Tss academy
Sponsored Links
This presentation is the property of its rightful owner.
1 / 42

TSS Academy PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

TSS Academy. Troubleshooting with. So What is WireShark?. Open Source Network Tool Packet sniffer/protocol analyzer. 0010100100101011101010101. WiFi Packet Sniffing Association Issues. Air PCAP (Hardware). Cascade Pilot (Commercial). From the F irehose.

Download Presentation

TSS Academy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

TSS Academy

Troubleshooting with

So What is WireShark?

  • Open Source Network Tool

  • Packet sniffer/protocol analyzer


WiFi Packet Sniffing

Association Issues

Air PCAP (Hardware)

Cascade Pilot (Commercial)

From the Firehose

One gigabit per second, equates to over 83,000 packets per second, or only 12 microseconds per packet. 

Wireshark Process

  • Capture Traffic

  • Display & Analyze Traffic

  • Summarize Traffic

Where do I put WireShark?

Location, Location, Location



Switch with a SPAN port




interface FastEthernet0/1

port monitor FastEthernet0/2


interface FastEthernet0/1

port monitor FastEthernet0/2 rx

Interface FastEthernet0/3

port monitor FastEthernet0/2 tx

VLAN Monitoring

interface FastEthernet0/1

port monitor VLAN1

“Promiscuous” Mode

  • Ethernet Frames are Addressed.

  • Ethernet NICs ignore frames not for them.

Install Wireshark on Client/Server

  • Wireshark runs on demand.

  • WinPCAP can be disabled in Services.

Selectively Ignore Traffic

Capture Filter Examples


host and host


net mask

src net

port 53

tcp port http


not broadcast not multicast

ether host 00:04:13:00:09:a3

Capture Filter

Capture Options

Capture Interfaces

Capturing Data (Capture Window)

Stopping the Packet Capture

Displaying Packets

Display (Post) Filters

  • Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace

  • Display filters use their own format and are much more powerful then capture filters

Wireshark Display Filter CheatSheet (packetlife.net)

Display Filter Expression Builder

To Search.. Just type….

Display Filter Examples


ip.addr== && ip.addr==

tcp.port==80 || tcp.port==3389

!(ip.addr== && ip.addr==

(ip.addr== && ip.addr== && (tcp.port==445 || tcp.port==139)

(ip.addr== && ip.addr== && (udp.port==67 || udp.port==68)

Display Example

dns.qry.name == "www.youtube.com"

and not dns.resp.addr ==

Analyzing Data

Statistics Menu

I/O Graph (With Filters)

Protocol Hierarchy

Protocol Hierarchy

Follow TCP Stream

Follow TCP Stream

red - stuff you sent blue - stuff you get

Resources & Credits

  • Wireshark WIKI http://wiki.wireshark.org

  • http://ilta.ebiz.uapps.net/ProductFiles/productfiles/672/wireshark.ppt‎

  • www.wiresharkuniversity.com

  • Login