1 / 89

Packets and Protocols Chapter 4

Packets and Protocols Chapter 4. Chapter Four Using Wireshark. Packets and Protocols Chapter 4. The Wireshark main window. ■ Menu bar ■ Tool bar ■ Summary window ■ Protocol Tree window ■ Data View window ■ Filter bar ■ Information field ■ Display information.

ryder
Download Presentation

Packets and Protocols Chapter 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Packets and ProtocolsChapter 4 Chapter Four Using Wireshark

  2. Packets and ProtocolsChapter 4 The Wireshark main window ■ Menu bar ■ Tool bar ■ Summary window ■ Protocol Tree window ■ Data View window ■ Filter bar ■ Information field ■ Display information

  3. Packets and ProtocolsChapter 4 Main window components

  4. Packets and ProtocolsChapter 4 Summary window components

  5. Packets and ProtocolsChapter 4 Summary window example What does this summary info tell us?

  6. Packets and ProtocolsChapter 4 • Protocol tree window • The fields in this window can be expanded or collapsed • The 1st line will generally tell you most of what you need but you can drill down for further detail • Click on the plus sign to expand

  7. Packets and ProtocolsChapter 4 Protocol window example What does this protocol info tell us?

  8. Packets and ProtocolsChapter 4 • Data View Window Good place to find passwords and usernames!

  9. Packets and ProtocolsChapter 4 • Filter bar • Used to build display filters • Will not allow invalid capture filters • Filter is not applied until you click apply! • Information field (bottom of capture) • Displays capture filename and size • Display information field • P = Total • D = Displayed • M = Marked

  10. Packets and ProtocolsChapter 4 • File menu

  11. Packets and ProtocolsChapter 4

  12. Packets and ProtocolsChapter 4 • There are several save options Captured Displayed Range

  13. Packets and ProtocolsChapter 4 • Note that when you save a filtered capture, you strip off all other packets in the newly saved capture file • Make sure you do not need these packets!

  14. Packets and ProtocolsChapter 4

  15. Packets and ProtocolsChapter 4 • Wireshark name resolution • Three modes • MAC name resolution • Uses OUI names • Identified by 1st 6 bytes • Network name resolution • i.e. DNS name resolution • Transport name resolution • Translates ports to names

  16. Packets and ProtocolsChapter 4 • Save as dialogue box Note that many file types are available

  17. Packets and ProtocolsChapter 4 • Print dialog You can print in plain text, post-script or output to a file

  18. Packets and ProtocolsChapter 4 • Printing options • The summary line • All packets • Marked packets • Packets from x to y • All or partial detail

  19. Packets and ProtocolsChapter 4 • The Edit menu

  20. Packets and ProtocolsChapter 4

  21. Packets and ProtocolsChapter 4 • Find packet • Allows a search by filter, hex or string value • Uses same filters as display filters • Can search by HEX characters (good for MAC addresses) • String search useful for usernames, etc • Ability to search up or down • Case sensitive or insensitive

  22. Packets and ProtocolsChapter 4 • Time reference toggle • Allows you to calculate intra-packet times based on packets you select • How long did client “B” take to respond to client “A”?

  23. Packets and ProtocolsChapter 4 • Preferences Allows you to customize Wireshark to your personal liking or needs

  24. Packets and ProtocolsChapter 4 • The View Menu There is a lot of customizable information on the viewing capabilities of Wireshark

  25. Packets and ProtocolsChapter 4

  26. Packets and ProtocolsChapter 4 • Time display information • Time is gathered from LOCAL system time • Very important to synchronize times when doing simultaneous captures on two platforms • Wireshark can display time since 1st capture or delta time • Automatically display live capture • Useful when you need to watch the packet flow, but can slow the capture process

  27. Packets and ProtocolsChapter 4 • Color filters • Useful for the color-blind • Allows you to change the color of protocols, errors, etc.

  28. Packets and ProtocolsChapter 4 A color coded display can help you troubleshoot

  29. Packets and ProtocolsChapter 4 • Show packet in new window • Allows you to zero in on a single packet

  30. Packets and ProtocolsChapter 4 • Go menu • Allows you to navigate thru the capture

  31. Packets and ProtocolsChapter 4 • Capture menu

  32. Packets and ProtocolsChapter 4 • You can capture on any single interface on you Wireshark PC * The packet count and packets per second displayed in the Capture Interfaces dialog box are not the total seen by the interfaces, but are the total count and rate seen by the interface from the time the Capture Interface dialog box was opened

  33. Packets and ProtocolsChapter 4 • Characteristics Tab

  34. Packets and ProtocolsChapter 4 • Statistics Tab

  35. Packets and ProtocolsChapter 4 • Protocol (Ethernet) Tab

  36. Packets and ProtocolsChapter 4 • WLAN Tab

  37. Packets and ProtocolsChapter 4 • Capture Options • How • To display? • What • Is captured? • Where • To store? • When • To capture?

  38. Packets and ProtocolsChapter 4 What interface? Buffer size? Promiscuous? Capture filter? Where to save? Use multiple Files? How many? When to stop?

  39. Packets and ProtocolsChapter 4 • Buffer size vs. Capture size • Buffer size is dependant upon RAM • Capture size is dependant upon hard drive size • Too large a buffer can slow the capture process and cause data loss – too small will not give the HDD time to write the data • Defaults are best!

  40. Packets and ProtocolsChapter 4 • Capture options • While you can stop a capture based on: • Capture a number of packets and stop • Capture for a period of time and stop • Capture a number of kilobytes and then stop • There is no way to start a capture automatically (with Wireshark)

  41. Packets and ProtocolsChapter 4 • The capture dialog box

  42. Packets and ProtocolsChapter 4 • Ringing the capture buffer • Allows you to save multiple captures • Select “Use multiple files” • Select “Next file every …” Minutes or KB • Figure how many files to keep “Ring buffer” • Decide when to stop the capture • Stop capture after • X ring captures • X minutes/hours/days • Kb/Mb/Gb

  43. Packets and ProtocolsChapter 4

  44. Packets and ProtocolsChapter 4 • Capture filter list • Name the filter • Create the filter

  45. Packets and ProtocolsChapter 4 • Capture filters vs. Display filters • Capture filters are used before the capture to narrow what is gathered • Display filters are used after the capture to filter the output • Capture and display filters are different • Capture = tcp port http • Display = protocol=http • Both do the same thing!

  46. Packets and ProtocolsChapter 4 • Analyze Menu Option

  47. Packets and ProtocolsChapter 4 • There are literally thousands of capture options available and the good news is most have already been written for you.

  48. Packets and ProtocolsChapter 4 • Edit display filter list • Allows you to create display filters via GUI • Select Major protocol…

  49. Packets and ProtocolsChapter 4 • Operators include: • == • != • > • < • >= • <= • Select operator

  50. Packets and ProtocolsChapter 4 • Select value • Note that the value will change depending upon the protocol chosen

More Related