Wireshark Slides



Wireshark

Jose L. Muñoz, Oscar Esparza, Juanjo Alins, Jorge Mata

Telematics Engineering
Universitat Politècnica de Catalunya (UPC)

1/17

Outline

1 wireshark
  Capturing packets
  Capture filter
  Display filter
  Follow streams

Getting Started I

Wireshark has become the de facto open-source tool for protocol analysis.
It provides low-level packet filtering and analytical capability, and it can store the captured traffic in a file for later analysis.
Once installed, you can run the protocol analyzer from a terminal by typing wireshark.
However, if you run Wireshark as an unprivileged user you can normally only open pcap files, not capture in real time, because opening a network interface for capture needs privileges that user does not have.
To run Wireshark as root in Linux, type (or log in as root):
$ sudo wireshark
Running the whole graphical application as root is the quick option for a lab machine; on most Linux distributions the safer alternative is to grant the capture privilege only to the dumpcap helper that Wireshark uses to read the interface (on Debian and Ubuntu, sudo dpkg-reconfigure wireshark-common plus membership in the wireshark group) and to keep running wireshark itself as your normal user.
In the initial Wireshark screen you have available the list of all the interfaces of the system.

Getting Started II

Click on one of the network interfaces to start capturing packets.

Capturing Packets I

To capture packets you have to select a network interface.
When you select an interface, you will be able to see the packets moving through that interface.
When there are captured packets available, you can select a packet and view its fields as decoded by Wireshark, and also the raw bytes of the packet in hexadecimal and ASCII.
Furthermore, in the bottom left corner of the Wireshark window, the protocol analyzer displays the size of the packet or field selected.

Capturing Packets II

In the example of the figure we have selected the IP source address of a packet, which, as you can see, occupies 4 bytes as expected for an IPv4 address.

Capture Options I

You can also select the capture options before starting the capture.
In our case, we will unset all the Name resolution options and we will always set Capture packets in promiscuous mode.
Disabling name resolution avoids the DNS lookups Wireshark would otherwise issue for every captured address; those lookups slow the display down and themselves put traffic on the network you are observing.
Promiscuous mode allows Wireshark to capture data link layer frames that are not destined to our host.
That is to say, frames whose destination link address is not the one of our own network interface.
Note that on a switched network you will still only see the frames the switch forwards to your port (broadcast, multicast and traffic for your own MAC address), unless you capture on a mirror (SPAN) port or on the host that sends or receives the traffic.

Capture Options II

Finally, notice that you can select a Capture Filter.

Capture filters I

Capture filters are used to select the data to record in the logs.
They are defined before starting the capture and cannot be changed while it runs.
Wireshark capture filters use the libpcap/tcpdump filter syntax (pcap-filter), which is compiled to a BPF program and applied by libpcap (in the kernel on most systems) before the packet ever reaches Wireshark, so a packet rejected by the capture filter is never stored.
The basic syntax for creating capture filters is the following:
(Parameter Value) Logical_Operation (Parameter Value) ...

Examples I

To capture only traffic to or from IP address 172.18.5.4, you can type the following capture filter:
host 172.18.5.4
(host without src or dst matches the address in either the source or the destination field, so both directions of a conversation are kept.)

To capture traffic to or from a range of IP addresses, you can type the following capture filter (both are equivalent):
net 192.168.0.0/24
net 192.168.0.0 mask 255.255.255.0

To capture traffic from a range of IP addresses, you can type the following capture filter (both are equivalent):
src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0

Examples II

To capture traffic to a range of IP addresses, you can type the following capture filter (both are equivalent):
dst net 192.168.0.0/24
dst net 192.168.0.0 mask 255.255.255.0

To capture only HTTP (port 80) traffic, you can type the following capture filter:
port 80
Note that port 80 matches TCP or UDP (and, in recent libpcap, SCTP) packets with port 80 as either the source or the destination port; write tcp port 80 to restrict it to TCP, and remember that a port number only suggests the application protocol, since a capture filter cannot look at the HTTP payload itself.

To capture non-HTTP and non-SSH traffic on 192.168.0.1, you can type the following capture filter (both are equivalent):
host 192.168.0.1 and not (port 80 or port 22)
host 192.168.0.1 and not port 80 and not port 22

Examples III

To capture all traffic except ICMP and HTTP traffic, you can type the following capture filter:
port not 80 and not icmp
(port not 80 is a spelling libpcap accepts for not port 80; note that a port test is false for packets with no transport header, such as ICMP, which is why the and not icmp term is still needed.)

To capture traffic within a range of ports, for example TCP ports between 2001 and 2500, you can type the following capture filter:
tcp portrange 2001-2500

To capture packets with source IP address 10.4.1.12 or source network 10.6.0.0/16, and having destination TCP port in the range 2001 to 2500 and destination IP network 10.0.0.0/8, you can type the following capture filter:
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 2001-2500 and dst net 10.0.0.0/8
The parentheses are required: and binds more tightly than or, so without them the filter would accept any packet from 10.4.1.12 regardless of port and destination.

Display Filter I

Display filters are used to search inside the captured logs.
They can be applied and modified while data is being captured, and changing them never discards packets: a display filter only decides which of the captured packets are shown.
You may wonder whether you should use a capture or a display filter.
Notice that the goals of the two filters are different.
The capture filter is used as a first coarse filter to limit the size of the captured data and avoid generating a log that is too big; whatever it discards is gone for good, so keep it broad while you are not yet sure what you are looking for.

Display Filter II

The display filter is much more powerful (and complex); it lets you search for exactly the data you want, using the names of the fields as dissected by Wireshark (for example ip.src, tcp.port or http.request.uri) rather than raw byte offsets.
Wireshark uses display filters for general packet filtering while viewing and for its coloring rules.
The basics and the syntax of the display filters are described in the Wireshark User's Guide, and you can also use the Analyze menu (option Display Filters) to build your display filter.

Examples I

To display only HTTP (port 80) and ICMP traffic, you can type the following display filter:
tcp.port eq 80 or icmp
(tcp.port is compared against both the source and the destination port, and eq is the same as ==.)

To display only traffic between workstations in the LAN 192.168.0.0/16, you can type the following display filter:
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

To match HTTP requests where the last characters in the URL/URI are the characters html, you can type the following display filter:
http.request.uri matches "html$"

Note: The $ character is a regular expression anchor that matches the end of a string, in this case the end of the http.request.uri field; without it, html would also match a URI such as /about.html?ref=1.
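As an added example (not part of the original slides, and not Wireshark's or libpcap's own code), the Python script below re-implements, on a handful of constructed packet summaries, the subset of the two filter languages used in the capture-filter Examples I to III and in the display-filter Examples I above: for capture filters, host, net (CIDR or mask form), port and portrange with the src, dst, tcp, udp and icmp qualifiers; for display filters, bare protocol names, field == value (alias eq) and field matches regex; and for both, and, or, not and parentheses. Running the slides' filters through it shows which sample packets each one keeps and lets you check the "both are equivalent" claims. The packet list, the names pkt, compile_filter, bpf_leaf, dfilter_leaf and select, and the simplified semantics are all assumptions of this example; the authority on real captures is libpcap's compiler and Wireshark's display-filter engine, and everything this toy does not list (IPv6, SCTP, !=, contains, byte offsets, protocol-specific fields) is simply unsupported.

```python
import ipaddress
import re

def pkt(proto, src, dst, srcport=None, dstport=None, uri=None):
    # Constructed packet summary (assumption: IPv4 only), with the dissected fields under their Wireshark names
    addrs = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    f = {"ip.src": addrs[:1], "ip.dst": addrs[1:], "ip.addr": addrs, proto: [True]}
    if srcport is not None:                                     # tcp.port occurs twice in one packet
        f[proto + ".port"], f[proto + ".dstport"] = (srcport, dstport), (dstport,)
    if uri is not None:                                         # only an HTTP request carries a URI
        f["http"], f["http.request.uri"] = [True], [uri]
    return {"proto": proto, "src": addrs[0], "dst": addrs[1], "srcport": srcport, "dstport": dstport, "fields": f}

PACKETS = [                                                     # constructed sample capture, not real traffic
    pkt("tcp", "192.168.0.5", "172.18.5.4", 51000, 80, "/index.html"),      # 0 HTTP request
    pkt("tcp", "172.18.5.4", "192.168.0.5", 80, 51000),                     # 1 HTTP reply
    pkt("tcp", "192.168.0.7", "192.168.0.1", 51001, 22),                    # 2 SSH to .1
    pkt("udp", "192.168.0.7", "192.168.0.1", 51002, 53),                    # 3 DNS to .1
    pkt("icmp", "10.4.1.12", "10.0.0.9"),                                   # 4 ping: no ports at all
    pkt("tcp", "10.4.1.12", "10.1.2.3", 40000, 2200, "/about.html?ref=1"),  # 5 dst port in 2001-2500
    pkt("tcp", "10.6.9.9", "172.16.0.1", 40002, 2300),                      # 6 dst outside 10.0.0.0/8
]
TOKEN_RE = re.compile(r'"[^"]*"|[()]|==|[^\s()=]+')             # quoted string | paren | == | word

def peek(toks):
    return toks[0] if toks else None

def compile_filter(text, leaf):
    # Parses the and/or/not/parenthesis layer both filter languages share; leaf(toks) parses one primitive.
    toks = TOKEN_RE.findall(text)
    def unary():
        if peek(toks) in ("not", "!"):
            toks.pop(0)
            p = unary()
            return lambda pk: not p(pk)
        if peek(toks) == "(":
            toks.pop(0)
            p = expr(0)
            if toks.pop(0) != ")":
                raise SyntaxError("missing ')'")
            return p
        return leaf(toks)
    def expr(level):                                            # precedence: or < and < not
        if level == 2:
            return unary()
        p = expr(level + 1)
        while peek(toks) in (("or", "||"), ("and", "&&"))[level]:
            op, a, b = toks.pop(0), p, expr(level + 1)
            p = lambda pk, a=a, b=b, o=op: (a(pk) and b(pk)) if o in ("and", "&&") else (a(pk) or b(pk))
        return p
    pred = expr(0)
    if toks:
        raise SyntaxError("trailing token %r" % toks[0])
    return pred

def bpf_leaf(toks):
    # Capture-filter primitive: [tcp|udp|icmp] [src|dst] host A | net N | port P | portrange L-H
    proto = toks.pop(0) if peek(toks) in ("tcp", "udp", "icmp") else None
    if proto and peek(toks) not in ("src", "dst", "port", "portrange"):
        return lambda pk: pk["proto"] == proto                 # bare 'tcp' / 'icmp'
    sides = (toks.pop(0),) if peek(toks) in ("src", "dst") else ("src", "dst")  # bare = either end
    kind = toks.pop(0)
    if kind == "host":
        addr = ipaddress.ip_address(toks.pop(0))
        return lambda pk: any(pk[s] == addr for s in sides)
    if kind == "net":
        spec = toks.pop(0)
        if peek(toks) == "mask":                                # 'net A mask M' is the same as 'net A/prefix'
            spec += "/" + (toks.pop(0) and toks.pop(0))
        net = ipaddress.ip_network(spec, strict=False)
        return lambda pk: any(pk[s] in net for s in sides)
    if kind not in ("port", "portrange"):
        raise SyntaxError("unknown primitive %r" % kind)
    negate = peek(toks) == "not" and toks.pop(0)                # libpcap also accepts 'port not 80'
    lo, _, hi = toks.pop(0).partition("-")
    lo, hi = int(lo), int(hi or lo)                             # 'port N' is the range N-N
    def in_range(pk):                                           # ICMP has no ports, so it never matches
        ok = pk["proto"] in ("tcp", "udp") and proto in (None, pk["proto"])
        return ok and any(lo <= pk[s + "port"] <= hi for s in sides)
    return (lambda pk: not in_range(pk)) if negate else in_range

def dfilter_leaf(toks):
    # Display-filter primitive: bare name, 'field == value' (alias 'eq'), or 'field matches regex'
    name = toks.pop(0)
    if peek(toks) not in ("==", "eq", "matches", "~"):
        return lambda pk: name in pk["fields"]                  # 'icmp', 'http': that layer is present
    op, rhs = toks.pop(0), toks.pop(0).strip('"')
    if op in ("matches", "~"):
        rx = re.compile(rhs)                                    # Wireshark uses PCRE; Python re is enough here
        return lambda pk: any(rx.search(str(v)) for v in pk["fields"].get(name, ()))
    net = ipaddress.ip_network(rhs, strict=False) if "/" in rhs else None   # ip.src == 192.168.0.0/16
    return lambda pk: any(str(v) == rhs if net is None else v in net for v in pk["fields"].get(name, ()))

def select(leaf, text, packets=PACKETS):                        # indexes of the packets the filter accepts
    match = compile_filter(text, leaf)
    return [i for i, pk in enumerate(packets) if match(pk)]

if __name__ == "__main__":
    print(select(bpf_leaf, "port not 80 and not icmp"), select(dfilter_leaf, 'http.request.uri matches "html$"'))
```

Two things the sample output makes visible: a bare host or port (and the display-filter field tcp.port) is tested against both endpoints, so host 192.168.0.1 keeps both directions of a conversation; and a port test is silently false for a packet with no transport header, so port not 80 on its own would still let the ICMP packet through, which is why the slide's filter also says and not icmp. A display-filter == is likewise true when any occurrence of the field matches, so ip.addr == 192.168.0.1 shows both directions of the SSH and DNS packets.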

Streams I

Another very useful feature of Wireshark that we are going to use is Follow stream.
This feature can be selected from the Analyze menu and it works as follows:
If you have a TCP or UDP packet selected and you select Follow TCP stream or Follow UDP stream, a separate window appears with all the contents of the data stream to which that packet belongs, with the payloads of the segments put back in order and each direction of the conversation shown separately.
In addition, the main display of Wireshark will leave the list of packets in a filtered state, with only those packets that are part of that TCP or UDP stream being displayed; Wireshark does this by writing a display filter such as tcp.stream eq 0 into the filter text box, where the number is the position of that stream among the streams seen in the capture.
You can revert to your old view by pressing ENTER in the display filter text box, thereby invoking your old display filter (or resetting it back to no display filter).
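The following Python script is an added example, not part of the original slides and not Wireshark's own code: it reproduces in miniature what Follow TCP Stream does with the captured segments, on a constructed set of segments (no real capture is read). It picks out the stream the selected segment belongs to, numbers streams the way the tcp.stream field does, and reassembles each direction by sequence number, dropping a retransmitted segment and marking a hole where a segment was not captured. The tuple layout of SEGMENTS and the names stream_key, follow_filter and follow_tcp_stream are assumptions of the example; Wireshark's real reassembly also handles SYN/FIN, relative sequence numbers, wrap-around and many other corner cases that are ignored here.

```python
from collections import defaultdict

# Constructed TCP segments, not real capture data: (src, sport, dst, dport, seq, payload).
# The server's two segments arrive out of order and the last segment is a retransmission.
SEGMENTS = [
    ("10.0.0.5", 51000, "172.18.5.4", 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.5", 51000, "172.18.5.4", 80, 1026, b"Host: www.example.org\r\n\r\n"),
    ("172.18.5.4", 80, "10.0.0.5", 51000, 5017, b"Content-Length: 2\r\n\r\nok"),  # arrives early
    ("172.18.5.4", 80, "10.0.0.5", 51000, 5000, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.8", 40000, "172.18.5.4", 80, 7000, b"GET /other HTTP/1.1\r\n"),       # another stream
    ("10.0.0.5", 51000, "172.18.5.4", 80, 1000, b"GET /index.html HTTP/1.1\r\n"),  # retransmission
]

def stream_key(seg):
    # Direction-independent stream identity: the sorted pair of (address, port) endpoints.
    return tuple(sorted([(seg[0], seg[1]), (seg[2], seg[3])]))

def follow_filter(segments, selected):
    # The display filter Wireshark leaves in the filter box: streams are numbered in the
    # order in which they first appear in the capture, which is what tcp.stream holds.
    numbers = {}
    for seg in segments:
        numbers.setdefault(stream_key(seg), len(numbers))
    return "tcp.stream eq %d" % numbers[stream_key(selected)]

def follow_tcp_stream(segments, selected):
    # Returns {(src, sport, dst, dport): bytes}, one entry per direction of the stream the
    # selected segment belongs to, with the payloads put back in sequence-number order.
    key = stream_key(selected)
    per_direction = defaultdict(list)
    for seg in segments:
        if stream_key(seg) == key:
            per_direction[seg[:4]].append((seg[4], seg[5]))
    out = {}
    for direction, chunks in per_direction.items():
        data, expected = b"", None
        for seq, payload in sorted(chunks):              # sequence order, not arrival order
            if expected is None:
                expected = seq                           # no SYN here: the first byte seen is the start
            if seq + len(payload) <= expected:
                continue                                 # every byte already seen: a retransmission
            if seq < expected:                           # partial overlap: keep only the new tail
                payload, seq = payload[expected - seq:], expected
            if seq > expected:                           # hole: a segment was not captured
                data += b"[%d bytes missing in capture file]" % (seq - expected)
            data += payload
            expected = seq + len(payload)
        out[direction] = data
    return out

if __name__ == "__main__":
    print(follow_filter(SEGMENTS, SEGMENTS[0]))
    for direction, data in follow_tcp_stream(SEGMENTS, SEGMENTS[0]).items():
        print("%s:%d -> %s:%d\n%s" % (direction + (data.decode("latin-1"),)))
```

Selecting any segment of the first conversation yields the same two reassembled directions, the segment from 10.0.0.8 is left out because its endpoint pair differs, and the duplicated GET line appears only once; this is also why the stream view is the right place to read a plaintext credential or a downloaded file, while the packet list is the right place to see how it was split across the wire.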

Streams II