Features: Available for both Windows and most Unix platforms. Has the
ability to capture live packets from different types of networks such as Ethernet, ATM,
Token Ring etc. Can provide details such as packet source and destination addresses,
interface type, frame lengths etc. It is able to filter and capture packets according to
user requirements as well as visualise specific packets using colouring.
2. Installation
Installing Wireshark on the Windows platform is straightforward. It can be
installed from the installation package (.exe file). However, Wireshark needs a
packet capturing driver installed on the system, such as WinPcap for the MS-Windows
platform or libpcap for Unix platforms. Thus, they must be present on the system or
have to be installed together with Wireshark.
3. Packet Capturing
In general, root/administrator privileges are required to capture packets on a
network. To start packet capturing you need to select a local interface. It is possible
to run multiple Wireshark instances simultaneously to capture from different interfaces at
the same time.
1. From the Capture menu select Interfaces. The ‘Capture Interfaces’ dialog box will
display all local interface cards (Fig. 1) that can be captured from. Before starting
capture, let’s have a look at the options.
2. Select Options.
3. Select the interface you want to capture from in the first drop-down list box.
6. Check all name resolution checkboxes. This will resolve MAC and network
addresses into a more readable format.
Some network activity is required to generate packet transmission over the network
interface. If an internet connection is available, simple internet browsing will initiate TCP
and other types of packet transmission, or a simple PING command to any LAN
computer will transmit some ICMP packets. Transmitted packets will be captured and
displayed in the Wireshark main window (see Fig. 2).
Filtering based on protocol type is simple. For example, to filter and display all ICMP
packets, type ICMP in the ‘Filter’ textbox in the Wireshark main window. To withdraw
the filter click the ‘Clear’ button beside the textbox. We need to use comparison
operators to filter packets based on their field values and source or destination
address. Operators are based on the ‘C’ programming language; however, an equivalent
English form can be used. The following table describes the available operators.
3. Choose a Relation
Also, a specific type of packet can be filtered from the pop-up menu by right-clicking
on a packet.
Click ‘Capture Filters’ from the Capture menu to set up filtering while packets are
captured. Select ‘Filter Name’ and enter a logical expression in the ‘filter string’
textbox. See some more filter examples below.
Example 1: Assume we want to capture UDP packets whose payload's first 3
bytes are the sequence 0x81, 0x60, 0x03. Then, the filter will be:
udp[8:3]==81:60:03
Here, to reach the UDP payload we must skip the 8-byte UDP header. The sub-string
operator […] has been used to tell Wireshark to skip the first 8 bytes and then take the
subsequent 3 bytes (i.e. [8:3]) and compare them with the given value (i.e. 81:60:03).
Example 2: The first 3 bytes of any MAC address are the Organizationally Unique Identifier
(OUI), used to uniquely identify the hardware manufacturer. Suppose we want to capture
packets generated from a Dell machine only. Our filter expression will be:
eth.addr[0:3]==00:06:5B
Here, Wireshark will compare the first 3 bytes of all MAC addresses and will capture the
packet if they match the given OUI.
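As an added illustration (not code from the original tutorial), the Python below mirrors what the slice comparisons in Examples 1 and 2 do: it splits a constructed Ethernet/IPv4/UDP frame into the byte ranges the filter names refer to (eth.addr, udp) and compares the requested slice with the hex value, using Wireshark's display-filter slice form. The sample frame, MAC addresses and IP addresses are constructed for the example.

```python
import struct

def build_sample_frame() -> bytes:
    """Constructed (not captured) Ethernet II / IPv4 / UDP frame. The source MAC
    uses the 00:06:5B OUI from Example 2 and the UDP payload starts with the
    0x81 0x60 0x03 sequence from Example 1."""
    payload = bytes([0x81, 0x60, 0x03]) + b"hello"
    udp = struct.pack("!HHHH", 40000, 5004, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("00065b112233") + b"\x08\x00"
    return eth + ip

def eth_fields(frame: bytes) -> dict:
    """Split a frame into the byte ranges that Wireshark's slice operator
    indexes: eth.dst, eth.src, the IP datagram and the UDP segment."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # ip[2:2] in filter terms
    proto = ip[9]
    return {"eth.dst": dst, "eth.src": src, "ip": ip[:total_len],
            "udp": ip[ihl:total_len] if proto == 17 else b""}

def slice_equals(data: bytes, offset: int, length: int, expected: str) -> bool:
    """Mirror proto[offset:length] == xx:yy:zz: compare `length` bytes at `offset`.
    A packet too short to contain the slice never matches."""
    want = bytes.fromhex(expected.replace(":", ""))
    if len(want) != length or len(data) < offset + length:
        return False
    return data[offset:offset + length] == want

def matches_example1(frame: bytes) -> bool:
    """udp[8:3] == 81:60:03 (first 3 payload bytes after the 8-byte UDP header)."""
    return slice_equals(eth_fields(frame)["udp"], 8, 3, "81:60:03")

def matches_example2(frame: bytes) -> bool:
    """eth.addr[0:3] == 00:06:5B (OUI of either the source or destination MAC)."""
    f = eth_fields(frame)
    return any(slice_equals(f[k], 0, 3, "00:06:5B") for k in ("eth.src", "eth.dst"))
```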
Example 3: The Welchia worm infects a system by sending an ICMP echo request which is
92 bytes long and contains an ICMP payload beginning with four ‘A’ bytes. To detect
this worm our filter will be:
5. TCP Stream
The captured packets in the Wireshark main window are displayed as a hexadecimal
dump, which is not easy to understand. We can use Wireshark's built-in converter
to view packet contents.
Note that traffic from the initiating node (i.e. sending node) is in BLUE and traffic
generated from the target node (i.e. destination node) is in RED (see Figure 4).
4. Select any format from ASCII, EBCDIC, Hex Dump, C Arrays and Raw in the lower
right corner.
5. After analysis click Filter Out This Stream if you want to filter out such packets.
Figure 4: Following a TCP stream
Expert Info can be used to quickly identify an error or trace unwanted network
behaviour.
By default, Chat packets are displayed in grey; they indicate usual workflow, e.g. a TCP
SYN flag. Note packets are displayed in cyan and indicate an unusual error code
such as an HTTP 404 error. Warn packets are displayed in yellow and indicate an error
such as a connection problem. A packet is presented in red when there is a
serious problem.
All Errors and Warnings can also be displayed in a composite view. To do this...
6. Use of Statistics
Wireshark can generate a wide range of network statistics. It can produce a summary of
the captured file and can display the protocol hierarchy of any captured packets. Also, it
can display the amount of traffic between two specific IP addresses (called a conversation).
An IO graph can visually display traffic over a certain period of time.
Exercise 5: Statistics
4. To resolve hardware MAC addresses into a readable format, make sure the Name
Resolution checkbox is checked.
5. Click the IPv4 and TCP tabs to analyze conversations between different IP addresses.
8. Repeat for Graph 2 and so on to visually analyze certain types of packet traffic.
String: dst port 135 AND tcp port 135 AND ip[2:2] == 48