This document provides an overview of using Wireshark and tcpdump to monitor network traffic. It discusses how to capture live traffic using these tools, how to apply filters to focus on specific traffic types, and how to analyze captured packet traces in Wireshark. The document includes examples of common tcpdump and Wireshark commands as well as screenshots of Wireshark's interface. It also describes how to view session data and endpoint statistics after capturing packets.
This document provides an overview of using Wireshark and tcpdump to monitor network traffic. It begins with an introduction to the motivation for network monitoring. It then covers the tools tcpdump, tshark, and Wireshark. Examples are given of using tcpdump and tshark on the command line to capture traffic. The document demonstrates Wireshark's graphical user interface and features for analyzing captured packets, including display filters, following TCP streams, conversations, endpoint statistics, and flow graphs. It concludes with tips for improving Wireshark performance and using grep to further analyze saved packet files.
This document discusses network monitoring and packet analysis using Wireshark. It provides an overview of Wireshark and tcpdump, examples of how to use capture and display filters to filter traffic, and how to analyze network traffic such as following TCP streams, endpoint statistics, and HTTP analysis. It also discusses improving Wireshark performance and using grep to further analyze saved packet files.
This document provides an overview and agenda for a Wireshark workshop. It introduces Wireshark as a network protocol analyzer tool that can perform deep inspection of hundreds of protocols. The workshop will cover how to use the capture screen, perform simple captures, configure capture options, use display filters to analyze specific traffic, and examine sample captures including DNS, HTTP, and ICAP traffic. Annexes provide information on handling duplicate packets, useful Wireshark resources, and HTTP status codes.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
This document discusses network traffic monitoring tools Tcpdump and Wireshark. It provides an overview of tcpdump including its purpose, basic syntax, output format, and commands. It describes tcpdump as a command line tool used to capture and analyze packets on a network interface. It then introduces Wireshark as a graphical user interface-based alternative to tcpdump that provides similar network packet sniffing and analysis capabilities.
This document provides an overview and introduction to using the Wireshark network analysis tool. It discusses Wireshark basics and advanced features, including how to capture and filter network traffic, analyze protocols and packets, view statistics and conversations, and use Wireshark to troubleshoot network issues. Several case studies are presented showing how Wireshark can be used to analyze problems like slow connections, high load, and non-stable performance.
Practical 7 - Using Wireshark Tutorial and Hands-on (QaisSaifQassim)
This document discusses using Wireshark, a network packet analyzer tool. It describes what Wireshark is, how to capture and analyze packets, how to filter packets, and how to save and manipulate captured packets. Useful statistical analysis features are also outlined, including protocol hierarchies, conversations, IO graphs, and TCP stream graphs. Finally, some references for further Wireshark information and documentation are provided. A lab activity is proposed to have students launch Wireshark, capture sample traffic, answer questions about the capture, apply filters, and analyze the captured packets.
WIRESHARK is a free and open-source packet analyzer that allows users to examine network traffic and inspect packets. It can be used for basic network troubleshooting, analysis, development, and education. The tool supports live packet captures from networked interfaces as well as offline analysis of captured packet data files. It decodes hundreds of protocols and can filter traffic based on various packet attributes.
The document discusses various network security tools including TCP/IP headers, tcpdump, ethereal, ntop, MRTG, network scanners like Nmap and Nessus. It provides examples of using these tools to analyze network traffic, scan for open ports, detect operating systems, and monitor network usage.
Chapter 3. Sensors in the network domain (Phu Nguyen)
This chapter discusses network sensors and the data they generate. Examples of network sensors include NetFlow sensors on routers and packet capture tools like tcpdump. The chapter covers challenges of analyzing large network traffic data, and describes common data formats generated by sensors like NetFlow records and packet captures. It also discusses techniques for filtering large packet capture data, such as using rolling buffers, limiting packet snap lengths, and Berkeley Packet Filter rules.
Wireshark is a network packet analyzer that allows users to examine network packet data and traffic in detail. It can capture live packet data from interfaces, open saved capture files, and display packets with detailed protocol information. Network administrators, security engineers, and developers use Wireshark to troubleshoot network issues, examine security problems, and debug protocol implementations.
Wireshark course, Ch 03: Capture and display filters (Yoram Orzach)
This document provides an overview of capture and display filters in Wireshark. It describes the basics of filter syntax and examples of common filters. The objectives are to understand basic capture and display filters and how to perform packet filtering. It covers the structure and components of capture filters including primitives, operators, and examples. Display filters are explained along with field types, comparison operators, and combining expressions. The document concludes with case studies demonstrating filters for protocols like DCERPC and analyzing network issues like retransmissions.
This document provides an overview of NS-3, an open-source discrete event network simulator. It describes what NS-3 is, how to install it, and some of its key components and functionality. NS-3 allows modeling of network elements like nodes, devices, channels, and protocols. It has a collection of C++ libraries rather than a single program. Topologies can be built by configuring nodes, applications, and network elements like channels and devices. The simulator can be used to analyze network performance through tracing and logging functions.
This document introduces network analyzers and Wireshark. It discusses that network analyzers are used to capture, decode, and analyze network traffic through both hardware and software tools. Wireshark is an open-source network analyzer that can decode over 750 protocols and supports both command line and GUI interfaces. It discusses how to install Wireshark and libpcap drivers and provides an overview of how to use the basic Wireshark interface.
This document provides an overview of network traffic analysis. It discusses why traffic analysis is useful for gaining knowledge about a network, investigating issues, and network forensics. It also summarizes the basics of TCP/IP protocols, packet sniffing tools like Wireshark and Tcpdump, and how to analyze network traffic captures for troubleshooting and security purposes. Hands-on network forensics examples are provided to demonstrate these concepts.
The document describes an automated tool called ipsnapshoter that detects misconfigured HTTP services. It scans IP addresses and ports, uses Nmap to find available hosts, takes screenshots of server responses using EyeWitness, and publishes results in an HTML report. The tool is designed to help security testers identify vulnerabilities by visually exploring misconfigurations before malicious actors. It is written in Python and uses libraries like Nmap, EyeWitness, and a simple HTTP server to efficiently scan thousands of addresses and generate consolidated reports.
Tshark pen testing, very good insight of the pen test (claudiu59)
This document provides an overview of using the TShark network analyzer tool. It discusses what network traffic is, how to capture traffic using TShark, read from and write to files, use various output formats and display filters, and analyze endpoints. TShark can capture and analyze live network traffic or read from pcap files. It provides powerful decoding and filtering and can output data in several formats like XML, JSON, text for further analysis. Endpoint analysis generates statistics on devices in the captured traffic.
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final (masoodnt10)
The document discusses denial of service (DoS) attacks and how to mitigate them. It begins by defining DoS attacks and some common types like Smurf and Fraggle attacks. It then discusses tools like hping that can be used to craft packets for DoS attacks or testing defenses. The document concludes by outlining techniques to prevent networks from being used in DoS amplification attacks and recommends configuring firewalls and filters to detect and block flood traffic.
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato) (Denny K)
Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts.
Hunting for APT in network logs workshop presentation (OlehLevytskyi1)
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities requires a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios from the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Firewall rules using iptables in Linux (aamir lucky)
This document discusses firewall rules using Iptables on Linux. It defines a firewall, Iptables, and the key Iptables files and components. It then explains how firewalls work using protocols, packets, and ports. It describes the Netfilter subsystem and provides examples of Iptables commands, options, chains, and targets. It gives examples of viewing existing rules, allowing SSH, and saving and reloading rules.
Abandon Decades-Old TCPdump for Modern Troubleshooting (Avi Networks)
Are you tired of troubleshooting with TCPdump? The Avi Vantage Platform is here to help. Learn how you can abandon your decades-old CPU-intensive logging tools – and gain intuitive, real-time analytics, faster time-to-resolution, modern SSL encryption, and (most importantly) happy IT teams focused on delivering applications.
Watch this Avi webinar to #ByeByeTCPdump forever and learn:
- Why TCPdump should be your tool of last resort
- How headers compressed with HTTP/2, SSL leveraging PFS, and distributed systems have rendered certain tools useless
- How automation and visibility can help you troubleshoot more quickly
- How you can replace TCPdump with intelligent logs and analytics
Watch the full webinar: https://info.avinetworks.com/webinars-avi-tech-corner-episode-1
Packet Analysis - Course Technology Computing Conference
Presenter: Lisa Bock - Pennsylvania College of Technology
Most network administrators are well-versed in hardware, applications, operating systems, and network analysis tools. However, many are not trained in analyzing network traffic. Network administrators should be able to identify normal network traffic in order to determine unusual or suspicious activity. Network packet analysis is important in order to troubleshoot congestion issues, create firewall and intrusion detection system rules, and perform incident and threat detection. This hands-on presentation will review fundamental concepts necessary to analyze network traffic, beginning with an overview of network analysis, then a review of the TCP/IP protocol suite and LAN operations. Participants will examine packet captures, understand the field values of the protocols and what is considered normal behavior, and then examine captures that show exploits, network reconnaissance, and signatures of common network attacks. The program will use Wireshark, a network protocol analyzer for Unix and Windows, to study network packets, look at basic features such as display and capture filters, and examine common protocols such as TCP, HTTP, DNS, and FTP. Time permitting, the presentation will provide suggestions on how to troubleshoot performance problems, conduct a network baseline, and how to follow a TCP or UDP stream and see HTTP artifacts. Participants should have a basic knowledge of computer networking and an interest in the subject.
IP network scanning involves gathering information about devices on a network such as which hosts are active and which services and ports are open. The document discusses common scanning techniques including ping sweeps to discover active hosts, port scanning to identify open ports, and methods for detecting operating systems and software versions running on remote hosts. It provides examples using the free and open-source nmap tool, which is considered the standard for port scanning and network discovery.
This document provides an overview of firewalls, including what they are (isolating an internal network from the internet), why they are used (to prevent attacks and unauthorized access), and the main types (packet filtering and application gateways). It also discusses limitations of firewalls and how they work in Linux using netfilter and iptables commands. Examples are given of common iptables rules to filter traffic, accept/reject connections, and drop packets.
Nmap is a free and open-source tool for network discovery and security auditing. It can be used to discover hosts and services on a computer network by scanning target hosts and performing port scanning, version detection, and OS detection. System administrators, network engineers, and auditors use Nmap for security auditing, compliance testing, asset management, and network/system inventory. While Nmap provides useful information for hardening network security, it can also be used maliciously for reconnaissance, so permission should be obtained before using it on networks.
3. Motivation for Network Monitoring
Essential for network management
Router and firewall policy
Detecting abnormal behaviour and errors in the network
Access control
Security management
Detecting abnormal traffic
Keeping a traffic log for future forensic analysis
4. Tools Overview
Tcpdump
Unix-based command-line tool used to intercept packets
Includes filtering to capture just the packets of interest
Reads "live traffic" from the interface specified with the -i option ...
... or from a previously recorded trace file specified with the -r option
You create these trace files when capturing live traffic with the -w option
Tshark
Tcpdump-like capture program that comes with Wireshark
Very similar behaviour and flags to tcpdump; it also understands Wireshark display filters and reads and writes the same capture files
Wireshark
GUI that captures live traffic itself and displays tcpdump/tshark packet traces with full protocol decoding
5. Tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
6. What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
• 01:46:28.808262: timestamp
• IP: this is an IP packet
• danjo.CS.Berkeley.EDU: source host name
• ssh: source port number (22)
• adsl-69-228-230-7.dsl.pltn13.pacbell.net: destination host name
• 2481: destination port number
• The rest of the line: TCP-specific information (flags, sequence range and length, ack number, window)
• Different output formats for different packet types
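An added example, not part of the slides: a small Python parser that splits this classic tcpdump TCP line into the pieces named above and then sums payload bytes per direction. The sample text is the slide's own four lines re-joined onto single lines; the regex covers only the old-style TCP line shown here, not tcpdump's newer "Flags [S.]" format.

```python
import re
from collections import namedtuple

# Sample input: the four lines from the tcpdump slide, re-joined onto
# single lines (the slide wrapped them for display).
SAMPLE = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
"""

# Classic tcpdump TCP line:
#   <timestamp> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] [ack <n>] [win <w>]
# Flags are single letters (S, P, F, R) or "." when none of those is set.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[^\s:]+) > (?P<dst>[^\s:]+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)

# length is the payload byte count of the segment (0 for a pure ACK).
TcpLine = namedtuple("TcpLine", "ts src_host src_port dst_host dst_port flags seq length ack win")

def parse_line(line):
    """Return the fields of one tcpdump TCP line as a TcpLine, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The port is the part after the last dot; host names themselves contain dots.
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    opt = lambda v: int(v) if v is not None else None
    return TcpLine(m["ts"], src_host, src_port, dst_host, dst_port, m["flags"],
                   opt(m["seq"]), int(m["len"] or 0), opt(m["ack"]), opt(m["win"]))

def bytes_per_direction(text):
    """Sum payload bytes per (source host, destination host) pair: the kind of
    quick statistic the post-processing slides later extract with grep."""
    totals = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec.src_host, rec.dst_host)
            totals[key] = totals.get(key, 0) + rec.length
    return totals

if __name__ == "__main__":
    print(bytes_per_direction(SAMPLE))
```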
8. Demo 1 – Basic Run
Syntax:
tcpdump [options] [filter expression]
Unfortunately, the Eustis machine does not allow normal users to run tcpdump
$ sudo tcpdump -i eth0
The sudo command allows you to run tcpdump with root privilege
On your own Unix machine, you can run it using “sudo” or run “tcpdump” directly if you have root privilege
Observe the output
9. Filters
We are often not interested in all packets flowing through the network
Use filters to capture only the packets of interest to us
10. Demo 2
1. Capture only UDP packets
• tcpdump "udp"
2. Capture only TCP packets
• tcpdump "tcp"
11. Demo 2 (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"
12. Demo 2 (contd.)
1. Capture only packets destined to longwood.eecs.ucf.edu
• tcpdump "dst host longwood.eecs.ucf.edu"
2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu
• tcpdump "(tcp and host longwood.eecs.ucf.edu) or udp port 53"
13. How to write filters
Refer to the tcpdump/tshark man page
Many example web pages on the Internet
14. Running tcpdump
Requires superuser/administrator privileges on Unix
http://www.tcpdump.org/
You can do it on your own Unix machine
You can install a Linux OS in VMware on your Windows machine
Tcpdump for Windows
WinDump: http://www.winpcap.org/windump/
Free software
15. So What is Wireshark?
Packet sniffer/protocol analyzer
Open source network tool
The current, renamed version of the Ethereal tool
16. What is tshark?
The command-line based packet capture tool
Equivalent to Wireshark
17. Network Layered Structure
What is the Internet?
(Layer diagram recovered from the slide figure: two end hosts, each with the full stack, joined by a link.)
Application: Web, Email, VoIP
Transport: TCP, UDP
Network: IP
Data Link / Physical: Ethernet, cellular
23. Capture Filter examples
host 10.1.11.24
host 192.168.0.1 and host 10.1.11.1
tcp port http
ip
not broadcast and not multicast
ether host 00:04:13:00:09:a3
30. Display Filters (Post-Filters)
Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace
Display filters use their own format and are much more powerful than capture filters
34. TCP segment structure
(Header diagram recovered from the slide figure; each row is 32 bits wide.)
source port # | dest port #
sequence number
acknowledgement number
head len | not used | U A P R S F | receive window
checksum | urg data pointer
options (variable length)
application data (variable length)
Notes on the fields:
• URG: urgent data (generally not used)
• ACK: ACK # valid
• PSH: push data now
• RST, SYN, FIN: connection establishment (setup, teardown commands)
• Receive window: # bytes the receiver is willing to accept
• Sequence and acknowledgement numbers: counting by bytes of data (not segments!)
• Checksum: Internet checksum (as in UDP)
35. Display Filter
String1, String2 (optional settings): sub-protocol categories inside the protocol. Look for a protocol and then click on the "+" character.
Example:
tcp.srcport == 80
Note on the TCP flags field:
tcp.flags == 2 (SYN packet)
tcp.flags.syn == 1
tcp.flags == 18 (SYN/ACK)
36. Display Filter Expressions
snmp || dns || icmp
Display SNMP, DNS or ICMP traffic.
tcp.port == 25
Display packets with TCP source or destination port 25.
tcp.flags
Display packets that have a TCP flags field.
tcp.flags.syn == 0x02
Display packets with the TCP SYN flag set.
If the filter syntax is correct, the filter bar is highlighted in green; if there is a syntax mistake, it is highlighted in red.
(Screenshots: correct syntax shown in green, wrong syntax shown in red.)
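An added example, not from the slides, tying the TCP segment structure slide above to the tcp.flags filters here: a Python model of the fixed TCP header that builds a constructed 20-byte SYN/ACK header, parses its fields back out, and shows why tcp.flags == 2 matches SYN and tcp.flags == 18 (0x012) matches SYN/ACK. The per-bit filter field names (tcp.flags.ecn for ECE, tcp.flags.ns for the reserved NS bit) are as Wireshark 3.x spells them.

```python
import struct

# TCP flag bits as Wireshark's tcp.flags field numbers them (bit 8 = NS, the
# reserved nonce bit that sits in the low bit of the data-offset byte).
TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
# Per-bit display-filter field names differ from the RFC names in one case.
FIELD_NAME = {"ECE": "ecn"}

def flags_from_names(names):
    """Combine flag names into the integer that 'tcp.flags == N' compares against."""
    return sum(TCP_FLAGS[n] for n in names)

def flag_names(value):
    """Decode a tcp.flags integer back into the names of the set bits."""
    return [n for n, bit in TCP_FLAGS.items() if value & bit]

def build_tcp_header(sport, dport, seq, ack, names, window, urgent=0):
    """Constructed 20-byte TCP header with no options; checksum left as 0."""
    flags = flags_from_names(names)
    offset_byte = (5 << 4) | (flags >> 8)          # data offset = 5 words, NS in low bit
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_byte, flags & 0xFF, window, 0, urgent)

def parse_tcp_header(buf):
    """Split the fixed TCP header into the fields named on the segment-structure slide."""
    (sport, dport, seq, ack, offset_byte, flag_byte,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", buf[:20])
    hdr_len = (offset_byte >> 4) * 4               # header length in bytes
    flags = ((offset_byte & 0x01) << 8) | flag_byte
    return {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
            "hdr_len": hdr_len, "flags": flags, "flag_names": flag_names(flags),
            "window": window, "checksum": checksum, "urgent_ptr": urgent,
            "options": buf[20:hdr_len]}

def display_filter(names, exact=True):
    """Wireshark display filter for these flags. exact=True matches only segments
    with exactly these bits set (SYN alone, or SYN/ACK alone); exact=False tests
    the bits individually, so segments with additional flags also match."""
    if exact:
        return "tcp.flags == 0x%03x" % flags_from_names(names)
    return " && ".join("tcp.flags.%s == 1" % FIELD_NAME.get(n, n.lower())
                       for n in names)

if __name__ == "__main__":
    hdr = build_tcp_header(80, 2481, 1000, 2001, ["SYN", "ACK"], 12816)
    print(parse_tcp_header(hdr))
    print(display_filter(["SYN"]), display_filter(["SYN", "ACK"]))
```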
37. Save Filtered Packets After Using Display Filter
We can also save all filtered packets in a text file for further analysis
Operation:
File > Export Packet Dissections > as “plain text” file
1) In the “packet range” option, select “Displayed”
2) Choose “summary line” or “detail”
42. Filter out/in Single TCP Stream
When you click “filter out this TCP stream” in the previous page’s box, the new filter string will contain something like:
http and !(tcp.stream eq 5)
So, if you use “tcp.stream eq 5” as the filter string, you keep only this HTTP session
47. Use the “Copy” button to copy all text into the clipboard
Then you can analyze this text file to get whatever statistics you want
48. Find Endpoint Statistics
Menu: “Statistics” > “Endpoint List” > “TCP”
You can sort by field
“Tx”: transmit, “Rx”: receive
49. Find Endpoint Statistics
Use the “Copy” button to copy all text into the clipboard
Then you can analyze this text file to get whatever statistics you want
51. Flow Graphs
• The “displayed packets” option lets you show the flow of only the packets currently displayed; for example, display only HTTP traffic, then show its flow for analysis
59. Improving Wireshark Performance
Don’t use capture filters
Increase your read buffer size
Don’t update the screen dynamically
Get a faster computer
Use a TAP
Don’t resolve names
60. Post-Processing Text File
For saved text-format packet files, further analysis needs coding or special tools
One useful tool on Unix: grep
On Windows: PowerGrep, http://www.powergrep.com/
Command-line based utility for searching plain-text data sets for lines matching a regular expression.
61. Basic usage of grep
Command-line text-search program in Linux
Some useful usage:
grep 'word' filename          # find lines with 'word'
grep -v 'word' filename       # find lines without 'word'
grep '^word' filename         # find lines beginning with 'word'
grep 'word' filename > file2  # output lines with 'word' to file2
ls -l | grep rwxrwxrwx        # list files whose permissions are 'rwxrwxrwx'
grep '^[0-4]' filename        # find lines beginning with any of the digits 0-4
grep -c 'word' filename       # find lines with 'word' and print the number of such lines
grep -i 'word' filename       # find lines with 'word' regardless of case
Many tutorials on grep online:
http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
62. On-line Wireshark Trace Files
Publicly available .pcap files:
http://www.netresec.com/?page=PcapFiles
http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
Wiki sample captures:
https://wiki.wireshark.org/SampleCaptures