Wireshark
From charlesreid1
Revision as of 06:30, 4 August 2015
Background
Wireshark is a packet analysis tool. It allows you to capture packets and analyze them live, or load captures from another session. You can also use its very handy filter functions to look for specific packets - based on destination, target, type, time, payload, etc.
Packet Captures
Capturing packets on a network is useful for troubleshooting, but it is also useful for seeing what the network normally looks like.
Take a Capture
Open up Wireshark, pick your network interface, and click the green fin to start the capture.
Capture Settings
You can control many of Wireshark's capture options. One nice feature is writing the capture out to a new file at set size increments or time increments: as networks get busier, these capture files get pretty large, so this is a nice feature to have.
You can also load multiple capture files simultaneously.
Capture Syntax
The capture filters use BPF (Berkeley Packet Filter) syntax.
The BPF syntax consists of primitives and operators.
Primitives consist of qualifiers and an ID.
Example:
dst host 192.168.0.10 && tcp port 80
First, the primitives and the operators:
primitive: dst host 192.168.0.10
operator: &&
primitive: tcp port 80
Now the qualifiers and the ID portion of a primitive:
primitive: dst host 192.168.0.10
qualifier: dst
qualifier: host
id: 192.168.0.10
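To make the primitive / operator / qualifier / ID breakdown concrete, here is an added example (not code from the wiki page) that parses a BPF-style capture filter into exactly that structure and then matches it against a constructed packet. It understands only the subset of BPF shown on this page (src/dst, host/net/port, tcp/udp/icmp, and/or); the packet dictionaries and their field names (src, dst, proto, srcport, dstport) are this example's own convention, and real capture filters are compiled by libpcap, not by anything like this.

```python
# Added example, not from the original wiki page: a small parser that breaks
# a BPF-style capture filter into primitives and operators, and each
# primitive into its qualifiers and ID, then matches the result against a
# constructed packet. Only a subset of BPF is understood (host/net/port,
# src/dst, tcp/udp/icmp, and/or); real filters are compiled by libpcap.

import ipaddress

OPERATORS = {"&&": "and", "and": "and", "||": "or", "or": "or"}
QUALIFIERS = {"src", "dst", "host", "net", "port", "tcp", "udp", "icmp"}
PROTOCOLS = {"tcp", "udp", "icmp"}

# Constructed packets (field names are this example's own convention).
HTTP_REQUEST = {"src": "10.0.0.5", "dst": "192.168.0.10", "proto": "tcp",
                "srcport": 51000, "dstport": 80}
DNS_QUERY = {"src": "192.168.0.10", "dst": "192.168.0.1", "proto": "udp",
             "srcport": 53111, "dstport": 53}


def parse_primitive(tokens):
    """Split one primitive's tokens into its qualifiers and its ID."""
    qualifiers = [t for t in tokens if t in QUALIFIERS]
    ids = [t for t in tokens if t not in QUALIFIERS]
    if len(ids) > 1:
        raise ValueError(f"primitive has more than one ID: {' '.join(tokens)}")
    return {"qualifiers": qualifiers, "id": ids[0] if ids else None}


def parse_bpf(expression):
    """Return the filter as an ordered list of primitives and operators."""
    parts, current = [], []
    for token in expression.split():
        if token in OPERATORS:
            if not current:
                raise ValueError(f"operator {token!r} without a preceding primitive")
            parts.append({"primitive": parse_primitive(current)})
            parts.append({"operator": OPERATORS[token]})
            current = []
        else:
            current.append(token)
    if not current:
        raise ValueError("filter ends with an operator")
    parts.append({"primitive": parse_primitive(current)})
    return parts


def _primitive_matches(prim, pkt):
    """Evaluate one primitive against a packet dict."""
    quals, ident = prim["qualifiers"], prim["id"]
    direction = "src" if "src" in quals else "dst" if "dst" in quals else None
    proto = next((q for q in quals if q in PROTOCOLS), None)
    if proto and pkt["proto"] != proto:
        return False
    if "host" in quals:
        fields = [direction] if direction else ["src", "dst"]
        return any(pkt[f] == ident for f in fields)
    if "net" in quals:
        net = ipaddress.ip_network(ident, strict=False)
        fields = [direction] if direction else ["src", "dst"]
        return any(ipaddress.ip_address(pkt[f]) in net for f in fields)
    if "port" in quals:
        fields = [direction + "port"] if direction else ["srcport", "dstport"]
        return any(pkt[f] == int(ident) for f in fields)
    return True  # bare protocol qualifier such as "tcp"


def matches(expression, pkt):
    """Evaluate a filter left to right; in BPF, and/or have equal precedence."""
    result, pending = None, None
    for part in parse_bpf(expression):
        if "operator" in part:
            pending = part["operator"]
            continue
        value = _primitive_matches(part["primitive"], pkt)
        if result is None:
            result = value
        elif pending == "and":
            result = result and value
        else:
            result = result or value
    return result


if __name__ == "__main__":
    for part in parse_bpf("dst host 192.168.0.10 && tcp port 80"):
        print(part)
    print(matches("dst host 192.168.0.10 && tcp port 80", HTTP_REQUEST))
```

Note that libpcap gives "and" and "or" equal precedence and evaluates left to right, which is why the matcher above does not build a precedence tree; parenthesised sub-expressions are not supported in this toy.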
Filtering Packets
It is usually better to capture everything and hide packets using display filters, instead of applying capture filters on the capture level.
Use the filter expression dialog to create packet display filters.
Operators and Filter Expressions
You can use several comparison operators and logical operators when constructing the display filter.
Comparison Operators:
== (or eq) - equal to
!= (or ne) - not equal to
> (or gt) - greater than
< (or lt) - less than
>= (or ge) - greater than or equal to
<= (or le) - less than or equal to
Logical Operators:
&& (or and) - and
|| (or or) - or
^^ (or xor) - xor
! (or not) - not
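As an added example (not code from the wiki page), the following is a minimal evaluator for Wireshark-style display filters that supports the comparison and logical operators listed above and runs them over a small constructed capture. Field names follow Wireshark's protocol.field convention, but the packets, their values, the ALIASES table and the operator precedence used here are this example's own assumptions, not Wireshark's implementation.

```python
# Added example, not from the original wiki page: a minimal evaluator for
# Wireshark-style display filters covering the comparison operators
# (==, !=, >, <, >=, <=) and logical operators (&&, ||, ^^, !), run over a
# small constructed capture. Field names follow Wireshark's protocol.field
# convention; the packets and their values are made up.

import operator
import re

COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}
TOKEN = re.compile(r'&&|\|\||\^\^|!=|==|>=|<=|[()!<>]|"[^"]*"|[^\s()!<>=&|^"]+')

# Multi-valued fields: ip.addr covers both source and destination, so
# "ip.addr == X" means "either address is X". With the "any value" semantics
# of Wireshark releases of this era, "ip.addr != X" means "either address is
# not X", which is almost always true; "!(ip.addr == X)" is the usual intent.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

# Constructed capture (frame numbers, addresses and sizes are made up).
CAPTURE = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "192.168.0.10",
     "ip.dst": "10.0.0.5", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"frame.number": 2, "frame.len": 1514, "ip.src": "10.0.0.5",
     "ip.dst": "192.168.0.10", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"frame.number": 3, "frame.len": 82, "ip.src": "192.168.0.11",
     "ip.dst": "192.168.0.1", "udp.srcport": 53111, "udp.dstport": 53},
    {"frame.number": 4, "frame.len": 146, "ip.src": "192.168.0.1",
     "ip.dst": "192.168.0.11", "udp.srcport": 53, "udp.dstport": 53111},
]


class _Parser:
    # Precedence assumed here, loosest to tightest: ||, ^^, &&, then !
    LEVELS = [(("||", "or"), "or"), (("^^", "xor"), "xor"), (("&&", "and"), "and")]

    def __init__(self, expression):
        self.toks = TOKEN.findall(expression)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._level(0)
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def _level(self, n):
        if n == len(self.LEVELS):
            return self._unary()
        symbols, name = self.LEVELS[n]
        node = self._level(n + 1)
        while self.peek() in symbols:
            self.take()
            node = (name, node, self._level(n + 1))
        return node

    def _unary(self):
        if self.peek() in ("!", "not"):
            self.take()
            return ("not", self._unary())
        tok = self.take()
        if tok == "(":
            node = self._level(0)
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in COMPARE or tok == ")":
            raise ValueError("expected a field name")
        if self.peek() in COMPARE:
            op, value = self.take(), self.take()
            if value is None:
                raise ValueError(f"missing value after {op}")
            return ("cmp", tok, op, value)
        return ("exists", tok)  # a bare field name tests for presence


def _values(pkt, field):
    if field in pkt:
        return [pkt[field]]
    return [pkt[f] for f in ALIASES.get(field, ()) if f in pkt]


def _coerce(raw, like):
    return int(raw) if isinstance(like, int) else raw.strip('"')


def _eval(node, pkt):
    kind = node[0]
    if kind == "cmp":
        _, field, op, raw = node
        return any(COMPARE[op](v, _coerce(raw, v)) for v in _values(pkt, field))
    if kind == "exists":
        return bool(_values(pkt, node[1]))
    if kind == "not":
        return not _eval(node[1], pkt)
    left, right = _eval(node[1], pkt), _eval(node[2], pkt)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]


def apply_filter(expression, packets):
    """Return the frame numbers of the packets the display filter keeps."""
    tree = _Parser(expression).parse()
    return [p["frame.number"] for p in packets if _eval(tree, p)]
```

Try apply_filter("ip.addr != 192.168.0.10", CAPTURE) against apply_filter("!(ip.addr == 192.168.0.10)", CAPTURE): the first keeps every frame, the second only frames 3 and 4, which is the multi-valued-field behaviour that trips up most new users of display filters.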
Advanced Stuff
Endpoints and Conversations
You can see the network endpoints, or members of a network that initiate/terminate conversation and communication, by picking Statistics > Endpoints. This shows a list of endpoints and statistics.
You can see the conversations between two endpoints by picking Statistics > Conversations, which will show a window with a list of IP address pairs and various statistics of each conversation.
Endpoints and Conversations are useful when troubleshooting large amounts of traffic, or for determining which server is busiest.
Protocol Statistics
You can open Statistics > Protocol Hierarchy to see information about what protocols are used in what amounts.
This can be useful if you are trying to determine "normal" behavior for a network, and then trying to determine if a particular day's traffic is an outlier and why.
By looking at a network's traffic protocol statistics, you can learn a lot about that network. Example: the IT department will use admin protocols like ICMP or SNMP; the ordering department will use lots of SMTP; interns will use WoW.
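To show what the Endpoints, Conversations and Protocol Hierarchy views compute, and how a protocol baseline can flag an unusual day, here is an added example (not code from the wiki page) that derives all three from a constructed packet list. The packets, addresses, sizes, protocol stacks and the 10% change threshold are all made up for this example; in practice you would get the same numbers from the Statistics menu, or from tshark, over a real capture.

```python
# Added example, not from the original wiki page: computing the Endpoints,
# Conversations and Protocol Hierarchy views from a constructed list of
# packets, then using them to find the busiest endpoint and to flag a day
# whose protocol mix differs from a baseline.

from collections import Counter, defaultdict

# Constructed packets: (source, destination, frame bytes, protocol stack).
BASELINE = [
    ("192.168.0.10", "192.168.0.20", 74,   ("eth", "ip", "tcp", "http")),
    ("192.168.0.20", "192.168.0.10", 1514, ("eth", "ip", "tcp", "http")),
    ("192.168.0.11", "192.168.0.20", 66,   ("eth", "ip", "tcp", "http")),
    ("192.168.0.20", "192.168.0.11", 1514, ("eth", "ip", "tcp", "http")),
    ("192.168.0.11", "192.168.0.1",  82,   ("eth", "ip", "udp", "dns")),
    ("192.168.0.1",  "192.168.0.11", 146,  ("eth", "ip", "udp", "dns")),
    ("192.168.0.12", "192.168.0.1",  98,   ("eth", "ip", "icmp")),
    ("192.168.0.1",  "192.168.0.12", 98,   ("eth", "ip", "icmp")),
]
# A later day's constructed traffic: the same packets plus a burst of SMTP.
TODAY = BASELINE + [("192.168.0.12", "192.168.0.25", 90,
                     ("eth", "ip", "tcp", "smtp"))] * 8


def endpoints(packets):
    """Packets and bytes seen per address, like Statistics > Endpoints."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, size, _ in packets:
        for addr in (src, dst):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += size
    return dict(stats)


def conversations(packets):
    """Totals per address pair in either direction, like Statistics > Conversations."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, size, _ in packets:
        pair = tuple(sorted((src, dst)))
        stats[pair]["packets"] += 1
        stats[pair]["bytes"] += size
    return dict(stats)


def busiest_endpoint(packets):
    """The address that moved the most bytes."""
    return max(endpoints(packets).items(), key=lambda item: item[1]["bytes"])[0]


def protocol_hierarchy(packets):
    """Packet counts per protocol path, like Statistics > Protocol Hierarchy."""
    counts = Counter()
    for _, _, _, stack in packets:
        for depth in range(1, len(stack) + 1):
            counts["/".join(stack[:depth])] += 1
    return dict(counts)


def protocol_mix(packets):
    """Share of packets by top-most protocol: the 'normal' profile to compare against."""
    top = Counter(stack[-1] for _, _, _, stack in packets)
    total = sum(top.values())
    return {proto: count / total for proto, count in top.items()}


def outlier_protocols(baseline_mix, today_mix, threshold=0.10):
    """Protocols whose share changed by more than `threshold` (absolute) since the baseline."""
    deltas = {}
    for proto in set(baseline_mix) | set(today_mix):
        delta = today_mix.get(proto, 0.0) - baseline_mix.get(proto, 0.0)
        if abs(delta) > threshold:
            deltas[proto] = delta
    return deltas


if __name__ == "__main__":
    print("busiest endpoint:", busiest_endpoint(BASELINE))
    print("protocol hierarchy:", protocol_hierarchy(BASELINE))
    print("outliers today:", outlier_protocols(protocol_mix(BASELINE), protocol_mix(TODAY)))
```

The hierarchy counts every layer a packet passes through, so "eth/ip" equals the total packet count while "eth/ip/tcp/http" counts only the HTTP frames, which is the same nesting Wireshark shows in the Protocol Hierarchy window.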
Name Resolution
Converting between a MAC address and an IP address is name resolution that uses the ARP protocol.
Converting from an IP address to a human-readable domain name uses the DNS protocol.