Professional Documents
Culture Documents
Reti Di Calcolatori - Slide 21
Reti Di Calcolatori - Slide 21
Wireshark (http://www.wireshark.org/)
Introduction
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible Here are some examples people use Wireshark for:
network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals
Wireshark features
Live capture from many different network media Import files from many other capture programs Export files for many other capture programs Many protocol decoders Open Source Software What Wireshark is not:
Wireshark isn't an intrusion detection system Wireshark will not manipulate things on the network, it will only "measure" things from it
Description: The interface description provided by the operating system IP: The first IP address Wireshark could resolve from this interface Packets: The number of packets captured from this interface Packets/s : Number of packets captured in the last second Stop: Stop a currently running capture Capture: Start a capture on this interface immediately Options: Open the Capture Options dialog with this interface selected Details (Win32 only): Open a dialog with detailed information about the interface. Close: Close this dialog box
8
Primitives
[src|dst] host <host>: this primitive allows you to filter on a host IP address or name ether [src|dst] host <ehost>: this primitive allows you to filter on Ethernet host addresses gateway host <host>: this primitive allows you to filter on packets that used host as a gateway [src|dst] net <net> [{mask <mask>}|{len <len>}]: this primitive allows you to filter on network numbers [tcp|udp] [src|dst] port <port>: this primitive allows you to filter on TCP and UDP port numbers less|greater <length>: this primitive allows you to filter on packets whose length was less than or equal to the specified length ip|ether proto <protocol>: this primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer ether|ip broadcast|multicast: this primitive allows you to filter on either Ethernet or IP broadcasts or multicasts. <expr> relop <expr>: this primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets
11
This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed
12
Viewing packets
Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes
13
Wireshark provides a simple but powerful display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions
14
Equal: ip.addr == 10.0.0.5 Not equal: ip.addr != 10.0.0.5 Greater than: frame.pkt_len > 10 Less than: lt<frame.pkt_len < 128 Greater than or equal to: frame.pkt_len ge 0x100 Less than or equal to: frame.pkt_len <= 0x20 You can also combine filter expressions in Wireshark using the logical operators (&&, ||, !, )
15
Examples
ip.addr==192.168.10.10 ether.addr==ff.ff.ff.ff.ff.ff Frame.pkt_len > 1500 Ip.len > 43000 http.request.uri==http://www.repubblica.it protocol=tcp
16
If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Simply select a TCP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Wireshark Tools menu
17
18
Advanced topics
Packet Reassembling For some of the network protocols Wireshark knows of, a mechanism is implemented to find, decode and display these chunks of data. Wireshark will try to find the corresponding packets of this chunk, and will show the combined data as additional pages in the "Packet Bytes" pane Name Resolution Name resolution tries to resolve some of the numerical address values into a human readable format Checksums Several network protocols use checksums to ensure data integrity. Wireshark will validate the checksums of several protocols, e.g.: IP, TCP, ... .It will do the same calculation as a "normal receiver" would do, and shows the checksum fields in the packet details with a comment, e.g.: [correct] [invalid, must be 0x12345678] or alike
19
Statistics
General statistics:
Summary about the capture file Protocol Hierarchy of the captured packets Endpoints e.g. traffic to and from an IP addresses Conversations e.g. traffic between specific IP addresses IO Graphs visualizing the number of packets (or similar) in time
20
21
22
Endpoints
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer
23
Conversations
A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses.
24
25