Scribd
Upload
148 views30 pages

Wireshark

Tcpdump and Wireshark are network packet analysis tools that allow users to capture and analyze network traffic. Tcpdump is a command line tool that captures traffic on a network interface and can either display it or save it to a file. Wireshark is a graphical network packet analyzer that allows users to interactively browse captured network traffic. Both tools utilize the libpcap library to capture packets. This document provides examples of how to use tcpdump and Wireshark commands to filter traffic, follow TCP streams, and view statistics about captured traffic. It also includes exercises for students to analyze network packet captures using Wireshark.

Uploaded by

Danar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
148 views30 pages

Wireshark

Tcpdump and Wireshark are network packet analysis tools that allow users to capture and analyze network traffic. Tcpdump is a command line tool that captures traffic on a network interface and can either display it or save it to a file. Wireshark is a graphical network packet analyzer that allows users to interactively browse captured network traffic. Both tools utilize the libpcap library to capture packets. This document provides examples of how to use tcpdump and Wireshark commands to filter traffic, follow TCP streams, and view statistics about captured traffic. It also includes exercises for students to analyze network packet captures using Wireshark.

Uploaded by

Danar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Packet Capture &

Wireshark

Fakrul  Alam  
[email protected]  
Why we need to capture packet &
how it’s related to security?
tcpdump Definition

tcpdump is a utility used to capture and analyze


packets on network interfaces. Details about these
packets can either be displayed to the screen or
they can be saved to a file for later analysis.
tcpdump utilizes the libpcap library for packet
capturing.
tcpdump command example
# tcpdump –nni eth0
# tcpdump –nni eth0 host 10.10.10.10
# tcpdump –nni eth0 dst host 10.10.10.10 and proto tcp
# tcpdump –nni eth0 src net 10.10.10.0/24 and port tcp
and portrange 1-1024

-nni = don’t use DNS to resolve IPs and display port no


-i = interface to watch
dst = watch only traffic destined to a net, host or port
src = watch only traffic whose src is a net, host or port
net = specifies network
host = specifies host
port = specifies a port
proto = protocol ie tcp or udp
tcpdump command example
# tcpdump –nni eth0 –s0
# tcpdump –nni eth0 not port 22 –s0 –c 1000
# tcpdump –nni eth0 not port 22 and dst host
10.10.10.10 and not src net 10.20.30.0/24

-s0 = setting samples length to 0 means use the required length


to catch whole packet
-c = no to packets
tcpdump pcaps
# tcpdump –nni eth0 -w capture.pcap –vv –c 1000
# tcpdump –nni eth0 –r capture.pcap and port 80

-w capture.pcap = save capture packet to capture.pcap


–vv = display number of packet captured
-r caputre.pcap = read capture file
-c = no to packets
tcpdump Output
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags
[P.], seq 53:106, ack 1, win 67, options [nop,nop,TS
val 854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags


[.], ack 106, win 4092, options [nop,nop,TS val
376934736 ecr 854797891], length 0

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags


[P.], seq 106:159, ack 1, win 67, options
[nop,nop,TS val 854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags


[.], ack 159, win 4091, options [nop,nop,TS val
376934736 ecr 854797891], length 0
What is Wireshark?

•  Wireshark is a network packet/protocol analyzer.


–  A network packet analyzer will try to capture network
packets and tries to display that packet data as
detailed as possible.
•  Wireshark is perhaps one of the best open
source packet analyzers available today for
UNIX and Windows.
About Wireshark

•  Formerly known as “Ethereal”


–  Author, Gerald Combs quit Network Integration Services
–  Free
•  Requirement
–  Need to install winpcap
–  Latest wireshark installer contains winpcap, don’t worry
–  (On Windows Vista) Need Administrator Privilege to
capture
•  GUI
–  Dramatically improved
Why Wireshark
•  network administrators use it to troubleshoot
network problems
•  network security engineers use it to examine
security problems
•  developers use it to debug protocol
implementations
•  people use it to learn network protocol
internals
•  Wireshark isn't an intrusion detection system.
•  Wireshark will not manipulate things on the
network, it will only "measure" things from it.
How to Install

