshark software
To configure basic parameters with Wireshark
To understand basic colorizing mechanisms
To understand basic preferences configurations

3. Page 3
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

4. Page 4
What is Network Analysis
Developed by Gerald Combs in In late 1997. He called it Ethereal
First released, after several pauses in development, in July 1998 as
version 0.2.0
Additional patches and applications added by Gilbert Ramirez, Guy
Harris and Richard Sharpe and others
In 2006 the project moved house and re-emerged under a new name –
Wireshark
Acquired by Riverbed in 2010 with commitment to live as open-source

5. Page 5
What Can We Do With It, And What We
Cannot?
What we can:
Capture packets
Watch smart statistics
Define filters – capture and display
Analyze problems
What we cannot:
It is not and automatic tool
It is not suitable for long-term
monitoring
It is not a “magic” tool

6. Page 6
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

7. Page 7
Reminder – How a LAN Switch Works
Sw
Segment A
Segment B
B3
A1 A2 A3
B2B1
A1
A2
A3
B1
B2
B3
C5
C6
C7
C5
C6
C7
Segment C
Decision Table
A1A3 Block
A1B1 Forward to port B
A1C7 Forward to port C
A1BC Forward to all (flood)
A1D7 Forward to all (flood)

8. Page 8
Port Mirror / Port Monitor
Monitoring
port
SDSD SD SD
Monitored
port

9. Page 9
Were to Locate the Wireshark?
To ISP
For server monitoring:
Connect the laptop to the LAN
switch, with port mirror to the
monitored server
For WAN monitoring:
Connect the laptop to the LAN
switch, with port mirror to the
monitored router
For Internet connectivity
monitoring:
Before or after the Firewall

10. Page 10
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

11. Page 11
The Interface (Version 1.10.6)

12. Page 12
Choose the Right Interface

13. Page 13
Some Details:

14. Page 14
Choose the Interface and Start the
Capture

15. Page 15
And You Will Get:
Packet
List
Packet
Details
Packet
Bytes

16. Page 16
To Stop the Capture
Or Ctrl+E

17. Page 17
Configuring the Capture
Choosing the
interface
Capture in
promiscuous
mode
Capture
multiple
files
Stop
capture
Display
options
Name
resolution
Manage
Interfaces
Capture
filter

18. Page 18
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

19. Page 19
Configuring the start window
Chapter Content
Main Toolbar
Filter Toolbar
Wireless Toolbar (Turned off by default)
Status Toolbar

20. Page 20
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

21. Page 21
Time Display Format

22. Page 22
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

23. Page 23
Packet Colorization
You can set-up Wireshark so that it will colorize packets
according to a filter
There are two types of coloring rules in Wireshark.
Temporary ones that are only used until you quit the program.
Permanent ones that will be saved to a preference file so that they
are available on a next session

24. Page 24
Permanently Colorize Packets
Open from View  Coloring Rules

25. Page 25
Colorizing Specific Data
We want to watch a
specific protocol through
out the capture file

26. Page 26
Colorizing Specific Data

27. Page 27
Colorizing Specific Data

28. Page 28
Colorizing Specific Data (TLS Connection
Establishment)

29. Page 29
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

30. Page 30
Saving and Manipulating Files
Save only displayed packets

31. Page 31
Saving and Manipulating Files
Save to XLS file

32. Page 32
And You Will Get:
Additional calculation for finding the DELAY

33. Page 33
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

34. Page 34
Preferences
Open from Edit  Preferences
User interface
configuration
Protocols
configuration

35. Page 35
Chapter Content
A brief history and introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring colouring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences

36. Page 36
Control Protocol Dissection
Each protocol has its own
dissector, so dissecting a
complete packet will typically
involve several dissectors.
Wireshark tries to find the
right dissector for each
packet (using static "routes"
and heuristics "guessing")

37. Page 37
User Specified Decodes
The "Decode As"
functionality let you
temporarily divert
specific protocol
dissections.

38. Page 38
Configuration Profiles
Open from Edit  Configuration Profiles
Configuration Profiles can be used
to configure and use more than
one set of preferences and
configurations:
Preferences
Capture Filters
Display Filters
Coloring Rules
Disabled Protocols
User Accessible Tables

39. Page 39
Wireshark Shortcuts

40. Page 40
Summary
For more information, technical data and many examples and case
studies:
http://www.amazon.com/Network-Analysis-Using-Wireshark-
Cookbook/dp/1849517649
Thanks!!!
Yoram Orzach
yoram@ndi-com.com
+972-52-4899699