2. What is it?!
World’s most famous network protocol analyzer
Powerful live-capture and display filter
Used to be “Ethereal”
Deep inspection of hundreds of protocols, and more being added each day…
Multi-platform, runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, VxWorks, Android, and much more.
Open/save many capture formats: tcpdump (libpcap), Microsoft Network Monitor, and proprietary (WildPackets *peek, CA Sniffer, RADCOM, and many others)
Its sponsor (CACE) was recently acquired by Riverbed. (Don’t want to talk about it…)
3. Agenda:
Tool introduction
The Capture Screen
Performing a Simple Capture
Capture options (promiscuous mode, name resolution, buffer size, etc…)
Display Filters
Sample Capture - DNS and HTTP (www.ebay.com)
Sample Capture - ICAP
Annex A – Handling Duplicate Packets
Annex B – Useful Websites
Annex C – HTTP Status Codes.
4. Introduction
It’s a Network Analyzer!
Will capture network packets and display them in as much detail as possible
Custom Capture: all packets destined to the workstation where Wireshark runs (the WS Wkst.)
Good to sniff traffic intended for the PC or server where Wireshark is installed
Promiscuous mode: all packets on the wire
Good to sniff communication between multiple devices (ex. from the Proxy, sniff DNS, Client, OCS, and so on…) / diagnose problems.
Can be captured on a mirrored port, SPAN or network TAP for full network visibility.
How does it work? In promiscuous mode the network interface accepts frames for every destination MAC (as if its own address were FF:FF:FF:FF:FF:FF) and passes all packets on the wire up to Wireshark, instead of dropping the packets intended for other network devices.
7. Capture Options
Enable Promiscuous mode
Limit packet size if you don’t want to analyze the payload (only headers)
Personalize Display options
Personalize Name Resolution
MAC: vendor list (very useful)
Network: reverse DNS (rDNS) resolution. Do not enable it; it can slow things down
Transport: protocol name (very useful)
8. Display Filters
Use the filter box to enter the filter expression
The expressions can be saved into the Filter Profile for future use.
9. Display Filters (cont.)
Filter expression examples (field names are lowercase in Wireshark):
Ethernet
eth.addr == <MAC address>
eth.src / eth.dst == <MAC address>
vlan.id == <VLAN id>
Internet Protocol
ip.addr == <IP address>
ip.src / ip.dst == <IP address>
ip.dsfield == 0x00
TCP
tcp.flags.syn / tcp.flags.ack / tcp.flags.fin == 0 or 1
Application or Protocol
http, dns, icap, icmp, socks…
TIP
• You can see the whole expression list using the “Expression” button on the toolbar
• It’s possible to search options using the “/” key
• Use Boolean operators (AND, OR, NOT)
In case a protocol is being decoded by the wrong “dissector” you can change it with the “Decode As…” option.
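As an added example (not part of the original workshop), the Python below reads a libpcap (tcpdump) file, extracts the fields the slide names (eth.src, ip.addr, ip.dsfield, tcp.flags.*), and applies the slide's filter expressions as predicates; the capture, MAC and IP values are constructed, not real traffic.

```python
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace(':', '') + src_mac.replace(':', '')) + b'\x08\x00'
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split('.'))), bytes(map(int, dst_ip.split('.'))))
    return eth + ip + tcp

def build_pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # libpcap global header, link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1700000000, i * 1000, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

def parse_pcap(data):
    """Yield one dict per packet, keyed with Wireshark display-filter field names."""
    end, pos = ('<' if struct.unpack_from('<I', data)[0] == 0xa1b2c3d4 else '>'), 24
    while pos + 16 <= len(data):
        caplen = struct.unpack_from(end + 'IIII', data, pos)[2]
        pkt = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        p = {'eth.dst': pkt[:6].hex(':'), 'eth.src': pkt[6:12].hex(':')}
        if pkt[12:14] == b'\x08\x00':                                 # EtherType IPv4
            p['ip.src'], p['ip.dst'] = ('.'.join(map(str, pkt[o:o + 4])) for o in (26, 30))
            p['ip.dsfield'] = pkt[15]
            if pkt[23] == 6:                                           # IP protocol 6 = TCP
                flags = pkt[14 + (pkt[14] & 0x0f) * 4 + 13]            # TCP flags byte
                p['tcp.flags.fin'], p['tcp.flags.syn'], p['tcp.flags.ack'] = flags & 1, flags >> 1 & 1, flags >> 4 & 1
        yield p

# Constructed capture: one client's three-way handshake to a web server, plus a SYN from a second client.
CLIENT, SERVER, OTHER = '10.0.0.5', '203.0.113.7', '10.0.0.9'
MAC_C, MAC_S, MAC_O = 'aa:aa:aa:00:00:01', 'bb:bb:bb:00:00:01', 'aa:aa:aa:00:00:02'
FRAMES = [build_frame(MAC_C, MAC_S, CLIENT, SERVER, 51000, 80, 0x02),   # SYN
          build_frame(MAC_S, MAC_C, SERVER, CLIENT, 80, 51000, 0x12),   # SYN/ACK
          build_frame(MAC_C, MAC_S, CLIENT, SERVER, 51000, 80, 0x10),   # ACK
          build_frame(MAC_O, MAC_S, OTHER, SERVER, 51001, 80, 0x02)]    # SYN from another host

FILTERS = {  # the slide's filter expressions, written as predicates over the parsed field dicts
    'ip.addr == 10.0.0.5': lambda p: CLIENT in (p.get('ip.src'), p.get('ip.dst')),
    'eth.src == aa:aa:aa:00:00:01': lambda p: p['eth.src'] == MAC_C,
    'tcp.flags.syn == 1 and tcp.flags.ack == 0': lambda p: p.get('tcp.flags.syn') == 1 and p.get('tcp.flags.ack') == 0,
    'ip.dsfield == 0x00 and not tcp.flags.syn': lambda p: p.get('ip.dsfield') == 0 and not p.get('tcp.flags.syn'),
}

def match_counts(pcap_bytes=None):  # -> {expression: number of matching packets}
    data = build_pcap(FRAMES) if pcap_bytes is None else pcap_bytes
    return {expr: sum(1 for p in parse_pcap(data) if pred(p)) for expr, pred in FILTERS.items()}
```

Note that ip.addr matches either direction of a conversation (source or destination), which is why it sees all three handshake packets while ip.src would see only two.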
10. Display Filters (cont. 2)
You can create filters based on the options selected directly from the packet capture.
Apply as a Filter: the filter is applied immediately with the selected parameter.
Prepare as a Filter: the filter expression is written into the “Filter” bar at the top, without being applied yet.
Colorize as a Filter: the packets matched by the filter can be colorized with custom colors.
11. Sample Capture #1
Capture: Open www.ebay.com at the browser
Open Summary (check throughput, size, packets)
Select: “Follow TCP Stream”
Configure “Manually Resolve Address”
Configure the “Delta Time” column – check server response time.
Show “Statistics > Endpoints”
Show “Statistics > Conversations”
Show “Statistics > IO Graphs”
Extract HTTP objects from the capture: “File > Export > Objects > HTTP”
12. Sample Capture #2
Open Capture with ICAP example
Check Origin and Destination Address
Configure “Manually Resolve Address” for Proxy, AV and DNS
Create a Display Filter for ICAP traffic only
Check server response time on “Delta Time”
Select a session and “Follow TCP Stream”
Open Summary (check throughput, size, packets)
Check server requests, responses and health-checks.
It’s also possible to retrieve HTTP objects from an ICAP connection.
13. Annex A: Duplicate Packets
Dup. packets due to network retransmission
If a sending host thinks a packet was not transmitted correctly because of packet loss, it might retransmit that packet. The receiving host might already have received the first packet and will then receive a second one, which is a duplicated packet.
To filter these packets out of the view, use the display filter:
not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission
Dup. packets due to a routing or switching loop
These packets can be seen when sniffing through a mirrored port or network TAP.
Use “editcap.exe” in %ProgramFiles%/Wireshark/ to remove them.
Example: editcap -d capture.pcap dedup.pcap
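To show what the editcap -d step above actually does to a capture, here is an added Python re-implementation (not Wireshark's own code) of windowed duplicate removal; editcap's default window of 5 packets is a fact, but the exact bookkeeping of its window is an assumption here, and the packet byte strings are constructed.

```python
import hashlib
from collections import deque

def dedup(packets, window=5):
    """Drop any packet whose bytes equal one of the previous `window` packets.
    Mirrors what editcap -d does for loop-induced duplicates (default window 5);
    editcap's exact window bookkeeping is assumed, not copied from its source.
    Returns (kept_packets, dropped_indexes)."""
    recent = deque(maxlen=window)       # MD5 digests of the last `window` packets seen
    kept, dropped = [], []
    for i, pkt in enumerate(packets):
        digest = hashlib.md5(pkt).digest()
        if digest in recent:
            dropped.append(i)           # byte-identical to a recent packet: loop duplicate
        else:
            kept.append(pkt)
        recent.append(digest)           # assumption: dropped packets still count towards the window
    return kept, dropped

# Constructed sample: short byte strings standing in for raw frames as seen on a SPAN port.
SAMPLE = [b'frame-A', b'frame-B', b'frame-A',            # frame-A arrives twice via the loop
          b'frame-C', b'frame-D', b'frame-E', b'frame-F', b'frame-G',
          b'frame-A']                                     # genuine repeat, outside the window

def demo():
    """Returns (number of packets kept, indexes dropped) for the constructed sample."""
    kept, dropped = dedup(SAMPLE)
    return len(kept), dropped
```

The window is what makes editcap -d a tool for loop duplicates rather than a retransmission filter: an identical packet arriving well after the original (the last frame-A) is kept, so use the tcp.analysis display filter above for retransmissions.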
14. Annex B: Useful Websites
Download Wireshark!
www.wireshark.org
This workshop was created using version 1.6.0
Capture examples:
http://wiki.wireshark.org/SampleCaptures
The SampleCaptures area of the wireshark.org wiki has a good list of capture examples.
http://packetlife.net/captures/
One of the greatest IT/Telecom blogs … offers great capture examples and network posters with protocol detail.
15. Annex C - HTTP Status Codes
1xx – Informational codes
2xx – Success
200 OK
3xx – Redirection
300 Multiple Choices
301 Moved Permanently
302 Found
304 Not Modified
307 Temporary Redirect
4xx – Client Error
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
410 Gone
5xx – Server Error
500 Internal Server Error
501 Not Implemented
503 Service Unavailable
550 Permission denied