Lab 2: Packet Capture & Traffic Analysis with Wireshark
Lab 2: Packet Capture & Traffic Analysis with Wireshark. Goals: This lab introduces packet capture (packet sniffing) and network traffic analysis with the Wireshark tool. Prepared by T.Najed ALmutairi

Agenda
Wireshark introduction and purposes
Download and install
Capture traffic
Stop capture traffic
Display filters
Saving display filters
Follow TCP Stream
Wireshark statistics
Capture ARP & ICMP protocol traffic using Wireshark

What is Wireshark? Wireshark is a network packet/protocol analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Some intended purposes:
Network administrators use it to troubleshoot network problems.
Network security engineers use it to examine security problems.
Developers use it to debug protocol implementations.
People use it to learn network protocol internals.
Wireshark isn't an intrusion detection system. Wireshark will not manipulate things on the network; it will only "measure" things from it.

Wireshark System Overview

Download and install Wireshark on your PC. If Wireshark is not currently available on your PC, you can download the latest Windows version from https://www.wireshark.org/download.html


Configuration: This checkbox allows you to specify that Wireshark should put the interface in promiscuous mode when capturing. If you do not specify this, Wireshark will only capture the packets going to or from your computer (not all packets on your LAN segment).

Wireshark Interface

Using Wireshark to Capture Traffic. Start the Wireshark application. When Wireshark is first run, a default, or blank, window is shown. To list the available network interfaces, select the Capture->Interfaces menu option.

Using Wireshark to Capture Traffic. Wireshark should display a popup window such as the one shown in Figure 2. To capture network traffic, click the Start button for the network interface you want to capture traffic on. Windows can have a long list of virtual interfaces before the Ethernet Network Interface Card (NIC).

Using Wireshark to Capture Traffic. Generate some network traffic with a web browser, such as Internet Explorer or Chrome. Your Wireshark window should now show the packets and look something like the screenshot (panels labelled: packet list panel, packet details panel, packet bytes panel).

The capture is split into 3 parts:
1. Packet List Panel – this is a list of packets in the current capture. It colours the packets based on the protocol type. When a packet is selected, the details are shown in the two panels below.
2. Packet Details Panel – this shows the details of the selected packet. It shows the different protocols making up the layers of data for this packet. Layers include Frame, Ethernet, IP, TCP/UDP/ICMP, and application protocols such as HTTP.
3. Packet Bytes Panel – shows the packet bytes in hex and ASCII encodings.

Stop Capture Traffic: Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.

Wireshark Display Filters. Display filters (also called post-filters) only filter the view of what you are seeing; all packets in the capture still exist in the trace. Display filters use their own format and are much more powerful than capture filters.

Wireshark Display Filters. The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.

Wireshark Display Filter formats

Wireshark Display Filters. If the filter syntax is correct, it is highlighted in green; if there is a syntax mistake, it is highlighted in red. (Screenshots: correct syntax, wrong syntax.)

Display Filter Exercises. Using the Wireshark program, show the results of the filter captures and take screenshots of them.
Ex #1: Display the SNMP or DNS or HTTP traffic.
Ex #2: Display packets with TCP source or destination port 25.
Ex #3: Display packets having TCP flags.

Follow TCP Stream

Follow TCP Stream: red - stuff you sent; blue - stuff you get.

Saving Packet Filters: To save only the displayed packets, select File->Export Specified Packets, and make sure the Displayed radio button is selected rather than the Captured option. This creates a pcap file with only the packets matched by the current display filter.

Wireshark Statistics: Select the Statistics->Protocol Hierarchy menu option. A window is shown displaying statistics about the pcap. Note that all the packets are Ethernet (Local Area Network) packets, while at the network layer most of the packets are TCP and some are UDP.
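The three display-filter exercises, the Export Specified Packets (Displayed) step and the Protocol Hierarchy statistic above can all be reproduced offline on a handful of constructed frames, which shows what Wireshark is actually matching when you type a filter. The following Python block is an added example and is not part of the lab or of Wireshark itself: it builds eight sample frames with struct, dissects the Ethernet/IPv4/TCP/UDP headers into the same field names Wireshark's filter language uses (tcp.srcport, tcp.flags.syn, ...), names the application protocol by well-known port, applies the exercise filters as predicates, and writes the kept frames as a classic pcap file. The hosts, MAC addresses and ports are hypothetical (the lab PC and its router 192.168.1.1; RFC 5737 documentation addresses for the remote ends).

```python
import os
import struct
from collections import Counter

# Constructed sample frames (not a real capture). Hosts are hypothetical: the lab PC
# and its router 192.168.1.1; remote ends use RFC 5737 documentation addresses.
PC_MAC, GW_MAC = "001122334455", "aabbccddeeff"
SYN, PSH, ACK = 0x02, 0x08, 0x10

def eth(dst_mac, src_mac, ethertype, payload):
    """Ethernet II header (14 bytes) in front of the payload."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left at 0, which is enough for offline dissection."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def tcp(sport, dport, flags, payload=b""):
    """20-byte TCP header (data offset 5) carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

FRAMES = [
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "192.168.1.1", 17, udp(51000, 53, b"dns-query"))),   # 1 DNS query
    eth(PC_MAC, GW_MAC, 0x0800, ipv4("192.168.1.1", "192.168.1.10", 17, udp(53, 51000, b"dns-reply"))),   # 2 DNS reply
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "203.0.113.10", 6, tcp(40000, 80, SYN))),            # 3 HTTP SYN
    eth(PC_MAC, GW_MAC, 0x0800, ipv4("203.0.113.10", "192.168.1.10", 6, tcp(80, 40000, SYN | ACK))),      # 4 HTTP SYN/ACK
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "203.0.113.10", 6,
                                     tcp(40000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n"))),                   # 5 HTTP request
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "198.51.100.25", 6, tcp(40001, 25, SYN))),           # 6 SMTP SYN
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "192.168.1.1", 17, udp(40002, 161, b"snmp-get"))),   # 7 SNMP get
    eth(GW_MAC, PC_MAC, 0x0800, ipv4("192.168.1.10", "198.51.100.44", 6, tcp(40003, 443, SYN))),          # 8 TLS SYN
]

# Port-based protocol names, the way Wireshark picks a dissector for well-known ports.
WELL_KNOWN = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 80): "http",
              ("udp", 161): "snmp", ("tcp", 25): "smtp", ("tcp", 443): "tls"}

def dissect(frame):
    """Dissect one frame into a dict keyed by Wireshark display-filter field names."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"), "proto": None}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f  # not IPv4: nothing more to dissect here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    f["ip.src"], f["ip.dst"] = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    layer = {6: "tcp", 17: "udp"}.get(ip[9])
    if layer is None:
        return f
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    f[layer + ".srcport"], f[layer + ".dstport"] = sport, dport
    if layer == "tcp":
        flags = l4[13]
        f.update({"tcp.flags": flags, "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1})
    f["proto"] = WELL_KNOWN.get((layer, sport)) or WELL_KNOWN.get((layer, dport)) or layer
    return f

# The exercise filters, expressed as predicates over the dissected fields.
FILTERS = {
    "snmp or dns or http": lambda f: f["proto"] in ("snmp", "dns", "http"),
    "tcp.port == 25": lambda f: 25 in (f.get("tcp.srcport"), f.get("tcp.dstport")),
    "tcp.flags.syn == 1": lambda f: f.get("tcp.flags.syn") == 1,
    "tcp.flags.syn == 1 and tcp.flags.ack == 0": lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0,
}

def apply_filter(frames, expr):
    """1-based frame numbers the display filter keeps, i.e. the packet list after Apply."""
    pred = FILTERS[expr]
    return [n for n, fr in enumerate(frames, 1) if pred(dissect(fr))]

def protocol_hierarchy(frames):
    """Frames per layer, as Statistics -> Protocol Hierarchy reports them."""
    counts = Counter()
    for fr in frames:
        f = dissect(fr)
        counts["eth"] += 1
        for key, name in (("ip.src", "ip"), ("tcp.srcport", "tcp"), ("udp.srcport", "udp")):
            if key in f:
                counts[name] += 1
        if f["proto"] not in (None, "tcp", "udp"):
            counts[f["proto"]] += 1
    return dict(counts)

def export_displayed(frames, expr, path=os.devnull):
    """Write only the displayed frames as a classic pcap (File -> Export Specified Packets, Displayed).
    path defaults to os.devnull so the block runs anywhere; returns how many frames were written."""
    kept = apply_filter(frames, expr)
    with open(path, "wb") as out:
        out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # global header, linktype 1 = Ethernet
        for n in kept:
            fr = frames[n - 1]
            out.write(struct.pack("<IIII", n, 0, len(fr), len(fr)) + fr)  # ts_sec, ts_usec, incl_len, orig_len
    return len(kept)
```

Calling apply_filter(FRAMES, "tcp.port == 25") returns [6], the single SMTP SYN, and protocol_hierarchy(FRAMES) gives 8 Ethernet frames, 5 TCP and 3 UDP, which is the shape of the Protocol Hierarchy window described above. The fourth filter is the one worth remembering from a defender's side: "tcp.flags.syn == 1 and tcp.flags.ack == 0" keeps only connection attempts, so a long list of such frames from one host to many ports stands out immediately. Pass a real path to export_displayed to keep the pcap and open it in Wireshark.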

Wireshark Statistics: Select the Statistics->Flow Graph menu option. Choose the General Flow and Network Source options, and click the OK button. A window similar to that shown in the figure should be displayed, showing the flow of traffic.

Capture ARP & ICMP Protocol Traffic using Wireshark. Start a Wireshark capture. Open a Windows console window, and generate some ICMP traffic by using the ping command line tool to check the connectivity of a neighbouring machine (or your home router).

Capture ARP & ICMP Protocol Traffic using Wireshark. Stop the capture and Wireshark should now look something like Figure 10. The Address Resolution Protocol (ARP) and ICMP packets are difficult to pick out, so create a display filter to show only ARP or ICMP packets.

Capture ARP & ICMP Protocol Traffic using Wireshark. Note the results in Wireshark: the initial ARP request broadcast from your PC determines the physical MAC address of the network IP address 192.168.1.1, followed by the ARP reply from the neighbouring system. After the ARP request, the pings (ICMP echo requests and replies) can be seen.
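The ARP-then-ping sequence described above, dissected and filtered offline, as an added example that is not part of the lab and not Wireshark's own code. The Python block below constructs a seven-frame capture in the shape of the lab's ping to 192.168.1.1 (the PC's IP and both MAC addresses are hypothetical; the timestamps are made up), dissects ARP and ICMP into Wireshark's field names, applies the "arp or icmp" display filter, reproduces the Info column text ("Who has ...? Tell ...", "... is at ...", "Echo (ping) request"), pairs each echo request with its reply to compute the round-trip time, and adds one check a defender would want: that the MAC address learned from the ARP reply is the same MAC that later answers the pings.

```python
import struct

# Constructed capture (not real traffic) mirroring the lab: the PC pings its router 192.168.1.1.
# MAC addresses and the PC's IP are hypothetical.
PC_MAC, PC_IP = "00:11:22:33:44:55", "192.168.1.10"
GW_MAC, GW_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.1"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac(m):
    return bytes.fromhex(m.replace(":", ""))
def ip4(a):
    return bytes(map(int, a.split(".")))

def eth(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def arp(opcode, sha, spa, tha, tpa):
    """ARP over Ethernet/IPv4: htype 1, ptype 0x0800, hlen 6, plen 4; opcode 1 = request, 2 = reply."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac(sha) + ip4(spa) + mac(tha) + ip4(tpa)

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, ip4(src), ip4(dst)) + payload

def icmp(icmp_type, ident, seq, data=b"abcdefghijklmnop"):
    """ICMP echo header: type 8 = request, 0 = reply; checksum left at 0."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

# (timestamp in seconds, frame), in capture order; frame 5 is unrelated UDP noise the filter must drop
CAPTURE = [
    (0.000, eth(BROADCAST, PC_MAC, 0x0806, arp(1, PC_MAC, PC_IP, ZERO_MAC, GW_IP))),
    (0.001, eth(PC_MAC, GW_MAC, 0x0806, arp(2, GW_MAC, GW_IP, PC_MAC, PC_IP))),
    (0.002, eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, GW_IP, 1, icmp(8, 1, 1)))),
    (0.004, eth(PC_MAC, GW_MAC, 0x0800, ipv4(GW_IP, PC_IP, 1, icmp(0, 1, 1)))),
    (0.500, eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, GW_IP, 17, bytes(8)))),
    (1.002, eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, GW_IP, 1, icmp(8, 1, 2)))),
    (1.005, eth(PC_MAC, GW_MAC, 0x0800, ipv4(GW_IP, PC_IP, 1, icmp(0, 1, 2)))),
]

def dissect(frame):
    """Fields Wireshark shows for ARP and ICMP frames, keyed by display-filter names."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"), "proto": "other"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        f.update({"proto": "arp", "arp.opcode": struct.unpack("!H", frame[20:22])[0],
                  "arp.src.hw_mac": frame[22:28].hex(":"),
                  "arp.src.proto_ipv4": ".".join(map(str, frame[28:32])),
                  "arp.dst.proto_ipv4": ".".join(map(str, frame[38:42]))})
    elif ethertype == 0x0800:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        f.update({"proto": "ip", "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20]))})
        if ip[9] == 1:  # IP protocol 1 = ICMP
            icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
            f.update({"proto": "icmp", "icmp.type": icmp_type, "icmp.ident": ident, "icmp.seq": seq})
    return f

def display_filter(capture, expr="arp or icmp"):
    """1-based frame numbers kept by a filter of the form 'proto or proto ...' (the lab's 'arp or icmp')."""
    wanted = {p.strip() for p in expr.split(" or ")}
    return [n for n, (_, fr) in enumerate(capture, 1) if dissect(fr)["proto"] in wanted]

def info_column(frame):
    """The Info text Wireshark's packet list shows for ARP and ICMP echo frames."""
    f = dissect(frame)
    if f["proto"] == "arp" and f["arp.opcode"] == 1:
        return f"Who has {f['arp.dst.proto_ipv4']}? Tell {f['arp.src.proto_ipv4']}"
    if f["proto"] == "arp":
        return f"{f['arp.src.proto_ipv4']} is at {f['arp.src.hw_mac']}"
    if f["proto"] == "icmp":
        kind = {8: "request", 0: "reply"}.get(f["icmp.type"], f"type {f['icmp.type']}")
        return f"Echo (ping) {kind} id={f['icmp.ident']}, seq={f['icmp.seq']}"
    return f["proto"]

def ping_rtts(capture):
    """Pair each echo request with its reply by (id, seq); RTT in milliseconds from the capture timestamps."""
    sent, rtts = {}, {}
    for ts, fr in capture:
        f = dissect(fr)
        if f["proto"] != "icmp":
            continue
        key = (f["icmp.ident"], f["icmp.seq"])
        if f["icmp.type"] == 8:
            sent[key] = ts
        elif f["icmp.type"] == 0 and key in sent:
            rtts[key] = round((ts - sent.pop(key)) * 1000, 1)
    return rtts

def arp_mac_consistent(capture):
    """Defender's check: the MAC learned from the ARP reply must be the MAC that answers the pings."""
    learned = {}
    for _, fr in capture:
        f = dissect(fr)
        if f.get("arp.opcode") == 2:
            learned[f["arp.src.proto_ipv4"]] = f["arp.src.hw_mac"]
        elif f["proto"] == "icmp" and f["icmp.type"] == 0 and learned.get(f["ip.src"]) != f["eth.src"]:
            return False
    return True
```

display_filter(CAPTURE) returns [1, 2, 3, 4, 6, 7], exactly the ARP request, the ARP reply and the two echo request/reply pairs that the lab asks you to pick out, with the unrelated frame 5 hidden the way a display filter hides it. ping_rtts pairs requests and replies on the (id, seq) values visible in the Packet Details panel rather than on arrival order, so a lost or reordered reply is not mismatched. The arp_mac_consistent check is the reason to look at ARP next to ICMP at all: a reply that claims 192.168.1.1 is at one MAC while the pings are answered from another is the first thing to investigate on a segment.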