Capture and analysis of the network traffic with Wireshark

Transcription

1 Capture and analysis of the network traffic with Wireshark Lab Objectives Understanding the purpose of Wireshark Studying configuration settings and capture options of Wireshark Studying Wireshark filters and filter building Studying Wireshark result panel windows and toolbar items. Practicing on capturing and analysis of the network traffic using Wireshark Background Information Wireshark functions Wireshark (earlier - Ethereal) is a most popular program analyzer of the network traffic. Wireshark allows capturing packets of protocols, transmitted over the Ethernet network and present this data in a user GUI interface for further analysis. Wireshark can be considered as a measuring device that is used to view and examine whatever is transmitted by the network cable and view in real time the entire network traffic. The Wireshark main window At the start, the Wireshark main screen looks like following (See Fig.0-1) Fig.0-1 Wireshark start window Wireshark main toolbar has the following tools available (see Fig.0-2)

2 Wireshark filter toolbar Fig.0-2 Wireshark toolbar With the help of Wireshark filter toolbar (See Fig.0-3) it is possible to create, store, apply and remove filters, enabling to filter the information of the captured network traffic. 1 Filter entry field Fig.0-3 Wireshark filter toolbar Wireshark filter toolbar has the following fields and tools (See Fig.0-3) Filter (pointer 1 in Fig.0-3) opens a dialog box to create or edit custom filters Expression (pointer 3 in Fig.0-3) opens a dialog box assistant for building filter expressions Clear (pointer 4 in Fig.0-3) halts the filter action and clearing the filter field Apply (pointer 5 in Fig.0-3) applies the filter action Save (pointer 6 in Fig.0-3) saves the filter expression for further use List of available network adapters The window with a list of available adapters (Fig.0-4) can be opened by pressing Interface List button on the Wireshark toolbar (Fig.0-2) Fig.0-4 List of available adapters To execute the lab work select a real (not Virtual) adapter (pointer 1 in Fig.0-4) Options button (pointer 2 in Fig.0-4) opens the traffic capture options dialog window (Fig.0-5)

3 Fig.0-5 Traffic capture options window Details button (Pointer 3 in Fig.0-4) opens the window with statistical characteristics of the network adapter. Traffic capture options window With the help of this window the following settings may be assigned to capture the network traffic (See Fig.0-5): Selecting the interface for traffic capture Capturing packets in promiscuous mode: in this mode the program will capture all protocol data units (PDU), incoming to the network adapter. When this option is disabled, the program captures only those PDUs, which are addressed to the given adapter (i.e. the computer, on which they are located) Enable MAC name resolution (for example: 00:09:5b:11:22:33 -> Netgear_11:22:33) To apply filter perform the following steps: Enter / edit the filter expression into the filter entry field (See Pointer 2 in Fig.0-3) Press Apply button (See Pointer 5 in Fig.0-3) The green color of the filter field would mean that the filter has been entered in line with the filter building rules. The red color of the filter field would mean that there is error in filter entry. Building filters Wireshark allows two level filtering: Filter by protocol: filtering at the level of captured packets/ frames; filtering will be carried out by appropriate protocols

4 Filtering by a protocol packet filter (Display filter): filters at the level of values of the fields of the captured packets/ frames; filtering will be carried out by specified values of the fields in the protocol headers. To apply filtering by protocol, enter the name of protocol (for example, dhcpv6) into the filter entry field and press Apply button (see Fig.0-6 and Fig.0-7) Fig.0-6: Before applying the filter Fig.0-7: After applying the filter Filtering on the level of the values of fields of the captured packets/ frames

5 The names of fields that can be used when building filter expressions are available through the filter builder. To build the filters perform the following steps: Run assistant-builder of filter expressions, pressing Expression button (pointer 6 in Fig.0-8) In the Field name list in the opened box select the name of the field (for example, ip.src) that will be used for building (pointer 1 in Fig.0-8) In the Relation list select correlation sign (pointer 2 in Fig.0-8) Enter selected value (for example, , which is taken in this case: See pointer 5 in Fig. 6) in the Value field (pointer 3 in Fig.0-8) Fig.0-8 Building a filter on the level of fields values Press ОК The filter field will be filled with the newly built filter expression (ip.src == ) (See Pointer 1 in Fig.0-9) Press Apply (pointer 2 in Fig.0-9) The window will show only the data, relevant to the current filter (pointer 3 in Fig.0-9)

6 1 2 3 Fig.0-9 Using the filter on the level of field Two or more elementary conditions can be combined in the filter (pointer 1 in Fig.0-9), using logical operators in the following format: Condition 1 Logical operator Condition 2 Example of the combined filter: ip.src == and ip.dst == ip and ip.src == As an elementary condition expression filters of both types can be used (See the second example above) Data panels of the main window The result window of Wireshark has three panels: child windows (See Figure below). Panel with the list of captured packets/frames Packet details window Packet bytes window Wireshark has the following three child data panels:

