Networking Laboratory 1/56
Sungkyunkwan University
Copyright 2000-2017 Networking Laboratory
Network Analyzer: Introduction to Wireshark
Part 2
Syed M. Raza – [email protected]
H. Choo – [email protected]
Recap
Introduction (1/3)
Network Traffic Trace
► A recording of the network packets both received by and transmitted
from a network interface
What is a pcap file?
► pcap = Packet Capture
► File format originally designed for tcpdump/libpcap
► Most widely used packet capture format
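The pcap container described above is simple enough to read by hand. The following reader is an added example for these slides, not Wireshark or libpcap code: it checks the magic number (which fixes the writer's byte order and the timestamp unit), unpacks the 24-byte global header and the 16-byte per-record headers, refuses lengths that disagree with the snaplen or the file size (the usual way a hostile or corrupt trace crashes a sloppy parser), and shows how a snaplen shorter than the frame leaves the captured length below the on-wire length. The two-record capture it parses is constructed in memory, so it runs offline; the timestamps and frame sizes are made up.

```python
"""Minimal reader for the classic pcap container (libpcap/tcpdump format).

Added example for these slides, not Wireshark or libpcap code.  Layout:
a 24-byte global header (magic, version, thiszone, sigfigs, snaplen,
linktype) followed by records, each a 16-byte header (ts_sec, ts_frac,
caplen, origlen) plus caplen bytes of frame data.  The sample capture
below is constructed in memory so the example runs offline.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

# The magic number tells you the writer's byte order and timestamp resolution.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN, RECORD_HEADER_LEN = 24, 16
MAX_SANE_SNAPLEN = 262144  # libpcap's own upper bound; anything larger is corrupt or hostile


class PcapHeader(NamedTuple):
    byte_order: str
    ticks_per_second: int
    version: Tuple[int, int]
    snaplen: int
    linktype: int


class Record(NamedTuple):
    ts: float      # absolute time, seconds since the Unix epoch
    caplen: int    # bytes stored in the file (never more than snaplen)
    origlen: int   # bytes of the frame on the wire (Wireshark's Length column)
    data: bytes


def parse_global_header(buf: bytes) -> PcapHeader:
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    try:
        order, ticks = PCAP_MAGICS[buf[:4]]
    except KeyError:
        raise ValueError("not a classic pcap file, magic %s" % buf[:4].hex()) from None
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", buf[4:24])
    if snaplen > MAX_SANE_SNAPLEN:
        raise ValueError("implausible snaplen %d" % snaplen)
    return PcapHeader(order, ticks, (major, minor), snaplen, linktype)


def iter_records(buf: bytes, hdr: PcapHeader) -> Iterator[Record]:
    """Walk the records, refusing lengths that disagree with the header or the file size."""
    off = GLOBAL_HEADER_LEN
    while off < len(buf):
        if len(buf) - off < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, origlen = struct.unpack(hdr.byte_order + "IIII", buf[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # A record can hold at most snaplen bytes, and never more than was on the wire.
        if caplen > hdr.snaplen or caplen > origlen:
            raise ValueError("bad lengths caplen=%d origlen=%d at offset %d" % (caplen, origlen, off))
        if len(buf) - off < caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        yield Record(sec + frac / hdr.ticks_per_second, caplen, origlen, buf[off:off + caplen])
        off += caplen


def summarize(buf: bytes) -> Tuple[PcapHeader, List[dict]]:
    """One row per record: time relative to the first packet, lengths, and whether snaplen truncated it."""
    hdr = parse_global_header(buf)
    rows, first_ts = [], None
    for rec in iter_records(buf, hdr):
        if first_ts is None:
            first_ts = rec.ts
        rows.append({"rel_time": rec.ts - first_ts, "caplen": rec.caplen,
                     "length": rec.origlen, "truncated": rec.caplen < rec.origlen})
    return hdr, rows


def build_sample_pcap(order: str = "<", snaplen: int = 96) -> bytes:
    """Constructed two-record capture: a 60-byte frame and a 1514-byte frame cut at snaplen."""
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in ((1500000000, 250000, bytes(60)), (1500000001, 500000, bytes(1514))):
        caplen = min(len(frame), snaplen)
        out += struct.pack(order + "IIII", sec, usec, caplen, len(frame)) + frame[:caplen]
    return out


if __name__ == "__main__":
    hdr, rows = summarize(build_sample_pcap())
    print("snaplen=%d linktype=%d" % (hdr.snaplen, hdr.linktype))
    for n, row in enumerate(rows, 1):
        print(n, "%.6f" % row["rel_time"], row["caplen"], row["length"], "truncated" if row["truncated"] else "")
```

Pointing `summarize()` at the bytes of a real file written by tcpdump or Wireshark works the same way; the pcapng format that Wireshark writes by default starts with a different magic and is rejected rather than misparsed.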
Introduction (2/3)
What is Wireshark?
► Formerly known as Ethereal
► A GUI network protocol analyzer
► Built on the pcap capture library, so it reads and writes pcap files
► Found at http://www.wireshark.org
► The complete manual (the Wireshark User's Guide) is available from that site
Introduction (3/3)
Some of its functions
► Capturing network traffic from an interface
► Decoding (dissecting) packets of common protocols
► Displaying the network traffic in human-readable form
Some of its uses
► Troubleshoot network problems
► Learn network protocol internals
► Debug protocol/program implementations
► Examine network-related security issues
Wireshark GUI
Wireshark GUI and Layout
Video: a brief introduction to the Wireshark GUI, its options and layout
Wireshark Startup
Main screen: the list of interfaces
► Select one of the listed interfaces to start a capture on that interface
Screen Layout of Wireshark
► Menu
► Packet List – one summary line per packet, briefly describing what the packet is
► Packet Details – the protocol tree of the selected packet, shown in detail so you can drill down into the fields of interest
► Packet Bytes – shows what the selected packet looked like as it went over the wire (hex dump and ASCII)
► Status bar – shows the filename of the current capture file
Basic UI Options (1/2)
Change the columns in the packet list to see the information relevant to you
► Edit -> Preferences -> Columns
► The Preferences dialog groups the interface-related options; Columns is one of them
► New columns can be added and existing columns removed
► The title of a column and the information shown in it can be changed
► Select the type of information (protocol field) shown in each column
Basic UI Options (2/2)
File -> Open
► Opens a packet capture file
View -> Time Display Format
► Change the format of the packet timestamps in the packet list pane
► Switch between absolute timestamps and timestamps relative to the start of the capture or the previous packet
► Change the level of precision
View -> Name Resolution
► Allow Wireshark to resolve names from addresses at different protocol layers (MAC vendor, network address, transport port)
► Network-layer resolution issues DNS lookups from the analysis host, so leave it off when a capture must be examined offline or without alerting anyone
Enabled Protocols (Analyze -> Enabled Protocols)
The enabled protocol list shows which protocols Wireshark can understand and dissect (parse)
It is a huge list covering almost all common protocols, and it is updated with every new release
Wireshark Packet Capture and Options
Video: a brief introduction to the packet capture options
Packet Capture
Capture -> Interfaces
► Available network interfaces for capture (all interfaces in the system, with their status)
► Total packets per interface
► Packet rate per interface
Capture Options
► Interface: specify the interface to be monitored
► Promiscuous mode: record all traffic the interface sees, even traffic not addressed to you
► Snapshot length (snaplen): capture only the first N bytes of each packet
► Capture file: store the result in a file
► Stop conditions: stop the capture automatically after a number of packets, bytes or seconds
► Capture filter: capture only certain packets (the filter is applied before packets are stored, unlike a display filter)
Capturing needs raw access to the interface; on Linux give that privilege to dumpcap (or the wireshark group) rather than running the whole GUI as root
Start Capturing
Stop Capturing
Packet List (1/2)
Displays all of the packets in the trace in the order they were recorded
Columns
► No. – the frame number, in recording order
► Time – the timestamp at which the packet crossed the interface
► Source – the originating host of the packet
► Destination – the host to which the packet was sent
► Protocol – the highest-level protocol that Wireshark can detect in the packet
► Length – the length in bytes of the packet on the wire (not the captured length, if a snaplen cut it short)
► Info – an informational message pertaining to the protocol in the Protocol column
Packet List (2/2)
Coloring
► Default coloring
  Gray – TCP packets
  Black with red letters – TCP packets with errors
  Green – HTTP packets
  Light blue – UDP packets
  Pale blue – ARP packets
  Lavender – ICMP packets
  Black with green letters – ICMP packets with errors
► Coloring rules can be changed under View -> Coloring Rules
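To make the Protocol, Info and coloring rules above concrete, the following mini dissector is an added example for these slides, not Wireshark's own dissector code. It parses Ethernet, ARP, IPv4, ICMP, UDP and TCP headers, labels a TCP segment as HTTP when an HTTP request or status line sits on top of it (the "highest protocol detected" rule), and assigns the default color named on the slide for that protocol. The five frames it lists are constructed inline with made-up addresses; IP and TCP checksums are left at zero because nothing here verifies them.

```python
"""Mini dissector that fills the packet-list columns for a few Ethernet frames.

Added example for these slides, not Wireshark code.  It implements the rule
behind the Protocol column (report the highest layer recognised) and applies
the default colour names quoted on the slide.  Sample frames are constructed.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
# Default colouring as listed on the slide, keyed by the Protocol column value.
DEFAULT_COLORS = {"TCP": "gray", "HTTP": "green", "UDP": "light blue", "ARP": "pale blue", "ICMP": "lavender"}


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def dissect(frame: bytes) -> Dict[str, object]:
    """Return Source, Destination, Protocol, Length, Info and colour for one frame."""
    row = {"src": "", "dst": "", "proto": "Ethernet", "len": len(frame), "info": "Runt frame"}
    if len(frame) >= 14:
        ethertype = struct.unpack("!H", frame[12:14])[0]
        row.update(src=mac(frame[6:12]), dst=mac(frame[:6]), info="Ethertype 0x%04x" % ethertype)
        payload = frame[14:]
        if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
            _dissect_arp(payload, row)
        elif ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
            _dissect_ipv4(payload, row)
    row["color"] = DEFAULT_COLORS.get(row["proto"], "white")
    return row


def _dissect_arp(p: bytes, row: dict) -> None:
    oper = struct.unpack("!H", p[6:8])[0]
    spa, tpa = IPv4Address(p[14:18]), IPv4Address(p[24:28])
    row["proto"] = "ARP"
    row["info"] = "Who has %s? Tell %s" % (tpa, spa) if oper == 1 else "%s is at %s" % (spa, mac(p[8:14]))


def _dissect_ipv4(p: bytes, row: dict) -> None:
    ihl, proto = (p[0] & 0x0F) * 4, p[9]
    row.update(src=str(IPv4Address(p[12:16])), dst=str(IPv4Address(p[16:20])), proto="IPv4", info="protocol %d" % proto)
    if ihl < 20 or ihl > len(p):
        row["info"] = "Bogus IP header length %d" % ihl  # malformed: stop at the IP layer
        return
    l4 = p[ihl:]
    if proto == IPPROTO_ICMP and len(l4) >= 4:
        row.update(proto="ICMP", info={8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(l4[0], "Type %d" % l4[0]))
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sp, dp = struct.unpack("!HH", l4[:4])
        row.update(proto="UDP", info="%d -> %d" % (sp, dp))
    elif proto == IPPROTO_TCP and len(l4) >= 20:
        sp, dp = struct.unpack("!HH", l4[:4])
        doff, flags = (l4[12] >> 4) * 4, l4[13]
        names = [name for bit, name in TCP_FLAGS if flags & bit]
        row.update(proto="TCP", info="%d -> %d [%s]" % (sp, dp, ", ".join(names)))
        data = l4[doff:] if 20 <= doff <= len(l4) else b""
        # The highest recognised layer wins: an HTTP message on top of TCP is shown as HTTP.
        if data.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")) and b"\r\n" in data:
            row.update(proto="HTTP", info=data.split(b"\r\n", 1)[0].decode("ascii", "replace"))


def packet_list(frames: List[bytes]) -> List[dict]:
    """Number the rows in recording order, like the No. column."""
    return [dict(no=n, **dissect(f)) for n, f in enumerate(frames, 1)]


# --- constructed sample frames (made-up addresses, zero checksums) ---------
def _ether(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", ethertype) + payload

def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def _tcp(sp: int, dp: int, flags: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sp, dp, 1, 0, 5 << 4, flags, 65535, 0, 0) + data

SAMPLE_FRAMES = [
    _ether(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, bytes.fromhex("001122334455"),
                                     IPv4Address("10.0.0.2").packed, bytes(6), IPv4Address("10.0.0.1").packed)),
    _ether(ETHERTYPE_IPV4, _ipv4("10.0.0.2", "93.184.216.34", IPPROTO_TCP, _tcp(40000, 80, 0x02))),
    _ether(ETHERTYPE_IPV4, _ipv4("10.0.0.2", "93.184.216.34", IPPROTO_TCP,
                                 _tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
    _ether(ETHERTYPE_IPV4, _ipv4("10.0.0.2", "10.0.0.1", IPPROTO_UDP, struct.pack("!HHHH", 53000, 53, 8, 0))),
    _ether(ETHERTYPE_IPV4, _ipv4("10.0.0.2", "10.0.0.1", IPPROTO_ICMP, bytes([8, 0, 0, 0]) + bytes(4))),
]

if __name__ == "__main__":
    for r in packet_list(SAMPLE_FRAMES):
        print("%(no)d %(src)-18s %(dst)-18s %(proto)-5s %(len)4d %(info)s (%(color)s)" % r)
```

Every length check in `dissect()` is there for the same reason Wireshark's dissectors carry them: a frame cut short by the snaplen, or a deliberately malformed header, must degrade to a lower-layer row rather than crash the analyzer.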
Column Sorting
► Output is sorted by frame number (No.) by default
► Click a column header to sort by that column, for example by Source address
Thank you