Wireshark101 122111

Notes:

Wireshark Jumpstart: Wireshark 101

www.chappellseminars.com
Presenter: Laura Chappell, Founder of Chappell University and Wireshark University
laura@chappellu.com
Follow me: www.twitter.com/LauraChappell
The phone rings, multiple lines at one time. Never a good sign. The users are complaining about network performance again. They never call to say the network is doing great today; they don't remember the numerous days when the network supported their every whim. No. They only call to complain. Being an IT support person is a thankless job.
In this live online seminar, Laura Chappell explains and demonstrates the key tasks using Wireshark, the world's most popular network analyzer.
1
Jumpstart: Wireshark 101 (12/21/11)   Wireshark 101
Sites: lcuportal.com   chappellu.com   wiresharkbook.com   wiresharktraining.com
Notes:
I have lots of resources online:
Follow me on Twitter (laurachappell)
Check out the Wireshark Weekly Tips (www.wiresharktraining.com/tips.html)
Watch some of the videos I uploaded to SecurityTube.net
My blog is over at lcuportal.com
The Laura's Lab Kit v10 is over at lcuportal.com as well
Check out the other online seminars and keep learning even if it is an hour at a time. The schedule is online at www.chappellu.com/schedule.html.
Notes:
These are the areas we will discuss in today's seminar.
What is Wireshark? I'll show you a diagram of the elements of Wireshark.
Placing the Analyzer. Do this right and save yourself loads of time.
Capture and Display Filters. Focus on specific types of traffic.
Spotting Problems. Let the Expert Info Composite window guide you.
Basic Traffic Graphs: a picture is worth a thousand packets!
Overview of Command Line Tools. Sometimes you need to go command line.
Q&A. I'll get to as many questions as time permits.
So let's get started.
Notes:
Too often I am called on site to troubleshoot a network after everyone has pulled their hair out. It boggles the mind. Why didn't these people put an analyzer on the network and look at the traffic? The packets never lie!
Wireshark is a FIRST RESPONDER tool. Network slow? Get the trace! Can't connect? Get the trace! System behaving strangely? Get the trace!
Network analysis can always tell you WHERE the problem is, but it cannot always tell you WHY the problem is happening.
Notes:
These are some of the cool new features available in the Wireshark 1.4.0 version.
If you are an All Access Pass member, a video on these functions is available at lcuportal.com. If you need more information on the All Access Pass, visit lcuportal.com.
TIP:
My favorite simple addition to Wireshark v1.4.0 is the right-click Apply As Column! Try it. Open a trace file containing a web browsing session. Expand a TCP header and right-click on the Sequence Number field. Choose Apply As Column. You now have a Sequence Number column in the Packet List pane.
I often add a tcp.window_size column based on the TCP Window Size field (not visible in the first packet of the handshake currently) and TCP Sequence Number and Acknowledgment Number fields.
Notes:
When you are capturing traffic off the network using Wireshark, you are likely using one of three possible drivers.
WinPcap driver
Used on Windows hosts running Wireshark.
AirPcap driver
Used to capture WLAN traffic on a Windows host. The AirPcap adapter is available from CACE Technologies (www.cacetech.com), which was purchased by Riverbed in November 2010. I often run three AirPcap adapters on my system and set each to listen to a different WLAN channel. Capturing with the AirPcap aggregating driver allows me to capture on all these different channels at one time.
Libpcap driver
Used to capture traffic on a *nix host.
The first filter applied is the Capture filter. If you apply a capture filter for all broadcast traffic, that is what will be passed up to the capture engine. You can't go back and get packets that were filtered out from view using capture filters, so use these sparingly.
Notes:
You do not need WinPcap, AirPcap or Libpcap in order to open up trace files. Those drivers are used to capture traffic on the network.
When you open a trace file, you are using the wiretap library, which supports numerous trace file formats including trace file formats used by Network General Sniffer, Wildpackets OmniPeek, Snoop and more.
Select File > Open and click the down arrow to the right of File Type to see the list of recognized file types.
Notes:
Dissectors, plugins and display filters are applied once the packets are passed up either by the capture engine or the wiretap library into the core engine.
Dissectors/plugins interpret the contents of the packet and are a key component of Wireshark, enabling you to read packets and see interpreted fields.
The display filters enable you to select which packets to view based on specific criteria that you define. Display filters do not affect the trace file itself; they only affect which packets you view.
The GIMP Tool Kit (commonly referred to as GTK+) provides the graphical interface for Wireshark. GTK+ was initially developed for and used by GIMP, the GNU Image Manipulation Program. It is used by a large number of applications including the GNU project's GNOME desktop.
Select Help > About Wireshark > Folders to find where the various Wireshark files are located. Starting in Wireshark v1.2, the locations listed are hyperlinked so you can quickly open folders.
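The difference between the two filter stages described above (a capture filter decides what is written to the trace file at all; a display filter only decides which stored packets are shown) is easy to see in a small model. The following is an added example, not code from the seminar or from Wireshark: it builds a few constructed Ethernet frames, writes them as a classic pcap file, and applies a Python predicate at each stage. The predicates mimic the libpcap capture-filter primitives `ether host <mac>` and `broadcast` (the "Not Me" filter `not ether host 00:21:97:40:74:d2` that appears later in these notes is the first one negated); the pcap layout follows the public pcap file format (24-byte global header, 16-byte per-record header). All MAC addresses other than the analyst's own are constructed sample values.

```python
import struct
from typing import Callable, Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
MY_MAC = "00:21:97:40:74:d2"      # analyst's MAC from the "Not Me" filter in these notes
FRED = "00:0c:29:aa:bb:cc"        # constructed: Fred's workstation
SERVER = "00:50:56:11:22:33"      # constructed: the server Fred talks to


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


# --- capture-filter primitives (applied by the capture driver, before storage) ---
def ether_host(mac: str) -> Callable[[bytes], bool]:
    """BPF 'ether host <mac>': true if <mac> is the source or the destination."""
    m = mac_bytes(mac)
    return lambda f: f[0:6] == m or f[6:12] == m


def broadcast(f: bytes) -> bool:
    """BPF 'broadcast': true if the destination is ff:ff:ff:ff:ff:ff."""
    return f[0:6] == mac_bytes(BROADCAST)


def not_(pred: Callable[[bytes], bool]) -> Callable[[bytes], bool]:
    """BPF 'not <expr>'."""
    return lambda f: not pred(f)


# --- pcap file handling (classic format, link type 1 = Ethernet) ---
def write_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, f in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are constructed
        body += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return header + body


def read_pcap(data: bytes) -> List[bytes]:
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def capture(frames: List[bytes], capture_filter: Callable[[bytes], bool]) -> bytes:
    """Capture stage: frames failing the capture filter are never written to the file."""
    return write_pcap([f for f in frames if capture_filter(f)])


def display(pcap: bytes, display_filter: Callable[[bytes], bool]) -> List[int]:
    """Display stage: returns 1-based frame numbers that pass; the file is left untouched."""
    return [i + 1 for i, f in enumerate(read_pcap(pcap)) if display_filter(f)]


# Constructed sample traffic: Fred <-> server, one frame of the analyst's own
# traffic, and an ARP broadcast from Fred.
SAMPLE = [
    frame(SERVER, FRED),              # 1: Fred -> server
    frame(FRED, SERVER),              # 2: server -> Fred
    frame(SERVER, MY_MAC),            # 3: analyst's own traffic (should not be captured)
    frame(BROADCAST, FRED, 0x0806),   # 4: ARP broadcast from Fred
]


def demo() -> Dict[str, object]:
    trace = capture(SAMPLE, not_(ether_host(MY_MAC)))      # "Not Me" capture filter
    stored = len(read_pcap(trace))                         # the analyst's frame is gone for good
    fred_frames = display(trace, ether_host(FRED))         # display filter: Fred's traffic
    bcast_frames = display(trace, broadcast)               # display filter: broadcasts only
    # Applying display filters changed nothing on disk:
    assert len(read_pcap(trace)) == stored
    return {"stored": stored, "fred": fred_frames, "broadcast": bcast_frames}


if __name__ == "__main__":
    print(demo())
```

Note that frame numbers in the display results refer to the stored file, not to the original wire order: once the capture filter has dropped frame 3, the ARP broadcast becomes frame 3 of the trace, which is exactly why the notes say you cannot go back and recover what a capture filter removed.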
Notes:
Place the Analyzer Appropriately: Switched networks can cause the analyst grief, blocking the traffic from easy view. We'll go through four ways to capture wired network traffic and a few ways to capture WLAN traffic next. Hey, if you can't see the packets, you are blind to the problem.
Create Baselines: Baselines are sample trace files of traffic when life was good. This will be on your To Do list if not.
Filter on Specific Conversations or Types of Traffic: If Fred is complaining about his web browsing speeds, you could start with a filter on just Fred's HTTP/HTTPS traffic.
Look for Hot Problems: Pay attention to Wireshark's Expert Info Composite information.
Create Key Graphs: A picture is worth a thousand words. In this case, an IO graph is worth a thousand packets.
Notes:
Unless you are the IT slave at an old school that still supports hubs, you are likely working in a switched environment.
Love 'em or hate 'em, switches are necessary network traffic cops. From the analyst's perspective, however, they reduce visibility by limiting the forwarding of traffic from unnecessary paths or segments.
Switches forward four types of packets by default:
Broadcasts (MAC layer broadcasts)
Multicasts (MAC layer multicasts), if configured to do so
Traffic to/from the connected host's MAC address
Traffic to unknown MAC addresses (I hope you never see this)
We'd be blind to Fred's traffic to the server if we placed the analyzer off the switch as shown in the graphic.
So what can we do? What CAN we do?!
Notes:
The first thing we can do (although one of my least desired options) is just run Wireshark off Fred's machine.
Yeah, it's an easy solution, but filled with risks. We typically don't want to alter the system that is having problems. Network analysis is a passive, non-invasive process. I often compare it to an x-ray machine: oh look, your foot is broken in two places, no more Dancing with the Stars for you! Imagine if the x-ray machine was embedded in your foot to find the problem. Ouch.
I also detest the idea of showing Fred that his system can run Wireshark. Fred is, after all, the User from Hell and in this case, ignorance is bliss: his ignorance is my bliss.
But sometimes that is the only feasible option. Start Wireshark running in the background (maybe with a nice ring buffer; we'll discuss that later in this class) and tell Fred to do his stuff and show you what he's experiencing.
Be sure to uninstall Wireshark afterwards!
Notes:
This option only works on half-duplex networks.
A stinkin' old hub can save your hide!
Hubs are stupid. All they know are 1s and 0s, and they forward every bit in every direction (except back the way the bits came in). By placing a hub along the path between Fred and the switch and plugging my analyzer into the hub, I get to see all Fred's traffic.
Watch out for those 10/100/1000 hubs though. If you have a speed mismatch on the connecting devices, that hub may act as a switch between the different speed devices.
Test this first before you need it. Connect two hosts and your analyzer to a hub. Make sure you can see the devices pinging each other. There are a lot of hubs that are cross-dressers; they are actually switches. There's no truth in advertising these days (especially in the tech world).
Notes:
If you are working on a full-duplex network, a hub ain't gonna cut the mustard (aka won't work, for my international attendees). To tap into a full-duplex network, you'll need a full-duplex tap. Simply connect it up just as you did the hub and away you go! Uh, except for one thing. There are many variations of full-duplex tap out there. The main differentiator is, of course, speed (10/100/1000) and port type (copper/fiber). Past that, you also have non-aggregating taps and aggregating taps.
Non-Aggregating Taps
These taps have two output ports and do not combine the full-duplex streams in each direction. You need to hang two analyzers off these taps to see bidirectional communication. Use File > Merge or the command-line mergecap utility to combine multiple trace files.
Aggregating Taps
Well worth the money. These taps combine the bidirectional data and forward it out one monitor port (or two if you have a regenerating tap and want to place something else, maybe a Snort box, off the extra port).
Notes:
This is the white paper that I refer to in the class. It's very well written and helps differentiate between using a tap to capture your traffic or spanning a switch port.
Best Practices Guide
Basic best practices
Types of taps: aggregating, regenerating taps, link aggregation taps, etc.
Advanced best practices
Notes:
Easy, eh?
Port A connects to the switch. Port B connects to the target. Port C connects to your analyzer.
There are a lot of variations possible when you're looking for a tap.
Hmmm, but what's the chance a company is going to let me disconnect their server from the network to install my full-duplex tap? Not likely, so that's when I go the next route.
Notes:
Non-manageable switches are great for home networks. They DO NOT, however, belong on the corporate network.
All of your switches should have the ability to do port spanning (aka port mirroring). Port spanning enables you to have a copy of all network traffic flowing from another switch port down your switch port. It's relatively passive, but not totally passive, as you did reconfigure the switch. And if the switch is the problem, such reconfiguration may solve the problem or give the switch enough of a kick in the behind to get it working properly, most likely only until you have critical network traffic again; then it will fail again.
DON'T GET ME STARTED on port sampling. What good is it to see only a piece of an x-ray result? Aargh!
Make sure you test out your spanning commands and ensure your switch spans ports properly. Even the highest and mightiest of switch manufacturers seems to have stumbled from time to time in implementing this necessary feature.
Notes:
OK, here's the scoop. You can just select your wireless adapter to begin monitoring traffic. It most likely will let you see your traffic. But, uh, what about Fred's traffic? Most NICs won't go into full monitor mode and allow you to see other folks' traffic.
This is where a Windows host has an advantage (amazing to hear myself say that). Riverbed (who purchased CACE Technologies), where Gerald Combs, creator of Wireshark, and Loris Degioanni and Gianluca Varenni, creators of WinPcap, work, has AirPcap adapters.
These three AirPcap adapters should be connected to your system via USB hub, most likely. With the AirPcap aggregating driver you can now see all the traffic on three channels simultaneously. Just too cool. Riverbed (who purchased CACE) also has WiFi Pilot. MetaGeek's Wi-Spy adapter offers spread spectrum analysis (I demonstrate this adapter live in the Top 10 Reasons Your Network is Slow class; check it out).
TIP:
See the free video, Start the Day by Testing Your Network Adapter, at www.wiresharkbook.com/coffee. You'll see me testing two WLAN adapters to see if they will work for capturing traffic. Your WLAN adapters should run in both promiscuous mode and monitor mode for best results.
Notes:
These are the functions that I consider key when you are analyzing networks:
Choosing the Interface
Capture Filtering
Capturing to File Sets
Capturing with a Ring Buffer
Altering the Time Column
Display Filtering (new autocomplete)
Using the Expert Info Composite
Defining Profiles
Reassembling Streams
I will cut down the time spent on slides so I can get into the demo process a.s.a.p. in this training.
Notes:
You have many options when starting your capture.
You could just capture a single file and (a) manually stop the capture or (b) set a stop trigger.
You could capture a file set that you (a) manually stop or (b) stops based on a trigger.
To control the number of trace files created you can use a ring buffer, which is a FIFO (first in, first out) buffer.
Triggers for Multiple Files
Next file every x kilobytes, megabytes, gigabytes (careful of file size)
Next file every x seconds, minutes, hours, days (again, watch the size)
Ring buffer with x files
Stop capture after x files
Stop Triggers
after x packets
after x kilobytes, megabytes, gigabytes (you know the warning)
after x seconds, minutes, hours, days (yup, same thing)
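To make the "next file every x kilobytes" and "ring buffer with x files" options concrete, here is an added example (not code from the seminar or from Wireshark) that writes frames into a numbered set of pcap files, rolls to a new file once the current one would exceed a byte limit, and deletes the oldest file whenever more than the configured number exist. That last step is the FIFO behaviour the notes describe: the newest x files survive, everything older is gone. The class name, file naming scheme and the 184-byte frames are all constructed for the example; the pcap headers follow the public classic pcap layout.

```python
import os
import shutil
import struct
import tempfile
from collections import deque
from typing import Deque, Dict, List

# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
RECORD_HEADER_LEN = 16


class RingBufferCapture:
    """Write frames to prefix_00001.pcap, prefix_00002.pcap, ... starting a new file
    whenever the next record would push the current file past max_bytes, and
    keeping only the newest max_files files (oldest removed first in, first out)."""

    def __init__(self, directory: str, prefix: str, max_files: int, max_bytes: int) -> None:
        self.directory, self.prefix = directory, prefix
        self.max_files, self.max_bytes = max_files, max_bytes
        self.files: Deque[str] = deque()   # paths currently on disk, oldest first
        self.seq = 0                       # total files created so far
        self.fh = None
        self.written = 0                   # bytes in the current file

    def _open_next(self) -> None:
        self.seq += 1
        path = os.path.join(self.directory, f"{self.prefix}_{self.seq:05d}.pcap")
        self.fh = open(path, "wb")
        self.fh.write(PCAP_GLOBAL)
        self.written = len(PCAP_GLOBAL)
        self.files.append(path)
        # Ring buffer: once we hold more than max_files, drop the oldest.
        while len(self.files) > self.max_files:
            os.remove(self.files.popleft())

    def write(self, ts_sec: int, frame: bytes) -> None:
        record = struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
        if self.fh is None or self.written + len(record) > self.max_bytes:
            self.close()
            self._open_next()
        self.fh.write(record)
        self.written += len(record)

    def close(self) -> None:
        if self.fh is not None:
            self.fh.close()
            self.fh = None

    def current_files(self) -> List[str]:
        return [os.path.basename(p) for p in self.files]


def frames_in_file(path: str, frame_len: int) -> int:
    """Count fixed-size records in a file written by RingBufferCapture."""
    return (os.path.getsize(path) - len(PCAP_GLOBAL)) // (RECORD_HEADER_LEN + frame_len)


def demo(n_frames: int = 50, max_files: int = 3, max_bytes: int = 1024) -> Dict[str, object]:
    """Constructed run: 50 frames of 184 bytes -> 200-byte records, 5 per 1024-byte file."""
    workdir = tempfile.mkdtemp()
    try:
        cap = RingBufferCapture(workdir, "fred", max_files, max_bytes)
        frame = b"\x00" * 184
        for i in range(n_frames):
            cap.write(1_000_000 + i, frame)
        cap.close()
        kept = sorted(os.listdir(workdir))
        newest = os.path.join(workdir, kept[-1])
        return {
            "total_created": cap.seq,
            "on_disk": len(kept),
            "kept": kept,
            "frames_in_newest": frames_in_file(newest, len(frame)),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

With these numbers ten files are created over the run but only `fred_00008.pcap` through `fred_00010.pcap` remain, which is the trade-off the notes warn about: a ring buffer bounds disk usage, but anything that happened before the oldest surviving file is no longer available for analysis.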
Notes:
Here are some of the things to know:
Examining the Interfaces
Select Capture > Interfaces to see the active interfaces and check out the interface details, start capturing right away or set up your capture options.
Capture Filters
Make a Not Me capture filter to filter out your traffic from your trace files. You don't want your email or web browsing session to be captured when you are working on Fred's network problems. The syntax for a Not Me capture filter is not ether host 00:21:97:40:74:d2 (with your MAC address).
Set the Time Correctly
Use Edit > Time Display Format > Seconds Since Previous Displayed Packet to see the delta time from the end of one packet to the end of the next. Now you can sort the time column to see large gaps in time!
Listen to the Expert
Select Analyze > Expert Info Composite to identify possible problems seen in the trace file. Expand the findings to locate specific packets in the trace.
Check the IO Rate
Select Statistics > IO Graph to note when the IO rate drops. Click anywhere on the IO graph to locate that area in the trace.
Notes:
Here are some of the things I'm going to demonstrate (continued):
Measure Pain
Learn to measure time between packets spread throughout the trace. Select the start point and right-click. Choose Set Time Reference (toggle). You might be prompted for the time format change. Scroll down to the next time measurement and the time column now shows you the time from the Time Referenced packet to this one. You can set multiple Time Reference packets in the trace if desired.
Right-Click Filtering
In my example, I want to find out if the trace includes BOTH the original and the retransmitted TCP packet (find a retransmission packet). Inside the TCP header, I right-clicked the TCP Sequence Number field and said Prepare as a Filter (just so I can look at the filter before it gets applied). When you apply the filter I will learn if I am upstream (before packet loss occurs) or downstream (after packet loss has occurred) on the network.
Custom Columns
Time permitting, I also wanted to show you how to add a column for the TCP Window Size field value to Wireshark's summary pane. Click the field to see the field name in the status bar at the bottom of the Wireshark window. This field is called tcp.window_size. I showed the right-click Apply as Column feature!
Notes:
Now what?! Here's a quick list of to-do items for you after this class.
1. C'mon, try the new version! Get to www.wireshark.org and update to the latest version of Wireshark.
2. Test analyzer placement: Make sure you feel comfortable with your capture options: hubbing out, tapping out, WLAN AirPcaps, spanning, etc.
3. Baseline your network traffic: Know what's normal. Take baselines of host startup processes, connection to the key network devices, shutdown, etc.
4. Learn to filter (capture AND display): Work with both types of filters. Become a filter guru to save yourself loads of time when analyzing network problems.
5. Don't ignore the Expert Info: Always give a nod to the Expert Info Composite findings. Verify the alerts listed by looking at the trace in depth.
6. Learn TCP/IP at packet level: Installing and configuring a TCP/IP network is entirely different from analyzing the traffic. Get to know TCP/IP inside and out; that includes ARP, IP, TCP, UDP, DHCP, ICMP, HTTP, POP, SMTP, etc. Check out the three trace analysis courses in the All Access Pass (lcuportal.com).
7. Get the Wireshark Network Analysis book for documented techniques on analyzing wired and wireless networks. ISBN 9781893939998 (visit wiresharkbook.com)
8. Get more information about the certification program at www.wiresharktraining.com/certification.
Notes:
Now we move on to live Q&A.
Remember to follow me on Twitter (laurachappell) and check out my blog at www.lcuportal.com.
Check out the other online seminars and keep learning even if it is an hour at a time.
The All Access Pass includes trace file analysis training, Wireshark training and more. Here's a partial list of courses online at lcuportal.com:
AAP Event: Analyzing the Window Zero Condition
Core 1: Wireshark Functionality and TCP/IP Analysis
Core 2: Troubleshoot/Secure Networks with Wireshark
CS42: Hacked Hosts
CS43: Analyze and Improve Throughput
CS44: Top 10 Reasons Your Network is Slow
CS47: Nmap Network Scanning 101
CS58: Packet Crafting to Test Firewalls
CS61: Tshark Command Line Capture
Notes:
Well, thanks much for attending the online live seminar.
You can help us guide the content, length, pricing and format of these courses by sending your thoughts to me at laura@chappellU.com.
Now I ask a favor.
Please help us reach out to the IT community to let them know about these online seminars.