Packets and Protocols Chapter 4 - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Packets and Protocols Chapter 4' - ryder


Presentation Transcript

Packets and Protocols Chapter 4

Chapter Four

Using Wireshark

slide2

The Wireshark main window

■ Menu bar

■ Tool bar

■ Summary window

■ Protocol Tree window

■ Data View window

■ Filter bar

■ Information field

■ Display information

slide3

Main window components

slide4

Summary window components

slide5

Summary window example

What does this summary info tell us?

slide6

  • Protocol tree window
    • The fields in this window can be expanded or collapsed
      • The 1st line will generally tell you most of what you need but you can drill down for further detail
      • Click on the plus sign to expand
slide7

Protocol window example

What does this protocol info tell us?

slide8

  • Data View Window

Good place to find passwords and usernames!

slide9

  • Filter bar
    • Used to build display filters
      • Will not allow invalid capture filters
      • Filter is not applied until you click apply!
  • Information field (bottom of capture)
    • Displays capture filename and size
  • Display information field
    • P = Total
    • D = Displayed
    • M = Marked
slide12

  • There are several save options
    • Captured
    • Displayed
    • Range

slide13

  • Note that when you save a filtered capture, you strip off all other packets in the newly saved capture file
    • Make sure you do not need these packets!
slide15

  • Wireshark name resolution
    • Three modes
      • MAC name resolution
        • Uses OUI names
        • Identified by 1st 6 bytes
      • Network name resolution
        • i.e. DNS name resolution
      • Transport name resolution
        • Translates ports to names
slide16

  • Save as dialogue box

Note that many file types are available

slide17

  • Print dialog

You can print in plain text or PostScript, or output to a file

slide18

  • Printing options
    • The summary line
    • All packets
    • Marked packets
    • Packets from x to y
    • All or partial detail
slide21

  • Find packet
    • Allows a search by filter, hex or string value
      • Uses same filters as display filters
      • Can search by hex characters (good for MAC addresses)
      • String search useful for usernames, etc.
    • Ability to search up or down
    • Case sensitive or insensitive
slide22

  • Time reference toggle
    • Allows you to calculate inter-packet times between packets you select
      • How long did client “B” take to respond to client “A”?
slide23

  • Preferences

Allows you to customize Wireshark to your personal liking or needs

slide24

  • The View Menu

Much of how Wireshark displays a capture can be customized from the View menu

slide26

  • Time display information
    • Time is gathered from LOCAL system time
    • Very important to synchronize times when doing simultaneous captures on two platforms
      • Wireshark can display time since the first captured packet or the delta from the previous packet
    • Automatically display live capture
      • Useful when you need to watch the packet flow, but can slow the capture process
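The time-reference toggle (slide 22) and the time display options above (time since the first packet, delta from the previous packet) can be reproduced outside the GUI. This Python example is added here and is not part of the slides; it builds a small constructed libpcap file in memory, reads the per-record timestamps and computes the same three columns, with packet 3 toggled as the time reference:

```python
import struct

# Added example (not from the slides): parse a libpcap file and compute the
# time columns Wireshark offers, including the "time reference" toggle.
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution libpcap, little-endian here

def read_pcap_times(data):
    """Return a list of (seconds, bytes_on_wire) for each record in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, records = 24, []            # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16 + incl_len         # skip the packet bytes themselves
        records.append((ts_sec + ts_usec / 1e6, orig_len))
    return records

def time_columns(times, references=()):
    """Per packet: seconds since first packet, delta from previous packet,
    and seconds since the most recent time-reference packet (None before one)."""
    rows, ref = [], None
    for i, t in enumerate(times):
        if i in references:
            ref = t                  # toggled packet becomes the new reference
        rows.append({
            "since_first": round(t - times[0], 6),
            "delta_prev": round(t - times[i - 1], 6) if i else 0.0,
            "since_ref": round(t - ref, 6) if ref is not None else None,
        })
    return rows

def build_sample_pcap(stamps):
    """Constructed capture: one zero-filled 60-byte frame per timestamp."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 60, 60) + bytes(60)
    return out

# Constructed stamps: client A sends at t=0 and t=1.0s, client B replies 0.25s later.
SAMPLE = build_sample_pcap([(1000, 0), (1000, 250000), (1001, 0), (1001, 250000)])

if __name__ == "__main__":
    times = [t for t, _ in read_pcap_times(SAMPLE)]
    for n, row in enumerate(time_columns(times, references={2}), start=1):
        print(n, row)
```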
slide27

  • Color filters
    • Useful for the color-blind
    • Allows you to change the color of protocols, errors, etc.
slide28

A color coded display can help you troubleshoot

slide29

  • Show packet in new window
    • Allows you to zero in on a single packet
slide30

  • Go menu
    • Allows you to navigate through the capture
slide32

  • You can capture on any single interface on your Wireshark PC

* The packet count and packets-per-second figures shown in the Capture Interfaces dialog box are not the totals seen by the interfaces; they are the count and rate seen by each interface since the Capture Interfaces dialog box was opened

slide35

  • Protocol (Ethernet) Tab
slide37

  • Capture Options
    • How to display?
    • What is captured?
    • Where to store?
    • When to capture?
slide38

What interface?

Buffer size?

Promiscuous?

Capture filter?

Where to save?

Use multiple Files?

How many?

When to stop?

slide39

  • Buffer size vs. Capture size
    • Buffer size is dependent upon RAM
    • Capture size is dependent upon hard drive size
  • Too large a buffer can slow the capture process and cause data loss – too small will not give the HDD time to write the data
    • Defaults are best!
slide40

  • Capture options
    • While you can stop a capture based on:
      • Capture a number of packets and stop
      • Capture for a period of time and stop
      • Capture a number of kilobytes and then stop
    • There is no way to start a capture automatically (with Wireshark)
slide41

  • The capture dialog box
slide42

  • Ringing the capture buffer
    • Allows you to save multiple captures
      • Select “Use multiple files”
      • Select “Next file every …” Minutes or KB
      • Choose how many files to keep (“Ring buffer”)
      • Decide when to stop the capture
        • Stop capture after
          • X ring captures
          • X minutes/hours/days
          • KB/MB/GB
slide44

  • Capture filter list
    • Name the filter
    • Create the filter
slide45

  • Capture filters vs. Display filters
    • Capture filters are used before the capture to narrow what is gathered
    • Display filters are used after the capture to filter the output
  • Capture and display filters are different
    • Capture = tcp port http
    • Display = protocol=http
      • Both do the same thing!
slide47

  • There are literally thousands of capture options available, and the good news is that most have already been written for you.
slide48

  • Edit display filter list
    • Allows you to create display filters via GUI
  • Select Major protocol…
slide49

  • Operators include:
    • ==
    • !=
    • >
    • <
    • >=
    • <=
  • Select operator
slide50

  • Select value
  • Note that the value will change depending upon the protocol chosen
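The operator list above (slide 49), the value selection (slide 50) and the display-filter syntax from slide 45 can be illustrated with a small evaluator. This Python example is added here and is not from the slides; it parses one "field operator value" expression and applies it to constructed decoded packets (the field names frame.len, ip.src, tcp.port and udp.port are assumed for the sample):

```python
import operator
import re

# Added example: a tiny evaluator for the "field operator value" display filters
# built by the Edit Display Filter dialog. Field names in SAMPLE are assumptions.
OPERATORS = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
}

# Two-character operators are listed first so ">=" is not matched as ">".
_FILTER_RE = re.compile(r"^\s*([\w.]+)\s*(==|!=|>=|<=|>|<)\s*(\S+)\s*$")

def parse_filter(text):
    """Split 'field op value' into its three parts; reject invalid syntax."""
    m = _FILTER_RE.match(text)
    if not m:
        raise ValueError(f"invalid display filter: {text!r}")
    return m.group(1), m.group(2), m.group(3)

def coerce(value, field_value):
    """The value's type follows the selected field, as slide 50 points out."""
    if isinstance(field_value, int):
        return int(value, 0)
    return value

def matches(packet, text):
    """True if a decoded packet (dict of field -> value) satisfies the filter."""
    field, op, value = parse_filter(text)
    if field not in packet:           # field absent from this packet: no match
        return False
    actual = packet[field]
    return OPERATORS[op](actual, coerce(value, actual))

def apply_filter(packets, text):
    """Return the packets that would remain displayed after clicking Apply."""
    return [p for p in packets if matches(p, text)]

# Constructed sample capture: three decoded frames.
SAMPLE = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "10.0.0.5", "tcp.port": 80},
    {"frame.number": 2, "frame.len": 1514, "ip.src": "10.0.0.9", "tcp.port": 443},
    {"frame.number": 3, "frame.len": 60, "ip.src": "10.0.0.5", "udp.port": 53},
]

if __name__ == "__main__":
    for expr in ("tcp.port == 80", "frame.len >= 1000", "ip.src != 10.0.0.5"):
        print(expr, "->", [p["frame.number"] for p in apply_filter(SAMPLE, expr)])
```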
slide51

  • Display Filter dialog box
    • Filter Name
    • Filter String

slide52

  • Apply as filter vs. prepare a filter
    • The Apply as Filter and Prepare a Filter submenus have the same options and behave in the same way with one exception:
      • The Prepare a Filter submenu items prepare a display filter string and place it in the Filter text box.
      • The Apply as Filter submenu items prepare a display filter string, place it in the Filter text box, and apply it to the capture.
slide54

  • Apply as filter examples:
  • Note the importance of the operators!
slide55

  • To enable or not to enable?
    • Disabling protocols may make your sniffer run faster (maybe)
slide56

  • Decode as…
    • Forces Wireshark to decode a protocol the way you decide.
    • Not used very often – best not to override defaults
slide57

  • Since Wireshark is open source, there are already many, many protocols pre-programmed in. The “decode as” option is not generally needed unless you are sniffing a proprietary protocol.
slide58

  • Following a TCP or SSL stream

Very useful for following a conversation, but usually only if the data is sent in the clear (telnet, SMTP, etc.)

slide59

  • SMTP follow TCP stream example
slide60

  • Expert info (and expert info composite) is used to sort errors and problems
    • The Expert Info and Expert Info Composite menu options provide identical information in similar layouts. Both options provide a breakdown of the current capture, and display summary information about current conversations, errors, and warnings that can be derived from the traffic patterns. These options are a great method to use to begin troubleshooting traffic-related issues, as they provide some simple error related information without having to analyze each packet by hand.
slide62

  • The statistics menu
    • Provides many useful traffic statistics
slide63

  • Statistics menu options
slide64

  • Statistics menu options
slide65

  • Statistics menu options
slide66

  • Capture Summary dialogue box
    • Gives a great quick summary of the capture statistics
slide67

  • Protocol hierarchy statistics
    • Gives statistics broken down by each protocol
slide68

  • Protocol hierarchy statistics columns
slide70

  • TCP Stream Graph Options
slide71

  • The RTT graph shows the RTT vs. the sequence number. You can see the RTT spike around sequence number 1000000, which is roughly the same sequence number where you will see a discontinuity in the time-sequence graphs.
slide72

  • The throughput graph shows the throughput of the TCP stream vs. time.
slide73

  • The time-sequence graph (Stevens) produces a simple graph of TCP sequence numbers vs. time for the TCP stream containing the packet that was selected in the Summary window
slide74

  • The time-sequence graph (tcptrace) is also primarily a graph of TCP sequence numbers vs. time. Unlike the Stevens’ style time-sequence graph, however, it conveys a lot more information about the TCP stream.
slide75

  • Using graphs for trouble-shooting dropped segments

Note the packet drop errors (REF pg 200)

slide76

  • Using graphs for trouble-shooting throughput issues

Why does the throughput drop off? REF pg 201

slide77

  • Using graphs for trouble-shooting throughput issues (cont)

Why is the throughput so jagged?

slide78

  • Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake!*

*This is, of course, after you know what a normal network sniffer capture looks like!

slide79

  • Graph Control
    • Many aspects of the graph functions can be customized, including
      • Zoom
        • Zoom in/out of graph sections
      • Magnify
        • Allows you to dig more deeply into parts of the gathered data
      • Origin
        • Start/Stop at any point in the capture
      • Cross
        • Turn crosshairs on/off
      • Graph Type
        • Select the type of graph
slide81

  • Manual Pages submenu
slide83

  • Special Menus
    • Pop up menus
      • Summary menu options

slide84

  • Special Menu
    • Summary pop up
slide85

  • Special Menu
    • Protocol tree
      • Protocol tree menu options

slide86

  • Special Menu
    • Protocol tree pop up
slide87

  • Special Menu
    • Data view
      • Data view menu options

slide88

  • Command line options
    • Wireshark can also be run via command line.
slide89

  • To capture on interface eth0 immediately and write the results to a ring buffer with three files of maximum size 100 kilobytes with base filename test.libpcap, execute the following at the command line:

wireshark -i eth0 -k -w test.libpcap -b 3 -a filesize:100