
Wireshark Introduction and Usage Guide
COMP2322 Lab 1: Introduction to Wireshark
Weichao Li, Jan. 22, 2016

Before the lab
- Review the content of communication architecture.
- Review the TCP/IP model and protocol suite.
- Understand data transfer, layering, and encapsulation/demultiplexing.

Content
- Data capture basics and tools
- Getting started with Wireshark
- Advanced usage
- Traffic and protocol analysis

Packet capture
Why do we need to capture packets?
- troubleshoot network problems
- examine security problems
- debug protocol implementations
- learn network protocol internals

Existing packet capture tools/sniffers
Classic tools:
- Wireshark (http://www.wireshark.org/)
- tcpdump (http://www.tcpdump.org/)
Other tools: Ettercap, Dsniff, Ntop, KISMET, WinDump, Tshark

What is Wireshark?
An open-source network protocol analyzer: it captures network packets and displays the packet data.
- Decodes 1,926 protocols (V2.0.1).
- Supports command-line and GUI interfaces.
- Runs on many platforms, including Windows, OS X, Linux, and UNIX.
- Many online resources, e.g. the Wireshark User's Guide (http://www.wireshark.org/download/docs/user-guide-a4.pdf)
How does Wireshark work?
[Diagram: Wireshark sits on top of the platform's capture library, WinPcap on Windows and libpcap on Linux.]

Libpcap and WinPcap
Libpcap and WinPcap are libraries for network traffic capture, providing the core functions of packet capturing.
- Linux/Unix -> libpcap
- Windows -> WinPcap
Homepage of libpcap: http://www.tcpdump.org/
Homepage of WinPcap: http://www.winpcap.org

Tcpdump and WinDump
Tcpdump
- Unix-based command-line tool used to analyze packets
- Includes filtering to capture just the packets of interest
- Homepage: http://www.tcpdump.org/
WinDump
- The Windows version of tcpdump
- Homepage: http://www.winpcap.org/windump/

Tshark
- Also a network protocol analyzer
- Command-line version of Wireshark
- User manual: https://www.wireshark.org/docs/man-pages/tshark.html
Basic usage of Wireshark
- Tip: packet capture needs root / administrator privileges
- Packet capture: select the right interface!
- Save / open a trace

Practice 1: my first packet trace
- Y:\Win32\WiresharkPortable_1.4
- Select the right interface.
- Start packet capture for 10 seconds and save the trace.
Question 1 (2 marks for each part in a question)
A) How many interfaces have you observed? What are they?
B) Which interface will you choose and why?

Advanced usage (1): filters
Capture filters
- Only the packets meeting the rule will be captured and decoded in Wireshark.
- Syntax: specify protocols (ip, tcp, udp); specify hosts (host, dst, src)
- More filters can be found at http://wiki.wireshark.org/CaptureFilters
Display filters
- Do not affect captured packets. They only determine whether or not to display some packets.
- Syntax
- Useful: Follow TCP Stream
- More filters can be found at http://wiki.wireshark.org/DisplayFilters

Advanced usage (2)
- Follow a stream. Stream: [IP address A, port A, IP address B, port B]
- Adjust the layout and columns: Edit -> Preferences
- Statistics
  - Summary: general statistics about the current capture file
  - Conversations: statistics of the captured conversations (a conversation is the traffic between two specific endpoints)
  - Endpoints: traffic statistics of an end host
  - IO Graphs: visualizing the number of packets over time
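The four ideas on the slides above (the libpcap record layout that Wireshark reads, a capture filter keeping only matching packets, Follow TCP Stream grouping by the [IP A, port A, IP B, port B] tuple, and the per-second counts behind IO Graphs) worked through in Python. This is an added example, not code from the lab slides, Wireshark or libpcap. The capture it reads is constructed inline with documentation addresses (192.0.2.x, 198.51.100.x), the MAC addresses and checksums are zeroed, and capture_filter only imitates the effect of a BPF expression such as "host 198.51.100.5 and tcp port 80"; it is not a BPF compiler.

```python
import struct
from collections import Counter, defaultdict

CLIENT, WEB, DNS = "192.0.2.10", "198.51.100.5", "192.0.2.1"  # constructed (documentation) addresses

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP=6,UDP=17} frame; MACs and checksums are zero."""
    if proto == 6:  # 20-byte TCP header: seq 1, ack 1, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:           # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + l4
    return bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType 0x0800 = IPv4

def write_pcap(frames):
    """Classic libpcap layout: 24-byte global header (linktype 1 = Ethernet), then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def decode(frame):
    """Demultiplex one frame: EtherType selects IPv4, the IP protocol field selects TCP or UDP."""
    pkt = {"proto": "other"}
    if frame[12:14] != b"\x08\x00":
        return pkt
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt["src"] = ".".join(str(b) for b in frame[26:30])
    pkt["dst"] = ".".join(str(b) for b in frame[30:34])
    if proto not in (6, 17):
        return pkt
    l4 = frame[14 + ihl:]
    pkt["proto"] = "tcp" if proto == 6 else "udp"
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, or fixed UDP header
    pkt["payload"] = l4[hlen:]
    return pkt

def read_pcap(data):
    """Return [(timestamp, decoded packet), ...] from little-endian classic pcap bytes."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        records.append((sec + usec / 1_000_000, decode(data[off + 16:off + 16 + caplen])))
        off += 16 + caplen
    return records

def capture_filter(records, host=None, proto=None, port=None):
    """Keep records matching every given term: the effect of a BPF expression such as
    'host 198.51.100.5 and tcp port 80' (an imitation of the effect, not a BPF compiler)."""
    keep = []
    for ts, p in records:
        if proto and p["proto"] != proto:
            continue
        if host and host not in (p.get("src"), p.get("dst")):
            continue
        if port and port not in (p.get("sport"), p.get("dport")):
            continue
        keep.append((ts, p))
    return keep

def follow_streams(records):
    """Group TCP payloads by the unordered 4-tuple [IP A, port A, IP B, port B], as Follow TCP Stream does."""
    streams = defaultdict(bytes)
    for _, p in records:
        if p["proto"] == "tcp":
            key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
            streams[key] += p["payload"]
    return dict(streams)

def io_graph(records, interval=1.0):
    """Packets per protocol in each time bin since the first packet: the counts behind Statistics -> IO Graphs."""
    bins, t0 = defaultdict(Counter), records[0][0]
    for ts, p in records:
        bins[int((ts - t0) // interval)][p["proto"]] += 1
    return {b: dict(c) for b, c in sorted(bins.items())}

# Constructed capture: a DNS lookup, two HTTP exchanges on separate connections, a second DNS query.
SAMPLE_PCAP = write_pcap([
    (0.10, build_frame(CLIENT, DNS, 17, 40000, 53, b"query www.example.test")),
    (0.12, build_frame(DNS, CLIENT, 17, 53, 40000, b"answer 198.51.100.5")),
    (0.50, build_frame(CLIENT, WEB, 6, 51000, 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")),
    (0.70, build_frame(WEB, CLIENT, 6, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n<html>")),
    (1.30, build_frame(CLIENT, WEB, 6, 51001, 80, b"GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n")),
    (1.45, build_frame(WEB, CLIENT, 6, 80, 51001, b"HTTP/1.1 200 OK\r\n\r\n")),
    (2.20, build_frame(CLIENT, DNS, 17, 40001, 53, b"query cdn.example.test")),
])

if __name__ == "__main__":
    recs = read_pcap(SAMPLE_PCAP)
    print(len(capture_filter(recs, host=WEB, proto="tcp", port=80)), "of", len(recs), "packets match host WEB and tcp port 80")
    for key, data in follow_streams(recs).items():
        print("stream", key, data.split(b"\r\n")[0])
    print(io_graph(recs))
```

Running the script prints that 4 of the 7 packets match the host-and-port filter, lists the two TCP streams with the first request line of each, and shows the per-second bins ({0: {'udp': 2, 'tcp': 2}, 1: {'tcp': 2}, 2: {'udp': 1}}). The same grouping key is what makes a stream a "conversation" in Statistics -> Conversations; a display filter in Wireshark would leave all 7 records in the file and only hide the non-matching ones, whereas the capture filter here drops them before they are stored.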
Analyze Web application
The World Wide Web (WWW) is the most popular Internet application.
Answer the following questions (Question 2):
A) What's the relationship between the Web and HTTP?
B) What type of protocol does HTTP belong to?
C) How many application protocols have you captured when accessing a website?

Practice 2: analyze HTTP traffic
- Y:\Win32\WiresharkPortable
- Select the right interface.
- Visit www.polyu.edu.hk.
- Analyze the HTTP traffic (Question 3)
A) What's your HTTP request method?
B) What's your HTTP request version?
C) What's the status code in the response? What does it mean?

Practice 2 (contd)
Apply a display filter so that only HTTP packets are shown (Question 4)
A) How many HTTP requests have been sent to the Web server?
B) Write down each request (at least 3).

Practice 3
Try different capture filters (Question 5)
A) How can I capture only HTTP traffic?
B) How can I capture only the traffic from/to a specified host?
Visit http://www.polyu.edu.hk again and analyze the HTTP traffic (Question 6)
A) What's your IP address?
B) What's the server's IP address?
Visit http://www.polyu.edu.hk/test and analyze the HTTP traffic (Question 7)
A) What's the difference compared with the last step?

Practice 3 (contd)
Visit http://www.oneprobe.org and analyze the HTTP traffic (Question 8)
A) What's the difference compared with the previous steps?
B) How many Web servers have you accessed?
C) Write down the exact IP addresses of the servers.
D) Explain what happened in this HTTP session.
Practice 4
- Delete the capture filter
- Start a new capture
- Visit http://hk.yahoo.com/
- When the page is fully loaded, stop capturing
- Compare the throughput of UDP and TCP over time (through Statistics -> IO Graphs)

Practice 5
- Start a new capture
- Visit https://www.google.com.hk
- When the page is fully loaded, stop capturing
- Identify the HTTPS traffic (Question 9)
A) What's the default port of HTTPS?
B) What can you see after applying "Follow TCP Stream"?
C) Write down the process of how an HTTPS connection is established.

Practice 6
- Visit http://www.facebook.com and analyze the HTTP traffic
- Record the IP address of the Facebook server
- Save the trace
- Visit Facebook again at home, and compare the trace with the one obtained on campus (Question 10)
A) Record the IP address of the Facebook server.
B) Is the IP address recorded at home the same as the one recorded on campus?
C) If not, explain why the servers are different.

Further reading
CDN (content delivery network): http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/

Thanks