1. Ethereal/WireShark Tutorial
Yen-Cheng Chen
IM, NCNU

2. WireShark Download: Wireshark User's Guide
The Ethereal network protocol analyzer has changed its name to Wireshark.
Download:
Wireshark User's Guide

3. Introduction
A network protocol analyzer will try to capture network packets and tries to display that packet data as detailed as possible.
What will be captured
All packets that an interface can ”hear”
At your PC connected to a switch
Unicast (to and from the interface only)
Multicast, RIP, IGMP,…
Broadcast, e,g ARP,

5. ipconfig /renew  menu  main toolbar  filter toolbar
 packet list pane
 packet details pane
ipconfig /renew
 packet bytes pane
 status bar

6. packet list pane

7. Sort by source

8. packet details pane

9. packet bytes pane

12. Filter

17. Filter Expression ip.src == 10.32.11.220 && ip.dst == 163.22.32.101
ip.src eq and ip.dst eq
ip.src == || ip.src ==
http && ( ip.src == || ip.src == )
!(ip.dst == )

21. (ip.dst == 10.32.11.220) && (ip.src == 163.22.32.101)

22. Follow TCP Stream

25. Export

26. No. Time Source Destination Protocol Length Info
HTTP GET /rnd/ HTTP/1.1
Frame 950: 613 bytes on wire (4904 bits), 613 bytes captured (4904 bits)
Ethernet II, Src: Metallig_43:fd:08 (00:50:bf:43:fd:08), Dst: Cisco_74:e4:00 (00:1a:30:74:e4:00)
Internet Protocol Version 4, Src: ( ), Dst: ( )
Transmission Control Protocol, Src Port: rdrmshc (1075), Dst Port: http (80), Seq: 559, Ack: 813, Len: 559
Source port: rdrmshc (1075)
Destination port : (80)
[Stream index:21]
Sequence number : 559 (relative sequence number)
[Next sequence number : 1118 (relative sequence number)]
Acknowledgement number : 813 (relative ack number)
Header length : 20 bytes
Flags : 0x18 (PSH , ACK)
window size value : 64723
[Calculated window size : 64723]
[window size scaling factor : -2 (no window scaling used)]
Checksum : 0x5306 [validation disabled]
[SEQ/ACK analysis]
Hypertext Transfer Protocol

27. Capture Options

28. Assignments 5 layers Ethernet II frame 802.3 frame Broadcast frame
Deadline: ?