presentation slides - BCS Berkshire Branch

Wireshark in a nutshell
What is Wireshark and how can it help me?
Marco S. Zuppone, with the valuable review of Tim Lloyd
What is Wireshark?
• Wireshark is a free, open-source packet analyzer created by Gerald Combs and initially named Ethereal. The name was changed to Wireshark in 2006 for copyright reasons.
• Wireshark is very similar to tcpdump but has the advantage of a very good GUI that greatly improves and simplifies its usage.
• As with tcpdump, Wireshark needs the libpcap library to be able to capture traffic. Under Windows this library is called WinPcap.
What I need and how to get it
• Wireshark is available on many platforms:
• Microsoft Windows: from Windows 2000* to Windows 2008 R2. It is available for x86 and x64 OS.
• Mac OS >= Snow Leopard (10.5).
• Various Linux flavours and Unix: the source code is available.
• You can download it for free at www.wireshark.org. The pre-compiled versions include the libpcap library, which is installed if needed.
Why can it help me?
• As you can easily see, LANDesk depends strongly on network communications to work, and most of the problems you will face while supporting it are due to network problems.
• “Yes, but we have logs! Why do I need another piece of software?” It is true that you have logs, but CAN YOU TRUST THEM? Packets never lie!
• Logs can be misleading, or they do not capture the whole story: a simple IIS log can tell you that the client called vulcore.aspx, but it does not tell you what the client really asked the Web Service unless you enable a specific log.
How to install it and where?
• To install Wireshark on Windows and MacOS you need to be NNN Certified (Next -> Next -> Next).
• Where to install it? You need to install it on the device where you want to capture the traffic*.
• Sometimes choosing where you need to capture the traffic can be tricky; it depends on the problem and on the network configuration.
• If you suspect or know that between the client and the server there are devices that can “mangle” the network communications (NAT/SNAT/Websense appliances, firewalls, etc.) you may need to capture the traffic in multiple places to find out where the problem is.
• Generally speaking, capture the traffic as close to the problem as possible.
The interface
• The interface is consistent across all the supported platforms and there are only very small differences between the OS X, Unix and Windows versions.
• Always keep an eye on the status bar. It always shows important information such as: Expert info, the profile in use and the name of the selected packet field.
• Now it is time to begin a capture: this can be done in a lot of ways!
How to start a capture
• Starting a capture can be done in multiple ways. The most common are:
1. Select an interface from the interface list: the capture begins immediately with the default options
2. Click on the Interface List
3. Click on one of the first two icons of the ribbon
How to start a capture
4. Press Ctrl+E
5. Use the Capture menu
• When you start a capture you can generally choose some options (except when you press Ctrl+E or click directly on the interface: in these cases the capture starts immediately).
• The most important options you need to know in the options pane are: promiscuous mode, capture filter and enable network name resolution.
• CAVEAT: use the enable network name resolution option sparingly! This option will generate a lot of DNS requests, and therefore DNS replies as well. You may not want to generate this kind of traffic.
Promiscuous mode or not?
• In Promiscuous Mode your network interface receives all the traffic on the wire, even if it is not directed specifically to it.
Example: a device (IP 10.14.8.1) is trying to talk to another device (IP 10.14.8.2) on the same network segment. If you are in Promiscuous Mode you should be able to see the conversation even if it is not for you.
• There are many factors that may limit your visibility while you are in Promiscuous Mode, such as network switches! If your switch is a “proper one” it will deliver the traffic from device A to device B only to the switch ports where A and B are physically plugged in.
• There are some solutions to this problem: configure the switch to mirror all the traffic to a SPAN port, use a hub to connect the devices (if you are still able to find one) or ask for budget to buy an aggregating network TAP (I know! I’m a dreamer!)
• If you are not in Promiscuous Mode you will only be able to see the traffic directed to you, plus broadcast and multicast traffic.
Capture filters
• In some specific circumstances you need to limit the traffic that you capture, and for that you can use Capture filters.
• They use the BPF (Berkeley Packet Filter) syntax, which is different from the Wireshark display filter syntax.
• In version 1.6 of Wireshark two useful features for Capture filters were introduced: the Compile BPF button, and the fact that the field where you define the rule changes colour depending on whether the syntax is valid or not. The Compile button is useful to validate the rule as well.
• Use capture filters sparingly! What is not captured simply is not there anymore. There is no way to get it back!
• Example: if you have a problem browsing the internet you may be tempted to use a filter such as this one: ip port 80. But what about HTTPS traffic? What if the problem is a DNS issue, or if the HTTP port used is not 80?
• CAVEAT: if a rule is syntactically valid this does not imply that the rule is logically meaningful!! By analogy, a lot of politicians make declarations without spelling or grammar errors, but they are totally meaningless! Wireshark 1.6 is able to spot some of these meaningless expressions, but not all of them.
Capture filters
The most common and useful capture filters are:

ip                               Only IP traffic
tcp                              Only TCP traffic
udp                              Only UDP traffic
host 192.168.0.1                 All the traffic to/from 192.168.0.1
not broadcast and not multicast  Self explanatory
ether src 10:10:EA:11:33:22      All the Ethernet traffic from that MAC address
ether dst 10:10:EA:11:33:22      All the Ethernet traffic to that MAC address
ether host 10:10:EA:11:33:22     All the Ethernet traffic to/from that MAC address
port 80                          TCP or UDP traffic where the source or destination port is 80
tcp and udp                      Something stinks here! (valid syntax, but no packet is both TCP and UDP)
Let’s capture a bit of traffic now
• It is finally time to capture some traffic. So after setting our favourite interface options in the Capture settings window it is time to press Start.
• In my test example I installed Wireshark on Windows XP with the LANDesk client on it, and then from the LANDesk Console I selected the XP machine; the following screen is the result.
• The core IP is 192.168.60.128 and the client IP is 192.168.60.129.
Let’s have a look at the traffic then..
• The first 2 packets are ARP: the core needs to talk to the client but does not know its MAC address, so it sends an ARP request to determine it. In packet 2 the client replies to the core server with its MAC address.
• Packets 3 and 4: the core pings the client and the client replies.
• Packets 5 to 12: the core server tries to talk to the mngsuite port (9535) to determine if remote control is active on the client.
• Some ports have a symbolic name associated with them. These names are registered by the interested parties with IANA. The file SERVICES in the Program Files\Wireshark folder contains the association between the number and the symbolic name. This file can be edited if we want.
• If we want to know the number of a port without opening the file, just click on the packet. In the details section you are able to see both the symbolic and the numeric port.
• TIP: to find out where the configuration files of Wireshark are, go to the Help menu -> About -> Folders tab. This works on every platform.
• Packets 13 to 19: the core does a PDS ping (TCP port 9595) and the client replies.
If you have a close look at packet 16 you can see in its payload some text that resembles HTTP traffic… how can you read it better??!?!?
Follow TCP or UDP stream
• This is one of the most useful functions of Wireshark and you will use it a lot.
You can see that in packet 16 there is some data (payload), and in the subsequent packets as well. It is not very handy to read the whole conversation this way, so… try to right click on packet 16 and choose the option “Follow TCP Stream”.
• You’d obtain something like this:
Follow UDP or TCP stream
• Much better! Isn’t it? The requests and replies are coloured differently (red and blue).
• This is very handy when you need to analyse an HTTP conversation, or FTP, SMTP, POP3 and all the protocols where there is some clear text.
• This feature is handy even if the payload is not ‘clear text’ (SMB for example) because it is possible [we will demonstrate how] to save the conversation (stream) to a file.
Display filters
• It’s time to introduce the display filters: knowing them is essential to analyse the traffic. They help us display only the interesting traffic and solve the famous “needle in the haystack” problem.
• Their syntax is very different from, and more flexible than, the BPF filters.
• They can be applied while you are capturing or after the capture is finished.
• Their syntax is used for column definitions and coloring rules as well.
• Wireshark already comes with a predefined list of filters that can be used as examples (starting points).
• Display Filters, like Capture Filters, are case sensitive! HTTP is not the same as http.
• Fortunately, when you type filters in the filter field you can use Intellisense (auto-completion). This will help you a lot!!
Display filters
• To create a filter you can simply type it in the filter field and take advantage of Intellisense.
• Another way to create a filter is to expand a packet in the details section, click on a particular part of it, then right click and choose Prepare Filter or Apply Filter.
• The difference between Apply and Prepare is that Apply will immediately apply the filter, whereas Prepare will only place the filter in the filter field, and then you will need to press the Apply button. The advantage is that you can have a look at the generated syntax and possibly amend it before applying it.
• Another way is to press the Expression button next to the Filter field: a GUI that helps you formulate the expression will appear.
Display filters
• But what if I want to filter on a certain field but I do not know its name?
The simplest way is to expand the packet, select the field in the Packet Details section and have a look at the Status Bar.
• In this case we selected the Do not fragment field, and its syntax is ip.flags.df == 1 (1 is set, 0 is not).
• The general structure of a display filter is a sequence of expressions, possibly joined by logic operators. An expression is a field + comparison operator + value.
Example: tcp.dstport == 80
• The most common comparison operators are: ==, >=, !=, <=, >, <, matches, contains. For the nostalgic geek it is possible to use the literals eq, ge, ne, le, gt, lt.
• && and || are logic operators (literals: and, or).
• An example: tcp.port == 80 || tcp.port == 443
• As with the capture filters, we need to be careful about what the filters actually mean.
• For example tcp && arp is a syntactically valid filter but… I will buy you a pizza if you are able to match some traffic with it.
• Some popular protocols define basic filters that help us speed up the writing of filters.
• For example, instead of writing: tcp.port == 53 || udp.port == 53 we can simply write: dns
• Instead of tcp.port == 80 || tcp.port == 443 we can write: http
• Other popular protocol filters are: arp, bootp, smtp, pop3, smb, ftp, ftp-data, ldap, icmp, imap
Advanced filters
• In some special circumstances we need to match one or more bytes of a packet at specific positions. This type of filter is called an offset filter and it has this form:
field (or protocol layer)[offset, 0 based:length] comparison value
• Example: eth.src[4:2]==22:1f
• Example: ip[14:2] == 90:20
• To formulate this kind of filter you need to
know the protocol well and know what you
are looking for.
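As an added illustration (not from the slides), the script below evaluates offset filters of the form above against the raw bytes of a constructed Ethernet + IPv4 frame, so you can see exactly which bytes eth.src[4:2] and ip[14:2] select. The frame uses the core and client IPs from the slides; the MAC addresses and the LAYERS offset table are assumptions for this frame only.

```python
# Added example, not from the slides: evaluate an offset filter such as
# eth.src[4:2]==22:1f against raw frame bytes to see which bytes the
# [offset:length] slice selects. Layer offsets are hard-coded for this frame.
import re
import struct

# Constructed frame: Ethernet II + IPv4 header. IPs are the core and client
# from the slides (192.168.60.128 -> 192.168.60.129); the MACs are made up.
SRC_MAC = bytes.fromhex("0050561a221f")
DST_MAC = bytes.fromhex("00505644beef")
ETH_HDR = DST_MAC + SRC_MAC + b"\x08\x00"          # dst, src, EtherType IPv4
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 60, 128]), bytes([192, 168, 60, 129]))
FRAME = ETH_HDR + IP_HDR

# (start, size) of each field or protocol layer inside FRAME; a slice offset
# counts from the start of the named layer, not from the start of the frame.
LAYERS = {
    "eth": (0, 14), "eth.dst": (0, 6), "eth.src": (6, 6),
    "ip": (14, 20), "ip.src": (26, 4), "ip.dst": (30, 4),
}

FILTER_RE = re.compile(r"^\s*([\w.]+)\[(\d+):(\d+)\]\s*==\s*([0-9a-fA-F:]+)\s*$")

def parse_offset_filter(expr):
    """Return (field, offset, length, value bytes); reject malformed filters."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("not an offset filter: %r" % expr)
    field, off, length = m.group(1), int(m.group(2)), int(m.group(3))
    value = bytes.fromhex(m.group(4).replace(":", ""))
    if len(value) != length:
        raise ValueError("value is %d bytes but the slice is %d" % (len(value), length))
    return field, off, length, value

def slice_bytes(frame, field, off, length):
    """The bytes selected by field[off:length]."""
    start, size = LAYERS[field]
    if off + length > size:
        raise ValueError("slice runs past the end of %s" % field)
    return frame[start + off:start + off + length]

def matches(expr, frame=FRAME):
    """True if the offset filter matches the frame."""
    field, off, length, value = parse_offset_filter(expr)
    return slice_bytes(frame, field, off, length) == value

if __name__ == "__main__":
    for f in ("eth.src[4:2]==22:1f", "ip[14:2] == 90:20", "ip[14:2] == 3c:80"):
        print(f, "->", matches(f))
```

Note that ip[14:2] lands on the last two bytes of the IP source address (bytes 12 to 15 of the IP header), which is why knowing the header layout matters before writing such a filter.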
Coloring rules
• Now that we have introduced a bit of the filter syntax we can introduce the Coloring Rules and Columns: they are defined with the same syntax used for Display Filters.
• Have you noticed in your first capture that some packets have a different colour from the others?!
• The Coloring Rules are a very important tool that will help you better understand the trace file: you will be able to display different kinds of packets in different colours, and this will help you a lot to find the needle in the haystack.
• You can manage them via the View -> Coloring Rules… menu.
Colouring Rules
• Colouring rules colour a packet if the rule, expressed in Display Filter syntax, matches it.
• Colouring rules can be created, deleted, moved up and down, disabled, imported, exported or reset to default (Cleared).
• Colouring rules are saved in the colorfilters file.
• Rule precedence: the rules are evaluated from the top to the bottom of the list. When a rule matches, the evaluation finishes for that packet.
• Now let’s disable a very annoying one: Checksum Errors* (most of the time this is a false positive caused by the TCP/UDP checksum offloading settings of your network adapter).
• To disable it simply select it and then press the Disable button. A line will appear across it, marking that the rule is disabled. It is better to disable rules than to delete them!
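To make the precedence rule concrete, here is an added example (not from the slides) that models the colouring-rule evaluation: rules are tried top to bottom and the first enabled rule that matches decides the colour. The rule order, names and field keys are simplified stand-ins for Wireshark’s real list and its Display Filter expressions; the packets are constructed.

```python
# Added example, not from the slides: a minimal model of how Wireshark applies
# colouring rules (top to bottom, first enabled rule that matches wins), showing
# what disabling the "Checksum Errors" rule changes. Rule order and field names
# are simplified stand-ins for the real list and its Display Filter expressions.

# Constructed packets, already decoded into the fields a rule would test.
PACKETS = [
    {"no": 1, "arp": True},
    {"no": 2, "tcp": True, "tcp.flags.syn": 1, "checksum_bad": 0},
    {"no": 3, "tcp": True, "tcp.flags.syn": 0, "checksum_bad": 1},
    {"no": 4, "tcp": True, "tcp.flags.reset": 1, "checksum_bad": 1},
]

def make_rules(checksum_rule_enabled):
    """Rules as (name, predicate, enabled), in list order. Disabling keeps the
    rule in place; deleting it would lose its expression for good."""
    return [
        ("ARP", lambda p: p.get("arp", False), True),
        ("TCP RST", lambda p: p.get("tcp.flags.reset") == 1, True),
        ("Checksum Errors", lambda p: p.get("checksum_bad") == 1, checksum_rule_enabled),
        ("TCP SYN/FIN", lambda p: p.get("tcp.flags.syn") == 1, True),
        ("TCP", lambda p: p.get("tcp", False), True),
    ]

def colour_for(packet, rules):
    """Name of the first enabled rule that matches, or None (default colour)."""
    for name, predicate, enabled in rules:
        if enabled and predicate(packet):
            return name
    return None

def colour_all(packets, rules):
    """Map packet number -> rule name, like the colour you see in the packet list."""
    return {p["no"]: colour_for(p, rules) for p in packets}

if __name__ == "__main__":
    print("rule enabled: ", colour_all(PACKETS, make_rules(True)))
    print("rule disabled:", colour_all(PACKETS, make_rules(False)))
```

Packet 3 is the interesting one: with the rule enabled its bad checksum hides the fact that it is plain TCP traffic, and packet 4 keeps its TCP RST colour either way because that rule sits higher in the list.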
Columns
• Columns are fundamental to view the traffic you captured.
• The default column set is not always appropriate for the analysis of all the problems you want to analyse.
• So it is possible to define custom columns, resize them and re-arrange them as you like.
• Clicking on a column sorts the data in ascending or descending order: this feature is particularly useful when you sort the capture by “Seconds since previous captured/displayed packet”.
• A custom column definition needs the name of the field you want to display: the same field name you use in the Display Filter syntax.
How to create a new column
• There are many ways to create a custom column:
-Edit -> Preferences -> Column section.
-Right click on a column and select Column Preferences.
-Right click on a field and choose the option Apply as Column: in this case the column definition is applied immediately. If the column definition created is not what you want, you will need to edit or remove it using the Column Preferences menu.
• Column definitions are saved in the preferences file in your current profile directory (the active profile is displayed in the bottom right corner of the Wireshark window).
How to define a custom column
• So let’s try to create a new custom column
1. Click on Edit -> Preferences -> Column section.
2. Click the button.
3. Select Custom from the Field Type drop down
4. Enter the field that you want to display in the column in the “Field name” field
5. Click on the title of the column and name it, then press and then
Useful columns to add
• The columns you add depend on the traffic you are going to analyse. You may want to create different configuration profiles for different situations and define a different column set in every profile.
• You can reposition the columns, delete them or simply hide them (check out bug 6077, “Rearranging columns in preferences”, on bugs.wireshark.org and perhaps vote for it).
• A couple of useful columns to add in all circumstances are: tcp.stream and tcp.window_size_value. The first is useful to distinguish between TCP streams and the other to spot Window Size 0 conditions.
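As an added example (not from the slides), the script below computes the two column values just recommended for a handful of constructed packets: a tcp.stream index assigned the way Wireshark does it (one index per conversation, both directions, numbered in order of first appearance, ignoring port reuse) and a list of the packets advertising a zero window. The IPs are the core and client from the slides; the ports and window sizes are made up.

```python
# Added example, not from the slides: compute the two columns recommended above.
# tcp.stream is assigned the way Wireshark does it (one index per TCP conversation,
# both directions, numbered in order of first appearance; port reuse is ignored) and
# tcp.window_size_value == 0 flags a receiver that can accept no more data.

# Constructed packets between the core (192.168.60.128) and the client
# (192.168.60.129) from the slides; client ports and window sizes are made up.
PACKETS = [
    {"no": 1, "src": "192.168.60.128", "sport": 49152, "dst": "192.168.60.129", "dport": 9535, "win": 65535},
    {"no": 2, "src": "192.168.60.129", "sport": 9535, "dst": "192.168.60.128", "dport": 49152, "win": 8192},
    {"no": 3, "src": "192.168.60.128", "sport": 49153, "dst": "192.168.60.129", "dport": 9595, "win": 65535},
    {"no": 4, "src": "192.168.60.129", "sport": 9595, "dst": "192.168.60.128", "dport": 49153, "win": 0},
    {"no": 5, "src": "192.168.60.128", "sport": 49152, "dst": "192.168.60.129", "dport": 9535, "win": 65535},
]

def conversation_key(p):
    """Direction-independent key: the two (ip, port) endpoints in sorted order,
    so a request and its reply land in the same stream."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def assign_streams(packets):
    """Map packet number -> tcp.stream index (0, 1, ... in order of first sighting)."""
    streams, result = {}, {}
    for p in packets:
        key = conversation_key(p)
        if key not in streams:
            streams[key] = len(streams)
        result[p["no"]] = streams[key]
    return result

def zero_window_packets(packets):
    """Packet numbers whose advertised window is 0 (tcp.window_size_value == 0)."""
    return [p["no"] for p in packets if p["win"] == 0]

def streams_with_zero_window(packets):
    """Stream indices in which at least one side advertised a zero window."""
    index = assign_streams(packets)
    return sorted({index[n] for n in zero_window_packets(packets)})

if __name__ == "__main__":
    print("tcp.stream:", assign_streams(PACKETS))
    print("zero-window packets:", zero_window_packets(PACKETS))
    print("streams with a zero window:", streams_with_zero_window(PACKETS))
```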