
Cisco ITP in eServGlobal IN

Setting up Wireshark

PS and Support Internal Training


Diegem
Imro Landveld
Implementation Practice

30 August 2006

2006 eServGlobal Ltd

Wireshark: What is it?

Open Source Network Protocol Analyser and packet sniffer

New name for Ethereal; see www.wireshark.org

NOT JUST FOR IP, not just for Ethernet, useful with SS7, Sigtran

IP functionality similar to tcpdump(1), but with a GUI front-end

Capture packets live off the wire or replay other capture files

Display filters and lots of smart statistics and tools

It can understand and dissect over 800 protocol types, for free!

Understands snoop files from Solaris

Wireshark Overview | 2 | 2006 eServGlobal

Wireshark Features

Available for UNIX and Windows:

Capture live packet data from a network interface

Display packets with very detailed protocol information

Open and Save packet data captured on an interface

Import and Export packet data from and to a lot of other capture
programs

Filter packets on many criteria

Search for packets on many criteria

Colorize packet display based on filters

Create various statistics

Other utilities to manipulate traffic data

Reads compressed trace files (e.g. .gz) without decompression

... and a lot more!


Wireshark: Why do we use it?

We use it during Implementation and Integration of an IN

To read a Sigtran traffic snoop file off the UAS and decode TCAP

To capture and decode MTP3 traffic flowing through the ITP

To capture TCP traffic between USMS and OSS machines

To capture traffic to network managers, such as HP OpenView

To learn network protocol internals

It saves a LOT of time, and a LOT of arguments, please use it!

I have a distribution on a local server: install and play!

Installation file is simple to run

Pre-installs WinPcap for real-time capture

Uses a port of GTK-Wimp for the user interface


Wireshark: Getting Started

Read in a simple snoop trace:

Get a sample capture file from the server

Open the file Wireshark Sample telnet.pcap

wiki.wireshark.org/SampleCaptures has a lot more

View -> Normal Size (control + =) will resize the columns

By default there are three windows:

Packet list (frame number, time, source, destination, summary)

Packet detail (detailed packet decode in an exploding tree structure)

Packet bytes (the actual bytes that were captured off the wire)

Note the Filter: window; we'll get onto that

Window can be made to zoom or compress (control + - or +)

Layout can be changed in Edit -> Preferences -> Layout

Protocol is deduced from the data and the preferences


Wireshark Following TCP Data 1/1

Click on the second frame; you have now selected it

Expand the Ethernet tree in the Details pane

See the MAC addresses (you can have it translate to a human name)

Note the decode. How does it know this is TCP and telnet data?

What do you see about the port numbers?

Click the colorize button and look at frame number 18

See the RED banner showing checksum error? Why is this?

Go to Edit -> Preferences -> Protocols -> TCP, uncheck
Validate the Checksums and click OK (NOT Save)

Right click on packet 19 and select Follow TCP Stream

Click the clear button in the Display filter window

Now you know why you should always use SSH, not Telnet


Wireshark Following TCP Data 2/2

Open Wireshark Sample Dennis.gz

It reads .gz files directly

Use the Find tool to find the string dog in one of the packets

In the Display Filter box, type the word (lowercase) pop

You see all the POP3 traffic (I removed the password packet)

Clear the filter and click to select packet 390

Open up the TCP tree and select Source Port (21)

Right-click and choose Prepare as a Filter -> Selected

This puts the selected data in the Filter box

Then packet 391, and select the Destination Port (21)

Right-click and choose Apply as a Filter -> ... or Selected

Display filter is (tcp.srcport == 21) || (tcp.dstport == 21)

This would be nearly the same as putting ftp in the display filter
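Added example (not from the original slides): constructed Ethernet/IPv4/TCP frames decoded into Wireshark field names, with the TCP checksum check behind the RED banner from the earlier slide and the (tcp.srcport == 21) || (tcp.dstport == 21) filter built above. The MACs, the 198.51.100.x addresses and the frame contents are made up for the example.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum: pseudo-header (addresses, protocol 6, length) plus the whole segment."""
    return ones_complement_sum(src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment)

def build_frame(src_ip, dst_ip, sport, dport, payload=b"", offloaded=False):
    """Constructed Ethernet/IPv4/TCP frame (made-up MACs, IP header checksum left at 0).
    offloaded=True leaves the TCP checksum 0, as a capture on the sending host shows it."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    if not offloaded:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp

def dissect(frame: bytes) -> dict:
    """Decode what the Packet detail pane shows, keyed by Wireshark display-filter field names."""
    ihl = (frame[14] & 0x0F) * 4
    src, dst, tcp = frame[26:30], frame[30:34], frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "ip.src": socket.inet_ntoa(src), "ip.dst": socket.inet_ntoa(dst),
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.checksum": struct.unpack("!H", tcp[16:18])[0],
        # Wireshark's check: the checksum over the segment exactly as captured must be 0
        "tcp.checksum_good": tcp_checksum(src, dst, tcp) == 0,
    }

def ftp_port_filter(fields: dict) -> bool:
    """The display filter built on the slide: (tcp.srcport == 21) || (tcp.dstport == 21)."""
    return fields["tcp.srcport"] == 21 or fields["tcp.dstport"] == 21

# Constructed sample capture: FTP login from the laptop (checksum offloaded), the server's reply,
FRAMES = [  # and an unrelated HTTP request. Frame numbers start at 1, as in Wireshark.
    build_frame("192.168.29.2", "198.51.100.21", 3456, 21, b"USER dennis\r\n", offloaded=True),
    build_frame("198.51.100.21", "192.168.29.2", 21, 3456, b"331 Password required\r\n"),
    build_frame("192.168.29.2", "198.51.100.80", 3457, 80, b"GET / HTTP/1.0\r\n\r\n"),
]
FTP_FRAMES = [n for n, f in enumerate(FRAMES, 1) if ftp_port_filter(dissect(f))]  # → [1, 2]
```

Frame 1 fails the checksum check only because it was captured before the NIC filled the checksum in, which is the usual reason for the RED banner on a capture taken on the sending machine. The port filter also catches segments with no payload (SYNs, pure ACKs) that the `ftp` protocol filter does not, which is why the two are only nearly the same.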


Wireshark Following TCP Data 3/3

Continuing with Wireshark Sample Dennis.gz

Clear the filter and click Expression next to the display filter window

Select ip.dst in the Field Name, == in the Relation and 203.26.51.42 in the Value box, and click Apply

What does that show? What protocol type is it?

Click the Find box, choose Display Filter, place the expression dns.flags == 0x0100 in the box and click Find. What's that?

Edit -> Mark that packet and print that marked packet only. Unmark it again
You can save common filters for later use

You can save files with only subsets of data

Save all the NTP data in another file (hint: use display option)

Mark packets 233 and 244 and save them to a file with another name.


Wireshark IP Statistics 1/1

Continuing with Wireshark Sample Dennis.gz

Look at the Statistics -> Protocol Hierarchy. Note the hierarchy of protocols and where they all fall in relation to Ethernet, IP and TCP

Look at the Statistics -> Conversations. Why are there only 8 Ethernet conversations and yet there are 66 IP ones?

Select only HTTP data and Flow Graph statistics

Do the same with ICMP and NTP data (fairly simple, I know)

Select the IO graphs under statistics

Use the filter to see the distribution of various protocols, e.g. SSH


Graph the bytes per second of traffic going TO 192.168.29.2 versus the traffic coming BACK from 192.168.29.2. Hint: go back to the main window and save 2 filters (SSH Incoming and SSH Outgoing), then use them here. Click the Filter button to see how to save filters (this is a bit tricky; you need to see some quirks of the UI)


Wireshark IP Packet Capture 1/1

Select Packet Capture to find packets to/from your laptop

See the Interfaces, Options and Start buttons

Warning! Do not be tempted to misuse this, it's CRIMINAL!


That's it!


Who's Thirsty?
