Chappell Wireshark 101 Handouts


Register online at www.chappellseminars.com

Jumpstart: Wireshark 101

Notes: Wireshark Jumpstart: Wireshark 101


Live Online Seminar, www.chappellseminars.com. Presenter: Laura Chappell, Founder of Chappell University and Wireshark University, [email protected]. Follow me: www.twitter.com/LauraChappell. Read my blog: laurachappell.blogspot.com

The phone rings, multiple lines at one time; never a good sign. The users are complaining about network performance again. They never call to say the network is doing great today; they don't remember the numerous days when the network supported their every whim. No. They only call to complain. Being an IT support person is a thankless job. In this live online seminar, Laura Chappell explains and demonstrates the key tasks using Wireshark, the world's most popular network analyzer. Tell your friends, tell your colleagues. This is one seminar not to miss. This seminar is brought to you for free by our sponsor, NetOptics. Thank you NetOptics!

Chappell University. All Rights Reserved.


Notes:

Live Online Seminar, www.chappellseminars.com. Special thanks to NetOptics for sponsoring this online seminar so we can offer it free to our audience. Laura approached NetOptics for sponsorship because she uses their taps in her analysis work. Please visit NetOptics at www.netoptics.com and thank them for their sponsorship. Tweet your thanks using the tags #netoptics and #chappellseminars.


Notes:
Please follow me on Twitter and subscribe to my blog. Check out the other online seminars and keep learning, even if it is an hour at a time. Register for upcoming seminars at chappellseminars.com:
- Top 10 Reasons Your Network is Slow [HOT!]
- Wireshark Jumpstart, new dates TBA (take it again, invite your team)
- Trace Back to a Suspicious Host
- Analyze and Improve Network Throughput: Packet Loss and Latency Analysis
- Hacked Hosts: Network Forensics, Identify Suspicious Traffic Patterns
If you want to start learning right now, then check out the over 200 video courses online at www.chappellU.com. See the discount code later in this document.


Notes:
These are the areas we will discuss in today's seminar:
- What is Wireshark? I'll show you a diagram of the elements of Wireshark.
- Placing the Analyzer. Do this right and save yourself loads of time.
- Capture and Display Filters. Focus on specific types of traffic.
- Spotting Problems. Let the Expert Info Composite window guide you.
- Basic Traffic Graphs: a picture is worth a thousand packets!
- Overview of Command Line Tools. Sometimes you need to go command line.
- Q&A. I'll get to as many questions as time permits.
So let's get started.


Notes:
Too often I am called on site to troubleshoot a network after everyone has pulled their hair out. It boggles the mind. Why didn't these people put an analyzer on the network and look at the traffic? The packets never lie! Wireshark is a FIRST RESPONDER tool. Network slow? Get the trace! Can't connect? Get the trace! System behaving strangely? Get the trace! Network analysis can always tell you WHERE the problem is, but it cannot always tell you WHY the problem is happening.


Notes:
When you are capturing traffic off the network, you are using one of three possible drivers:
- WinPcap driver: used on Windows hosts running Wireshark.
- AirPcap driver: used to capture WLAN traffic on a Windows host.
- Libpcap driver: used to capture traffic on a *nix host.
The first filter applied is the capture filter. If you apply a capture filter for all broadcast traffic, that is what will be passed up to the capture engine. You can't go back and get packets that were filtered out from view using capture filters, so use these sparingly.


Notes:
You do not need WinPcap, AirPcap or Libpcap in order to open up trace files. Those drivers are used to capture traffic on the network. When you open a trace file, you are using the wiretap library, which supports numerous trace file formats, including the trace file formats used by Network General Sniffer, Wildpackets OmniPeek, Snoop and more. Select File > Open and click the down arrow to the right of File Type to see the list of recognized file types.


Notes:
Dissectors, plugins and display filters are applied once the packets are passed up, either by the capture engine or the wiretap library, into the core engine. Dissectors/plugins interpret the contents of the packet and are a key component of Wireshark, enabling you to read packets and see interpreted fields. The display filters enable you to select which packets to view based on specific criteria that you define. Display filters do not affect the trace file itself; they only affect which packets you view. The GIMP Tool Kit (commonly referred to as GTK+) provides the graphical interface for Wireshark. GTK+ was initially developed for and used by GIMP, the GNU Image Manipulation Program. It is used by a large number of applications, including the GNU project's GNOME desktop. Select Help > About Wireshark > Folders to find where the various Wireshark files are located. Starting in Wireshark v1.2, the locations listed are hyperlinked so you can quickly open folders.


Notes:
Place the Analyzer Appropriately: Switched networks can cause the analyst grief, blocking the traffic from easy view. We'll go through four ways to capture wired network traffic and a few ways to capture WLAN traffic next. Hey, if you can't see the packets, you are blind to the problem.
Create Baselines: Baselines are sample trace files of traffic when life was good; this will be on your To Do list if it isn't already.
Filter on Specific Conversations or Types of Traffic: If Fred is complaining about his web browsing speeds, you could start with a filter on just Fred's HTTP/HTTPS traffic.
Look for Hot Problems: Pay attention to Wireshark's Expert Info Composite information.
Create Key Graphs: A picture is worth a thousand words. In this case, an IO graph is worth a thousand packets.


Notes:
Unless you are the IT slave at an old school that still supports hubs, you are likely working in a switched environment. Love 'em or hate 'em, switches are necessary network traffic cops. From the analyst's perspective, however, they reduce visibility by limiting the forwarding of traffic from unnecessary paths or segments. Switches forward four types of packets by default:
- Broadcasts (MAC layer broadcasts)
- Multicasts (MAC layer multicasts), if configured to do so
- Traffic to/from the connected host's MAC address
- Traffic to unknown MAC addresses (I hope you never see this)

We'd be blind to Fred's traffic to the server if we placed the analyzer off the switch as shown in the graphic. So what can we do? What CAN we do?!


Notes:
The first thing we can do (although one of my least desired options) is just run Wireshark off Fred's machine. Yeah, it's an easy solution, but filled with risks; we typically don't want to alter the system that is having problems. Network analysis is a passive, non-invasive process. I often compare it to an x-ray machine: oh look, your foot is broken in two places, no more Dancing with the Stars for you! Imagine if the x-ray machine was embedded in your foot to find the problem. Ouch. I also detest the idea of showing Fred that his system can run Wireshark. Fred is, after all, the User from Hell, and in this case ignorance is bliss: his ignorance is my bliss. But sometimes that is the only feasible option. Start Wireshark running in the background (maybe with a nice ring buffer; we'll discuss that later in this class) and tell Fred to do his stuff and show you what he's experiencing. Be sure to uninstall Wireshark afterwards!


Notes:
This option only works on half duplex networks. A stinkin' old hub can save your hide! Hubs are stupid: all they know are 1s and 0s, and they forward every bit in every direction (except back the way the bits came in). By placing a hub along the path between Fred and the switch and plugging my analyzer into the hub, I get to see all Fred's traffic. Watch out for those 10/100/1000 hubs though. If you have a speed mismatch on the connecting devices, that hub may act as a switch between the different speed devices. Test this first, before you need it. Connect two hosts and your analyzer to a hub. Make sure you can see the devices pinging each other. There are a lot of hubs that are cross dressers; they are actually switches. There's no truth in advertising these days (especially in the tech world).


Notes:
If you are working on a full duplex network, a hub ain't gonna cut the mustard (aka won't work, for my international attendees). To tap into a full duplex network, you'll need a full duplex tap. Simply connect it up just as you did the hub and away you go! Uh, except for one thing. There are many variations of full duplex tap out there. The main differentiator is, of course, speed (10/100/1000) and port type (copper/fiber). Past that, you also have non-aggregating taps and aggregating taps.
Non-Aggregating Taps: These taps have two output ports and do not combine the full duplex streams in each direction. You need to hang two analyzers off these taps to see bidirectional communication. Use File > Merge or the command line mergecap utility to combine multiple trace files.
Aggregating Taps: Well worth the money. These taps combine the bidirectional data and forward it out one monitor port (or two if you have a regenerating tap and want to place something else, maybe a Snort box, off the extra port).


Notes:
Easy, eh? Port A connects to the switch. Port B connects to the target. Port C connects to your analyzer. There are a lot of variations possible when you're looking for a tap. I use the NetOptics products in my office (www.netoptics.com). I have the 10/100 Teeny Tap, 10/100 Port Aggregator Tap, 10/100/1000BaseT Tap, and an iTap. NetOptics has great resources on their website and offers some pretty fancy features in their higher end taps. I approached them to sponsor this online seminar because I trust their products when I need to get the packets. Hmmm, but what's the chance a company is going to let me disconnect their server from the network to install my full duplex tap? Not likely, so that's when I go the next route.


Notes:
Non-manageable switches are great for home networks; they DO NOT, however, belong on the corporate network. All of your switches should have the ability to do port spanning (aka port mirroring). Port spanning enables you to have a copy of all network traffic flowing from another switch port down your switch port. It's relatively passive, but not totally passive, as you did reconfigure the switch; and if the switch is the problem, such reconfiguration may solve the problem or give the switch enough of a kick in the behind to get it working properly, most likely only until you have critical network traffic again, when it will fail again. DON'T GET ME STARTED on port sampling. What good is it to see only a piece of an x-ray result? Aargh! Make sure you test out your spanning commands and ensure your switch spans ports properly. Even the highest and mightiest of switch manufacturers seems to have stumbled from time to time in implementing this necessary feature.


Notes:
Oh yeah, wireless! OK, here's the scoop. You can just select your wireless adapter to begin monitoring traffic; it most likely will let you see your traffic. But, uh, what about Fred's traffic? Most NICs won't go into full monitor mode and allow you to see other folks' traffic. This is where a Windows host has an advantage (amazing to hear myself say that). CACE Technologies (where Gerald Combs, creator of Wireshark, and Loris Degioanni and Gianluca Varenni, creators of WinPcap, work) has AirPcap adapters. Buy three. Right now. (www.cacetech.com) Here's a discount code for you, WSU0709, that'll give you 15% off on AirPcaps and Pilot by CACE Technologies. I'll wait. Tap, tap, tap. Did you get them? Good. These three AirPcap adapters should be connected to your system via a USB hub, most likely. With the AirPcap aggregating driver you can now see all the traffic on three channels simultaneously. Just too cool. CACE also has WiFi Pilot now, which bundles with MetaGeek's Wi-Spy adapter for spread spectrum analysis (I demonstrate this adapter live in the Top 10 Reasons Your Network is Slow class; check it out).


Notes:
These are the functions that I consider key when you are analyzing networks:
- Choosing the Interface
- Capture Filtering
- Capturing to File Sets
- Capturing with a Ring Buffer
- Altering the Time Column
- Display Filtering (new autocomplete)
- Using the Expert Info Composite
- Defining Profiles
- Reassembling Streams

I will cut down the time spent on slides so I can get into the demo process ASAP in this training.


Notes:
You have many options when starting your capture. You could just capture a single file and (a) manually stop the capture or (b) set a stop trigger. You could capture a file set that you (a) manually stop or (b) that stops based on a trigger. To control the number of trace files created you can use a ring buffer, which is a FIFO (first in, first out) buffer.
Triggers for Multiple Files:
- Next file every x kilobytes, megabytes, gigabytes (careful of file size)
- Next file every x seconds, minutes, hours, days (again, watch the size)
- Ring buffer with x files
- Stop capture after x files
Stop Triggers:
- after x packets
- after x kilobytes, megabytes, gigabytes (you know the warning)
- after x seconds, minutes, hours, days (yup, same thing)


Notes:
Here are some of the things to know:
Examining the Interfaces: Select Capture > Interfaces to see the active interfaces and check out the interface details, start capturing right away or set up your capture options.
Capture Filters: Make a Not Me capture filter to filter out your traffic from your trace files. You don't want your email or web browsing session to be captured when you are working on Fred's network problems. The syntax for a Not Me capture filter is not ether host 00:21:97:40:74:d2 (with your MAC address).
Set the Time Correctly: Use Edit > Time Display Format > Seconds Since Previous Displayed Packet to see the delta time from the end of one packet to the end of the next. Now you can sort the time column to see large gaps in time!
Listen to the Expert: Select Analyze > Expert Info Composite to identify possible problems seen in the trace file. Expand the findings to locate specific packets in the trace.
Check the IO Rate: Select Statistics > IO Graph to note when the IO rate drops. Click anywhere on the IO graph to locate that area in the trace.
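The file-set, ring buffer and stop triggers from the capture options slide and the Not Me capture filter above map directly onto the -b and -a flags of Wireshark's command line capture tool, dumpcap. The following is an added example, not code from the handout or from the Wireshark project: a small Python builder for the dumpcap argument list that also enforces dumpcap's rule that a ring buffer needs a size or time trigger; the interface name, output path and MAC address are assumed sample values.

```python
"""Build a dumpcap command line from the handout's capture options.

Added example (not from the handout). It assumes dumpcap's real flags:
-i interface, -w outfile, -f capture filter, -b next-file triggers
(filesize in kB, duration in seconds, files for a ring buffer) and
-a stop triggers (duration, filesize, files), plus -c for a packet count.
Nothing is executed, so it can be checked without dumpcap installed.
"""
import re
import shlex

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def not_me_filter(my_mac):
    """The handout's 'Not Me' capture filter: drop the analyst's own frames."""
    if not MAC_RE.match(my_mac):
        raise ValueError(f"not a MAC address: {my_mac!r}")
    return f"not ether host {my_mac.lower()}"


def build_capture_cmd(interface, outfile, capture_filter=None,
                      next_file_kb=None, next_file_sec=None, ring_files=None,
                      stop_files=None, stop_kb=None, stop_sec=None,
                      stop_packets=None, tool="dumpcap"):
    """Return argv for dumpcap. A capture filter drops frames before the capture
    engine ever sees them, so whatever it excludes is gone for good (use sparingly)."""
    if ring_files is not None and next_file_kb is None and next_file_sec is None:
        # dumpcap refuses a ring buffer that has no file size or duration trigger
        raise ValueError("ring buffer needs a next-file trigger (size or time)")
    argv = [tool, "-i", interface, "-w", outfile]
    if capture_filter:
        argv += ["-f", capture_filter]
    # "next file every x ..." and "ring buffer with x files" are all -b options
    for key, val in (("filesize", next_file_kb), ("duration", next_file_sec),
                     ("files", ring_files)):
        if val is not None:
            argv += ["-b", f"{key}:{int(val)}"]
    # stop triggers: after x files / kilobytes / seconds are -a; after x packets is -c
    for key, val in (("files", stop_files), ("filesize", stop_kb), ("duration", stop_sec)):
        if val is not None:
            argv += ["-a", f"{key}:{int(val)}"]
    if stop_packets is not None:
        argv += ["-c", str(int(stop_packets))]
    return argv


def as_shell(argv):
    """Quoted one-liner for copy/paste (shlex.join keeps the filter as a single argument)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Sample run: ten-file ring of 100 MB (102400 kB) files, excluding my own MAC (constructed values)
    cmd = build_capture_cmd("eth0", "/tmp/fred.pcapng",
                            capture_filter=not_me_filter("00:21:97:40:74:d2"),
                            next_file_kb=102400, ring_files=10)
    print(as_shell(cmd))
```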


Notes:
Here are some of the things I'm going to demonstrate (continued):
Measure Pain: Learn to measure time between packets spread throughout the trace. Select the start point and right click. Choose Set Time Reference (toggle). You might be prompted for the time format change. Scroll down to the next time measurement and the time column now shows you the time from the Time Referenced packet to this one. You can set multiple Time Reference packets in the trace if desired.
Right Click Filtering: In my example, I want to find out if the trace includes BOTH the original and the retransmitted TCP packet (find a retransmission packet). Inside the TCP header, I right clicked the TCP Sequence Number field and chose Prepare as a Filter (just so I can look at the filter before it gets applied). When you apply the filter I will learn if I am upstream (before packet loss occurs) or downstream (after packet loss has occurred) on the network.
Custom Columns: Time permitting, I also wanted to show you how to add a column for the TCP Window Size field value to Wireshark's summary pane. Click the field to see the field name in the status bar at the bottom of the Wireshark window. This field is called tcp.window_size. Now select Edit > Preferences > Columns > New > [name: WinSize]. In the Format area, select Custom. A new blank window shows up on the right of the Format field. Type in your field name, tcp.window_size. Click OK and now look at your summary window (you might need to scroll to the right to see your new column). Cool!
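The time column techniques (Seconds Since Previous Displayed Packet, sorting for large gaps, Set Time Reference) and the tcp.seq filter used to tell whether the analyzer sits upstream or downstream of the loss can be reproduced in code. The following is an added example, not from the handout: Python over a constructed six-packet list in which frame 5 repeats frame 3's sequence number; the addresses and timestamps are made up.

```python
"""Time-gap and retransmission checks over a constructed packet list.

Added example, not part of the handout. It mirrors what the handout does
through Wireshark's time column and the right-click "Prepare as Filter"
on the TCP Sequence Number field. The packets below are constructed.
"""
from collections import defaultdict

# (frame, time in seconds, src, dst, tcp.seq, tcp payload length) -- constructed sample
PACKETS = [
    (1, 0.000, "10.0.0.5", "10.0.0.9", 1,   100),
    (2, 0.050, "10.0.0.9", "10.0.0.5", 1,   0),
    (3, 0.100, "10.0.0.5", "10.0.0.9", 101, 100),
    (4, 0.350, "10.0.0.5", "10.0.0.9", 201, 100),
    (5, 1.550, "10.0.0.5", "10.0.0.9", 101, 100),  # retransmission of frame 3
    (6, 1.600, "10.0.0.9", "10.0.0.5", 1,   0),
]


def delta_displayed(packets, display_filter=lambda p: True):
    """Seconds Since Previous Displayed Packet: the delta is measured only between
    packets that pass the display filter, which is why filtering first matters."""
    shown = [p for p in packets if display_filter(p)]
    deltas, prev = {}, None
    for p in shown:
        deltas[p[0]] = 0.0 if prev is None else round(p[1] - prev[1], 6)
        prev = p
    return deltas


def largest_gaps(deltas, n=3):
    """Sort the delta column descending, as the handout suggests, to surface big gaps."""
    return sorted(deltas, key=deltas.get, reverse=True)[:n]


def time_since_reference(packets, ref_frames):
    """Set Time Reference: each packet's time is relative to the most recent
    reference packet at or before it (the first packet until one is set)."""
    ref_time, times = packets[0][1], {}
    for p in packets:
        if p[0] in ref_frames:
            ref_time = p[1]
        times[p[0]] = round(p[1] - ref_time, 6)
    return times


def retransmission_filters(packets):
    """Data segments whose tcp.seq repeats in one direction. Seeing both the original
    and the retransmission means the analyzer is upstream of the point of loss;
    a downstream capture would show only one of them. Returns the display filter
    that Prepare as Filter on the Sequence Number field would produce."""
    seen = defaultdict(list)
    for frame, _, src, dst, seq, plen in packets:
        if plen > 0:
            seen[(src, dst, seq)].append(frame)
    return {f"tcp.seq == {seq}": frames
            for (_, _, seq), frames in seen.items() if len(frames) > 1}
```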


Notes:
Now what?! Here's a quick list of to-do items for you after this class.
1. C'mon, upgrade to Wireshark: There's NO REASON to be working with the old Ethereal software; it's outdated and end-of-lifed. Get to www.wireshark.org and update to the latest version of Wireshark.
2. Test analyzer placement: Make sure you feel comfortable with your capture options: hubbing out, tapping out, WLAN AirPcaps, spanning, etc.
3. Baseline your network traffic: Know what's normal. Take baselines of host startup processes, connection to the key network devices, shutdown, etc.
4. Learn to filter (capture AND display): Work with both types of filters. Become a filter guru to save yourself loads of time when analyzing network problems.
5. Don't ignore the Expert Info: Always give a nod to the Expert Info Composite findings; verify the alerts listed by looking at the trace in depth.
6. Learn TCP/IP at packet level: Installing and configuring a TCP/IP network is entirely different from analyzing the traffic. Get to know TCP/IP inside and out; that includes ARP, IP, TCP, UDP, DHCP, ICMP, HTTP, POP, SMTP, etc. Check out the video courses at www.chappellU.com to get on-demand training on TCP/IP.


Notes:
Use 'em or lose 'em. These are the discount codes for the on-demand training subscription.


Notes:
Now we move on to live Q&A. Remember to follow me on Twitter and check out my blog. Check out the other online seminars and keep learning, even if it is an hour at a time. Upcoming seminars at chappellseminars.com:
- Top 10 Reasons Your Network is Slow [HOT!]
- Wireshark Jumpstart (take it again, invite your team)
- Trace Back to a Suspicious Host
- Analyze and Improve Network Throughput: Packet Loss and Latency Analysis
- Hacked Hosts: Network Forensics (Identify Suspicious Traffic Patterns)
If you want to start learning right now, then check out the over 200 video courses online at www.chappellU.com.


Notes:
Well, thanks much for attending the online live seminar. You can help us guide the content, length, pricing and format of these courses by sending your thoughts to me at laura@chappellseminars.com or writing something in the Contact Us page at www.chappellseminars.com. Now I ask a favor. Please help us reach out to the IT community to let them know about these online seminars. Special thanks to NetOptics, who sponsored this live online seminar so we could offer it free to you. If you know a company who would be a good sponsor to enable us to open more online seminars for free, please let me know directly ([email protected]). I will likely not be on the road much this year teaching in public, so chappellseminars.com and chappellU.com are my primary methods of training folks on network troubleshooting, optimization and security. Spread the word.
