Chappell Wireshark 101 Handouts
Jumpstart: Wireshark 101
The phone rings, multiple lines at one time: never a good sign. The users are complaining about network performance again. They never call to say the network is doing great today; they don't remember the numerous days when the network supported their every whim. No. They only call to complain. Being an IT support person is a thankless job.

In this live online seminar, Laura Chappell explains and demonstrates the key tasks using Wireshark, the world's most popular network analyzer. Tell your friends, tell your colleagues. This is one seminar not to miss.

This seminar is brought to you for free by our sponsor, NetOptics. Thank you, NetOptics!
ChappellUniversity AllRightsReserved
Registeronlineatwww.chappellseminars.com
Please follow me on Twitter and subscribe to my blog. Check out the other online seminars and keep learning, even if it is an hour at a time.

Register for upcoming seminars at chappellseminars.com:
- Top 10 Reasons Your Network is Slow [HOT!]
- Wireshark Jumpstart, new dates TBA (take it again, invite your team)
- Trace Back to a Suspicious Host
- Analyzing and Improving Network Throughput: Packet Loss and Latency Analysis
- Hacked Hosts: Network Forensics, Identify Suspicious Traffic Patterns

If you want to start learning right now, then check out the over 200 video courses online at www.chappellU.com. See the discount code later in this document.
These are the areas we will discuss in today's seminar:
- What is Wireshark? I'll show you a diagram of the elements of Wireshark.
- Placing the Analyzer. Do this right and save yourself loads of time.
- Capture and Display Filters. Focus on specific types of traffic.
- Spotting Problems. Let the Expert Info Composite window guide you.
- Basic Traffic Graphs: a picture is worth a thousand packets!
- Overview of Command-Line Tools. Sometimes you need to go command line.
- Q&A. I'll get to as many questions as time permits.

So let's get started.
Too often I am called on site to troubleshoot a network after everyone has pulled their hair out. It boggles the mind. Why didn't these people put an analyzer on the network and look at the traffic? The packets never lie!

Wireshark is a FIRST RESPONDER tool. Network slow? Get the trace! Can't connect? Get the trace! System behaving strangely? Get the trace!

Network analysis can always tell you WHERE the problem is, but it cannot always tell you WHY the problem is happening.
When you are capturing traffic off the network, you are using one of three possible drivers:
- WinPcap driver: used on Windows hosts running Wireshark.
- AirPcap driver: used to capture WLAN traffic on a Windows host.
- libpcap driver: used to capture traffic on a *nix host.

The first filter applied is the capture filter. If you apply a capture filter for all broadcast traffic, that is all that will be passed up to the capture engine. You can't go back and get packets that were filtered out by a capture filter, so use them sparingly. Note that capture filters use the BPF (tcpdump) syntax, which is different from Wireshark's display filter syntax.
You do not need WinPcap, AirPcap or libpcap in order to open trace files. Those drivers are used to capture traffic on the network.

When you open a trace file, you are using the wiretap library, which supports numerous trace file formats, including those used by Network General Sniffer, WildPackets OmniPeek, Snoop and more.

Select File > Open and click the down arrow to the right of File Type to see the list of recognized file types.
Dissectors, plugins and display filters are applied once the packets are passed up, either by the capture engine or by the wiretap library, into the core engine.

Dissectors/plugins interpret the contents of the packet and are a key component of Wireshark, enabling you to read packets and see interpreted fields. Because dissectors parse untrusted packet data, the recommended setup is to let the separate dumpcap process capture with elevated privileges and to run the Wireshark GUI itself as an unprivileged user.

Display filters enable you to select which packets to view based on specific criteria that you define. Display filters do not affect the trace file itself; they only affect which packets you view.

The GIMP Toolkit (commonly referred to as GTK+) provides the graphical interface for Wireshark. GTK+ was initially developed for and used by GIMP, the GNU Image Manipulation Program. It is used by a large number of applications, including the GNU project's GNOME desktop.

Select Help > About Wireshark > Folders to find where the various Wireshark files are located. Starting in Wireshark v1.2, the locations listed are hyperlinked so you can quickly open the folders.
Place the Analyzer Appropriately: Switched networks can cause the analyst grief, blocking the traffic from easy view. We'll go through four ways to capture wired network traffic and a few ways to capture WLAN traffic next. Hey, if you can't see the packets, you are blind to the problem.

Create Baselines: Baselines are sample trace files of traffic taken when life was good. If you don't have them yet, put this on your To Do list.

Filter on Specific Conversations or Types of Traffic: If Fred is complaining about his web browsing speeds, you could start with a filter on just Fred's HTTP/HTTPS traffic.

Look for Hot Problems: Pay attention to Wireshark's Expert Info Composite information.

Create Key Graphs: A picture is worth a thousand words. In this case, an IO graph is worth a thousand packets.
Unless you are the IT slave at an old school that still supports hubs, you are likely working in a switched environment.

Love 'em or hate 'em, switches are necessary network traffic cops. From the analyst's perspective, however, they reduce visibility by not forwarding traffic down paths or segments where it is not needed.

By default, the only packets a switch forwards to your analyzer's port are:
- Broadcasts (MAC-layer broadcasts)
- Multicasts (MAC-layer multicasts), if configured to do so
- Traffic to/from the connected host's MAC address
- Traffic to unknown MAC addresses (I hope you never see this)
The first thing we can do (although one of my least desired options) is just run Wireshark off Fred's machine.

Yeah, it's an easy solution, but filled with risks: we typically don't want to alter the system that is having problems. Network analysis is a passive, noninvasive process. I often compare it to an X-ray machine: oh look, your foot is broken in two places, no more Dancing with the Stars for you! Imagine if the X-ray machine was embedded in your foot to find the problem. Ouch. A capture taken on the host itself can also look different from one taken on the wire: NIC offloading can produce oversized segments and incorrect checksums in the trace that never existed on the network.

I also detest the idea of showing Fred that his system can run Wireshark. Fred is, after all, the User from Hell and in this case, ignorance is bliss: his ignorance is my bliss.

But sometimes that is the only feasible option. Start Wireshark running in the background (maybe with a nice ring buffer; we'll discuss that later in this class) and tell Fred to do his stuff and show you what he's experiencing.

Be sure to uninstall Wireshark afterwards!
This option only works on half-duplex networks. A stinkin' old hub can save your hide!

Hubs are stupid: all they know are 1s and 0s, and they forward every bit in every direction (except back the way the bits came in). By placing a hub along the path between Fred and the switch and plugging my analyzer into the hub, I get to see all of Fred's traffic.

Watch out for those 10/100/1000 hubs, though. If you have a speed mismatch on the connecting devices, that hub may act as a switch between the different-speed devices.

Test this first, before you need it. Connect two hosts and your analyzer to a hub. Make sure you can see the devices pinging each other. There are a lot of hubs that are cross-dressers: they are actually switches. There's no truth in advertising these days (especially in the tech world).
If you are working on a full-duplex network, a hub ain't gonna cut the mustard (aka won't work, for my international attendees).

To tap into a full-duplex network, you'll need a full-duplex tap. Simply connect it up just as you did the hub and away you go! Uh, except for one thing...

There are many variations of full-duplex tap out there. The main differentiators are, of course, speed (10/100/1000) and port type (copper/fiber). Past that, you also have non-aggregating taps and aggregating taps.

Non-Aggregating Taps: These taps have two output ports and do not combine the full-duplex streams in each direction. You need to hang two analyzers off these taps to see bidirectional communication. Use File > Merge or the command-line mergecap utility to combine the two trace files; by default they are merged chronologically by packet timestamp, so keep the two analyzers' clocks in sync.

Aggregating Taps: Well worth the money. These taps combine the bidirectional data and forward it out one monitor port (or two if you have a regenerating tap and want to place something else, maybe a Snort box, off the extra port). The caveat: if both directions together exceed the monitor port's line rate (two busy 1 Gbps directions squeezed into one 1 Gbps monitor port), the tap has to drop packets, and your trace will show loss that never happened on the link.
Easy, eh? Port A connects to the switch. Port B connects to the target. Port C connects to your analyzer.

There are a lot of variations possible when you're looking for a tap. I use the NetOptics products in my office (www.netoptics.com). I have the 10/100 Teeny Tap, 10/100 Port Aggregator Tap, 10/100/1000BaseT Tap, and an iTap.

NetOptics has great resources on their website and offers some pretty fancy features in their higher-end taps. I approached them to sponsor this online seminar because I trust their products when I need to get the packets.

Hmmm, but what's the chance a company is going to let me disconnect their server from the network to install my full-duplex tap? Not likely, so that's when I go the next route...
Non-manageable switches are great for home networks; they DO NOT, however, belong on the corporate network.

All of your switches should have the ability to do port spanning (aka port mirroring). Port spanning sends a copy of all network traffic flowing through another switch port down your switch port. It's relatively passive, but not totally passive, as you did reconfigure the switch; and if the switch is the problem, such reconfiguration may solve the problem or give the switch enough of a kick in the behind to get it working properly, most likely only until you have critical network traffic again, and then it will fail again.

DON'T GET ME STARTED on port sampling. What good is it to see only a piece of an X-ray result? Aargh!

Make sure you test out your spanning commands and ensure your switch spans ports properly. Even the highest and mightiest of switch manufacturers seems to have stumbled from time to time in implementing this necessary feature. Two things to verify in that test: that the session copies both the receive and the transmit direction of the source port, and that the monitor port is not oversubscribed (a full-duplex source mirrored to a single port of the same speed can exceed the monitor port's line rate, and the switch silently drops the excess).
Oh yeah, wireless!

Ok, here's the scoop. You can just select your wireless adapter to begin monitoring traffic; it most likely will let you see your traffic. But, uh, what about Fred's traffic? Most NICs won't go into full monitor mode and allow you to see other folks' traffic. (On *nix hosts, many WLAN chipsets can be put into monitor mode by the driver; the limitation described here is mainly a Windows one.)

This is where a Windows host has an advantage (amazing to hear myself say that). CACE Technologies (where Gerald Combs, creator of Wireshark, and Loris Degioanni and Gianluca Varenni, creators of WinPcap, work) has AirPcap adapters. Buy three. Right now. (www.cacetech.com) Here's a discount code for you, WSU0709, that'll give you 15% off on AirPcaps and Pilot by CACE Technologies.

I'll wait... tap tap tap... Did you get them? Good.

These three AirPcap adapters should be connected to your system via a USB hub, most likely. With the AirPcap aggregating driver you can now see all the traffic on three channels simultaneously. Just too cool. CACE also has WiFi Pilot now, which bundles with MetaGeek's Wi-Spy adapter for RF spectrum analysis (I demonstrate this adapter live in the Top 10 Reasons Your Network is Slow class; check it out).
These are the functions that I consider key when you are analyzing networks:
- Choosing the Interface
- Capture Filtering
- Capturing to File Sets
- Capturing with a Ring Buffer
- Altering the Time Column
- Display Filtering (new autocomplete)
- Using the Expert Info Composite
- Defining Profiles
- Reassembling Streams
You have many options when starting your capture.

You could just capture a single file and (a) manually stop the capture or (b) set a stop trigger.
You could capture a file set that you (a) manually stop or (b) that stops based on a trigger.
To control the number of trace files created, you can use a ring buffer, which is a FIFO (first in, first out) buffer: once the set holds x files, the oldest file is deleted each time a new one is started, so only the most recent x files survive.

Triggers for Multiple Files:
- Next file every x kilobytes, megabytes, gigabytes (careful of file size)
- Next file every x seconds, minutes, hours, days (again, watch the size)
- Ring buffer with x files
- Stop capture after x files

Stop Triggers:
- after x packets
- after x kilobytes, megabytes, gigabytes (you know the warning)
- after x seconds, minutes, hours, days (yup, same thing)
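The file-set and ring-buffer behaviour listed above, worked through in Python as an added example (this is not code from Wireshark or from the seminar): a small pcap writer that starts a new file on a size trigger and deletes the oldest file once the ring is full, plus a function that produces the equivalent dumpcap command line. The frames are constructed dummies, the temporary directory is created on the fly, and in the usage line the interface name eth0, the output file name and the MAC address in the capture filter are placeholders.

```python
"""Ring-buffer file set written the way the Capture Options above describe it:
start a new file on a size trigger, keep only the newest N files, and build the
equivalent dumpcap command line. Added example, not Wireshark code."""
import os
import struct
import tempfile

PCAP_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header() -> bytes:
    # magic (little-endian, microseconds), version 2.4, thiszone, sigfigs, snaplen, Ethernet
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def pcap_record(ts: float, frame: bytes) -> bytes:
    sec = int(ts)
    return struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame


class RingBufferWriter:
    """<prefix>_NNNNN.pcap files: a new file starts when the next record would push
    the current one past max_bytes ('next file every x kilobytes'), and once more
    than max_files exist the oldest is deleted ('ring buffer with x files')."""

    def __init__(self, directory, prefix, max_bytes, max_files):
        self.directory, self.prefix = directory, prefix
        self.max_bytes, self.max_files = max_bytes, max_files
        self.files = []        # paths still on disk, oldest first
        self.dropped = []      # paths deleted by the ring: their packets are gone for good
        self.fh, self.written = None, 0
        self._next_file()

    def _next_file(self):
        if self.fh:
            self.fh.close()
        n = len(self.files) + len(self.dropped)
        path = os.path.join(self.directory, f"{self.prefix}_{n:05d}.pcap")
        self.fh = open(path, "wb")
        self.fh.write(pcap_global_header())
        self.written = PCAP_HEADER_LEN
        self.files.append(path)
        while len(self.files) > self.max_files:
            oldest = self.files.pop(0)
            os.remove(oldest)
            self.dropped.append(oldest)

    def write(self, ts, frame):
        rec = pcap_record(ts, frame)
        if self.written > PCAP_HEADER_LEN and self.written + len(rec) > self.max_bytes:
            self._next_file()
        self.fh.write(rec)
        self.written += len(rec)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None


def dumpcap_ring_args(interface, outfile, filesize_kb, files, duration_s=None, capture_filter=None):
    """dumpcap flags for the same settings: -b filesize:KB and -b files:N define the
    ring, -a duration:S is a stop trigger, -f takes the capture filter (BPF syntax)."""
    args = ["dumpcap", "-i", interface, "-w", outfile,
            "-b", f"filesize:{filesize_kb}", "-b", f"files:{files}"]
    if duration_s is not None:
        args += ["-a", f"duration:{duration_s}"]
    if capture_filter:
        args += ["-f", capture_filter]
    return args


def demo():
    """100 constructed 100-byte frames into a ring of three 1 KB files in a fresh
    temporary directory; returns what the ring kept and what it threw away."""
    directory = tempfile.mkdtemp(prefix="ring_")
    rb = RingBufferWriter(directory, "fred", max_bytes=1024, max_files=3)
    for i in range(100):
        rb.write(1_700_000_000.0 + i * 0.01, bytes(100))   # constructed dummy frame
    rb.close()
    rec_len = RECORD_HEADER_LEN + 100
    return {
        "kept": [os.path.basename(p) for p in rb.files],
        "dropped": len(rb.dropped),
        "kept_on_disk": all(os.path.exists(p) for p in rb.files),
        "dropped_on_disk": any(os.path.exists(p) for p in rb.dropped),
        "packets_kept": sum((os.path.getsize(p) - PCAP_HEADER_LEN) // rec_len for p in rb.files),
    }


if __name__ == "__main__":
    print(demo())
    print(" ".join(dumpcap_ring_args("eth0", "fred.pcap", 102400, 10, 3600,
                                     "not ether host 00:21:97:40:74:d2")))
```

Eight 116-byte records fit in a 1 KB file, so 100 frames produce 13 files and the ring keeps only the last three (20 packets); the other 80 are unrecoverable, which is the trade-off the "careful of file size" warnings above are about. Size the ring from the interface's busy-hour rate, not from the disk you happen to have.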
Here are some of the things to know:

Examining the Interfaces: Select Capture > Interfaces to see the active interfaces and check out the interface details, start capturing right away or set up your capture options.

Capture Filters: Make a Not Me capture filter to filter out your traffic from your trace files. You don't want your email or web browsing session to be captured when you are working on Fred's network problems. The syntax for a Not Me capture filter is not ether host 00:21:97:40:74:d2 (with your own MAC address).

Set the Time Correctly: Use View > Time Display Format > Seconds Since Previous Displayed Packet to see the delta time between one displayed packet's timestamp and the next. Now you can sort the Time column to see large gaps in time!

Listen to the Expert: Select Analyze > Expert Info Composite to identify possible problems seen in the trace file. Expand the findings to locate specific packets in the trace.

Check the IO Rate: Select Statistics > IO Graph to note when the IO rate drops. Click anywhere on the IO graph to locate that area in the trace.
Here are some of the things I'm going to demonstrate (continued):

Measure Pain: Learn to measure time between packets spread throughout the trace. Select the start point and right-click. Choose Set Time Reference (toggle). You might be prompted for the time format change. Scroll down to the next time measurement and the Time column now shows you the time from the Time Referenced packet to this one. You can set multiple Time Reference packets in the trace if desired.

Right-Click Filtering: In my example, I want to find out if the trace includes BOTH the original and the retransmitted TCP packet (find a retransmission packet). Inside the TCP header, I right-clicked the TCP Sequence Number field and chose Prepare as Filter (just so I can look at the filter before it gets applied). When the filter is applied, I learn whether I am upstream (before packet loss occurs) or downstream (after packet loss has occurred) on the network: if both packets are in the trace, the original made it past my capture point, so the loss happened downstream of me (or the ACK was lost on the way back); if only the retransmission is there, the original was lost before it reached me.

Custom Columns: Time permitting, I also wanted to show you how to add a column for the TCP Window Size field value to Wireshark's summary pane. Click the field to see the field name in the status bar at the bottom of the Wireshark window. This field is called tcp.window_size. Now select Edit > Preferences > Columns > New > [name: WinSize]. In the Format area, select Custom. A new blank field shows up on the right of the Format field. Type in your field name, tcp.window_size. Click OK and now look at your summary window (you might need to scroll to the right to see your new column). Cool! (In newer Wireshark versions tcp.window_size holds the calculated, scaled window and tcp.window_size_value the raw 16-bit field; pick the one you mean.)
Now what?! Here's a quick list of to-do items for you after this class.

1. C'mon, upgrade to Wireshark: There's NO REASON to be working with the old Ethereal software; it's outdated and end-of-lifed. Get to www.wireshark.org and update to the latest version of Wireshark.
2. Test analyzer placement: Make sure you feel comfortable with your capture options: hubbing out, tapping out, WLAN AirPcaps, spanning, etc.
3. Baseline your network traffic: Know what's normal. Take baselines of host startup processes, connection to the key network devices, shutdown, etc.
4. Learn to filter (capture AND display): Work with both types of filters. Become a filter guru to save yourself loads of time when analyzing network problems.
5. Don't ignore the Expert Info: Always give a nod to the Expert Info Composite findings; verify the alerts listed by looking at the trace in depth.
6. Learn TCP/IP at packet level: Installing and configuring a TCP/IP network is entirely different from analyzing the traffic. Get to know TCP/IP inside and out; that includes ARP, IP, TCP, UDP, DHCP, ICMP, HTTP, POP, SMTP, etc. Check out the video courses at www.chappellU.com to get on-demand training on TCP/IP.
Use 'em or lose 'em. These are the discount codes for the on-demand training subscription.
Now we move on to live Q&A.

Remember to follow me on Twitter and check out my blog. Check out the other online seminars and keep learning, even if it is an hour at a time.

Upcoming seminars at chappellseminars.com:
- Top 10 Reasons Your Network is Slow [HOT!]
- Wireshark Jumpstart (take it again, invite your team)
- Trace Back to a Suspicious Host
- Analyze and Improve Network Throughput: Packet Loss and Latency Analysis
- Hacked Hosts: Network Forensics (Identify Suspicious Traffic Patterns)

If you want to start learning right now, then check out the over 200 video courses online at www.chappellU.com.
Well, thanks much for attending the online live seminar.

You can help us guide the content, length, pricing and format of these courses by sending your thoughts to me at laura@chappellseminars.com or writing something in the Contact Us page at www.chappellseminars.com.

Now I ask a favor: please help us reach out to the IT community to let them know about these online seminars.

Special thanks to NetOptics, who sponsored this live online seminar so we could offer it free to you. If you know a company who would be a good sponsor to enable us to open more online seminars for free, please let me know directly (laura@chappellseminars.com). I will likely not be on the road much this year teaching in public, so chappellseminars.com and chappellU.com are my primary methods of training folks on network troubleshooting, optimization and security. Spread the word.