Wireshark Jumpstart Event Notes

WIRESHARK UNIVERSITY

Gerald Combs and Laura Chappell
3 March 2013
wiresharktraining.com/jumpstart

CONTENTS

A Note from Laura (p. 3)
Where Do You Start? (p. 4)
  I Can Spell It… Does that Count? (New to Wireshark/Analysis) – Acquire Key Skills (p. 4)
  I Can Capture Traffic, Can't Always Understand It – Learn TCP/IP and Traffic Interpretation (p. 4)
  I'm Comfortable with It – Improve Network Performance and Perform Network Forensics (p. 4)
  I Breathe Underwater (Guru) – Become a Wireshark Certified Network Analyst (p. 4)
About the Wireshark Jumpstart Attendees (p. 5)
Additional Wireshark/Network Analysis Resources (p. 5)
  Twitter Accounts and Hash Tags (p. 5)
  Wireshark General Resources (p. 5)
  Wireshark Certification (p. 5)
  Blogs/Mailing Lists/Newsletters (p. 5)
  Books (p. 6)
  FREE Online Training (p. 7)
  All Access Pass (AAP) Subscription (p. 8)
    Live Course: Wireshark: 10 Essential Skills (March 26, 2013) (p. 8)
    Live Course: Wireshark: Expert Infos Analysis (April 23, 2013) (p. 8)
    Live Course: Wireshark: Regular Expressions Primer (May 21, 2013) (p. 8)
    Wireshark Certified Network Analyst (WCNA) Boot Camp (To be scheduled) (p. 8)
  Instructor-Led Classes – Traditional Format (p. 9)
  Sharkfest (Wireshark User/Developer Conference) (p. 9)
Laura's Wireshark Jumpstart Notes (p. 10)
  Wireshark Fundamentals (p. 11)
  Capture at the Best Location and Use Filtering When Necessary (p. 14)
    Capture Locations (p. 14)
    Capture Filters (p. 16)
  Customize Wireshark for troubleshooting or forensics tasks (p. 18)
  Determine the top talkers (p. 19)
  Identify active applications/protocols (and detect malicious traffic) (p. 20)
  Locate slow clients and servers as well as high latency paths (p. 21)
  Filter based on IP addresses, subnets, protocols and even fields (p. 23)
  Make Wireshark "scream" when errors are detected (coloring rules) (p. 24)
  Create a graph to correlate low throughput with network errors (p. 28)
  Apply a quick filter to spot someone downloading an .exe file (p. 29)
  Reassemble a file transferred across a network (p. 30)
    Right-Click Reassembly (p. 30)
    File | Export Objects (p. 31)
Try it Yourself: Wireshark Filtering/Reassembling Lab (p. 32)
Try it Yourself: Cascade Pilot Lab (p. 35)
  Cascade Pilot Personal Edition vs. Cascade Pilot (p. 39)
Q&A from the Wireshark Jumpstart Events (p. 41)
  Presentation Resources (p. 41)
  Capturing Traffic - General (p. 41)
  Capturing Traffic – TAPs and SPAN (p. 45)
  Laura's Configurations (p. 46)
  Profiles (p. 47)
  Bluetooth Support (p. 47)
  Conferences (p. 47)
  Learning Wireshark (p. 48)
  Fibre Channel over Ethernet (FCoE) (p. 50)
  Reassembly (p. 50)
  Coloring Rules (p. 51)
  Time Values (p. 51)
  Pcapng Format (p. 51)
  Filtering (p. 52)
  Troubleshooting (p. 54)
  WinPcap (p. 54)
  Decryption (p. 54)
  Statistics (p. 54)
  Security – Network Forensics (p. 56)
  Wireshark Protocol/Dissection Support (p. 56)
  OS X Questions (p. 58)
  Miscellaneous Topics (p. 58)

Copyright Chappell University, created for Wireshark University and the Wireshark Jumpstart events (www.wiresharktraining.com/jumpstart). Download the trace files used during this event from wiresharkbook.com/wireshark101.


A NOTE FROM LAURA

Thank you for joining us for the Wireshark Jumpstart. We all owe a "thank you" to Gerald Combs for creating Ethereal (which became Wireshark). As a network analyst, I rely on Wireshark to help me detect the source of network performance problems, identify compromised network hosts, decipher application behavior, optimize communications and more.

If you couldn't log in to the event because it was full, I sincerely apologize. I hope you joined us for one of the overflow events. The registration rate for this event was much faster than we anticipated—we had over 5,000+ registration requests within 48 hours with another 2,000+ signing up for the Wireshark Jumpstart Early Notification emails for future events (wiresharktraining.com/jumpstart).

I didn't offer you a copy of the Wireshark Jumpstart slides because… well... there just weren't many slides used in the event—I showed live demonstrations of Wireshark throughout the Wireshark Jumpstart event. I feel the best way to understand Wireshark is to see it in action. This document includes notes and instruction on the Wireshark Jumpstart demonstrations. In addition, I reviewed, categorized and included the Q&A details. Gerald did an amazing job fielding questions during the events. A typical webinar may include 50 people—we hit the 1,000-attendee limit with these Wireshark Jumpstarts. Everyone had the opportunity to ask questions. Keeping up with that rate is a tall order. Well done, Gerald!

For those of you who already have the Wireshark 101: Essential Skills for Network Analysis book, I have included callouts in this document to the book sections covering the current task.

I hope you find this document useful. I know you will find Wireshark indispensable.

Laura Chappell
Wireshark University
[email protected]
@LauraChappell


WHERE DO YOU START?

People always ask me "Where do I start?" Here's a recommendation on how to improve your Wireshark skills based on your answers to the pre-event survey question, "How familiar are you with Wireshark?"

I Can Spell It… Does that Count? (New to Wireshark/Analysis) – Acquire Key Skills
• Wireshark 101: Essential Skills for Network Analysis book (Amazon)
• Wireshark 101 – 4-Part Free Wireshark Videos (lcuportal2.com)
• This Wireshark Jumpstart document
• Sharkfest: Wireshark User and Developer Conference
• All Access Pass LIVE: 10 Essential Skills Live Event (March 26th at 10:00am PDT)
• All Access Pass: Lab Solutions for Wireshark 101: Essential Skills for Network Analysis (recorded)

I Can Capture Traffic, Can't Always Understand It – Learn TCP/IP and Traffic Interpretation
• Wireshark 101: Essential Skills for Network Analysis book (Amazon)
• Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide book (Amazon)
• All Access Pass: Lab Solutions for Wireshark 101: Essential Skills for Network Analysis (recorded)
• All Access Pass LIVE: Wireshark Expert Infos Analysis (April 23rd at 10:00am PDT)
• All Access Pass: CS45 TCP Analysis in-Depth (recorded)
• All Access Pass: CS54: ICMP Analysis (recorded)
• All Access Pass: Slow Networks - NOPs/SACK (recorded)
• All Access Pass: CS44: Top 10 Reasons Your Network is Slow (recorded)
• All Access Pass: CS46: DHCP/ARP Analysis (recorded)

I'm Comfortable with It – Improve Network Performance and Perform Network Forensics
• Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide book (Amazon)
• All Access Pass LIVE: Wireshark: Regular Expressions Primer (May 21st at 10:00am PDT)
• All Access Pass: CS42: Hacked Hosts (recorded)
• All Access Pass: Build Wireshark Filters from Snort Rules (recorded)
• All Access Pass: CS44: Top 10 Reasons Your Network is Slow (recorded)
• Wireshark Certified Network Analyst Exam Prep Guide (Amazon)

I Breathe Underwater (Guru) – Become a Wireshark Certified Network Analyst
• Wireshark Certified Network Analyst Exam Prep Guide (Amazon)
• Wireshark Certified Network Analyst Info Pack (wiresharktraining.com/certification)
• WCNA Exam (webassessor.com/pai)


ABOUT THE WIRESHARK JUMPSTART ATTENDEES

(Chart: What is your specialty?)

(Chart: How familiar are you with Wireshark?)

Countries represented: Andorra, Arab Emirates, Argentina, Australia, Austria, Belgium, Bolivia, Bosnia, Brazil, Brunei, Canada, Chile, Croatia, Cyprus, Czech Republic, Denmark, Ecuador, El Salvador, Estonia, Finland, France, Gambia, Germany, Greece, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Italy, Jamaica, Japan, Latvia, Macedonia, Malaysia, Mexico, Morocco, Netherlands, New Zealand, Pakistan, Paraguay, Portugal, Qatar, Russia, Serbia, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Trinidad and Tobago, Tunisia, Turkey, United Kingdom, United States


ADDITIONAL WIRESHARK/NETWORK ANALYSIS RESOURCES

You can't memorize everything, so know where your resources are located.

TWITTER ACCOUNTS AND HASH TAGS
• Gerald Combs: @geraldcombs
• Laura Chappell: @LauraChappell
• Wireshark University: @wiresharkU
• Wireshark: #wireshark
• Wireshark Jumpstart Events: #jumpstart

WIRESHARK GENERAL RESOURCES
• Wireshark Main Site: www.wireshark.org
• Wireshark Download Page: www.wireshark.org/download
• Wireshark Q&A Forum: ask.wireshark.org
• Wireshark Certified Network Analyst Program: www.wiresharktraining.com/certification
• Wireshark University: www.wiresharktraining.com
• IPv4 and IPv6 Connectivity Test: www.wireshark.org/tools/v46status
• OUI Lookup Tool: www.wireshark.org/tools/oui-lookup
• String-Matching Capture Filter Generator: www.wireshark.org/tools/string-cf
• WPA PSK Generator: www.wireshark.org/tools/wpa-psk

WIRESHARK CERTIFICATION
• Wireshark University Main Page: www.wiresharktraining.com
• Wireshark University Certification Page: www.wiresharktraining.com/certification
• WebAssessor Login Page: webassessor.com/pai
• Wireshark Certified Network Analyst (WCNA) Portal: wcnaportal.com

BLOGS/MAILING LISTS/NEWSLETTERS
• In Laura's Lab Blog: lcuportal2.com/blog-in-lauras-lab
• Laura's Newsletter (Monthly): chappellu.com/newsletter
• Wireshark Blog: blog.wireshark.org
• Wireshark Announcement: www.wireshark.org/mailman/listinfo/wireshark-announce
• Wireshark Jumpstart Early Notification: wiresharktraining.com/jumpstart
• Wireshark Training Newsletter: wiresharktraining.com/newsletter


BOOKS

Wireshark 101: Essential Skills for Network Analysis
  Format: Paperback and Kindle
  Page Count: 370
  Paperback ISBN: 978-1-893939-72-1
  Kindle ASIN: B00BF50LD0
  Contact: [email protected] or +1 408-378-7841
  Website: www.wiresharkbook.com/studyguide

Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide (Second Edition)
  Format: Paperback and Kindle
  Page Count: 986 pages
  ISBN: 978-1-893939-94-3
  Kindle ASIN: B008G65O7O
  Book/Exam Version: Version 2 (WCNA-102x Exam)
  Contact: [email protected] or +1 408-378-7841
  Website: www.wiresharkbook.com/wireshark101

Wireshark Certified Network Analyst Exam Prep Guide (Second Edition)
  Format: Paperback and Kindle
  Page Count: 202 pages
  ISBN: 978-1-893939-90-5
  Kindle ASIN: B008J6WOCY
  Book/Exam Version: Version 2 (WCNA-102x Exam)
  Contact: [email protected] or +1 408-378-7841
  Website: www.wiresharkbook.com/epg


FREE ONLINE TRAINING

During the event, I mentioned the free Wireshark 101 videos that are available online. You can view the videos online or download them at the All Access Pass Free Wireshark Class page: www.lcuportal2.com/wireshark101.html. The free Wireshark 101 course includes the following four videos:
• Part 1 - Internals and Placement Tips (17690 Kb) – 14:17
• Part 2 - Profiles and Capture Filters (23887 Kb) – 10:54
• Part 3 - Display Filters and Coloring Rules (33802 Kb) – 14:17
• Part 4 - Charts and Graphs (32029 Kb) – 15:00


ALL ACCESS PASS (AAP) SUBSCRIPTION

All of Laura's training courses are available online in the All Access Pass. Registration Page: www.lcuportal2.com
• Yearly subscription to all online courses and live AAP events
• Transcript system (in-progress; completed; CPE credit details)
• Course Completion Certificates

Upcoming All Access Pass Exclusive live events are listed below.

Live Course: Wireshark: 10 Essential Skills (March 26, 2013) Join Laura as she takes you through 10 essential skills that you must master with Wireshark. These skills include key word filtering, host name extraction (tshark), profile importing, filter expression buttons, advanced IO graphing with logarithmic scales, TCP delta graphing and more.

Live Course: Wireshark: Expert Infos Analysis (April 23, 2013) Join Laura as she takes you through numerous Expert Infos Errors, Warnings and Notes, explaining each as she progresses. She will show you how to use the Expert Infos in your analysis (including graphing details).

Live Course: Wireshark: Regular Expressions Primer (May 21, 2013) If you are new to Regular Expressions, this is the class for you! Join Laura as she walks you through the essentials of Regular Expressions as it relates to Wireshark. Create keyword filters, use variable length wildcards, case insensitivity, multiple word search, and more.

Wireshark Certified Network Analyst (WCNA) Boot Camp (To be scheduled) This course will be scheduled after the Sharkfest conference’s WCNA Boot Camp course. Sign up for AAP Notifications to receive an alert when this class is available in the AAP. Laura is in the process of recording the 33 Sections of the Wireshark Network Analysis Study Guide for this course.


INSTRUCTOR-LED CLASSES – TRADITIONAL FORMAT
• Troubleshooting TCP/IP Networks with Wireshark (Global Knowledge, SCOS)
• Wireshark Certified Network Analyst Boot Camp (Sharkfest 2013; sharkfest.wireshark.org/bootcamp)
• Wireshark 101: Essential Skills for Network Analysts (just released)

If you are a training organization or training manager, you might be interested in using the new Wireshark 101 courseware. For more information on purchasing Wireshark 101 courseware, contact us at info@chappellU.com.

SHARKFEST (WIRESHARK USER/DEVELOPER CONFERENCE)

SHARKFEST '13 – June 16-19, 2013, UC Berkeley
Information/Registration: sharkfest.wireshark.org
WCNA Boot Camp (June 19-21): sharkfest.wireshark.org/bootcamp (Instructor: Laura Chappell)

Of course, Gerald and I will be at Sharkfest! This is a great conference to mingle with the developers and other Wireshark users. Early bird registration is open until April 15th, so register today.

Registration Fees
Early Bird Conference Registration                            $695.00
Regular Registration - April 16 - June 15                     $895.00
Early Bird Conference & WCNA Boot Camp                      $1,490.00
Regular Conference & WCNA Boot Camp - April 16 - June 15    $1,690.00


LAURA'S WIRESHARK JUMPSTART NOTES

The following pages provide notes on the various demonstrations I performed during the three Wireshark Jumpstart events. During the event, I covered 11 key areas:
1. Wireshark fundamentals
2. Capture at the best location and use filtering when necessary
3. Customize Wireshark for troubleshooting or forensics tasks
4. Determine the top talkers
5. Identify active applications/protocols (and detect malicious traffic)
6. Locate slow clients and servers as well as high latency paths
7. Filter based on IP addresses, subnets, protocols and even fields
8. Make Wireshark "scream" when errors are detected (coloring rules)
9. Create a graph to correlate low throughput with network errors
10. Apply a quick filter to spot someone downloading an .exe file
11. Reassemble a file transferred across a network

It was a lot to cover in one hour, but I hope this gives you a feel for Wireshark’s capability and some tricks on being a more efficient analyst.


WIRESHARK FUNDAMENTALS

We began with a look at the internals of Wireshark. Key things to remember:
• When performing a live capture, you use one of three link layer drivers and go up through the Capture Engine (dumpcap). Dumpcap.exe is actually launched to do the capturing – wireshark.exe does not have capture capability itself.
• Capture filters cannot be used when you open a trace file from disk – notice the location of capture filters in the diagram below.
• Wireshark's Wiretap Library recognizes LOTS of trace file formats.
• Dissectors are the powerful elements that pick apart the contents of packets and display their field names and in some cases field interpretations.
• Display filters can be used whether you are performing a live capture or opening a saved trace file.


In the Wireshark Jumpstart, I quickly provided an overview of the Wireshark interface highlighting the following areas:
1. Title Bar: Will show you the opened trace file name or information regarding the interface on which you are currently capturing traffic.
2. Main Menu: Traditional menu – click on each menu item to check it out – you saw me use File | Export Specified Packets and the File | Export Objects | HTTP to reassemble an image downloaded during a web browsing session. I also built some graphs using Statistics | IO Graph.
3. Toolbar Menu: Learn it, love it! You can do so many things using the right-click method and this Toolbar menu. Hover over each button for tooltips. You saw me click on the first button to list my available interfaces and the second button to jump directly to the Capture Options window.
4. Display Filter Toolbar: Harness the power of display filters! These filters use a proprietary syntax (not the same as the capture filter syntax). I have lots of display filter examples in this document.
5. Packet List Pane: Here's the basic information about each packet. Right click on any packet to see what options are available to you. I right-clicked to Follow Streams when reassembling traffic.
6. Packet Details Pane: Now you can see the dissectors at work. Right-click and select Expand All to see each piece of a packet. Right-click on any line to quickly build a column or filter based on that line.
7. Packet Bytes Pane: We don't spend too much time here, but it's nice to have.
8. Status Bar: This is where the Expert Infos button and Annotation button reside. You can also learn the display filter syntax by clicking on a field in the Packet Details pane and looking here. Your current profile is listed to the far right on the Status Bar.

See Chapter 0 Skills: Explore Key Wireshark Elements and Traffic Flows of the Wireshark 101 book. Specifically, section 0.8 covers the Wireshark interface. Make sure you go through section 0.9 (Analyze Web Browsing Traffic and Analyze Sample Background Traffic) to get a better feel for using the Wireshark interface.


CAPTURE AT THE BEST LOCATION AND USE FILTERING WHEN NECESSARY

CAPTURE LOCATIONS

I stressed the importance of beginning your capture process as close to the complaining user as possible. This enables you to see the issues from the perspective of that user's traffic.

Your primary capture options are:
1. Load Wireshark on the user's system
2. Use switch port mirroring
3. Connect a tap between the user system and the upstream switch

My preference is option 3 because (a) I don't have to load software on a system that is already having problems or is compromised, (b) you can see all MAC-layer errors (not possible with switch port mirroring), and (c) you see what is truly sent on the network (task offloading may prevent us from seeing true packets if we use option 1).

If you are troubleshooting packet loss, you will need to move Wireshark closer to the host sending data to see where the packet loss occurs.

Hint
When locating the point of packet loss, use a TCP-based file transfer process. When you see the original packet and the retransmission, you are capturing before the point of packet loss. When you see only retransmissions, you are capturing after the point of packet loss. Creating a display filter on the TCP Sequence Number field can help you determine if you have captured the original packet and the retransmission or just the retransmission.
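The hint above comes down to filtering on the TCP Sequence Number field and checking whether a given sequence number shows up once or twice, and the fundamentals section earlier describes dissectors picking packets apart into named fields. As an added example, not code from the Jumpstart notes or from the Wireshark project, the Python below builds a tiny pcap file in memory from constructed packets (checksums left at zero), dissects the Ethernet/IPv4/TCP headers into Wireshark-style field names, and applies the hint to one sequence number seen from two capture points. The field names, the before-loss/after-loss labels, the addresses and the 100-byte segments are this example's own choices.

```python
"""Added example (not code from the Jumpstart notes): a minimal pcap reader
and Ethernet/IPv4/TCP dissector, plus the 'filter on tcp.seq' check from the
packet-loss hint.  Every packet below is constructed in memory."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond stamps
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums left at zero; this is
    sample input for the dissector, not something to put on a wire)."""
    eth = bytes.fromhex("000815000815") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # data offset 5 words (20-byte header), flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap global header and per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def dissect_pcap(data):
    """Minimal dissector: one dict of named fields per IPv4/TCP packet, using
    Wireshark's field names (ip.src, tcp.seq, tcp.len, ...) for familiarity."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset, packets = 24, []
    while offset < len(data):
        caplen = struct.unpack_from("<IIII", data, offset)[2]
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        tcp_off = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        packets.append({
            "ip.src": ".".join(map(str, frame[26:30])),
            "ip.dst": ".".join(map(str, frame[30:34])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "tcp.len": total_len - ihl - data_off,
        })
    return packets


def classify_capture_point(packets, sender, seq):
    """Apply the hint for one sequence number sent by `sender`: two copies of
    the segment mean the original and the retransmission were both captured
    (capture point is before the loss); a single copy that shows up after
    higher sequence numbers is the retransmission alone (after the loss)."""
    copies, highest_seen, late = 0, -1, False
    for p in packets:
        if p["ip.src"] != sender or p["tcp.len"] == 0:
            continue
        if p["tcp.seq"] == seq:
            copies += 1
            if copies == 1 and highest_seen > seq:
                late = True   # first sighting came after later data: a retransmission
        highest_seen = max(highest_seen, p["tcp.seq"])
    if copies >= 2:
        return "before-loss"
    if copies == 1 and late:
        return "after-loss"
    return "no-retransmission"


def demo():
    """The same transfer seen from two capture points; segment 101 is lost once."""
    sender, receiver = "10.3.1.1", "10.3.1.2"

    def seg(seq):
        return build_tcp_frame(sender, receiver, 49152, 80, seq, b"X" * 100)

    near_sender = build_pcap([seg(1), seg(101), seg(201), seg(101)])  # original + retransmission
    past_loss = build_pcap([seg(1), seg(201), seg(101)])              # retransmission only
    return (classify_capture_point(dissect_pcap(near_sender), sender, 101),
            classify_capture_point(dissect_pcap(past_loss), sender, 101))


if __name__ == "__main__":
    print(demo())   # ('before-loss', 'after-loss')
```

In Wireshark the same check is the display filter tcp.seq == 101 on each capture: two matching data segments from the sender means the tap sits before the loss, one segment that arrives after higher sequence numbers (and that Wireshark flags as a retransmission) means the tap sits after it.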


We jumped into the capture process by clicking on the Capture Interfaces button to determine how many interfaces Wireshark could see. To define our capture filters, we could click the Options button from within the Capture Interfaces window or click the Capture Options button on the Main Toolbar.

See Determine the Best Capture Method and Apply Capture Filters of the Wireshark 101 book. You should master capturing to file sets, using the ring buffer as well as applying capture filters. Per section 2.5, though, you must question why you are seeing so much traffic: are you capturing in the best location?


CAPTURE FILTERS

I demonstrated a simple capture filter for all port 80 traffic to or from my own machine's IP address (host 192.168.1.72 and port 80). The following table lists several popular capture filters:

Capture Filter Example                   Purpose
ether host 00:08:15:00:08:15             Capture traffic to or from hardware address 00:08:15:00:08:15
host 10.3.1.1                            Capture traffic to/from 10.3.1.1
host 2406:da00:ff00::6b16:f02d           Capture traffic to/from the IPv6 address 2406:da00:ff00::6b16:f02d
not host 10.3.1.1                        Capture all traffic except traffic to/from 10.3.1.1
src host 10.3.1.1                        Capture traffic from 10.3.1.1
host 10.3.1.1 or host 10.3.1.2           Capture traffic to/from 10.3.1.1 and any host it is communicating with, and traffic to/from 10.3.1.2 and any host it is communicating with
host www.espn.com                        Capture traffic to/from any IP address that resolves to www.espn.com (this only works if the host name can be resolved when the filter is compiled, prior to capture)
net 10.3.0.0/16                          Capture traffic to/from any host on network 10.3.0.0
port 53                                  Capture UDP/TCP traffic to or from port 53 (typically DNS traffic)
tcp port 21                              Capture TCP traffic to or from port 21 (typically the FTP command channel)
portrange 1-80                           Capture UDP/TCP traffic to or from ports 1 through 80
tcp portrange 1-80                       Capture TCP traffic to or from ports 1 through 80
host 10.3.1.1 and port 80                Capture UDP/TCP traffic to or from port 80 that is being sent to or from 10.3.1.1
icmp[0]=8                                Capture all ICMP Type 8 (Echo Request) packets (the first byte of the ICMP header is the Type field)


To apply a capture filter, double-click any adapter listed in the Capture Options window. To use a saved capture filter, or to save a capture filter you have just created, click the Capture Filter button. Otherwise, you can simply type in your capture filter and click OK. Color-coding indicates whether the filter syntax is acceptable (green), unacceptable (red), or questionable (yellow).

Hint: Use capture filters sparingly. It can be very frustrating to look at a trace file containing web browsing traffic and find that all DNS traffic had been filtered out during capture. That DNS traffic would have been great to see.

See Lab 12: Capture Only Traffic to or from Your IP Address and Lab 13: Capture Only Traffic to or from Everyone Else's MAC Address of the Wireshark 101 book. During these labs you will build and test capture filters based on address information.


CUSTOMIZE WIRESHARK FOR TROUBLESHOOTING OR FORENSICS TASKS

At this point, I demonstrated the process of creating a new profile called "Wireshark Jumpstart." The currently loaded profile is shown in the right-hand column of the Status Bar. Click to select another profile and right-click to create a new profile.

Customized capture filters, display filters, coloring rules, protocol settings, filter expression buttons and more can be saved in profiles. I made several changes to settings during the Wireshark Jumpstart; each new setting was saved in my Wireshark Jumpstart profile. To find a profile's settings, select Help | About Wireshark | Folders | Personal Configuration | profiles | profile name. All profile configuration files are simply text files. They can be opened, reviewed, and edited with a simple text editor.

Hint: If you have some traits that you want to use with all your profiles, create a "Master" profile and copy that profile when creating new ones.

See Lab 8: Import a DNS/HTTP Errors Profile of the Wireshark 101 book. To save time when customizing Wireshark, review this section and become comfortable with the location of configuration files.


DETERMINE THE TOP TALKERS

You can easily determine the top talkers based on MAC address (local conversations only), IPv4/IPv6 addresses, network addresses and port numbers, etc. Select Statistics | Conversations. Click on any active tab to view the conversations. Click twice on the Bytes column heading to sort from high to low to detect the most active conversation (based on bytes).

You can right-click on any listed conversation to apply a display filter on that conversation, find a packet in that conversation or colorize that conversation in the main Wireshark window. Expand the Conversations window to see the Duration column on the right side. Keep in mind that TCP-based communications may have a lagging FIN or RST (reset) process that makes the duration of the conversation seem long. Always filter on the conversation and look at the end of it to determine if you have a long delay before termination.

Hint: Select Statistics | Endpoints | IPv4/IPv6 | Map to use GeoIP! You can download the free MaxMind GeoIP binary files (maxmind.com), copy them to a directory and point Wireshark to that directory (Edit | Preferences | Name Resolution | GeoIP Database Directories). When you click on the IPv4 or IPv6 tab in the Endpoints window, you will see a Map button. Click it to launch an image of the world with the IP addresses in the trace file plotted on it. Nice!

See Chapter 5 Skills: Build and Interpret Tables and Graphs of the Wireshark 101 book. There are two great labs dealing with the most active TCP conversation (Lab 31: Filter on the Most Active TCP Conversation) and GeoIP mapping (Lab 32: Set up GeoIP to Map Targets Globally).


IDENTIFY ACTIVE APPLICATIONS/PROTOCOLS (AND DETECT MALICIOUS TRAFFIC)

This is a first step when dealing with security issues. Select Statistics | Protocol Hierarchy to identify the protocols and applications running on a network. Percentage values shown indicate the percentage of total traffic. In the Wireshark Jumpstart, I showed the Protocol Hierarchy window from sec-concern101.pcapng. We noted that 4.47% of all traffic seen is Internet Relay Chat (IRC) traffic. We also see some Trivial File Transfer Protocol (TFTP) traffic. Hmmm.

You can right-click on any item listed to apply a display filter on that protocol or application, find that type of packet or colorize that protocol or application's traffic.

Hint: Watch for protocols or applications that you don't expect to see on your network. For example, if your network doesn't typically support IRC or FTP traffic, that might be something on which to right-click and filter. In addition, when Wireshark does not recognize a protocol or application, it will simply list it as "data." Since Wireshark recognizes so many protocols and applications, this would be considered "suspicious." Keep in mind that Wireshark picks most dissectors by port number, so traffic on a well-known port that is not really that protocol can show up under the expected name (often as malformed packets) rather than as "data"; the Protocol Hierarchy is a starting point, not proof.
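What Statistics | Conversations and Statistics | Protocol Hierarchy compute, done by hand over a constructed packet list, as an added example that is not part of the original notes or of Wireshark. It sorts conversations by bytes, shows how a late packet (the lagging FIN/RST case) inflates a conversation's duration, reports each protocol's share of total bytes, and flags protocols outside an allow list. The packet records and the allow list are assumptions for this example.

```python
"""Top talkers, protocol hierarchy and unexpected-protocol check.

Added example, not code from the Jumpstart notes or from Wireshark.
Packets are constructed: (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes).
"""
from collections import defaultdict

PACKETS = [
    (0.00, "10.3.1.5", 49152, "10.3.1.1", 53, "dns", 74),
    (0.01, "10.3.1.1", 53, "10.3.1.5", 49152, "dns", 130),
    (0.05, "10.3.1.5", 49153, "93.184.216.34", 80, "http", 66),
    (0.10, "93.184.216.34", 80, "10.3.1.5", 49153, "http", 1514),
    (0.11, "93.184.216.34", 80, "10.3.1.5", 49153, "http", 1514),
    (0.12, "10.3.1.5", 49153, "93.184.216.34", 80, "http", 66),
    (0.30, "10.3.1.5", 49154, "198.51.100.7", 6667, "irc", 120),
    (0.35, "198.51.100.7", 6667, "10.3.1.5", 49154, "irc", 240),
    (5.35, "198.51.100.7", 6667, "10.3.1.5", 49154, "irc", 60),    # lagging FIN 5 s later
    (0.40, "10.3.1.5", 49155, "198.51.100.7", 69, "tftp", 60),      # TFTP read request
    (0.41, "198.51.100.7", 3456, "10.3.1.5", 49155, "tftp", 558),   # data comes from a new port
]

EXPECTED_PROTOCOLS = {"dns", "http", "https", "arp", "ntp"}   # assumed site policy


def conversation_key(pkt):
    """Direction-independent key: both endpoints, sorted."""
    _t, sip, sport, dip, dport, _proto, _n = pkt
    a, b = (sip, sport), (dip, dport)
    return (a, b) if a <= b else (b, a)


def top_conversations(packets):
    """[(endpoints, bytes, duration_s, proto)] with the most bytes first.

    Duration is last packet minus first packet, which is exactly why a
    lagging FIN or RST makes a conversation look long-lived.
    """
    stats = {}
    for pkt in packets:
        t, proto, nbytes = pkt[0], pkt[5], pkt[6]
        e = stats.setdefault(conversation_key(pkt),
                             {"bytes": 0, "first": t, "last": t, "proto": proto})
        e["bytes"] += nbytes
        e["first"] = min(e["first"], t)
        e["last"] = max(e["last"], t)
    rows = [(k, e["bytes"], round(e["last"] - e["first"], 3), e["proto"])
            for k, e in stats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def protocol_hierarchy(packets):
    """Percentage of total bytes per protocol, as the Protocol Hierarchy shows."""
    total = sum(p[6] for p in packets)
    per_proto = defaultdict(int)
    for p in packets:
        per_proto[p[5]] += p[6]
    return {proto: round(100.0 * n / total, 2) for proto, n in per_proto.items()}


def unexpected_protocols(packets, expected=EXPECTED_PROTOCOLS):
    """Protocols on the wire that site policy does not expect, sorted."""
    return sorted(p for p in protocol_hierarchy(packets) if p not in expected)


if __name__ == "__main__":
    for endpoints, nbytes, duration, proto in top_conversations(PACKETS):
        print("%-45s %6d bytes %6.3f s  %s" % (endpoints, nbytes, duration, proto))
    print(protocol_hierarchy(PACKETS))
    print("unexpected:", unexpected_protocols(PACKETS))
```

Note that TFTP shows up as two conversations because the server answers from a fresh port; keying on the IP pair alone (the IPv4 tab) would merge them.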

See Lab 33: Detect Suspicious Protocols or Applications of the Wireshark 101 book. In this lab you will be working with a trace file that indicates a host may be compromised. You will open the Protocol Hierarchy window first when analyzing the traffic.


LOCATE SLOW CLIENTS AND SERVERS AS WELL AS HIGH LATENCY PATHS

Wireshark should be a first responder tool when users complain of network performance problems. When you capture and analyze traffic to and from a complaining host, you can tell where the problem occurred; it cannot tell you why a problem occurred, however. Regardless, you will stop a lot of finger-pointing by looking at the traffic first.

The easiest way to determine whether a high path, client, or server latency situation exists is by looking at a single TCP conversation. I opened up http-download101.pcapng (this trace file, and every trace file shown in the Wireshark Jumpstart, is available in the book supplements area at www.wiresharkbook.com/wireshark101).

Step 1: I changed the Time column setting (View | Time Display Format | Seconds Since Previous Displayed Frame).

Step 2: Examine the time between the TCP SYN [frame 1] and SYN/ACK [frame 2]; this is the round trip time. If the time is too high, then this snapshot of the round trip time indicates that there is likely a path latency problem.

Step 3: Examine the time between the ACK to the GET request [frame 5] and the HTTP response [frame 6]. If this value is high, then you have server latency to consider.

Step 4: Examine the time between a client's ACK and the next request [not seen in this trace file] to determine if high client latency exists. This is the rarest form of delay, but may be seen when a user delays sending another request to the server.


In http-download101.pcapng, we see high path latency as indicated by a large value between the SYN and SYN/ACK, which is seen in the Time column of frame 2.

If your trace file has numerous TCP conversations, consider enabling the Calculate Conversation Timestamps TCP setting and adding a Time since previous frame in this TCP stream column. In the Wireshark Jumpstart, I enabled the Calculate Conversation Timestamps TCP setting and added a Time since previous frame in this TCP stream column. This new column will depict the time from the end of one packet of a specific TCP conversation to the end of the next packet in that same conversation.

1. Right-click on a TCP header in the Packet Details pane.
2. Select Protocol Preferences | Calculate Conversation Timestamps (checked).
3. Right-click the TCP header and choose Expand Subtrees.
4. Right-click the Time since previous frame in this TCP stream line and select Apply as Column.
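Steps 1 through 4 of the latency walk-through and the per-stream time column, carried out over a constructed frame list, as an added example that is not part of the original notes or of Wireshark. It computes the same delta the Time since previous frame in this TCP stream column shows, then pulls out one RTT sample (SYN to SYN/ACK), the worst server delay (server's ACK of a request to its response) and the worst client delay (client's ACK to its next request). The frames and the 100 ms threshold are assumptions for this example.

```python
"""Classify path, server and client latency in one TCP conversation.

Added example, not code from the Jumpstart notes or from Wireshark. Frames
are constructed: (frame, time_s, direction, tcp_flags, http_line), with
direction "c>s" for client to server and "s>c" for server to client.
"""

FRAMES = [
    (1, 0.000, "c>s", "SYN", None),
    (2, 0.212, "s>c", "SYN/ACK", None),              # step 2: one RTT sample, 212 ms
    (3, 0.213, "c>s", "ACK", None),
    (4, 0.214, "c>s", "PSH/ACK", "GET /file.zip"),
    (5, 0.426, "s>c", "ACK", None),                  # server ACKs the request ...
    (6, 0.431, "s>c", "PSH/ACK", "HTTP/1.1 200 OK"), # ... and answers 5 ms later (step 3)
    (7, 0.432, "c>s", "ACK", None),
    (8, 3.900, "c>s", "PSH/ACK", "GET /next.zip"),   # client sat idle 3.47 s (step 4)
]

THRESHOLD_S = 0.100   # assumed: anything over 100 ms deserves a look


def time_since_previous(frames):
    """[(frame, delta_s)]: the 'Time since previous frame in this TCP stream' column."""
    deltas, prev = [], None
    for f in sorted(frames, key=lambda f: f[1]):
        deltas.append((f[0], 0.0 if prev is None else round(f[1] - prev, 3)))
        prev = f[1]
    return deltas


def latency_report(frames):
    """{'path': rtt_s, 'server': worst_server_delay_s, 'client': worst_client_delay_s}."""
    report = {"path": None, "server": 0.0, "client": 0.0}
    syn_t = req_t = srv_ack_t = cli_ack_t = None
    for _n, t, direction, flags, http in sorted(frames, key=lambda f: f[1]):
        if direction == "c>s":
            if flags == "SYN":
                syn_t = t
            elif http:                                   # a new request
                if cli_ack_t is not None:                # step 4: client idle time
                    report["client"] = max(report["client"], round(t - cli_ack_t, 3))
                req_t, srv_ack_t, cli_ack_t = t, None, None
            elif req_t is None and report["path"] is not None:
                cli_ack_t = t                            # client ACK with nothing pending
        else:
            if flags == "SYN/ACK" and syn_t is not None:
                report["path"] = round(t - syn_t, 3)     # step 2: path RTT
            elif http and req_t is not None:             # the response
                base = srv_ack_t if srv_ack_t is not None else req_t
                report["server"] = max(report["server"], round(t - base, 3))  # step 3
                req_t = None
            elif req_t is not None:
                srv_ack_t = t                            # server ACKed the request
    return report


def diagnose(frames, threshold=THRESHOLD_S):
    """Which of path/server/client exceed the threshold, sorted."""
    r = latency_report(frames)
    return sorted(k for k in ("path", "server", "client")
                  if r[k] is not None and r[k] > threshold)


if __name__ == "__main__":
    for frame, delta in time_since_previous(FRAMES):
        print("frame %d  +%.3f s" % (frame, delta))
    print(latency_report(FRAMES), diagnose(FRAMES))
```

The handshake ACK (frame 3) also starts the client-idle timer, so the first request always produces a small client delay; only the 3.468 s gap before the second request is worth reporting here. The corresponding Wireshark display filter on the new column is tcp.time_delta > 1 (adjust the threshold to taste).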

Hint: After adding the [Timestamps] section in Wireshark, you can build coloring rules and display filters to quickly identify large delays within TCP conversations. We'll see that next.

See section 1.7 (Configure Time Columns to Spot Latency Problems) and run through Lab 9: Spot Path and Server Latency Problems of the Wireshark 101 book. Once you configure Wireshark properly, it should be easy to determine if high latency is occurring and where it is occurring.


FILTER BASED ON IP ADDRESSES, SUBNETS, PROTOCOLS AND EVEN FIELDS

In this case, we are using display filters. Display filters use Wireshark's own syntax whereas capture filters use the Berkeley Packet Filter (BPF) syntax. There are six basic types of display filters, as listed in the table below.

Filter Type                  Filter Example
Protocol                     arp
Application                  dns
Field Existence              http.host
Characteristic Existence     tcp.analysis.zero_window
Field Value                  http.host=="www.wireshark.org"
Regex Search Term            http.host matches "\.(?i)exe"

In the Wireshark Jumpstart, I demonstrated the auto-complete and error detection features. These can help a lot when you are new to Wireshark. I also showed you how to click Save on the display filter area to save your favorite display filters as filter expression buttons. You can enable/disable filter expression buttons using Edit | Preferences | Filter Expressions.

Hint: Use port numbers rather than protocol or application names when filtering on TCP-based traffic. For example, use tcp.port==80 instead of http. This ensures you can see the TCP connection setup, maintenance and tear down process as well as the HTTP traffic.

See Chapter 3 Skills: Apply Display Filters to Focus on Specific Traffic of the Wireshark 101 book. Become a master of filtering to really focus on the problem and remove false positives from view. There are 11 labs in this section of the book. I tried to ensure that when you move on to the next chapter, you have very strong display filtering skills. This is a skill I use constantly.


MAKE WIRESHARK "SCREAM" WHEN ERRORS ARE DETECTED (COLORING RULES)

Wireshark contains a set of default coloring rules to help you identify the traffic types. To determine why a frame is colored a certain way, expand the Frame section and look for the Coloring Rule Name and Coloring Rule String lines. Coloring rules are based on the display filter syntax.

Wireshark includes a set of coloring rules, but you can easily add onto that set. You can create coloring rules using the right-click method, by clicking on the Coloring Rules button on the icon toolbar or by selecting View | Coloring Rules. In the Wireshark Jumpstart, I copied and pasted my dns.flags.rcode != 0 display filter into a coloring rule. I used the following steps:

1. Copy the existing display filter from the display filter area (I used Ctrl+C).
2. Click the Edit Coloring Rules button on the main toolbar.
3. Click New.
4. Enter DNS Errors as the name and paste the display filter into the string area.
5. Click Background and enter salmon in the Color Name field. Tab to see the new color.
6. Click OK to accept the background color. Click OK again to accept the new coloring rule.
7. Click OK again to close the Coloring Rules window.

I tested this on dns-errors101.pcapng.
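Because a profile is plain text, the same rule can be written straight into the profile's colorfilters file instead of through the dialog. The following is an added example, not part of the original notes or of Wireshark's own code. It assumes the line layout that Wireshark 1.x writes, @name@filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b] with each colour channel scaled to 16 bits and a leading "!" for a disabled rule; open the colorfilters file in your own profile (Help | About Wireshark | Folders) and confirm the layout before relying on it. The colour names come from the X11 table later in this section.

```python
"""Write Wireshark coloring rules as colorfilters lines.

Added example, not code from the Jumpstart notes or from Wireshark. The
line format is an assumption taken from Wireshark 1.x profiles: check your
own colorfilters file before relying on it.
"""

# A few X11 colour names from the table in this section
X11 = {"salmon": "#FA8072", "olivedrab": "#6B8E23", "firebrick": "#B22222",
       "black": "#000000", "white": "#FFFFFF"}


def hex_to_16bit(hex_rgb):
    """'#FA8072' -> (64250, 32896, 29298): each 8-bit channel scaled to 16 bits (x * 257)."""
    h = hex_rgb.lstrip("#")
    if len(h) != 6 or any(c not in "0123456789abcdefABCDEF" for c in h):
        raise ValueError("expected #RRGGBB, got %r" % hex_rgb)
    return tuple(int(h[i:i + 2], 16) * 257 for i in (0, 2, 4))


def coloring_rule(name, display_filter, background, foreground="black", enabled=True):
    """One colorfilters line. '@' is the field separator, so it may not appear in
    the name or the filter; colours are X11 names from X11 or '#RRGGBB'."""
    if "@" in name or "@" in display_filter:
        raise ValueError("'@' cannot appear in a rule name or filter")
    bg = hex_to_16bit(X11.get(background.lower(), background))
    fg = hex_to_16bit(X11.get(foreground.lower(), foreground))
    line = "@%s@%s@[%d,%d,%d][%d,%d,%d]" % ((name, display_filter) + bg + fg)
    return line if enabled else "!" + line


def error_rules():
    """The rules built in this section and in the lab at the end of these notes,
    plus one for large gaps in a TCP stream (tcp.time_delta is the field behind
    the 'Time since previous frame in this TCP stream' column)."""
    return [
        coloring_rule("DNS Errors", "dns.flags.rcode != 0", "salmon"),
        coloring_rule("HTTP Errors", "http.response.code > 399", "salmon"),
        coloring_rule("TCP Stream Delay", "tcp.time_delta > 1", "firebrick", "white"),
    ]


if __name__ == "__main__":
    print("\n".join(error_rules()))
```

Rules are evaluated top to bottom and the first match wins, so put these lines at the top of the file, above the default Bad TCP rule, or they will never fire on frames the default rules already colour. Restart Wireshark (or reload the profile) after editing the file.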


Hint: I am a big believer in customizing Wireshark to fit a specific purpose. For example, I'd create a Troubleshooting profile that contains all the coloring rules for error responses and large delays in a trace file.

See Chapter 4 Skills: Color and Export Interesting Packets of the Wireshark 101 book. In Lab 27: Build a Coloring Rule to Highlight FTP User Names, Passwords, and More, you get a chance to create a very interesting coloring rule based on the FTP Argument field. This will come in handy in later labs.

Wireshark uses the Pango color tables (based on the X11 colors), shown on the following pages.


Want to know what colors are available to you? Here's a list of the X11 color table. In the different Wireshark Jumpstart sessions, I used Salmon, but I also like to use OliveDrab and FireBrick.

Color Name and RGB Value

LightPink #FFB6C1, Pink #FFC0CB, Crimson #DC143C, LavenderBlush #FFF0F5,
PaleVioletRed #DB7093, HotPink #FF69B4, DeepPink #FF1493, MediumVioletRed #C71585,
Orchid #DA70D6, Thistle #D8BFD8, Plum #DDA0DD, Violet #EE82EE,
Magenta #FF00FF, Fuchsia #FF00FF, DarkMagenta #8B008B, Purple #800080,
MediumOrchid #BA55D3, DarkViolet #9400D3, DarkOrchid #9932CC, Indigo #4B0082,
BlueViolet #8A2BE2, MediumPurple #9370DB, MediumSlateBlue #7B68EE, SlateBlue #6A5ACD,
DarkSlateBlue #483D8B, Lavender #E6E6FA, GhostWhite #F8F8FF, Blue #0000FF,
MediumBlue #0000CD, MidnightBlue #191970, DarkBlue #00008B, Navy #000080,
RoyalBlue #4169E1, CornflowerBlue #6495ED, LightSteelBlue #B0C4DE, LightSlateGray #778899,
SlateGray #708090, DodgerBlue #1E90FF, AliceBlue #F0F8FF, SteelBlue #4682B4,
LightSkyBlue #87CEFA, SkyBlue #87CEEB, DeepSkyBlue #00BFFF, LightBlue #ADD8E6,
PowderBlue #B0E0E6, CadetBlue #5F9EA0, Azure #F0FFFF, LightCyan #E0FFFF,
PaleTurquoise #AFEEEE, Cyan #00FFFF, Aqua #00FFFF, DarkTurquoise #00CED1,
DarkSlateGray #2F4F4F, DarkCyan #008B8B, Teal #008080, MediumTurquoise #48D1CC,
LightSeaGreen #20B2AA, Turquoise #40E0D0, Aquamarine #7FFFD4, MediumAquamarine #66CDAA,
MediumSpringGreen #00FA9A, MintCream #F5FFFA, SpringGreen #00FF7F, MediumSeaGreen #3CB371,
SeaGreen #2E8B57, Honeydew #F0FFF0, LightGreen #90EE90, PaleGreen #98FB98,
DarkSeaGreen #8FBC8F, LimeGreen #32CD32, Lime #00FF00, ForestGreen #228B22,
Green #008000, DarkGreen #006400, Chartreuse #7FFF00, LawnGreen #7CFC00,
GreenYellow #ADFF2F, DarkOliveGreen #556B2F, YellowGreen #9ACD32, OliveDrab #6B8E23,
Beige #F5F5DC, LightGoldenrodYellow #FAFAD2, Ivory #FFFFF0, LightYellow #FFFFE0,
Yellow #FFFF00, Olive #808000, DarkKhaki #BDB76B, LemonChiffon #FFFACD,
PaleGoldenrod #EEE8AA, Khaki #F0E68C, Gold #FFD700, Cornsilk #FFF8DC,
Goldenrod #DAA520, DarkGoldenrod #B8860B, FloralWhite #FFFAF0, OldLace #FDF5E6,
Wheat #F5DEB3, Moccasin #FFE4B5, Orange #FFA500, PapayaWhip #FFEFD5,
BlanchedAlmond #FFEBCD, NavajoWhite #FFDEAD, AntiqueWhite #FAEBD7, Tan #D2B48C,
BurlyWood #DEB887, Bisque #FFE4C4, DarkOrange #FF8C00, Linen #FAF0E6,
Peru #CD853F, PeachPuff #FFDAB9, SandyBrown #F4A460, Chocolate #D2691E,
SaddleBrown #8B4513, Seashell #FFF5EE, Sienna #A0522D, LightSalmon #FFA07A,
Coral #FF7F50, OrangeRed #FF4500, DarkSalmon #E9967A, Tomato #FF6347,
MistyRose #FFE4E1, Salmon #FA8072, Snow #FFFAFA, LightCoral #F08080,
RosyBrown #BC8F8F, IndianRed #CD5C5C, Red #FF0000, Brown #A52A2A,
FireBrick #B22222, DarkRed #8B0000, Maroon #800000, White #FFFFFF,
WhiteSmoke #F5F5F5, Gainsboro #DCDCDC, LightGrey #D3D3D3, Silver #C0C0C0,
DarkGray #A9A9A9, Gray #808080, DimGray #696969, Black #000000


CREATE A GRAPH TO CORRELATE LOW THROUGHPUT WITH NETWORK ERRORS

Throughput problems are most often caused by network problems or application problems (visible as client or server problems). If you rule out network problems, then you know to look for application problems.

In the Wireshark Jumpstart, I was working with http-download101.pcapng when I selected Statistics | IO Graph. Initially, this graph displays the packets per second rate seen in the trace file. I changed the Y axis value to Bits/Tick (since we usually talk about megabits per second). In addition, I added the filter tcp.analysis.flags && !tcp.analysis.window_update [1] to Graph 2, selected the FBar style and clicked the Graph 2 button. I changed the Y axis value to 1,000,000 as well.

Using this technique, we can easily correlate drops in throughput to increases in TCP network problems. Each time a TCP analysis flagged packet (other than a Window Update) appears, the overall bits per second rate drops. It appears we have a network problem.

You can expand this graph by adding additional graphs for tcp.analysis.lost_segment and tcp.analysis.retransmission || tcp.analysis.fast_retransmission.
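The two series the IO Graph plots above, bits per tick and the count of packets matching the Graph 2 filter, computed over a constructed packet list, as an added example that is not part of the original notes or of Wireshark. It then reports the ticks where bad-TCP packets appear and throughput fell at the same time, which is the correlation you are looking for by eye in the graph. Packet records are constructed; the tick size is the IO Graph default of one second.

```python
"""IO Graph by hand: bits per tick beside bad-TCP packets per tick.

Added example, not code from the Jumpstart notes or from Wireshark.
Packets are constructed: (time_s, frame_len_bytes, tcp_analysis_flags).
"""
import math
from collections import defaultdict

PACKETS = [
    (0.10, 1514, set()), (0.30, 1514, set()), (0.60, 1514, set()), (0.90, 1514, set()),
    (1.20, 1514, set()), (1.40, 66, {"lost_segment"}), (1.50, 1514, {"retransmission"}),
    (1.90, 1514, set()),
    (2.10, 66, {"window_update"}), (2.40, 1514, set()), (2.70, 1514, set()), (2.95, 1514, set()),
    (3.05, 66, {"fast_retransmission"}), (3.20, 66, {"duplicate_ack"}), (3.60, 1514, set()),
]


def bad_tcp(flags):
    """The Graph 2 filter: tcp.analysis.flags && !tcp.analysis.window_update.
    A window update sets tcp.analysis.flags but is not an error."""
    return bool(flags) and "window_update" not in flags


def io_graph(packets, tick_s=1.0):
    """[(tick_start_s, bits, bad_tcp_count)] for every tick, empty ticks included."""
    bits = defaultdict(int)
    bad = defaultdict(int)
    for t, length, flags in packets:
        tick = int(math.floor(t / tick_s))
        bits[tick] += length * 8
        if bad_tcp(flags):
            bad[tick] += 1
    last = max(bits) if bits else -1
    return [(round(i * tick_s, 3), bits[i], bad[i]) for i in range(last + 1)]


def throughput_drops_with_errors(packets, tick_s=1.0):
    """Tick start times where bad-TCP packets appeared and bits/tick fell
    compared with the previous tick: the pattern that points at the network."""
    rows = io_graph(packets, tick_s)
    return [cur[0] for prev, cur in zip(rows, rows[1:]) if cur[2] > 0 and cur[1] < prev[1]]


if __name__ == "__main__":
    for start, bits, bad in io_graph(PACKETS):
        print("%5.1f s  %7d bits  %d bad TCP" % (start, bits, bad))
    print("drops with errors at:", throughput_drops_with_errors(PACKETS))
```

Tick 2 shows why the window-update exclusion matters: a window update alone must not count as a network problem, and the throughput there is flat.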

Hint: Cascade Pilot offers tons of great graphs to visualize network performance and problems. Follow along with Try it Yourself: Cascade Pilot Lab on page 35.

In section 5.4, Graph Application and Host Bandwidth Usage, of the Wireshark 101 book you have a chance to apply filters to your graphs. There's a great lab (Lab 34: Compare Traffic to/from a Subnet to Other Traffic) that provides practice building and manipulating an IO Graph.

[1] This is the string used by the Bad TCP coloring rule. You can cut and paste it from there rather than type it in.


APPLY A QUICK FILTER TO SPOT SOMEONE DOWNLOADING AN .EXE FILE

There are several ways to locate someone downloading an .exe file. You can begin by casting a "wide net" and possibly catch packets that really don't indicate someone was downloading an .exe file. Then you can become more specific on packet location, case (upper, lower or either), and even specify the location within a field. When you use the "matches" operator, you indicate that what follows is a regular expression (Regex) value.

Display Filter Example                    Purpose
frame contains ".exe"                     Look for ".exe" (in lower case only) anywhere in any frame
http contains ".exe"                      Look for ".exe" (in lower case only) only in the HTTP area of a frame
http.request.uri contains ".exe"          Look for ".exe" (in lower case only) only in the http.request.uri field of a frame
frame matches "\.exe"                     Use regular expressions to look for ".exe" (in lower case only) anywhere in any frame
frame matches "\.(?i)exe"                 Use regular expressions to look for ".exe" (in upper or lower case) anywhere in any frame
http.request.uri matches "\.(?i)exe"      Use regular expressions to look for ".exe" (in upper or lower case) in the http.request.uri field of a frame

Note that "contains" is always case sensitive, and the backslash before the dot matters: without it the dot matches any character. The (?i) flag is what makes the 1.x-era "matches" operator shown here case insensitive; later Wireshark releases made "matches" case insensitive by default, so check the behaviour of your own version.

In the Wireshark Jumpstart, I opened ftp-download101.pcapng first. We saw there is an .exe in this file, but it is a directory listing. The user didn't download an executable (no RETR with an .exe defined). Next, I opened http-misctraffic101.pcapng. We see a GET request matched our filter for frame contains ".exe". We can see in the Info column that someone downloaded the Metasploit executable.
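The six filters from the table run over constructed frames, as an added example that is not part of the original notes or of Wireshark. A small evaluator stands in for the display filter engine ("contains" is a case-sensitive substring test, "matches" a PCRE-style regex) and shows the wide-net effect described above: a frame-wide filter hits an FTP directory listing that merely names an .exe, an uppercase Setup.EXE slips past the case-sensitive forms, and "exe" without the dot catches an unrelated /exercises/ URL. The frame contents are constructed; Python needs the scoped (?i:...) form where Wireshark's PCRE accepts a mid-pattern (?i), and the code rewrites it.

```python
"""Evaluate the '.exe' display filters from this section over constructed frames.

Added example, not code from the Jumpstart notes or from Wireshark. Each
frame is (raw_bytes, http_request_uri_or_None).
"""
import re

FRAMES = {
    "ftp-list":  (b"-rw-r--r-- 1 ftp ftp 842240 Mar 3 tools.exe\r\n", None),
    "http-get":  (b"GET /downloads/Setup.EXE HTTP/1.1\r\nHost: example.test\r\n",
                  "/downloads/Setup.EXE"),
    "http-page": (b"GET /exercises/index.html HTTP/1.1\r\nHost: example.test\r\n",
                  "/exercises/index.html"),
    "dns":       (b"\x12\x34\x01\x00\x00\x01\x07example\x04test\x00", None),
}

# (field, operator, argument) exactly as written in the display filter bar
FILTERS = [
    ("frame", "contains", ".exe"),
    ("http", "contains", ".exe"),
    ("http.request.uri", "contains", ".exe"),
    ("frame", "matches", r"\.exe"),
    ("frame", "matches", r"\.(?i)exe"),
    ("http.request.uri", "matches", r"\.(?i)exe"),
    ("frame", "contains", "exe"),           # the widest net of all
]


def to_python_regex(wireshark_pattern):
    """Wireshark's PCRE accepts a mid-pattern (?i); Python 3.11+ only allows the
    scoped form, so '\\.(?i)exe' becomes '\\.(?i:exe)'."""
    if "(?i)" in wireshark_pattern:
        head, tail = wireshark_pattern.split("(?i)", 1)
        return head + "(?i:" + tail + ")"
    return wireshark_pattern


def evaluate(field, op, arg, raw, uri):
    """True when one frame matches one filter; a missing field never matches."""
    if field == "frame":
        subject = raw
    elif field == "http":                    # only the frames that are HTTP at all
        if uri is None:
            return False
        subject = raw
    elif field == "http.request.uri":
        if uri is None:
            return False
        subject = uri.encode()
    else:
        raise ValueError("unsupported field %r" % field)
    if op == "contains":
        return arg.encode() in subject
    if op == "matches":
        return re.search(to_python_regex(arg).encode(), subject) is not None
    raise ValueError("unsupported operator %r" % op)


def apply_filters(frames, filters=FILTERS):
    """{filter_text: sorted frame names that matched}."""
    hits = {}
    for field, op, arg in filters:
        label = '%s %s "%s"' % (field, op, arg)
        hits[label] = sorted(name for name, (raw, uri) in frames.items()
                             if evaluate(field, op, arg, raw, uri))
    return hits


if __name__ == "__main__":
    for label, names in apply_filters(FRAMES).items():
        print("%-42s -> %s" % (label, names))
```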

Hint: I LOVE using regular expressions with Wireshark. You can create a filter to detect a credit card number, email address, social security number/national identification number anywhere in a trace file. Check out RegexBuddy and RegexMagic at regular-expressions.info. These tools are also listed on the Wireshark book resources page (wiresharkbook.com/resources.html).

In the Wireshark 101 book, there are two labs (Lab 22: Filter to Locate a Set of Key Words in a Trace File and Lab 23: Filter with Wildcards between Words) that provide step-by-step instructions on using regular expressions in your display filters.

All Access Pass members are invited to a live Regular Expressions Primer class in May. I'll be showing you all sorts of Regex tricks you can use with Wireshark. For more information on the All Access Pass, visit www.chappellu.com/online.html.


REASSEMBLE A FILE TRANSFERRED ACROSS A NETWORK

There are two main ways to perform reassembly: right-click (Follow TCP Stream) and File | Export Objects.

RIGHT-CLICK REASSEMBLY

You can use this process to understand the commands and data sent between hosts. In addition, you can select Save As to extract the data to a file. Select a single direction (the server-to-client side for a download) and the Raw format before saving; if header information was still contained in the export, you'll need to clean that up with a hex editor. This function can be used on any traffic that contains a TCP or UDP header, as well as any SSL/TLS traffic (not too useful unless you have a key to decrypt the traffic first). In the Wireshark Jumpstart, I demonstrated reassembly and extraction using ftp-clientside101.pcapng. I right-clicked on an FTP-Data packet in the Packet List pane and selected Follow TCP Stream. I clicked Save As and named the file.

This feature is especially useful when you have some traffic that Wireshark does not recognize (e.g., there is no dissector for the application). Right-click and follow the stream to look at what the hosts are saying to each other. Often you will see something in the Follow Stream window that you can use to identify the application in use.

Hint: I typically disable Allow Subdissector to reassemble TCP streams when analyzing general HTTP traffic, but enable it when I need to use File | Export Objects | HTTP.
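What Follow TCP Stream plus Save As does for one direction of a conversation, written out over constructed segments, as an added example that is not part of the original notes or of Wireshark: order segments by sequence number, drop retransmitted bytes, stop at any hole the capture never saw, then cut the HTTP header off the front so the body can be saved as the transferred file (the hex-editor step from the text, done in code). The segments, the header and the 20-byte "MZ" body are constructed; the body is not a real executable, and anything you really do extract this way should be handled as untrusted and never run on the analysis machine.

```python
"""Reassemble one direction of a TCP stream and strip the HTTP header.

Added example, not code from the Jumpstart notes or from Wireshark. The
segments below are constructed: a server-to-client HTTP response whose
segments arrive out of order, with one of them retransmitted.
"""

HEADER = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: application/octet-stream\r\n"
          b"Content-Length: 20\r\n\r\n")
BODY = b"MZ\x90\x00" + b"\x00" * 12 + b"PE\x00\x00"   # constructed stand-in, 20 bytes
STREAM = HEADER + BODY

# (relative_seq, payload) as captured, relative seq starts at 1 like Wireshark's
SEGMENTS = [
    (1, STREAM[0:40]),
    (81, STREAM[80:]),        # arrived before the bytes at 41..80
    (41, STREAM[40:80]),
    (41, STREAM[40:80]),      # full retransmission of the same bytes
]


def reassemble(segments, isn=1):
    """Return (payload, holes).

    Segments are applied in sequence order; bytes already delivered are
    dropped (retransmissions and overlaps) and the first gap stops the
    reassembly, since Follow TCP Stream cannot invent data it never saw.
    holes is a list of (first_missing_seq, last_missing_seq)."""
    out = bytearray()
    next_seq = isn
    holes = []
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if end <= next_seq:
            continue                          # nothing new in this segment
        if seq > next_seq:
            holes.append((next_seq, seq - 1))
            break                             # unrecoverable gap
        out += data[next_seq - seq:]          # trim an overlapping prefix
        next_seq = end
    return bytes(out), holes


def strip_http_header(payload):
    """Split a reassembled response into (header, body) at the blank line."""
    marker = payload.find(b"\r\n\r\n")
    if marker < 0:
        raise ValueError("no end of HTTP header found")
    return payload[:marker + 4], payload[marker + 4:]


def extract_file(segments):
    """The bytes you would end up with after Save As and cleaning the header."""
    payload, holes = reassemble(segments)
    if holes:
        raise ValueError("stream has holes, file would be corrupt: %r" % holes)
    _header, body = strip_http_header(payload)
    return body


if __name__ == "__main__":
    body = extract_file(SEGMENTS)
    print(len(body), "bytes, starts with", body[:2])
```

Content-Encoding and chunked transfer coding would need undoing as well before the body is the original file; Wireshark's Export Objects handles that, a raw stream save does not.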


FILE | EXPORT OBJECTS

Important: You must ensure Allow Subdissector to reassemble TCP streams (a TCP preference setting) is enabled to export objects. This feature is available to export HTTP, SMB and DICOM traffic. In the Wireshark Jumpstart, I opened http-college101.pcapng and selected File | Export Objects | HTTP. In one session, I reassembled 1d3d3456f85b71163d9a3487a85c1290-how-long-would-you-survive-the-zombie-apocalypse.jpg. In another session I opened up an image relating to Toddlers and Tiaras and it was pretty scary. Treat anything you export as untrusted: save it to an isolated analysis directory and do not open extracted executables or documents on your analysis workstation.

See Chapter 6 Skills: Reassemble Traffic for Faster Analysis of the Wireshark 101 book. Lab 37: Use Reassembly to Find a Web Site's Hidden HTTP Message is especially fun.


TRY IT YOURSELF: WIRESHARK FILTERING/REASSEMBLING LAB

In this lab, you will have a chance to capture traffic to or from your own MAC address, filter on a field value and apply a coloring rule and filter expression button to detect HTTP errors faster in the future.

Step 1: Launch Wireshark.

Step 2: Open http-chappellu101b.pcapng (available at wiresharkbook.com/wireshark101).

Step 3: Enter an http.response.code display filter to view all packets that contain HTTP response codes. Click Apply.

Step 4: Examine the Status Bar. You should see that either 37 or 38 packets matched your display filter. The difference is based on whether the Allow subdissector to reassemble TCP streams TCP setting is enabled or disabled.

Step 5: Look through the Info column. Note that there are lots of different response codes visible. These include some 404 Not Found, 302 Moved Temporarily, and 304 Not Modified responses.

Step 6: In the display filter area, change your filter to http.response.code > 299. Click Apply. Only 18 packets should match your new filter.


Step 7: Now we want to turn this new filter into a filter expression button. Click Save and name your filter expression button HTTP>299. Click OK.

Step 8: You should see your new Filter Expression button on the display filter toolbar.

Step 9: Now click Clear to remove your display filter. Open http-browse101b.pcapng and click your HTTP>299 filter expression button. Only one packet should match your filter: packet 56.

Step 10: Although you could clear your filter and scroll up through the trace file to find out what request triggered this 404 response, it might take too long; there are many intertwined HTTP conversations. Right-click this packet in the Packet List pane and select Follow TCP Stream. You can easily correlate the 404 response with the GET /maxheight.js HTTP/1.1 request.

Step 11: Now let's build a butt-ugly coloring rule (Salmon) for the HTTP error traffic. Error responses in the 400 range indicate client errors. Server error responses are in the 500 range. Click the Coloring Rules button on the Main Toolbar.

Step 12: Click New. Enter the name HTTP Errors. Use the string http.response.code > 399.

Step 13: Click Background and type salmon in the color name area. When you tab away from this field you will see the new background color in the color display window. Click OK. Your Edit Color Filters window should now show the HTTP Errors rule with its salmon background.


Step 14:

Click OK to close the Edit Color Filters window. Your new coloring rule should be at the top of the coloring rules list. That's a perfect spot: coloring rules are evaluated top-down and the first match wins, so a rule placed below the stock HTTP rule would never get a chance to color an error response. Click OK.

Step 15:

Now open up http-chappellu101b.pcapng again. You should be able to easily spot the two 404 responses in the trace file just based on coloring. Easy, eh? (The rule only fires on traffic Wireshark dissects as HTTP; a web server on a non-standard port needs Decode As before http.response.code exists for it.)

The reason the Wireshark 101 book is 350 pages instead of 250 pages is the labs. I love labs. There are 46 labs in the book. Each lab helps you sharpen your Wireshark skills.
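Steps 7 through 14 are GUI clicks, but everything they produce ends up in two plain-text files inside the current profile, which is also what makes a profile portable between machines. The script below is an added example (not code from the Wireshark 101 book or from Wireshark itself) that writes the same HTTP Errors rule and HTTP>299 button directly. It assumes the `colorfilters` file format `@name@filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]` with 16-bit color components, that Wireshark 1.8 stores filter expression buttons as `gui.filter_expressions.*` lines in the profile's `preferences` file, and that "salmon" is the X11 color #FA8072; the demo profile path and the tshark check are illustrative.

```python
"""Generate the profile entries that Steps 7-14 create through the GUI.

Added example, not code from the Wireshark 101 book or from Wireshark itself.
Assumptions: coloring rules live in a text file named ``colorfilters`` with one
rule per line, ``@name@display filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]``
(16-bit colour components); Wireshark 1.8 keeps filter expression buttons as
``gui.filter_expressions.*`` lines in the profile's ``preferences`` file; and
"salmon" is the X11 colour #FA8072.
"""
import os
import re

# Colour names accepted by colour_to_rgb16 (assumed X11 values).
NAMED_COLOURS = {"salmon": "#FA8072", "black": "#000000", "white": "#FFFFFF"}


def colour_to_rgb16(colour):
    """Convert '#RRGGBB' or a known colour name to Wireshark's 16-bit [r, g, b]."""
    hex_value = NAMED_COLOURS.get(colour.lower(), colour)
    match = re.fullmatch(r"#?([0-9a-fA-F]{6})", hex_value)
    if not match:
        raise ValueError(f"unknown colour: {colour!r}")
    digits = match.group(1)
    # 8-bit to 16-bit: 0xFF -> 0xFFFF, the scale colorfilters stores.
    return [int(digits[i:i + 2], 16) * 257 for i in (0, 2, 4)]


def colorfilter_line(name, dfilter, bg, fg="black"):
    """One colorfilters entry, e.g. the Step 12/13 HTTP Errors rule on salmon."""
    if "@" in name or "@" in dfilter:
        raise ValueError("'@' is the field separator in colorfilters")
    bg_rgb = ",".join(map(str, colour_to_rgb16(bg)))
    fg_rgb = ",".join(map(str, colour_to_rgb16(fg)))
    return f"@{name}@{dfilter}@[{bg_rgb}][{fg_rgb}]"


def prepend_rule(existing_text, rule_line):
    """Put the new rule first (Step 14). Rules are evaluated top-down and the
    first match wins, so a rule below the stock HTTP rule never colours a
    4xx/5xx response."""
    body = existing_text.rstrip("\n")
    return rule_line + ("\n" + body if body else "") + "\n"


def filter_button_prefs(label, dfilter):
    """Preferences lines for one filter expression button (Step 7)."""
    return (
        f"gui.filter_expressions.label: {label}\n"
        f"gui.filter_expressions.enabled: TRUE\n"
        f"gui.filter_expressions.expr: {dfilter}\n"
    )


def tshark_check(trace, dfilter):
    """Command line listing the packets the rule will colour, to sanity-check
    the filter outside the GUI (tshark 1.10+ takes a display filter with -Y)."""
    return ["tshark", "-r", trace, "-Y", dfilter, "-T", "fields",
            "-e", "frame.number", "-e", "http.response.code"]


def write_profile(profile_dir):
    """Write the HTTP Errors rule and the HTTP>299 button into a profile directory."""
    os.makedirs(profile_dir, exist_ok=True)
    cf_path = os.path.join(profile_dir, "colorfilters")
    existing = open(cf_path).read() if os.path.exists(cf_path) else ""
    rule = colorfilter_line("HTTP Errors", "http.response.code > 399", "salmon")
    with open(cf_path, "w") as fh:
        fh.write(prepend_rule(existing, rule))
    with open(os.path.join(profile_dir, "preferences"), "a") as fh:
        fh.write(filter_button_prefs("HTTP>299", "http.response.code > 299"))
    return cf_path


if __name__ == "__main__":
    # Constructed demo path; on a real system use the profiles/<name> directory
    # under Help | About Wireshark | Folders -> Personal configuration.
    print(write_profile("./demo-profile"))
    print(" ".join(tshark_check("http-chappellu101b.pcapng", "http.response.code > 399")))
```

Copy the generated files into the profile directory while Wireshark is closed, since Wireshark rewrites them on exit. The `tshark_check` command is the quick way to confirm the filter matches what you expect (the 404 responses) before relying on the coloring.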


TRY IT YOURSELF: CASCADE PILOT LAB

I mentioned Cascade Pilot during the Wireshark Jumpstart. If you haven't taken this product out for a spin, now is the time. Here's a lab showing you some cool functions in Cascade Pilot – you can perform this lab using the 30-day trial version available at the link below. We'll be looking at web performance problems using http-slow101.pcapng.

Short Link:

http://bit.ly/15irhO2

Full Link:

http://www.riverbed.com/us/contact/cascade-pilot-30-day-trial.php

Webinar:

If you want a deeper dive into the innards of Pilot, a Cascade Product family webinar that features Cascade Pilot and other components is delivered every Wednesday. Date-specific registration links can be found at http://bit.ly/XVqrqL.

Step 1:

Follow either of the links above to download the Cascade Pilot 30-Day Trial. Go through the installation and product registration process and launch Cascade Pilot ("Pilot").

Step 2:

When Pilot launches, you are presented with nine Quick-Start Video Tutorials. These are great videos that show Pilot in action. Take a moment and look through the short videos.


Step 3:

Copy the Wireshark 101 book supplements (available at wiresharkbook.com/wireshark101) to a folder called wireshark101traces. Click the Add Folder button and select your wireshark101traces directory. Click OK.

Step 4:

In the File view, scroll down until you see http-slow101.pcapng. In the Views section, click and drag Bandwidth Over Time to the http-slow101.pcapng trace file. Notice how the bandwidth seems to "flat line" at several points. Since a user complains of poor performance, we need to check out the cause of these delays.


Step 5:

In the File view, expand Performance and Errors | Web | Web Server Performance. Click and drag Service Response Time by Web Object-Light to the http-slow101.pcapng trace file. A new view appears. Bingo! It's the web server that's slooooow to respond.

Now – to be fair here, I know it takes a while for wireshark.org to serve up the dissector list and protocol list – but 41 seconds? That's just waaay too slow.

Step 6:

Let's send that slowest response over to Wireshark for a closer look. Click on the first line in the table (the Object URL of epan/ with over a 41 second response time) and then click on Send to Wireshark. You will be prompted to select a file format. Just say "No" at this time.


There it is. If you have the Allow subdissector to reassemble TCP streams TCP preference disabled, it's easy to see the slow HTTP/1.1 200 OK response.

Here are some other interesting views to apply to the Wireshark 101 book trace files:

• sec-nessus101.pcapng: Apply the Protocol Distribution – bits view. Hmmm…. Very suspicious. Seeing that "unknown" column is like seeing "data" in the Protocol Hierarchy view – it's worth clicking on and sending to Wireshark for further investigation.
• http-sfgate101.pcapng: Apply the IP Conversations view. Right-click on the largest circle in the view (the client), and select Drill Down | Performance and Errors | TCP | TCP Errors | TCP Errors Overview. You can see exactly where errors occur as well as the error types.
• http-espn101.pcapng: Apply LAN and Network | DNS | All DNS Queried Addresses. That's a lot of resolution to load a sports page!


CASCADE PILOT PERSONAL EDITION VS. CASCADE PILOT

I pointed you towards the download location for the Cascade Pilot (Enterprise edition) 30-day demo. Some of you asked the difference between the two versions. Here you go!

Cascade Pilot Personal Edition:

• Can be trialed on a 10-day basis by completing the request/registration form at http://www.riverbed.com/us/contact/cascade-pilot-pe-10-day-trial.php
• Is available for purchase on-line at www.cacetech.com/products/catalog.
• Can analyze live data from a local NIC only (e.g. built-in Ethernet NIC, TurboCap, AirPcap)
• Can analyze packet traces from locally-presented, saved pcap and pcap-ng files
• Will continue to be upgraded and enhanced for local analysis for the foreseeable future (TCP View enhancements mainly, but **no** WAN Analysis, bounce diagrams, Multi-segment analysis, or other protocol (database, FIX, CIFS, VXLAN, etc.) additions)
• No packet slicing on capture capability
• Not optimized for long-term capture, trending or monitoring
• No ability to connect to, or interact with, Shark appliances, Cascade Profilers, Riverbed Steelheads with Cascade Embedded Shark enabled, or Cascade Shark Virtual Edition for live, proactive troubleshooting or analysis exercises

Cascade Pilot:

• Can be trialed on a 30-day basis by completing the request/registration form at http://www.riverbed.com/us/contact/cascade-pilot-30-day-trial.php.
• Can only be purchased indirectly through channels unless a direct purchase agreement is in place.
• Can analyze from local sources (Ethernet NIC, AirPcap, pcap files) and also interacts with Shark appliances, Cascade Profilers, Riverbed Steelheads with RiOS 7.0 or later and Cascade Embedded Shark enabled, and Cascade Shark Virtual Edition probes to provide live, remote, and distributed analysis capabilities.
• Can analyze packet traces from locally or remotely presented pcap and pcap-ng files
• Connects to the Shark packet recorder through a web management interface to establish, control, and manage one or more live capture jobs on Shark appliance probes. The physical Shark Appliance and Cascade Shark Virtual Edition probes have the ability to slice packets while performing captures.
• Includes FIX, SQL, Multi-Segment, CIFS, VDI, Citrix, VXLAN Analysis Views
• Includes a Views Editor to allow users to customize existing Views or build new ones
• Includes bounce diagram for conversation path analysis and latency discovery
• Will continue to be developed, along with the Shark Appliance software, to optimize analysis of LAN and WAN environments
• Works with Shark appliances to deliver high-performance, high-fidelity 24x7x365 data capture and analysis with zero packet loss
• Works with Shark appliances to deliver long-term capture, monitoring and trending


Summary:

• Both products will continue to be upgraded and enhanced, but the PE edition will not have any integration with other Riverbed products and will not follow the same development path in terms of the breadth of protocols and analysis features supported.
• Both products support Ethernet and 802.11 analysis.
• Cascade Pilot Personal Edition will be enhanced for a LAN environment.
• Cascade Pilot will be enhanced for a LAN/WAN environment and for increasingly rich integration with the Riverbed product family, including Steelheads and the Cascade Profiler.
• Both products must be purchased with their respective support components.


Q&A FROM THE WIRESHARK JUMPSTART EVENTS

Gerald was feverishly typing responses to hundreds of questions asked during the events. Let's hope his hands aren't cramping up – there are Wireshark releases to do! After the session, I waded through our Question and Answer logs to clean them up and fill in questions that didn't get answered during the webinars. It's fascinating to read through.

Questions Asked by Attendee

Presentation Resources

Q: What was the code displayed in the beginning? What is it used for? A: The All Access Pass is $699USD for a one year online training subscription. Use the discount code WS39JS (expires April 30, 2013) for $100 off. You will get hours of training and access to the live online events that are not open to the general public. Visit www.lcuportal2.com to subscribe.

Q: I thought there was a different URL for the trace files she would be talking about. A: You can find all of the trace files used in this demo at www.wiresharkbook.com/wireshark101 under book supplements.

Q: Can you drop the 4-part Wireshark videos link once again? A: www.lcuportal2.com/wireshark101.html.

Q: I have received this invite through a friend, how to join the portal to receive all updates and watch out for any upcoming session? A: Join the Newsletter at wiresharktraining.com or sign up for the Early Wireshark Jumpstart Notification at www.wiresharktraining.com/jumpstart for upcoming live events.

Q: I own the original Wireshark Network Analysis book. Is there a discount upgrade path to the new book? A: The book is ordered through Amazon and they do not offer discount coupons. I'm sorry!

Capturing Traffic - General

Q: What brand USB wifi adapters work well with AirPcap? A: AirPcap is a USB adapter + driver combo. That is, you don't purchase a separate adapter.

Q: So install Wireshark on a client PC? A: That is one option. Remember, however, that traffic outbound from that host may not match what the traffic actually looks like on the network. Task offloading will occur after Wireshark has captured a copy of outbound packets.


Q: Is there a setting in Wireshark which triggers creation of a trace file? A: No. There is no "triggered start" capability at this time.

Q: Does Wireshark support capturing traffic between virtual machines (e.g., VirtualBox) and the host? When I run Wireshark on my Mac (host) and try to capture traffic to/from a virtual Linux on the host, only one-way traffic was captured (forgot which way). A: Which version of VirtualBox are you running? Historically support for capture on VM hosts has been spotty with both VirtualBox and VMWare. It looks like VirtualBox has fixed a capturing bug recently: www.virtualbox.org/ticket/8076/

Q: Does/Will Wireshark support packet capture on a Windows laptop Wi-Fi network interface? A: On Windows your best bet is to use AirPcap. If Linux is an option you could use any standard adapter.

Q: Does this capture location information also apply when deploying, say, a Shark Appliance? A: We are focusing on Wireshark placement. Placing a Cascade Shark appliance off a single user workstation might be a bit of overkill. The Cascade Shark appliance is designed to provide full packet capture at GbE line speed with zero packet loss. It is most often placed inside the infrastructure or server room where data rates are greater than at the client.

Q: What does the setting “capture all in promiscuous mode” do? A: It indicates that you want to capture all traffic – even if the traffic is not addressed to your own hardware address, broadcast or multicast. This is desired if you are analyzing someone else’s traffic.

Q: With respect to IPv4/IPv6 dual stack... if dual stack is enabled on a client, it can have two concurrent IP sessions, one IPv4 and one IPv6, such that the end device can create a "virtual bridge" between the IPv4 and IPv6 stacks. Can Wireshark capture this if you are capturing on IPv4 and IPv6 interfaces? A: Wireshark captures on an interface. It doesn't care what kind of traffic traverses that interface. It could be IPv4, IPv6, ARP, spanning tree, IPX, DECnet, or anything else.

Q: On busy networks, can the volume of traffic be too much to be captured by Wireshark, especially if Wireshark is running on a laptop? A: Absolutely. Wireshark can only save as fast as the NIC can read packets, the OS can process them, and the I/O subsystem can write them to disk. Many companies use dedicated capture hardware for this very reason.

Q: In your experience, do you think Wireshark can act as passive probing solution for medium bandwidth requirements (e.g. up to 10 Mbit)? A: Most modern hardware can capture 10 Mbps without too much trouble.


Q: I do the majority of my captures on Linux servers using tcpdump - are there any drawbacks or limitations to be aware of using tcpdump? i.e. - am I missing anything? A: Nope. I have two tcpdump captures running right now as a matter of fact. As long as you're aware of its behavior (e.g. snapshot length ("-s") and "vlan" in a BPF filter), you should be fine.

Q: What can be done about eliminating “dropped packets”? A: Low-hanging fruit: Use a tap instead of a SPAN port and capture using dumpcap instead of Wireshark. Beyond that you might have to look at dedicated capture hardware.

Q: How would you eliminate the “dropped packets” you get sometimes when capturing? A: That's quite an open-ended question. :) This depends on the method and hardware you're using for tapping and the I/O and CPU capabilities on your capture device. If you're capturing using a general purpose PC or laptop you can run dumpcap (part of Wireshark) from the command line. If you're still dropping packets you might want to look into taps and dedicated capture hardware.

Q: Can this be effectively used on VDIs (Virtual Desktop Infrastructures)? A: If the question is “can I capture remotely using VDI?”, then the answer is yes. Wireshark is just an application and runs like any other with remote access. Keep in mind, however, that you will be adding traffic to the network when running Wireshark this way. If the network is already having problems, you may compound the problem.

Q: While analyzing a trace, how can you tell that you have packet loss? A: Wireshark can detect packet loss on TCP-based communications (Previous Segment Not Captured, Duplicate ACKs, Retransmissions, and Fast Retransmissions).
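The four indicators named in that answer all come out of the same sequence and ACK arithmetic, which is worth seeing in code once because it also tells you where the loss happened. The script below is an added example, not Wireshark's tcp.analysis code: it is a reduced version of the general logic (no timestamps, window or SACK handling), run over a constructed list of segments from one TCP connection given as (direction, seq, length, ack).

```python
"""Simplified version of the TCP loss indicators Wireshark's tcp.analysis raises.

Added example, not Wireshark's code; this is the general logic behind the four
indicators in the answer above, reduced to sequence and ACK arithmetic (no
timestamps, window or SACK handling). Input is a constructed list of segments
from one connection in capture order: (direction, seq, length, ack), with
direction 0 = client to server and 1 = server to client.
"""


def analyze_tcp_stream(segments):
    """Return {segment index: indicator} for segments that show loss symptoms."""
    next_seq = {}   # per direction: next sequence number we expect to see
    last_ack = {}   # per direction: last ACK number that direction sent
    dup_acks = {}   # per direction: consecutive duplicate ACKs of last_ack
    flags = {}
    for i, (d, seq, length, ack) in enumerate(segments):
        other = 1 - d
        if length == 0:
            # A pure ACK repeating the previous ACK number is the receiver
            # telling the sender it is still missing data at that sequence.
            if d in last_ack and ack == last_ack[d]:
                dup_acks[d] = dup_acks.get(d, 0) + 1
                flags[i] = f"Duplicate ACK #{dup_acks[d]}"
            else:
                dup_acks[d] = 0
            last_ack[d] = ack
            continue
        expected = next_seq.get(d)
        if expected is not None and seq > expected:
            # Bytes between expected and seq never showed up in the capture:
            # lost on the wire, or dropped by the capture point itself.
            flags[i] = "Previous segment not captured"
        elif expected is not None and seq < expected:
            # Old data sent again. If the peer had already sent 2+ duplicate
            # ACKs for exactly this sequence number, the sender is reacting to
            # them (fast retransmission) rather than to a timeout.
            if dup_acks.get(other, 0) >= 2 and last_ack.get(other) == seq:
                flags[i] = "Fast retransmission"
            else:
                flags[i] = "Retransmission"
        next_seq[d] = max(expected or 0, seq + length)
        last_ack[d] = ack           # data segments carry an ACK too
        dup_acks[d] = 0
    return flags


def loss_summary(flags):
    """Count each indicator: the quick "is this capture lossy?" check."""
    counts = {}
    for label in flags.values():
        key = label.split(" #")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: segment 2 skips 100 bytes, the server answers with two
# duplicate ACKs for 201, and the client resends 201 before moving on.
SAMPLE = [
    (0, 1, 100, 1),
    (0, 101, 100, 1),
    (0, 301, 100, 1),
    (1, 1, 0, 201),
    (1, 1, 0, 201),
    (1, 1, 0, 201),
    (0, 201, 100, 1),
    (0, 401, 100, 1),
]

if __name__ == "__main__":
    result = analyze_tcp_stream(SAMPLE)
    for index, label in sorted(result.items()):
        print(f"segment {index}: {label}")
    print(loss_summary(result))
```

The distinction that matters when you read these flags: a "Previous segment not captured" that is followed by duplicate ACKs and a retransmission is loss on the network, while one that the peer simply ACKs through (no dup ACKs, no retransmission) means the receiver got the data and your capture point dropped it, which points back at the SPAN port or capture host rather than the network.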

Q: What is the lowest layer on the OSI model that Wireshark can capture? A: In most cases (e.g. capturing from a standard NIC on Windows/OSX/Linux) it's layer 2. Some specialized hardware and software can expose part (or all) of the physical layer, e.g. the 802.11 PLCP or Ethernet or FC preamble and Wireshark can dissect it.

Q: If i wanted to capture packets traversing the network, say, on a local area network at home, and all computers in question are connected to the same switch, how can this be done? All I seem to be able to do is check traffic going to and from my own computer. A: A plain switch can be problematic since by default it will only show you your unicast + broadcast + multicast. You can use ARP poisoning (which turns your switch into a hub, and which I DON'T recommend at work) or you might look into a cheap managed switch.

Q: What would be an ideal configuration for a Wireshark capture to prevent packet loss on the capture station during high-speed network captures? A: Consider using the command-line tool dumpcap (included with Wireshark) instead of trying to capture from within Wireshark itself.


Q: In order to capture WLAN traffic, do I need AirPcap special WiFi adapters? Which ones? A: On Linux and OS X any standard adapter will do. On Windows you usually need AirPcap.

Q: Will you go into the problem of capturing tagged and untagged traffic (VLAN, offset problem)? A: I don't think it will be covered in this session but the problem and possible solutions were discussed recently on the tcpdump-workers list: seclists.org/tcpdump/2013/q1/index.html#29.

Q: Are there certain brands of hardware that perform well in a capture role - NICs, laptop models, etc? A: I think Riverbed's Shark Appliance performs exceptionally well, but I'm biased. :-). If you're capturing using general purpose hardware you need to make sure your disk I/O is as fast as possible, not only for writing but for reading. You should also keep in mind that a mechanical disk's performance will go way down as you fill it up, particularly when you're about 10% away from the end.

Q: There seems to be a difference between the way Wireshark on Windows (or maybe WinPcap) captures VLAN-tagged traffic and the way tcpdump does in Linux, in that one needs to specify VLAN-tagged traffic explicitly when using tcpdump on Linux, whereas Wireshark on Windows captures all traffic (both VLAN-tagged and not). Does the Linux version of Wireshark suffer from the same VLAN tagging issues as tcpdump? Or is this not a Wireshark issue at all? A: It's the underlying OS. The behavior of VLAN capture varies between different versions of Linux and there's some odd behavior that kernel and libpcap teams are working to fix. On Windows it depends on the NIC driver.

Q: Is it possible to create a filter that captures packets in some specific VLAN? A: You can do this with the "vlan" BPF filter, but this depends on your hardware, driver, and OS. "vlan" also has a side effect in BPF. It shifts the offset by 2: blog.wireshark.org/2009/10/capture-filters-and-offsets/.
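The offset side effect is easier to trust once you have walked a tagged frame by hand. The script below is an added example, not from these notes or from libpcap: it builds two constructed frames (the same IPv4/TCP SYN to port 80, untagged and tagged for VLAN 100, checksums left at zero), then compares a fixed-offset check of the kind a plain `tcp port 80` compiles to against a tag-aware one, which is what `vlan and tcp port 80` does. It also handles stacked (QinQ) tags, which the blog post does not cover.

```python
"""Why the 'vlan' capture filter shifts BPF offsets: each 802.1Q tag inserts
four bytes between the MAC addresses and the real EtherType.

Added example, not from the page or from libpcap. Frames are constructed by
hand: the same IPv4/TCP SYN to port 80, once untagged and once tagged.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag)
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(vlan_ids=(), dport=80):
    """Constructed Ethernet/IPv4/TCP frame with one 802.1Q tag per VLAN id."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    # IPv4: version/IHL, TOS, total length 40, id, flags/frag, TTL, proto,
    # checksum (zero, not computed here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # TCP: sport, dport, seq, ack, data offset 5 + SYN flag, window, checksum, urg
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + ip + tcp


def parse_frame(frame):
    """Walk the link-layer header, collecting VLAN ids, until the real EtherType."""
    offset = 12                      # past destination and source MAC
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    # Every tag is TPID (2) + TCI (2) before the real EtherType, so the IP
    # header moves from offset 14 to 18 (22 for QinQ). BPF's 'ip[...]' and
    # 'tcp port' assume offset 14 unless 'vlan' precedes them in the filter.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN id
        offset += 4
    info = {"vlans": vlans, "ethertype": ethertype, "l3_offset": offset}
    if ethertype == ETH_P_IP:
        ihl = (frame[offset] & 0x0F) * 4
        info["proto"] = frame[offset + 9]
        if info["proto"] == IPPROTO_TCP:
            info["sport"], info["dport"] = struct.unpack_from("!HH", frame, offset + ihl)
    return info


def naive_tcp_port_80(frame):
    """Fixed-offset check, as a plain 'tcp port 80' compiles to: IP at 14."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_P_IP or frame[14 + 9] != IPPROTO_TCP:
        return False
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return 80 in (sport, dport)


def tcp_port_80(frame):
    """Tag-aware check, the effect of 'vlan and tcp port 80' on tagged frames."""
    info = parse_frame(frame)
    return info.get("proto") == IPPROTO_TCP and 80 in (info.get("sport"), info.get("dport"))


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame()), ("vlan 100", build_frame((100,))),
                         ("qinq 200/100", build_frame((200, 100)))):
        info = parse_frame(frame)
        print(f"{label:13} IP at offset {info['l3_offset']:2}  vlans={info['vlans']}  "
              f"naive={naive_tcp_port_80(frame)}  tag-aware={tcp_port_80(frame)}")
```

On a capture interface that delivers tags, the usual filter that catches both cases is `tcp port 80 or (vlan and tcp port 80)`; once `vlan` appears, every later keyword in the expression is evaluated at the shifted offset, so the order of the terms matters.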

Q: Can I capture data at the client, send the capture file to someone who captured data at the server side and then merge the captured files to get a better perspective of what is happening? Can I send the capture file to someone who is using Cascade Pilot for similar purpose? A: You can merge and compare captures within Wireshark but that feature is still immature. I have to admit Pilot's multi-segment analysis is nicer. :)


Capturing Traffic – TAPs and SPAN

Q: Do TAPs capture at Layer 1 or 2? A: A tap is a physical layer device. You could almost say a proper tap is layer zero since it's completely passive.

Q: Thanks, again about SPAN. Using this kind of capture I wouldn't get MAC error frames, and what about the impact on the network traffic that needs to go through the switch? A: SPAN's performance impact depends on the switch model and can even depend on the location of the source and destination port. Most modern switches will sacrifice (drop) packets destined for the SPAN destination port in favor of performance. There are exceptions (e.g. SPANning 10 G ports on many Cisco switches).

Q: A "Full-wire-tap" - In the case of copper Ethernet - is that the equivalent of a "dumb" hub? A: Not at all. A hub is an active part of the network and will affect performance. Specifically it will force you to use half-duplex. A proper tap is completely passive and can effectively be invisible even in the event of hardware failure (e.g. fail-to-wire).

Q: Would you ever recommend using a HUB instead of a FDX tap? A: If a hub gets you the traffic you need, e.g. you have a 100 Mbps hub attached to a 6 Mbps DSL link, then by all means - use one. However, managed switches and low-end taps are pretty cheap nowadays.

Q: The capture we are seeing is showing traffic from several sources. It seems the traffic was captured on a SPAN port. How can you make that kind of capture? A: You log into your switch and configure a SPAN port. :-) In order to set up a SPAN/mirror/monitor port you need to designate one or more source ports or VLANs along with a destination port. This has to be explicitly configured in the switch's management interface by you. Different switch models let you do different things, e.g. transmit only or receive only.

Q: Is a FDX Tap analogous to "port mirroring"? A: Port mirroring (aka monitoring or SPAN) is a feature offered by various switches, and how well it works depends on the switch hardware and software. If the switch is too busy (or if you have a crappy switch) you can drop packets. Taps are passive devices external to the switch and help to eliminate drops.

Q: When collecting from the client side, is it preferred to load Wireshark on the client or span port on switch? A: SPAN if you can, that way you're not affecting performance on the client.

Q: Who makes these full duplex taps you've mentioned? A: Laura has a lot of NetOptics (www.netoptics.com) taps around the office here.


Q: Is there an open source solution for tapping that is built on top of Unix and commodity hardware like Intel Server NICs? A: Proper taps are electrically passive. That is, they interject themselves into the network as little as possible and shouldn't introduce any delay or do any sort of low-level negotiation. Doing that with commodity hardware would be difficult.

Laura's Configurations

Q: What version of Wireshark did Laura run in the webinar? A: Laura is running Wireshark version 1.8.6, which is the most current version right now. There is also a development version (1.9.x) available to play with at www.wireshark.org/download/automated.

Q: Is it possible to export/import profiles? Are Laura's changes easily imported, or defined somewhere? A: Profiles are held as simple text-based configuration files in a profiles directory. You can just copy a profile directory to another Wireshark system. I have several profiles on the wiresharkbook.com website in the Wireshark 101 book and Wireshark Network Analysis (Study Guide) book supplements areas.

Q: Why are all the trace file names ending in "101"? Is that a standard for any trace file? A: The "101" in the name is because this trace file is part of the set of traces for the Wireshark 101: Essential Skills for Network Analysis book. You can find all of the trace files used in this webinar at www.wiresharkbook.com/wireshark101 under book supplements.

Q: For the window that Laura was showing that has the filter to the right - can that window be reset so that the filter area shows each time you open that window? A: I’m not sure what was on the screen just then. If you were referring to the Filter Expression buttons, they are maintained in the current profile and will appear each time you launch Wireshark with that profile or switch to that profile.

Q: Is there a configuration file which stores these changes to which PDU segments are displayed in the Info field, so we don't have to use that right-click setting every time? A: I think you are referring to the Allow subdissector to reassemble TCP stream setting that was disabled (for HTTP analysis) and then enabled (for HTTP reassembly). The setting is saved in your profile. If you don’t want to change the setting at all, create two profiles – one with the setting enabled and another with it disabled. Just switch between profiles to see the different views.

Q: Laura is using v1.8.6 - would this be the latest and most stable version of Wireshark? A: Yes. Releases are announced on the Wireshark-announce mailing list: www.wireshark.org/lists/.

Q: So for Laura’s example of display filters, "tcp.port==80" is equivalent to "http"? A: Not necessarily. "tcp.port==80" looks at specific fields in the TCP header. "http" looks for HTTP requests (GET/POST/PUT/HEAD) and responses (OK) and could be over a number of TCP ports or even over UDP. [LC: I recommend using tcp.port==80 when analyzing web browsing sessions – this way you can see the TCP handshake, maintenance and teardown process as well as the HTTP traffic.]


Profiles

Q: How do you get back to the default profile? A: Click on the Profile column in the status bar and choose "default" from the drop down list. If you want to remove any changes made to your Default profile, select Help | About Wireshark | Folders and click on the link to open the Personal Configuration folder. Delete any files that sit directly in this folder – do not delete the Profiles folder, however, as that folder contains your customized profile settings.

Q: Is there an option to create multiple profiles and where are they stored? A: You can right-click the profile portion of the status bar in the lower-right corner of the main window or go to Edit | Configuration Profiles. Profiles are stored in your personal configuration directory (Help | About Wireshark | Folders).

Q: Is there a place where we can get directions on what Laura suggests as viewing defaults? A: Yes – check out the Wireshark 101: Essential Skills for Network Analysis book – you will see Lab 6 offers a chance to create a very nice default viewing environment.

Bluetooth Support

Q: What devices will you need for Bluetooth to capture? A: On Linux, OS X, and FreeBSD you should be able to use built-in hardware: wiki.wireshark.org/Bluetooth. You can also use Mike Ossmann's Ubertooth (see http://ubertooth.sourceforge.net/).

Q: What protocol support for BlueTooth? A: Wireshark 1.10 will add support for Bluetooth Attribute, AVDTP, AVRCP, AVCTP, BNEP, HCI, USB Transport, HCRP, HID, MCAP SAP, SBC Codec, and Security Manager. Wireshark 1.8 has existing support for quite a few other BT protocols.

Conferences

Q: Is this the type of thing we can expect at Sharkfest? A: Absolutely. Someone pointed out that Sharkfest is one of the few shows where presenters attend each other's sessions.

Q: Any chance of having a Sharkfest in Europe someday? A: I'd love to see a Sharkfest Europe! Hopefully that's something we can do in the near future.

Q: Any chance you will be at Interop LV2013? A: Laura WILL be at Interop! She is doing an “Advanced Wireshark” workshop on May 6th from 8:30am – 12:00pm. See http://www.interop.com/lasvegas/conference/it-workshops.php?session_id=10 for more information.


Q: Do any of the creators/associates of Wireshark ever attend Defcon, for the Capture the Packet event? It's a networking event that has competitors utilize Wireshark to capture network traffic to find flags placed in network captures. A: Gerald: I attended Defcon in the early 2000s and was able to watch CtF then. I'm not sure about any of the other developers. Laura: I haven't been to Defcon in ages either. You could ask this at ask.wireshark.org to see if some of the developers are going to Defcon.

Learning Wireshark

Q: What is a good book to begin/understand Wireshark? A: Wireshark 101: Essential Skills for Network Analysis – see www.wiresharkbook.com/wireshark101. You can view the book Table of Contents, Index and sample pages there as well. The book is available on Amazon in paperback and Kindle formats.

Q: Do you have any onsite trainings in [my city] planned for 2013? A:
• Online training (All Access Pass portal): see chappellu.com/online.html
• Onsite: see chappellU.com/onsite.html (can be customized)
• US Instructor-led: Global Knowledge offers a 5-day Troubleshooting TCP/IP Networks with Wireshark (www.globalknowledge.com).
• Also - Laura will be delivering a 3-day WCNA Boot Camp at Sharkfest (sharkfest.wireshark.org/bootcamp.html).
• New! There is also the option of ordering Wireshark 101: Essential Skills for Network Analysis student/instructor manuals, should your facility choose to deliver in house: www.wiresharkbook.com/teachwireshark.html.

Q: A lot of tech books don’t look too good on Kindle. How does the Wireshark 101 book look? Do you recommend the hardcopy? A: We put a lot of effort into ensuring the screenshots and graphic images are clear on the Kindle. It’s really just a reader’s preference when choosing paperback or Kindle version.

Q: What ebook format do the book come in? A: The ebooks are in kindle format. You can download the kindle viewer from Amazon to read the books on your iPad, PC, Mac, etc.

Q: What’s the best source for learning how to write dissectors? A: See doc/README.developer in the distribution and wireshark-dev mailing list. Sharkfest if you can make it.

Q: How can I find out about more upcoming events? A: Join the Newsletter at www.wiresharktraining.com or sign up for the Early Wireshark Jumpstart Notification at www.wiresharktraining.com/jumpstart.html.


Q: What is Sharkfest? A: Sharkfest is the annual Wireshark User and Developer conference (sharkfest.wireshark.org). It is a 4-day gathering focused on sharing Wireshark knowledge, experience and best practices between members of the global developer and user communities. Attendees are those interested in teaching and learning the art of packet analysis and supporting one another in educational and professional pursuits as they relate to network management, monitoring, security, troubleshooting, and more.

Q: When is the Sharkfest conference? A: June 16-19, 2013, UC Berkeley. Early Bird Rates until April 15th.
• Conference rate: $695.00
• Conference and Boot Camp rate: $1490.00
• See sharkfest.wireshark.org for more information.

Q: What is the WCNA Boot Camp? A: This is an intense three-day class focusing on the key areas covered in the most current version of the Wireshark Certified Network Analyst Exam (WCNA102.1). Students will review these key areas through labs, lecture, and sample open-grading exams. Bring your own laptop. Taught by Laura Chappell.
• Early Bird (until April 15th): Boot Camp only $795; Boot Camp and Conference $1490
• Regular rate (April 16th – June 15th): Boot Camp only $995; Boot Camp and Conference $1690
• sharkfest.wireshark.org/bootcamp.html

Q: What is included in the WCNA Boot Camp at Sharkfest? A: Worth over $1,000, the following items are provided to each candidate in this course:
- 3 days of intense instruction by Laura Chappell
- Book: Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide (2nd Edition)
- All Access Pass 1-year subscription: over 100 hours of online training and access to live events by Laura Chappell
- Coupon: WCNA exam voucher (Kryterion/WebAssessor)

Q: How much does the All Access Pass cost? A: The All Access Pass is $699USD for a one year subscription. Use the discount code WS39JS (expires April 30, 2013) for $100 off. We do offer a discount for groups of 5 students or more. Get pricing at www.chappellU.com/pricing.html.

Q: Can I share my All Access Pass with a co-worker? A: No, the All Access Pass Subscription is a single seat license. If you have several members on your team we do offer a group discount rate. See www.chappellU.com/pricing to get a discount quote.


Page 49

Q: I am new to TCP/IP, where do I start? A: Our classes assume some basic knowledge about networks. There is a large section on TCP/IP analysis in the Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide (available in paperback/Kindle versions from Amazon). See Where Do You Start? on page 4.

Q: I need help analyzing our network traffic. A: You can contact us for onsite classes (Laura analyzes your traffic while teaching you how to catch problems/use Wireshark). See www.chappellU.com/onsite.

Fibre Channel over Ethernet (FCoE)
Q: Can you monitor FCoE? A: Absolutely!

Q: When I try to capture Fibre Channel traffic, how should I set a filter during the capture? A: What do you want to filter on? The Ethernet Type field for FCoE is 0x8906 – you can use the capture filter ether proto 0x8906 (the equivalent display filter is eth.type == 0x8906). See wiki.wireshark.org/FCoE. There is also a great document on FCoE at research.ijcaonline.org/etcsit/number4/etcsit1029.pdf.

Reassembly
Q: Can you send the reassembled files elsewhere off the network in case they are a security vulnerability? A: You are prompted for a directory and file name, so just choose that server drive/directory to save remotely.

Q: We saw you save that jpg from an FTP data transfer. What if the capture was split into multiple files? Can you still reassemble those packets to save that jpg file? A: You can still do the reassembly on a trace file if it contains the beginning of the file (which contains the file identifier and necessary information to open the file). If you didn’t have the entire file transfer in a single trace file, when you perform reassembly you will only see a part of the file. If the file transfer occurs over multiple files, merge the files first (File | Merge or use mergecap) before reassembling.

Q: What could be the goal of reassembling file transfer captures? A: If you want to know what the file is—perhaps it is a malicious executable that you want to analyze, for example.

Q: When you pull that information, does it come from a cache of the data that Wireshark keeps, or does Wireshark pull the data down directly from the site you are looking at? A: You mean the HTTP reassembly? That is pulled out of the trace file.


Page 50

Coloring Rules
Q: When you opened the coloring rules were those default colors? A: Yes.

Q: What is the meaning of the black color on some of the captures? A: It depends on the coloring rules in use but in the default set we use a black background to indicate serious errors.

Q: Where do you get a list of all default color codes used and the meaning of each? A: Open the Coloring Rules window and look at the name and string associated with each.

Q: So what is the hex code for "Butt Ugly"? ;-) A: During this webinar, it was #FA8072 (salmon). Anything getting close to pink will work (of course, that is just a personal preference).

Time Values
Q: Can you have multiple Time columns each with a different view? A: Sure! You can add as many columns as you want (within reason) and choose from several time metrics and formats. Notice that in this document there is an example of adding a TCP Delta column in Locate Slow Clients and Servers on page 21.

Q: How do you identify time for latency? Is there a default? A: Do you mean to ask about “how high is high” in high latency? If so, that is entirely up to what people will put up with. Some folks don’t blink when the path latency is 100ms. Others scream. Start capturing traffic to determine the typical latency times to the most common targets.

Q: How is timing tracked? I mean packet 1 is at 0.0, then packet 2 is at 1.0012, and then time goes back when packet 3 shows up at 0.000. A: If you go to View | Time Display Format you can change how timestamps are displayed. It looks like Laura is using seconds since the previous captured or previous displayed packet. [Laura: I prefer Seconds Since Previously Displayed Packet.]

Pcapng Format
Q: Does the new Cascade Pilot work with pcapng format files? Older versions didn't. A: Newer versions (particularly 10) have better pcapng support.


Page 51

Q: How do you convert a pcap to pcapng? A: In Wireshark: "File | Save As". On the command line: "editcap -F pcapng <infile> <outfile>" or "tshark -F pcapng -r <infile> -w <outfile>". pcapng is the default output format in 1.8 and later, so you can probably omit "-F pcapng". You can check a file's format with "Statistics | Summary" in Wireshark or by using capinfos on the command line.

Q: Are pcap and pcapng file formats compatible? A: Somewhat. You can convert from pcap to pcapng without any problems. Pcapng supports multiple interfaces, non-packet data (e.g. host name resolution information) and many other things that pcap doesn't, so converting from pcapng to pcap can be difficult.
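To make the two answers above concrete, here is an added example (not Wireshark's own code; editcap and capinfos are the real tools) that identifies a capture file's format from its magic number, as capinfos does, and performs the lossless pcap-to-pcapng direction of the conversion: one Section Header Block, one Interface Description Block carrying the link type and snaplen, and one Enhanced Packet Block per packet. The two-packet pcap it converts is constructed in memory; the pcapng walker at the end assumes the little-endian output this converter writes.

```python
"""Detect a capture file's format from its magic number and convert classic
pcap to pcapng (what editcap -F pcapng does). Added example, not Wireshark's
own code; the two-packet input pcap is constructed in memory."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A      # pcapng Section Header Block type (first 4 bytes of the file)
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def detect_format(data: bytes) -> str:
    """Return 'pcapng', 'pcap', 'pcap-ns' or 'unknown' from the first four bytes."""
    if len(data) < 4:
        return "unknown"
    for endian in ("<", ">"):            # pcap may be written in either byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAPNG_SHB:
            return "pcapng"
        if magic == PCAP_MAGIC_US:
            return "pcap"
        if magic == PCAP_MAGIC_NS:
            return "pcap-ns"
    return "unknown"


def read_pcap(data: bytes):
    """Parse classic pcap into (linktype, snaplen, [(ts_ns, orig_len, packet_bytes)])."""
    endian, magic = "<", struct.unpack("<I", data[:4])[0]
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", struct.unpack(">I", data[:4])[0]
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        raise ValueError("not a classic pcap file")
    frac_mult = 1000 if magic == PCAP_MAGIC_US else 1      # fraction is usec or nsec
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        packets.append((ts_sec * 1_000_000_000 + ts_frac * frac_mult, orig_len, pkt))
    return linktype, snaplen, packets


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Frame a pcapng block: type, total length, body, total length repeated."""
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def pcap_to_pcapng(data: bytes) -> bytes:
    """Write a single-section, single-interface pcapng with nanosecond timestamps."""
    linktype, snaplen, packets = read_pcap(data)
    shb = _block(PCAPNG_SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    tsresol = struct.pack("<HH", 9, 1) + _pad4(b"\x09")      # if_tsresol = 10^-9 s
    end_opt = struct.pack("<HH", 0, 0)
    idb = _block(1, struct.pack("<HHI", linktype, 0, snaplen) + tsresol + end_opt)
    out = [shb, idb]
    for ts_ns, orig_len, pkt in packets:
        epb = struct.pack("<IIIII", 0, ts_ns >> 32, ts_ns & 0xFFFFFFFF, len(pkt), orig_len)
        out.append(_block(6, epb + _pad4(pkt)))
    return b"".join(out)


def pcapng_packets(data: bytes):
    """Return the packet payloads of every Enhanced Packet Block (little-endian file)."""
    pkts, off = [], 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack("<II", data[off:off + 8])
        if btype == 6:
            cap_len = struct.unpack("<I", data[off + 20:off + 24])[0]
            pkts.append(data[off + 28:off + 28 + cap_len])
        off += blen
    return pkts


def sample_pcap() -> bytes:
    """Constructed two-frame classic pcap: Ethernet link type (1), 64 KiB snaplen."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 14 + b"\x45" + b"\x00" * 27, b"\xff" * 14 + b"\x45" + b"\x01" * 19]
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1362355200 + i, 500 * i, len(frame), len(frame)) + frame
    return header + records


if __name__ == "__main__":
    converted = pcap_to_pcapng(sample_pcap())
    print(detect_format(sample_pcap()), "->", detect_format(converted), len(pcapng_packets(converted)), "packets")
```

The reverse direction is where the answer's "somewhat" applies: a pcapng with several interfaces, name-resolution blocks or per-packet comments has no place to put that data in the flat pcap record format, which is why editcap can only flatten such files.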

Q: How does pcapng format work with Cascade Pilot? A: Recent versions of Pilot (particularly 10.0) support pcapng. The file format is still evolving so support in both Pilot and Wireshark should improve over time.

Filtering
Q: Please describe a scenario when using a capture filter would be absolutely necessary. A: If the network is so busy that Wireshark indicates that it is dropping packets – applying a capture filter will reduce the load on Wireshark.

Q: Is there any difference between 'AND' or '&&' when applying a filter? A: "AND" (all uppercase) isn't a valid display filter operator. "and" and "&&" are functionally equivalent, but "and" requires whitespace on either side. In other words, "tcp&&frame.len > 300" and "tcp and frame.len > 300" are both valid and behave the same.

Q: Which is better to use - capture or use a display filter? A: Capture filters throw away information so you should use them sparingly. Display filters cover many more protocols and fields.

Q: Can you filter for a range of IP addresses in WS? A: Yes – use the display filter ip.addr==10.2.0.0/16 or the capture filter net 10.2.0.0/16.

Q: Can you exclude an IP address in a display filter? A: Yes... use !ip.addr==10.2.0.0 (display filter) or not 10.2.0.0 (capture filter). You can use the /16 too to add CIDR formatting for a subnet. Just don't use ip.addr!=10.2.0.0 (display filter) – that's where the != won't work.
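The "!= won't work" warning above is a consequence of how a comparison is evaluated against a field that occurs more than once in a packet: ip.addr matches both ip.src and ip.dst, and a comparison is true if any occurrence satisfies it. The following added example (a model written for these notes, not Wireshark's filter engine) reproduces that evaluation over four constructed packets so the difference between ip.addr!=X and !ip.addr==X is visible; it models the behaviour the answer describes for the Wireshark releases of the time, and it also handles the CIDR form from the previous answer (ip.addr==10.2.0.0/16). Later Wireshark releases (3.6 and newer) changed "!=" to mean "all not equal", which is why the pitfall no longer bites there.

```python
"""Why  ip.addr != X  is not the opposite of  ip.addr == X.
Added example, not Wireshark's code: a tiny model of how a display filter
comparison is evaluated when the field occurs twice in a packet (ip.addr covers
both ip.src and ip.dst). The packets are constructed (ip.src, ip.dst) pairs."""
import ipaddress

# Constructed packets: (ip.src, ip.dst). The "ip.addr" field yields both values.
PACKETS = [
    ("10.2.0.5", "192.168.1.10"),
    ("192.168.1.10", "10.2.0.5"),
    ("10.2.0.5", "10.2.0.9"),
    ("172.16.0.1", "8.8.8.8"),
]


def _matches(value: str, target: str) -> bool:
    """One ip.addr occurrence against a host or CIDR target (e.g. 10.2.0.0/16)."""
    return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)


def field_eq(pkt, target):
    """ip.addr==T : true if ANY occurrence of ip.addr equals T."""
    return any(_matches(v, target) for v in pkt)


def field_ne(pkt, target):
    """ip.addr!=T : true if ANY occurrence of ip.addr differs from T.
    A packet with two distinct addresses therefore almost always matches."""
    return any(not _matches(v, target) for v in pkt)


def not_field_eq(pkt, target):
    """!ip.addr==T : true only if NO occurrence equals T, i.e. the real exclusion."""
    return not field_eq(pkt, target)


def apply_filter(predicate, target):
    """Indexes of PACKETS that pass the filter, like the packet list after Apply."""
    return [i for i, p in enumerate(PACKETS) if predicate(p, target)]


if __name__ == "__main__":
    for name, pred in (("ip.addr==", field_eq), ("ip.addr!=", field_ne), ("!ip.addr==", not_field_eq)):
        print(f"{name}10.2.0.5 -> packets {apply_filter(pred, '10.2.0.5')}")
```

The capture-filter side has no such trap because BPF has a single "host"/"net" primitive per address test, so "not host 10.2.0.5" and "not net 10.2.0.0/16" exclude exactly the packets involving that host or subnet.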

Q: How to make the DNSErr Filter Expression button go away? A: Edit | Preferences | Filter Expressions.


Page 52

Q: That last display filter showed "and eth and frame." What do these do and why were they included in the filter? A: You must be referring to the right-click filter created in the Protocol Hierarchy window. Wireshark pulls in the hierarchical structure when creating a filter this way. They aren't necessary elements, but that's just the way Wireshark pulls exactly what you wanted.

Q: Can there be some demonstration of advanced filters, concentrating on changing the custom ports? A: Not exactly sure what the question is… if you want Wireshark to apply a different dissector to the traffic rather than the dissector associated with a specific port number, first look at the application preferences setting (Edit | Preferences | (+) Protocols) to see if you can change the port number there. Alternately, you can right-click on a packet and select Decode As. Select the Transport tab and scroll through the list of dissectors to find the one you want. If this is a setting you want to save, select Analyze | User Specified Decodes | Save.

Q: You prefer display rather than capture filters, but what if I'm sniffing a high throughput telecomm link? A: One of the few reasons to apply a capture filter is to reduce the amount of traffic Wireshark has to deal with – in your case, a capture filter would be a good option.

Q: Can those filters which Laura is talking about be exported and put on another laptop? A: Sure! If you go to Help | About | Folders you can navigate to your personal or the global configuration directory. All of Wireshark's configuration files are simple text files and can be copied between machines. You may have to convert line endings when moving from Windows to non-Windows machines however.

Q: How did you copy the String section (from the display filter area to the coloring rule string area)? A: Ctrl+C to copy and Ctrl+V to paste. Basic copy/paste process.

Q: In a Windows Terminal Services environment is there a way to narrow a "conversation" to a particular user session (User ID)? A: We believe this traffic is encrypted – you could look for just port 3389… but that won't pull out one user's session. We aren't aware of any way to correlate an RDP flow with a user (other than by looking at the IP address in the trace file, perhaps).

Q: Is it possible to display duplicate IP packets using a display filter? A: Editcap can remove duplicate packets, but you can't ask Wireshark to compare packets to identify duplicates. Here's what you can do, though – you can add a column for the IP ID field (right-click on an IP header ID field and select Apply as Column) and sort that column. Since each packet going out through the IP portion of the TCP/IP stack should be given a unique IP ID value, you may be able to spot duplicates this way.
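The column-and-sort method above can be scripted. This added example (not Wireshark's or editcap's code) parses the IPv4 header of constructed packets, pulls out ip.id together with the addresses, and reports every (src, dst, id) triple that appears more than once; keying on the direction as well as the ID avoids flagging two different packets that happen to share an ID in opposite directions. It also computes ip.hdr_len from the IHL nibble, the field the later header-size question refers to.

```python
"""Spot duplicated packets by the IPv4 Identification field, the manual
"add ip.id as a column and sort" method described above. Added example, not
Wireshark's or editcap's code; the packets are constructed."""
import struct
from collections import defaultdict


def build_ipv4(src: str, dst: str, ip_id: int, proto: int = 6, payload: bytes = b"") -> bytes:
    """Construct a 20-byte IPv4 header (checksum left 0; not needed for this analysis)."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0x4000, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return ip.hdr_len, ip.id, ip.src, ip.dst and ip.proto from a raw IPv4 packet."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr_len = (ver_ihl & 0x0F) * 4            # ip.hdr_len: IHL counts 32-bit words
    if hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("bad IHL")
    return {
        "hdr_len": hdr_len,
        "id": struct.unpack(">H", pkt[4:6])[0],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def find_duplicate_ids(packets):
    """Group packets by (ip.src, ip.dst, ip.id) and return {key: [frame indexes]} for
    every key seen more than once. Within a short window the same triple almost always
    means the same packet was captured twice (e.g. two SPAN sessions or two capture
    points); over tens of thousands of packets the 16-bit ID wraps, so check the
    timestamps too before calling something a duplicate."""
    seen = defaultdict(list)
    for i, pkt in enumerate(packets):
        p = parse_ipv4(pkt)
        seen[(p["src"], p["dst"], p["id"])].append(i)
    return {key: frames for key, frames in seen.items() if len(frames) > 1}


# Constructed sample: frame 2 is a second copy of frame 1; frame 3 reuses the ID
# in the other direction, which is a different packet and must not be flagged.
FRAMES = [
    build_ipv4("10.0.0.1", "10.0.0.2", 0x1001),
    build_ipv4("10.0.0.1", "10.0.0.2", 0x1002),
    build_ipv4("10.0.0.1", "10.0.0.2", 0x1002),
    build_ipv4("10.0.0.2", "10.0.0.1", 0x1002),
    build_ipv4("10.0.0.1", "10.0.0.2", 0x1003),
]

if __name__ == "__main__":
    for key, frames in find_duplicate_ids(FRAMES).items():
        print("duplicate", key, "in frames", frames)
```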

Q: What is the .rcode option Laura used? I missed it. Is it the color code? A: I used dns.flags.rcode !=0. That will detect DNS response errors.


Page 53

Troubleshooting
Q: How can I use Wireshark to detect the reason why a connection is reset during a request? A: All Wireshark can show you is what is happening – it cannot tell you why something is happening, however. If you are receiving resets during a request, you need to use Wireshark to determine which side of the connection is resetting it. Then look at that host to determine if there are some resource issues. Consider that some interconnecting devices can reset a connection based on some rules (such as request types) as well.

Q: Was the capture with DNS errors performed at the client? A: Yes – dns-errors101.pcapng was captured at a client. Note that both insecure.org and nmap.org domains are managed by the same name server – that was the system having problems (not my local DNS server that dutifully told me something was wrong with another server – Server Error).
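The dns.flags.rcode != 0 filter mentioned earlier and the Server Error seen in dns-errors101.pcapng both come down to the four RCODE bits in the DNS header. The following added example (a model written for these notes, not Wireshark's DNS dissector) parses that header, walks the question name, and reports every response whose RCODE is non-zero, over four constructed messages: a query, its successful answer, a Server Failure for nmap.org like the one described above, and an NXDOMAIN.

```python
"""Model of the display filter  dns.flags.rcode != 0 : parse DNS message headers
and report responses whose RCODE signals an error. Added example, not
Wireshark's dissector; the four DNS messages below are constructed by hand."""
import struct

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
               4: "NotImp", 5: "Refused"}
FLAG_QR = 0x8000          # set on responses
FLAGS_QUERY = 0x0100      # RD
FLAGS_RESPONSE = 0x8180   # QR, RD, RA


def build_dns(txid: int, qname: str, flags: int, rcode: int = 0) -> bytes:
    """Construct a DNS header plus one question (QTYPE A, QCLASS IN); no RRs."""
    header = struct.pack(">HHHHHH", txid, flags | (rcode & 0xF), 1, 0, 0, 0)
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)


def parse_dns_header(msg: bytes):
    """Return (txid, is_response, rcode, qname) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    labels, off = [], 12
    if qdcount:
        while True:
            ln = msg[off]
            if ln == 0:
                break
            if ln & 0xC0:                # compression pointer: not valid in a question name
                raise ValueError("compressed label in question section")
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return txid, bool(flags & FLAG_QR), flags & 0x000F, ".".join(labels)


def dns_errors(messages):
    """Equivalent of filtering on dns.flags.rcode != 0: [(txid, qname, rcode name)]
    for every response with a non-zero RCODE (queries always carry RCODE 0)."""
    hits = []
    for m in messages:
        txid, is_response, rcode, qname = parse_dns_header(m)
        if is_response and rcode != 0:
            hits.append((txid, qname, RCODE_NAMES.get(rcode, f"rcode{rcode}")))
    return hits


# Constructed sample: a query, its successful answer, then two failures.
SAMPLE = [
    build_dns(0x1A2B, "www.example.com", FLAGS_QUERY),
    build_dns(0x1A2B, "www.example.com", FLAGS_RESPONSE, 0),
    build_dns(0x1A2C, "nmap.org", FLAGS_RESPONSE, 2),           # Server failure
    build_dns(0x1A2D, "nosuch.example.net", FLAGS_RESPONSE, 3),  # No such name
]

if __name__ == "__main__":
    for txid, qname, why in dns_errors(SAMPLE):
        print(f"txid 0x{txid:04x} {qname}: {why}")
```

When reading the result, remember the point made in the answer above: the rcode tells you which name failed, but the source address of the failing response is your local resolver relaying the error, so the server that actually has the problem is the one authoritative for that name.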

WinPcap
Q: I see WinPcap is not compatible with W8 64-bit, so this would not be a good Wireshark platform? A: WinPcap 4.1.3 (released on March 8) supports Windows 8. You can get it at www.winpcap.org. I've added it to the Wireshark installer so it will be included with the next round of releases.

Q: If you don't start WinPcap on boot, how do you start/stop it (in Windows)? A: You can try running "net start npf" or "net stop npf" as administrator.

Decryption
Q: I decrypted a Wireshark packet using the private key, and saved it decrypted. When I open the saved file on another PC, is it still decrypted? A: Not yet, but it's certainly been discussed. The question is whether to save out the decrypted data or to save the encrypted data + keys. We can do either with pcap-ng.

Q: Is it possible to intercept encrypted traffic? A: Sure! You should be able to see any traffic that traverses your interface. Decrypting encrypted traffic is an entirely different question and depends on the protocol.

Statistics
Q: What was the definition of Endpoints in terms of the statistics within Wireshark? A: For Wireshark, an endpoint is a device that sends or receives data using a particular protocol. We don't distinguish between OSI layers, e.g. we track Ethernet, IP, and TCP endpoints (which may be the same device). There will also be overlap, e.g. a TCP endpoint entry will have a corresponding IPv4 or IPv6 entry.


Page 54

Q: Does duration (in the Conversations window) include a trailing FIN that might be delayed quite a while? A: Yes – so you need to be careful interpreting that duration value. Many applications (such as your web browser) will just eventually time out the connections.

Q: Where was that graph? I got called away. A: Laura created that graph using Statistics | IO Graphs.

Q: Does Zero window indicate something is wrong? A: It means the receiver can't accept any more traffic and tells the sender to stop transmitting. If you're trying to transfer data then that's a problem. :-)

Q: Is the duration column (Conversation window) shown in seconds? A: Yes.

Q: Does the Protocol Hierarchy statistics window update information during a live capture? A: You can open the window, but you get a snapshot at that point in time (the information doesn't automatically refresh).

Q: In a competing MS product, each packet will include the application that generated/received the packet. Is there anything similar in Wireshark? I have caught myself using the MS product just for this feature. A: Process and user information is a feature I've wanted to add from the beginning. Several people have worked on this, but unfortunately we don't have anything ready for release yet.

Q: Is there any way to graph more than 5 filters on the IO graph? A: Not at this time. The maximum is hard-coded and it shouldn't be. I filed an enhancement request at bugs.wireshark.org/bugzilla/show_bug.cgi?id=8512 to make sure this request doesn't get lost. Check out the graphing in Cascade Pilot too.

Q: I use TShark because I can use it in my scripts. Command line IO graphing seems to exist only for TCP/IP traffic. Do you plan to incorporate 802.11 support for command line IO graphing? A: TShark's "-z io,stat,..." isn't limited to TCP, but if you're trying to use it with 802.11 you'll probably have to decrypt the traffic.

Q: How do I learn how to draw a ladder diagram from a trace? A: Not quite sure what you are looking for, but check out Statistics | Flow Graph | TCP Flow.

Q: Is calculated window size in bytes? A: Yes – it is derived by multiplying the Window Size field by the multiplier determined in the TCP handshake.
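The derivation in that answer has two conditions that are easy to forget: the multiplier is 2 raised to the shift count carried in each side's own Window Scale option, it is only in effect if both sides sent the option during the handshake, and the Window field of a SYN or SYN/ACK is never scaled. The following added example (not Wireshark's TCP dissector) builds a four-segment handshake-plus-data exchange from constructed TCP headers, parses the options, and computes the calculated window size (tcp.window_size) from the raw value (tcp.window_size_value) under those rules; the parser also yields tcp.hdr_len from the Data Offset nibble.

```python
"""How Wireshark's calculated window size (tcp.window_size) is derived: the raw
Window field (tcp.window_size_value) shifted left by the Window Scale option
the sending side announced in the handshake. Added example, not Wireshark's
dissector; the TCP headers are constructed."""
import struct

SYN, ACK = 0x02, 0x10


def build_tcp(sport, dport, seq, ack, flags, window, options=b"") -> bytes:
    """Construct a TCP header; options are padded to a multiple of 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    hdr = struct.pack(">HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    return hdr + options


def parse_tcp(seg: bytes) -> dict:
    """Ports, flags, raw window, tcp.hdr_len and the Window Scale shift (or None)."""
    sport, dport, seq, ack, off_res, flags, window = struct.unpack(">HHIIBBH", seg[:16])
    hdr_len = (off_res >> 4) * 4                 # tcp.hdr_len
    shift, off = None, 20
    while off < hdr_len:
        kind = seg[off]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP padding
            off += 1
            continue
        length = seg[off + 1]
        if kind == 3 and length == 3:            # Window Scale (RFC 7323)
            shift = seg[off + 2]
        off += length
    return {"sport": sport, "dport": dport, "flags": flags, "window_value": window,
            "hdr_len": hdr_len, "ws_shift": shift}


def calculated_windows(segments):
    """tcp.window_size for each segment of one conversation, in order.
    The scale a host applies is the one it announced itself, and only if the peer
    announced one too; the Window field of a SYN or SYN/ACK is never scaled."""
    announced = {}                               # source port -> shift from its SYN/SYN-ACK
    results = []
    for seg in segments:
        p = parse_tcp(seg)
        if p["flags"] & SYN:
            announced[p["sport"]] = p["ws_shift"]
            results.append(p["window_value"])
            continue
        both_sides = len(announced) == 2 and all(s is not None for s in announced.values())
        shift = announced.get(p["sport"], 0) if both_sides else 0
        results.append(p["window_value"] << (shift or 0))
    return results


# Constructed handshake: client offers WS=7 (x128), server answers WS=8 (x256).
CONVERSATION = [
    build_tcp(51000, 80, 1000, 0, SYN, 65535, b"\x02\x04\x05\xb4\x01\x03\x03\x07"),
    build_tcp(80, 51000, 5000, 1001, SYN | ACK, 14600, b"\x02\x04\x05\xb4\x01\x03\x03\x08"),
    build_tcp(51000, 80, 1001, 5001, ACK, 229),      # 229 * 128 = 29312 bytes
    build_tcp(80, 51000, 5001, 1001, ACK, 114),      # 114 * 256 = 29184 bytes
]

# Constructed handshake where only the server sent Window Scale: no scaling at all.
NO_SCALE = [
    build_tcp(51001, 80, 1, 0, SYN, 8192),
    build_tcp(80, 51001, 9, 2, SYN | ACK, 14600, b"\x03\x03\x08"),
    build_tcp(51001, 80, 2, 10, ACK, 8192),
]

if __name__ == "__main__":
    print(calculated_windows(CONVERSATION), calculated_windows(NO_SCALE))
```

This is also why Wireshark reports the window as unknown (a multiplier of -1) when the trace starts after the handshake: without the SYN and SYN/ACK there is no way to know the shift either side is using.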


Page 55

Security – Network Forensics
Q: From an attacker's/sniffer's standpoint, how can they make sense of packets when it's nothing but a mix and mash of numbers? A: Oftentimes it's not just a mix of numbers, particularly when the traffic is plaintext (not encrypted).

Q: Why not TFTP? Wireless (Aruba) images are transferred this way? A: If the traffic is going to or from an Aruba device then tftp might be normal. If it's to or from an iPad then that probably isn't normal. :-)

Wireshark Protocol/Dissection Support
Q: Is Wireshark able to capture Border Gateway Protocol (BGP) packets? A: Yes.

Q: I've used Wireshark to capture BGP packets, however I kept receiving unformatted packets... is it possible that Wireshark is mislabeling those BGP packets? A: If you're sure that the traffic is BGP (and not some other protocol running over port 179) it might be encrypted or use an extension that Wireshark doesn't yet support. BGP is evolving continuously, and newer versions of Wireshark will generally have better support for updated BGP versions and extensions.

Q: SSL Session ID is fairly easy to get from the web server. Is it possible to capture it using Wireshark on the client side? A: You should be able to see it (ssl.handshake.session_id).

Q: Will anything be said about Google's SPDY protocol and analyzing it? A: Google has a SPDY dissector, but they haven't submitted it for inclusion in the main release yet.

Q: Can we find BitTorrent Traffic and find hosts involved and Logon IDs? A: There’s a Wiki page dealing with BitTorrent traffic - wiki.wireshark.org/BitTorrent. There are also some sample BitTorrent trace files on that page. You can also use a display filter for bittorrent.

Q: Is there an sFlow dissector? A: Yes. We've supported sFlow for nearly 10 years.

Q: Will there be support for SCCP ver 20? A: Are you asking about ANSI/ITU Signaling Connection Control Part or Cisco's Skinny Client Control Protocol? (I'm assuming Skinny). It looks like we might have partial support but I don't think it's complete.

Q: Does Wireshark have a dissector for AoE protocol (i.e. Coraid SAN)? A: Yes.


Page 56

Q: Any future support for InfiniBand? A: What support are you looking for? We have some now (e.g. via ERF cards).

Q: Using Wireshark 1.8.2, I see that monitoring USB I/F is supported. Will any support be available in the future to monitor serial interfaces? i.e. /dev/ttys0, COM1 etc... Thanks! A: Analyzing raw serial data directly is difficult because it isn't packetized. That is, we don't know when frames start or stop or if there is anything resembling a frame in the first place. We can dissect serial data indirectly over USB. For instance, we have an AT (modem) command dissector which is called by the USB dissector.

Q: Do we have trace parsers for Citrix ICA? A: Wireshark doesn't support Citrix ICA. As far as I know Citrix hasn't released the specifications and no one has reverse engineered it. There are private dissectors floating around but nothing public.

Q: Is Openflow supported? That is, does Wireshark trace and show OF formatted packets? A: The OpenFlow project has developed a dissector but they haven't submitted it for inclusion in the mainline release yet: www.openflow.org/wk/index.php/OpenFlow_Wireshark_Dissector.

Q: Does Wireshark handle various old-style formats (like uuencoded files)? A: Not directly. TShark lets you follow TCP streams so you should be able to do something like "tshark -r some-capture.pcap -z follow,tcp,... | uudecode".

Q: Are there any configurations or plug-ins to support Juniper or Palo Alto devices specifically? A: Juniper has historically done a pretty good job of contributing support for their various protocols. They're in the mainline release so you shouldn't have to make any extra effort to dissect them. I'm not aware of any specific Palo Alto support, although many companies maintain private, internal-only dissectors for various protocols.

Q: Does Wireshark have a dissector for VMWare related protocol? A: As far as I know the only VMware-specific protocol we support is Lab Manager.

Q: Has the SNMP MIB (Debian) error been solved? A: I'm not sure which specific error you're referencing (there have been quite a few over the years). If it's Debian bug 568050 it looks like they fixed it by disabling OID resolution by default.

Q: I saw once where to find the dissectors, TCP for example but I cannot find the location again, can you guide me to the location please? A: Dissectors and display filters are listed at www.wireshark.org/docs/dfref/. The actual code is in epan/dissectors in the Wireshark source code.


Page 57

Q: Question for Gerald - any plan to support the Zigbee protocol? IT has an inexpensive USB -> Zigbee interface. A: Wireshark has supported Zigbee and other 802.15.4 protocols for a while. Which adapter do you have? I'm pretty sure Wireshark works with Kisbee.

Q: Any good document or other training resources geared more for those who do not deal with live traffic but want to use tshark for reassembling conversations using custom dissectors? A: If you're developing custom dissectors then the wireshark-dev mailing list (www.wireshark.org/mailman/listinfo/wireshark-dev) is probably your best bet. If you can make it to Sharkfest you can talk to a lot of the development team in person.

OS X Questions
Q: Will Wireshark 1.10 have a native OS X version? A: 1.10 won't. A later version might. That's one of the things I've been working on lately.

Q: Are there lots of differences between the Windows GUI and the OS X GUI? A: Wireshark runs as a native Windows application. It runs as an X11 application on OS X, and the behavior can be a little odd sometimes.

Q: Is it true that not all Wireshark versions are ported to OS X? (v10) What is the condition for a version to be ported to OS X? A: OS X is one of our top-tier platforms. That is, OS X packages are part of every release. However, due to the user interface toolkit we use (GTK+), Wireshark requires an X11 server and it looks and runs differently than a native OS X application. We're hoping to release a native application that doesn't require X11 in the future.

Q: Is there any chance of a native OSX version being released, and not one that hinges on X11? :) A: We're working on it. It won't happen until after 1.10 is released unfortunately.

Miscellaneous Topics
Q: Will you cover more on the CLI (Command-Line Interface)? A: We did not have the Command-Line Interface tools (tshark, editcap, capinfos, mergecap, etc.) in the course outline – not enough time. You can get more information on these tools in Chapter 8 Skills: Use Command-Line Tools to Capture, Split, and Merge Traffic of the Wireshark 101: Essential Skills for Network Analysis book (www.wiresharkbook.com/wireshark101) or Chapter 33: Effective Use of Command-Line Tools of Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (www.wiresharkbook.com/studyguide).

Q: Hope you will cover how to use WS over a broadband modem? Thanks. A: What sort of broadband modem? E.g. cable, DSL, 3G/4G? In general it depends on your OS.


Page 58

Q: What's up with the legal disclaimer about written permission to sniff? Do you know something we don't? A: Some people/companies don't take kindly to you sniffin' their junk...

Q: Are there other plugins available that are not installed under the default install? A: There are a few. Many companies develop dissectors for private protocols that they maintain as plugins. Some protocols that are still evolving also have plugin dissectors such as OpenFlow www.openflow.org/wk/index.php/OpenFlow_Wireshark_Dissector.

Q: Is there a Wireshark portable? A: Yes. We offer both PortableApps and U3 installers at http://www.wireshark.org/download.html.

Q: How do you find the byte size of IP/TCP headers, and SIP SDP? A: IP headers have a Header Length field (ip.hdr_len). So do TCP headers (tcp.hdr_len). Since SIP/SDP runs over UDP, you have to look at the UDP Length field (udp.length) and subtract 8 bytes (the length of the UDP header itself) – you are left with the SIP/SDP length.

Q: How do you open a file obtained using tcpdump in Wireshark? A: You just open it. Both Wireshark and tcpdump use the pcap format.

Q: Some people, when confronted with a problem, think "I know… I'll use regular expressions." Now they have two problems. A: Someone spent an inordinate amount of time tracking down the origins of that quote (regex.info/blog/2006-09-15/247). Remember that Laura is teaching a Regular Expressions Primer class in May (you need to be an All Access Pass member to attend that live event). See lcuportal2.com.

Q: Can I update a host IP address with a host name? A: Wireshark lets you keep a "hosts" file in your configuration profile so that you can specify host names for specific IPv4 and IPv6 addresses.

Q: How will the DNS capture work if there is a round-robin DNS setup (single DNS name resolving to multiple IP addresses)? Will it do all or just the first one that resolves? A: The capture is going to show all DNS resolutions that take place, regardless of what is resolved.

Q: Any changes to Wireshark partnerships with other partners like Opnet/Riverbed? A: Not that I'm aware of. Riverbed does a great job of sponsoring the project and community, and I don't see that changing any time soon.

Q: Can Wireshark display the MSL value in a conversation? I believe the column option she showed can be included for this? A: If you are referring to Maximum Segment Lifetime, see wiki.wireshark.org/TCP%204-times%20close.


Page 59

Q: Is there a way to compare two pcaps automatically (say a good packet capture of what would normally occur versus a bad packet capture where the issue is occurring) so it would provide just the frame differences between the two packet captures? (Like analyzing logs and doing a WinDiff on two sets of log files.) A: Not currently – there is a compare feature, but it's not working well. When we get to Wireshark 1.10 we should have a new compare feature.

Q: What is the maximum size of capture file that Wireshark will import? A: That depends a bit on how much processing power you have available. I (Laura) typically keep my capture file sizes to 100MB maximum.

Q: @Gerald - how about importing from Fiddler? A: I'm not sure how much effort that would entail but it would be a cool feature to have. :-)

Q: Are there any plans for an application to analyze Wireshark capture files on iOS devices? A: I doubt we'll ever get a capturing application into the iOS app store, but a read-only app might be possible.

Q: Can we get similar information like httpwatch in Wireshark? A: Not presently. I don't see why we couldn't add a time line chart in the future however.

Q: Will there be support for Red Hat / Fedora Linux in the future? A: Wireshark is part of the RHEL and Fedora distributions. The GUI package is named Wireshark-gnome.

Q: Is there any place to download a trusted binary for Wireshark? A: The canonical download locations are www.wireshark.org/download/ and wiresharkdownloads.riverbed.com/wireshark/. I sign the Windows installers and provide a GPG-signed file containing hashes for each released package, e.g. www.wireshark.org/download/SIGNATURES-1.8.6.txt.
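A signed hash list only protects you if the download is actually checked against it before it is run. The following added example (not the Wireshark project's own tooling) shows that check: it parses a hash list in sha256sum style ("<hex digest>  <filename>" lines), hashes the downloaded bytes in chunks, and compares with a constant-time comparison. The list format and the file contents here are constructed for the example; the real SIGNATURES file named above has its own layout and must itself be verified with gpg (gpg --verify on the detached signature or signed file) before its digests are trusted, otherwise an attacker who can replace the installer can replace the hash list too.

```python
"""Verify a downloaded package against a published hash list before running it.
Added example, not the Wireshark project's tooling. The hash list format
(sha256sum style) and the file contents are constructed; the two digests are
the well-known SHA-256 values of "abc" and of the empty string."""
import hashlib
import hmac
import re

CHUNK = 1 << 16
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")   # "<sha256hex>  <filename>"


def parse_hash_list(text: str) -> dict:
    """Map filename -> expected SHA-256 hex digest; comments and blank lines skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the data, hashed in chunks so large installers are handled the same way."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def verify_download(filename: str, data: bytes, hash_list: str):
    """Return (ok, reason). A file absent from the list is a failure, not a pass."""
    expected = parse_hash_list(hash_list)
    if filename not in expected:
        return False, "no entry for this file in the hash list"
    actual = sha256_of(data)
    if hmac.compare_digest(actual, expected[filename]):      # constant-time comparison
        return True, "digest matches"
    return False, "digest mismatch"


# Constructed hash list: the digests are SHA-256("abc") and SHA-256("") respectively.
HASH_LIST = """# constructed SHA-256 list in sha256sum format (not the real SIGNATURES file)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample-installer.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.bin
"""

if __name__ == "__main__":
    print(verify_download("sample-installer.bin", b"abc", HASH_LIST))
    print(verify_download("sample-installer.bin", b"abd", HASH_LIST))   # one byte changed
    print(verify_download("other.bin", b"abc", HASH_LIST))             # not listed
```

For the real packages, treat the Windows installer's Authenticode signature and the GPG signature on the hash list as the root of trust and this digest check as the last step; a matching digest from an unsigned or unverified list proves only that the attacker was consistent.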



Page 60