Network Packet Analysis with Wireshark

Jim Gilsinn, National Institute of Standards & Technology, Engineering Laboratory

DESCRIPTION

Presented at the ISA Safety & Security Symposium 2012, Anaheim, CA, April 2012.

Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It is not just for IT-based protocols either: many industrial protocol groups have created packet decoders (dissectors) for Wireshark. This tutorial will provide the user with:

* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some of the more advanced features available in Wireshark

TRANSCRIPT

Page 1: Network Packet Analysis with Wireshark

Jim Gilsinn, National Institute of Standards & Technology, Engineering Laboratory

Page 2: Network Packet Analysis with Wireshark

Jim Gilsinn - Bio

• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
  – Co-Chair and General Editor, ISA99 Committee
  – Co-Chair, ISA99 WG2, Security Program
  – Co-Chair, ISA99 WG7, Safety & Security
• Factory Equipment Network Testing Framework
  – Co-Investigator & Main Developer, FENT software
  – Extension of previous IENetP project
• Education
  – MSEE in Controls from Johns Hopkins University
  – BSEE in Controls from Drexel University

Page 3: Network Packet Analysis with Wireshark

What is Wireshark?

• The De Facto Network Protocol Analyzer
  – Open-Source (GNU Public License)
  – Multi-platform
  – Easily extensible
  – Large development group
• Allows Users to…
  – Capture network traffic
  – Interactively browse that traffic
  – Decode packet protocols using dissectors
• Previously Named “Ethereal”

Page 4: Network Packet Analysis with Wireshark

What is Wireshark?

• Development Version (as of last night @ 11:30pm)
  – 1,300+ Protocols
  – 112,600+ Protocol Header Fields
• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
  – BACnet
  – EtherNet/IP & CIP, CIP Safety, CIP Motion
  – DNP 3.0
  – EtherCAT
  – Foundation Fieldbus
  – IEC 61850 & GOOSE
  – Modbus & Modbus/TCP
  – openSAFETY
  – Profinet
  – SERCOS III
  – TTEthernet
  – Zigbee

Page 5: Network Packet Analysis with Wireshark

Network Layering

• Network Protocols Generally Have Some Header
  – Who sent the information
  – Who needs the information
  – Information about the payload
  – Other protocol-specific information
• Headers Can Be Significant Part of Packet
  – Ethernet/IP/UDP
    – Minimum 42 Bytes of Header (65%)
    – Minimum 64 Bytes Ethernet packet
  – Many industrial Ethernet protocols only transmit a few bytes of data in real-time

Figure (slide diagram, reconstructed as text): each layer's header is followed by its payload, and that payload carries the next layer's header.
  – Ethernet Header (14 Bytes) | Ethernet Payload
  – IP Header (20 Bytes) | IP Payload
  – UDP/TCP Header (8/20+ Bytes) | TCP Payload
  – Protocol Header (?? Bytes) | Data
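To make the header-overhead arithmetic on this slide concrete, here is an added Python example (written for this page, not part of the presentation) that walks the Ethernet, IPv4 and UDP/TCP headers of a constructed frame with bounds checks at each layer and computes the header share of the 64-byte minimum Ethernet frame. The MAC addresses, IP addresses, ports and zero checksums in the sample frame are made-up placeholders.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet / IPv4 / UDP carrying a
# 2-byte payload, the kind of tiny real-time datagram the slide describes.
# MAC and IP addresses, ports and the zero checksums are made-up placeholders.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")          # dst, src, type=IPv4
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 2, 0x1234, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))  # IHL=5, proto=UDP
UDP_HDR = struct.pack("!HHHH", 44818, 44818, 8 + 2, 0)                 # src, dst, len, cksum
SAMPLE_FRAME = ETH_HDR + IP_HDR + UDP_HDR + b"\x01\x02"

MIN_ETHERNET_FRAME = 64  # smallest frame on the wire, including the 4-byte FCS
FCS_LEN = 4              # Wireshark normally shows frames without the FCS


def layer_lengths(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP/TCP and return each layer's header length in bytes,
    checking bounds at every step rather than trusting the previous header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length is given in 32-bit words
    total_len = struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or total_len < ihl or len(frame) < 14 + total_len:
        raise ValueError("bad IHL/total length or truncated IPv4 packet")
    proto = frame[14 + 9]
    l4 = frame[14 + ihl:14 + total_len]  # ignore any Ethernet padding after the IP packet
    if proto == 17:
        l4_len = 8                          # UDP header is fixed size
    elif proto == 6 and len(l4) >= 20:
        l4_len = (l4[12] >> 4) * 4          # TCP data offset, in 32-bit words
        if l4_len < 20:
            raise ValueError("bad TCP data offset")
    else:
        raise ValueError("unsupported protocol %d or truncated TCP header" % proto)
    if len(l4) < l4_len:
        raise ValueError("transport header exceeds IP payload")
    return {"ethernet": 14, "ip": ihl, "transport": l4_len, "data": len(l4) - l4_len}


def header_overhead(frame: bytes) -> tuple:
    """Return (header bytes, bytes on the wire, header share in percent), padding the
    frame up to the 64-byte Ethernet minimum as the NIC would."""
    layers = layer_lengths(frame)
    headers = layers["ethernet"] + layers["ip"] + layers["transport"]
    on_wire = max(len(frame) + FCS_LEN, MIN_ETHERNET_FRAME)
    return headers, on_wire, round(100.0 * headers / on_wire, 1)
```

For the sample frame this yields 42 header bytes of a 64-byte frame, the 65% figure on the slide; a TCP frame with no options costs 54 bytes before any application data.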

Page 6: Network Packet Analysis with Wireshark


Wireshark Welcome Screen

Page 7: Network Packet Analysis with Wireshark


Wireshark Packet Analysis Window

Page 8: Network Packet Analysis with Wireshark

Wireshark Packet Analysis Demo

• Packet Decoder Window
• Layering
• Bytes on Wire
• Protocol Filters
  – Capture Filters
  – Display Filters

Page 9: Network Packet Analysis with Wireshark

Wireshark Capture & Exporting Demo

• Capturing Live Traffic
• Saving Packet Capture Files
• Exporting Packet Capture Files
• Marking Sections of Captures

Page 10: Network Packet Analysis with Wireshark

Advanced Features of Wireshark GUI

• Statistics
  – Conversations
  – Endpoints
  – IO Graphs
  – Flow Graphs
• Firewall ACL Rules

Page 11: Network Packet Analysis with Wireshark

Using & Interfacing With Wireshark

• Wireshark Strictly Uses GNU Public License
  – Any derived work with Wireshark code SHALL be open-source
• You Can Use Wireshark Hands-Off, Though
  – Network Socket Interface
  – Tshark.exe
• Network Socket Interface
  – Rudimentary control
• Tshark.exe
  – Most features available through command-line interface

Page 12: Network Packet Analysis with Wireshark

Developing Your Own Protocol Dissectors

• Not Every Protocol Exists in Wireshark
  – When you need a protocol that doesn’t exist, you can relatively easily build your own dissector
• Not Every Protocol Dissector Has Full Coverage
  – Open-source software allows anyone to modify the code
  – Protocols generally change over time
  – The original dissector developer may not exist any longer
• Bugs Can Exist in Dissectors
  – Code almost always has bugs
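As an added illustration of what a dissector has to get right (example code written for this page, not Wireshark's own Modbus dissector), the following Python dissects the Modbus/TCP MBAP header and PDU from constructed sample bytes, rejects an ADU whose length field does not match the bytes actually present, and splits a TCP segment that carries more than one ADU, keeping the incomplete tail for reassembly. The sample request and exception response are constructed, not taken from a capture.

```python
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def dissect_modbus_tcp(adu: bytes) -> dict:
    """Dissect one Modbus/TCP ADU (MBAP header + PDU).

    Every field is bounds-checked before use; the length field in particular is
    validated against the bytes actually present rather than trusted, which is the
    kind of check a dissector must make to survive malformed traffic."""
    if len(adu) < MBAP_LEN + 1:          # need at least the header and a function code
        raise ValueError("truncated MBAP header")
    tid, pid, length, unit = struct.unpack("!HHHB", adu[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % pid)
    # 'length' counts the unit id plus the PDU; it must fit inside what we were given
    if length < 2 or len(adu) < MBAP_LEN - 1 + length:
        raise ValueError("length field %d does not match available bytes" % length)
    pdu = adu[MBAP_LEN:MBAP_LEN - 1 + length]
    fcode = pdu[0]
    return {"transaction_id": tid, "unit_id": unit, "function": fcode & 0x7F,
            "exception": bool(fcode & 0x80), "data": pdu[1:]}


def split_tcp_segment(segment: bytes) -> tuple:
    """A TCP segment may carry several ADUs, or only part of one. Return the list of
    complete dissected ADUs and the leftover bytes that must wait for the next segment
    (what Wireshark calls desegmentation)."""
    adus, pos = [], 0
    while len(segment) - pos >= MBAP_LEN:
        length = struct.unpack("!H", segment[pos + 4:pos + 6])[0]
        end = pos + MBAP_LEN - 1 + length
        if end > len(segment):
            break                         # incomplete ADU: keep it for reassembly
        adus.append(dissect_modbus_tcp(segment[pos:end]))
        pos = end
    return adus, segment[pos:]


# Constructed sample ADUs (not from a capture): a Read Holding Registers request
# (function 3, start address 0x0010, 2 registers) and the exception response to it
# (function 0x83 = 3 with the error bit set, exception code 0x02 illegal data address).
READ_HR_REQ = bytes.fromhex("0001" "0000" "0006" "01" "03" "0010" "0002")
EXC_RESP = bytes.fromhex("0001" "0000" "0003" "01" "83" "02")
```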

Page 13: Network Packet Analysis with Wireshark

For More Information…

• Wireshark Website
  – http://www.wireshark.org
• Wireshark Documentation
  – http://www.wireshark.org/docs/
• Wireshark Wiki
  – http://wiki.wireshark.org