What is a network protocol?
A network protocol is an established set of rules that determine how data is transmitted between different devices in the same network. Essentially, it allows connected devices to communicate with each other, regardless of any differences in their internal processes, structure, or design.
What is Wireshark?
Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is pcapng, or pcap, which is also the format used by tcpdump and various other tools.
Wireshark can also be used to intercept and analyze encrypted TLS traffic. The symmetric session keys are held by the browser, and with the appropriate browser setting (and with the permission and knowledge of the user) an administrator can load those session keys into Wireshark and examine the decrypted web traffic. Wireshark also comes with graphical tools to visualize statistics, which makes it easy to spot general trends and to present findings to less technical management. This is a practical course, so you will explore much more hands-on.
What will you learn?
In this course, you will first be introduced to the Wireshark tool. Once you know the different features and navigation of Wireshark, we will move on to the Analysis of Protocol Structure, where the following protocols will be explained in detail:
- ARP
- ICMP
- IP
- UDP
- TCP
- DHCP
- DNS
- HTTP
- FTP
Using Wireshark Effectively
1. Introduction to Network Protocol Analyzing
This is an introductory part.
2. Selecting a Capture Interface and Creating the First pcap File
Step 1: Open the Wireshark tool and select the interface on which to capture the network traffic.
Step 2: When Wireshark opens, it lists all interfaces on the system. Select the interface on which the traffic needs to be captured. Alternatively, press the capture icon on the main toolbar to start capturing network traffic, as shown below.
After selecting the interface, click Start.
Step 3: Browse something and check that the packet count increases, then stop capturing using the Stop icon on the main toolbar.
Step 4: To save the capture, go to File | Save, select the storage path, give the name first-capture and click Save.
3. Using Capture Filters
In this lab, we will see how to create and use a capture filter. A capture filter is applied while packets are being captured, so packets it excludes are never written to the trace file (unlike a display filter, which only hides packets that are already in the file).
Step 1: Click Capture > Options. The Capture Options dialog will appear.
Step 2: Select the interface and enter the capture filter. To see which capture filters are available, go to Capture > Capture Filters. If necessary, more capture filters can be added with the add button in that dialog.
Step 3: After entering the capture filter, for example 'tcp', click Start.
Step 4: Visit www.netlab.co.in from your browser. Toggle back to Wireshark and click the stop capture button.
Step 5: Your trace file will contain only TCP traffic. After reviewing the result, clear the capture filter; otherwise Wireshark will use the same capture filter the next time you begin a capture.
4. Find, Mark and Save Interesting Packets
In this lab, we will see how to find and save the packets of a TCP 3-way handshake.
Step 1: Open general.pcapng; you will find 14652 packets in it.
Step 2: Filter the TCP packets by applying the display filter 'tcp'. Check packets number 148, 152 and 156: together they form a TCP 3-way handshake (SYN, SYN/ACK, ACK).
Step 3: Right click on the packet and click Mark, or select the packet and press Ctrl+M. Do this for all three packets.
Step 4: Go to File > Export Specified Packets > choose selected packets > give a name (tcp-3way-handshake) > click Save.
5. Navigate Through Menus and Status Bar
Here we will see how to use the Wireshark menus and navigation elements and what each of them does.
(2) Main menu – standard menu
(3) Main toolbar – learn to use this set of icon buttons!
(4) Display Filter and Filter Expressions area – focus on specific traffic
(5) Packet List pane – packet relationship indicator and summary of each frame
(6) Packet Details pane – dissected frames
(7) Packet Bytes pane – hex and ASCII details
(8) Status Bar – access to the Expert, annotations, packet counts, and profiles.
Main menu:
Edit - change preferences, clear marked/ignored packets, and time references
View - view/hide toolbars and panes, edit the time column setting, reset colouring
Go - navigate the packets and auto scroll live packets
Capture - capture interface, start capturing and stop capturing
Analyze - create display filter macros, see enabled protocols, save forced decodes
Statistics - build graphs and open statistics windows for various protocols
Telephony - perform all telephony-related functions (graphs, charts, play-back)
Wireless - perform Bluetooth and WLAN functions (devices, statistics)
Tools - access the Lua scripting console and jump to resources
Help - check for updates, access Wireshark folder information and shortcut list
Main toolbar: The icon buttons on the main toolbar give quick access to files and the other options shown below.
Filter Toolbar: The filter toolbar is used to pick out particular packets from a trace file that contains a huge number of packets.
Status Bar:
The status bar contains two buttons and three columns.
(1). Expert Information Button - This button is coloured to show you the highest level of information contained in the Expert Information window. The Expert Information window can alert you to numerous network concerns seen in the trace file as well as packet comments. We will work with the Expert Information window in Use the Expert Information Button on the Status Bar.
(2). Annotation Button - Click this button to add, edit, or view a trace file comment. The trace file must then be saved in .pcapng format to preserve the comment.
(3). Trace File Information - The first column shows a field name and the corresponding display filter field name. Click around inside the Packet Details pane to see the contents of this first column change.
(4). Packet Counts - When you open a saved trace file, the second column indicates the total number of packets in the file, together with the number and percentage of packets currently displayed.
(5). Profile - The third column indicates your current profile. Profiles are created so you can customize your Wireshark environment.
Analysis of Protocol Structure
6. Filtering Low TTL Value Packets
Time to Live (TTL) is a mechanism used to limit the lifespan of data on a network. Each router that forwards a packet decrements its TTL, and when the prescribed TTL elapses the packet is dropped. The idea behind this mechanism is to prevent any data packet from looping forever.
Step 1: Open low-ttl.pcapng; you will find 6607 packets in it.
Step 2: Apply the display filter ip.ttl < 20. It will show 102 packets with a TTL less than 20, which is a low TTL.
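The two checks from labs 4 and 6 (spotting a SYN, SYN/ACK, ACK handshake and the ip.ttl < 20 display filter) can be reproduced outside Wireshark with a small dissector. The following is an added example written for this page, not Wireshark's own code or the course's: it parses constructed IPv4 and TCP headers with Python's struct module, and the addresses, ports, sequence numbers and TTL values are all made up (the IP addresses come from the RFC 5737 documentation ranges). The handshake matcher goes slightly beyond the lab by also checking the sequence/acknowledgement arithmetic, so a stray SYN with no reply is not reported.

```python
"""Added example (not Wireshark's code): a tiny IPv4/TCP dissector applied to
constructed packets, reproducing two checks from the labs: the display filter
ip.ttl < 20 and identifying a TCP three-way handshake (SYN, SYN/ACK, ACK)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10
SEQ_MASK = 0xFFFFFFFF          # TCP sequence numbers wrap at 2**32


@dataclass
class Packet:
    no: int                     # frame number, as in Wireshark's No. column
    src: str
    dst: str
    ttl: int
    proto: int                  # 1 = ICMP, 6 = TCP, 17 = UDP
    sport: Optional[int] = None
    dport: Optional[int] = None
    seq: Optional[int] = None
    ack: Optional[int] = None
    flags: int = 0


def dissect_ipv4(no: int, raw: bytes) -> Packet:
    """Parse an IPv4 header (no Ethernet framing) and, for TCP, the TCP header."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError(f"frame {no}: not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = Packet(no, ".".join(map(str, src)), ".".join(map(str, dst)), ttl, proto)
    if proto == 6 and len(raw) >= ihl + 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        pkt.sport, pkt.dport, pkt.seq, pkt.ack = sport, dport, seq, ack
        pkt.flags = off_flags & 0x01FF            # low 9 bits are the TCP flags
    return pkt


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 header; checksum left at 0 since nothing here verifies it."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       to_bytes(src), to_bytes(dst)) + payload


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: data offset 5 words, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def filter_low_ttl(packets: List[Packet], threshold: int = 20) -> List[Packet]:
    """Equivalent of the display filter  ip.ttl < threshold."""
    return [p for p in packets if p.ttl < threshold]


def find_handshakes(packets: List[Packet]) -> List[Tuple[int, int, int]]:
    """Return (syn, syn_ack, ack) frame-number triples for completed 3-way handshakes.
    Besides the flag pattern it checks the sequence arithmetic Wireshark shows:
    SYN/ACK acknowledges SYN.seq+1 and the final ACK acknowledges SYN/ACK.seq+1."""
    pending = {}   # (client, cport, server, sport) -> [syn_no, syn_seq, synack_no, synack_seq]
    done = []
    for p in (q for q in packets if q.proto == 6):
        sa = p.flags & (TCP_SYN | TCP_ACK)
        fwd = (p.src, p.sport, p.dst, p.dport)
        if sa == TCP_SYN:
            pending[fwd] = [p.no, p.seq, None, None]
        elif sa == (TCP_SYN | TCP_ACK):
            st = pending.get((p.dst, p.dport, p.src, p.sport))   # reverse direction
            if st and p.ack == (st[1] + 1) & SEQ_MASK:
                st[2], st[3] = p.no, p.seq
        elif sa == TCP_ACK:
            st = pending.get(fwd)
            if (st and st[2] is not None and p.seq == (st[1] + 1) & SEQ_MASK
                    and p.ack == (st[3] + 1) & SEQ_MASK):
                done.append((st[0], st[2], p.no))
                del pending[fwd]
    return done


# Constructed sample capture: addresses from the RFC 5737 documentation ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"
SAMPLE_PACKETS = [
    build_ipv4(CLIENT, "192.0.2.1", 64, 17, b"\x00" * 8),                                 # 1: UDP
    build_ipv4(CLIENT, SERVER, 64, 6, build_tcp(51000, 80, 1000, 0, TCP_SYN)),             # 2: SYN
    build_ipv4(SERVER, CLIENT, 12, 6, build_tcp(80, 51000, 5000, 1001, TCP_SYN | TCP_ACK)),  # 3: SYN/ACK, low TTL
    build_ipv4(CLIENT, SERVER, 64, 6, build_tcp(51000, 80, 1001, 5001, TCP_ACK)),          # 4: ACK
    build_ipv4(CLIENT, SERVER, 1, 1, b"\x08\x00\x00\x00"),                                # 5: ICMP echo, TTL 1
    build_ipv4(CLIENT, SERVER, 64, 6, build_tcp(51001, 443, 7000, 0, TCP_SYN)),            # 6: unanswered SYN
]


def dissect_all(raw_packets: List[bytes]) -> List[Packet]:
    """Number the frames from 1, as Wireshark does, and dissect each one."""
    return [dissect_ipv4(i, raw) for i, raw in enumerate(raw_packets, start=1)]


if __name__ == "__main__":
    pkts = dissect_all(SAMPLE_PACKETS)
    print("ip.ttl < 20 :", [(p.no, p.src, p.ttl) for p in filter_low_ttl(pkts)])
    print("handshakes  :", find_handshakes(pkts))
```

Run as a script it prints frames 3 and 5 as the low-TTL packets and (2, 3, 4) as the one completed handshake; frame 6, a SYN that never gets a reply, is correctly ignored, which is the same reason the lab has you check three specific packet numbers rather than every SYN.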
7. Finding a Text String in a Trace File
The find-string method is used to find out which packets in the whole trace file contain a particular string.
Step 1: Open first-capture.pcapng and check the status bar: this capture file contains 5566 packets.
Step 2: Open Edit > Find Packet; a search prompt will appear below the filter area. Alternatively, press the Find a Packet button on the main toolbar.
Step 3: Change the search type to String.
Step 4: Enter the string value you want to find (facebook) and press Find. It shows the packets which contain the required string.
Packets number 3583, 3586, 3758, 3773, 4305, 4325, 5520 and 5522 contain the required string.
8. Configuring Global Preferences
Global preferences are one of the best options of Wireshark. We can edit the settings to our requirements; here we are going to see the basics of configuring preferences.
Step 1: Open Wireshark and go to Edit | Preferences; the Preferences dialog will appear.
Appearance holds some general settings, such as the list of recent files.
Column:
The default columns in the Wireshark Packet List pane are:
No.: Packet number (this value never changes for each packet)
Time: Setting based on View | Time Display Format setting
Source: Highest layer source address identified (hardware/network)
Destination: Highest layer destination address identified (hardware/network)
Protocol: Highest layer protocol identified
Length: Length of the frame
Info: Protocol-specific details for each packet
Font and Colours is used to change the font style and font size.
Layout is used to change the arrangement of the packet panes in the main window.
Capture:
Capture packets in promiscuous mode: If an adapter is capturing in promiscuous mode, that adapter is capturing and passing up packets that are addressed to any hardware address, not just the local hardware address. This is an essential function in network analysis.
Capture packets in pcapng format: The .pcapng format is a newer format for packet capture. Trace files captured directly into .pcapng format include metadata about the capture interface and any capture filter that may have been applied during the capture process.
Update list of packets in real time: Rather than wait for you to stop a capture to view the packets, this setting enables you to begin your analysis of the traffic as packets are being captured.
Automatic scrolling in live capture: This feature scrolls the Packet List pane so the most recently captured packets are always in view. On a busy network, you likely will not be able to do a live analysis as thousands of packets scroll past you on the screen, but this is a nice feature on a quieter network or when filtering is in place.
Filter Expression Buttons: You can select Edit | Preferences | Filter Expressions to save your favorite display filters as buttons to apply them more quickly to your trace files. There is a faster way to create these buttons, however. We will cover the process of making Filter Expression buttons in Turn Your Key Display Filters into Buttons.
Name Resolution Settings: Select Edit | Preferences | Name Resolution to view or change the way Wireshark deals with MAC address, port, and IP address resolution.
Resolve MAC addresses: By default, Wireshark resolves the first three bytes of the MAC addresses (the OUI) to friendly names using the manuf file in the Wireshark program file directory.
Resolve transport names: Transport names, such as "ftp" instead of port 21, are resolved using the services file in the Wireshark program file directory.
Resolve network (IP) addresses: If you want Wireshark to resolve host names, enable Network Name Resolution. There are five extra configuration options for resolving network addresses.
Use captured DNS packet data for address resolution: If enabled, Wireshark examines all the name resolution packets (such as DNS) in the trace file and uses that information to resolve host names. This is an excellent method for resolving names without transmitting any queries onto the network.
Use an external network name resolver: If enabled, Wireshark will send DNS Pointer (PTR) queries to obtain host names if they can't be obtained from another source, such as the DNS cache, a hosts file, or DNS packets that are already in the trace (not sent by Wireshark). This extra traffic will show up in your trace files and may create extra work for your DNS server.
Maximum concurrent requests: This number indicates how many concurrent queries can be sent to the DNS server. Keeping this number low will reduce the load on your DNS server.
Protocols: You can select Edit | Preferences | Protocols to view all the protocols and applications that contain editable settings. Many of the protocols and applications interpreted by Wireshark have dissection options that can be changed. Those options can be as simple as changing the default port that an application uses.
9. Merging Multiple Trace Files
Step 1: Our objective is to merge first-capture.pcapng and dhcp.pcapng. Open first-capture.pcapng.
Step 2: Go to File > Merge. Select dhcp.pcapng and click Open. The 15 packets of dhcp.pcapng will be added at the bottom of the current file.
Save it as merge.pcapng.
Likewise, you can merge multiple trace files.
10. Create a Colouring Rule to Detect Specific Traffic
In Wireshark, colouring rules are used to easily identify specific packets. Wireshark has some default colouring rules, which you can edit, import, export and disable as needed.
Wireshark does not have a default rule for HTTP errors, so we are going to create a colouring rule for HTTP errors, specifically HTTP error 404 (Not Found).
Step 1: Open http-errors.pcapng and check the status bar: this capture file contains 13350 packets.
Step 2: Open packet number 2, select Hypertext Transfer Protocol, expand all, right click Status Code and select Colorize with Filter | New Coloring Rule.
Step 3: After clicking New Coloring Rule, the colouring rules prompt will appear. Double click the name label to change the rule name to Http 404 error, change the colour of the rule using the Foreground and Background buttons and click OK.
Step 4: After creating the colouring rule, enable packet colouring using the button on the main toolbar. The packets which contain the 404 error then change colour to red and white.
Step 5: Another way to create a colouring rule is to go to View > Coloring Rules.
The colouring rules prompt will then appear, where you can create, modify, remove and duplicate rules.
11. Understanding Columns and Time Value Evaluation
When troubleshooting slow network communications, it is important to focus on the Time column. Slow network performance can be due to high latency, access errors, an excessive number of packets required to obtain data, or a number of other causes.
When poor performance is due to delays in the communications, look for large gaps in time between a request and its acknowledgement, an acknowledgement and the response, and so on.
How does Wireshark measure packet time?
During the capture process, Wireshark gets the timestamps from the libpcap/WinPcap library, which gets them from the operating system kernel. When you save a trace file, the packet timestamps are saved with that file (in each packet's record header) so packet arrival times can be displayed when the file is opened.
The pcap file format consists of a record header for each packet. These record headers contain a 4-byte value that defines the timestamp of that packet in seconds since January 1, 1970 00:00:00 Coordinated Universal Time (UTC). This field is followed by another 4-byte value defining the microseconds since that point in time. The time zone and current time setting of the capturing host are used in defining the packet timestamp.
Step 1: Open http-delay.pcapng.
Step 2: To isolate slow performance caused by high latency, set the Time column value to Seconds since Previous Displayed Packet using View > Time Display Format > Seconds since Previous Displayed Packet.
Step 3: Sort the Time column to identify packets that have a large delay between them. We have added another column for the delta time setting by expanding the Frame section of a packet and right clicking on the Time delta from previous displayed frame line > Apply as Column.
Step 4: Click twice on the new delta time column heading to sort from highest to lowest delta time. At the top of the sorted packet list, we see the large delays between displayed packets.
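The record-header layout described above (4-byte seconds since the 1970 UTC epoch, then a 4-byte fraction) and the delta-time sort of Steps 2 to 4 can be worked through directly on the bytes. The following is an added example written for this page, not Wireshark's or libpcap's own code: it constructs a small classic pcap file in memory, parses its global header and record headers, converts every timestamp to integer nanoseconds so no precision is lost, and computes the same "Seconds since Previous Displayed Packet" column and highest-first sort that the lab uses. It goes beyond the text in one respect: besides the microsecond layout described above it also recognises the big-endian byte order and the nanosecond-resolution magic number that real pcap files may carry. The four frames, their timestamps and their contents are constructed; the packet bytes are just filler around an HTTP request and response line.

```python
"""Added example (not Wireshark's code): write and read the classic pcap format
described above, then compute the per-packet delta time of Steps 2-4."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

MAGIC_USEC = 0xA1B2C3D4   # timestamps as seconds + microseconds (the layout described above)
MAGIC_NSEC = 0xA1B23C4D   # variant with seconds + nanoseconds
NS_PER_S = 1_000_000_000


@dataclass
class Frame:
    no: int
    ts_ns: int        # absolute capture time, nanoseconds since 1970-01-01 00:00:00 UTC
    orig_len: int
    data: bytes


def build_pcap(records: List[Tuple[int, int, bytes]], nanosecond: bool = False,
               little_endian: bool = True) -> bytes:
    """Construct a pcap file in memory from (ts_sec, ts_fraction, frame bytes) tuples."""
    e = "<" if little_endian else ">"
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack(e + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac, data in records:
        out += struct.pack(e + "IIII", sec, frac, len(data), len(data)) + data
    return out


def parse_pcap(blob: bytes) -> Tuple[int, List[Frame]]:
    """Return (linktype, frames). Byte order and time resolution come from the magic number."""
    magic, = struct.unpack("<I", blob[:4])
    e = "<"
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        magic, = struct.unpack(">I", blob[:4])
        e = ">"
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a classic pcap file (pcapng uses a different block layout)")
    frac_to_ns = 1 if magic == MAGIC_NSEC else 1000
    _, _major, _minor, _thiszone, _sigfigs, _snaplen, linktype = struct.unpack(e + "IHHiIII", blob[:24])
    frames, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, incl_len, orig_len = struct.unpack(e + "IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"record {len(frames) + 1} is truncated")
        frames.append(Frame(len(frames) + 1, sec * NS_PER_S + frac * frac_to_ns, orig_len, data))
        off += 16 + incl_len
    return linktype, frames


def delta_to_previous(frames: List[Frame]) -> List[Tuple[int, int]]:
    """Wireshark's 'Seconds since Previous Displayed Packet', here in nanoseconds."""
    out, prev = [], None
    for f in frames:
        out.append((f.no, 0 if prev is None else f.ts_ns - prev))
        prev = f.ts_ns
    return out


def largest_gaps(frames: List[Frame], n: int = 3) -> List[Tuple[int, int]]:
    """Step 4: the delta column sorted highest first; the top entries are the delays to chase."""
    return sorted(delta_to_previous(frames), key=lambda x: x[1], reverse=True)[:n]


def format_ts(ts_ns: int) -> str:
    """Absolute time as Wireshark would show it to a viewer whose time zone is UTC."""
    sec, frac = divmod(ts_ns, NS_PER_S)
    return datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + f".{frac:09d}"


# Constructed trace: an HTTP request/response pair where the server answers 2.5 s late.
SAMPLE_RECORDS = [
    (1_700_000_000, 100,     b"\x00" * 54 + b"GET / HTTP/1.1"),   # 1: request
    (1_700_000_000, 350,     b"\x00" * 54),                        # 2: server ACK, 250 us later
    (1_700_000_002, 500_350, b"\x00" * 54 + b"HTTP/1.1 200 OK"),  # 3: response, 2.5 s later
    (1_700_000_002, 501_350, b"\x00" * 54),                        # 4: client ACK, 1 ms later
]

if __name__ == "__main__":
    linktype, frames = parse_pcap(build_pcap(SAMPLE_RECORDS))
    for f, (_, delta) in zip(frames, delta_to_previous(frames)):
        print(f"{f.no}  {format_ts(f.ts_ns)}  delta={delta / NS_PER_S:.6f}s  len={f.orig_len}")
    print("largest gaps:", largest_gaps(frames, 2))
```

The stored value is always the UTC epoch time; what changes between viewers is only how Wireshark renders it in the local time zone, which is why two analysts in different countries see different wall-clock times for the same frame but the same delta values. Frame 3 lands at the top of the sorted delta column, pointing at the slow server response, exactly the pattern Step 4 has you look for.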