
1/51 Self study Wireshark basics self study

teeloran 20.05.2008, 1.0.0


COO/BE/RD&D/I&V. For internal use

Wireshark basics self study

Version 1.0.0

20.5.2008

About the self study


This document combines theory and exercises for learning the basics of
protocol monitoring with Wireshark. Wireshark was formerly known as Ethereal;
Ethereal is no longer developed or supported. The command line version of
Wireshark is called tshark (formerly tethereal).

The material serves new users of Wireshark best, but should also give some
pointers to slightly more experienced users. It was written using Wireshark
version 1.0.0, but almost all of it should apply to any later version of
Wireshark (and to Ethereal). It is strongly recommended to always use the latest
version of Wireshark: besides new features, it carries the fixes for dissector
bugs, which matters when the traffic you capture is not under your control.

Most of the tasks that can be considered 'advanced usage' of Wireshark are
tightly tied to particular protocols and to the domain in question. Writing
capture or display filters for a specific protocol is typically what users want
to learn more about, but Wireshark supports several hundred protocols and NSN
probably has hundreds of different use cases, so this self study cannot cover
them all. Instead it gives general theory and practice that apply to most (if
not all) protocols, which should be a good basis for whatever job you use
Wireshark for.

The environment for the self study is Linux, but almost all of the material
applies to the Windows version as well; e.g. the command line tools are
available for Windows too, packaged as separate .exe files that ship with the
Wireshark distribution package. Linux is the preferable environment because it
is the most widely supported platform for the various device interfaces and is
in general a much more flexible testing platform than Windows.

After going through/using this self-study, please give your feedback to the author
of the material in general and especially if found any bugs etc. Thank you!

Requirements for the self study


The reader should have some basic knowledge of protocols and understand the
idea of protocol monitoring in general. Wireshark should also be available
(installed or installable) on the monitoring PC, together with a web browser,
for doing the exercises at the end of this paper.

Table of contents
About the self study..........................................................................................2

Requirements for the self study........................................................................2

Table of contents...............................................................................................3

References.......................................................................................................5

Version history..................................................................................................5

Terms and Abbreviations...................................................................................6

Introduction of Wireshark..................................................................................7
General............................................................................................................................................. 7
The main window.............................................................................................................................. 8
Help system...................................................................................................................................... 9
Capture media support....................................................................................................................10
Protocol support.............................................................................................................................. 10
Platform support.............................................................................................................................. 11
Support for other network analyzers and equipment........................................................................11
Installation....................................................................................................................................... 13
Wireshark........................................................................................................................................ 13
Compiling in Linux........................................................................................................................... 13
Installing ready-made binaries in Linux...................................................................................14
Packet capture library.................................................................................................................14
Separate protocol dissectors (plug-in units)....................................................................................14

Monitoring.......................................................................................................16
Where to monitor?........................................................................................................................... 16
Wireshark preferences and parameterization of dissectors.............................................................17
Starting monitoring.......................................................................................................................... 18
Capture filters.................................................................................................................................. 21
General........................................................................................................................................... 21
Filter expressions............................................................................................................................ 21
Byte offset notation.......................................................................................................................... 21
Defining capture filters via GUI........................................................................................................23
Defining capture filters with tshark...................................................................................................24

Analyzation.....................................................................................................25
Display filters................................................................................................................................... 25
General........................................................................................................................................... 25
Defining display filters manually......................................................................................................26
Defining display filters via GUI.........................................................................................................26
Defining read filters in tshark...........................................................................................................29
‘Contains’ filter................................................................................................................................. 30

’Matches’ filter................................................................................................................................. 30
Coloring rules.................................................................................................................................. 31
Defining coloring rules..................................................................................................................... 31
Other methods................................................................................................................................ 34
Follow TCP stream.......................................................................................................................... 34

Tshark.............................................................................................................37

Other tools......................................................................................................38
TCPDUMP...................................................................................................................................... 38
Editcap............................................................................................................................................ 38
Mergecap........................................................................................................................................ 39
Text2pcap........................................................................................................................................ 39

Did you do the exercises?...............................................................................40

Getting help & more information.....................................................................41

Exercises........................................................................................................42
General........................................................................................................................................... 42
Capture filters.................................................................................................................................. 43
Display filters................................................................................................................................... 44
tshark.............................................................................................................................................. 45

Answers to practices.......................................................................................46
General........................................................................................................................................... 46
Capture filters.................................................................................................................................. 47
Display filters................................................................................................................................... 49
tshark.............................................................................................................................................. 50

References

[GNU GPL] GNU General Public License: http://www.gnu.org/copyleft/gpl.html

[GPLFAQ] GNU General Public License FAQ: http://www.gnu.org/licenses/gpl-faq.html

[NSNWIR] NSN Wireshark home page (wiki):
http://wikis.inside.nokiasiemensnetworks.com/bin/view/Wireshark/WebHome

[PCRE] Perl Compatible Regular Expression library: http://www.pcre.org/

[WINPCAP] WinPcap, a packet capture library for Windows:
http://winpcap.polito.it/default.htm

Version history

Date        Version  Author    Status  Summary of main changes
16.03.2005  0.0.1    teeloran  Draft   First version. Sent for first comments.
01.04.2004  0.1.0    teeloran  Final   Polished the text a bit. No content changes.
20.05.2008  1.0.0    teeloran  Final   Updated the document to Wireshark usage.



Terms and Abbreviations

ATM Asynchronous transfer mode

CLI Command line interface

GNU GPL GNU General Public License

HUB A hub functions as a multi-port repeater; signals received on any port are
immediately retransmitted to all other ports of the hub.

NIC Network interface card

PCRE Perl compatible regular expressions

SEE Software engineering environment (e.g. chosee, dmxsee, etc.)

SUT System under test

Switch Device that filters and forwards packets between LAN segments

TS Testing system

Introduction of Wireshark
General
Wireshark, http://wireshark.org, is a GNU GPL [GNU GPL] licensed, free, open
source, multi-protocol and multi-platform network protocol analyzer, similar in
functionality to e.g. LanAnalyzer, Etherpeek, NA Sniffer or tcpdump. In short,
the GNU GPL grants the user the freedom to read, modify and redistribute the
code (according to the license terms), and also the freedom to use it without
charge, unlike most commercial products. A good source of information on the
GPL is the GNU GPL FAQ [GPLFAQ].

Wireshark can be used to monitor network data from various HW interfaces
on-line, or to analyze previously saved capture files off-line. Wireshark can
also read the capture file formats of several other network analyzers and
supports various capture media.

Wireshark ships with a command line version of it called tshark.

Wireshark is now a ten year old project. The tool has a lot of features, it supports
a huge number of protocols and it’s development continues all the time. If you
know the basics of protocol monitoring, you should really have no trouble using
Wireshark.

The main window


The main window, Figure 1, shows the captured data in three panes: summary,
detail and data. This is the default view of Wireshark; it can be changed in
the settings according to the user's needs.

Figure 1 - Wireshark main window (summary pane on top, detail pane in the
middle, data pane at the bottom)

The summary pane displays a one-line summary of each packet, (in this case)
containing: frame number, time (here relative to the beginning of the capture),
source and destination address, protocol name and an info field for the
protocol. The user can add and remove columns according to his/her needs.

The detail pane shows detailed information about the packet that is selected in
the summary pane. The whole protocol tree can be browsed and individual fields
of the protocols can be studied. In the picture, a TCP packet is selected and
its checksum data is examined; the value of the checked field "Good Checksum"
is interpreted as "True".

The data pane shows the hexadecimal presentation of the raw data, highlighting
the bytes of the field selected in the detail pane. On the right is the ASCII
presentation of the same data. In the picture, we can see that the selected
checksum field takes 2 bytes of the message and has the hexadecimal value
"a1 e9".

Above the summary pane is a white display filter text box, which can be used to
filter the view, e.g. to show only the packets that fulfil certain conditions.

Above the display filter box is a traditional tool bar that gathers the most
often used functions, such as starting a new capture, opening and closing a
file, printing, saving, jumping to the next/previous packet matching the
display filter, etc. Wireshark has tool tips: hold the mouse cursor over a
button and you get a short description of it.

Help system
Wireshark provides a help functionality, which can be accessed from the menu:
Help | contents, in practice this opens an internet browser which shows a
“Wireshark user’s guide” page in wireshark.org. See Figure 2.

Figure 2 - Wireshark user’s guide

From the user’s guide, you should find info to any issues you have in mind.

Capture media support


Wireshark can capture data from many different capture media. The currently
supported media can be found in the wireshark.org wiki:
http://wiki.wireshark.org/CaptureSetup/NetworkMedia

Here is a screen shot from that page; it gives an overview of the supported
media types (see the link above for more info!). Support always depends on the
platform in question:

Figure 3 - supported media types

Protocol support
Wireshark supports almost a thousand protocols at the moment. For the complete,
always up-to-date list, see Wireshark home page -> Display filter reference:
http://www.wireshark.org/docs/dfref/. The list includes many protocols related
to telecommunications, e.g. RADIUS, MEGACO, CORBA/GIOP, TCP/IPv4/v6, SCTP, MTP,
SSCF-NNI, SIP, HTTP, SCCP, GTP, Java RMI and ATM, to name just a few.

Also, if you have Wireshark installed already, you can check the supported
protocols from the menu: Help | Supported Protocols. A dialog, Figure 4,
appears listing the supported protocols for that specific version of Wireshark.

Figure 4 - Supported protocols dialog

There are also some plug-in units (protocol decoding units separate from the
main binary, discussed further in chapter Separate protocol dissectors (plug-in
units)) made inside NSN, which are for internal use only and are not
distributed with Wireshark by default. For the list of these protocols, see
[NSNWIR].

Platform support
Wireshark works on many different platforms; here is a list of the most common
ones:

- AIX
- FreeBSD
- HP-UX
- Irix
- Linux
- Mac OS X
- NetBSD
- OpenBSD
- Solaris
- Tru64 Unix
- Windows

Support for other network analyzers and equipment


Wireshark can read (import) and save (export) various capture file formats
produced by other applications or equipment. So even if Wireshark itself cannot
capture on some network type, the capture can be done with another tool that
supports the media type and then analyzed in Wireshark. For the complete lists
of supported import and export formats, see the sections "Input File Formats"
and "Output File Formats" in the Wireshark user's guide.

Installation
Wireshark
There are two ways of installing Wireshark: either from ready-made binaries
(e.g. .exe for Windows and .rpm for Linux) or by building the tool from source.

Both types of packages can be downloaded from the Wireshark home page ->
Download, http://www.wireshark.org/download.html, or installed with e.g.
apt-get or its front-end synaptic if you are using an official Nokia Linux
distribution.

Linux is the preferred environment for Wireshark. It usually has all the
required tools and libraries (all free of charge and shipped with the Linux
distribution) installed by default, just waiting for you to compile Wireshark.
The capture media support is also widest on Linux.

For Windows you need MS Visual C++ (a license is required) and some libraries
from the Nokia SEE distribution packages to compile. On Windows, installing a
ready-made binary is easy with the graphical installation wizard. Windows and
other platform installations are not handled in more detail here; if you are
interested in building on Windows, see the Wireshark developer's guide.

Compiling in Linux
Compilation in Linux goes the traditional way:

1. Unpack the wireshark-<version>.tar.gz or .tar.bz2 archive:

   tar -xvzf package.tar.gz   or   tar -xvjf package.tar.bz2   respectively.

2. Run the configure script in the folder that was just extracted from the
   package; you can give a separate installation path if you want:

   ./configure --prefix=<installation path goes here>

3. Compile the source (as a normal user; only the install step needs root):

   make

4. Change to root:

   su -

5. Install Wireshark:

   make install

If you installed Wireshark somewhere other than the default path (e.g. /usr/bin
or /usr/local/bin), you need to either add the installation path to the PATH
variable or use an absolute path to the Wireshark binary when launching the
program.

You can define a system-wide PATH variable in /etc/profile by adding the line

PATH="$PATH:<Wireshark installation path here>/bin"

before the 'export PATH' command in the file.

Installing ready-made binaries in Linux

If Wireshark is available as an RPM package for your Linux distribution (and
for the version you have), use the command rpm -ivh <Wireshark package>.rpm;
if you are using apt, use apt-get install <Wireshark package name>.

Packet capture library

You also need the packet capture library, libpcap (Linux), installed in the
system to be able to capture packets. For just analyzing previously saved
capture files, the packet capture library is not needed. For Windows the packet
capture library (WinPcap [WINPCAP]) comes along with the installer and can be
optionally installed. There are ready-made binaries and source packages
available for the packet capture library as well, but there is usually no need
to compile it; use the ready-made binaries instead and install them the same
way as instructed for Wireshark in the previous chapter.

Separate protocol dissectors (plug-in units)


Protocol support can be implemented in Wireshark in two ways. The individual
units that each take care of one protocol in Wireshark are called protocol
dissectors. Dissectors can be built into the Wireshark binary or implemented as
separate plug-in units. Because they are easy to distribute and can be compiled
separately from the main binary, plug-in units are the preferred option for
implementing and distributing new dissectors in NSN.

If you have pre-compiled, binary-form plug-in units available and need to take
them into use, copy them to one of these folders:

/usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins,
$HOME/.wireshark/plugins, or try
<Wireshark installation directory>/lib/wireshark/plugins/<version>/

and they should be recognized automatically by Wireshark. Note that a plug-in
is native code loaded into the Wireshark process and runs with its privileges
(root, if you capture as root), so only install plug-ins from a source you
trust.

You can get a list (with version info) of the plug-in units available from the
Wireshark menu: Help | About Wireshark -> Plugins. See Figure 5.

Figure 5 - Wireshark plugins dialog



Monitoring
Where to monitor?
In short, depending on the SUT and TS, you can monitor on the SUT and/or on the
TS itself. See chapter Capture media support for capture media and chapter
Platform support for platform support. You can also use a separate monitoring
PC, as long as that PC can see the traffic you are interested in.

There are several ways of arranging the environment so that a separate
monitoring PC can be used, and in many cases no separate arrangements are
needed at all. E.g. on a shared Ethernet segment where the monitoring PC is in
the same (sub)network as the SUT whose Ethernet traffic you are interested in,
and you use promiscuous mode (see the capture options dialog, Figure 8) on your
NIC, you should be able to see the traffic of the SUT with Wireshark.

You can put a HUB in the system to connect a separate monitoring PC to the
existing network. A HUB is a 'dumb' box that blindly forwards all the traffic
from any of its ports to all the other ports. See Figure 6 for a few examples
of how to use a HUB, TS or SUT for monitoring.

Figure 6 - Wireshark placement

Switches in the network are a bit more problematic. A switch does not blindly
repeat the traffic of one port to all other ports; it forwards each frame only
to the port where the receiver is located, so a monitoring PC on another port
sees only broadcast traffic and traffic addressed to itself. However, with
certain switches you can mirror (terms: "port mirroring" or "port spanning";
check also the Wireshark wiki!) the wanted traffic of some port to another
port, where you can plug your monitoring PC.

Note! Some HUBs are actually not traditional HUBs but behave more like
switches: once they have learned which port a destination belongs to, frames
may no longer be forwarded to the other ports.

In any case, contact your local laboratory staff for more details and support.

Wireshark preferences and parameterization of dissectors


Some protocol dissectors in Wireshark offer a way of giving parameters to the
decoding and changing the default behavior. Select from the menu: Edit |
Preferences -> Protocols. E.g. for the TCP protocol you might want to check
'Allow subdissector to reassemble TCP streams', so that subdissectors that
implement the feature can reassemble messages spanning several segments when
needed. And e.g. for the GTP protocol you can set the various port numbers
according to your environment, see Figure 7. From the preferences dialog you
can also set the general preferences of Wireshark (use the vertical scrollbar
-> go up).

Figure 7 - Wireshark preferences dialog



Starting monitoring
In this chapter we use telnet as an example of how to start monitoring data.

Select Capture | Options from the menu. The capture options dialog appears (see
Figure 8 below). From the Interface drop-down menu you can select which
interface you want to monitor. For telnet we need to monitor the Ethernet card,
in this case 'eth0'. Note that in Linux you need to be root (or otherwise have
capture privileges) to see the interface in the menu. Running the whole
Wireshark GUI as root is not recommended, since every dissector then parses
untrusted input with root privileges; on recent Linux systems you can instead
give the dumpcap capture helper the CAP_NET_RAW and CAP_NET_ADMIN capabilities
and run Wireshark as a normal user, see the Wireshark wiki page
CaptureSetup/CapturePrivileges.

Next we define whether we want to monitor in promiscuous mode or not. In this
case we don't, so 'Capture packets in promiscuous mode' is not selected. If the
interface is monitored in promiscuous mode, all the traffic the network card
sees is captured, not only the traffic sent to or from the monitoring PC. Make
sure the other options are as seen in Figure 8.

Next we have defined a capture filter, 'port 23', which results in only the
data on port 23 (the telnet port) being captured; everything on other ports is
ignored. Pressing 'Start' starts the capture. Capture filters are handled more
deeply later on, in chapter Capture filters.

There are several options in the capture dialog; the rest are not explained
here, since they should be pretty self-explanatory and, with a little
reasoning, people who know the basics of protocol monitoring should know what
to do with them.

Figure 8 - Wireshark capture options dialogue



(TIP: Performance-wise it is good to uncheck 'Update list of packets in real
time', 'Automatic scrolling in live capture' and 'Enable network name
resolution'. Name resolution also makes the capturing host send DNS queries for
every address it sees, which both slows the capture down and announces the
monitoring activity on the network.)

After pressing 'Start' a capture dialog, Figure 9, appears. In this case we
have done a successful telnet login from the monitoring PC, which results in
69 TCP packets being captured. This can be seen in the figure below.

Figure 9 - Wireshark capture packets dialog

Pressing 'Stop' stops the capture, the capture dialog disappears and the
captured packets' info is filled into the Wireshark main window, Figure 10
(unless you have checked 'Update list of packets in real time', in which case
the main window is filled in real time as the data is captured). In the figure,
the user has selected packet number 20 for closer study. The packet's details
are seen in the middle pane, and there only the telnet protocol of the protocol
tree is expanded (the minus sign on the left) and selected. The corresponding
hexadecimal raw data is highlighted in the data pane below the details pane. In
the example, the telnet server has sent the prompt 'Login:' to the user's
telnet program. Telnet carries the whole session, including the password, in
clear text; that is what makes it a convenient demonstration protocol, and also
why a capture file like this must be handled as sensitive data.

Figure 10 - Wireshark telnet data captured



Capture filters
General
Capture filters are used to capture only the relevant data, i.e. to filter out
all unnecessary data during the capture. E.g. capturing only the data to and
from port 23 lets the user see and capture the packets exchanged during a
telnet session, and nothing else. Using a capture filter eases the analysis of
the trace, is good performance-wise and also keeps the produced capture file
small.

Filter expressions
Wireshark capture filters are the same as in tcpdump, since both use libpcap
for packet capturing (WinPcap on Windows). A good quick source of help on the
filter syntax in *nix is the tcpdump man page: man tcpdump (on newer systems
the syntax has its own page, man pcap-filter).

Capture filters are evaluated by libpcap against the raw packet bytes, so they
know the link, IP and TCP/UDP headers but nothing about the protocols above
them. Application-layer content can still be matched, but only by byte offset
(see Byte offset notation); e.g. the common idiom
tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420 tests the first four bytes of the TCP
payload for the ASCII string 'GET '.

The comparison operators are: >, <, >=, <=, = and !=. Negation is written with
! or not.

You can define filters with source & destination port, network or IP address
and protocol name as parameters. Here are a few examples:

Capture all packets going to or coming from port 5000: port 5000

Capture all packets coming from port 5000: src port 5000

Capture all packets going to host 172.22.50.10: dst host 172.22.50.10

You can combine filter expressions with && or and (conjunction: both conditions
must hold) and with || or or (alternation: either condition may hold). An
example using conjunction and negation:

Capture all packets coming from or going to 172.22.50.10 whose source or
destination port is something other than 80: host 172.22.50.10 && not port 80

A protocol name can also be used as an expression; e.g. capture all UDP packets
going to or coming from the network 10.8.150.0/24:

net 10.8.150.0/24 && udp

(A net given as a dotted quad without a mask, e.g. net 10.8.150.20, matches
just that one address; a dotted triple such as net 10.8.150 matches
10.8.150.0/24.)

Byte offset notation


You can also filter according to a rule that triggers on some byte at a given
offset in the packet. E.g. the expression ip[8] = 1 captures all IP packets
(for the IP header structure, see the table below) where the IP 'Time To Live'
field is set to 1: it is the 9th byte from the start of the IP header, the
first byte having index 0.

IP header structure (byte offsets from the start of the IP header):

  Offset  Field
  0       Version (4 bits) + IHL, header length in 32-bit words (4 bits)
  1       Type of service
  2-3     Total length
  4-5     Identification
  6-7     Flags (3 bits) + Fragment offset (13 bits)
  8       Time to live
  9       Protocol (e.g. 6 = TCP, 17 = UDP)
  10-11   Header checksum
  12-15   Source address
  16-19   Destination address
  20-     Options + padding (only if IHL > 5), followed by the data

The expression tcp[13] & 0x02 captures all TCP packets (for the TCP header
structure, see the table below) where the SYN flag is set (bit value 1);
libpcap treats a non-zero result as a match, the explicit form is
tcp[13] & 0x02 != 0. This works by bit-masking the 14th byte of the TCP header
(here an arbitrary illustrative value, 0x53) with the bit mask 0x02:

  14th byte, 0x53 : 0101 0011
  Bit mask, 0x02  : 0000 0010
  AND result      : 0000 0010  -> non-zero, SYN is set

Newer libpcap versions also accept the named constants
tcp[tcpflags] & tcp-syn != 0 for the same test.

TCP header structure (byte offsets from the start of the TCP header):

  Offset  Field
  0-1     Source port
  2-3     Destination port
  4-7     Sequence number
  8-11    Acknowledgement number
  12      Data offset, header length in 32-bit words (4 bits) + reserved (4 bits)
  13      Reserved (2 bits) + flags URG ACK PSH RST SYN FIN
          (bit values 0x20 0x10 0x08 0x04 0x02 0x01)
  14-15   Window
  16-17   Checksum
  18-19   Urgent pointer
  20-     Options + padding (only if data offset > 5), followed by the data

You can also use the byte offset notation like this: tcp[0:2], meaning the two
bytes from the start of the TCP header (the source port) are used for
filtering, e.g. tcp[0:2] = 23.

The syntax is proto[offset in bytes from the start of the header:number of
bytes to check]; the number of bytes may be 1, 2 or 4 and defaults to 1 when
omitted.
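The byte offset tests above, and the port/host/net primitives from the previous section, are easiest to trust once you have seen them applied to raw bytes. The following Python script is an added example for this self study, not code from the original document, from Wireshark or from libpcap: it builds a few Ethernet/IPv4/TCP/UDP frames with constructed addresses, ports and payloads, evaluates the same filter expressions the way libpcap counts offsets (ip[] from the start of the IP header, tcp[] from the transport header located via IHL), and serialises the frames as a classic pcap file. Running it writes selfstudy_demo.pcap, which you can open in Wireshark or check with tshark -r selfstudy_demo.pcap -R 'tcp.flags.syn == 1' and compare with the script's own verdicts.

```python
"""Added example (not from the original self-study): evaluates the libpcap
capture-filter tests used in this chapter (port, host, net, udp, ip[8] = 1,
tcp[13] & 0x02, tcp[0:2]) against hand-built Ethernet/IPv4 frames and
serialises them as a pcap file that Wireshark or tshark can open.
All addresses, ports and payloads below are constructed for the demo."""
import socket
import struct

ETH_LEN = 14                      # Ethernet II header length
PROTO_TCP, PROTO_UDP = 6, 17

def ip_checksum(header):
    """RFC 1071 one's-complement checksum of an (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, dst, sport, dport, flags=0, ttl=64, proto=PROTO_TCP, payload=b""):
    """Ethernet II + IPv4 (no options) + TCP (no options) or UDP."""
    if proto == PROTO_TCP:  # ports, seq, ack, data offset 5 words, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    else:                   # ports, length, checksum (left 0)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, ttl,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + l4

def ip_bytes(frame, off, n=1):
    """ip[off:n] - relative to the start of the IPv4 header."""
    return frame[ETH_LEN + off:ETH_LEN + off + n]

def l4_bytes(frame, off, n=1):
    """tcp[off:n] / udp[off:n] - relative to the transport header, whose start
    depends on IHL (ip[0] & 0x0f); libpcap adjusts for IP options the same way."""
    start = ETH_LEN + (ip_bytes(frame, 0)[0] & 0x0F) * 4
    return frame[start + off:start + off + n]

def ip_proto(frame):
    return ip_bytes(frame, 9)[0]                         # ip[9]

def host(frame, ip):
    return socket.inet_aton(ip) in (ip_bytes(frame, 12, 4), ip_bytes(frame, 16, 4))

def net(frame, network, prefix):
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    want = int.from_bytes(socket.inet_aton(network), "big") & mask
    return any(int.from_bytes(ip_bytes(frame, o, 4), "big") & mask == want for o in (12, 16))

def port(frame, p):
    """'port p': TCP or UDP, source or destination port."""
    if ip_proto(frame) not in (PROTO_TCP, PROTO_UDP):
        return False
    return p in struct.unpack("!HH", l4_bytes(frame, 0, 4))

def tcp_syn_set(frame):                                  # tcp[13] & 0x02 != 0
    return ip_proto(frame) == PROTO_TCP and bool(l4_bytes(frame, 13)[0] & 0x02)

def tcp_src_port(frame):                                 # tcp[0:2]
    if ip_proto(frame) != PROTO_TCP:
        return None
    return int.from_bytes(l4_bytes(frame, 0, 2), "big")

# Constructed traffic: a telnet handshake, a TTL-1 HTTP request, a UDP DNS query.
FRAMES = [
    build_frame("10.8.150.100", "172.22.50.10", 51000, 23, flags=0x02),           # SYN
    build_frame("172.22.50.10", "10.8.150.100", 23, 51000, flags=0x12),           # SYN/ACK
    build_frame("10.8.150.100", "172.22.50.10", 51000, 80, flags=0x18, ttl=1,
                payload=b"GET / HTTP/1.0\r\n\r\n"),                               # PSH/ACK
    build_frame("10.8.150.100", "10.8.150.1", 5000, 53, proto=PROTO_UDP, payload=b"dns?"),
]

def matching(predicate, frames=FRAMES):
    """Indices of the frames a capture filter with this predicate lets through."""
    return [i for i, f in enumerate(frames) if predicate(f)]

def demo():
    return {
        "port 23": matching(lambda f: port(f, 23)),
        "host 172.22.50.10 && not port 80":
            matching(lambda f: host(f, "172.22.50.10") and not port(f, 80)),
        "net 10.8.150.0/24 && udp":
            matching(lambda f: net(f, "10.8.150.0", 24) and ip_proto(f) == PROTO_UDP),
        "ip[8] = 1": matching(lambda f: ip_bytes(f, 8)[0] == 1),
        "tcp[13] & 0x02 != 0": matching(tcp_syn_set),
        "tcp[0:2] = 23": matching(lambda f: tcp_src_port(f) == 23),
    }

def pcap_bytes(frames):
    """Classic pcap: 24-byte global header (magic 0xa1b2c3d4, link type 1 =
    Ethernet), then a 16-byte record header per frame; timestamps start at
    20 May 2008 00:00 UTC, the date of this document."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1211241600 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print("\n".join("%-34s -> frames %s" % kv for kv in demo().items()))
    open("selfstudy_demo.pcap", "wb").write(pcap_bytes(FRAMES))   # tshark -r selfstudy_demo.pcap
```

Each predicate mirrors one capture filter primitive, and matching() returns the indices of the frames such a filter would let through, so you can append your own constructed packets to FRAMES and see which expressions select them. Two details of real libpcap are not modelled: it refuses to apply tcp[] tests to IP fragments other than the first, and it also checks that the frame is IPv4 at all before looking at ip[] offsets.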

Defining capture filters via GUI


You can define capture filters and save them with the name you want for later
use. Select from menu: Capture | Capture filters or press the Wireshark capture
filter button Figure 11 in the toolbar.

Figure 11 - Wireshark capture filter button

A capture filter dialog opens, see Figure 12 (in the picture there is already the
filter which will be created).

Press the ‘New’ button to create a new capture filter. A new line appears in the
Filter pane with the name ‘new’. Edit the name in the ‘Filter name:’ text box to ‘HTTP in
ta-linux’ and edit the ‘Filter string’ text box to ‘host 10.8.150.100 && port 8080’
(replace the IP with your PC’s IP, which can be obtained with the command ‘ifconfig’
in Linux or with the command ‘ipconfig’ in the Windows command prompt; the port in your
case might also be 80). Now you have one capture filter of your own and the situation
should be as seen in Figure 12.

Figure 12 - Wireshark capture filter dialog


Later on you can use the saved capture filter when starting a new capture. See
Figure 8, you can either define the capture filter manually to the text box or via the
‘Capture filter’ button, which provides you the capture filter dialog seen in Figure
12.

Defining capture filters with tshark

For tshark the capture filters are defined with command line switch ‘-f’. E.g.
monitoring HTTP protocol data going to/coming from ta-linux PC:

tshark -i eth0 -f 'host ta-linux && port 80'

If you like, you can now do the exercises in chapter Capture filters or do them in
the end after going through all the theory in this paper.

Analysis
Wireshark provides a few mechanisms which ease the analysis phase. In this
chapter the display filters and coloring rules are explained.

Display filters
General
Display filters (also referred to as read filters in tshark) are used to filter the viewed
data once the data has been captured. Display filters offer a much richer
filtering mechanism than capture filters: they give the user a huge selection of
filter fields, based on the decoded content of the protocol in question, and the set
of fields always depends on that protocol. The price is that everything is still
captured and dissected first, so a display filter does not reduce the capture size or
the load on the capturing machine the way a capture filter does. For a list of all
available display filter fields, select from the menu: Help | Supported protocols ->
Display Filter fields. The dialog that opens can be seen in Figure 13.

Figure 13 - Wireshark display filters dialog



Defining display filters manually


The simplest display filter is just a protocol name. E.g. by typing ‘udp’ in the
display filter text box, only the packets which have the UDP protocol somewhere
in their protocol tree are shown in Wireshark. If the expression entered in the
display filter text box is a valid display filter, the background of the text
box turns green; if it is not valid, it turns red.

The valid comparison operators can be seen in Figure 18 and they should be self-
explanatory.

See Figure 14 for an example screenshot of the above case. In the picture, two
DNS queries have been captured, and only those packets are shown in
Wireshark, since the other captured packets did not contain the UDP protocol.

Figure 14 - Wireshark with UDP display filter

Defining display filters via GUI

Since one protocol can have tens of display filter fields (referring to data fields in
the protocol), one can’t remember how to type them all without notes or further study
of the protocol structure and fields. For this Wireshark offers a GUI with which you
can easily construct display filter expressions with a few mouse clicks and save them,
under a name you choose, for later use.

Select Analyze | Display filters from the menu, or press the display filter button
(Figure 15) or the other display filter button (Figure 16) to the right of the display
filter text box in the tool bar, to define new display filters.

Figure 15 – Wireshark display filter button

Figure 16 - Wireshark display filter button (another)

The display filter dialog in Figure 17 appears. In the picture there is a filter named
‘src_port - 10k-30k’. It is selected and its content is shown in the ‘Filter string’
text box below. The filter shows only packets which have the TCP protocol in them and
whose TCP port is in the range 10001-29999. Again, when the filter expression is valid,
the background of the filter string text box is green.

Figure 17 – Wireshark display filter dialog

For creating new display filters, press the ‘New’ button. Then edit a new name for
the filter in the ‘Filter name’ text box; in this example we use the name ‘IP data
from TS’. The purpose of this filter is to show, in the Wireshark main view, only the
IP traffic sourced from TS (whose IP address here would be 10.8.150.100) and to hide
everything else.

Clear the possibly existing filter string text from the ‘Filter string’ text box and
press the ‘Expression’ button to define a filter string.

The dialog in Figure 18 appears. Find the ‘IP’ protocol in the ‘Field name’ box and
select the ‘ip.src’ field under it. Then set the relation in the middle box to ‘==’
(the relations should be self-explanatory and are not handled here in more detail,
except the ‘contains’ relation, which is handled in chapter ‘Contains’ filter) and
enter the value ‘10.8.150.100’. Finally press the ‘OK’ button.

Figure 18 - Wireshark filter expression dialog

Now you should have a predefined display filter named ‘IP data from TS’ and the
syntax should be constructed to string ‘ip.src == 10.8.150.100’. And obviously it
should be in green background.

If you want to use the filter, just press ‘OK’ or ‘Apply’.

For more help on the dialog, press the ‘Help’ button.



Defining read filters in tshark


Tshark (discussed more in chapter Tshark) can also use ‘display filters’; they are
called ‘read filters’ in this context. The command line switch is ‘-R’. E.g. to see
what Diameter protocol data is going on through Ethernet card 0, use the command:

tshark -i eth0 -R 'diameter' -V

For other protocols, replace ‘diameter’ with the name of the protocol of your
interest. (In Wireshark versions from 1.10 on, ‘-Y’ is the switch for this kind of
display filtering and ‘-R’ is reserved for two-pass reads of capture files.)

‘Contains’ filter
The ‘contains’ operator is a display filter operator. It can be used for searching
sequences of bytes or characters within a protocol. Wireshark regards all bytes in the
packet as belonging to the ‘frame’ pseudo-protocol, therefore you can use the ‘frame’
protocol for searching data in the whole packet. E.g. for finding packets which, in
some of their protocol layers, contain the bytes ’00 01 02 03 04’, use the following
display filter:

frame contains 00:01:02:03:04

And for searching text, use quotation marks:

frame contains "Kawasaki"

(Protocol and field names in display filters are written in lower case. ‘contains’ is
case-sensitive: the bytes must appear exactly as written.)

The ‘contains’ operator, seen in Figure 18, is disabled there, since it’s not
applicable to the IP protocol’s source address (ip.src) field. But e.g. for any string
format protocol field, such as ‘diameter.avp.data.string’, it is available. By choosing
a field in the filter expression dialog you’ll see whether the ‘contains’ operator is
disabled or not.

’Matches’ filter
The ‘matches’ operator works the same way as ‘contains’, but its argument is a Perl
compatible regular expression. Regular expressions are not handled in more depth here,
but here is one example to demonstrate the usage: use the matches operator to find the
HTTP protocol packets containing the web browser name ‘Mozilla’:

http matches "Mozilla"

The regular expression is case-sensitive unless you prefix it with (?i), e.g.
http matches "(?i)mozilla".

To use the ‘matches’ operator, Wireshark needs to be compiled with the PCRE library
[PCRE]. Whether or not this is the case for the version available to you (unless you
compile it yourself) can be seen quickly from tshark:

$ tshark -version
TShark 1.0.0

Copyright 1998-2008 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.2.1, with libpcap 0.7.2, with libz 1.1.4, with POSIX
capabilities (Linux), without libpcre, without SMI, without ADNS, without Lua,
without GnuTLS, without Gcrypt, without Kerberos.

NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.

or from Wireshark menu: Help | About Wireshark.

If you like you can now do the exercises in chapter Display filters or do them in
the end after going through all the theory in this paper.

Coloring rules
Coloring rules are a ‘sort of display filters’ which are used, after the packet capture
has been taken, to color packets in the summary pane to ease the analysis phase.
Coloring rules use display filter expressions.

Defining coloring rules


To define coloring rules, select from menu: View | Coloring Rules or press the
‘Coloring Rules’ Figure 19 button in the tool bar.

Figure 19 – Wireshark Edit coloring rules button

A coloring rules dialog appears, see Figure 20. In the example screenshot, two
coloring rules of the user’s own, named ‘ta-linux incoming data’ and ‘ta-linux outgoing
data’, are defined. The user has pressed the ‘New’ button to create a new coloring rule
and an ‘Edit color filter’ dialog has appeared. In the first text box a name for the
rule is given and in the second the display filter expression used as the rule. The
expression can be built with the ‘Add expression’ button exactly the same way as for a
display filter. Also a foreground color or a background color (see the buttons in the
picture) should be defined to set the colors used for the packets which match the
display filter expression.

Figure 20 - Wireshark coloring rules dialogs

As seen in the picture, coloring rules can be exported and imported via the
‘Import’ and ‘Export’ buttons in the left.

Pressing ‘Apply’ applies all the defined coloring rules to the view in the Wireshark
main window. In the example screenshot, Figure 21, the coloring rules defined above
are in action. From the ta-linux point of view, all incoming packets are colored
violet and all outgoing packets green (the packet in blue is selected with the mouse).
Also a display filter is set to show only HTTP protocol packets. NOTE: to get this
result, the other coloring rules (Wireshark’s default ones) were disabled.

Figure 21 - Wireshark coloring rules in action



Other methods
Besides display filters and coloring rules, Wireshark offers many other features
especially designed for analysis. Their number is quite big and they can’t all be
handled here. As an example, and as one of the best and most commonly used analysis
features, the ‘follow TCP stream’ feature is studied in the next chapter. For the
complete list of analysis methods, study the Wireshark menus ‘Analyze’ and
‘Statistics’. Depending on the capture and the selected packet, the options are either
enabled or disabled.

Follow TCP stream

‘Follow TCP stream’ is probably one of the most used analysis features of Wireshark.
It gives you a filtered view, by generating a display filter, in which you see only
the packets belonging to one TCP stream: the stream of the packet you have selected,
to be precise. It also shows the reassembled payload of the stream in both directions,
which is the quickest way to read e.g. an HTTP exchange the way the applications saw it.

Let’s imagine a simple case: we have an application which uses HTTP for its
communication with the SUT. During testing we have captured the communication against
the SUT with Wireshark, and we look at the ‘IO Graph’ of the capture (Statistics | IO
Graphs). The graph looks like Figure 22 (the picture was captured with an earlier
version of Wireshark):

Figure 22 - Wireshark IO Graphs Dialog

(ps. You can add display filters to the filter boxes of the IO Graph window, so you
can separate e.g. the HTTP part from other types of packets with its own graph, colored
e.g. blue.)

Straight away we see that a lot of data has been exchanged during seconds 20-48
(counted from the beginning of the capture). We know the system has been doing some
periodic replication via HTTP and we are not interested in that data. We just need to
analyze the data sent before and after the replication part, so we need to filter
everything else out.

Here’s how we do it using the ‘follow TCP stream’ feature: first we select one packet
from within seconds 20-48 in the packet list (summary) pane. Then we use ‘follow TCP
stream’ either from the main menu, Analyze | Follow TCP Stream, or by right-clicking the
packet and choosing ‘Follow TCP Stream’.

Wireshark generates a display filter which shows only the packets related to the
replication stream (it is built from the two IP addresses and the two TCP ports of the
connection); everything else is excluded from the view. Next we negate it: we put the
whole expression in parentheses and add the word ‘not’ in front of it, see Figure 23.

Figure 23 - Wireshark automatically generated display filter

Now we have a view, where everything else is shown except the replication part.
We can now save the relevant data into a new capture file from the menu: File |
Save As… and checking the button ‘displayed’ (see Figure 24), so only the
currently displayed packets, not everything, will be saved.

Figure 24 - Wireshark save as -> displayed packets



Tshark
Tshark is the CLI version of Wireshark; it was known as tethereal when the graphical
version was still called Ethereal. All the basic tasks can be done with tshark as with
Wireshark, and it can (or must) be used when no graphical environment is available.

Tshark is an excellent tool when automated tests come into question. It can easily be
included in your test script runs to automatically produce monitoring files, which can
later be analyzed, also automatically, with other scripts.

Here is the list of the most often used command line switches of tshark:

-i   Interface to capture on, e.g. eth0, atm0 or lo.

-f   Capture filter; uses the same syntax as tcpdump. More efficient than a
     read filter, but with poorer filtering capabilities.

-R   Read filter; uses the richer display filter mechanism but is not as
     efficient as a capture filter, since the data is filtered after it has
     already been captured.

-r   Read packets from a capture file (raw binary data).

-w   Write captured packets to a file (raw binary data).

-V   Show packet details in verbose mode (all protocol layers decoded into
     human-readable form).

-x   Show packet data as a hex dump.

Here’s an example of capturing, on the loopback interface, the data sourced from or
destined to port 8002 and saving the captured data to a file:

tshark -i lo -f 'port 8002' -w port_8002_data.cap
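
As an added example of the script-driven use described in this chapter (not part of the original self-study or of Wireshark), the following Python script runs tshark with -T fields over a capture file and checks the result: it counts HTTP requests per host and reports requests which did not go through the expected proxy. The tshark switches used (-r, -R, -T fields, -e) and the field names are real; the sample output, the addresses and the ‘expected proxy’ policy are constructed for the example so that the analysis part runs without tshark or a capture file.

```python
import subprocess

# Added example (not from the self-study): post-processing of tshark -T fields output.

FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.dstport",
          "http.request.method", "http.host"]


def tshark_command(capture_file, read_filter="http.request"):
    """Argument list (for subprocess) that prints one tab-separated line per request."""
    cmd = ["tshark", "-r", capture_file, "-R", read_filter, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn tshark -T fields output into dicts keyed by field name. Fields absent
    from a packet are printed as empty strings; numeric ones are converted."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        row["frame.number"] = int(row["frame.number"])
        row["tcp.dstport"] = int(row["tcp.dstport"]) if row["tcp.dstport"] else None
        rows.append(row)
    return rows


def requests_per_host(rows):
    counts = {}
    for r in rows:
        counts[r["http.host"]] = counts.get(r["http.host"], 0) + 1
    return counts


def requests_bypassing_proxy(rows, proxy_ip, proxy_port):
    """Frame numbers of HTTP requests not sent to the expected proxy: in a locked-down
    test network these are misconfigured clients or something talking out directly."""
    return [r["frame.number"] for r in rows
            if (r["ip.dst"], r["tcp.dstport"]) != (proxy_ip, proxy_port)]


# Constructed sample of what 'tshark -r ... -T fields' prints (tab separated, one line
# per frame); the addresses follow this document's examples, the traffic is invented.
SAMPLE_OUTPUT = "\n".join([
    "1\t10.8.150.100\t172.22.232.15\t8080\tGET\twww.linux.com",
    "4\t10.8.150.100\t172.22.232.15\t8080\tGET\twww.linux.com",
    "9\t10.8.150.100\t10.8.150.199\t80\tPOST\tintranet.example",
    "12\t10.8.150.100\t198.51.100.7\t8080\tCONNECT\tupdates.example:443",
])


def analyse(text, proxy_ip="172.22.232.15", proxy_port=8080):
    rows = parse_fields_output(text)
    return requests_per_host(rows), requests_bypassing_proxy(rows, proxy_ip, proxy_port)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real run: tshark must be installed and the file readable
        text = subprocess.run(tshark_command(sys.argv[1]), check=True,
                              capture_output=True, text=True).stdout
    else:                   # no file given: run the analysis on the constructed sample
        text = SAMPLE_OUTPUT
    hosts, bypass = analyse(text)
    print("requests per host:", hosts)
    print("frames not going through the proxy:", bypass)
```

Run it as ‘python3 check_http.py capture.cap’ to analyze a real file; the -R read filter keeps tshark from printing one empty line per non-HTTP frame, which matters for large captures.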

If you like, you can now do the exercises in chapter tshark or do them in the end
after going through all the theory in this paper.

Other tools
This chapter lists and shortly describes few other tools coming along with
Wireshark package or otherwise related to Wireshark monitoring.

TCPDUMP
A well-known network analyzer which uses the same mechanism, the libpcap packet
capture library, for capturing the data, and hence automatically produces capture
files Wireshark can read. Usage is largely the same as with tshark, except that you
usually have to set the snapshot length explicitly: older tcpdump versions capture
only the first 68 or 96 bytes of each packet by default, which truncates the payload,
so use ‘-s 0’ to capture whole packets. The command line switches are pretty much the
same in both.

Here’s an example of monitoring HTTP protocol traffic (on port 80) with tcpdump and
saving the captured data to a file called ‘http_capture.cap’:

$ tcpdump -i eth0 -s 0 'tcp port 80' -w http_capture.cap

Editcap
Editcap can be used to select or remove packets from a capture file and/or to
convert the capture file to another capture file format.

Here’s an example of using editcap to take all packets, except packets 30-100, from
the file ‘all_http_packets.cap’ and save them to a new file:

$ editcap -v all_http_packets.cap http_without_30_to_100.cap 30-100

So by default a packet range given on the command line is an exclusion list: those
packets are dropped. With the command switch ‘-r’ the operation is reversed, and

$ editcap -r all_http_packets.cap http_packets_30_to_100.cap 30-100

writes only packets 30-100 to the destination file. (‘-v’ only makes editcap report
what it does.)

See ‘editcap -h’ for more details on using the tool.



Mergecap
Mergecap can be used to combine capture files into a single file. Mergecap can
read all the same types of files as Wireshark can, and can also write the outcome
in several other file formats than the default one, libpcap.

Here’s an example of combining two files into one, with all the packets in
chronological order based on their timestamps (‘-a’ would ignore the timestamps
and just concatenate the files one after the other):

$ mergecap -w outfile.cap infile1.cap infile2.cap

See ‘mergecap –h’ for more details on using the tool.

Text2pcap
Text2pcap can be used for generating libpcap capture files from text files containing
hexadecimal dumps. E.g. it can read a text file (produced e.g. with HIT from some
network element service terminal extension) holding several packets of application
layer data and turn this data into a binary capture file. Text2pcap can generate dummy
Ethernet, IP and TCP/UDP layers in the libpcap file if they are not in the source text
file already (see its ‘-e’, ‘-i’, ‘-u’ and ‘-T’ options).

Text2pcap reads hex dumps in the format of the ‘od’ unix command; with od you can
generate a text2pcap compatible file from any other file or from standard input. (The
format can be produced by other means too, e.g. HIT scripts.) The od invocation to use
is ‘od -A x -t x1 -v’: ‘-A x’ prints the offsets in hexadecimal (od’s default is octal,
which text2pcap does not expect unless told so with ‘-o oct’), ‘-t x1’ prints one
hexadecimal byte per column and ‘-v’ stops od from collapsing repeated lines into ‘*’.
An offset of 0 starts a new packet. The format looks like this:

0000  00 05 5d ee 7e 53 08 00 20 cf 5b 39 08 00 45 00  ..].S.. .[9..E.
0010  00 9a 13 9e 40 00 3c 06 e0 70 c0 a8 64 7a c0 a8  ....@.<..p..dz.
0020  64 84 00 17 05 49 0e a9 91 43 8e d8 e3 6a 50 18  d....I...C...jP.
0030  c1 e8 ba 7b 00 00 4c 61 73 74 20 6c 6f 67 69 6e  ...{..Last login
aso…

or

000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
aso…

The simplest usage example, converting a text file containing either of the above
kinds of hexadecimal packet data into a new libpcap format capture file:

$ text2pcap hex_text_file.txt outputfile.cap

See ‘text2pcap –h’ for more details on using the tool.
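
As an added example (not part of the self-study or of Wireshark), the Python below produces a hex dump in exactly the ‘od -A x -t x1 -v’ form text2pcap expects, reads such dumps back into packets the way text2pcap does (offset 0 starts a new packet, anything after the bytes is ignored), and writes a libpcap file directly, which is handy when the packet bytes already live in a script. The frame is constructed for the example (addresses from this document’s exercises); its IP checksum was computed by hand for those bytes.

```python
import struct

# Added example (not from the self-study): the two file formats this section deals with,
# the od-style text that text2pcap reads and the libpcap file it writes.

# Constructed frame: Ethernet + IPv4 + UDP, 10.8.150.100:1299 -> 10.8.150.199:1299,
# payload "A". IP header checksum 0x3994 was computed by hand for these header bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"        # Ethernet dst, src, type IPv4
    "4500001d" "00010000" "4011" "3994"          # IPv4: IHL 5, length 29, TTL 64, proto UDP
    "0a089664" "0a0896c7"                        # 10.8.150.100 -> 10.8.150.199
    "0513" "0513" "0009" "0000"                  # UDP ports 1299 -> 1299, length 9, no checksum
    "41")                                        # payload


def od_hex_dump(data, width=16):
    """Text in the form 'od -A x -t x1 -v' prints: a hex offset, one byte per column,
    and a final line holding only the end offset."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
    lines.append("%06x" % len(data))
    return "\n".join(lines) + "\n"


def parse_hex_dump(text):
    """Read dumps of the above form back into packets the way text2pcap does: every
    line starts with an offset, an offset of 0 starts a new packet, and the first
    token that is not a two-digit hex byte (od's ASCII column, a comment) ends the
    bytes of that line. The ASCII-column check is a heuristic, as in text2pcap."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in tokens[1:]:
            if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def pcap_file(packets, linktype=1, snaplen=65535):
    """libpcap file: 24-byte global header (magic, version 2.4, zone, sigfigs,
    snaplen, link type; 1 = Ethernet), then a 16-byte record header per packet.
    Timestamps are one second apart, starting at 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    text = od_hex_dump(SAMPLE_FRAME)
    print(text)
    with open("frame.txt", "w") as f:        # input for: text2pcap frame.txt frame.cap
        f.write(text)
    with open("frame.cap", "wb") as f:       # or write the libpcap file directly
        f.write(pcap_file(parse_hex_dump(text)))
```

Open frame.cap in Wireshark to check the result; because the frame carries its own Ethernet and IP layers, no -e/-i/-u options are needed when going through text2pcap.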

Did you do the exercises?


This ends the theory part of the paper. If you did not do the exercises earlier, go
to chapter Exercises now. And if you did, still do at least the exercises in chapter
General; there was no link to those exercises earlier in this material.

For help on the exercises, there are links back to the theory part. You can also
use information which you can find through sources defined in next chapter,
Getting help & more information.

Getting help & more information


In the end, this self-study only scratches the surface of what you probably need to
know of Wireshark. The rest depends on how well you find the necessary information on
the web and can work out, by yourself or with the help of others, how to use Wireshark
for your specific needs. This chapter lists sources of more information on Wireshark
usage and on the protocols in general.

NSN Wireshark intranet page

Wireshark (.org) home page

Wireshark (.org) wiki

Wireshark official mailing lists (NOTE: see instruction here first)

Wireshark intranet mailing list & support

TCPDUMP home page

Designing capture filters

Wireshark documentation

Wireshark training materials

Information about protocols at protocols.com

3GPP protocols

Google!!

Exercises
TIP. For getting HTTP and IP protocol data, needed in these exercises, do this:

<define possible capture filters> --> Start monitoring -> browse to www.linux.com
with your web browser --> stop monitoring --> <define possible display filters> -->
Save the capture file to disk, you can use the same file afterwards.

General
Answers to practices in this chapter can be found in chapter General.

1. Solve, by monitoring, which number in the IP protocol’s ‘protocol’ field defines
that the next layer protocol the IP packet is carrying is TCP.

2. Find out what destination port is your web browser using.

3. Can the media descriptor of the MEGACO command be used as a display filter for
the MEGACO protocol?

4. Can you use Wireshark in test automation to automatically monitor data and
analyze it with separate python/perl/HIT scripts?

5. Can you monitor DHCP version 6 with Wireshark?

6. Why don’t I see any interfaces in the capture dialog drop down menu in
Linux?

7. What is libpcap?

8. Can I disable some protocols in Wireshark, e.g. to avoid security issues found in
those dissectors?

Capture filters
Answers to exercises in this chapter can be found in chapter Capture filters.

Theory for these exercises is in chapter Capture filters.

1. Define a capture filter in Wireshark, which captures only (HTTP protocol) data
using port 8080.

2. Define a capture filter with byte offset notation (Byte offset notation), which
captures all IP packets whose ‘time to live’ field is greater than 63 and smaller
than 120.

3. Define a capture filter, which captures all packets which destination port is
8080 (HTTP) and which destination is 172.22.232.15.

Note: unless you are using 172.22.232.15 as your HTTP proxy (can be set manually
in the browser), this may not be verifiable in practice by monitoring; in that case
modify the IP according to your settings.

4. Define a capture filter which captures only ICMP protocol packets going to
www.connecting.nokia.com. Generate the traffic with a command ‘ping
www.connecting.nokia.com’

Save the trace with the name ‘ping_a_domain.cap’. Note that for later analysis of
the file you should change its owner and group to your own username and group:
chown <your user name>:<your group> ping_a_domain.cap. You don’t need to be root
for the analysis phase.

5. Use byte offset notation (Byte offset notation) to capture only packets, which
are destined to port 8080.

6. Use byte offset notation to capture only packets which IP header length (IHL
field) is 5.

Info: Internet header length is the length of the Internet header in 32-bit
words. It points to the beginning of the data. The minimum value for a correct
header is 5.

7. Define a capture filter, which captures data from UDP port 1299 but same
time excludes the data if its sourced from 10.8.150.199.

Display filters
Answers to practices in this chapter can be found in chapter Display filters.

Theory for these exercises is in chapter Display filters.

1. Define a display filter, which shows only packets containing HTTP protocol in
them.

2. Filter the view so that you see only http protocol packets (data for www-
browser), which tells the web-browser version used is ‘Mozilla’ (or use the text
for your browser of choice).

TIP: The text ‘Mozilla’ can be seen in plain text in the HTTP protocol.

3. Do the previous exercise, but use hexadecimal values instead of text ‘Mozilla’
for finding the packets containing string ‘Mozilla’.

4. Define a display filter, which shows only packets where diameter protocol is
present in the packet and it’s field ‘avp.data.v4addr’ equals to IP address
10.10.10.10.

5. Define a display filter which shows only HTTP packets, which have request
method ‘GET’ in them (a www page is asked, there is a string “GET” in the
packet)

6. Define a display filter, which shows the first 15 frames and excludes the rest.

7. Define a display filter, which shows packets, which TCP packet length is
between 200 and 500.

8. Define a display filter, which shows all the packets, which have a TCP option
flag ‘push’ set.

tshark
Answers to practices in this chapter can be found in chapter tshark.

Theory for these exercises is in chapter Tshark.

These exercises have capture & read filter issues as well as general tshark usage
issues.

1. Define a capture filter with tshark, which captures only HTTP protocol data
from ports 80 and 8080.

2. Filter the loopback interface (interface name lo) and only the ICMP protocol.
Generate data with the command ping localhost. View only one line per captured
packet.

3. Do the same as in exercise 2 above, but show all the protocol details as well
as a hex dump of the packet.

4. Do the same as in exercise 2 above, but save the trace to a file called
ping_localhost.cap. Then read the capture from the file with all the protocol
details shown.

5. Define a command which shows in real time only the checksums (the string is
“Checksum”) of the IP protocol when monitoring the ping command to localhost (as
done in exercise 2). (*nix only).

6. Use a read filter to show only the UDP packets from the capture file
ping_localhost.cap. How many were there?

7. Define a read filter, which shows - from the file ping_localhost.cap – only the
packets, which “icmp type” field has a value ‘8’.

Answers to practices
General
These are the answer to questions in chapter General.

1. Solve, by monitoring, which number in the IP protocol’s ‘protocol’ field defines
that the next layer protocol the IP packet is carrying is TCP.

Answer: monitor any TCP/IP data and look at the IP packet’s ‘protocol’ field (in a
packet where TCP is on top of IP): the field is set to 6 (0x06), which means TCP is
carried as the payload of IP. The matching display filter is ip.proto == 6.

2. Find out what destination port your web browser is using.

Answer: monitor the Ethernet card of your PC (with which you use the browser)
while browsing to e.g. www.linux.com. Stop capturing after the page has been
served. Use the display filter ‘http’ to find all the web browser related packets.
Pick a request packet (one sent from your PC’s address), browse the protocol tree
in the details pane and look at the TCP field ‘Destination port’; in the reply
packets the same number appears as ‘Source port’. It should be 8080 (a Nokia HTTP
proxy server uses this) or possibly in some cases the standard 80.

3. Can the media descriptor of the MEGACO command be used as a display filter for
the MEGACO protocol?

Answer: yes, it can be found in the list in the display filter ‘filter expression’
dialog.

4. Can you use Wireshark in test automation to automatically monitor data and
analyze it with separate Python/Perl/HIT scripts?

Answer: yes you can. Use the command line version, tshark. The output can
be directed to any text file with all the protocol details opened. Text files can
be easily analyzed with any scripting languages.

5. Can you monitor DHCP version 6 with Wireshark?

Answer: yes, see e.g. the display filter reference:


http://www.wireshark.org/docs/dfref/d/dhcpv6.html

6. Why don’t I see any interfaces in the capture dialog drop down menu in
Linux?

Answer: capturing needs privileges. The simplest way in 1.0.0 on Linux is to run
Wireshark as ‘root’, see the user manual for version 1.0.0, chapter 4.2:
http://www.wireshark.org/download/docs/user-guide-us.pdf. Running the whole
dissector code base as root is a risk, though: a dissector bug is triggered by a
crafted packet arriving on the capture interface. The safer setup is to give only
the capture program, dumpcap, the CAP_NET_RAW and CAP_NET_ADMIN capabilities (a
build reporting ‘with POSIX capabilities (Linux)’ in ‘tshark -version’ supports this)
and to run the Wireshark GUI as an ordinary user; see the Wireshark wiki page
CaptureSetup/CapturePrivileges.

7. What is libpcap?

Answer: It’s the packet capture library which Wireshark and TCPDUMP both
use for capturing packets.

8. Can I disable some protocols in Wireshark, e.g. to avoid security issues found in
those dissectors?

Answer: yes, see the menu: Analyze | Enabled protocols. Disabling the dissectors you
don’t need reduces the attack surface, since a dissector bug is exploited by a packet
that merely has to reach the capture interface; keeping Wireshark up to date and
not running it as root (see question 6) matter for the same reason.

Capture filters
These are the answer to question in chapter Capture filters.

1. Define a capture filter in Wireshark, which captures only (HTTP protocol) data
using port 8080.

Answer: tcp port 8080 (‘port 8080’ alone would also capture UDP traffic on that port).

2. Define a capture filter with byte offset notation, which captures all IP packets
which ‘time to live’ field is greater than 63 and smaller than 120.

Answer: ip[8] > 63 and ip[8] < 120

3. Define a capture filter, which captures all packets which destination port is
8080 (http) and which destination is 172.22.232.15.

Answer: dst port 8080 && dst host 172.22.232.15

4. Define a capture filter, which captures only ICMP protocol packets going to
www.connecting.nokia.com. Generate the traffic with a command ‘ping
www.connecting.nokia.com’

Answer: icmp && dst host www.connecting.nokia.com

5. Use byte offset notation to capture only packets, which are destined to port
8080.

Answer: tcp[2:2] == 8080

6. Use byte offset notation to capture only packets which IP header length (IHL
field) is 5

Answer:

IHL bits in the IP header’s 1st byte  : xxxx (the low 4 bits)
1st byte value, here 0x45             : 01000101
Bit mask, 0xF                         : 00001111
AND result                            : 00000101 = 5 = 0x5 --> the header length is
5 x 32-bit words.

--> define the capture filter ip[0] & 0xf == 5 (or, with the offset:length notation,
ip[0:1] & 0xF == 0x5)



7. Define a capture filter, which captures data from UDP port 1299 but same
time excludes the data if its sourced from 10.8.150.199.

Answer: udp port 1299 && not src host 10.8.150.199



Display filters
These are the answers to questions in chapter Display filters.

1. Define a display filter which shows only packets containing HTTP protocol in
them

Answer: Use display filter: http

2. Filter the view so that you see only http protocol packets (data for www-
browser), which tells the web-browser version used is ‘Mozilla’ (or use the text
for your browser of choice).

Answer: use the ‘contains’ operator: http contains "Mozilla". This looks for the
string anywhere in the HTTP layer; http.user_agent contains "Mozilla" is the more
precise form, since it checks only the User-Agent header.

3. Do the same as in previous exercise, but use hexadecimal values for finding
the packets containing string ‘Mozilla’

Answer: Use ‘contains’ operator with the hexadecimal ASCII values of the
string ‘Mozilla’: http contains 4D:6F:7A:69:6C:6C:61

Note the capital ‘M’!

4. Define a display filter, which shows only packets where diameter protocol is
present in the packet and it’s field ‘avp.data.v4addr’ equals to IP address
10.10.10.10

Answer: Build a display filter either manually or via the filter expression GUI:
diameter.avp.data.v4addr == 10.10.10.10

5. Define a display filter which shows only HTTP packets, which have request
method GET in them (a www page is asked, GET is a string in the packet)

Answer: use the contains operator: http contains "GET". Since the text ‘GET’ can also
occur in a header value or a message body, the precise form is
http.request.method == "GET".

6. Define a display filter, which shows the first 15 frames and excludes the rest

Answer: frame.number <= 15

7. Define a display filter, which shows packets whose TCP payload length (tcp.len) is
between 200 and 500.

Answer: tcp.len >199 && tcp.len < 501

8. Define a display filter, which shows all the packets which have the TCP
flag 'push' (PSH) set.

Answer: tcp.flags.push == 1

tshark
These are the answers to the questions in the chapter tshark.

1. Define a capture filter in tshark, which captures only HTTP protocol data from
ports 80 and 8080.

Answer: tshark -i eth0 -f 'tcp port 80 || tcp port 8080'

2. Capture on the loopback interface (interface name lo) and only the ICMP protocol. Generate data
with the command ping localhost. View only one line per captured packet.

Answer: tshark -i lo -f 'icmp'

3. Do the same as in exercise 2 above, but show all the protocol details as well
as a hex dump of the packet.

Answer: tshark -i lo -f 'icmp' -V -x

4. Do the same as in exercise 2 above, but save the trace to a file called
ping_localhost.cap. Then read the capture from the file with all the protocol
details shown.

Answer: tshark -i lo -f 'icmp' -w ping_localhost.cap & tshark -V -r ping_localhost.cap

5. Define a command, which shows in real time on the screen only the checksums
of the IP protocol when monitoring the ping command to localhost (as in
exercise 2). (*nix only)

Answer: tshark -i lo -f 'icmp' -V | grep Checksum

6. Use a read filter to show only the UDP packets from the capture file
ping_localhost.cap. How many were there?

Answer: tshark -R 'udp' -r ping_localhost.cap. No UDP packets should be
found, since only the icmp protocol was monitored earlier.

7. Define a read filter which shows - from the file ping_localhost.cap - only the
packets whose "icmp type" field has the value '8'.

Answer: tshark -r ping_localhost.cap -R 'icmp.type == 8'. The outcome
should show all the 'ping request' packets.
