Network Packet Analysis with Wireshark
Jim Gilsinn
National Institute of Standards & Technology
Engineering Laboratory
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
Jim Gilsinn - Bio
• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
– Co-Chair and General Editor, ISA99 Committee
– Co-Chair, ISA99 WG2, Security Program
– Co-Chair, ISA99 WG7, Safety & Security

• Factory Equipment Network Testing Framework
– Co-Investigator & Main Developer, FENT software
– Extension of previous IENetP project

• Education
– MSEE in Controls from Johns Hopkins University
– BSEE in Controls from Drexel University

2
What is Wireshark?
• The De-Facto Network Protocol Analyzer
– Open-Source (GNU Public License)
– Multi-platform
– Easily extensible
– Large development group

• Allows Users to…
– Capture network traffic
– Interactively browse that traffic
– Decode packet protocols using dissectors

• Previously Named “Ethereal”

3
What is Wireshark?
• Development Version (as of last night @ 11:30pm)
– 1,300+ Protocols
– 112,600+ Protocol Header Fields

• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
– BACnet
– EtherNet/IP & CIP, CIP Safety, CIP Motion
– DNP 3.0
– EtherCAT
– Foundation Fieldbus
– IEC 61850 & GOOSE
– Modbus & Modbus/TCP
– openSAFETY
– Profinet
– SERCOS III
– TTEthernet
– Zigbee

4
Network Layering
• Network Protocols Generally Have Some Header
– Who sent the information
– Who needs the information
– Information about the payload
– Other protocol specific information

• Headers Can Be Significant Part of Packet
– Ethernet/IP/UDP
– Minimum 42 Bytes of Header (65%)
– Minimum 64 Bytes Ethernet packet

– Many industrial Ethernet protocols only transmit a few bytes of data in real-time

[Figure: packet layering diagram. Ethernet Header (14 bytes) + Ethernet Payload; the Ethernet Payload is IP Header (20 bytes) + IP Payload; the IP Payload is UDP/TCP Header (8/20+ bytes) + TCP Payload; the TCP Payload is Protocol Header (?? bytes) + Data.]

5
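As an added example (not from the slides), the following Python walks the Ethernet, IPv4 and UDP headers of a constructed 60-byte frame the way a dissector would, and reports how many bytes are header versus data and the header share of the 64-byte minimum frame from the slide. It assumes the capture omits the 4-byte FCS (as Wireshark captures normally do); the MAC addresses, IP addresses, ports and data bytes are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14      # slide: 14-byte Ethernet header
UDP_HDR_LEN = 8       # slide: 8-byte UDP header (TCP would be 20+)
MIN_WIRE_FRAME = 64   # slide: minimum 64-byte Ethernet packet, including the 4-byte FCS
FCS_LEN = 4           # assumption: the capture excludes the FCS, as Wireshark captures normally do

def dissect_eth_ip_udp(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP and return header sizes, the data bytes and the
    header overhead relative to the on-wire frame size."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                   # IHL in 32-bit words; 20 bytes with no options
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    ip_total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError(f"not UDP: IP protocol {ip[9]}")
    udp = ip[ihl:ip_total_len]                 # drops Ethernet padding beyond the IP datagram
    if len(udp) < UDP_HDR_LEN:
        raise ValueError("truncated UDP header")
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", udp[:UDP_HDR_LEN])
    data = udp[UDP_HDR_LEN:udp_len]
    header_bytes = ETH_HDR_LEN + ihl + UDP_HDR_LEN
    wire_len = max(len(frame) + FCS_LEN, MIN_WIRE_FRAME)
    return {"eth_hdr": ETH_HDR_LEN, "ip_hdr": ihl, "udp_hdr": UDP_HDR_LEN,
            "header_bytes": header_bytes, "data": data,
            "overhead": header_bytes / wire_len}

def build_sample_frame(data: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for the example (not a real capture).
    MACs are from the documentation range, IPs from TEST-NET-1; the IP checksum is left at 0."""
    eth = struct.pack("!6s6sH", bytes.fromhex("00005e005301"), bytes.fromhex("00005e005302"), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + UDP_HDR_LEN + len(data), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 2222, UDP_HDR_LEN + len(data), 0)
    return (eth + ip + udp + data).ljust(60, b"\x00")   # sender pads to 60 bytes before the FCS

if __name__ == "__main__":
    r = dissect_eth_ip_udp(build_sample_frame(b"\x01\x02"))
    print(f"{r['header_bytes']} header bytes, {len(r['data'])} data bytes, "
          f"{r['overhead']:.1%} of the minimum frame is header")
```

With two data bytes the frame is padded to the minimum size, so 42 of the 64 bytes on the wire are header, matching the slide's 65% figure.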
Wireshark Welcome Screen

6
Wireshark Packet Analysis Window

7
Wireshark Packet Analysis Demo
• Packet Decoder Window
• Layering
• Bytes on Wire
• Protocol Filters
– Capture Filters
– Display Filters

8
Wireshark Capture & Exporting Demo
• Capturing Live Traffic
• Saving Packet Capture Files
• Exporting Packet Capture Files
• Marking Sections of Captures

9
Advanced Features of Wireshark GUI
• Statistics
– Conversations
– Endpoints
– IO Graphs
– Flow Graphs

• Firewall ACL Rules

10
Using & Interfacing With Wireshark
• Wireshark Strictly Uses GNU Public License
– Any derived work with Wireshark code SHALL be open-source

• You Can Use Wireshark Hands-Off, Though
– Network Socket Interface
– Tshark.exe

• Network Socket Interface
– Rudimentary control

• Tshark.exe
– Most features available through command-line interface

11
Developing Your Own Protocol Dissectors
• Not Every Protocol Exists in Wireshark
– When you need a protocol that doesn’t exist, you can relatively easily build your own dissector

• Not Every Protocol Dissector Has Full Coverage
– Open-source software allows anyone to modify the code
– Protocols generally change over time
– The original dissector developer may not exist any longer

• Bugs Can Exist in Dissectors
– Code almost always has bugs

12
For More Information…
• Wireshark Website
– http://www.wireshark.org

• Wireshark Documentation
– http://www.wireshark.org/docs/

• Wireshark Wiki
– http://wiki.wireshark.org

13