Today’s writing is copied from a cisco material.
Wireshark® is one of the common tools that is used to perform packet capture and analysis. Wireshark is available for Windows, Linux, and Macintosh systems.
Wireshark is designed to provide a graphical environment for packet analysis. Wireshark allows you to capture packets live and to open PCAP files that have been captured through another packet-capture device. As with tcpdump, there are limitations to the speed at which Wireshark can capture. It can take a considerable amount of time to process large files. Similar to tcpdump, Wireshark needs to run as Administrator or root to use promiscuous mode. To open a prerecorded PCAP file, a standard user account is acceptable.
Below is an example of using Wireshark to examine a PCAP containing Telnet traffic. Telnet traffic is sent one character at a time in cleartext, that is why you won’t see the Telnet username and password in a single Telnet packet. Using the Wireshark Follow the TCP Stream feature, Wireshark will put all the data together so you will be able to see the Telnet username and cleartext password. The example below shows the username student and the password Cisco123!.
overview of Wireshark.
This section provides a high-level overview of Wireshark. Throughout the different labs in the course, you will use Wireshark to perform packet capture and to analyze the PCAPs.
Clicking Capture Options from the main screen opens the Capture Options window. The Capture Options window allows you to select an interface if there are multiple interfaces, define filenames for output, set display options, end capture options, and define name-resolution options. If you are capturing traffic live, it is strongly recommended that you disable network name resolution by unchecking the Enable Network Name Resolution check box.
Interface Settings
Double-click an interface to open the Edit Interface Settings window, which is shown in the figure below. This window allows you to limit the packet size, which sometimes may be required by your organization because of legal restraints. Also, you can set capture filters. Click the Capture Filter button to display examples of capture filters.
Capture Filter
Alternatively, Wireshark can read data from a prerecorded PCAP file, using the File menu Open option. Note a brief summary at the bottom of the window of the PCAP file to be opened.
Once a packet capture has been started or a PCAP file has been opened, the main interface of Wireshark (shown below) is presented.
Packet analysis
The main interface of Wireshark consists of three components:
- The packet list shows a complete list of packets within the current capture. Information about each packet is presented in customizable columns. By default, this information includes the packet number, time stamp, source address, destination address, protocol, and a summary field of protocol-specific information.
- The packet details list shows detailed information about the highlighted packet. Protocols within the packet are presented in expandable panes, with each field enumerated and explained. Some basic analysis is performed, such as translating port numbers to more human-readable names or displaying the human-readable flags in the Flags field.
- The packet bytes pane shows the raw bytes of the highlighted packet, starting at the link-level header. The output is divided into three columns: offset, hexadecimal representation, and ASCII representation.
In the main interface, analysts can quickly move around the capture to inspect packets of interest. Clicking a packet in the top third of the window, the packet list, alters the other two panes to show the details and bytes of the highlighted packet.
Expanding protocols within the packet details pane, analysts may find a field that interests them. As shown in the figure below, clicking a field highlights the relevant bytes in the packet bytes pane. This information not only helps analysts quickly learn about protocol structures, it also allows users who are more familiar with the protocol to quickly identify any inconsistencies.
A brief mention of the role of filters is necessary at this point to distinguish the display filters at the top of the Wireshark window. In the example below, the http filter is applied to show HTTP traffic only. Do not confuse the display filters with the capture filters that were described with tcpdump. Tcpdump capture filters use BPF syntax. Wireshark display filters do not affect what is being captured, and they use proprietary syntax.
Packet analysis
Leave a Reply