Computer Networks · 2016. 1. 27.
COMPUTER NETWORKS
CPSC 441, Winter 2016
Prof. Mea Wang
Department of Computer Science
University of Calgary
Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser
CPSC 457 Winter 2014
WHAT IS WIRESHARK?
Wireshark is a network protocol analyzer
Runs on Linux, Mac and Windows
Free of cost
It is installed on the lab machines, but needs root access
You can install it:
on your own machine: http://www.wireshark.org/download.html
on your RAC VM (next slide)
TSHARK
Terminal version of Wireshark
Typically used when an interactive user interface is not available
You need to use tshark to capture and analyze network packets on RAC VMs.
Install tshark on your RAC VM:
Please log in to your VM and run: sudo apt-get install tshark
If this results in a “package not available” message, update the package list by executing sudo apt-get update first, and then install tshark
Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser
CAPTURE TRAFFIC
tshark has to be run with “root” privileges: use sudo (superuser mode) while running tshark
Identify the network interface to monitor. To list all interfaces on a machine: ifconfig -a
For RAC VMs, there is only one interface -- “eth0”
Create a destination folder to save the packet trace file. In your home directory (/home/ubuntu): mkdir dump
Change ownership of the dump folder to root: sudo chown -R root: dump
Capture traffic: sudo tshark -i eth0 -w dump/filedump0
Option “-i” specifies the interface name
Option “-w” specifies the destination of the packet trace file
Introduction: Wireshark and tshark
Running tshark
Running Wireshark (This tutorial is adapted from the textbook exercise.)
Exercise: Analyze HTTP traffic to and from web browser
MAIN WINDOW
Click the “Capture” pull-down button to select an interface and start capturing packets
CAPTURE WINDOW
The command menus are standard pull-down menus located at the top of the window.
The packet-listing window displays a one-line summary for each packet captured.
The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window.
The packet-contents window displays the entire content of the captured frame, in both ASCII and hexadecimal format.
The packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows).
Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser (This tutorial is adapted from the textbook exercise.)
EXERCISE: HTTP ANALYSIS
In this exercise, you will use Wireshark or tshark to analyze HTTP traffic.
On your RAC VM:
Since we cannot run a browser application on the VM, we will use the command wget to retrieve web content
While running tshark in one terminal, connect to the public VM in another terminal. Then do the following steps:
wget www.cpsc.ucalgary.ca
wget will show a progress bar
Once the webpage is downloaded completely, stop the capture (press Control-c in the terminal where tshark is running)
TSHARK: ANALYZE PACKETS
tshark dumps all incoming and outgoing packets from eth0
We need to filter the packets that are of interest to us
tshark and Wireshark share the same “Filter Engine”
The filter expression is provided to tshark using the option “-R”. For example:
To filter TCP packets: sudo tshark -r dump/filedump0 -R 'tcp'
By default, a short description of each packet (one per line) is displayed on the standard output
You can redirect the output using the '>' operator
If you want full information (all protocol fields) about a packet, use the -V option: sudo tshark -r dump/filedump0 -R 'tcp' -V
To filter packets with an HTTP header: sudo tshark -r dump/filedump0 -R 'http'
TSHARK: ANALYZE PACKETS
To display TCP packets to and from specific port numbers:
sudo tshark -r dump/filedump0 -R 'tcp.dstport==80 || tcp.srcport==80'
The above command displays all packets whose source or destination TCP port number equals 80
Note the operators '==' and '||'
Similarly, there are the operators '!=', '>', '<', '>=', '<='
tcp.dstport and tcp.srcport are the field names defined in tshark for the TCP destination and source port number, respectively.
For more information about filter expressions:
General info: see the manual page man wireshark-filter
Full list of field names: https://www.wireshark.org/docs/dfref/
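To show what the filter engine does with an expression such as tcp.dstport==80 || tcp.srcport==80, here is a small evaluator for the comparison operators listed above, added for this tutorial (not part of Wireshark or tshark). It works on constructed packet records keyed by Wireshark field names and supports '||' and '&&' without parentheses.

```python
import operator
import re

# Constructed packet records standing in for the fields tshark exposes
# (tcp.srcport, tcp.dstport, ip.src, ip.dst); not data from a real capture.
PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51234, "tcp.dstport": 80},
    {"frame.number": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51234},
    {"frame.number": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.53", "tcp.srcport": 51235, "tcp.dstport": 443},
    {"frame.number": 4, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51234, "tcp.dstport": 80},
]

# The comparison operators from the slide, mapped to Python functions.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
TERM = re.compile(r"^\s*([\w.]+)\s*(==|!=|>=|<=|>|<)\s*([\w.]+)\s*$")

def _value(text):
    """Compare numerically when the literal is an integer, otherwise as a string."""
    return int(text) if text.isdigit() else text

def match_term(pkt, term):
    """Evaluate one 'field op value' comparison; a packet without the field never matches."""
    m = TERM.match(term)
    if not m:
        raise ValueError("unsupported filter term: %r" % term)
    field, op, literal = m.groups()
    if field not in pkt:
        return False
    return OPS[op](pkt[field], _value(literal))

def match_filter(pkt, expr):
    """'||' binds loosest and '&&' tighter, so evaluate an OR of ANDs of terms."""
    return any(all(match_term(pkt, t) for t in clause.split("&&"))
               for clause in expr.split("||"))

def apply_filter(packets, expr):
    """Return the frame numbers that the filter expression would display."""
    return [p["frame.number"] for p in packets if match_filter(p, expr)]
```

Newer tshark releases take this kind of display filter with -Y (the -R option is now a read filter used together with -2); the expression syntax is unchanged.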
TSHARK: FILTER HTTP PACKETS
Filter packets with protocol or field name “HTTP”:
sudo tshark -r dump/filedump0 -R 'http'
Note that the above command will ONLY display packets that are identified as HTTP by tshark or that have a field called “HTTP”
To display all packets exchanged between the VM and the cpsc server:
sudo tshark -r dump/filedump0 -R 'tcp.dstport==80 || tcp.srcport==80'
The HTTP server listens on port 80
WIRESHARK: HTTP ANALYSIS
In Windows or MacOS:
Start up your favorite web browser, which will display your selected homepage
Start up the Wireshark software.
To begin packet capture, select the Capture pull-down menu and select Interfaces. This will cause the “Wireshark: Capture Interfaces” window to be displayed.
You’ll see a list of the interfaces on your computer. Click on Start for the interface on which you want to begin packet capture.
While Wireshark is running, enter the URL www.cpsc.ucalgary.ca in your browser and have that page displayed in the browser
Stop Wireshark packet capture by selecting “stop” in the Wireshark capture window
WIRESHARK: HTTP ANALYSIS
Let’s now filter the HTTP messages (due to the webpage access) between your browser and the cpsc web server
Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in Wireshark) into the display filter specification window and press ENTER. The Wireshark window will look similar to the figure in slide 11
EXAMPLE: HTTP ANALYSIS
“No.” and “Time” values are relative to the start of the capture
THINGS TO TRY OUT
Find the “HTTP GET” message. This is the HTTP request message sent to the cpsc web server from your browser
Find the “HTTP OK” message. This is the HTTP response message from the cpsc web server to your browser
Figure out the IP address of the cpsc web server
Figure out the IP address of your machine
Figure out the time gap between “HTTP GET” and “HTTP OK”
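The same questions can be answered from the one-line summaries that tshark prints. The script below is an added example for this tutorial (not course or Wireshark code): it parses constructed summary lines in the default tshark layout (frame number, relative time, source -> destination, protocol, info), locates the GET and the 200 OK, and reports both IP addresses and the time gap. The sample lines and addresses are made up.

```python
import re

# Constructed tshark one-line summaries modelled on `tshark -r dump/filedump0 -R 'tcp.dstport==80 || tcp.srcport==80'`;
# the frames, times and addresses are made up, not a real capture.
SUMMARY = """\
  1   0.000000     10.0.0.5 -> 192.0.2.10   TCP 51234 > 80 [SYN] Seq=0 Win=29200 Len=0
  2   0.012417   192.0.2.10 -> 10.0.0.5     TCP 80 > 51234 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
  3   0.012480     10.0.0.5 -> 192.0.2.10   TCP 51234 > 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  4   0.012731     10.0.0.5 -> 192.0.2.10   HTTP GET / HTTP/1.1
  5   0.025904   192.0.2.10 -> 10.0.0.5     TCP 80 > 51234 [ACK] Seq=1 Ack=131 Win=30080 Len=0
  6   0.038215   192.0.2.10 -> 10.0.0.5     HTTP HTTP/1.1 200 OK  (text/html)
"""

# frame no., relative time, src -> dst, protocol, rest of line as info
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_summary(text):
    """Turn summary lines into dicts; lines that do not fit the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            packets.append({"no": int(no), "time": float(t), "src": src,
                            "dst": dst, "proto": proto, "info": info.strip()})
    return packets

def analyze_http(packets):
    """Find the first HTTP GET and the first status line sent back by that server to that client.

    Returns None when the capture holds no complete request/response pair."""
    get = next((p for p in packets if p["proto"] == "HTTP" and p["info"].startswith("GET ")), None)
    if get is None:
        return None
    reply = next((p for p in packets if p["no"] > get["no"] and p["proto"] == "HTTP"
                  and p["src"] == get["dst"] and p["dst"] == get["src"]
                  and re.match(r"HTTP/\d\.\d \d{3} ", p["info"])), None)
    if reply is None:
        return None
    return {"request_frame": get["no"], "response_frame": reply["no"],
            "client_ip": get["src"], "server_ip": get["dst"],
            "status": reply["info"].split()[1],
            "gap_seconds": round(reply["time"] - get["time"], 6)}

if __name__ == "__main__":
    print(analyze_http(parse_summary(SUMMARY)))
```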