•  Very straight forward


•  Just double-click and follow the instructions.
Capture
Dashboard
Menu  
Filter  

Capture  Data  

Raw  Data  
Filters

•  Capture filter
–  Capture Traffic that match capture filter rule
–  save disk space
–  prevent packet loss
•  Display filter
•  Tweak appearance
Apply Filters
•  ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as
either the source or dest]
•  ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter
between the two defined IP addresses]
•  http or dns [sets a filter to display all http and dns]
•  tcp.port==4000 [sets a filter for any TCP packet with 4000 as a
source or dest port]
•  tcp.flags.reset==1 [displays all TCP resets]
•  http.request [displays all HTTP GET requests]
•  tcp contains rviews [displays all TCP packets that contain the word
‘rviews’. Excellent when searching on a specific string or user ID]
•  !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other
protocols may be background noise. Allowing you to focus on the
traffic of interest]
Follow TCP Stream
Follow TCP Stream

•  Build TCP Stream


–  Select TCP Packet -> Follow TCP Stream
Use “Statistics”

•  What protocol is used in your network


–  Statistics -> Protocol Hierarchy
Use “Statistics”

•  Which host most chatty


–  Statistics -> Conversations
Use “Statistics”

•  Make graph
–  Statistics -> IO Graph
Need CLI?

•  If you stick to character based interface, try


tshark.exe
•  C:\program files\wireshark\tshark.exe
Tcpdump & Wireshark

•  tcpdump -i <interface> -s 65535 -w <some-file>


Exercise

•  Install Wireshark into your PC


•  Run wireshark and Capture inbound/outbound
traffic
•  Download capture files from
–  Follow the instructor's guide.
Exercise1: Good Old Telnet

•  File
–  telnet.pcap
•  Question
–  Reconstruct the telnet session.
•  Q1: Who logged into 192.168.0.1
–  Username __________, Password __________ .
•  Q2: After logged in what did the user do?
–  Tip
–  telnet traffic is not secure
Exercise 2: Massive TCP SYN

•  File
–  massivesyn1.pcap and massivesyn2.pcap
•  Question
–  Point the difference with them.
•  Q1: massivesyn1.pcap is a _________ attempt.
•  Q2: massivesyn2.pcap is a _________ attempt.
•  Tip
–  Pay attention to Src IP
Exercise 3: Compare the traffic
•  Scenario
•  You’re an IT admin of company X. You had a report that
Jim (a new employee) can not browse or mail with his
laptop. After researching you found that Risa, sitting next
to Jim, can brose without any problem.
•  File
–  Risa.pcap, jim.pcap
•  Question
•  Compare the capture file from both machines and find
out why Jim’s machine is not online.
–  Jim must _____________________________ .
•  Tip
–  Pay attention to the first arp packet.
Exercise 4: Chatty Employees

•  File
–  chat.dmp
•  Question
•  Q1: What kind protocol is used? _______
•  Q2: This is conversation between
[email protected] and [email protected]
•  Q3: What do they say about you(sysadmin)?
•  Tip
–  Your chat can be monitored by network admin.
Exercise 5: Suspicious FTP activity

•  File
–  ftp1.pcap
•  Question
–  Q1: 10.121.70.151 is FTP ______ .
–  Q2: 10.234.125.254 is FTP ______ .
–  Q3: FTP Err Code 530 means __________ .
–  Q4: 10.234.125.254 attempt ________.
•  Tip
–  How many login error occur within a minute?
Exercise 6: Unidentified Traffic

•  File
–  Foobar.pcap
•  Question
–  Q1: see what’s going on with wireshark gui
•  Statistics -> Conversation List -> TCP (*)
–  Q2: Which application use TCP/6346? Check the
web.
Exercise 7: Covert channel

•  File
–  covertinfo.pcap
•  Question
–  Take a closer look! This is not a typical ICMP Echo/
Reply…
–  Q1: What kind of tool do they use? Check the web.
–  Q2: Name other application which tunneling user
traffic.

You might also like