COMPUTER NETWORKS CPSC 441, Winter 2016 Prof. Mea Wang Department of Computer Science University of Calgary


Page 1: COMPUTER NETWORKS · 2016. 1. 27. · Tshark dumps all incoming and outgoing packets from eth0 We need to filter the packets that are of interest to us tshark and wireshark shares

COMPUTER NETWORKS

CPSC 441, Winter 2016, Prof. Mea Wang

Department of Computer Science, University of Calgary

Page 2:

Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser

Page 3:

CPSC  457  Winter  2014

WHAT IS WIRESHARK?

Wireshark is a network protocol analyzer
Runs on Linux, Mac and Windows
Free of cost

It is installed on the lab machines, but capturing there needs root access. You can install it:

on your own machine: http://www.wireshark.org/download.html
on your RAC VM (next slide)

Page 4:

TSHARK

Terminal version of Wireshark
Typically used when an interactive user interface is not available
You need to use tshark to capture and analyze network packets on the RAC VMs.
Install tshark on your RAC VM:

Log in to your VM and run: sudo apt-get install tshark

If this results in a "package not available" message, update the package list by executing sudo apt-get update first, then install tshark.

On Debian/Ubuntu the installer asks whether non-superusers should be able to capture packets. Answering yes lets members of the wireshark group capture (sudo usermod -aG wireshark $USER, then log in again) without running tshark itself as root; the slides that follow use sudo instead, which also works.

Page 5:

Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser

Page 6:

CAPTURE TRAFFIC

tshark has to be run with root privileges to capture: prefix it with sudo (superuser mode). Only the capture itself needs privilege. Wireshark's own advice is to give that privilege to the dumpcap capture helper (which is what the wireshark group setup from the install step does) and keep the dissectors unprivileged, because tshark parses untrusted data from the wire.

Identify the network interface to monitor. To list all interfaces on a machine: ifconfig -a (or ip link). For the RAC VMs there is only one interface, "eth0".

Create a destination folder to save the packet trace file. In your home directory (/home/ubuntu): mkdir dump
Change ownership of the dump folder to root: sudo chown -R root: dump

Capture traffic:
sudo tshark -i eth0 -w dump/filedump0

Option "-i" specifies the interface name; option "-w" writes the raw packets to the trace file instead of printing one-line summaries. The capture runs until you press Control-C (or add -c <count> or -a duration:<seconds> to stop it automatically). The trace file is created by root, so later commands that read it also need sudo.

Page 7:

Introduction: Wireshark and tshark
Running tshark
Running Wireshark (This tutorial is adapted from the textbook exercise.)
Exercise: Analyze HTTP traffic to and from web browser

Page 8:

MAIN WINDOW

Click the "Capture" pull-down button to select an interface and start capturing packets

Page 9:

CAPTURE WINDOW

Page 10:

CAPTURE WINDOW

The command menus are standard pull-down menus located at the top of the window.
The packet-listing window displays a one-line summary for each packet captured.
The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window.
The packet-contents window displays the entire content of the captured frame, in both ASCII and hexadecimal format.
The packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows).

Page 11:

Introduction: Wireshark and tshark
Running tshark
Running Wireshark
Exercise: Analyze HTTP traffic to and from web browser (This tutorial is adapted from the textbook exercise.)

Page 12:

EXERCISE: HTTP ANALYSIS

In this exercise, you will use Wireshark or tshark to analyze HTTP traffic.

On your RAC VM: since we cannot run a browser application on the VM, we will use the command wget to retrieve web content. While tshark is capturing in one terminal, connect to the VM in another terminal and do the following:

wget www.cpsc.ucalgary.ca
wget will show a progress bar.

Once the webpage is downloaded completely, stop the capture (press Control-C in the terminal where tshark is running).

Page 13:

TSHARK: ANALYZE PACKETS

tshark dumps all incoming and outgoing packets from eth0, so we need to filter the packets that are of interest to us. tshark and Wireshark share the same filter engine and therefore the same filter syntax. On these slides the filter expression is passed to tshark with the "-R" option. For example:

To filter TCP packets:
sudo tshark -r dump/filedump0 -R 'tcp'

Note that "-r" (lower case) reads a saved trace file while "-R" (upper case) is the filter; sudo is needed here only because the dump folder is owned by root, reading a trace does not itself require privileges. Since tshark 1.10, "-R" is a two-pass read filter that has to be combined with "-2", and the one-pass display filter option is "-Y"; on a current tshark the equivalent command is tshark -r dump/filedump0 -Y 'tcp' (or -2 -R 'tcp').

By default, a short description of each packet (one per line) is written to standard output. You can redirect the output to a file with the '>' operator. If you want full information (all protocol fields) for each packet, add the -V option:
sudo tshark -r dump/filedump0 -R 'tcp' -V

To filter packets that carry an HTTP header:
sudo tshark -r dump/filedump0 -R 'http'

Page 14:

TSHARK: ANALYZE PACKETS

To display TCP packets to and from a specific port number:
sudo tshark -r dump/filedump0 -R 'tcp.dstport==80 || tcp.srcport==80'

The above command displays all packets whose source or destination TCP port is 80. Note the comparison operator '==' and the logical OR '||'; '&&' (and) and '!' (not) are also available. The other comparison operators are '!=', '>', '<', '>=' and '<='. tcp.srcport and tcp.dstport are the field names the filter engine defines for the TCP source and destination port, respectively; fields are always written with their protocol prefix.

For more information about filter expressions: for the general syntax, see the manual page man wireshark-filter; for the full list of field names, see https://www.wireshark.org/docs/dfref/

Page 15:

TSHARK: FILTER HTTP PACKETS

Filter packets with protocol or field name "http":
sudo tshark -r dump/filedump0 -R 'http'
Note that the above command will ONLY display packets that tshark has dissected as HTTP (the request and response messages), i.e. packets that have an http field.

To display all packets exchanged between the VM and the cpsc server:

sudo tshark -r dump/filedump0 -R 'tcp.dstport==80 || tcp.srcport==80'
The HTTP server listens on port 80, so this also shows the TCP handshake, the pure ACKs and the connection teardown that the 'http' filter hides. If the server redirects wget to an https:// URL, the rest of the exchange happens on port 443 and is encrypted; the 'http' filter then shows only the first request and the redirect response.
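As an added illustration, not code from the slides, the following Python script builds a six-packet capture in memory in pcap format, dissects it into the same field names the filter engine uses, and applies the two filters above as Python predicates. The addresses 10.0.0.5 and 192.0.2.10, the ports and the HTTP payloads are constructed sample data, and the "display filter" is a Python function rather than a parser for Wireshark's filter language. Python is used so the example runs offline without a capture interface or root privileges.

```python
"""Added example (not from the CPSC 441 slides): build a tiny capture in
memory, dissect it, and apply filters equivalent to tshark's
'tcp.dstport==80 || tcp.srcport==80' and 'http'.  All addresses, ports
and HTTP payloads are constructed sample data."""
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP + payload. Checksums are left zero: tshark
    reports them as bad but still dissects the packet."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """frames: [(timestamp_seconds, frame_bytes)] -> bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


def dissect(pcap):
    """Yield one dict of Wireshark-style field names per packet, the same
    names tshark filters use (ip.src, tcp.dstport, http.request.method, ...)."""
    assert struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC
    off, t0, number = 24, None, 0
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ts = sec + usec / 1e6
        t0 = ts if t0 is None else t0
        number += 1
        f = {"frame.number": number, "frame.time_relative": ts - t0}
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == 0x0800:  # IPv4
            ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
            f["ip.src"] = ".".join(map(str, ip[12:16]))
            f["ip.dst"] = ".".join(map(str, ip[16:20]))
            if ip[9] == 6:                                                       # TCP
                tcp = ip[(ip[0] & 0x0F) * 4:]
                f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
                first_line = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n", 1)[0]
                parts = first_line.decode("ascii", "replace").split(" ")
                # Wireshark decides a segment is HTTP from the port (80 by
                # default) plus content; this toy version looks only at content.
                if len(parts) >= 3 and parts[2].startswith("HTTP/"):
                    f["http.request.method"], f["http.request.uri"] = parts[0], parts[1]
                elif len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
                    f["http.response.code"] = int(parts[1])
        yield f


def display_filter(packets, keep):
    """'keep' plays the role of the -R/-Y expression: it sees the field dict
    and returns True for packets to display."""
    return [p for p in packets if keep(p)]


def port80(p):   # tcp.dstport==80 || tcp.srcport==80
    return p.get("tcp.dstport") == 80 or p.get("tcp.srcport") == 80


def is_http(p):  # 'http': packet has at least one http.* field
    return any(k.startswith("http.") for k in p)


# Constructed sample: handshake, GET, 200 OK on port 80, plus one TLS
# segment on port 443 that neither filter should match.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # RAC VM and web server (made up)
SAMPLE_PCAP = build_pcap([
    (1000.000000, build_frame(CLIENT, SERVER, 40000, 80, flags=0x02)),
    (1000.012000, build_frame(SERVER, CLIENT, 80, 40000, flags=0x12)),
    (1000.012500, build_frame(CLIENT, SERVER, 40000, 80, flags=0x10)),
    (1000.013000, build_frame(CLIENT, SERVER, 40000, 80,
                              b"GET / HTTP/1.1\r\nHost: www.cpsc.ucalgary.ca\r\n\r\n")),
    (1000.061000, build_frame(SERVER, CLIENT, 80, 40000,
                              b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    (1000.070000, build_frame(CLIENT, "192.0.2.20", 40001, 443, b"\x16\x03\x01")),
])

if __name__ == "__main__":
    pkts = list(dissect(SAMPLE_PCAP))
    for p in display_filter(pkts, port80):
        print(p["frame.number"], f"{p['frame.time_relative']:.6f}", p["ip.src"], "->", p["ip.dst"])
    print("http packets:", [p["frame.number"] for p in display_filter(pkts, is_http)])
```

Running it lists the five port-80 frames (handshake, GET, 200 OK) and reports frames 4 and 5 as the only ones the 'http' filter keeps, which is exactly the difference between the two slide commands. The bytes returned by build_pcap are a valid pcap file, so they can also be written to disk and opened with tshark -r to compare the real dissector's output (it will flag the zero checksums).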

Page 16:

WIRESHARK: HTTP ANALYSIS

In Windows or MacOS:
Start up your favorite web browser, which will display your selected homepage.
Start up the Wireshark software.
To begin packet capture, select the Capture pull-down menu and select Interfaces. This will cause the "Wireshark: Capture Interfaces" window to be displayed.
You'll see a list of the interfaces on your computer. Click on Start for the interface on which you want to begin packet capture.
While Wireshark is running, enter the URL www.cpsc.ucalgary.ca in your browser and have that page displayed in the browser.
Stop the Wireshark packet capture by selecting "stop" in the Wireshark capture window.

Page 17:

WIRESHARK: HTTP ANALYSIS

Let's now filter the HTTP messages (due to the webpage access) between your browser and the cpsc web server.

Type "http" (without the quotes, and in lower case: all protocol names are in lower case in Wireshark) into the display filter field and press ENTER. The Wireshark window will look similar to the figure on slide 11.

Page 18:

EXAMPLE: HTTP ANALYSIS

"No." and "Time" values are relative to the start of the capture

Page 19:

THINGS TO TRY OUT

Find the HTTP GET message. This is the HTTP request sent from your browser (or wget) to the cpsc web server.
Find the HTTP 200 OK message. This is the HTTP response from the cpsc web server to your browser.
Figure out the IP address of the cpsc web server.
Figure out the IP address of your machine.
Figure out the time gap between the HTTP GET and the HTTP OK.
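As an added example that is not part of the slides, the Python script below answers the five questions above from tshark's field output instead of by eye. tshark can print selected fields, one packet per line and tab-separated, with -T fields -e <field>; the command assumed here (shown in the docstring) uses the -Y display filter of current tshark, so substitute -R on the 2016 VM and prefix sudo if the trace is root-owned. The SAMPLE text is constructed to look like that output for a capture with two request/response pairs; the addresses, frame numbers and times are made up.

```python
"""Added example (not from the CPSC 441 slides): answer the 'things to
try out' from tshark field output.  Assumed producing command:

  tshark -r dump/filedump0 -Y http -T fields -e frame.number \
      -e frame.time_relative -e tcp.stream -e ip.src -e ip.dst \
      -e http.request.method -e http.request.uri -e http.response.code \
      > http.tsv

Fields are tab-separated (tshark's default) and absent fields are empty.
SAMPLE below is constructed to look like that output; nothing in it is
from a real capture."""
from collections import defaultdict, deque

FIELDS = ["frame.number", "frame.time_relative", "tcp.stream", "ip.src", "ip.dst",
          "http.request.method", "http.request.uri", "http.response.code"]

SAMPLE = "\n".join([
    "4\t0.013000\t0\t10.0.0.5\t192.0.2.10\tGET\t/\t",
    "6\t0.061000\t0\t192.0.2.10\t10.0.0.5\t\t\t200",
    "9\t0.070500\t0\t10.0.0.5\t192.0.2.10\tGET\t/style.css\t",
    "11\t0.112000\t0\t192.0.2.10\t10.0.0.5\t\t\t404",
])


def parse_fields(text):
    """One dict per line, keyed by the -e field names in FIELDS order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(FIELDS, values)))
    return rows


def analyze(text):
    """Pair each HTTP response with the oldest unanswered request on the same
    TCP stream (HTTP/1.1 answers requests in order) and report client,
    server, status and the GET-to-response time gap."""
    pending = defaultdict(deque)   # tcp.stream -> requests awaiting a response
    pairs = []
    for row in parse_fields(text):
        if row["http.request.method"]:
            pending[row["tcp.stream"]].append(row)
        elif row["http.response.code"]:
            queue = pending[row["tcp.stream"]]
            if not queue:
                continue   # capture started after the request: do not mis-pair
            req = queue.popleft()
            pairs.append({
                "client": req["ip.src"],
                "server": req["ip.dst"],
                "request": f"{req['http.request.method']} {req['http.request.uri']}",
                "status": int(row["http.response.code"]),
                "frames": (int(req["frame.number"]), int(row["frame.number"])),
                "gap_s": float(row["frame.time_relative"]) - float(req["frame.time_relative"]),
            })
    return pairs


if __name__ == "__main__":
    for pair in analyze(SAMPLE):
        print(f"{pair['client']} -> {pair['server']}  {pair['request']}  "
              f"{pair['status']}  frames {pair['frames']}  gap {pair['gap_s']:.6f}s")
```

The gap is the difference between the frame timestamps of the request and of the first response frame as seen at the capture point, so it includes the network round trip plus the server's processing time. Pairing by tcp.stream matters as soon as the browser opens several connections to the same server; a response whose request was not captured is skipped rather than attributed to the wrong request.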