7 The first window: the packet list window, a panel with the list of captured packets/frames (Protocol Data Unit - PDU) The second window: the packet details window, a detailed information window, showing the content of the current packet, selected on the PDU panel (in the first window) The third window: the packet bytes window, a byte-presentation window, displaying the content of the current packet, selected on the PDU panel (in the first window) in the hexadecimal format Packet list window contains aggregated information on the entire traffic, captured by Wireshark. Each line specifies a separately captured packet and contains following fields (Fig.0-10): Fig.0-10: PDU panel No.: sequential number of the captured PDU Time: time stamp, the period (in seconds) elapsed since the start of PDU capturing Source: the network address of the sender (IPv4 / IPv6) Destination: the network address of the recipient (IPv4 / IPv6) Protocol: type of the protocol Length: length of the captured packet Info: additional information about the captured PDU Detailed information window: this panel displays the content of the packet selected in the PDU panel (See pointer 1 in Fig. 9) in the hierarchic structures (pointer 2 in Fig.0-11): 1 2

8 Fig.0-11 Panel of the list of captured packets and panel of the packet detailed information Frame: displays information on captured PDU, such as the capture time, PDU length, etc. Ethernet II: displays information about the data link layer protocol header Internet Protocol: displays information about the network layer protocol header User Defined Protocol (UDP): displays information about the transport layer protocol header Hypertext: displays information about the header of the application protocol

9 Lab Assignment In this work the network traffic of the PC adapter is captured and analyzed by network traffic analyzer Wireshark when a ping echo request is sent to single board computer in the network. Requisite Equipment Personal computer (PC) with installed network adapter and Windows 7 Wireshark program, installed in Windows 7 «Mini2440» FriendlyARM single board computer (1) NI ELVIS II workstation NETWORK TEST BENCH board (NTB) Network switch Mounted straight-through UTP 5cat cable with RJ-45 connectors (2 pcs.) Lab Assignment Make sure that required equipment is available Make sure that PC network adapter is available Make sure that Windows Firewall is turned OFF (see Error! Reference source not found. Error! Reference source not found.) With the help of NI ELVIS II workstation make sure that the network cables are mounted properly (See Lab work 1.) Lay out the equipment comfortably for work. Step-By-Step Instructions 1. With the help of PC, «mini2440» FriendlyARM single board computer and network switch build a Star -topology LAN (See Lab work 6). 2. Assign the names to the LAN computers: Assign the PC name as TestLab (See Point 8.2). Assign the name of the single board computer as mini (See Point 8.5) 3. Disconnect the PC and single board computer network cables from the switch 4. Launch Wireshark program 5. Press Capture options button (See Fig.0-2: second from the left) on toolbar 6. Traffic capture options window opens (Fig.0-12). With the help of this window, make network packets capture settings, as shown in Fig.0-12

10 Fig.0-12 Traffic capture setting window 7. Press Start (See. bottom right corner in Fig.0-12) 8. Since the PC network cable is disconnected, there will be no network traffic by that cable and Wireshark will be unable to capture packets. Therefore, Wireshark windows should remain empty. 9. Connect the disconnected cable of the single board computer to the switch 10. Observe that network packets are not captured by Wireshark (Wireshark is installed on the PC) 11. To start capturing the network packets (or network traffic capture), connect the disconnected PC cable to the switch 12. Wireshark will immediately start capturing network packets and display them on the user interface (See Fig.0-13). This witnesses that the PC adapter and the switch started information exchange, for example, to detect dynamic addresses or to find network services.

11 Fig.0-13: The main information window of Wireshark after connection of the PC network cable Thus we have captured the network traffic and possess enough captured packets for their further filtration and analysis. 13. Examine the first window. Observe that in the upper first window (Fig.0-13) in Protocol column we can see the various protocols names (DHCP, DHCPv6, ARP, UDP, SSDP etc.). Source and Destination columns display the IP addresses of the parties, communicating using these protocols (source and recipient). The Info column displays additional information. 14. Perform filtering of the captured network packets by two protocol names: In the liter entry field enter dhcpv6 (to filter by DHCPv6 protocol) (See Pointer 1 in Fig.0-14) and press Enter. The window of the list with captured packets will display the list of captured packets, filtered by DHCPv6 protocol (Fig.0-14).

12 1 2 Fig.0-14: Wireshark window: filtered by DHCPv6 protocol In the filter entry field enter http (pointer 1 in Fig.0-15) and press Enter. The captured packet listing window will display the list of captured packets, filtered by http protocol (Fig.0-15) Fig.0-15 Window Wireshark filtered by HTTP protocol 15. Superficially examine the second information window (more detailed examinations are made in the lab works 7 and 8). In the top first window (Fig.0-15) select one packet from the captured packets list, for example, the first line (pointer 3 in Fig.0-15) 16. The second (middle) window will display the list of hierarchic structures of the selected packet (pointer 4 in Fig.0-15). These structures are separately studied in lab works 7 and 8.

13 17. The third (bottom) window will display the content of the selected packet in hexadecimal format (pointer 5 in Fig.0-15)

14 Test Questions 1. What are the functions of Wireshark program? 2. What are the main options that can be set in Wireshark program? 3. What are the windows in the Wireshark program graphic user interface? 4. What is the function of the filter in Wireshark? 5. What kind of filters can be created/ applied in Wireshark? Answers 1. Wireshark is a program used for the capture and analysis of the Ethernet network traffic 2. The following settings can be made in Wireshark: Network adapter The range of packets capture: all or specifically addresses Real time list updating Display the capture data in real time Switch on network names resolution 3. Wireshark graphical user interface has the following windows: The packet list window The packet details window The packet bytes window 4. Filter performs the captured data filtering by various criteria. 5. Filters can be divided into two levels: Filters of the level of the captured packets/ frames; filtration will be performed by specified protocols. Filters of the level of values of the fields of captured packets/ frames.