Network Packet Analysis with Wireshark
DESCRIPTION
Presented @ ISA Safety & Security Symposium 2012, Anaheim, CA, April 2012

Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It's not just for IT-based protocols either. Many industrial protocols have created packet decoders for Wireshark. This tutorial will provide the user with:
* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some more advanced features available in Wireshark

TRANSCRIPT
Network Packet Analysis with Wireshark
Jim Gilsinn
National Institute of Standards & Technology
Engineering Laboratory
Jim Gilsinn - Bio
• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
  – Co-Chair and General Editor, ISA99 Committee
  – Co-Chair, ISA99 WG2, Security Program
  – Co-Chair, ISA99 WG7, Safety & Security
• Factory Equipment Network Testing Framework
  – Co-Investigator & Main Developer, FENT software
  – Extension of previous IENetP project
• Education
  – MSEE in Controls from Johns Hopkins University
  – BSEE in Controls from Drexel University
What is Wireshark?
• The De-Facto Network Protocol Analyzer
  – Open-Source (GNU Public License)
  – Multi-platform
  – Easily extensible
  – Large development group
• Allows Users to…
  – Capture network traffic
  – Interactively browse that traffic
  – Decode packet protocols using dissectors
• Previously Named "Ethereal"
What is Wireshark?
• Development Version (as of last night @ 11:30pm)
  – 1,300+ Protocols
  – 112,600+ Protocol Header Fields
• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
  – BACnet
  – EtherNet/IP & CIP, CIP Safety, CIP Motion
  – DNP 3.0
  – EtherCAT
  – Foundation Fieldbus
  – IEC 61850 & GOOSE
  – Modbus & Modbus/TCP
  – openSAFETY
  – Profinet
  – SERCOS III
  – TTEthernet
  – Zigbee
Network Layering
• Network Protocols Generally Have Some Header
  – Who sent the information
  – Who needs the information
  – Information about the payload
  – Other protocol specific information
• Headers Can Be a Significant Part of the Packet
  – Ethernet/IP/UDP
    – Minimum 64 Bytes Ethernet packet
    – Minimum 42 Bytes of Header (65%)
  – Many industrial Ethernet protocols only transmit a few bytes of data in real-time
[Figure: packet layering diagram; each layer's payload carries the next layer's header and payload]

  Layer             Header size    Carries
  Ethernet Header   14 Bytes       Ethernet Payload = IP Header + IP Payload
  IP Header         20 Bytes       IP Payload = UDP/TCP Header + TCP Payload
  UDP/TCP Header    8/20+ Bytes    TCP Payload = Protocol Header + Data
  Protocol Header   ?? Bytes       Data
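To make the layering and the header-overhead figure concrete, here is an added example (not code from the slides or from Wireshark) that constructs a small Ethernet II / IPv4 / UDP frame, walks its headers the way a protocol analyzer's decoder pane does, shows the bytes on the wire for each layer, and computes how much of the minimum 64-byte frame is header. The MAC and IP addresses, ports, and 4-byte payload are made up for the example, and the IP/UDP checksums are left at zero because nothing here validates them.

```python
import struct

# Added example (not from the slides): build a small Ethernet/IPv4/UDP frame
# and walk its headers the way a protocol analyzer does, reporting how many
# bytes on the wire are header versus data.

ETH_LEN = 14          # destination MAC, source MAC, EtherType
IPV4_MIN_LEN = 20     # IPv4 header without options
UDP_LEN = 8           # source port, destination port, length, checksum
ETH_MIN_FRAME = 64    # minimum Ethernet frame on the wire, including the 4-byte FCS
FCS_LEN = 4


def build_sample_frame(payload: bytes) -> bytes:
    """Construct an Ethernet II / IPv4 / UDP frame around `payload`.

    Addresses and ports are constructed for the example; the IP and UDP
    checksums are left at zero because nothing here validates them.
    """
    udp_len = UDP_LEN + len(payload)
    udp = struct.pack("!HHHH", 2222, 2222, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                    # version 4, IHL 5 (20 bytes)
                     0,                       # DSCP/ECN
                     IPV4_MIN_LEN + udp_len,  # total length
                     0x1234,                  # identification
                     0x4000,                  # flags: don't fragment
                     64,                      # TTL
                     17,                      # protocol: UDP
                     0,                       # header checksum (not computed)
                     bytes([192, 168, 1, 10]),
                     bytes([192, 168, 1, 20]))
    eth = (bytes.fromhex("020000000001")      # destination MAC (locally administered)
           + bytes.fromhex("020000000002")    # source MAC
           + b"\x08\x00")                     # EtherType: IPv4
    return eth + ip + udp


def dissect(frame: bytes) -> list:
    """Return (layer name, offset, length) for each header and the trailing data."""
    layers = [("Ethernet", 0, ETH_LEN)]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return layers + [("Data", ETH_LEN, len(frame) - ETH_LEN)]
    off = ETH_LEN
    ihl = (frame[off] & 0x0F) * 4            # IHL is counted in 32-bit words
    proto = frame[off + 9]
    layers.append(("IPv4", off, ihl))
    off += ihl
    if proto == 17:
        layers.append(("UDP", off, UDP_LEN))
        off += UDP_LEN
    elif proto == 6:
        data_off = (frame[off + 12] >> 4) * 4  # TCP data offset, 32-bit words
        layers.append(("TCP", off, data_off))
        off += data_off
    layers.append(("Data", off, len(frame) - off))
    return layers


def header_overhead(frame: bytes) -> tuple:
    """Return (header bytes, bytes on the wire, header percentage, truncated).

    The frame is padded to the 64-byte Ethernet minimum (FCS included), which
    is why a few bytes of real-time data still cost a full minimum frame.
    """
    header_bytes = sum(length for name, _, length in dissect(frame) if name != "Data")
    wire_bytes = max(len(frame) + FCS_LEN, ETH_MIN_FRAME)
    return header_bytes, wire_bytes, int(100 * header_bytes / wire_bytes)


def bytes_on_wire(frame: bytes) -> dict:
    """Hex bytes of each layer, like the byte pane highlighting a selected header."""
    return {name: frame[off:off + length].hex(" ") for name, off, length in dissect(frame)}


if __name__ == "__main__":
    frame = build_sample_frame(b"\x00\x01\x02\x03")   # 4 bytes of "real-time" data
    for name, hexbytes in bytes_on_wire(frame).items():
        print(f"{name:9s} {hexbytes}")
    print("header bytes / wire bytes / percent:", header_overhead(frame))
```

With a 4-byte payload the frame is 46 bytes before the FCS, so it is padded to the 64-byte minimum, and the 42 header bytes come out to 65% of the frame, the figure on the slide; with a 1000-byte payload the same 42 bytes are about 4%.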
Wireshark Welcome Screen
Wireshark Packet Analysis Window
Wireshark Packet Analysis Demo
• Packet Decoder Window
• Layering
• Bytes on Wire
• Protocol Filters
  – Capture Filters
  – Display Filters
Wireshark Capture & Exporting Demo
• Capturing Live Traffic
• Saving Packet Capture Files
• Exporting Packet Capture Files
• Marking Sections of Captures
Advanced Features of Wireshark GUI
• Statistics
  – Conversations
  – Endpoints
  – IO Graphs
  – Flow Graphs
• Firewall ACL Rules
Using & Interfacing With Wireshark
• Wireshark Strictly Uses GNU Public License
  – Any derived work with Wireshark code SHALL be open-source
• You Can Use Wireshark Hands-Off, Though
  – Network Socket Interface
  – Tshark.exe
• Network Socket Interface
  – Rudimentary control
• Tshark.exe
  – Most features available through command-line interface
Developing Your Own Protocol Dissectors
• Not Every Protocol Exists in Wireshark
  – When you need a protocol that doesn't exist, you can relatively easily build your own dissector
• Not Every Protocol Dissector Has Full Coverage
  – Open-source software allows anyone to modify the code
  – Protocols generally change over time
  – The original dissector developer may not exist any longer
• Bugs Can Exist in Dissectors
  – Code almost always has bugs
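The two points above (building your own dissector, and bugs in dissectors) come together in length handling: a dissector that trusts a length field in the packet and reads that many bytes will index past the buffer on a truncated or corrupted frame. The added example below is a small Python dissector for Modbus/TCP, one of the industrial protocols listed earlier; it is not Wireshark's own Modbus/TCP dissector (which is written in C) and is not from the slides. It follows the public Modbus/TCP framing (a 7-byte MBAP header followed by the PDU), walks a TCP payload that may hold several ADUs back to back, and checks every declared length against the bytes actually present before slicing, raising the equivalent of Wireshark's "Malformed Packet" expert-info item instead of crashing. The sample payloads are constructed, not taken from a capture.

```python
import struct

# Added example: a toy Modbus/TCP dissector (not Wireshark's packet-mbtcp.c).
# Framing follows the public Modbus/TCP specification: a 7-byte MBAP header
# followed by the Modbus PDU (function code plus data).
MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MODBUS_PROTOCOL_ID = 0  # the protocol id is always 0 for Modbus

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


class MalformedPacket(Exception):
    """Raised instead of indexing past the buffer; Wireshark reports the
    equivalent condition as a 'Malformed Packet' expert-info item."""


def dissect_modbus_adu(adu: bytes) -> dict:
    """Dissect one complete Modbus/TCP ADU (MBAP header + PDU) into fields."""
    if len(adu) < MBAP_LEN + 1:
        raise MalformedPacket(f"ADU too short: {len(adu)} bytes")
    tid, pid, length, unit = struct.unpack("!HHHB", adu[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise MalformedPacket(f"unexpected protocol id {pid}")
    fc = adu[MBAP_LEN]
    pdu = adu[MBAP_LEN + 1:]
    fields = {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc & 0x7F,              # high bit marks an exception response
        "function": FUNCTION_NAMES.get(fc & 0x7F, "Unknown"),
        "exception": bool(fc & 0x80),
    }
    if fields["exception"]:
        if len(pdu) < 1:
            raise MalformedPacket("exception response without an exception code")
        fields["exception_code"] = pdu[0]
        fields["exception_name"] = EXCEPTION_NAMES.get(pdu[0], "Unknown")
    elif fields["function_code"] in (1, 2, 3, 4) and len(pdu) >= 4:
        # Read requests carry a starting address and a quantity.
        fields["start_address"], fields["quantity"] = struct.unpack("!HH", pdu[:4])
    return fields


def dissect_modbus_stream(payload: bytes) -> list:
    """Walk a TCP payload that may carry several ADUs back to back.

    The MBAP length field counts the unit id plus the PDU, so each ADU occupies
    MBAP_LEN - 1 + length bytes. The declared length is checked against the
    bytes actually present *before* slicing; skipping that check is the classic
    dissector bug.
    """
    adus, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < MBAP_LEN:
            raise MalformedPacket(f"truncated MBAP header at offset {offset}")
        length = struct.unpack("!H", payload[offset + 4:offset + 6])[0]
        adu_len = MBAP_LEN - 1 + length
        if offset + adu_len > len(payload):
            raise MalformedPacket(
                f"MBAP length {length} at offset {offset} exceeds the buffer by "
                f"{offset + adu_len - len(payload)} bytes")
        adus.append(dissect_modbus_adu(payload[offset:offset + adu_len]))
        offset += adu_len
    return adus


# Constructed sample TCP payload (not from a real capture): a Read Holding
# Registers request for 10 registers at address 0, followed by an exception
# response to transaction 1 (Illegal Data Address).
SAMPLE_PAYLOAD = (bytes.fromhex("00010000000601030000000a")
                  + bytes.fromhex("000100000003018302"))

# Constructed malformed payload: the MBAP header claims 100 bytes, only 8 are present.
SAMPLE_MALFORMED = bytes.fromhex("0001000000640103")

if __name__ == "__main__":
    for adu in dissect_modbus_stream(SAMPLE_PAYLOAD):
        print(adu)
    try:
        dissect_modbus_stream(SAMPLE_MALFORMED)
    except MalformedPacket as err:
        print("Malformed Packet:", err)
```

The same pattern applies to any dissector you write: read the length field, compare it with the remaining buffer, and only then slice or unpack, so that a truncated capture or a corrupted frame produces a flagged malformed packet rather than an out-of-bounds read.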
For More Information…
• Wireshark Website
  – http://www.wireshark.org
• Wireshark Documentation
  – http://www.wireshark.org/docs/
• Wireshark Wiki
  – http://wiki.wireshark.org