PACKET ANALYSIS USING WIRESHARK CEH TWITTER:@BASAVESWARK

Upload: basaveswar-kureti

Post on 18-Jan-2017

Page 1: Packet analysis using wireshark

PACKET ANALYSIS USING WIRESHARK

CEH | TWITTER: @BASAVESWARK

Page 2: Packet analysis using wireshark

WHAT IS WIRESHARK?

Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Page 3: Packet analysis using wireshark

FEATURES

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

Page 4: Packet analysis using wireshark

CAPTURING LIVE TRAFFIC

Page 5: Packet analysis using wireshark

COLORING RULES

Page 6: Packet analysis using wireshark

DISPLAY FILTERS

• Filter specific addresses

ip.addr == 192.168.1.5
ip.src == 192.168.1.5
ip.dst == 192.168.1.5

• Filter specific protocols

dns || http (or, equivalently, dns or http)

• Filter specific ports

tcp.port == 443
udp.port == 1234

• Identify TCP issues and packet loss (retransmissions, duplicate ACKs, out-of-order segments, zero window, etc., as flagged by Wireshark's TCP expert analysis)

tcp.analysis.flags

• Cleaning up or pruning noise

!(arp or dns or icmp)

Page 7: Packet analysis using wireshark

DISPLAY FILTERS (CONTINUED)

• Follow a TCP stream

tcp.stream eq 32

• DNS queries

udp contains facebook

• HTTP requests/responses

http.request
http.response.code == 200

• TCP traffic flags

tcp.flags.syn == 1
tcp.flags.reset == 1

• SIP traffic

sip
rtp
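As an added example covering both display-filter slides above (this is my own code, not part of the slides and not Wireshark's code): a minimal libpcap reader in Python with one predicate per filter string, run against a four-frame capture constructed inline. Every function name, the sample frames, MAC/IP addresses and ports are my own constructions; the `http.request` predicate is a simplification that only checks the request method, and `dns` is recognised by UDP port 53 rather than by Wireshark's dissector heuristics.

```python
"""Constructed example: a minimal libpcap reader plus Python predicates that
mirror the Wireshark display filters from the slides (not Wireshark's code)."""
import struct

TCP, UDP = 6, 17

def _addr(a):
    return bytes(int(o) for o in a.split("."))

def ipv4(src, dst, proto, payload):
    """IPv4 header; the checksum is left at 0 because nothing here sends packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, _addr(src), _addr(dst)) + payload

def tcp(sport, dport, flags, payload=b""):
    """TCP header with data offset 5 (0x50); window, checksum, urgent ptr are dummies."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def frame(ip_packet):
    """Ethernet II header with constructed MAC addresses and EtherType 0x0800 (IPv4)."""
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_packet

def pcap(frames):
    """Serialise frames as a classic little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1484697600 + n, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield the raw frames of a little-endian libpcap byte string."""
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def decode(raw):
    """Dissect Ethernet/IPv4/TCP|UDP into the field names Wireshark filters use."""
    p = {}
    if raw[12:14] != b"\x08\x00":             # not IPv4 (e.g. ARP): no ip.* fields
        return p
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    p["ip.src"] = ".".join(str(b) for b in ip[12:16])
    p["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    p["ip.proto"] = ip[9]
    l4 = ip[ihl:]
    if ip[9] == TCP:
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", l4[:14])
        p.update({"tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.reset": (flags >> 2) & 1,
                  "tcp.payload": l4[(off >> 4) * 4:]})
    elif ip[9] == UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        p.update({"udp.srcport": sport, "udp.dstport": dport, "udp": l4[:length]})
    return p

def is_dns(p):                                 # simplification: DNS == UDP port 53
    return 53 in (p.get("udp.srcport"), p.get("udp.dstport"))

# One predicate per filter string from the slides.
FILTERS = {
    "ip.addr == 192.168.1.5": lambda p: "192.168.1.5" in (p.get("ip.src"), p.get("ip.dst")),
    "tcp.port == 443": lambda p: 443 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    "tcp.flags.syn == 1": lambda p: p.get("tcp.flags.syn") == 1,
    "tcp.flags.reset == 1": lambda p: p.get("tcp.flags.reset") == 1,
    "udp contains facebook": lambda p: b"facebook" in p.get("udp", b""),
    "http.request": lambda p: p.get("tcp.payload", b"").split(b" ")[0] in (b"GET", b"POST"),
    "!(arp or dns or icmp)": lambda p: "ip.src" in p and p["ip.proto"] != 1 and not is_dns(p),
}

def matching(pcap_bytes, filter_text):
    """Return the 1-based frame numbers (as in Wireshark's packet list) that match."""
    pred = FILTERS[filter_text]
    return [i for i, raw in enumerate(read_pcap(pcap_bytes), 1) if pred(decode(raw))]

# Constructed sample capture: a DNS query for facebook.com, a client SYN to
# port 443, the server's RST/ACK, and an HTTP GET between two other hosts.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x08facebook\x03com\x00\x00\x01\x00\x01")
SAMPLE_PCAP = pcap([
    frame(ipv4("192.168.1.5", "192.168.1.1", UDP, udp(53000, 53, DNS_QUERY))),
    frame(ipv4("192.168.1.5", "203.0.113.10", TCP, tcp(51000, 443, 0x02))),
    frame(ipv4("203.0.113.10", "192.168.1.5", TCP, tcp(443, 51000, 0x14))),
    frame(ipv4("10.0.0.7", "10.0.0.9", TCP, tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n"))),
])

if __name__ == "__main__":
    for text in FILTERS:
        print(f"{text:24} -> frames {matching(SAMPLE_PCAP, text)}")
```

Running the script prints, for each filter, the frame numbers that Wireshark would show when the same filter is typed into the display-filter bar: `ip.addr` matches a host whether it is source or destination, `tcp.port` matches either port, and `udp contains` is a raw byte search, which is why it finds the label "facebook" inside a DNS query name. On a real capture file the same filters apply with `tshark -r capture.pcap -Y 'tcp.flags.syn == 1'`.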

Page 8: Packet analysis using wireshark

DEMO TIME

Page 9: Packet analysis using wireshark

SOME QUICK SHORTCUTS

Page 10: Packet analysis using wireshark

USE CASE #1: VOIP CALL RECORDING

Page 11: Packet analysis using wireshark

USE CASE #1: VOIP CALL RECORDING (CONTINUED)

Page 12: Packet analysis using wireshark

USE CASE #1: VOIP CALL RECORDING (CONTINUED)

Page 13: Packet analysis using wireshark

USE CASE #2: DNS QUERY

Page 14: Packet analysis using wireshark

USE CASE #2: DNS QUERY (CONTINUED)

Page 15: Packet analysis using wireshark

USE CASE #3: TROUBLESHOOTING AN INTERNET ACCESS ISSUE (UNABLE TO ACCESS A PARTICULAR MUSIC SITE)

Page 16: Packet analysis using wireshark

USE CASE #4: UNDERSTANDING SSL FLOW

Page 17: Packet analysis using wireshark

USE CASE #4: UNDERSTANDING SSL FLOW (CONTINUED)

Page 18: Packet analysis using wireshark


Page 19: Packet analysis using wireshark

APPENDIX

Page 20: Packet analysis using wireshark

APPENDIX (CONTINUED)