Wireshark Tutorial, Slides of Statistics

Tcpdump
◦ Unix-based command-line tool used to intercept packets.
◦ Including filtering to just the packets of interest.
◦ Reads “live traffic” from ...

Typology: Slides

2022/2023

Uploaded on 02/28/2023

loche
Internet Traffic Monitoring and Analysis: Wireshark Tutorial


Outline

• What is Wireshark?
• Capturing Packets
• Analyzing Packets
• Filtering Packets
• Saving and Manipulating Packets
• Packet Statistics
• Colorizing Specific Packets
• References

What is Wireshark?

Features
◦ Deep inspection of thousands of protocols
◦ Live capture and offline analysis
◦ Standard three-pane packet browser
◦ Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
◦ The most powerful display filters in the industry
◦ Rich VoIP analysis
◦ Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others
◦ Coloring rules can be applied to the packet list for quick, intuitive analysis
◦ Output can be exported to XML, PostScript®, CSV, or plain text

What is Wireshark?

What we can do:
◦ Capture network traffic
◦ Decode packet protocols using dissectors
◦ Define filters – capture and display
◦ Watch smart statistics
◦ Analyze problems
◦ Interactively browse that traffic

Some examples of what people use Wireshark for:
◦ Network administrators: troubleshoot network problems
◦ Network security engineers: examine security problems
◦ Developers: debug protocol implementations
◦ People: learn network protocol internals


Tcpdump example

• Ran tcpdump on a Unix machine
• First few lines of the output:

01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560

• Different output formats for different packet types

What does a line convey?

01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816

◦ 01:46:28.808262 – Timestamp
◦ IP – This is an IP packet
◦ danjo.CS.Berkeley.EDU – Source host name
◦ ssh – Source port number (22)
◦ adsl-69-228-230-7.dsl.pltn13.pacbell.net – Destination host name
◦ 2481 – Destination port number
◦ . 2513546054:2513547434(1380) ack 1268355216 win 12816 – TCP-specific information
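The field breakdown above can be turned into a small parser for the classic tcpdump one-line TCP summary, which is how an analyst would pull timestamps, hosts, ports, flags and payload lengths out of a saved capture log. This is an added example, not code from the slides; the SAMPLE_LINES are the four lines shown on the slide re-typed as constructed input, and the SERVICE_PORTS table (tcpdump prints well-known ports by name, e.g. ssh for 22) is a small assumed lookup so the code runs without /etc/services.

```python
"""Parse the classic tcpdump one-line TCP summary format shown on the slide."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the slide's four lines, with tcpdump's normal spacing.
SAMPLE_LINES = [
    "01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: "
    ". 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: "
    "P 1380:2128(748) ack 1 win 12816",
    "01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: "
    ". 2128:3508(1380) ack 1 win 12816",
    "01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: "
    "P 1:49(48) ack 1380 win 16560",
]

# Assumed service-name table (tcpdump prints well-known ports by name).
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "   # timestamp, then "this is an IP packet"
    r"(?P<src>\S+)\.(?P<sport>[^\s.:]+) > "   # source host name . source port
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+): "    # destination host name . destination port
    r"(?P<flags>\S+)"                         # TCP flags: "." = none, "P" = PSH, "S" = SYN, ...
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"  # seq range (payload bytes)
    r"(?: ack (?P<ack>\d+))?"                 # acknowledgement number
    r" win (?P<win>\d+)"                      # advertised receive window
)


@dataclass(frozen=True)
class TcpLine:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    length: int            # payload bytes in this segment (0 for a pure ACK)
    ack: Optional[int]
    win: int


def port_number(token: str) -> int:
    """Turn tcpdump's port field (a number or a service name) into an integer."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_line(line: str) -> TcpLine:
    """Parse one summary line; raises ValueError on anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP summary line: {line!r}")
    g = m.groupdict()

    def opt(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return TcpLine(
        timestamp=g["ts"], src=g["src"], sport=port_number(g["sport"]),
        dst=g["dst"], dport=port_number(g["dport"]), flags=g["flags"],
        seq_start=opt("seq_start"), seq_end=opt("seq_end"),
        length=int(g["length"] or 0), ack=opt("ack"), win=int(g["win"]),
    )


def bytes_by_direction(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Sum payload bytes per (source host, destination host) pair."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        key = (rec.src, rec.dst)
        totals[key] = totals.get(key, 0) + rec.length
    return totals


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        rec = parse_line(raw)
        print(f"{rec.timestamp} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
              f"flags={rec.flags} len={rec.length} ack={rec.ack} win={rec.win}")
    print(bytes_by_direction(SAMPLE_LINES))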

Demo 1 – Basic Run

Syntax: tcpdump [options] [filter expression]

Unfortunately, the Eustis machine does not allow normal users to run tcpdump. I will demonstrate it on my group’s Unix machine: acnserver.fils.edu
◦ $ sudo tcpdump -i eth
◦ On your own Unix machine, you can run it using “sudo” or directly run “tcpdump”

Observe the output


Filters

• We are often not interested in all packets flowing through the network
• Use filters to capture only packets of interest to us


Demo 2 (contd.)

  1. Capture only UDP packets with destination port 53 (DNS requests)
    • tcpdump "udp dst port 53"
  2. Capture only UDP packets with source port 53 (DNS replies)
    • tcpdump "udp src port 53"
  3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
    • tcpdump "udp port 53"


Demo 2 (contd.)

  1. Capture only packets destined to quasar.cs.berkeley.edu
    • tcpdump "dst host quasar.cs.berkeley.edu"
  2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu
    • tcpdump "(tcp and host quasar.cs.berkeley.edu) or udp port 53"
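The Filters slide and the Demo 2 expressions above follow a small grammar: a primitive is an optional protocol (tcp, udp), an optional direction (src, dst), a type (port, host) and a value; primitives combine with and, or and parentheses, and a primitive with no direction matches either end (so "udp port 53" catches both requests and replies). The evaluator below is an added example, not part of the slides and not tcpdump's own compiler: it parses exactly those five expressions and runs them over constructed Packet records, so you can see which packets each filter would keep before touching a live interface. It compares host names as strings, whereas real BPF resolves names to IP addresses when the filter is compiled; the Packet class, the SAMPLE list and the host names other than quasar.cs.berkeley.edu are constructed.

```python
"""Evaluate tcpdump-style filter expressions over constructed packet records."""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:          # constructed record, not a real capture
    proto: str         # "tcp" or "udp"
    src: str           # source host name
    sport: int         # source port
    dst: str           # destination host name
    dport: int         # destination port


Matcher = Callable[[Packet], bool]
PROTOS, DIRS, TYPES = {"tcp", "udp"}, {"src", "dst"}, {"port", "host"}


def tokenize(expr: str) -> List[str]:
    """Words, plus "(" and ")" as standalone tokens."""
    return re.findall(r"\(|\)|[^\s()]+", expr)


class FilterParser:
    """expr := term ('or' term)*   term := factor ('and' factor)*
    factor := '(' expr ')' | primitive
    primitive := [tcp|udp] [src|dst] (port|host) value | tcp | udp"""

    def __init__(self, expr: str):
        self.toks, self.pos = tokenize(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Matcher:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self) -> Matcher:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = self._or(left, self.term())
        return left

    def term(self) -> Matcher:            # "and" binds tighter than "or", as in BPF
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = self._and(left, self.factor())
        return left

    def factor(self) -> Matcher:
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self) -> Matcher:
        proto = self.take() if self.peek() in PROTOS else None
        if self.peek() not in DIRS and self.peek() not in TYPES:
            if proto is None:
                raise ValueError(f"bad primitive near {self.peek()!r}")
            return lambda p: p.proto == proto       # bare "tcp" / "udp"
        direction = self.take() if self.peek() in DIRS else None
        kind, ident = self.take(), self.take()
        if kind not in TYPES or ident is None:
            raise ValueError(f"expected 'port N' or 'host NAME', got {kind!r} {ident!r}")
        value = int(ident) if kind == "port" else ident
        src_field, dst_field = ("sport", "dport") if kind == "port" else ("src", "dst")

        def match(p: Packet) -> bool:
            if proto is not None and p.proto != proto:
                return False
            hit_src = getattr(p, src_field) == value
            hit_dst = getattr(p, dst_field) == value
            if direction == "src":
                return hit_src
            if direction == "dst":
                return hit_dst
            return hit_src or hit_dst                  # no direction: either end
        return match

    @staticmethod
    def _and(l: Matcher, r: Matcher) -> Matcher:
        return lambda p: l(p) and r(p)

    @staticmethod
    def _or(l: Matcher, r: Matcher) -> Matcher:
        return lambda p: l(p) or r(p)


def select(expr: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets that the filter expression would keep."""
    matcher = FilterParser(expr).parse()
    return [p for p in packets if matcher(p)]


QUASAR = "quasar.cs.berkeley.edu"
SAMPLE = [  # constructed packets
    Packet("udp", "client.example.net", 51234, "ns.example.net", 53),     # DNS request
    Packet("udp", "ns.example.net", 53, "client.example.net", 51234),     # DNS reply
    Packet("tcp", "client.example.net", 40001, QUASAR, 22),               # SSH to quasar
    Packet("tcp", QUASAR, 22, "client.example.net", 40001),               # SSH from quasar
    Packet("tcp", "client.example.net", 40002, "www.example.net", 80),    # HTTP elsewhere
]

if __name__ == "__main__":
    for f in ["udp dst port 53", "udp src port 53", "udp port 53",
              f"dst host {QUASAR}", f"(tcp and host {QUASAR}) or udp port 53"]:
        print(f"{f!r}: keeps {len(select(f, SAMPLE))} of {len(SAMPLE)} packets")
```

Running it shows the progression of the slides: the two directional filters keep one DNS packet each, "udp port 53" keeps both, "dst host" keeps only the segment going to quasar, and the combined expression keeps everything except the unrelated HTTP packet. Dropping the parentheses gives the same result because and binds tighter than or, which is worth knowing before you rely on a long capture filter.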


Running tcpdump

Requires superuser/administrator privileges on Unix
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware on your machine

Tcpdump for Windows
◦ WinDump: http://www.winpcap.org/windump/
◦ Free software

So What is Wireshark?

◦ Packet sniffer/protocol analyzer
◦ Open Source Network Tool
◦ Latest version of the Ethereal tool


Wireshark Interface

Interfaces
◦ Packet List
◦ Packet Details
◦ Packet Bytes