
Article by Mark Boyd

www.simpleit.tumblr.com

Using Wireshark for traffic analysis


Almost all of the information in the piece below is information disseminated from www.sans.org and its affiliates. My experience is in the Managed Services Provider sector, more specifically, the Education vertical.

Troubleshooting Network Problems: Wireshark

We have all been there: two servers not talking to each other, two domain controllers not replicating information, workstations getting some policies but not others, workstations not getting out to the internet. At a lower level, we have all had the complaint "The internet is slow" or "The network is slow". You know that is such a subjective sentence that it enrages you. Whether on a limited budget or a huge budget, you know that throwing money at a network infrastructure refresh might not solve the problem; you might be the I.T. Manager / I.T. admin because no one else in the organisation was knowledgeable enough to do it. Who's to say throwing money at a network refresh will solve these problems? Do you know how many users are out there? Do you know the origins of the network traffic? Do you configure your switches to prioritise traffic? Do you even know if your switches are configured? Do you know if your switches are capable of being configured?

First up we will look at Wireshark, formerly Ethereal. Wireshark can be daunting: the information you see can look foreign, alien even, or worse, like programming code. Who likes programming? No one, that is who. Any resemblance Wireshark packet captures have to programming is enough to scare me away. Here is a screenshot of a standard Wireshark packet capture:

So, right now, you are about to close this document and say "No way, I am out, not doing this, no way I am going to be a part of this, what is this madness? What is this crazy alien output I am seeing?"

To install and/or configure Wireshark, and for perhaps better examples of how to use it, visit here.

Thursday, 23 June 2011

Page 1


In the words of Professor Farnsworth (Futurama), "Good news everybody!" Do not worry, you don't have to know everything there is to this program, and you don't need to understand every bit and byte of a packet capture. Below is a single statement, the one that could help you troubleshoot any and all network problems you may have now or in the future. Ask yourself:

1. What do you know?
2. What are you expecting to see?
3. What should be happening?

Alright, so we have a statement, now for the scenario: you want to troubleshoot your inability to use Microsoft Remote Desktop to a given server. It simply isn't working. So, let's analyse. What do you know about Remote Desktop?

- It uses port 3389 to connect to the desired server / workstation.
- You can connect using an I.P. address or a computer name.
- There might be multiple hops along the way.
- You already know what IP addresses exist between you and your destination.
- You don't know where it is failing when you try to RDP.

Enter Wireshark. Remember that screenshot above, all the letters, numbers, all the TCP this and ACK that? Well, you need to know none of it. All you need to know is the single most important element critical to RDP functioning, in this case traffic across port 3389, or even more important, traffic with the destination of the server you are trying to connect to. See screenshot below.

See what we did there? We applied a filter. It is as simple as that: a filter shows us all traffic to and from our intended destination, and if the destination never appears, traffic is blocked somewhere. My contention is that armed with some common filters, you can discover what is happening with your traffic. There are quite literally thousands of built-in filters and expressions; where you can't find anything in Wireshark help, remember, Google is your friend. Click here or here for a more comprehensive guide, or use the help system in Wireshark.

The moral of the story: don't be afraid. Wireshark is brilliant under every scenario, and you don't need to have a Bachelor of Computer Science (a mostly worthless piece of paper anyway) to understand what the outputs say. All you need is some practice, the application of some common I.T. knowledge and an appreciation of how the filters work.

This article was inspired by the following case study: http://www.sans.org/reading_room/whitepapers/casestudies/simple-traffic-analysis-ethereal_1631

Next article: Building a secure network, the fundamentals, the high level concepts
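As an added example (not from the article or its SANS source), here is the same filter-then-reason step written out in Python: a function equivalent to the display filter `ip.addr == <server> && tcp.port == 3389`, and a diagnosis of where the RDP handshake stops, run over constructed packet summaries. The names `Packet`, `rdp_filter` and `diagnose` and all addresses are assumptions.

```python
# Added example (not from the article): the article's filter idea applied to
# constructed packet summaries, so the three questions (what you know, what
# you expect to see, what should happen) turn into a concrete diagnosis.
# Assumed names: Packet, rdp_filter, diagnose; every sample packet is made up.
from dataclasses import dataclass

RDP_PORT = 3389  # what you know: RDP uses TCP port 3389

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "RA"; "" for non-TCP

def rdp_filter(packets, server_ip):
    """Same effect as the Wireshark display filter: ip.addr == server && tcp.port == 3389"""
    return [p for p in packets
            if server_ip in (p.src, p.dst) and RDP_PORT in (p.sport, p.dport)]

def diagnose(packets, client_ip, server_ip):
    """What you expect to see is SYN, SYN-ACK, ACK; report which step is missing."""
    hits = rdp_filter(packets, server_ip)
    to_srv = [p for p in hits if p.src == client_ip and p.dst == server_ip]
    from_srv = [p for p in hits if p.src == server_ip and p.dst == client_ip]
    if not to_srv:
        return "no packets to the server on 3389: client never sent (name resolution, route or local firewall)"
    if any("R" in p.flags for p in from_srv):
        return "server replied with RST: reachable, but nothing listening on 3389 or host firewall rejects"
    if not any(p.flags == "SA" for p in from_srv):
        return "SYN sent but no SYN-ACK: dropped in transit or silently by the server"
    return "handshake completed: the network path is fine, look at RDP itself"

# Constructed sample captures (not real traffic)
CLIENT, SERVER, GATEWAY = "10.0.0.5", "10.0.0.20", "10.0.0.1"
BLOCKED = [Packet(CLIENT, GATEWAY, 51000, 53, ""),        # unrelated DNS query, filtered out
           Packet(CLIENT, SERVER, 51001, RDP_PORT, "S"),
           Packet(CLIENT, SERVER, 51001, RDP_PORT, "S")]  # SYN retransmit, no answer
REFUSED = [Packet(CLIENT, SERVER, 51002, RDP_PORT, "S"),
           Packet(SERVER, CLIENT, RDP_PORT, 51002, "RA")]
WORKING = [Packet(CLIENT, SERVER, 51003, RDP_PORT, "S"),
           Packet(SERVER, CLIENT, RDP_PORT, 51003, "SA"),
           Packet(CLIENT, SERVER, 51003, RDP_PORT, "A")]

if __name__ == "__main__":
    for name, cap in (("blocked", BLOCKED), ("refused", REFUSED), ("working", WORKING)):
        print(f"{name}: {diagnose(cap, CLIENT, SERVER)}")
```

The same three outcomes are what you look for in the filtered Wireshark view: repeated SYNs with nothing back, a RST from the server, or a completed handshake.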

