Capture and Analysis of Network Traffic with Wireshark

Lab Objectives
- Understanding the purpose of Wireshark
- Studying the configuration settings and capture options of Wireshark
- Studying Wireshark filters and filter building
- Studying the Wireshark result panel windows and toolbar items
- Practicing the capture and analysis of network traffic using Wireshark

Background Information

Wireshark functions
Wireshark (earlier named Ethereal) is the most popular network traffic analyzer. Wireshark captures the packets of the protocols transmitted over an Ethernet network and presents them in a graphical user interface for further analysis. Wireshark can be thought of as a measuring device attached to the network cable: it shows everything that passes over the cable and lets the entire network traffic be viewed in real time.

The Wireshark main window
At start-up the Wireshark main screen looks as shown in Fig.0-1.

Fig.0-1 Wireshark start window

The tools available on the Wireshark main toolbar are shown in Fig.0-2.
Fig.0-2 Wireshark toolbar

Wireshark filter toolbar
With the help of the Wireshark filter toolbar (see Fig.0-3) it is possible to create, store, apply and remove filters that select which part of the captured network traffic is displayed.

Fig.0-3 Wireshark filter toolbar

The Wireshark filter toolbar has the following fields and tools (see Fig.0-3):
- Filter (pointer 1 in Fig.0-3) opens a dialog box to create or edit custom filters
- Filter entry field (pointer 2 in Fig.0-3): the field into which the filter expression is typed
- Expression (pointer 3 in Fig.0-3) opens a dialog box assistant for building filter expressions
- Clear (pointer 4 in Fig.0-3) halts the filter action and clears the filter field
- Apply (pointer 5 in Fig.0-3) applies the filter
- Save (pointer 6 in Fig.0-3) saves the filter expression for further use

List of available network adapters
The window with the list of available adapters (Fig.0-4) is opened by pressing the Interface List button on the Wireshark toolbar (Fig.0-2).

Fig.0-4 List of available adapters

- To execute the lab work select a real (not virtual) adapter (pointer 1 in Fig.0-4).
- The Options button (pointer 2 in Fig.0-4) opens the traffic capture options dialog window (Fig.0-5).
Fig.0-5 Traffic capture options window

- The Details button (pointer 3 in Fig.0-4) opens a window with the statistical characteristics of the network adapter.

Traffic capture options window
With the help of this window the following settings may be assigned for capturing the network traffic (see Fig.0-5):
- Selecting the interface for traffic capture
- Capturing packets in promiscuous mode: in this mode the program captures every protocol data unit (PDU) that reaches the network adapter, regardless of its destination address. When this option is disabled, the program captures only those PDUs that are addressed to the given adapter (i.e. to the computer in which it is installed). Note that on a switched LAN the adapter only receives the frames the switch forwards to its port (broadcast, multicast and frames addressed to it), so promiscuous mode by itself does not show unicast traffic exchanged between other hosts.
- Enable MAC name resolution (for example, 00:09:5b:11:22:33 -> Netgear_11:22:33)

To apply a filter perform the following steps:
1. Enter or edit the filter expression in the filter entry field (see pointer 2 in Fig.0-3)
2. Press the Apply button (see pointer 5 in Fig.0-3)

A green filter field means that the filter has been entered in line with the filter building rules; a red filter field means that there is an error in the filter expression.

Building filters
Wireshark allows two levels of filtering:
- Filtering by protocol: filtering at the level of the captured packets/frames; the filter selects packets by the protocols they contain
- Filtering by the values of protocol fields (display filter): filtering at the level of the values of the fields of the captured packets/frames; the filter selects packets by the specified values of the fields in the protocol headers.

To filter by protocol, enter the name of the protocol (for example, dhcpv6) into the filter entry field and press the Apply button (see Fig.0-6 and Fig.0-7).

Fig.0-6: Before applying the filter
Fig.0-7: After applying the filter

Filtering on the level of the values of the fields of the captured packets/frames
The names of the fields that can be used when building filter expressions are available through the filter builder. To build a filter perform the following steps:
1. Run the assistant for building filter expressions by pressing the Expression button (pointer 6 in Fig.0-8)
2. In the Field name list of the opened box select the name of the field (for example, ip.src) that will be used for the filter (pointer 1 in Fig.0-8)
3. In the Relation list select the comparison operator (pointer 2 in Fig.0-8)
4. Enter the selected value (for example, 192.168.4.249, which in this case is taken from pointer 5 in Fig. 6) in the Value field (pointer 3 in Fig.0-8)

Fig.0-8 Building a filter on the level of field values

5. Press OK. The filter field is filled with the newly built filter expression (ip.src == 192.168.4.249) (see pointer 1 in Fig.0-9)
6. Press Apply (pointer 2 in Fig.0-9). The window shows only the data relevant to the current filter (pointer 3 in Fig.0-9)
Fig.0-9 Using a filter on the level of fields

Two or more elementary conditions can be combined in one filter (pointer 1 in Fig.0-9) using logical operators, in the following format:

Condition 1  Logical operator  Condition 2

Examples of combined filters:
ip.src == 192.168.4.249 and ip.dst == 192.168.4.239
ip and ip.src == 192.168.4.249

Elementary conditions of both types (a protocol name and a field value comparison) can be used as the operands of a combined filter (see the second example above).

Data panels of the main window
The result window of Wireshark has three panels (child windows, see the figure below): the panel with the list of captured packets/frames, the packet details window and the packet bytes window. These three child data panels are:
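The combined filters above, and the dhcpv6 and http filters used in step 14 of the lab assignment, can be evaluated programmatically. The Python script below is an added example written for this page, not Wireshark's own code: it implements a small evaluator for the subset of display-filter syntax shown here (protocol names, field comparisons, and/or/not with their &&, ||, ! spellings, and parentheses) and runs it over constructed packet records. The packet records, their field names and values are constructed for the illustration; Wireshark's real filter engine supports many more operators and field types.

```python
import re

# Constructed sample "captured packets" (not real captures): one dict per frame
# with the protocol layers Wireshark would list and the header fields a
# display filter can test, named as in the filter builder.
SAMPLE_PACKETS = [
    {"no": 1, "layers": {"eth", "ipv6", "udp", "dhcpv6"}, "ipv6.src": "fe80::1", "udp.dstport": 547},
    {"no": 2, "layers": {"eth", "arp"}, "arp.src.proto_ipv4": "192.168.4.1"},
    {"no": 3, "layers": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.4.249", "ip.dst": "192.168.4.239", "tcp.dstport": 80},
    {"no": 4, "layers": {"eth", "ip", "udp", "ssdp"}, "ip.src": "192.168.4.249", "ip.dst": "239.255.255.250", "udp.dstport": 1900},
    {"no": 5, "layers": {"eth", "ip", "udp", "dhcp"}, "ip.src": "0.0.0.0", "ip.dst": "255.255.255.255", "udp.dstport": 67},
]

# Lexer: parentheses, comparison and logical operators, quoted strings and bare
# words (protocol names, dotted field names, IP addresses, numbers).
TOKEN_RE = re.compile(r'\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[A-Za-z0-9_.:]+)')
COMPARISONS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
               ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}
LOGICAL = {"and", "&&", "or", "||", "not", "!"}


def tokenize(text):
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        match = TOKEN_RE.match(text, pos)
        if not match:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    if not tokens:
        raise ValueError("empty filter")
    return tokens


# Recursive-descent parser. Grammar: or_expr := and_expr (or and_expr)*;
# and_expr := not_expr (and not_expr)*; not_expr := not not_expr | ( or_expr ) | name [op value]
def parse(expression):
    tokens = tokenize(expression)
    node = parse_or(tokens)
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node


def parse_or(tokens):
    node = parse_and(tokens)
    while tokens and tokens[0] in ("or", "||"):
        tokens.pop(0)
        node = ("or", node, parse_and(tokens))
    return node


def parse_and(tokens):
    node = parse_not(tokens)
    while tokens and tokens[0] in ("and", "&&"):
        tokens.pop(0)
        node = ("and", node, parse_not(tokens))
    return node


def parse_not(tokens):
    if not tokens:
        raise ValueError("unexpected end of filter")
    tok = tokens.pop(0)
    if tok in ("not", "!"):
        return ("not", parse_not(tokens))
    if tok == "(":
        node = parse_or(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing closing parenthesis")
        return node
    if tok in LOGICAL or tok in COMPARISONS or tok == ")":
        raise ValueError(f"expected a protocol or field name, got {tok!r}")
    if tokens and tokens[0] in COMPARISONS:        # field comparison: name op value
        op = tokens.pop(0)
        if not tokens:
            raise ValueError(f"missing value after {op}")
        return ("cmp", tok, op, tokens.pop(0).strip('"'))
    return ("has", tok)                             # bare name: protocol or field is present


def evaluate(node, pkt):
    """Evaluate a parsed filter tree against one packet record."""
    kind = node[0]
    if kind == "has":
        return node[1] in pkt["layers"] or node[1] in pkt
    if kind == "cmp":
        _, field, op, literal = node
        if field not in pkt:                        # an absent field never matches
            return False
        try:
            return COMPARISONS[op](int(pkt[field]), int(literal))
        except ValueError:                          # non-numeric values compare as text
            return COMPARISONS[op](str(pkt[field]), literal)
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if kind == "and" else (left or right)


def is_valid_filter(expression):
    """True for a filter Wireshark would show green, False for a red (invalid) one."""
    try:
        parse(expression)
        return True
    except ValueError:
        return False


def apply_filter(expression, packets=SAMPLE_PACKETS):
    """Return the No. of every sample packet that the display filter expression matches."""
    tree = parse(expression)
    return [p["no"] for p in packets if evaluate(tree, p)]
```

A bare name such as ip or dhcpv6 matches when the protocol is present, a comparison such as ip.src == 192.168.4.249 matches only packets that carry that field with that value, and not ip therefore matches the ARP and IPv6 packets that have no IPv4 header. A syntactically broken expression (for example ip.src == with no value) raises ValueError, which corresponds to the red filter field in the GUI.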
- The first window: the packet list window, a panel with the list of captured packets/frames (protocol data units, PDUs)
- The second window: the packet details window, showing the decoded content of the packet currently selected in the packet list panel (the first window)
- The third window: the packet bytes window, displaying the content of the packet currently selected in the packet list panel (the first window) in hexadecimal format

The packet list window contains aggregated information on the entire traffic captured by Wireshark. Each line corresponds to one captured packet and contains the following fields (Fig.0-10):

Fig.0-10: PDU panel

- No.: sequential number of the captured PDU
- Time: time stamp, the period (in seconds) elapsed since the start of the capture
- Source: the network address of the sender (IPv4 / IPv6; for frames without a network layer header, such as ARP, the MAC address)
- Destination: the network address of the recipient (IPv4 / IPv6; likewise the MAC address for ARP)
- Protocol: type of the protocol (the highest layer Wireshark recognised in the packet)
- Length: length of the captured packet
- Info: additional information about the captured PDU

Packet details window: this panel displays the content of the packet selected in the PDU panel (see pointer 1 in Fig. 9) as a hierarchy of structures (pointer 2 in Fig.0-11):
Fig.0-11 Panel of the list of captured packets and panel of the packet details

- Frame: information about the captured PDU, such as the capture time, PDU length, etc.
- Ethernet II: the data link layer protocol header
- Internet Protocol: the network layer protocol header
- User Datagram Protocol (UDP): the transport layer protocol header
- Hypertext Transfer Protocol: the header of the application layer protocol
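To show how the three panels are derived from the raw bytes of a frame, the following Python script is an added example written for this page (not Wireshark's code). It constructs sample Ethernet II frames with made-up addresses and payloads (an ARP request, a DHCP Discover and an SSDP M-SEARCH, the kind of traffic a PC emits right after its cable is plugged in), then dissects each one into the packet-list row (No., Time, Source, Destination, Protocol, Length, Info), a layered details tree like the one in Fig.0-11, and a hex/ASCII listing like the packet bytes panel. The Protocol column is derived from the EtherType and the transport ports, and the IPv4 header checksum is verified so that a corrupted header shows up in the details tree. Only IPv4, UDP and TCP headers are decoded; a DHCPv6 frame (IPv6) would need an extra branch.

```python
import struct

# Port-based labels for the Protocol column (a small subset of Wireshark's dissector table).
UDP_PORT_PROTOCOLS = {67: "DHCP", 68: "DHCP", 546: "DHCPv6", 547: "DHCPv6", 1900: "SSDP"}
TCP_PORT_PROTOCOLS = {80: "HTTP"}


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over 16-bit words; yields 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct a raw Ethernet II / IPv4 / UDP frame (sample input, not a capture)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted
    src, dst = bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]  # fill in checksum
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + udp


def build_arp_request(src_mac, src_ip, target_ip):
    """Construct a broadcast ARP request frame (sample input, not a capture)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, bytes(map(int, src_ip.split("."))),
                       b"\x00" * 6, bytes(map(int, target_ip.split("."))))
    return b"\xff" * 6 + sha + b"\x08\x06" + body


def hex_dump(data, width=16):
    """Render bytes the way the packet bytes panel does: offset, hex, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {text}")
    return lines


def dissect(frame, number, timestamp):
    """Decode one Ethernet II frame into a packet-list row, a layered details tree and a hex view."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    details = {"Frame": {"number": number, "time": timestamp, "length": len(frame)},
               "Ethernet II": {"dst": mac_str(dst), "src": mac_str(src), "type": f"0x{ethertype:04x}"}}
    source, destination, protocol, info = mac_str(src), mac_str(dst), f"0x{ethertype:04x}", ""
    if ethertype == 0x0806:                                   # ARP: no IP header, MACs stay in the row
        protocol = "ARP"
        _, _, _, _, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        details["Address Resolution Protocol"] = {"opcode": opcode, "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}
        info = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}" if opcode == 1 else f"{ip_str(spa)} is at {mac_str(sha)}"
    elif ethertype == 0x0800:                                 # IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
        details["Internet Protocol Version 4"] = {"src": ip_str(s), "dst": ip_str(d), "ttl": ttl,
                                                  "protocol": proto, "checksum_ok": ip_checksum(ip_hdr) == 0}
        source, destination, protocol = ip_str(s), ip_str(d), "IPv4"
        transport = frame[14 + ihl:14 + total_len]
        if proto == 17:                                       # UDP
            sport, dport, length, _ = struct.unpack("!HHHH", transport[:8])
            details["User Datagram Protocol"] = {"srcport": sport, "dstport": dport, "length": length}
            protocol = UDP_PORT_PROTOCOLS.get(dport) or UDP_PORT_PROTOCOLS.get(sport) or "UDP"
            info = f"{sport} -> {dport} Len={length - 8}"
        elif proto == 6:                                      # TCP (header fields beyond ports omitted)
            sport, dport = struct.unpack("!HH", transport[:4])
            details["Transmission Control Protocol"] = {"srcport": sport, "dstport": dport}
            protocol = TCP_PORT_PROTOCOLS.get(dport) or TCP_PORT_PROTOCOLS.get(sport) or "TCP"
            info = f"{sport} -> {dport}"
    row = {"No.": number, "Time": timestamp, "Source": source, "Destination": destination,
           "Protocol": protocol, "Length": len(frame), "Info": info}
    return {"list_row": row, "details": details, "bytes": hex_dump(frame)}


# Constructed sample frames (addresses and payloads are made up for this example).
SAMPLE_FRAMES = [
    build_arp_request("00:09:5b:11:22:33", "192.168.4.249", "192.168.4.239"),
    build_udp_frame("00:09:5b:11:22:33", "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 68, 67, b"DHCPDISCOVER"),
    build_udp_frame("00:09:5b:11:22:33", "01:00:5e:7f:ff:fa", "192.168.4.249", "239.255.255.250", 52000, 1900,
                    b"M-SEARCH * HTTP/1.1\r\n"),
]


def packet_list(frames=SAMPLE_FRAMES):
    """Rows of the packet list panel for the sample frames, stamped 0.1 s apart (constructed timing)."""
    return [dissect(f, i + 1, round(i * 0.1, 1))["list_row"] for i, f in enumerate(frames)]
```

As in Wireshark, the ARP row shows MAC addresses in Source and Destination because the frame has no IP header, while the UDP rows are labelled DHCP and SSDP from their destination ports rather than plain UDP. The checksum_ok field in the details tree is the kind of per-layer validation the details panel performs; flipping a single header byte in a frame makes it False.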
Lab Assignment
In this work the network traffic of the PC adapter is captured and analyzed with the network traffic analyzer Wireshark while a ping echo request is sent to a single board computer in the network.

Requisite Equipment
- Personal computer (PC) with an installed network adapter and Windows 7
- Wireshark program installed in Windows 7
- «Mini2440» FriendlyARM single board computer (1)
- NI ELVIS II workstation
- NETWORK TEST BENCH board (NTB)
- Network switch
- Straight-through UTP Cat 5 cable with RJ-45 connectors (2 pcs.)

Lab Assignment
- Make sure that the required equipment is available
- Make sure that the PC network adapter is available
- Make sure that Windows Firewall is turned OFF
- With the help of the NI ELVIS II workstation make sure that the network cables are mounted properly (see Lab work 1)
- Lay out the equipment comfortably for work

Step-By-Step Instructions
1. With the help of the PC, the «mini2440» FriendlyARM single board computer and the network switch build a star-topology LAN (see Lab work 6).
2. Assign the names to the LAN computers: assign the PC the name TestLab (see Point 8.2); assign the single board computer the name mini2440-1 (see Point 8.5).
3. Disconnect the PC and single board computer network cables from the switch.
4. Launch the Wireshark program.
5. Press the Capture Options button (see Fig.0-2: second from the left) on the toolbar.
6. The traffic capture options window opens (Fig.0-12). With the help of this window make the network packet capture settings as shown in Fig.0-12.
Fig.0-12 Traffic capture settings window

7. Press Start (see the bottom right corner in Fig.0-12).
8. Since the PC network cable is disconnected, there is no network traffic on that cable and Wireshark is unable to capture any packets. Therefore the Wireshark windows should remain empty.
9. Connect the disconnected cable of the single board computer to the switch.
10. Observe that no network packets are captured by Wireshark (Wireshark is installed on the PC, whose cable is still disconnected).
11. To start capturing network packets (the network traffic capture), connect the disconnected PC cable to the switch.
12. Wireshark immediately starts capturing network packets and displays them in the user interface (see Fig.0-13). This shows that the PC adapter and the switch have started exchanging information, for example to obtain dynamic addresses or to discover network services.
Fig.0-13: The main information window of Wireshark after connection of the PC network cable

Thus we have captured network traffic and possess enough captured packets for their further filtering and analysis.

13. Examine the first window. Observe that the Protocol column of the upper (first) window (Fig.0-13) shows the names of various protocols (DHCP, DHCPv6, ARP, UDP, SSDP, etc.). The Source and Destination columns display the IP addresses of the parties communicating with these protocols (sender and recipient). The Info column displays additional information.
14. Filter the captured network packets by two protocol names:
- In the filter entry field enter dhcpv6 (to filter by the DHCPv6 protocol) (see pointer 1 in Fig.0-14) and press Enter. The packet list window displays the list of captured packets filtered by the DHCPv6 protocol (Fig.0-14).
Fig.0-14: Wireshark window filtered by the DHCPv6 protocol

- In the filter entry field enter http (pointer 1 in Fig.0-15) and press Enter. The packet list window displays the list of captured packets filtered by the HTTP protocol (Fig.0-15).

Fig.0-15 Wireshark window filtered by the HTTP protocol

15. Briefly examine the second information window (more detailed examinations are made in lab works 7 and 8). In the top (first) window (Fig.0-15) select one packet from the captured packets list, for example the first line (pointer 3 in Fig.0-15).
16. The second (middle) window displays the hierarchy of structures of the selected packet (pointer 4 in Fig.0-15). These structures are studied separately in lab works 7 and 8.
17. The third (bottom) window displays the content of the selected packet in hexadecimal format (pointer 5 in Fig.0-15).
Test Questions
1. What are the functions of the Wireshark program?
2. What are the main options that can be set in the Wireshark program?
3. What are the windows of the Wireshark program graphical user interface?
4. What is the function of a filter in Wireshark?
5. What kinds of filters can be created/applied in Wireshark?

Answers
1. Wireshark is a program used for the capture and analysis of Ethernet network traffic.
2. The following settings can be made in Wireshark:
- Network adapter
- The range of packet capture: all packets or only specifically addressed ones
- Real-time list updating
- Display of the captured data in real time
- Switching on network name resolution
3. The Wireshark graphical user interface has the following windows:
- The packet list window
- The packet details window
- The packet bytes window
4. A filter performs the filtering of the captured data by various criteria.
5. Filters can be divided into two levels:
- Filters on the level of the captured packets/frames; filtering is performed by the specified protocols.
- Filters on the level of the values of the fields of the captured packets/frames.