CREATE Re-Tooling: Exploring Protocols with Wireshark
March 12, 2011, CREATE CATC and Ohlone College
© 2010 Cisco Systems, Inc. All rights reserved.

Presentation transcript:

Slide 1: Title slide (CREATE Re-Tooling: Exploring Protocols with Wireshark, March 12, 2011, CREATE CATC and Ohlone College)

Slide 2: Introductions
- Karen Stanton, College of the Canyons
- Michael McKeever, Santa Rosa Junior College
- Danijela Babic, Ohlone College
- Laura Chappell, Wireshark University

Slide 3: Before we start...
- Parking
- Restrooms
- Other?

Slide 4: Agenda
- Introduction to Wireshark
- Capturing Traffic
- Filtering Examples
- Analyzing Protocols

Slide 5: Introduction to Wireshark

Slide 6: What is Wireshark?
"Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course)."
Source: Wireshark User's Guide, http://www.wireshark.org

Slide 7: Wireshark's features
- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Display packets with very detailed protocol information.
- Open and save captured packet data.
- Import and export packet data from and to a lot of other capture programs.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize the packet display based on filters.
- Create various statistics.
... and a lot more!

Slide 8: Another resource
- Wireshark Wiki: http://wiki.wireshark.org/FrontPage

Slide 9: Wireshark main window (screenshot)

Slide 10: Capturing Traffic

Slide 11: Are you allowed to capture traffic?
- Ensure that you are allowed to capture packets from the network you are working on! For example, corporate policies or applicable law might prevent you from capturing on the network you're using.
- If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network administrators and other people are usually not amused by re-arrangements to "their" network.
Source: http://wiki.wireshark.org/CaptureSetup

Slide 12: General setup
- You need root / Administrator privileges to start a live capture.
- You need to choose the right network interface to capture packet data from.
- You need to capture at the right place in the network to see the traffic you want to see.

Slide 13: Ways to start capturing traffic
- You can get an overview of the available local interfaces using the "Capture > Interfaces" dialog box. You can start a capture from this dialog box using (one of) the "Capture" button(s).
- You can start capturing using the "Capture > Options" dialog box.
- If you have already selected the right capture options, you can immediately start a capture using the "Capture > Start" menu / toolbar item. The capture process starts immediately.
- If you already know the name of the capture interface, you can start Wireshark from the command line: wireshark -i eth0 -k

Slide 14: Ways to start capturing traffic: Capture Interfaces window (screenshot)

Slide 15: Ways to start capturing traffic: Capture Options (screenshot)

Slide 16: Ways to start capturing traffic: command line
- C:\program files\wireshark\wireshark.exe -i 1 -k
(-i selects the interface by number or name; -k starts the capture immediately.)

Slide 17: Remote Capture
Client setup (Wireshark): Capture Options
Daemon (remote) setup:
- First install WinPcap on the remote machine. After that, the daemon can be found at C:\Program Files\WinPcap\rpcapd.exe
- The easiest way is to start the daemon from the command line now: rpcapd -n
- The -n switch turns off authentication (the client then connects with Null Authentication, see slide 20).

Slide 18: Practice: Capturing your own traffic
1. Start Wireshark
2. Select the correct interface
3. Start the capture
4. Generate traffic
5. Stop the capture

Slide 19: Practice: Capturing Remote Traffic
Work with a partner on this exercise. You will need two computers: Computer 1, the remote daemon; and Computer 2, the Wireshark client.
Computer 1 (remote):
- Start the WinPcap daemon: go to the command prompt, change to the directory where WinPcap is installed, and run the following command: rpcapd -n

Slide 20: Practice: Capturing Remote Traffic
Computer 2 (Wireshark):
1. Start Wireshark
2. Go to Capture Options
3. For interface type, select Remote
4. Enter the IP address of Computer 1 as the Host IP address
5. Select Null Authentication and then OK
6. Select the correct remote interface and then click Start
7. Generate traffic on Computer 1
Can you capture the remote traffic?

Slide 21: Filtering Traffic
(Squid, a popular web proxy/cache server)

Slide 22: Two Types of Filters
- Display Filters
- Capture Filters

Slide 23: Capture Filters
Capture only traffic to or from IP address 172.18.5.4:
  host 172.18.5.4
Capture traffic to or from a range of IP addresses:
  net 192.168.0.0/24  or  net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
  src net 192.168.0.0/24  or  src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses:
  dst net 192.168.0.0/24  or  dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic:
  port 53
Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
  host www.example.com and not (port 80 or port 25)
  host www.example.com and not port 80 and not port 25

Slide 24: Capture Filters (cont.)
Capture everything except ARP and DNS traffic:
  port not 53 and not arp
Capture traffic within a range of ports:
  (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
  or, with newer versions of libpcap (0.9.1 and later):
  tcp portrange 1501-1549
Capture only Ethernet type EAPOL:
  ether proto 0x888e
Reject Ethernet frames towards the Link Layer Discovery Protocol multicast group:
  not ether dst 01:80:c2:00:00:0e
Capture only IP traffic (the shortest filter, but sometimes very useful to get rid of lower-layer protocols like ARP and STP):
  ip
Capture only unicast traffic (useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements):
  not broadcast and not multicast
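The port-range filter on slide 24 reads two bytes at offsets 0 and 2 of the TCP header, which are the source and destination ports. The Python below is an added example, not part of the slides: it evaluates that byte-offset filter on constructed frames the way BPF does (big-endian, relative to the TCP header, honouring the IPv4 IHL), and checks that the older form and "tcp portrange 1501-1549" agree, and that neither matches a UDP frame. Frames, addresses and ports are all constructed.

```python
"""Evaluate the slide's byte-offset capture filter on constructed frames (added example)."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def build_frame(src_port, dst_port, proto=IPPROTO_TCP):
    """Constructed Ethernet/IPv4/transport frame; no real hosts involved."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, proto, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20]))
    # Transport header: src port, dst port, seq, ack, data offset, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def tcp_bytes(frame, offset, length):
    """Mimic BPF's tcp[offset:length]: big-endian unsigned value at that offset into
    the TCP header, or None when the frame is not IPv4/TCP (the primitive then fails)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IHL counts 32-bit words; options enlarge it
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    start = 14 + ihl + offset
    return int.from_bytes(frame[start:start + length], "big")

def in_port_range(frame, low=1500, high=1550):
    """Slide 24's older-libpcap filter, exclusive on both ends:
    (tcp[0:2] > low and tcp[0:2] < high) or (tcp[2:2] > low and tcp[2:2] < high)."""
    sport, dport = tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2)
    if sport is None:
        return False
    return (low < sport < high) or (low < dport < high)

def portrange(frame, low=1501, high=1549):
    """The newer 'tcp portrange 1501-1549' form, inclusive on both ends."""
    sport, dport = tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2)
    if sport is None:
        return False
    return (low <= sport <= high) or (low <= dport <= high)
```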

Slide 25: Display Filters: comparison operators (table)

Slide 26: Display Filters
Show only SMTP (port 25) and ICMP traffic:
  tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers, no Internet:
  ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

Slide 27: Analyzing Protocols

Slide 28: Analyzing Protocols
- The user needs to have a good understanding of the protocol
- The protocol analyzer is just a tool

Slide 29: File Transfer Protocol
Characteristics:
- Application protocol
- TCP
- Control: port 21
- Data: port 20
- Clear text
- Commands

Slide 30: Capturing FTP Traffic: Requirements
- FTP server: ftp.sbccnetworking.com
- User authentication enabled
- Small image file

Slide 31: Capturing FTP Traffic: Setup Wireshark
- Configure Wireshark to capture just FTP traffic
- Start Wireshark

Slide 32: Capturing FTP Traffic: Connect to the FTP site
- Open the command prompt and connect to the FTP server as follows:
- Enter the command: ftp ftp.sbccnetworking.com
- Use the following credentials to authenticate:
  Username: student#
  Password: Studentftp#
  where # is a number (1-20) assigned by the instructor

Slide 33: Capturing FTP Traffic: Download an image file
- From the FTP server, download SecretImage.png. Enter the command: get secretimage.png
- Stop the capture after the download.

Slide 34: Analyze traffic (screenshot)

Slide 35: Analyze traffic
- Locate an FTP-DATA frame and follow the TCP stream

Slide 36: Analyze traffic
- Save the stream as raw data under a new name: capturedimage.png
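Slides 33 to 36 recover the downloaded file by following the FTP-DATA stream and saving it as raw bytes, which works because the data channel is clear text. The Python below is an added example, not from the slides: it builds a constructed stand-in for SecretImage.png, splits it into TCP segments that arrive out of order and once retransmitted, reassembles them in sequence order the way Follow TCP Stream does (skipping retransmissions, trimming overlap, refusing gaps), and writes the result only if it starts with the PNG signature. The file name capturedimage.png is the slide's; the image, sequence numbers and segment sizes are constructed.

```python
"""Reassemble an FTP-DATA stream like Follow TCP Stream, then save it raw (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(kind, data):
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + kind + data + struct.pack("!I", crc)

def make_secret_image():
    """Constructed 1x1 PNG standing in for the exercise's SecretImage.png."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00\xff\x00\x00"                            # filter byte + one red pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))

def constructed_segments(data, isn=1000, mss=16):
    """Split data into (seq, payload) TCP segments, then deliver one pair out of order
    and the first one twice, as real captures often show."""
    segs = [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]
    segs[1], segs[2] = segs[2], segs[1]    # out-of-order arrival
    segs.append(segs[0])                   # retransmitted first segment
    return segs

def follow_stream(segments, isn):
    """Reassemble the server-to-client payload in sequence order: sort by seq, skip
    pure retransmissions, drop overlapping prefixes, and stop at the first gap."""
    out = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                       # already have all of these bytes
        if seq > expected:
            raise ValueError(f"gap before seq {seq}: capture is missing a segment")
        out += payload[expected - seq:]    # trim the overlapping prefix
        expected = end
    return bytes(out)

def save_raw(segments, isn, path="capturedimage.png"):
    """Slide 36's 'save as raw' step, with a sanity check that it really is a PNG."""
    data = follow_stream(segments, isn)
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("stream does not start with the PNG signature; wrong stream?")
    with open(path, "wb") as f:
        f.write(data)
    return data
```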

Slide 37: Captured Image (screenshot)

Slide 38: Practice: FTP Capture

Slide 39: Analyzing other Protocols
- Telnet
- RIP v2
- OSPF
- EIGRP
- VPN anyone? Got one somewhere?

