What is Wireshark?
Wireshark is a network protocol analyzer, also known as a network sniffer. Formerly known as Ethereal, Wireshark is a computer application that captures and decodes packets of information from a network. Wireshark can capture live network traffic or read data from a file and translate the data to be presented in a format the user can understand.
Why Wireshark?
Wireshark is a valuable tool for administrators that allows them to monitor all traffic that passes on a network. It is very useful for analyzing, diagnosing and troubleshooting problems that may occur.
Some features of Wireshark:
- Data can be captured from a network connection or read from previous records of captured packets.
- Live data can be read from Ethernet, FDDI, PPP, token ring, IEEE 802.11, classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
- Captured files can be programmatically edited or converted via command line switches to the "editcap" program.
- Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
- Display filters can also be used to selectively highlight and color packet summary information.
- Data display can be refined using a display filter.
- Hundreds of protocols can be dissected.
How to get Wireshark?
The latest copy/version of Wireshark can be found on the official website: http://www.wireshark.org
Each download package comes with the latest pcap library (also known as libpcap) for UNIX operating systems, or WinPcap, a device driver and dynamic link library (DLL) that provides a pcap interface for Windows programs, which is required for live packet capture. If needed, the latest release of WinPcap can be found on: http://www.winpcap.org/install/default.htm
Getting started with Wireshark
Wireshark has a friendly graphical user interface (GUI) that makes it easier for the user to analyze and diagnose packets that are passing through the network. No data will initially be displayed when the user runs Wireshark. The environment and usage of Wireshark will be explained further in this document.
To start capturing packets you need to select the interface which is connected to the network. This can be done by choosing Capture >> Interfaces from the Menu bar, or by clicking the first icon on the Commands menu.
Wireshark Lab: Introduction
Interfaces
The different interfaces available that the WinPcap driver sees in the machine are shown, and you can either click Start or click Options for more options regarding capturing packets before starting the capture.
The following figure represents the Capture Options window.
Computer Networks and Internets by Douglas Comer
2009 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.
Supervised by Lami Kaya and Prepared by Muna Ockba
Interface: Switch between different interfaces. You can only capture on one of the interfaces that Wireshark found on the system at a time.
Capture packets in promiscuous mode: This checkbox allows Wireshark not only to capture the packets going to or from your computer, but also all packets on your LAN segment.
Limit each packet to n bytes: This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen [3].
Capture filters: These are explained thoroughly in the next document. The default is not choosing any filters when capturing.
Display Options:
- Update list of packets in real time: Displays the packets right away once captured. If it is not chosen, Wireshark will display the packets captured when you stop the capture. It is important to know that choosing this option decreases the ability to capture packets at high rates.
- Automatic scrolling in live capture: Automatically scrolls down to the last packet captured. If this option is not chosen, Wireshark adds new packets to the end of the list, but does not scroll to the end of the packets pane. You can toggle this off from the Commands menu at any time, as shown in the following page.
- Hide capture info dialog: Toggle on/off to hide/show the capture info dialog while capturing.
Name Resolution Options:
- Enable MAC name resolution: Toggle on/off to choose whether Wireshark translates MAC addresses into names or not.
- Enable network name resolution: Toggle on/off to choose whether Wireshark translates network addresses into names or not.
- Enable transport name resolution: Toggle on/off to choose whether Wireshark translates transport addresses into protocols or not.
[3] http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureOptions.html#ChCapCaptureOptionsDialog
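The snaplen option above limits how many bytes of each frame are stored in the capture; in the classic pcap file format this shows up as a per-record captured length (incl_len) that is smaller than the original length (orig_len). The following Python example is added here and is not part of the lab: it writes and reads a minimal pcap byte string with a chosen snaplen over two constructed sample frames, so the truncation can be inspected without Wireshark. All function names are mine.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample frames (not from any real capture): a 60-byte minimum-size
# Ethernet frame and a 1514-byte full-size one; (timestamp, raw frame bytes).
_HDR = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
SAMPLE_FRAMES = [
    (1700000000.25, _HDR + bytes(46)),     # 60 bytes, fits in any usual snaplen
    (1700000000.50, _HDR + bytes(1500)),   # 1514 bytes, will be cut by a small snaplen
]

def write_pcap(packets, snaplen):
    """Serialise (timestamp, frame) pairs as a classic pcap file, truncating each
    frame to `snaplen` bytes the way 'Limit each packet to n bytes' does."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        captured = frame[:snaplen]                  # what actually lands on disk
        ts_sec = int(ts)
        ts_usec = int(round((ts - ts_sec) * 1_000_000))
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)

def read_pcap(data):
    """Parse a pcap byte string; return (snaplen, [(incl_len, orig_len, payload), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported or byte-swapped pcap magic: %#x" % magic)
    snaplen, = struct.unpack_from("<I", data, 16)
    records, off = [], 24
    while off < len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records

def truncated_records(data):
    """Indices of records whose payload was cut by the snaplen (incl_len < orig_len)."""
    _, records = read_pcap(data)
    return [i for i, (incl, orig, _) in enumerate(records) if incl < orig]

if __name__ == "__main__":
    for i in truncated_records(write_pcap(SAMPLE_FRAMES, 96)):
        print("record", i, "was truncated by snaplen 96")
```

Wireshark marks such records as "Packet size limited during capture", which is the reason a too-small snaplen can hide the payload bytes a later analysis needs.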
Capture Info Dialog
Commands toolbar icons (numbered 1 to 9 as in the figure):
1. List available capture interfaces
2. Show the capture options
3. Start a new live capture
4. Stop the running live capture
5. Restart the running live capture
6. Colorize packet list (toggle button)
7. Auto scroll packet list in live capture (toggle button)
8. Edit preferences
9. Show some help
An interesting way to set up the environment in Wireshark with a default interface and some default options, instead of choosing them each and every time you run Wireshark, is by clicking the Preferences icon from the Commands menu and choosing the Capture tab. Options similar to those found in the Capture Options dialog box can be found there.