Wireshark CSE 471 – Data Communication and Computer Networks
Basics
• Wireshark is a GUI network protocol analyzer.
• We can:
  • Capture network traffic
  • Decode packets of common protocols
  • Display the network traffic in human-readable format
• We cannot:
  • Monitor for a long time
  • Automatically do things
  • Do magic.
Basics
• Intended purposes of Wireshark:
  • Network administrators use it to troubleshoot network problems.
  • Network security engineers use it to examine security problems.
  • Developers use it to debug protocol implementations.
  • People use it to learn network protocol internals.
• Features:
  • Capture live packet data from a network interface.
  • Display packets with very detailed protocol information.
  • Filter packets on many criteria.
  • etc.
GUI
1. Choose the network interface to listen on.
2. Start capturing.
GUI
• Stop when enough packets are captured.
• Filter toolbar: use it to filter the captured packets.
• Packet List Pane: summary of each packet captured.
• Packet Details Pane: displays the selected packet in more detail.
• Packet Bytes Pane: displays the raw data of the captured packet.
Case study (TCP)
• Download this file somewhere on your computer.
• Now, go to this page.
• Browse to the alice.txt that you previously downloaded.
• WAIT before clicking on Upload.
• Run Wireshark and choose the appropriate interface.
• Start capturing!
• Upload your file.
• Stop capturing!
• Now we have data!
Case study (TCP)
• Since we examine TCP now, disable HTTP protocol analysis to see more of TCP (Analyze > Enabled Protocols > uncheck HTTP).
• You will notice there are lots of packets. Those are all the packets that circulate in your local network.
• Filter only the TCP packets by typing tcp in the filter toolbar.
• Oh! There are still many packets to examine. Let's filter the packets that were used to upload the file.
• First, find out the IP address of your machine and of the destination machine (the website you uploaded alice.txt to) using ipconfig and nslookup.
• Now filter packets from your machine to the destination address and vice versa using this compound filter expression (eq is the same as ==):
  tcp and ((ip.src eq YOUR_IP and ip.dst eq DEST_IP) or (ip.src eq DEST_IP and ip.dst eq YOUR_IP))
Case study (TCP)
• Notice the three-way handshake in TCP.
• Inspect the first packet in the Packet Details Pane. Expand IPv4 and locate the source and destination IP addresses.
• Find the port numbers used on your computer and on the target computer.
• Now answer the questions:
  • What is the sequence number of the first TCP SYN segment used to establish the connection? (Wireshark shows relative sequence numbers by default, so the SYN appears as 0; the raw value is shown when that TCP protocol preference is disabled.)
  • Find the packet where the POST is sent to the server (check the data field of the packet).
• Let's see the TCP congestion control mechanism. Click Statistics > TCP Stream Graph > Time-Sequence Graph (Stevens). Examine the plot.
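The conversation filter and the handshake check above, as an added example that is not part of the slides: it applies the same filter logic to a constructed packet list (placeholder addresses, not a real trace), finds the SYN / SYN-ACK / ACK triple by their sequence and acknowledgement numbers, and shows why the first SYN reads as 0 in Wireshark's default relative view.

```python
"""Added example (not from the slides): conversation filter + three-way handshake."""
from dataclasses import dataclass

@dataclass
class Pkt:
    no: int; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0
    flags: str = ""    # comma-separated TCP flags, as in Wireshark's Info column
    seq: int = 0; ack: int = 0   # raw (absolute) sequence/acknowledgement numbers

# Constructed sample capture with placeholder addresses; not a real trace.
MY_IP, DEST_IP = "192.168.1.10", "203.0.113.5"
CAPTURE = [
    Pkt(1, "ARP", "192.168.1.1", MY_IP),
    Pkt(2, "UDP", MY_IP, "192.168.1.1", 51000, 53),
    Pkt(3, "TCP", MY_IP, DEST_IP, 49152, 80, "SYN", seq=3210987654),
    Pkt(4, "TCP", "192.168.1.7", MY_IP, 445, 50000, "ACK", seq=1, ack=1),
    Pkt(5, "TCP", DEST_IP, MY_IP, 80, 49152, "SYN,ACK", seq=987654321, ack=3210987655),
    Pkt(6, "TCP", MY_IP, DEST_IP, 49152, 80, "ACK", seq=3210987655, ack=987654322),
    Pkt(7, "TCP", MY_IP, DEST_IP, 49152, 80, "PSH,ACK", seq=3210987655, ack=987654322),
]

def conversation(pkts, a, b):
    """tcp and ((ip.src eq a and ip.dst eq b) or (ip.src eq b and ip.dst eq a))"""
    return [p for p in pkts if p.proto == "TCP"
            and ((p.src == a and p.dst == b) or (p.src == b and p.dst == a))]

def has(p, flag):
    return flag in p.flags.split(",")

def find_handshake(pkts):
    """Return (SYN, SYN/ACK, ACK) of the first completed handshake, else None."""
    for syn in (p for p in pkts if has(p, "SYN") and not has(p, "ACK")):
        synack = next((p for p in pkts if p.no > syn.no and has(p, "SYN") and has(p, "ACK")
                       and p.src == syn.dst and p.sport == syn.dport
                       and p.ack == syn.seq + 1), None)       # acknowledges ISN + 1
        if synack is None:
            continue
        ack = next((p for p in pkts if p.no > synack.no and has(p, "ACK") and not has(p, "SYN")
                    and p.src == syn.src and p.sport == syn.sport
                    and p.seq == syn.seq + 1 and p.ack == synack.seq + 1), None)
        if ack is not None:
            return syn, synack, ack
    return None

def relative_seq(p, isn):
    """What Wireshark shows with 'Relative sequence numbers' on: seq minus the ISN."""
    return p.seq - isn
```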
Case study (HTTP)
• Enable HTTP analysis again (Analyze > Enabled Protocols > check HTTP).
• Start capturing packets.
• Go to this website.
• Stop capturing.
• Filter with http.
• You should see something like this:
Case study (HTTP)
• What version of HTTP are you using?
• What languages does your browser accept?
• What connection state does your browser request?
• What is the response of the server?
• When was the file on the server last modified?
• Now start capturing again and reload the page. Stop capturing. Do you see any differences? Where is the page data?
• See HTTP requests for documents with embedded objects. Capture this site.
• Now let's inspect a website with password protection. Navigate here with username wireshark-students and password network. Look whether you can see the credentials. What to do now?
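The password-protected page exercise above, as an added example that is not part of the slides: it assumes the page uses HTTP Basic authentication (the request below is constructed, with a placeholder host and path) and decodes the Authorization header the way Wireshark does, showing that the header carries the credentials in base64, not encrypted.

```python
"""Added example (not from the slides): decode Basic credentials from a captured request."""
import base64
import binascii

# Constructed request, assuming the slide's protected page uses HTTP Basic auth with
# username wireshark-students and password network. Host and path are placeholders.
RAW_REQUEST = (
    b"GET /protected/index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

def parse_request(raw):
    """Split a request into (request line, {lowercased header name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def basic_credentials(headers):
    """Return (user, password) from a Basic Authorization header, or None.
    Wireshark performs the same decoding in the HTTP tree; the display filter
    http.authorization matches every request that carries the header."""
    auth = headers.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None          # malformed token: not usable Basic credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None
```

Basic authentication has no confidentiality of its own; only TLS (HTTPS) keeps this header from anyone who can capture the path, which is the answer to "What to do now?".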
Case study (DNS)
• Clear your browser cache and flush your DNS cache.
• Start capturing packets in Wireshark.
• Do an nslookup on www.mit.edu.
• Stop capturing.
• Filter the results with ip.addr eq YOUR_IP_ADDRESS
• Now do the following:
  • Locate the DNS query. Is it sent over TCP or UDP?
  • What are the destination IP and port of the DNS query?
  • What type of DNS query is it? How many answers are returned by the server?
• Now capture this website.
• The website contains images. Are there DNS queries for the images in the website?
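The DNS questions above, as an added example that is not part of the slides: a small decoder for the DNS header, question and answer sections, run over constructed query and response bytes for www.mit.edu (the answer addresses and TTL are placeholders, not the real records). It reports the query type and the answer count that the exercise asks for.

```python
"""Added example (not from the slides): decode a DNS query/response pair from bytes."""
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}

def read_name(msg, off):
    """Return (dotted name, offset after it), following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(msg):
    """Header, question section and answer section of one DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1:                            # A record: 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed messages for `nslookup www.mit.edu` over UDP/53; the answer
# addresses and TTL are placeholders, not the real records.
QUESTION = encode_name("www.mit.edu") + struct.pack("!HH", 1, 1)   # type A, class IN
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION  # RD=1, one question
RESPONSE = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION + b"".join(
    b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, n])
    for n in (10, 11))                            # two A answers, name via pointer to offset 12
```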
Case study (DHCP)
• Release your IP address with ipconfig /release.
• Now you will see your IP address is 0.0.0.0.
• Start capturing packets in Wireshark.
• Get a new IP address with ipconfig /renew.
• Wait until you get an IP address. Now renew your IP again.
• When you get your new IP, release it again.
• Finally, get an IP address once more.
• Stop capturing packets.
• Filter the results with bootp (in Wireshark 3.0 and later the dissector is named dhcp, so dhcp is the preferred filter there).
Case study (DHCP)
• Notice that when the renew command is called, 4 DHCP packets are generated: a DHCP Discover packet, a DHCP Offer packet, a DHCP Request packet and a DHCP ACK packet.
• What is the target IP address of the Discover packet, and why?
• What is the Offer packet, and what is its destination IP?
• What protocol is being used? Why?
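The Discover/Offer packets above, as an added example that is not part of the slides: it builds constructed Discover and Offer messages (placeholder MAC and addresses) and decodes the fixed BOOTP header and the DHCP options the way the bootp/dhcp dissector does, so the fields behind the slide's questions (ciaddr 0.0.0.0, the broadcast flag, the offered address and the shared transaction id) can be read directly.

```python
"""Added example (not from the slides): decode DHCP Discover/Offer from raw payload bytes."""
import socket
import struct

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}
MAGIC = b"\x63\x82\x53\x63"          # marks the start of the options area

def parse_dhcp(payload):
    """Return the fields the slide asks about; raise ValueError if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    opts, off = {}, 240
    while off < len(payload) and payload[off] != 255:   # 255 = End option
        if payload[off] == 0:                           # 0 = Pad, has no length byte
            off += 1
            continue
        code, length = payload[off], payload[off + 1]
        opts[code] = payload[off + 2:off + 2 + length]
        off += 2 + length
    mtype = opts.get(53, b"\x00")[0]
    return {"op": "request" if op == 1 else "reply", "xid": xid,
            "broadcast_flag": bool(flags & 0x8000), "ciaddr": ciaddr, "yiaddr": yiaddr,
            "chaddr": chaddr, "type": MSG_TYPES.get(mtype, mtype),
            "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None,
            "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None}

def build(op, xid, flags, yiaddr, options):
    """Constructed messages with a placeholder MAC and addresses; not a real trace."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("00115a0b0c0d") + bytes(10) + bytes(192)            # chaddr, sname, file
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + MAGIC + body + b"\xff"

# On the wire a Discover rides in an IP/UDP envelope from 0.0.0.0 to 255.255.255.255,
# UDP 68 -> 67; that envelope is outside this payload, in which the client sets
# ciaddr 0.0.0.0 and the broadcast flag because it has no address yet.
DISCOVER = build(1, 0xABCD1234, 0x8000, "0.0.0.0", [(53, b"\x01")])
OFFER = build(2, 0xABCD1234, 0x8000, "192.168.1.50", [(53, b"\x02"),
              (54, socket.inet_aton("192.168.1.1")), (51, struct.pack("!I", 86400))])
```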