Was Designed as an Easy-to-Use Interface for Inspecting and Analyzing Large Tcpdump Files
Wireshark
Packet Analysis
Chris Sanders, Jason Smith, in Applied Network Security Monitoring, 2014
Wireshark Display Filters
Wireshark and tshark both provide the ability to use display filters. These are different from capture filters, because they leverage the protocol dissectors these tools use to capture information about individual protocol fields. Because of this, they are a lot more powerful. As of version 1.10, Wireshark supports around 1000 protocols and nearly 141000 protocol fields, and you can create filter expressions using any of them. Unlike capture filters, display filters are applied to a packet capture after data has been collected.
Earlier we discussed how to use display filters in Wireshark and tshark, but let's take a closer look at how these expressions are built, along with some examples.
A typical display filter expression consists of a field name, a comparison operator, and a value.
A field name can be a protocol, a field within a protocol, or a field that a protocol dissector provides in relation to a protocol. Some example field names might include the protocol icmp, or the protocol fields icmp.type and icmp.code. A complete list of field names can be found by accessing the display filter expression builder (described in the Wireshark section of this chapter) or by accessing the Wireshark help file. Simply put, any field that you see in Wireshark's packet details pane can be used in a filter expression.
Next is the comparison operator (sometimes called a relational operator), which determines how Wireshark compares the specified value in relation to the data it interprets in the field. The comparison operators Wireshark supports are shown in Table 13.4. You can alternate use of the English and C-like operators based upon what you are comfortable with.
Operator (English) | Operator (C-Like) | Description | Example |
---|---|---|---|
eq | == | Matches values equal to the specified value | ip.addr == 192.168.1.155 |
ne | != | Matches values not equal to the specified value | ip.addr != 192.168.1.155 |
gt | > | Matches values greater than the specified value | tcp.port gt 1023 |
lt | < | Matches values less than the specified value | tcp.port < 1024 |
ge | >= | Matches values greater than or equal to the specified value | udp.length >= 75 |
le | <= | Matches values less than or equal to the specified value | udp.length le 75 |
contains | (none) | Matches values where the specified value is contained within the field | smtp.req.parameter contains "FROM" |
The last element in the expression is the value, which is what you want to match in relation to the comparison operator. Values come in several types, which are shown in Table 13.5.
Value Type | Description | Examples |
---|---|---|
Integer (Signed or Unsigned) | Expressed in decimal, octal, or hexadecimal | tcp.port == 443; ip.proto == 0x06 |
Boolean | Expressed as true (1) or false (0) | tcp.flags.syn == 1; ip.frags.mf == 0 |
String | Expressed as ASCII text | http.request.uri == "http://www.appliednsm.com"; smtp.req.parameter contains "FROM" |
Address | Expressed as an address of any type: IPv4, IPv6, MAC, etc. | ip.src == 192.168.1.155; ip.dst == 192.168.1.0/24; ether.dst == ff:ff:ff:ff:ff:ff |
Now that we understand how filters are constructed, let's build a few of our own. Starting simple, we can create a filter expression that only shows packets using the IP protocol by simply stating the protocol name:
ip
Now, we can match based upon a specific source IP address by adding the src keyword to the expression:
ip.src == 192.168.1.155
Alternatively, we could match based upon packets with the destination IP address instead:
ip.dst == 192.168.1.155
Wireshark also includes custom fields that will incorporate values from multiple other fields. For instance, if we want to match packets with a specific IP address in either the source or destination fields, we could use this filter, which will examine both the ip.src and ip.dst fields:
ip.addr == 192.168.1.155
Multiple expressions can be combined using logical operators. These are shown in Table 13.6.
Operator (English) | Operator (C-Like) | Description |
---|---|---|
and | && | Evaluates to true when both conditions are true |
or | || | Evaluates to true when either condition is true |
xor | ^^ | Evaluates to true when one and only one condition is true |
not | ! | Evaluates to true when a condition is NOT met |
We can combine a previous expression with another expression to make a compound expression. This will match any packets sourced from 192.168.1.155 that are not destined for port 80:
ip.src == 192.168.1.155 && !tcp.dstport == 80
Once again, the key thing to keep in mind when creating display filters is that anything you see in the packet details pane in Wireshark can be used in a filter expression. Table 13.7 contains a few more example display filter expressions.
Filter Expression | Description |
---|---|
eth.addr != <MAC address> | Match packets not to or from the specified MAC address. Useful for excluding traffic from the host you are using. |
ipv6 | Match IPv6 packets. |
ip.geoip.country == <country> | Match packets to or from a specified country. |
ip.ttl <= <value> | Match packets with a TTL less than or equal to the specified value. This can be useful for some loose OS fingerprinting. |
ip.checksum_bad == 1 | Match packets with an invalid IP checksum. Can be used for TCP and UDP checksums as well by replacing ip in the expression with udp or tcp. Useful for finding poorly forged packets. |
tcp.stream == <value> | Match packets associated with a specific TCP stream. Useful for narrowing down specific communication transactions. |
tcp.flags.syn == 1 | Match packets with the SYN flag set. This filter can be used with any TCP flag by replacing the "syn" portion of the expression with the appropriate flag abbreviation. |
tcp.analysis.zero_window | Match packets that indicate a TCP window size of 0. Useful for finding hosts whose resources have become exhausted. |
http.request == 1 | Match packets that are HTTP requests. |
http.request.uri == "<value>" | Match HTTP request packets with a specified URI in the request. |
http.response.code == <value> | Match HTTP response packets with the specified code. |
http.user_agent == "<value>" | Match HTTP packets with a specified user agent string. |
http.host == "<value>" | Match HTTP packets with a specified host value. |
smtp.req.command == "<value>" | Match SMTP request packets with a specified command. |
smtp.rsp.code == <value> | Match SMTP response packets with a specified code. |
smtp.message == "<value>" | Match packets with a specified SMTP message. |
bootp.dhcp | Match DHCP packets. |
!arp | Match any packets that are not ARP. |
ssh.encrypted_packet | Match encrypted SSH packets. |
ssh.protocol == "<value>" | Match SSH packets of a specified protocol value. |
dns.qry.type == <value> | Match DNS query packets of a specified type (A, MX, NS, SOA, etc.). |
dns.resp.type == <value> | Match DNS response packets of a specified type (A, MX, NS, SOA, etc.). |
dns.qry.name == "<value>" | Match DNS query packets containing the specified name. |
dns.resp.name == "<value>" | Match DNS response packets containing the specified name. |
You should spend some time experimenting with display filter expressions and attempting to create useful ones. A quick perusal of the expression builder in Wireshark can point you in the right direction.
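The expression grammar of this section (field name, comparison operator, value, joined with the logical operators of Table 13.6), worked through as an added example that is not code from the book or from Wireshark: a small Python evaluator that parses display-filter-style expressions and runs them over constructed packet records. Assumptions: `ip.addr` and `tcp.port` are modelled as combined fields over `ip.src`/`ip.dst` and `tcp.srcport`/`tcp.dstport`; operator precedence is simplified to or < xor < and < not; a comparison on a field the packet lacks is false; and `!=`/`ne` is implemented as "every occurrence of the field differs".

```python
"""Toy evaluator for Wireshark-style display filter expressions.

Added example, not code from the book or from Wireshark. Assumptions:
  * ip.addr and tcp.port are combined fields (ip.src+ip.dst, tcp.srcport+tcp.dstport).
  * Comparing a field the packet lacks is false; != / ne require every
    occurrence of the field to differ from the value.
"""
import ipaddress
import re

# Constructed packets: field name -> value, as the packet details pane shows them.
PACKETS = [
    {"ip": True, "ip.src": "192.168.1.155", "ip.dst": "10.0.0.5", "ip.ttl": 64, "ip.proto": 6,
     "tcp": True, "tcp.srcport": 49152, "tcp.dstport": 80, "tcp.flags.syn": 1},
    {"ip": True, "ip.src": "192.168.1.155", "ip.dst": "10.0.0.9", "ip.ttl": 64, "ip.proto": 6,
     "tcp": True, "tcp.srcport": 49153, "tcp.dstport": 443, "tcp.flags.syn": 1},
    {"ip": True, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.155", "ip.ttl": 128, "ip.proto": 6,
     "tcp": True, "tcp.srcport": 80, "tcp.dstport": 49152, "tcp.flags.syn": 0},
    {"ip": True, "ip.src": "10.0.0.7", "ip.dst": "192.168.1.20", "ip.ttl": 37, "ip.proto": 17,
     "udp": True, "udp.length": 75, "smtp.req.parameter": "FROM:<alice@example.com>"},
    {"arp": True},  # no IP layer at all
]

COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

# English and C-like spellings of each comparison operator (Table 13.4).
OPS = {
    "eq": lambda a, b: a == b, "==": lambda a, b: a == b,
    "ne": lambda a, b: a != b, "!=": lambda a, b: a != b,
    "gt": lambda a, b: a > b,  ">":  lambda a, b: a > b,
    "lt": lambda a, b: a < b,  "<":  lambda a, b: a < b,
    "ge": lambda a, b: a >= b, ">=": lambda a, b: a >= b,
    "le": lambda a, b: a <= b, "<=": lambda a, b: a <= b,
    "contains": lambda a, b: str(b) in str(a),
}

_TOKEN = re.compile(r'"[^"]*"|&&|\|\||\^\^|>=|<=|==|!=|[()!<>]|[^\s()!<>="]+')


def _literal(text):
    """Convert a value token into a Python value (the value types of Table 13.5)."""
    if text.startswith('"'):
        return text[1:-1]                      # string
    if text.lower() in ("true", "false"):
        return text.lower() == "true"          # boolean
    try:
        return int(text, 0)                    # decimal or 0x.. hexadecimal integer
    except ValueError:
        pass
    try:
        return ipaddress.ip_network(text, strict=False)   # host address or CIDR block
    except ValueError:
        return text                            # MAC addresses etc. stay as text


def _field_values(packet, name):
    return [packet[n] for n in COMBINED.get(name, (name,)) if n in packet]


def _compare(op, value, literal):
    if isinstance(literal, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        inside = ipaddress.ip_address(value) in literal   # also handles 192.168.1.0/24
        return inside if op in ("==", "eq") else not inside
    return OPS[op](value, literal)


class Parser:
    """Recursive descent with precedence or < xor < and < not < comparison."""

    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter expression")
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def _binary(self, spellings, kind, operand):
        node = operand()
        while self.peek() in spellings:
            self.take()
            node = (kind, node, operand())
        return node

    def _or(self):
        return self._binary(("or", "||"), "or", self._xor)

    def _xor(self):
        return self._binary(("xor", "^^"), "xor", self._and)

    def _and(self):
        return self._binary(("and", "&&"), "and", self._not)

    def _not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self._not())
        return self._term()

    def _term(self):
        tok = self.take()
        if tok == "(":
            node = self._or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if self.peek() in OPS:                 # field op value
            op = self.take()
            return ("cmp", tok, op, _literal(self.take()))
        return ("has", tok)                    # bare protocol/field: presence test


def evaluate(node, packet):
    kind = node[0]
    if kind == "has":
        return bool(_field_values(packet, node[1]))
    if kind == "cmp":
        _, name, op, literal = node
        values = _field_values(packet, name)
        if not values:
            return False
        hits = [_compare(op, v, literal) for v in values]
        return all(hits) if op in ("!=", "ne") else any(hits)
    if kind == "not":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]


def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets that the display filter selects."""
    tree = Parser(expr).parse()
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]


if __name__ == "__main__":
    for f in ("ip.addr == 192.168.1.155", "ip.src == 192.168.1.155 && !tcp.dstport == 80",
              'smtp.req.parameter contains "FROM"', "ip.addr != 192.168.1.155",
              "!(ip.addr == 192.168.1.155)"):
        print(f"{f:48} -> packets {apply_filter(f)}")
```

Note the difference between `ip.addr != 192.168.1.155` and `!(ip.addr == 192.168.1.155)`: only the second also selects packets that have no IP layer. Wireshark releases before 3.6 (including the 1.10 release this section describes) evaluated `!=` on a field with several occurrences as "any occurrence differs", so `ip.addr != x` matched nearly every packet; `!(ip.addr == x)` behaves the same in every version and is the safer form for the "not to or from" filters in Table 13.7.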
Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124172081000131
Network Investigations
Eoghan Casey, ... Terrance Maguire, in Handbook of Digital Forensics and Investigation, 2010
Wireshark
Wireshark is a network capture and protocol analyzer tool. Unlike tcpdump and ngrep, this tool has a graphical user interface and has the ability to interpret (a.k.a. decode) some application layer protocols that are encapsulated within TCP sessions. Its primary strengths include the ability to easily navigate through packet captures, an easy-to-use interface that provides a granular view of each packet in a capture file, and a robust set of protocol definitions that allow it to decode a wide variety of traffic types. However, it does not handle extremely large sets of traffic very well, so if you are dealing with a large capture file, you will need to trim it down using other tools before viewing it in Wireshark.
By decoding protocols, more information can be obtained and more filtering and searching functions can be performed to locate important items. For instance, by decoding Domain Name Service (DNS) traffic, it is possible to create a filter that focuses on DNS-related traffic, making it easier to focus on activities relevant to an investigation and extract items of interest. Importantly, Wireshark makes assumptions about the expected behavior of protocols that prevent it from automatically classifying traffic that does not meet these basic assumptions. Therefore, when traffic of a known type is not identified correctly by Wireshark, it is necessary for an individual to inspect packets manually, identify the type of traffic, and instruct Wireshark to decode it correctly.
Full chapter: https://www.sciencedirect.com/science/article/pii/B9780123742674000094
Ubuntu One investigation
Mohammad Shariati, ... Kim-Kwang Raymond Choo, in The Cloud Security Ecosystem, 2015
5.1.4 Network traffic
Wireshark was used for collecting the network traffic from Ubuntu One usage, which was then analyzed using NetworkMiner. We found that all of the collected traffic was encrypted due to the use of SSL/TLS when communicating with the Ubuntu One servers. For this reason, we were unable to extract any data of significant evidential value. However, a number of common IP addresses were used for Ubuntu One communications, which resolve to Ubuntu.com subdomains. Table 2 shows the IP addresses and associated hostnames that were extracted from the network traffic capture file after a login to Ubuntu One and contents of the user's account had been accessed/manipulated.
IP Address | Hostname |
---|---|
91.189.89.77—91.189.89.78 | one.ubuntu.com |
91.189.89.182—91.189.89.183 | media.one.ubuntu.com |
91.189.89.206—91.189.89.207 | login.one.ubuntu.com |
Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128015957000197
Architecture, Environment, and Installation
David Maynor, K.K. Mookhey, in Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, 2007
Understanding the Soft Architecture
In this section we will discuss tools that you will need to set up your Metasploit environment.
Wireshark
Wireshark (earlier known as Ethereal) is one of the most popular network sniffing and traffic analysis tools. Wireshark runs on Windows as well as a majority of UNIX variants including Linux, Solaris, FreeBSD, and so on. Source tarballs and binaries can be downloaded from www.wireshark.org.
IDA
IDA is one of the most popular debugging tools for Windows. First, IDA Pro is a disassembler, in that it shows the assembly code of a binary (an executable or a dynamic link library [DLL]). It also comes with advanced features that try to make understanding the assembly code as easy as possible. Second, it is also a debugger, in that it allows the user to step through the binary file to determine the actual instructions being executed, and the sequence in which the execution occurs. IDA Pro is widely used for malware analysis and software vulnerability research, among other purposes. IDA Pro can be purchased at www.datarescue.com.
UltraEdit
UltraEdit and EditPlus are powerful text editors and are specially designed for writing code. They support color-coded syntax highlighting for a variety of languages, including Perl and Ruby. UltraEdit can be purchased at www.ultraedit.com.
Nmap/Nessus
Nmap and Nessus are the de facto tools for scanning your network prior to launching exploits. Now that Metasploit can integrate Nessus and Nmap outputs into its own database, and then use that to configure which exploits to run, you definitely need to ensure you have the latest and greatest versions of this software installed on your system. Also, Metasploit can launch Nmap from within the msfconsole.
Nmap can be downloaded from www.insecure.org, and Nessus can be downloaded from www.nessus.org. Nmap works for a number of platforms and even has a graphical user interface (GUI) version. Nessus runs in client-server mode. The client is used to select the targets, select the plugins to be used for the testing, manage the sessions, and generate reports. The server does all the hard work of running the tests against the selected targets and communicating the results back to the client.
Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597490740500040
Color Codes
Robert Shimonski, in The Wireshark Field Guide, 2013
5.4 Other Coloring Options
Wireshark also allows you to apply color in another way to help you isolate problems. In this example, we will look at conversations such as source IP address and destination IP address as shown in Figure 5.9. Here, click on the View menu option and scroll down to Colorize Conversation and expand the menu to view the coloring options.
What this helps you do is "mark" conversations in a capture file for easy viewing. Now, to do this, simply click on a conversation pair found in one packet in the Summary pane. Next, click on the View menu option, Colorize Conversation, and select Color 1.
This will then mark every packet in the capture having this conversation with that specific color code you have chosen. This is very helpful when you are trying to quickly visualize that particular conversation in a large capture file.
Full chapter: https://www.sciencedirect.com/science/article/pii/B978012410413600005X
Nmap Scanning in the Real World
Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008
Nmap Decoys
In the first Wireshark screenshot, we can see the details from one of the decoy IP addresses. If you look at the packet details in the lower half of the screenshot, you can see the MAC address information captured by Wireshark, as shown in Figure 8.9.
Now we'll compare this MAC address information (00:14:a5:13:17:75) to the IP address that we know is the real source of the Nmap scan, as shown in Figure 8.10.
It's a match! Just remember that this test will only work for scans originating from the same subnet. Otherwise, you would find the MAC address of the upstream router as the source MAC. Now, hopefully you also noticed the fact that our packets were indeed fragmented. For example, in packets 31 and 32 you will notice the offset is equal to 8 and 16 respectively, indicating 8-byte increments. Wireshark shows that the -f Nmap option performed as expected and split our outbound packets into 8-byte fragments.
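The MAC comparison described above, turned into a repeatable defender-side check as an added example (not code from the book or from Nmap): given the `eth.src`, `ip.src` and `ip.frag_offset` values read off Wireshark's packet details pane, it lists every source MAC that claimed more than one source IP on the local subnet, which is the signature of a decoy scan, and reports the fragment step for each claimed address. The frame records are constructed; the first MAC is the one shown in the chapter, the second and all IP addresses are made up. The same caveat as above applies: off-subnet traffic carries the upstream router's MAC, so the check is only meaningful for local sources.

```python
"""Added example (not from the book): a defender-side check for Nmap decoy scans.

Every decoy address in a decoy scan is emitted by the real scanning host, so on
the local subnet all of them share that host's MAC address. Records below are
constructed stand-ins for Wireshark's eth.src, ip.src and ip.frag_offset fields.
"""
from collections import defaultdict

# (eth.src, ip.src, ip.frag_offset in bytes); the first MAC is the one from the chapter.
FRAMES = [
    ("00:14:a5:13:17:75", "192.168.1.50", 0),   # real scanner (constructed address)
    ("00:14:a5:13:17:75", "192.168.1.77", 0),   # decoy, same MAC
    ("00:14:a5:13:17:75", "192.168.1.77", 8),   # ... fragmented in 8-byte steps
    ("00:14:a5:13:17:75", "192.168.1.77", 16),
    ("00:14:a5:13:17:75", "192.168.1.91", 0),   # second decoy, same MAC
    ("00:1b:21:aa:bb:cc", "192.168.1.10", 0),   # unrelated host (constructed MAC)
]


def source_ips_by_mac(frames):
    """Map each source MAC to the sorted list of IP addresses it claimed."""
    by_mac = defaultdict(set)
    for mac, ip, _offset in frames:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def suspected_decoy_sets(frames, min_ips=2):
    """MACs that sent from several source IPs: candidate decoy scanners."""
    return {mac: ips for mac, ips in source_ips_by_mac(frames).items()
            if len(ips) >= min_ips}


def fragment_step(frames, ip):
    """Common distance between the fragment offsets seen for `ip`, or None."""
    offsets = sorted({off for _mac, src, off in frames if src == ip})
    steps = {b - a for a, b in zip(offsets, offsets[1:])}
    return steps.pop() if len(steps) == 1 else None


if __name__ == "__main__":
    for mac, ips in suspected_decoy_sets(FRAMES).items():
        print(f"{mac} claimed {len(ips)} source addresses: {', '.join(ips)}")
        for ip in ips:
            print(f"  {ip}: fragment step {fragment_step(FRAMES, ip)}")
```

Which of the claimed addresses is the host's real one still has to come from outside the capture (the ARP table or switch port mapping for that MAC); the capture alone only tells you that the addresses share a sender.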
Full chapter: https://www.sciencedirect.com/science/article/pii/B978159749241600008X
Networking tools
Sreekrishna Pandi, ... Sebastian A.W. Itting, in Computing in Communication Networks, 2020
27.6.2.2 Installation
After a standard installation of Wireshark on UNIX-OSes, nonroot users have no permission to capture packets. Either Wireshark has to be started with root privilege, or the Wireshark package needs to be reconfigured from a terminal. This provides the option to allow nonroot users to capture packets, for which a group wireshark is added to the system. As all members of that group are allowed to capture, users have to be added carefully, because they all can sniff the network. For other possible solutions of this privilege problem, we refer to the Wireshark user guide. Installation on Windows can simply be processed by downloading and running the installer program. Default settings should work for most purposes. The corresponding capture software WinPcap will be automatically installed alongside without any privilege issues.
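Since every member of the wireshark group can sniff the network, the membership of that group is worth auditing. The following is an added example (not from the chapter or from the Wireshark project) that reads `/etc/group`-formatted text, lists the capture group's members, and flags any account that is not on an approved list. The group name `wireshark` is the one the chapter describes; the sample group file and the approved list are constructed.

```python
"""Added example (not from the chapter): who is allowed to capture packets?

Assumes the setup the chapter describes, where members of a `wireshark` group
may capture. The parser works on /etc/group text, so it can run against the
live file or against the constructed sample below.
"""


def capture_group_members(group_text, group="wireshark"):
    """Members of `group` from /etc/group-formatted text; None if the group is absent."""
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        if name == group:
            return [m for m in members.split(",") if m]
    return None


def unapproved_capturers(group_text, approved, group="wireshark"):
    """Accounts in the capture group that are not on the approved list."""
    members = capture_group_members(group_text, group) or []
    return sorted(set(members) - set(approved))


# Constructed /etc/group excerpt: 'contractor' was never approved for capture rights.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:alice
wireshark:x:130:alice,bob,contractor
"""

if __name__ == "__main__":
    try:
        with open("/etc/group") as fh:   # live system file when available
            text = fh.read()
    except OSError:
        text = SAMPLE_GROUP_FILE
    print("can capture:", capture_group_members(text))
    print("unapproved:", unapproved_capturers(text, approved=["alice", "bob"]))
```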
Full chapter: https://www.sciencedirect.com/science/article/pii/B978012820488700044X
Introduction
Robert Shimonski, in The Wireshark Field Guide, 2013
Inspecting Packets
As we learn more about Wireshark, we will discuss problems found on a network and specifically why they occur from the packet level. In this chapter, we will take an in-depth look at a few common (and not so common) problems and what you are looking for in the packets, how to use the tool to get and view this information, and how to use Wireshark to solve them. We will also look at other tools you can use to augment the use of Wireshark to solve complex network and system issues.
Full chapter: https://www.sciencedirect.com/science/article/pii/B978012410413600019X
Configuring a System
Robert Shimonski, in The Wireshark Field Guide, 2013
3.4 Other Tools and Methodologies
When troubleshooting with Wireshark, it's recommended that you take the time to use other tools and methodologies while you are analyzing the problem. For example, in the same switches and routers you are piping the information from, you can use commands on them to help find the problem. Although there are books and many online articles that cover these in more detail, for the purposes of this field guide we will help you develop the methodology instead of specifically stating what those commands may be. For example, if you find you have a user complaining of an application that seems to freeze up or appear sluggish, you can do the following tests in phases of complexity:
Phase 1 Testing (quick checks, somewhat nonintrusive)

1. First try to understand what the problem is by framing it. Ask as many questions as needed. Put on the private investigator hat and attempt to capture the end user's experience.
2. Next, verify that no changes were made that could have an impact.
3. Verify the path and check all devices in the path. Check logs.
4. You can then look over the basics. Ping, traceroute, and advanced ping commands where you can specify packet sizes will help you to provide a load (to test fragmentation), as an example.
5. Check performance: bandwidth, CPU, and it can get as deep as checking performance on a storage area network (SAN).
6. You could install and use Wireshark at this point, however.
7. You can run checks on the network devices and infrastructure: look at the logs, run basic checks with specific commands that highlight problems, and run nonintrusive debugs.

Phase 2 Testing (deeper level of inspection, more time consuming, and possibly intrusive)

1. Wireshark set up on both ends from source to destination, checking the timing of the packets from source to destination. This is more difficult to perform because you need access to both systems (as an example) and will have to run the tests in tandem. You will have to analyze both captures using timestamps in order to verify when data was sent and when it was received and any errors or anomalies that took place during that period of time. When analyzing timestamps, a recommended procedure would be to ensure that all devices you run Wireshark on have the correct time, which can be done by configuring Network Time Protocol (NTP) or the Windows Time Service (W32Time).
2. Real-time analysis of traffic and deep inspection by looking into packet headers will uncover a more granular level of detail, but will take more time to review and analyze.
3. Run intrusive tests such as performance tests on network links that will verify the validity of the bandwidth and size; however, these will inadvertently shut down the link for use, thus causing an outage.
4. Run heavy debugs on infrastructure devices. This may cause the device to process heavily, therefore spiking the CPU and causing the device to perform poorly (if at all) when processing production traffic.
5. Other tests to conduct would be to reboot physical servers, move cluster nodes from primary to secondary, move virtual machine (VM) instances from one host to another, and other "server-related" testing that may help isolate the issue.
6. Cable testing, where cables need to be replaced or verified, may cause a disruption or an outage if not redundant.
Although I created a framework for this methodology and called it phased testing, it's nothing more than how network engineers normally perform their jobs every day. As you can see from this example, Wireshark is not the only tool used to solve problems; it's only one of the many different tools (or processes) used to solve simple to complex problems every day. Figures 3.4 and 3.5 show examples of other testing methods you can deploy with Wireshark to solve a problem.
In Figure 3.4, we see an example of using the ping command to test connectivity as well as the stability of a network connection. This can be used to help assess whether bandwidth or latency is an issue with, for example, a slow application response time. If the application is slow to respond and the network is suspect, running a quick ping from the source to the destination can help rule the network in or out in seconds by showing how it is performing.
In Figure 3.5 we see an example of another helpful tool called the SolarWinds Engineer's Toolset. This tool, much like the rest of the SolarWinds product line, makes network management and troubleshooting easier; for example, you can run a ping sweep of a subnet to verify connectivity of a device or devices quickly and easily through the GUI.
In sum, remember that Wireshark is but one tool; using it alone can be helpful, but using it in conjunction with other tools can help solve problems quicker. It should also be considered that when troubleshooting, you have to learn "where" to place your packet analyzers so that you can collect the correct data. You also have to time the problem correctly and sometimes collect baseline data to ensure you can understand how the network performs normally before you can suspect a problem.
Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124104136000036
Installing Wireshark
Robert Shimonski, in The Wireshark Field Guide, 2013
2.5 Installing Wireshark
In this example, Wireshark will be installed on a 32-bit version of Windows. Although you can install it on other systems, we will focus on the most common, the Windows operating system. Once you have downloaded the executable for the Wireshark installation procedure, simply double-click on it to execute it.
Some versions of operating systems may have incompatibility issues. A workaround that can be used in the case of Windows 8 is to install WinPcap prior to installing Wireshark, because of a possible incompatibility issue.
Figure 2.3 shows that once executed, you will be provided with a security warning from Windows about the installation. Here we will see that the publisher is the Wireshark Foundation and that the file is digitally signed and safe. You can always scan your files with an antivirus program first.
In this example, we will be installing the most current version of Wireshark as of the writing of this book which is 1.8.4. This is the most current (and stable) version of the program.
You can also download and test newer versions; however, it is safer to use a stable version so that you can ensure that you are working with the more reliable version when capturing and analyzing data.
You may run into an issue when installing if you already have Wireshark installed. We will discuss this briefly. In Figure 2.4, you can see that because Wireshark is already installed on the host system, Wireshark is asking for permission to uninstall the older version before proceeding. By accepting and clicking on Yes, Wireshark will uninstall the older version before installing the current version.
After you agree, Wireshark will start the uninstall wizard which will walk you through removing the older version as seen in Figure 2.5. Although some programs "upgrade" the current system, Wireshark does a clean removal process and reinstallation of the new package.
Once you click Next, you will be shown the directory from which Wireshark will be removed on your system. Normally this is found in the program file folder on your root drive. Next, you will be given options on the features you would like to uninstall. Figure 2.6 shows the options you can select from.
Here you can choose to keep specific components, such as WinPcap, personal settings or plug-ins. By choosing default options, you will keep personal settings and WinPcap as an example.
Take note of the drop-down menu where you can select the type of uninstall. This sets up specific options that are preset into the uninstall routine. For example, in Figure 2.7, you can select Default, All, or Custom. Quite simply, select the type of uninstall routine you want and you can always customize the options regardless. This just makes it easier for you to select when you uninstall Wireshark.
Once you click on Uninstall, you will be shown a dialog box where you see the files and directories being removed from your system. Once it completes, select Next and you will be shown the dialog box that closes the Wizard and completes the Uninstall. Click Finish to close the wizard.
Once you have finished the uninstall, you will then invoke the Wizard to install Wireshark on your system. Figure 2.8 shows the Wireshark Setup Wizard. The current version of Wireshark (1.8.4) will be installed on the target host once you click Next.
Once you click Next, you will be shown a license agreement, on which you need to select I Agree if you wish to continue the installation process. Once you agree, you will then be brought to the Choose Components portion of the installation process. Here, as seen in Figure 2.9, you can select specifically what components you would like to install.
In Figure 2.9, you are presented with the following components: Wireshark, TShark, plug-ins and extensions, tools and a user's guide. You can also see that you can expand the options in the plug-ins and extensions as well as the tools components.
TShark is a terminal emulation program that you work with via the command line, much like tcpdump. To learn more about how to use TShark and the commands and switches you can use with it, please visit the Wireshark documentation for more info.
http://www.wireshark.org/docs/man-pages/tshark.html
The plug-ins component has multiple options within it. You can install Simple Network Management Protocol (SNMP) Management information bases (MIBs) as well, which are used with management software solutions that capture and alert on specific criteria. This can be helpful if you want to use Wireshark via SNMP to accomplish management and alerting tasks. Plug-in options can be seen in Figure 2.10. Select which plug-ins you would like to use and deselect those you do not want to use when preparing to install.
You can also select options within the Tools component as seen in Figure 2.11.
You can use tools, such as Editcap, Text2Pcap, and others for more. For example, Editcap is another command line tool that works much like a Unix input–output function where you can pipe data to files. Some technicians really enjoy the use of command line tools for many reasons; however, one of the most common of those reasons is that they can be used in scripting files that help to automate processes.
Please make sure you check the Space Required field in the dialog box to ensure that you have allotted for this space. If you select everything that Wireshark has to offer, you will only need approximately 85 MB for the installation to take place.
Once you have decided what components you would like to install, click Next to continue. Once you do, you will be asked to check what additional tasks you would like the Wireshark wizard to perform when installing the program. Figure 2.11 shows these specific tasks. In Figure 2.12 you can tell Wireshark, upon completing installation, that you want Start Menu items created and whether specific file extensions should always be tied to Wireshark when accessed by default.
Once you click on Next, you will have to choose the directory in which to install Wireshark. By default (much like uninstall), the program file folder in the root drive will be selected. You can also see in this dialog box how much space is required and how much space you have available on the drive you wish to install it on to. Click Next to continue.
To install WinPcap on Windows 8 systems, download the executable file from http://www.winpcap.org/install/bin/WinPcap_4_1_2.exe first. Before running the file, modify the Compatibility Mode to Windows 7 within Properties. Otherwise the installation for both WinPcap and Wireshark will fail.
In Figure 2.13, we can verify if we want to install WinPcap if and only if it's a different version. For example, since we did an uninstall and WinPcap remained on the computer we are installing Wireshark on to, we have an option. For example, if this was an older version, we may be given an option to upgrade to the new version which at the time of this writing is version 4.1.2. Click on Install to install the latest version of WinPcap or upgrade it.
Next, you will be shown the extraction and installation of Wireshark and WinPcap on your Windows system. Once the installation is completed, you will be shown the final dialog box as seen in Figure 2.14. Here you can click on Finish to complete the install. If you select the Run Wireshark or Show News check boxes, you can immediately start Wireshark as well as be shown a list of the updates and new features of Wireshark. If you are new to Wireshark, this page will be helpful to read.
Once you have completed the installation, reboot and then you can run the application. Figure 2.15 shows the desktop icon that is created postinstallation. Double-click this icon to launch Wireshark if you did not select it to be run postinstallation.
You have officially installed Wireshark and have it ready to use on your computer. Now, in our next chapter, we will cover the specifics of configuring your system to prepare it for captures, filtering, and analysis of network traffic.
Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124104136000024
Source: https://www.sciencedirect.com/topics/computer-science/wireshark