
James P.G. Sterbenz
ITTC Communication Networks Laboratory
The University of Kansas
EECS 780


Introduction to Protocol Analysis with Wireshark

Egemen K. Çetinkaya, Mohammed Alenazi and James P.G. Sterbenz
Department of Electrical Engineering & Computer Science
Information Technology & Telecommunications Research Center
The University of Kansas

malenazi@ittc.ku.edu
jpgs@eecs.ku.edu
http://www.ittc.ku.edu/~jpgs/courses/nets

22 January 2013
rev. 13.0

© 2004-2013 James P.G. Sterbenz


Protocol Analysis with Wireshark

Outline

L1.0  EECS 780 laboratory outline
L1.1  Motivation and overview
L1.2  Wireshark installation and use
L1.3  Protocol analysis examples
L1.4  Getting started

22 January 2013

KU EECS 780 Comm Nets Wireshark Lab

NET-L1-2

ITTC

James P.G. Sterbenz

EECS 780 Laboratories




EECS 780 Laboratories

Semester Outline

Wireshark labs
  throughout semester, intuitive, based on textbook
Wiki and web authoring
  requires EECS, KU, or ITTC account
Socket programming
  relatively simple lab to demonstrate socket concepts
Network simulation
  lab to introduce network simulation
Hands-on network performance evaluation
  configure Cisco router, utilise open source tools
Others if time permits
  programmable networks using GpENI testbed


Protocol Analysis with Wireshark


Motivation and Overview



Motivation and Overview

Introduction (1)

Wireshark is a network protocol analyzer
  www.wireshark.org
First released in 1998 by Gerald Combs as Ethereal
  many contributors around the world
Open source and free software
Graphical alternative to tcpdump


Motivation and Overview

Introduction (2)

Powerful tool for network troubleshooting
Sniffs and captures live traffic
Filters data for ease of analysis
Statistics and graphs available
Used in industry and academia


Protocol Analysis with Wireshark


Wireshark Installation and Use



Wireshark Installation
Highlights

Wireshark can be installed on various platforms
  UNIX, MS, Linux, Mac OS, etc.
Most recent release is v.1.8.4, Nov. 2012
System requirements
  section 1.2 at http://www.wireshark.org/docs/wsug_html/
  rule of thumb: fast CPU, more memory is better
FAQs and Wiki pages provide more information


Wireshark Installation
Overview

Installation of Wireshark requires
  downloading the relevant package
  building the source into binary if the source is downloaded
  installing the binaries to their destinations
  section 2 at http://www.wireshark.org/docs/wsug_html/ provides detailed installation instructions
Windows installation includes WinPcap
  packet capture library (also needed for tcpdump)
Installation easy and intuitive


Wireshark Usage

Windows XP Installation (1)

Go to wireshark.org
Click on Download Wireshark
Save and run the executable (.exe) file
Installation wizard is intuitive

Wireshark Usage

Windows XP Installation (2)

pcap library is required to capture low-level network messages
  WinPcap for Windows, libpcap for UNIX/Linux
Latest WinPcap release 4.1.2

Wireshark Installation
Windows XP Installation (3)


Wireshark Usage
Main Features

Capturing live traffic
  data can be captured on wired or wireless medium
Numerous protocols can be captured and analyzed
Filtering is essential when dealing with lots of packets
  filters can be applied on protocols, fields, values, etc.
  filtering while capturing packets is possible


Wireshark GUI
Main Window

menu
main toolbar
filter toolbar
packet list pane
packet details pane
packet bytes pane
status bar

Wireshark Usage
Starting Capture

To capture: go to Capture menu and select Interfaces
Start capturing on interface that has IP address
Other ways of capturing possible

Wireshark Usage
Capturing (1)

Once capturing starts, the main window stays blank until data is exchanged on the Network Interface Card (NIC)


Wireshark Usage
Capturing (2)

When packets are exchanged on the NIC, they are dumped to the main window


Wireshark Usage
Stopping Capture

Capturing can be stopped by clicking on the Stop the running capture button on the main toolbar


Wireshark Usage
Filtering

Filter by entering the protocol name or field name and clicking the Apply button in the filter menu
Detailed filters can be applied by creating expressions

Protocol Analysis with Wireshark


Protocol Analysis and Examples



Protocol Analysis with Wireshark

Protocol Analysis

Packets/protocols can be analyzed after capturing
  individual fields in protocols can be easily seen
  graphs and flow diagrams can be helpful in analysis


Protocol Analysis and Examples

Packet Details Pane

Analysis is performed manually
Example shows TCP segment with SYN and ACK fields set to 1


Protocol Analysis and Examples

Packet Bytes Pane

Zoom in or out is possible in main toolbar
Packet Bytes pane consists of offset, Hex, and ASCII fields
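The packet details pane shows decoded header fields (here a TCP segment with SYN and ACK set) and the packet bytes pane shows the same segment as offset, hex and ASCII columns. The following Python is an added example, not part of these slides, that reproduces both views for a constructed SYN/ACK TCP header; the tcp.* keys mirror the display-filter field names one types into the filter toolbar, and every sample value is made up.

```python
import string
import struct

# Constructed sample (not a real capture): a 20-byte TCP header for a
# SYN/ACK with no options and no payload.
SAMPLE_TCP = struct.pack(
    "!HHIIBBHHH",
    80,          # source port
    51234,       # destination port
    0x11223344,  # sequence number
    0x00000001,  # acknowledgement number
    5 << 4,      # data offset = 5 words (20 bytes); reserved bits 0
    0x12,        # flags: ACK (0x10) | SYN (0x02)
    29200,       # window size
    0x0000,      # checksum (left 0 in the sample; not verified here)
    0,           # urgent pointer
)

FLAG_BITS = [("fin", 0x01), ("syn", 0x02), ("rst", 0x04), ("psh", 0x08),
             ("ack", 0x10), ("urg", 0x20), ("ece", 0x40), ("cwr", 0x80)]

def parse_tcp(segment):
    """Decode the header fields the packet details pane shows, keyed by
    the tcp.* names one would type into the filter toolbar."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    fields = {"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
              "tcp.ack": ack, "tcp.hdr_len": (off_res >> 4) * 4,
              "tcp.window_size": win}
    for name, bit in FLAG_BITS:
        fields["tcp.flags." + name] = 1 if flags & bit else 0
    return fields

def hexdump(data, width=16):
    """Render offset, hex and ASCII columns like the packet bytes pane."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if chr(b) in printable else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, asc))
    return lines

if __name__ == "__main__":
    f = parse_tcp(SAMPLE_TCP)
    print("SYN/ACK" if f["tcp.flags.syn"] and f["tcp.flags.ack"] else "other")
    print("\n".join(hexdump(SAMPLE_TCP)))
```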


Protocol Analysis and Examples

Statistics Flow Graph Example

TCP plots and flow graphs are available in Statistics menu
Example shows a flow diagram of ping utility


Protocol Analysis with Wireshark


Getting Started



Getting Started

Installation and First Lab Exercise

Install Wireshark
Go to student resources web page at
  http://www.pearsonhighered.com/pearsonhigheredus/educator/product/products_detail.page?isbn=9780132856201
Complete first Wireshark Lab: Getting Started
Familiarize yourself with Wireshark


Protocol Analysis with Wireshark

Acknowledgements

Some material in these foils comes from the textbook supplementary materials:
  Kurose & Ross, Computer Networking: A Top-Down Approach, 6th ed.
  http://kuroseross.com
  http://www.wireshark.org/
  http://www.winpcap.org/
