
Wireshark

Network Packet Analyzer


1. Introduction
Wireshark is an open source network packet analyzer (previously known as Ethereal).
A network packet analyzer captures packets from network interfaces (NICs and other
capture interfaces). Captured packets can be used to troubleshoot network problems
and to analyze network security or the protocols involved.

Features: Available for Windows and most Unix platforms. Can capture live packets
from different types of network, such as Ethernet, ATM and Token Ring. Provides
details such as packet source and destination addresses, interface type and frame
length. Can filter and capture packets according to user requirements, and highlight
specific packets using colouring.

2. Installation
Installing Wireshark on the Windows platform is very straightforward: it is installed
from the installation package (.exe file). However, Wireshark needs a packet capturing
driver installed on the system, such as WinPcap on MS-Windows or libpcap on Unix
platforms. This driver must therefore already be present on the system or be
installed together with Wireshark.

3. Packet Capturing
In general, root/administrator privileges are required to capture packets on a
network. To start packet capturing you need to select a local interface. It is possible
to run multiple Wireshark instances simultaneously to capture from different
interfaces at the same time.

Exercise 1: Capture live packets

1. From the Capture menu select Interfaces. The ‘Capture Interfaces’ dialog box will
display all local interface cards (Fig. 1) from which packets can be captured. Before
starting the capture, let’s have a look at the options.

2. Select Options.

3. From the first drop-down list box, select the interface you want to capture from.

4. Check ‘Capture packets in promiscuous mode’ if you want to capture all packets
seen on the LAN segment (including broadcast traffic). Uncheck it to capture only
packets to and from this specific computer.

5. In the display options dialog box, uncheck the ‘Hide capture info’ checkbox. This
will display summary information on the captured packets.

6. Check all name resolution checkboxes. This will resolve MAC and network
addresses into a more readable format.

7. Click Start to commence packet capturing.

Figure 1: Select capture Interfaces.

Some network activity is required to generate packet transmission over the network
interface. If an internet connection is available, simple web browsing will initiate
TCP and other types of packet transmission, OR a simple PING command to any LAN
computer will transmit some ICMP packets. Transmitted packets will be captured and
displayed in the Wireshark main window (see Fig. 2).

Figure 2: Captured packets are displayed by Wireshark


4. Filtering Packets
You might not want to capture all types of packet; rather, you might be interested in
packets of a specific kind or with a specific destination in order to analyze a network
issue. Packets can be filtered in two ways: while viewing packets and while capturing
packets.

Filtering based on protocol type is simple. For example, to filter and display all ICMP
packets, type icmp in the ‘Filter’ textbox in the Wireshark main window. To withdraw
the filter, click the ‘Clear’ button beside the textbox. To filter packets based on their
field values or on their source or destination address, we need to use comparison
operators. The operators are based on the ‘C’ programming language; however, an
equivalent English-like keyword can be used. The following table describes the
available operators.

Operator  English-like  Description
--------  ------------  ------------------------------------------------------
==        eq            Equal
                        Example: ip.addr==192.186.0.1
!=        ne            Not equequal
                        Example: ip.addr!=192.186.0.1
>         gt            Greater than
                        Example: frame.pkt_len>100
<         lt            Less than
                        Example: frame.pkt_len<10
>=        ge            Greater than or equal
                        Example: frame.pkt_len ge 0x100
                        Here the English-like operator is used, and the field
                        value is written in hexadecimal.
<=        le            Less than or equal
                        Example: frame.pkt_len <=50
                        (frame size is always in bytes)
&&        and           Logical AND
                        Example: tcp.window_size == 0 && tcp.flags.reset != 1
                        A TCP window size of 0 with the reset flag clear means
                        the destination’s TCP buffer is full and it cannot
                        receive any more data.
||        or            Logical OR
                        Example: tcp.port ==25 || icmp
                        Only SMTP packets on port 25 or ICMP packets will be
                        displayed.
^^        xor           Logical XOR
                        Example: ip.src==192.168.0.1 XOR ip.dst==192.168.1.10
!         not           Logical NOT
                        Example: !(ip.addr==192.168.0.3)

Exercise 2: Filter packets while viewing

Filter packets using the expression dialog box (see Fig. 3):

1. Click the Expression button beside the Filter textbox

2. Choose a protocol from ‘field name’

3. Choose a Relation

4. Choose a suitable Value for the protocol

Figure 3: Packet Filter by expression

Also, a specific type of packet can be filtered from the pop-up menu by right-clicking
on a packet.

Click ‘Capture Filters’ from the Capture menu to set up filtering while packets are
being captured. Select a ‘Filter Name’ and enter the logical expression in the ‘filter
string’ textbox. Capture filters are evaluated by the capture driver (WinPcap/libpcap)
before packets reach Wireshark, so a condition that cannot be expressed in the
driver’s filter syntax must be applied as a display filter instead. See some more
filter examples below.

Example 1: Assume we want to capture UDP packets whose payload begins with the
3-byte sequence 0x81, 0x60, 0x03. The filter will be:

udp[8:3]==81:60:03
Here, to reach the UDP payload, we must skip the 8-byte UDP header. The sub-string
operator […] tells Wireshark to skip the first 8 bytes, take the subsequent 3 bytes
(i.e. [8:3]) and compare them with the given value (i.e. 81:60:03).

Example 2: The first 3 bytes of any MAC address are the Organizationally Unique
Identifier (OUI), which identifies the hardware manufacturer. Suppose we want to
capture only packets generated by a Dell machine. Our filter expression will be:

eth.addr[0:3]==00:06:5B

Here, Wireshark will compare the first 3 bytes of all MAC addresses and will capture
the packet if they match the given OUI.

Example 3: The Welchia worm infects a system by sending an ICMP echo request
which is 92 bytes long and whose ICMP payload begins with four 0xAA bytes. To
detect this worm our filter will be:

icmp[icmptype] == icmp-echo AND ip[2:2] == 92 and icmp[8:4] == 0xAAAAAAAA

5. TCP Stream
The captured packets in the Wireshark main window are displayed as a hexadecimal
dump, which is not easy to understand. We can use Wireshark’s built-in converter to
view packet contents.

Exercise 3: TCP Stream

1. Select a Specific TCP packet

2. Select Follow TCP Stream from Analyze menu

3. Select Entire Conversation from the drop down list box.

Note that traffic from the initiating node (i.e. the sending node) is shown in BLUE and
traffic generated by the target node (i.e. the destination node) is shown in RED (see
figure 4).

4. Select any format from ASCII, EBCDIC, Hex Dump, C Arrays and Raw in the lower
right corner.

5. After analysis, click Filter Out This Stream if you want to filter out such packets.

Figure 4: Following a TCP stream

Exercise 4: Using Expert Infos

Expert Infos can be used to quickly identify an error or trace unwanted network
behaviour.

1. Select Expert Info from Analyze menu

2. Choose a Severity Filter to customize your display.

By default Chat packets are displayed in grey; they indicate usual workflow, e.g. a
TCP SYN flag. Note packets are displayed in cyan and indicate an unusual error code
such as an HTTP 404 error. Warn packets are displayed in yellow and indicate an
error such as a connection problem. A packet is presented in red when there is a
serious problem.

All errors and warnings can also be displayed in a composite view. To do this...

3. Select Expert Info Composite from Analyze menu

6. Use of Statistics
Wireshark can generate a wide range of network statistics. It can produce a summary
of the captured file and can display the protocol hierarchy of the captured packets. It
can also display the amount of traffic between two specific IP addresses (called a
conversation). An IO graph can visually display traffic over a certain period of time.

Exercise 5: Statistics

1. Select Summary from the Statistics menu to display summary information such as
average packets/sec, average packet size, total bandwidth used and many others.

2. Select Protocol Hierarchy from the Statistics menu to display all protocols within
a packet in a hierarchical view. The percentage of packets belonging to each protocol
is displayed.

3. Select Conversations from the Statistics menu to analyze traffic between two IP
addresses.

4. To resolve hardware MAC addresses into a readable format, make sure the Name
Resolution checkbox is checked.

5. Click the IPv4 and TCP tabs to analyze conversations between different IP
addresses.

6. To graphically display packet traffic, select IO Graphs from the Statistics menu.

7. Click Filter for Graph 1 and enter a filter string.

8. Repeat for Graph 2 and so on to visually analyze certain types of packet traffic.

7. Customizing Visualisation by Colouring Captured Packets
The default colouring scheme can be changed to better visualise packets as they are
captured. In the next exercise we will set a colouring rule for a worm.

Exercise 6: Colouring Rules

1. Select Coloring Rules from View menu.

2. Click the New button and fill in the text boxes as follows

Name: Blaster Worm

String: dst port 135 AND tcp port 135 AND ip[2:2] == 48

3. Select a distinguishable Background and Foreground Colour for this rule.
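The byte-slice filters in section 4 (Examples 1 to 3) and the Blaster colouring rule above all test fixed offsets inside the frame. The Python below is an added illustration, not part of the original document, that applies the same offset checks to constructed sample frames so the reader can see exactly which bytes each expression compares; the Ethernet/IPv4 layout without IP options, the sample MAC and IP addresses and the payload contents are assumptions.

```python
import struct

# Constructed sample frames, not captured traffic. Layout assumed throughout:
# Ethernet II header (14 bytes), IPv4 header without options (20 bytes), then L4.
ETH_LEN, IP_LEN = 14, 20
DELL_OUI = b"\x00\x06\x5b"   # the OUI quoted in Example 2

def ipv4_frame(src_mac, dst_mac, proto, l4):
    """Wrap an L4 segment in a minimal Ethernet/IPv4 frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2]))
    return dst_mac + src_mac + b"\x08\x00" + ip + l4

def ip_proto(frame):      # IPv4 header byte 9: 1 = ICMP, 6 = TCP, 17 = UDP
    return frame[ETH_LEN + 9]
def ip_total_len(frame):  # ip[2:2] in the filters above: IPv4 total length
    return struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
def l4(frame):            # bytes from the first byte of the UDP/TCP/ICMP header
    return frame[ETH_LEN + IP_LEN:]

def udp_payload_prefix(frame, prefix):  # Example 1: udp[8:3]==81:60:03
    return ip_proto(frame) == 17 and l4(frame)[8:8 + len(prefix)] == prefix

def has_oui(frame, oui):  # Example 2: eth.addr[0:3]==00:06:5B (either address)
    return frame[0:3] == oui or frame[6:9] == oui

def welchia_probe(frame):  # Example 3: echo request, ip[2:2]==92, icmp[8:4]==0xAAAAAAAA
    seg = l4(frame)
    return (ip_proto(frame) == 1 and seg[0] == 8 and ip_total_len(frame) == 92
            and seg[8:12] == b"\xaa\xaa\xaa\xaa")

def blaster_rule(frame):  # Exercise 6: dst port 135 and tcp port 135 and ip[2:2]==48
    seg = l4(frame)
    return (ip_proto(frame) == 6 and struct.unpack("!H", seg[2:4])[0] == 135
            and ip_total_len(frame) == 48)

def sample_udp():      # UDP datagram from a Dell MAC whose payload starts 81 60 03
    udp = struct.pack("!HHHH", 40000, 5004, 8 + 5, 0) + b"\x81\x60\x03\x00\x01"
    return ipv4_frame(DELL_OUI + b"\x11\x22\x33", b"\x00\x1c\x42\x44\x55\x66", 17, udp)

def sample_welchia():  # ICMP echo request: 8-byte header + 64 bytes of 0xAA -> 92 bytes
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\xaa" * 64
    return ipv4_frame(b"\x00\x1c\x42\x44\x55\x66", b"\x00\x1c\x42\x77\x88\x99", 1, icmp)

def sample_blaster():  # TCP SYN to port 135 with 8 bytes of options -> 48-byte IP packet
    tcp = struct.pack("!HHIIBBHHH", 1234, 135, 1, 0, 0x70, 0x02, 8192, 0, 0)
    return ipv4_frame(b"\x00\x1c\x42\x44\x55\x66", b"\x00\x1c\x42\x77\x88\x99", 6,
                      tcp + b"\x02\x04\x05\xb4\x01\x01\x04\x02")
```

Each predicate returns True only for the sample frame built to match it, which makes the role of the IP total length in the Welchia and Blaster rules visible: it is a size fingerprint, not an inspection of the payload beyond the bytes named in the filter.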
