
COMP2322 Lab 1 Introduction to Wireshark Weichao Li Jan. 22, 2016.


1 COMP2322 Lab 1 Introduction to Wireshark
Weichao Li, Jan. 22, 2016

2 Before the lab
Review the content of communication architecture.
Review the TCP/IP model and protocol suite.
Understand data transfer, layering, and encapsulation/demultiplexing.

3 Content
Data capture basics and tools
Getting started with Wireshark
Advanced usage
Traffic and protocol analysis

4 Packet capture
Why do we need to capture packets?
– troubleshoot network problems
– examine security problems
– debug protocol implementations
– learn network protocol internals

5 Existing packet capture tools/sniffers
Classic tools
– Wireshark (http://www.wireshark.org/)
– tcpdump (http://www.tcpdump.org/)
Other tools
– Ettercap
– Dsniff
– Ntop
– KISMET
– WinDump
– Tshark
– …

6 What is Wireshark?
An open-source network protocol analyzer
– captures network packets
– displays the packet data
Decodes 1,926 protocols (v2.0.1).
Supports command-line and GUI interfaces.
Runs on many platforms, including Windows, OS X, Linux, and UNIX.
Many online resources: Wireshark User’s Guide (http://www.wireshark.org/download/docs/user-guide-a4.pdf)

7 How does Wireshark work?
[Figure: Wireshark runs on top of the capture library: WinPcap on Windows, libpcap on Linux]

8 Libpcap and Winpcap
Libpcap and Winpcap are libraries for network traffic capture, providing the core functions of packet capturing.
– Linux/Unix -> libpcap
– Windows -> winpcap
Homepage of libpcap:
– http://www.tcpdump.org/
Homepage of winpcap:
– http://www.winpcap.org

9 Tcpdump and Windump
Tcpdump
– Unix-based command-line tool used to analyze packets
– Includes filtering to capture just the packets of interest
– Homepage: http://www.tcpdump.org/
Windump
– The Windows version of tcpdump
– Homepage: http://www.winpcap.org/windump/

10 Tshark
Also a network protocol analyzer
Command-line version of Wireshark
User manual: https://www.wireshark.org/docs/man-pages/tshark.html

11 Basic usage of Wireshark
Tip: packet capture needs root / administrator privileges
Packet capture: select the right interface!
Save / open trace

12 Practice 1: my first packet trace
Y:\Win32\WiresharkPortable_1.4
Select the right interface.
Start packet capture for 10 seconds and save the trace.
Question 1 (2 marks for each part in a question)
– A) How many interfaces have you observed? What are they?
– B) Which interface will you choose and why?

13 Advanced usage (1): filters
Capture filters
– Only the packets meeting the rule will be captured and decoded in Wireshark.
– Syntax
  Specify protocols: ip, tcp, udp
  Specify host: host, dst, src
– More filters can be found at: http://wiki.wireshark.org/CaptureFilters
Display filters
– Do not affect captured packets.
– Only determine whether or not to display some packets.
– Syntax
– Useful: Follow TCP Stream
– More filters can be found at: http://wiki.wireshark.org/DisplayFilters

14 Advanced usage (2)
Follow a stream.
– Stream: [IP address A, port A, IP address B, port B]
Adjust the layout and columns.
– Edit -> Preferences
Statistics
– Summary: general statistics about the current capture file
– Conversations: statistics of the captured conversations (a conversation is the traffic between two specific endpoints)
– Endpoints: traffic statistics of an end host
– IO Graphs: visualizing the number of packets over time
– …

15 Analyze a Web application
The World Wide Web (WWW) is the most popular Internet application.
Answer the following questions (Question 2):
– A) What’s the relationship between the Web and HTTP?
– B) What type of protocol does HTTP belong to?
– C) How many application protocols have you captured when accessing a website?

16 Practice 2: analyze HTTP traffic
Y:\Win32\WiresharkPortable
Select the right interface.
Visit www.polyu.edu.hk.
Analyze the HTTP traffic (Question 3)
– A) What’s your HTTP request method?
– B) What’s your HTTP request version?
– C) What’s the status code in the response? What does it mean?

17 Practice 2 (cont’d)
Apply a display filter so that only HTTP packets are shown (Question 4)
– A) How many HTTP requests have been sent to the Web server?
– B) Write down each request (at least 3).

18 Practice 3
Try different capture filters (Question 5)
– A) How can I capture only HTTP traffic?
– B) How can I capture only the traffic from/to a specified host?
Visit http://www.polyu.edu.hk again and analyze the HTTP traffic (Question 6)
– A) What’s your IP address?
– B) What’s the server’s IP address?
Visit http://www.polyu.edu.hk/test and analyze the HTTP traffic (Question 7)
– A) What’s the difference compared with the last step?

19 Practice 3 (cont’d)
Visit http://www.oneprobe.org and analyze the HTTP traffic (Question 8)
– A) What’s the difference compared with the previous steps?
– B) How many Web servers have you accessed?
– C) Write down the exact IP addresses of the servers.
– D) Explain what happened in this HTTP session.

20 Practice 4
Delete the capture filter
Start a new capture
Visit http://hk.yahoo.com/
When the page is fully loaded, stop capturing
Compare the throughput of UDP and TCP over time (through Statistics -> IO Graphs)
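What Wireshark does behind the GUI in slides 13 and 14 and in Practices 2 and 4 (reading the libpcap/WinPcap record format, walking the Ethernet/IPv4/TCP/UDP encapsulation, grouping packets into streams keyed by [IP A, port A, IP B, port B], pulling the HTTP request method, version and status code out of a stream, applying a display filter, and binning bytes per second per transport protocol as IO Graphs does), shown as an added Python example. This is not code from the lab or from the Wireshark project: the trace it analyzes is constructed inline with documentation-range addresses and made-up payloads, checksums are left at zero, and only the classic little-endian pcap format with an Ethernet link type is handled.

```python
import struct
from collections import defaultdict

# ---- pcap container: 24-byte global header, then (16-byte record header + frame) ----
def build_pcap(records):
    """records: list of (ts_sec, ts_usec, frame_bytes) -> classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (timestamp, frame) per record: the raw frames libpcap/WinPcap hand to Wireshark."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen

# ---- constructed frames (checksums left at zero; Wireshark still decodes such frames) ----
def ip_frame(proto, src, sport, dst, dport, payload):
    if proto == 6:    # minimal TCP header: data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:             # UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + l4   # zeroed MACs, EtherType 0x0800 = IPv4

# ---- decapsulation: Ethernet -> IPv4 -> TCP/UDP, the demultiplexing the lab refers to ----
def decode(frame):
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                   # not IPv4: ignored in this example
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:]
    if proto == 6:
        name, payload = "tcp", l4[(l4[12] >> 4) * 4:]   # skip TCP header by data offset
    elif proto == 17:
        name, payload = "udp", l4[8:]
    else:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"proto": name, "src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "payload": payload, "len": len(frame)}

def stream_key(pkt):
    """Wireshark's stream: [IP A, port A, IP B, port B]; both directions get the same key."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def http_info(payload):
    """Parse an HTTP/1.x start line: request -> method/target/version, response -> status."""
    parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return {"kind": "request", "method": parts[0], "target": parts[1], "version": parts[2]}
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return {"kind": "response", "version": parts[0], "status": int(parts[1])}
    return None

def analyze(pcap_bytes, display_filter=lambda pkt: True):
    """Group packets into streams and collect HTTP start lines seen on port 80.
    display_filter behaves like a Wireshark display filter: it hides packets from
    the analysis but does not change what was captured."""
    streams, http = defaultdict(list), []
    for _, frame in parse_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None or not display_filter(pkt):
            continue
        streams[stream_key(pkt)].append(pkt)
        if pkt["proto"] == "tcp" and 80 in (pkt["sport"], pkt["dport"]):
            info = http_info(pkt["payload"])
            if info:
                http.append(info)
    return dict(streams), http

def io_graph(pcap_bytes, interval=1.0):
    """Bytes per transport protocol per time bin, as Statistics -> IO Graphs plots them."""
    bins = defaultdict(int)
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt:
            bins[(pkt["proto"], int(ts // interval))] += pkt["len"]
    return dict(bins)

# Constructed sample trace: a DNS lookup, then two HTTP exchanges on one TCP stream.
# Addresses are private/documentation ranges, not real hosts.
CLIENT, RESOLVER, WEB = "10.0.0.5", "10.0.0.1", "203.0.113.10"
SAMPLE_TRACE = build_pcap([
    (1453420800, 0,      ip_frame(17, CLIENT, 51000, RESOLVER, 53, b"<constructed DNS query>")),
    (1453420800, 200000, ip_frame(6, CLIENT, 49152, WEB, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
    (1453420800, 300000, ip_frame(6, WEB, 80, CLIENT, 49152, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    (1453420801, 100000, ip_frame(6, CLIENT, 49152, WEB, 80, b"GET /test HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
    (1453420801, 200000, ip_frame(6, WEB, 80, CLIENT, 49152, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")),
])

if __name__ == "__main__":
    streams, http = analyze(SAMPLE_TRACE)
    print(len(streams), "streams;", http)
```

Passing `display_filter=lambda p: p["proto"] == "tcp" and 80 in (p["sport"], p["dport"])` to `analyze` hides the DNS packet the way the HTTP display filter in Practice 2 does, while `SAMPLE_TRACE` itself is unchanged; a capture filter, by contrast, would have kept the DNS frame out of the file in the first place. The `io_graph` output separates the UDP and TCP byte counts per second, which is the comparison Practice 4 asks for.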

21 Practice 5
Start a new capture
Visit https://www.google.com.hk
When the page is fully loaded, stop capturing
Identify the HTTPS traffic (Question 9)
– A) What’s the default port of HTTPS?
– B) What can you see after applying “Follow TCP Stream”?
– C) Write down the process of how an HTTPS connection is established.

22 Practice 6
Visit http://www.facebook.com and analyze the HTTP traffic
– Record the IP address of the Facebook server
– Save the trace
Visit Facebook again at home, and compare the trace with the one obtained on campus (Question 10)
– A) Record the IP address of the Facebook server.
– B) Is the IP address recorded at home the same as the one recorded on campus?
– C) If not, explain why the servers are different.

23 Further reading
CDN (content delivery network)
– http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/

24 Thanks

