This document provides an overview of using tcpdump, tshark and Wireshark to monitor network traffic. It begins with the motivation for network monitoring, then covers the tools themselves, with command-line examples of capturing traffic with tcpdump and tshark and of capture and display filters that narrow a capture to the traffic of interest. It then demonstrates Wireshark's graphical interface and its analysis features, including protocol hierarchy, following TCP streams, conversations, endpoint statistics, flow graphs and HTTP analysis, illustrated with screenshots. It concludes with tips for improving Wireshark performance and for using grep to further analyze saved packet files.
2. Motivation for Network Monitoring
— Essential for Network Management
◦ Router and firewall policy
◦ Detecting anomalies and errors in the network
◦ Access control
— Security Management
◦ Detecting abnormal traffic
◦ Traffic log for future forensic analysis
3. Tools Overview
— Tcpdump
◦ Unix-based command-line tool used to intercept packets
– Including filtering to just the packets of interest
— Wireshark
◦ GUI for displaying tcpdump/tshark packet traces
4. Tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output (an SSH session between danjo.CS.Berkeley.EDU and a DSL host):
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
• How to read a line: timestamp, then source host.port > destination host.port, then the TCP flags ("." means none set, "P" is PSH; "S", "F" and "R" would be SYN, FIN and RST), then first:last(bytes) of the payload sequence numbers, the acknowledgement number and the advertised window.
• Note that only the first line shows absolute sequence numbers; from the second packet of a connection on, tcpdump prints them relative to the first one it saw (run tcpdump with -S to keep absolute numbers).
5. Filters
— We are often not interested in all packets flowing through the network
— Use filters to capture only the packets of interest to us
— How to write filters?
◦ Refer to the tcpdump/tshark man pages; the capture-filter language itself is documented in pcap-filter(7)
◦ Many example web pages on the Internet
7. Example (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"
8. Example (contd.)
1. Capture only packets destined to longwood.eecs.ucf.edu
• tcpdump "dst host longwood.eecs.ucf.edu"
2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu
• tcpdump "(tcp and host longwood.eecs.ucf.edu) or udp port 53"
9. Running tcpdump
— Requires superuser/administrator privileges on Unix (raw access to the network interface)
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware on your Windows machine
— Tcpdump for Windows
◦ WinDump: http://www.winpcap.org/windump/
– Free software; note that it builds on WinPcap, which is no longer maintained (current Wireshark builds on Windows use Npcap instead)
10. So What is Wireshark?
— Packet sniffer/protocol analyzer
— Open source network tool
— Successor to the Ethereal tool (renamed Wireshark in 2006)
11. What is tshark?
— The command-line based packet capture tool that ships with Wireshark
— Equivalent to Wireshark: same dissectors, same capture- and display-filter syntax, no GUI
12. Network Layered Structure
— What is the Internet? The protocol stack, top to bottom:
◦ Application: Web, Email, VoIP
◦ Transport: TCP, UDP
◦ Network: IP
◦ Data Link: Ethernet, cellular
◦ Physical link
16. Capture Options
— Promiscuous mode is used to capture all traffic on the segment, not only frames addressed to your own MAC address
— In many cases this does not give you everything:
• The network driver does not support promiscuous mode
• You are on a switched LAN: the switch only forwards you broadcast/multicast frames and frames addressed to your port, so to see other hosts' traffic you need a mirror (SPAN) port or a TAP
18. Capture Filter examples
host 10.1.11.24
host 192.168.0.1 and host 10.1.11.1
tcp port http
ip
not broadcast and not multicast
ether host 00:04:13:00:09:a3
21. Display Filters (Post-Filters)
— Display filters (also called post-filters)
◦ Only filter the view of what you are seeing
◦ All packets in the capture still exist in the trace
— Display filters use their own format and are much more powerful than capture filters
24. Display Filter
There are thousands of pre-defined protocol fields that you can use in the display filter!
25. TCP segment structure (each row is 32 bits)
◦ source port # | dest port #
◦ sequence number
◦ acknowledgement number
◦ head len | not used | flags U A P R S F | receive window
◦ checksum | urgent data pointer
◦ Options (variable length)
◦ application data (variable length)
— Notes on the fields:
◦ URG: urgent data (generally not used)
◦ ACK: ACK # valid
◦ PSH: push data now
◦ RST, SYN, FIN: connection establishment (setup, teardown commands)
◦ Receive window: # bytes the receiver is willing to accept
◦ Sequence/acknowledgement numbers: counting by bytes of data (not segments!)
◦ Checksum: Internet checksum (as in UDP)
26. Display Filter
— String1, String2 (optional settings):
◦ Sub-protocol fields inside the protocol
◦ Look for a protocol in the packet-details pane and expand it (click the "+" character) to see its field names
◦ Examples:
◦ tcp.srcport == 80
◦ tcp.flags == 2
– SYN packet (flag bit values: URG 0x20, ACK 0x10, PSH 0x08, RST 0x04, SYN 0x02, FIN 0x01)
– Or use "tcp.flags.syn == 1" (field names are lower-case)
◦ tcp.flags == 18
– SYN/ACK (0x10 + 0x02 = 0x12 = 18)
◦ Note: the bit layout is that of the flags field in the TCP segment structure above
27. Display Filter Expressions
— snmp || dns || icmp
◦ Display SNMP, DNS or ICMP traffic.
— tcp.port == 25
◦ Display packets with TCP source or destination port 25.
— tcp.flags
◦ Display packets that have a TCP flags field, i.e. every TCP segment.
— tcp.flags.syn == 1
◦ Display packets with the TCP SYN flag set. tcp.flags.syn is a single bit, so compare it with 1; to match the whole flags field use tcp.flags == 0x02 (SYN only) or tcp.flags == 0x12 (SYN/ACK).
If the filter syntax is correct, the filter bar is highlighted in green; if there is a syntax mistake it is highlighted in red.
28. Save Filtered Packets as Text After Using Display Filter
— We can save all filtered packets in a text file for further analysis
— Operation:
◦ File → Export Packet Dissections → As Plain Text...
1) In the "Packet Range" option, select "Displayed" (otherwise every captured packet is written, not only the filtered ones)
2) Choose "Summary line" and/or "Details" as the packet format
29. Save Filtered Packets in Wireshark format After Using Display Filter
— We can also save all filtered packets in the original Wireshark (pcap/pcapng) format for further analysis
— Operation:
1. Enter a display filter to show the packets you want
2. Go to "Edit" and choose "Mark All Displayed"
3. Go to "File" → "Export Specific Packets..."
4. Choose the option "Marked packets" to save the file
— Shortcut: the Export Specific Packets dialog also has a "Displayed" column, so selecting "All packets" in that column exports the filtered set without marking anything
34. Filter out/in Single TCP Stream
— When you click "Filter out this stream" in the Follow TCP Stream dialog of the previous page, the new display filter will look like:
◦ http and !(tcp.stream eq 5)
— So if you use "tcp.stream eq 5" as the filter string instead, you keep only this HTTP session (tcp.stream is Wireshark's index of the TCP connection, numbered from 0 in order of first appearance in the capture)
39. — Use the "Copy" button to copy all the text in the statistics dialog to the clipboard
— Then paste it into a text file and analyze that to get the statistics you want
40. Find Endpoint Statistics
— Menu "Statistics" → "Endpoints" → "TCP" tab
— You can sort by any column
— "Tx": transmitted, "Rx": received (packets and bytes)
41. Find Endpoint Statistics (contd.)
— Use the "Copy" button to copy the whole table as text to the clipboard
— Then analyze that text to get the statistics you want
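The slides above show capture filters such as "udp port 53", display filters such as tcp.flags == 2 and tcp.stream eq 5, exporting the filtered packets in Wireshark format, and the Endpoints Tx/Rx table. The following added example (not code from the original slides or from Wireshark) puts those pieces together in Python: it constructs a handful of Ethernet/IPv4 frames (all addresses, ports, MACs and payloads are made up for the demo), decodes the TCP header fields from the segment structure slide, evaluates the filters as plain predicates, numbers connections the way tcp.stream does, tallies per-endpoint Tx/Rx, and writes the selected frames as a classic pcap file that Wireshark or tcpdump -r can open.

```python
"""Added example (not from the original slides). Builds a tiny Ethernet/IPv4
capture in memory, writes it as a classic pcap, and applies predicates that
mirror the filters on this page: udp port 53 -> is_dns, tcp.flags == 0x02 ->
is_syn, tcp.flags == 0x12 -> is_syn_ack, tcp.flags.syn == 1 -> has_syn,
tcp.stream eq N -> assign_streams, Statistics -> Endpoints -> endpoint_stats.
All addresses, ports, MACs and payloads are constructed for the demo."""
import struct
from collections import defaultdict


def checksum(data):
    """RFC 1071 one's-complement sum, used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _frame(src, dst, proto, l4):
    """Ethernet II (constructed MACs) + IPv4 header around a TCP/UDP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("000413000900" "00041300090a" "0800") + ip + l4


def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Fields in the order of the segment-structure slide: ports, seq, ack,
    data offset (5 words = 20 bytes), flags, window, checksum, urgent pointer."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    hdr = hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]
    return _frame(src, dst, 6, hdr + payload)


def build_udp(src, dst, sport, dport, payload):
    # UDP checksum 0 means "not computed", which is legal over IPv4.
    return _frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def parse(frame):
    """Decode Ethernet/IPv4 and TCP or UDP into Wireshark-style field names."""
    ihl = (frame[14] & 0x0F) * 4
    p = {"ip.src": ".".join(map(str, frame[26:30])), "ip.dst": ".".join(map(str, frame[30:34])),
         "ip.proto": frame[23], "frame.len": len(frame)}
    l4 = frame[14 + ihl:]
    if p["ip.proto"] == 6:
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", l4[:16])
        # Wireshark's tcp.flags also carries the NS bit (low bit of the offset byte) above the 8 classic flags.
        p.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                  "tcp.flags": ((off & 1) << 8) | flags, "tcp.len": len(l4) - (off >> 4) * 4})
    elif p["ip.proto"] == 17:
        p["udp.srcport"], p["udp.dstport"] = struct.unpack("!HH", l4[:4])
    return p


def is_dns(p):     return p["ip.proto"] == 17 and 53 in (p["udp.srcport"], p["udp.dstport"])
def is_syn(p):     return p["ip.proto"] == 6 and p["tcp.flags"] == 0x02     # SYN and nothing else
def is_syn_ack(p): return p["ip.proto"] == 6 and p["tcp.flags"] == 0x12     # ACK 0x10 + SYN 0x02 = 18
def has_syn(p):    return p["ip.proto"] == 6 and bool(p["tcp.flags"] & 0x02)  # SYN bit set, others ignored


def assign_streams(pkts):
    """Number connections like tcp.stream: the first segment seen for an
    (unordered) socket pair gets the next index, starting at 0."""
    seen = {}
    for p in pkts:
        if p["ip.proto"] == 6:
            key = frozenset([(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])])
            p["tcp.stream"] = seen.setdefault(key, len(seen))
    return pkts


def endpoint_stats(pkts):
    """Per-IP Tx/Rx packets and bytes, as in Statistics -> Endpoints -> IPv4."""
    st = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for p in pkts:
        st[p["ip.src"]]["tx_pkts"] += 1
        st[p["ip.src"]]["tx_bytes"] += p["frame.len"]
        st[p["ip.dst"]]["rx_pkts"] += 1
        st[p["ip.dst"]]["rx_bytes"] += p["frame.len"]
    return dict(st)


def select(frames, pred):
    """Frames whose dissection satisfies pred, i.e. a display filter as a function."""
    pkts = assign_streams([parse(fr) for fr in frames])
    return [fr for fr, p in zip(frames, pkts) if pred(p)]


def pcap_bytes(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1) then a 16-byte
    record header per frame. Same result as File -> Export Specific Packets or
    `tshark -r in.pcap -Y '<display filter>' -w out.pcap`."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr for i, fr in enumerate(frames)]
    return b"".join(out)


def sample_frames():
    """Constructed traffic: a DNS lookup, one short HTTP connection, a second SYN."""
    c, s, r = "10.1.11.24", "192.168.0.1", "10.1.11.1"  # client, web server, resolver (made up)
    return [
        build_udp(c, r, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),  # DNS query (header only)
        build_udp(r, c, 53, 40000, b"\x12\x34\x81\x80" + b"\x00" * 8),  # DNS reply
        build_tcp(c, s, 2481, 80, 0x02, seq=1000),                       # SYN
        build_tcp(s, c, 80, 2481, 0x12, seq=5000, ack=1001),             # SYN/ACK
        build_tcp(c, s, 2481, 80, 0x10, seq=1001, ack=5001),             # ACK
        build_tcp(c, s, 2481, 80, 0x18, seq=1001, ack=5001, payload=b"GET / HTTP/1.0\r\n\r\n"),  # PSH/ACK
        build_tcp(c, s, 2482, 80, 0x02, seq=2000),                       # SYN of a second stream
    ]
```

To reproduce slide 29 with this code, write `pcap_bytes(select(sample_frames(), lambda p: p.get("tcp.stream") == 0))` to a file and open it in Wireshark; only the four segments of the first connection appear, and the filter tcp.stream eq 0 matches all of them. The checksums are computed so that Wireshark's checksum validation (if enabled) does not flag the constructed frames.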
48. Improving Wireshark Performance
— Don't use capture filters
— Increase your read buffer size
— Don't update the screen dynamically (disable "Update list of packets in real time")
— Get a faster computer
— Use a TAP
— Don't resolve DNS hostnames (name resolution adds a lookup for every address shown)
49. Post-Processing Text Files
— For saved text-format packet files, further analysis needs coding or special tools
— One useful tool on Unix: grep
◦ On Windows: PowerGrep, http://www.powergrep.com/
◦ grep is a command-line utility for searching plain-text data sets for lines matching a regular expression
50. Basic usage of grep
— Command-line text-search program on Linux (the command name is lower-case)
— Some useful usage:
◦ grep 'word' filename            # print lines containing 'word'
◦ grep -v 'word' filename         # print lines NOT containing 'word'
◦ grep '^word' filename           # print lines beginning with 'word'
◦ grep 'word' filename > file2    # write the lines containing 'word' to file2
◦ ls -l | grep rwxrwxrwx          # list files whose mode is rwxrwxrwx (world-writable and executable)
◦ grep '^[0-4]' filename          # print lines beginning with any digit from 0 to 4
◦ grep -c 'word' filename         # print only the number of lines containing 'word'
◦ grep -i 'word' filename         # match 'word' regardless of case
— Many tutorials on grep online
◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
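Once the exported text is more than a grep away from the answer, the slides above say the analysis "needs coding". This added example (not from the original slides) is that coding step in Python: it parses tcpdump's text output with regular expressions and aggregates it into the per-host byte counts and conversation counts that the Endpoints and Conversations dialogs give you inside Wireshark. The first four SAMPLE lines are the ones from the "Tcpdump example" slide; the two DNS lines and the host names in them are constructed in the same old-style tcpdump format.

```python
"""Added example (not from the original slides): the scripted counterpart of
the grep one-liners above. Parses tcpdump text output with regular expressions
and aggregates it. SAMPLE = the four lines from the "Tcpdump example" slide
plus two constructed DNS lines in the same format."""
import re
from collections import Counter

SAMPLE = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
01:46:29.100000 IP client.example.net.40000 > ns.example.net.domain: 4660+ A? www.example.net. (33)
01:46:29.120000 IP ns.example.net.domain > client.example.net.40000: 4660 1/0/0 A 192.0.2.10 (49)
"""

# One regex for the common "timestamp IP src > dst: rest" prefix, and one for the
# TCP-specific tail with old-style flag letters ('.' = none, S, P, F, R).
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
TCP = re.compile(r"^(?P<flags>[SFRP.]+) (?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?"
                 r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")


def split_endpoint(ep):
    """'host.port' -> (host, port); tcpdump appends the port number or service
    name as the last dotted component."""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_lines(text):
    """Yield one dict per line in tcpdump format; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
        t = TCP.match(rec["rest"])
        rec["proto"] = "tcp" if t else "other"
        rec["flags"] = t["flags"] if t else ""
        rec["payload"] = int(t["len"]) if t and t["len"] else 0   # bytes in "first:last(len)"
        yield rec


def grep(text, pattern, invert=False, ignore_case=False):
    """Lines matching a regex, like grep; invert = grep -v, ignore_case = grep -i."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [line for line in text.splitlines() if bool(rx.search(line)) != invert]


def payload_by_sender(text):
    """TCP payload bytes sent per host: the 'Tx bytes' column of the Endpoints table."""
    c = Counter()
    for r in parse_lines(text):
        c[r["src_host"]] += r["payload"]
    return c


def conversations(text):
    """Packet count per unordered host pair, like Statistics -> Conversations."""
    c = Counter()
    for r in parse_lines(text):
        c[frozenset((r["src_host"], r["dst_host"]))] += 1
    return c
```

Run against a real export, read the file with open(path).read() in place of SAMPLE. The regexes are deliberately anchored to the classic tcpdump line shape shown on the slide; newer tcpdump versions print "Flags [S.]" and "seq"/"length" keywords, so adjust TCP accordingly if your output looks different.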
51. Online Wireshark Trace Files
— Publicly available .pcap files:
◦ http://www.netresec.com/?page=PcapFiles
◦ http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
— Wireshark wiki sample captures
◦ https://wiki.wireshark.org/SampleCaptures