
Wireshark – What is it?

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

vesta

Presentation Transcript


  1. Wireshark – What is it?
     Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Formerly known as Ethereal.

  2. What’s Needed?
     • Hub
     • Switch with monitor port
     • Wireshark
     • www.wireshark.org/

  3. Features
     • Ability to inspect hundreds of protocols
     • Capture & analyze traffic in real time
     • Works with Windows, Linux, OS X
     • Import from tcpdump, Microsoft Network Monitor

  4. What can’t you do?
     • Dual-speed hub warning
     • Note that "dual-speed" hubs that support both 10MBit and 100MBit ports might not send all unicast traffic between 10MBit and 100MBit ports; if so, you can only capture all traffic between hosts whose Ethernet interfaces are both running at the same speed as the Ethernet interface on the machine capturing traffic.
     • This means that if you have two hosts communicating at 100MBit/s, you will only be able to capture the traffic between them if the Ethernet interface of the machine capturing traffic is configured for 100MBit/s. Similarly, if you have two hosts communicating at 10MBit/s, you will only be able to capture the traffic between them if the Ethernet interface of the machine capturing traffic is configured for 10MBit/s, which is probably not the default configuration.

  5. Real Hubs
     • REAL HUBS: Devices that are real hubs; convenient for capturing. Side Note: This category could really be broken into hubs that are real hubs (i.e. repeaters) and hubs that are really switches with learning disabled. Most new hubs are in the latter category, as it is a cost-effective way for manufacturers to produce hubs using the same chips as their switches. The difference from a packet-sniffing point of view is that the hub based on switch technology will only forward 'clean' packets, whereas a genuine hub is an electrical repeater and has no knowledge of what a packet should look like. You could have a device on your network spitting out all kinds of malformed junk, but if you're sniffing via a switch-type hub, you won't see it. Neither is to be confused with a switch which operates as a switch (i.e. learns and maintains a MAC address table) but has been called a hub by well-meaning but ultimately dumb people in marketing.
     • 3Com
       • OfficeConnect Dual Speed Hub 16 (3C16751B) -- GeraldCombs
       • OfficeConnect Dual Speed Hub 8 (3C16750B) -- T. Eric Hong
         • See above: From the 3com site: "The OfficeConnect Dual Speed Hub 8 features eight 10/100 Mbps Ethernet hub ports that automatically sense and match the speed of an attached network device to optimize performance. An internal built-in switch seamlessly connects users." "Tim Casey"
       • OfficeConnect Dual Speed Hub 8 (3C16753) -- N.B. Cannot sniff this variant -- Malcolm Doody
         • From the 3com site: "Designed specifically for the small company or home office, this flexible, reliable, plug-and-play hub offers a smooth way to migrate to higher Fast Ethernet performance yet still support Ethernet PCs and network devices. Eight autosensing 10/100 Mbps ports match the speed of any attached device to optimize throughput. A built-in switch seamlessly connects 10/100 Mbps users." "Tim Casey"
       • OfficeConnect 10 Mbps Hub 4 (3C16704A) -- Phil Gorsuch
     • D-Link
       • DE-805TP 5 Port 10 Mbps Hub -- Rendra
     • Dynex: Seemingly manufactured for Best Buy (from looking at the box), these are currently available in B&M Best Buys (as of August, 2006). (still found as of Apr 2008)
       • DX-EHB4 - 4 Port 10 Mbps HUB - Byzantium
     • Edimax: Edimax still has a number of hubs available according to their "Fast Ethernet Switches / Hub" list:
       • ER-5398S
       • ER-5397P
       • ER-5390P is known to be working.
       • ER-5395P
       • Andreas Sikkema
     • Garrett Communications
       • Magnum H50 -- Kedar
     • Hawking
       • 10Base-T 4-Port Hub (PN400TP) - Jamie Rybarczyk
     • Hewlett-Packard
       • ProCurve 10Base-T Hub 8 (HP J4090A) -- PetrVacha
     • Level One
       • FHU-0400TXDS 4port 10/100Mbps (Note: no internal bridge between 10 and 100 Mbps!) - UlfLamping

  6. Fake Hubs
     • Linksys
       • EFAH05W (Grey Case) - DonMcLane
       • EFAH08W Version 2.0
       • EFAH24 24 Port 10/100 Old (no date), has 1 fan and 2 exp slots (Didn't test across speeds, but with everything at 100 Snort is up.)
     • NETGEAR
       • DS104 Dual Speed HUB - Jens Link
       • DS106 Dual Speed HUB also works
       • DS108 Dual Speed HUB - Jens Link
       • DS116 Dual Speed HUB - Amy Phillips
       • DS524 24-port 10/100 (bridging between 10 and 100 Mbps filters packets!) - reported by Simon Bradley
       • DS508 8-port 10/100 - part of the same family as the DS524, so it probably behaves like the DS524 - Guy Harris
       • DS516 16-port 10/100 - part of the same family as the DS524, so it probably behaves like the DS524 - Guy Harris
       • EN104 10Base-T Hub 4port - Andy Dansby
     • SMC
       • 5208TX EX Hub 10/100 8 port - RicNepil
     • W-linx
       • SS-F05CM Mini 5 port Fast Ethernet HUB (can be powered from USB-port!!!) - SakeBlok

  7. Fake Hubs
     • Devices that claim to be hubs, but in fact are switches. Please add information to this list about models you know (including valuable info such as link speed and the like) ....
     • 3Com
       • OfficeConnect Dual Speed Hubs. From the 3com site: "The OfficeConnect Dual Speed Hub 8 features eight 10/100 Mbps Ethernet hub ports that automatically sense and match the speed of an attached network device to optimize performance. An internal built-in switch seamlessly connects users."
     • Linksys
       • EFAH05W - ErkanAltan
         • Brutally-Forced Wiretap - David Savinkoff
           • Connect Fake-Hub Uplink RJ-45 connector to network
           • Connect Fake-Hub 5th RJ-45 connector to crossover cable
           • Connect other end of crossover cable to Sniffing computer
           • Connect other side of network to Fake-Hub connectors 1...4
       • EFAH05W v2
         • Uses Micrel KS8995 5-Port Integrated Switch IC
       • EFAH08W - ErkanAltan
         • Version 3.0 ONLY. Steven Posnack noted the differences.
       • EFAH16W (10/100 5-Port and 16-Port Workgroup Hubs including V2) - ErkanAltan
       • EF2H24 (10/100 24 Port Hub) - Joe Nardone
         • Version 2.0 ONLY.
       • NH1005 V2 - Charles Dunkirk
         • I was not able to get a new hub matching this version to work for passive sniffing. -- Ryan Sommers
         • I cannot sniff this 'hub' either. After googling around, I am fairly sure this is a rebadged switch. This hub used to be under 'REAL HUBS' so I moved it down here and kept the comments and attributions -- Rick Hull
         • This is not a hub, the internals are made by a company called Kendin, the IC product number is KS8995, a 10/100 switch -- Trey Keifer
     • Allied Telesyn
       • AT-FH708E (Unmanaged Fast Ethernet Hub)
     • SMC
       • EZ5808DS (Unmanaged Fast Ethernet Hub) Todd Parker
     • ZIO
       • ESB550SW (10/100 5-port Switching Hub)
     • Intel
       • InBusiness 8-Port Hub (SH10T8)
     • Genius KYE SYSTEM CORP
       • GS4080 Mini (10/100 8-port Hub)
         • Claims to be a HUB, but has an RTL8309SB chip inside, which is a single-chip 9-port 10/100 Mbps SWITCH controller

  8. Demo
     • Set Nic
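
The real-hub versus fake-hub distinction in slides 5 to 7 can be checked from a capture: a repeater shows the sniffer unicast frames between other hosts, a switch does not. The following is an added example, not part of the original presentation; it assumes a classic pcap file (for example written by tcpdump) captured in promiscuous mode while two other hosts on the device exchange traffic, and all MAC addresses and sample captures in it are constructed.

```python
import struct

def frames(pcap):
    """Yield (dst, src) MAC pairs from a classic Ethernet pcap (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:                  # full Ethernet header present
            yield frame[:6], frame[6:12]

def classify(pcap, my_mac, min_foreign=3):
    """Count frames by their relation to the capturing NIC and give a verdict."""
    counts = {"mine": 0, "flooded": 0, "foreign_unicast": 0}
    for dst, src in frames(pcap):
        if my_mac in (dst, src):
            counts["mine"] += 1
        elif dst[0] & 1:                      # group bit: broadcast or multicast
            counts["flooded"] += 1            # a switch sends these to every port too
        else:
            counts["foreign_unicast"] += 1
    # A switch may flood a few unicast frames before it learns a MAC address,
    # so require more than a handful before calling the device a repeater.
    repeats = counts["foreign_unicast"] >= min_foreign
    return counts, "repeats unicast (hub-like)" if repeats else "filters unicast (switch-like)"

def build_pcap(pairs):
    """Constructed sample input: a little-endian pcap with minimal 14-byte frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in pairs:
        frame = dst + src + b"\x08\x00"
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed, locally administered MAC addresses: the sniffer and two other hosts.
ME, A, B = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"
BCAST = b"\xff" * 6
HUB_CAPTURE = build_pcap([(A, B), (B, A), (A, B), (BCAST, A), (ME, A)])
SWITCH_CAPTURE = build_pcap([(BCAST, A), (ME, A), (A, ME), (BCAST, B)])

if __name__ == "__main__":
    print(classify(HUB_CAPTURE, ME))
    print(classify(SWITCH_CAPTURE, ME))
```

On a dual-speed device, repeat the capture with the other two hosts linked at a different speed from the sniffer, since slide 4 notes that unicast traffic may not cross the 10/100 boundary.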
