SHARK@SHARE https://ibm.biz/SHARKat
Wireshark Hands-On Lab
Thursday, March 5, 2015
01:45 PM – 02:45 PM
Sheraton Seattle, Redwood
Session 16752
Matthias Burkhard IBM Germany
Wireshark Lab Demo
• Starting Wireshark: Start → Programs → Wireshark
– Update Wireshark? No thanks, not now!
03/06/15 2
Wireshark Lab - Layout
• 3 areas in Wireshark: Packet List, Packet Details, Hex view
Wireshark Lab - Statistics → Summary
• Overall Information about the trace file
Wireshark Lab - Display Filter
• Syntax check in filter: green, yellow, red
– Looking for unencrypted TN3270 traffic?
– Filter on the DO TN3270E command sent by the server
– Its payload is always exactly 3 bytes: FFFD28
Wireshark Lab - Statistics → Endpoints
• Find out how many TCP ports the TN3270 Server is using
– Check the 'Limit to display filter' box
– 4 TCP ports are found sending DO TN3270E commands
– 23, 9923, 8923, 8723
Wireshark Lab - Filter multiple ports
• Filters can combine multiple checks
– Use the 'or' operator to filter on all telnet ports
– 4 TCP ports are found sending DO TN3270E commands
– Notice the number of packets that passed the filter at the bottom of the screen
Wireshark Lab - Save filtered packets
• File → Export specified packets
– Creates a new trace file with a subset of packets
– Use a name from which you can recognize what the file contains
Wireshark Lab - Comment the trace file
• Allows 'meta information' to be passed along inside the trace file
• Don't forget to save the commentary: File → Save
Wireshark Lab - Statistics – Flow Graph
• Shows all packets on a vertical timeline
• Filters can be used to draw differently colored graphs
Wireshark Lab - Follow TCP Stream
• Right-click on any packet of the TCP session
• Follow TCP Stream opens a view of all the data exchanged
• Creates a filter on tcp.stream
Wireshark Lab - Decode AS
• Use when the protocol is not what Wireshark thinks it is
• 160301 looks like a TLS negotiation packet
– Right-click on any packet → Decode As "SSL"
Wireshark Lab - Decode AS
• Now all port 23 traffic is decoded as the SSL protocol
• Sessions terminate after an Encrypted Alert
Wireshark Lab - Conversation Filter – IP
• Following a single client's traffic
• Sessions terminate after an Encrypted Alert
• And restart after 2 seconds
Wireshark Lab - Profile TN3270
• Download the files to your Personal Configuration Folder
• Help → About Wireshark → Folders
Wireshark Lab - TN3270 Negotiation fails
• Filter on TN3270 Negotiation
Wireshark Lab - Filter on LUName
• Filter on any ASCII string using the contains operator
Wireshark Lab - Filter on single Client
• Very short-lived TCP connections
• Closing after the TN3270E negotiation fails
Wireshark Lab Reference
• What the TCP payload looks like

Telnet negotiation
– FFFD2E DO TLS
– FFFC2E WONT TLS
– FFFD28 DO TN3270E
– FFFB28 WILL TN3270E
– FFFA28 SB TN3270E, followed by the subcommand byte:
  00 Associate, 01 Connect, 02 DevType, 03 Functions, 04 Is, 05 Reason, 06 Reject, 07 Request, 08 Send

Keepalive probes
– FFFB06 WILL TIMEMARK
– FFFC06 WONT TIMEMARK
– FFFD06 DO TIMEMARK

SSL/TLS records (vv = version byte, xxxx = record length, yy = handshake type)
– 8055010301 SSLV2 ClientHello V31
– 14 Change Cipher Spec: 1403vv 0001 01 ChangeCipherSpec
– 15 Alert: 1603vv xxxx yy
– 16 Handshake Protocol: 1603vv xxxx yy
– 17 Application Data: 1703vv xxxx yy Encrypted ApplData
– vv: 00 SSL3.0, 01 TLS1.0, 02 TLS1.1, 03 TLS1.2
– yy: 01 ClientHello, 02 ServerHello, 0B Certificate, 0E ServerHelloDone, 10 ClientKeyExchange
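The byte patterns on the reference slide, turned into a small classifier (an added example, not from the SHARE session or from Wireshark): it labels the start of a TCP payload as Telnet negotiation, TN3270E subnegotiation, an SSLv2 ClientHello or a TLS record, then repeats the Endpoints and multi-port-filter steps from the lab on a constructed set of (source port, payload) pairs. Port numbers and payloads in SAMPLE are constructed; the TLS type, version and handshake bytes are those listed on the slide.

```python
"""Added example: label TN3270 / TLS TCP payloads by the byte patterns on the reference slide."""
TELNET_CMD = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFA: "SB"}           # Telnet IAC commands
TELNET_OPT = {0x06: "TIMEMARK", 0x28: "TN3270E", 0x2E: "TLS"}                # options used on the slides
TN3270E_SUB = {0: "Associate", 1: "Connect", 2: "DevType", 3: "Functions", 4: "Is",
               5: "Reason", 6: "Reject", 7: "Request", 8: "Send"}
TLS_TYPE = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VER = {0x00: "SSL3.0", 0x01: "TLS1.0", 0x02: "TLS1.1", 0x03: "TLS1.2"}  # the vv byte
HS_TYPE = {0x01: "ClientHello", 0x02: "ServerHello", 0x0B: "Certificate",
           0x0E: "ServerHelloDone", 0x10: "ClientKeyExchange"}               # the yy byte

def classify(payload: bytes) -> str:
    """Return a label for the start of a TCP payload, or 'unclassified'."""
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in TELNET_CMD:
        cmd = TELNET_CMD[payload[1]]
        opt = TELNET_OPT.get(payload[2], f"option {payload[2]:02X}")
        if cmd == "SB" and payload[2] == 0x28 and len(payload) >= 4:
            # FFFA28 is followed by the TN3270E subcommand byte
            return "Telnet SB TN3270E " + TN3270E_SUB.get(payload[3], f"sub {payload[3]:02X}")
        return f"Telnet {cmd} {opt}"
    if len(payload) >= 5 and payload[0] in TLS_TYPE and payload[1] == 0x03:
        # TLS record header: type, 03vv version, 2-byte length (xxxx); a handshake adds type byte yy
        ver = TLS_VER.get(payload[2], f"version {payload[2]:02X}")
        length = int.from_bytes(payload[3:5], "big")
        label = TLS_TYPE[payload[0]]
        if payload[0] == 0x16 and len(payload) >= 6:
            label += " " + HS_TYPE.get(payload[5], f"type {payload[5]:02X}")
        return f"{ver} {label} ({length} bytes)"
    if len(payload) >= 5 and payload[0] & 0x80 and payload[0] != 0xFF and payload[2] == 0x01:
        # SSLv2-style ClientHello as on the slide (8055010301): 2-byte length with the high bit
        # set, message type 01, then the offered version 03 01 (V31)
        return f"SSLv2 ClientHello offering version {payload[3]}.{payload[4]}"
    return "unclassified"

def tn3270e_server_ports(packets):
    """Statistics -> Endpoints in code: source ports that sent exactly FFFD28 (DO TN3270E)."""
    return sorted({sport for sport, payload in packets if payload == b"\xff\xfd\x28"})

def port_filter(ports):
    """Filter multiple ports: join the ports with 'or' into one Wireshark display filter."""
    return " or ".join(f"tcp.port == {p}" for p in ports)

# Constructed sample standing in for the lab trace: (TCP source port, payload) pairs.
SAMPLE = [(23, b"\xff\xfd\x28"), (9923, b"\xff\xfd\x28"), (8923, b"\xff\xfd\x28"),
          (8723, b"\xff\xfd\x28"), (23, b"\x16\x03\x01\x00\x2f\x01"), (23, b"\x15\x03\x03\x00\x02"),
          (1234, b"\xff\xfa\x28\x02"), (23, b"\x80\x55\x01\x03\x01"), (1234, b"\xff\xfb\x06")]

if __name__ == "__main__":
    for sport, payload in SAMPLE:
        print(f"port {sport:5d}  {payload.hex():<12} {classify(payload)}")
    print(port_filter(tn3270e_server_ports(SAMPLE)))
```

Run it and compare the labels with what Wireshark's Packet Details pane shows for the same bytes; the DO TN3270E match is deliberately exact (3 bytes only), as on the display-filter slide.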