Tss academy
Sponsored Links
This presentation is the property of its rightful owner.
1 / 42

TSS Academy PowerPoint PPT Presentation


  • 206 Views
  • Uploaded on
  • Presentation posted in: General

TSS Academy. Troubleshooting with. So What is WireShark?. Open Source Network Tool Packet sniffer/protocol analyzer. 0010100100101011101010101. WiFi Packet Sniffing Association Issues. Air PCAP (Hardware). Cascade Pilot (Commercial). From the F irehose.

Download Presentation

TSS Academy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


TSS Academy

Troubleshooting with


So What is WireShark?

  • Open Source Network Tool

  • Packet sniffer/protocol analyzer

0010100100101011101010101


WiFi Packet Sniffing

Association Issues

Air PCAP (Hardware)


Cascade Pilot (Commercial)


From the Firehose

One gigabit per second, equates to over 83,000 packets per second, or only 12 microseconds per packet. 


Wireshark Process

  • Capture Traffic

  • Display & Analyze Traffic

  • Summarize Traffic


Where do I put WireShark?


Location, Location, Location


Hub


Switches


Switch with a SPAN port


TAP


HUBS


Switch

interface FastEthernet0/1

port monitor FastEthernet0/2


Switch

interface FastEthernet0/1

port monitor FastEthernet0/2 rx

Interface FastEthernet0/3

port monitor FastEthernet0/2 tx


VLAN Monitoring

interface FastEthernet0/1

port monitor VLAN1


“Promiscuous” Mode

  • Ethernet Frames are Addressed.

  • Ethernet NICs ignore frames not for them.


Install Wireshark on Client/Server

  • Wireshark runs on demand.

  • WinPCAP can be disabled in Services.


Selectively Ignore Traffic


Capture Filter Examples

host 10.1.11.24

host 192.168.0.1 and host 10.1.11.1

net 192.168.0.0/24

net 192.168.0.0 mask 255.255.255.0

src net 192.168.0.0/24

port 53

tcp port http

ip

not broadcast not multicast

ether host 00:04:13:00:09:a3


Capture Filter


Capture Options


Capture Interfaces


Capturing Data (Capture Window)


Stopping the Packet Capture


Displaying Packets


Display (Post) Filters

  • Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace

  • Display filters use their own format and are much more powerful then capture filters


Wireshark Display Filter CheatSheet (packetlife.net)


Display Filter Expression Builder

To Search.. Just type….


Display Filter Examples

ip.src==10.1.11.24

ip.addr==192.168.1.10 && ip.addr==192.168.1.20

tcp.port==80 || tcp.port==3389

!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)

(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)

(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)


Display Example

dns.qry.name == "www.youtube.com"

and not dns.resp.addr == 208.70.74.21


Analyzing Data


Statistics Menu


I/O Graph (With Filters)


Protocol Hierarchy


Protocol Hierarchy


Follow TCP Stream


Follow TCP Stream

red - stuff you sent blue - stuff you get


Resources & Credits

  • Wireshark WIKI http://wiki.wireshark.org

  • http://ilta.ebiz.uapps.net/ProductFiles/productfiles/672/wireshark.ppt‎

  • www.wiresharkuniversity.com


  • Login