
Network Analyzer :Introduction to Wireshark

Computer Networking (Graduate Class)

What is Wireshark ?

Formerly known as Ethereal
Wireshark is a GUI network protocol analyzer
Display filters in Wireshark are very powerful
Capture filters follow the rules of the pcap library

Functions

Captures network traffic
Decodes packets of common protocols
Displays the network traffic in human-readable format

Wireshark Startup

Version 1.2.6

Screen Layout of Wireshark

The summary line briefly describes what the packet is.

The protocol tree lets you drill down to the exact protocol or field that you are interested in.

The hex dump shows you exactly what the packet looks like when it goes over the wire.
Filename Of Current File

Edit -> Preferences -> Columns

Enable Protocols

Capture Options

Capture Options
To specify the interface to be monitored
To record all traffic, even packets not addressed to this host
To capture only part of each packet
To capture only certain packets
To store the result in a file

Automatic Stop Condition

To Start Monitoring

Start Capturing

Stop Capturing

Display Packet Captured

Frame #

Ethernet Header

Destination Mac Address Field in Ethernet Header

Column Sorting
Output is Sorted By Frame No By Default

Output is Sorted By Source Address

Conversation List

Saving Packets Captured

Capture Filters
The capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax. Refer to the manual page of tcpdump:

(http://www.tcpdump.org/tcpdump_man.html )

Sample filters:
src host 192.168.1.1
ether src 00:50:BA:48:B5:EF

Capture Filters

A capture filter for HTTP that captures traffic to and from a particular host:
- tcp port 80 and host 10.10.10.5

A capture filter for HTTP that captures traffic not to or from a particular host:
- tcp port 80 and not host 10.10.10.5

A capture filter for traffic to and from an Ethernet address:
- ether 00:00:01:01:02:22

Display Filters

Comparison operators can be written as C-like symbols or as English-like abbreviations:

eq, ==   Equal
ne, !=   Not equal
gt, >    Greater than
lt, <    Less than
ge, >=   Greater than or equal to
le, <=   Less than or equal to
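The capture filter slides above and the operator table are easier to follow with a frame in hand. The following Python script is an added example (not part of the original slides): it builds one constructed Ethernet/IPv4/TCP frame (10.10.10.5:40000 -> 10.10.10.9:80, headers only, not a real capture), decodes it into a flat protocol tree keyed by Wireshark-style field names (eth.dst, ip.src, tcp.dstport and so on), then re-implements the matching semantics of the slide's capture filters (pcap "host" and "port" match either direction) and a minimal display-filter comparison using the six operators. The helper names (build_sample_frame, decode, pcap_host, display_match, ...) are this example's own, not pcap or Wireshark APIs.

```python
import operator
import struct
from typing import Dict

# Constructed sample frame: Ethernet II / IPv4 / TCP SYN, 10.10.10.5:40000 -> 10.10.10.9:80.
# Only headers are present; checksums are left at 0 because nothing here verifies them.
def build_sample_frame() -> bytes:
    eth = bytes.fromhex("000001010222") + bytes.fromhex("0050BA48B5EF") + b"\x08\x00"  # dst, src, type
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,  # ver/IHL, TOS, len, id, flags, TTL, proto=TCP, csum
                     bytes([10, 10, 10, 5]), bytes([10, 10, 10, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)  # sport, dport, seq, ack, off, SYN
    return eth + ip + tcp

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode(frame: bytes) -> Dict[str, object]:
    """Flatten the frame into Wireshark-style field names, like the protocol tree pane."""
    fields: Dict[str, object] = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])  # Ethernet header: dst MAC first
    fields["eth.dst"], fields["eth.src"], fields["eth.type"] = mac_str(dst), mac_str(src), ethertype
    if ethertype != 0x0800:          # not IPv4: stop at the Ethernet layer
        return fields
    ihl = (frame[14] & 0x0F) * 4     # IPv4 header length in bytes
    ip = frame[14:14 + ihl]
    fields["ip.ttl"] = ip[8]
    fields["ip.proto"] = ip[9]
    fields["ip.src"] = ".".join(str(b) for b in ip[12:16])
    fields["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    if ip[9] == 6:                   # TCP
        tcp = frame[14 + ihl:14 + ihl + 20]
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
        fields["tcp.flags"] = tcp[13]
    return fields

# Capture-filter semantics (pcap): "host X" and "port N" match either direction,
# "ether X" matches source or destination MAC.
def pcap_host(fields: Dict[str, object], addr: str) -> bool:
    return addr in (fields.get("ip.src"), fields.get("ip.dst"))

def pcap_tcp_port(fields: Dict[str, object], port: int) -> bool:
    return fields.get("ip.proto") == 6 and port in (fields.get("tcp.srcport"), fields.get("tcp.dstport"))

def pcap_ether(fields: Dict[str, object], mac: str) -> bool:
    return mac.lower() in (fields.get("eth.src"), fields.get("eth.dst"))

def http_with_host(fields: Dict[str, object], host: str) -> bool:
    """tcp port 80 and host <host>"""
    return pcap_tcp_port(fields, 80) and pcap_host(fields, host)

def http_not_host(fields: Dict[str, object], host: str) -> bool:
    """tcp port 80 and not host <host>"""
    return pcap_tcp_port(fields, 80) and not pcap_host(fields, host)

# Display-filter comparison: both the C-like symbol and the abbreviation map to one operator.
OPS = {"eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
       "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
       "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le}

def display_match(fields: Dict[str, object], expr: str) -> bool:
    """Evaluate a single 'field op value' comparison; an absent field never matches."""
    name, op, value = expr.split()
    if name not in fields:
        return False
    actual = fields[name]
    wanted = int(value, 0) if isinstance(actual, int) else value
    return OPS[op](actual, wanted)

if __name__ == "__main__":
    f = decode(build_sample_frame())
    for k, v in f.items():
        print(f"{k:12} {v}")
    print("tcp port 80 and host 10.10.10.5:", http_with_host(f, "10.10.10.5"))
    print("tcp.dstport eq 80:", display_match(f, "tcp.dstport eq 80"))
```

The two filter families differ in where they run: the capture filter decides whether a frame is recorded at all, so a frame dropped there never reaches the display filter. Trying the same expression in both forms against the decoded frame makes that distinction concrete.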

Display Filters GUI

Quick Way to Learn Display Filter Commands

Display Filters GUI



Display Filters GUI

Why Packet Analyzing in this class ?

Useful when developing network applications

A guide to what went wrong when an error is encountered

Some Useful Information

Wireshark
- http://www.wireshark.org

TCPDUMP man page
- http://www.tcpdump.org/tcpdump_man.html

IP protocol
- http://www.networksorcery.com/enp/protocol/ip.htm

Demonstration
