
Analyzing Wireshark Captures and Filters

This document discusses using Wireshark to capture and analyze network data. It provides information on the following:
- Wireshark is a free and open-source packet analyzer that is used for network troubleshooting, analysis, and education. It can display the encapsulation and fields of different networking protocols.
- The document covers installing Wireshark, capturing live network data from different interfaces, analyzing captured data by protocol layers, and using filters to refine packet displays.
- Both capture filters, used to remove unwanted packets during capture, and display filters, used to compare packet fields after capture, are described along with syntax and examples.

Uploaded by

Atikah Ibno Sofa

USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA
CPSC 441 TUTORIAL - JANUARY 30, 2012
TA: RUITING ZHOU

The content of these slides is taken from the CPSC 526 tutorial by Nashd Safa
(extended and partially modified)
• TA: Ruiting Zhou
• Email: rzho@[Link]
• CT hour: Wednesday 4:00pm-5:00pm
  Friday: 11:00am-12:00am
• Math Science Building
• 1st floor, Computer Science Lab
WIRESHARK

• Wireshark (originally named Ethereal) is a free and open-source packet analyzer.
• It is used for network troubleshooting, analysis, software and communication protocol development, and education.
• It has a graphical front-end and many information sorting and filtering options.
FEATURES AND FUNCTIONALITIES OF WIRESHARK

• Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of packets specified by different networking protocols.
• Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, ...
• Data display can be refined using a display filter.
INSTALLING WIRESHARK

• Download Wireshark from [Link]
• Choose the appropriate version according to your operating system.
• (For Windows), during installation agree to install WinPcap as well.
• pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library. Windows uses a port of libpcap known as WinPcap.
• [Link] provides a good tutorial on how to capture data using Wireshark.
BEFORE CAPTURING DATA

• Are you allowed to do this?
  • Ensure that you have permission to capture packets from the network you are connected to. (Corporate policies or applicable law might prohibit capturing data from the network.)
• General setup
  • The operating system must support packet capturing, e.g. capture support is enabled.
  • You must have sufficient privileges to capture packets, e.g. root / Administrator privileges.
  • Your computer's time and time zone settings should be correct.
CAPTURING DATA

• Check that the interfaces are correctly listed.
• Click on the specific interface you want to capture traffic from.
ANALYZING CAPTURED DATA

• Note: the hierarchical display here is upside down compared to the Internet protocol stack that you learn in the lecture.
• HTTP header
WIRESHARK FILTERS

• Two types of filters:
  • Capture filters
  • Display filters
• Wireshark contains a powerful capture filter engine that helps remove unwanted packets from a packet trace and retrieves only the packets of interest.
• Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.
EXAMPLE OF A CAPTURE FILTER

EXAMPLE OF A DISPLAY FILTER

• A display filter separates the packets to be displayed (in this case, only packets with source port 80 are displayed).
WIRESHARK FILTERS

• Comparison operators
  Fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols:
  eq, ==   Equal
  ne, !=   Not equal
  gt, >    Greater than
  lt, <    Less than
  ge, >=   Greater than or equal to
  le, <=   Less than or equal to
WIRESHARK FILTERS

• Logical expressions
  Tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:
  and, &&   Logical AND
  or,  ||   Logical OR
  not, !    Logical NOT
• Some valid filters
  • [Link] == 80 and [Link] == [Link]
  • http and frame[100-199] contains "wireshark"
WIRESHARK FILTERS

• The slice operator
  • You can take a slice of a field if the field is a text string or a byte array. For example, you can filter on the HTTP header fields. Here the header "location" indicates that a REDIRECTION happens:
    [Link][0:4] == "http"
  • Another example is:
    http.content_type[0:4] == "text"
CAPTURE FILTERS

Syntax:   Protocol | Direction | Host(s) | Logical Op. | Other Expression
Example:  tcp      | dst       | [Link]  | and         | host [Link]

• Protocol:
  • Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
  • If no protocol is specified, all the protocols are used.
• Direction:
  • Values: src, dst, src and dst, src or dst
  • If no source or destination is specified, the "src or dst" keywords are applied.
  • For example, "host [Link]" is equivalent to "src or dst host [Link]".
CAPTURE FILTERS

• Host(s):
  • Values: net, port, host, portrange.
  • If no host(s) is specified, the "host" keyword is used.
  • For example, "src [Link]" is equivalent to "src host [Link]".
• Logical operations:
  • Values: not, and, or.
  • Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
  • For example, "not tcp port 3128 and tcp port 80" is equivalent to "(not tcp port 3128) and tcp port 80".
CAPTURE FILTERS (EXAMPLES)

• tcp port 80
  Displays packets with the TCP protocol on port 80.
• ip src host [Link]
  Displays packets with source IP address equal to [Link].
• host [Link]
  Displays packets with source or destination IP address equal to [Link].
• src portrange 2000-2500
  Displays packets with source UDP or TCP ports in the 2000-2500 range.
• src host [Link] and not dst host [Link]
  Displays packets with source IP address equal to [Link] and, at the same time, not with destination IP address [Link].
• (src host [Link] or src host [Link]) and tcp dst portrange 200-10000 and dst host [Link]
  Displays packets with source IP address [Link] or source address 136.159.5.3; the result is then concatenated with packets having destination TCP port range from 200 to 10000 and destination IP address 136.159.5.2.
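The capture-filter syntax table, the defaults (no direction means "src or dst", no qualifier means "host") and the precedence rules (negation highest; "and" and "or" equal, left to right) on the preceding slides, together with the examples just listed, can be checked against a small evaluator. The following is an added example, not code from the slides and not libpcap's own compiler: a Python parser for the primitive forms shown (protocol, direction, host/net/port/portrange, not/and/or), applied to five constructed sample packets that use RFC 5737 documentation addresses. Packet fields, frame numbers and the reduced protocol list are assumptions made for the demonstration.

```python
import ipaddress
import re

PACKETS = [   # constructed sample packets (RFC 5737 documentation addresses)
    {"frame": 1, "proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5", "srcport": 2100, "dstport": 80},
    {"frame": 2, "proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "srcport": 80, "dstport": 2100},
    {"frame": 3, "proto": "tcp", "src": "192.0.2.11", "dst": "198.51.100.5", "srcport": 3000, "dstport": 3128},
    {"frame": 4, "proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.1", "srcport": 2400, "dstport": 53},
    {"frame": 5, "proto": "arp", "src": "192.0.2.1", "dst": "192.0.2.10"},          # no ports
]
PROTOCOLS = ("ether", "ip", "arp", "tcp", "udp")          # subset of the slide's protocol list
QUALIFIERS = ("host", "net", "port", "portrange")
KEYWORDS = {"and", "or", "not", "(", ")"}

class Parser:
    """Slide rules: 'not' binds tightest; 'and' and 'or' share one level, left to right."""
    def __init__(self, text):
        self.toks, self.i = re.findall(r"\(|\)|[^\s()]+", text), 0
    def peek(self, ahead=0):
        j = self.i + ahead
        return self.toks[j] if j < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.parse_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token: " + self.peek())
        return node
    def parse_expr(self):
        node = self.parse_term()
        while self.peek() in ("and", "or"):                  # equal precedence, left-assoc
            node = (self.take(), node, self.parse_term())
        return node
    def parse_term(self):
        if self.peek() == "not":
            return (self.take(), self.parse_term())
        if self.peek() == "(":
            self.take()
            node = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.parse_primitive()
    def parse_primitive(self):
        proto = self.take() if self.peek() in PROTOCOLS else None
        direction = None
        if self.peek() in ("src", "dst"):
            direction = self.take()
            if self.peek() in ("or", "and") and self.peek(1) in ("src", "dst"):
                direction = "src or dst" if self.take() == "or" else "src and dst"
                self.take()
        kind = self.take() if self.peek() in QUALIFIERS else None
        if self.peek() is None or self.peek() in KEYWORDS:    # bare protocol, e.g. "tcp"
            if proto is None or direction or kind:
                raise ValueError("incomplete primitive")
            return ("proto", proto)
        # slide defaults: no direction means "src or dst", no qualifier means "host"
        return ("prim", proto, direction or "src or dst", kind or "host", self.take())

def match_proto(pkt, proto):
    if proto in (None, "ether"):
        return True
    if proto == "ip":                                        # anything carried over IP
        return pkt["proto"] in ("tcp", "udp")
    return pkt["proto"] == proto

def match_side(pkt, side, kind, value):
    if kind == "host":
        return pkt[side] == value
    if kind == "net":
        return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False)
    port = pkt.get(side + "port")                             # None for ARP
    if kind == "port":
        return port == int(value)
    lo, hi = (int(x) for x in value.split("-"))                # portrange lo-hi
    return port is not None and lo <= port <= hi

def evaluate(node, pkt):
    op = node[0]
    if op == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if op == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if op == "not":
        return not evaluate(node[1], pkt)
    if op == "proto":
        return match_proto(pkt, node[1])
    _, proto, direction, kind, value = node
    if not match_proto(pkt, proto):
        return False
    src, dst = match_side(pkt, "src", kind, value), match_side(pkt, "dst", kind, value)
    return {"src": src, "dst": dst, "src or dst": src or dst, "src and dst": src and dst}[direction]

def apply_capture_filter(expr, packets=PACKETS):
    """Frame numbers the filter would keep, in capture order."""
    tree = Parser(expr).parse()
    return [p["frame"] for p in packets if evaluate(tree, p)]
```

On these sample packets apply_capture_filter("not tcp port 3128 and tcp port 80") keeps frames 1 and 2, while "not (tcp port 3128 and tcp port 80)" keeps all five, which is the precedence point the slide makes. Because "and" and "or" sit on the same level, "host 192.0.2.10 or host 192.0.2.11 and udp" is read as "(host ... or host ...) and udp" and keeps only frame 4; add parentheses whenever you mean the other grouping. Real libpcap compiles the same grammar into BPF bytecode, so the point of this evaluator is to make the parsing rules visible, not to replace it.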
DISPLAY FILTERS

Syntax:   Protocol | . | String 1 | . | String 2 | Comparison operator | Value | Logical Op. | Other Expr.
Example:  http     | . | request  | . | method   | ==                  | get   | or          | [Link] == 80

• String1, String2 (optional settings): sub-protocol categories inside the protocol. To find them, look for a protocol and then click on the "+" character.
DISPLAY FILTERS (EXAMPLES)

• [Link] == [Link]
  Displays the packets with source or destination IP address equal to [Link].
• [Link] == "HTTP"
  Displays the HTTP version.
• [Link] == 25
• [Link]
  Displays packets having TCP flags.
• [Link] == 0x02
  Displays packets with the TCP SYN flag set. (Synchronize sequence numbers. Only the first packet sent from each end should have this flag set.)
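The comparison operators, logical expressions and slice operator from the earlier WIRESHARK FILTERS slides, and the display-filter syntax and examples above, are easier to reason about with a small evaluator to hand. The following is an added example, not code from the slides and not Wireshark's own filter engine: a Python evaluator for a subset of display-filter syntax, run over four constructed sample frames whose field names follow Wireshark's conventions (ip.src, tcp.port, http.location, ...). The frames, addresses and the raw bytes attached to frame 3 are made up for the demonstration. It implements both operator spellings from the table, Wireshark's precedence (! above && above ||), bare-field and bare-protocol existence tests, tcp.port matching either port, and the two slice forms [offset:length] and [first-last].

```python
import re

PACKETS = [   # constructed sample frames, one dict of Wireshark-style field names each
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags": 0x02},            # SYN
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags": 0x18, "frame": b"\x00" * 120,
     "http.request.method": "GET", "http.request.version": "HTTP/1.1"},
    {"frame.number": 3, "ip.src": "93.184.216.34", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 51000, "tcp.flags": 0x18, "http.response.code": 302,
     "http.location": "https://example.org/login", "http.content_type": "text/html",
     "frame": b"\x00" * 100 + b"Server: wireshark-demo" + b"\x00" * 78},   # 200 raw bytes
    {"frame.number": 4, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1",
     "udp.srcport": 40000, "udp.dstport": 53},
]
TOKEN_RE = re.compile(r'\s*(==|!=|>=|<=|&&|\|\||[()<>!]|"[^"]*"|[\w.\[\]:-]+)')
FIELD_RE = re.compile(r"([\w.]+)(?:\[(\d+)([:-])(\d+)\])?")
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "not": "!"}            # English-like spellings
COMPARE = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "contains": lambda a, b: (str(b).encode() in a) if isinstance(a, bytes) else str(b) in str(a)}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad filter near: " + text[pos:])
        pos = m.end()
        tokens.append(WORD_OPS.get(m.group(1), m.group(1)))   # normalise to C-like symbols
    return tokens

def literal(tok):
    if tok.startswith('"'):
        return tok[1:-1]                                       # quoted string
    return int(tok, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", tok) else tok   # number, else text (IPv4)

def lookup(packet, field):
    name, lo, sep, hi = FIELD_RE.fullmatch(field).groups()     # None means the field is absent
    value = packet.get(name)
    if value is None and name in ("tcp.port", "udp.port"):    # shorthand for either port
        proto = name.split(".")[0]
        value = [packet[k] for k in (proto + ".srcport", proto + ".dstport") if k in packet] or None
    if value is None and "." not in name:                      # bare protocol: present at all?
        value = True if any(k.startswith(name + ".") for k in packet) else None
    if lo is not None:                                         # slice operator
        if not isinstance(value, (str, bytes)):
            return None
        lo, hi = int(lo), int(hi)
        value = value[lo:lo + hi] if sep == ":" else value[lo:hi + 1]   # [offset:length] or [first-last]
    return value

def parse(text):
    toks, pos = tokenize(text) + [None], [0]                   # None = end-of-input sentinel
    peek = lambda: toks[pos[0]]
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary(level):                                         # level 0 = '||', level 1 = '&&'
        if level == 2:
            return unary()
        node = binary(level + 1)
        while peek() == ("||", "&&")[level]:
            node = (take(), node, binary(level + 1))
        return node
    def unary():                                               # '!' binds tightest
        if peek() == "!":
            return (take(), unary())
        tok = take()
        if tok == "(":
            node = binary(0)
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if peek() in COMPARE:
            return ("cmp", tok, take(), literal(take()))
        return ("exists", tok)                                 # bare field or protocol name
    node = binary(0)
    if peek() is not None:
        raise ValueError("unexpected token: " + peek())
    return node

def evaluate(node, packet):
    kind = node[0]
    if kind == "||":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "&&":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "!":
        return not evaluate(node[1], packet)
    value = lookup(packet, node[1])
    if kind == "exists" or value is None:
        return value is not None
    return any(COMPARE[node[2]](v, node[3]) for v in (value if isinstance(value, list) else [value]))

def apply_filter(expr, packets=PACKETS):
    """Frame numbers the display filter would leave visible."""
    tree = parse(expr)
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

With these frames, apply_filter('http.location[0:4] == "http"') and apply_filter('http.content_type[0:4] == "text"') both return [3], the redirect response, and apply_filter('http and frame[100-199] contains "wireshark"') finds the same frame through the byte-range slice. Note that 'not tcp and ip.src == 10.0.0.5' returns [4] because ! binds tighter than &&, whereas 'not (tcp and ip.src == 10.0.0.5)' returns [3, 4]; the parentheses change which packets you are looking at.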
