Lab 2: Packet Capture & Traffic Analysis with Wireshark


1 Lab 2: Packet Capture & Traffic Analysis with Wireshark
Goals: This lab introduces packet capture (packet sniffing) and network traffic analysis with the Wireshark tool. Prepared by T.Najed ALmutairi

2 Agenda
Wireshark introduction and purposes
Download and install
Capture traffic
Stop capturing traffic
Display filters
Saving display filters
Follow TCP Stream
Wireshark statistics
Capture ARP & ICMP protocol traffic using Wireshark

3 What is Wireshark?
Wireshark is a network packet/protocol analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

4 Some intended purposes
Network administrators use it to troubleshoot network problems.
Network security engineers use it to examine security problems.
Developers use it to debug protocol implementations.
People use it to learn network protocol internals.
Wireshark isn't an intrusion detection system. Wireshark will not manipulate things on the network; it will only "measure" things from it.

5 Wireshark System Overview

6 Download and install Wireshark on your PC.
If Wireshark is not currently available on your PC, you can download the latest Windows version from

7 Download and install Wireshark on your PC.

8 Configuration
The "promiscuous mode" checkbox tells Wireshark to put the interface in promiscuous mode when capturing. If you do not select it, Wireshark will only capture the packets going to or from your computer, not all packets on your LAN segment.

9 Wireshark Interface

10 Using Wireshark to Capture Traffic
Start the Wireshark application. When Wireshark is first run, a default (blank) window is shown. To list the available network interfaces, select the Capture->Interfaces menu option.

11 Using Wireshark to Capture Traffic
Wireshark should display a popup window such as the one shown in Figure 2. To capture network traffic, click the Start button for the network interface you want to capture traffic on. Windows can list a long run of virtual interfaces before the Ethernet Network Interface Card (NIC).

12 Using Wireshark to Capture Traffic
Generate some network traffic with a web browser, such as Internet Explorer or Chrome. Your Wireshark window should now show the packets and look something like the figure, with three panels:
Packet list panel
Packet details panel
Packet bytes panel

13 The capture is split into 3 parts:
1. Packet List Panel: this is a list of packets in the current capture. It colours the packets based on the protocol type. When a packet is selected, its details are shown in the two panels below.
2. Packet Details Panel: this shows the details of the selected packet. It shows the different protocols making up the layers of data for this packet. Layers include Frame, Ethernet, IP, TCP/UDP/ICMP, and application protocols such as HTTP.
3. Packet Bytes Panel: shows the packet bytes in hex and ASCII encodings.

14 Stop Capturing Traffic
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.

15 Wireshark Display Filters.
Display filters (also called post-filters) only filter the view of what you are seeing; all packets in the capture still exist in the trace. Display filters use their own format and are much more powerful than capture filters.

16 Wireshark Display Filters.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type "dns" and you'll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.

17 Wireshark Display Filters formats

18 Wireshark Display Filters.
If the filter syntax is correct, the filter box is highlighted in green; if there is a syntax mistake, it is highlighted in red. (Correct syntax / wrong syntax)

19 Display Filter Exercises
Using the Wireshark program, show the results of the following filters and take a screenshot of each.
Ex #1: Display SNMP, DNS or HTTP traffic.
Ex #2: Display packets with TCP source or destination port 25.
Ex #3: Display packets that have a given TCP flag set.

20 Follow TCP Stream

21 Follow TCP Stream
Red: data you sent. Blue: data you received.

22 Saving Packet Filters
To save only the displayed packets, select File->Export Specified Packets and make sure the Displayed radio button is selected rather than the Captured option. This creates a pcap file containing only the packets that pass the current display filter.

23 Wireshark Statistics
Select the Statistics->Protocol Hierarchy menu option. The window shown displays statistics about the pcap. Note that all the packets are Ethernet (Local Area Network) packets, and that above that most of the packets are TCP, with some UDP.

24 Wireshark Statistics
Select the Statistics->Flow Graph menu option. Choose the General Flow and Network Source options, and click the OK button. A window similar to the one shown should be displayed, showing the flow of traffic.

25 Capture ARP & ICMP Protocol Traffic using Wireshark.
Start a Wireshark capture. Open a Windows console window and generate some ICMP traffic by using the ping command line tool to check the connectivity of a neighbouring machine (or your home router).

26 Capture ARP & ICMP Protocol Traffic using Wireshark.
Stop the capture; Wireshark should now look something like Figure 10. The Address Resolution Protocol (ARP) and ICMP packets are difficult to pick out, so create a display filter that shows only ARP or ICMP packets.

27 Capture ARP & ICMP Protocol Traffic using Wireshark.
Note the results in Wireshark: the initial ARP request broadcast from your PC asks for the physical MAC address belonging to the neighbouring system's IP address, and the ARP reply from the neighbouring system supplies it. After the ARP exchange, the pings (ICMP echo requests and replies) can be seen.
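As an added example that is not part of the lab slides, the Python script below builds a few constructed Ethernet frames of the kinds this lab captures (an ARP request broadcast, an ICMP echo request and two TCP SYNs), dissects them the way the Packet Details panel does, applies the equivalents of the display filters "arp || icmp" (slide 26) and "tcp.port == 25" (exercise 2), and counts frames per layer as Statistics->Protocol Hierarchy does. All MAC and IP addresses are made up, checksums are left zero, and nothing is captured from a real network.

```python
import struct
from collections import Counter

# Constructed sample frames (not a real capture): ARP request, ICMP echo, TCP SYNs to 25 and 80.
ETH_ARP, ETH_IPV4, IP_ICMP, IP_TCP = 0x0806, 0x0800, 1, 6
PC, GW, BCAST = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("001122334455"), b"\xff" * 6
PC_IP, GW_IP = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])

def eth(dst, etype, payload):  # Ethernet II frame sent by the PC
    return dst + PC + struct.pack("!H", etype) + payload
def ipv4(proto, payload):  # minimal 20-byte IPv4 header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, PC_IP, GW_IP) + payload
def tcp(sport, dport, flags):  # 20-byte TCP header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

ARP_REQ = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + PC + PC_IP + bytes(6) + GW_IP
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
FRAMES = [eth(BCAST, ETH_ARP, ARP_REQ),
          eth(GW, ETH_IPV4, ipv4(IP_ICMP, ICMP_ECHO)),
          eth(GW, ETH_IPV4, ipv4(IP_TCP, tcp(40000, 25, 0x02))),
          eth(GW, ETH_IPV4, ipv4(IP_TCP, tcp(40001, 80, 0x02)))]

def dissect(frame):
    """Return the protocol layers of one frame, like the Packet Details panel."""
    etype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"type": etype}}
    if etype == ETH_ARP:
        layers["arp"] = {"opcode": struct.unpack("!H", frame[20:22])[0]}
    elif etype == ETH_IPV4:
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        layers["ip"] = {"proto": proto}
        l4 = frame[14 + ihl:]
        if proto == IP_ICMP:
            layers["icmp"] = {"type": l4[0]}
        elif proto == IP_TCP:
            sport, dport = struct.unpack("!HH", l4[:4])
            layers["tcp"] = {"srcport": sport, "dstport": dport, "flags": l4[13]}
    return layers

# Display-filter equivalents from the lab, as predicates on the dissected layers.
def arp_or_icmp(layers):  # "arp || icmp"
    return "arp" in layers or "icmp" in layers
def tcp_port_25(layers):  # "tcp.port == 25" matches source or destination port
    t = layers.get("tcp")
    return t is not None and 25 in (t["srcport"], t["dstport"])
def apply_filter(frames, pred):  # indices of the frames the filter keeps
    return [i for i, f in enumerate(frames) if pred(dissect(f))]
def protocol_hierarchy(frames):  # frames per layer, like Statistics->Protocol Hierarchy
    return Counter(name for f in frames for name in dissect(f))
```

Running apply_filter(FRAMES, arp_or_icmp) keeps only the ARP and ICMP frames, exactly what the display filter on slide 26 leaves in the packet list.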
