Wireshark Network Protocol Analyzer
DESCRIPTION
Presented in May 2010. This presentation goes through the Wireshark network analyzer. It presents an overview of the different features that I've found useful while doing network performance analysis for ICS network protocols.
TRANSCRIPT
Sensor Standardization & Harmonization Working Group
Manufacturing Engineering Laboratory (MEL), National Institute of Standards & Technology (NIST)
U.S. Department of Commerce, Technology Administration
Wireshark Network Protocol Analyzer
Jim Gilsinn, Manufacturing Engineering Laboratory (MEL)
National Institute of Standards & Technology (NIST)
May 18, 2010
Overview
• Wireshark: What Is It?
• A Brief History
• What Can It Do?
• How Do I Use It?
• Demo
  – Starting Screen
  – Capture Screen
  – Capture File Statistics
  – Packet Filtering
• Summary
• Where Can I Get It?
Wireshark: What Is It?
• De-facto network packet analyzer
• Open-source
  – GNU General Public License
  – Over 680 contributors
• Multi-platform
  – Pre-compiled installers for PC/Mac
  – Source code & build instructions for Unix & Linux
• Extensible
  – Add-ons and extensions are relatively easy to build
A Brief History
• Started out in 1998 as Ethereal 0.2.0
• Became Wireshark in 2006
  – Original developer changed companies
  – The Ethereal name remained the property of the previous company
  – Started over as Wireshark 0.99
• Currently three versions available
  – Version 1.0.13 – old stable release
  – Version 1.2.8 – stable release
  – Version 1.3.5 – development release
What Can It Do?
• Capture live network traffic
  – Variety of networks (Ethernet, WiFi, Bluetooth, USB, etc.)
• Import capture files from multiple packages
  – 35 different network capture file formats
• Display packets in great detail
  – Over 1000 different protocol decoders (dissectors) have been written
• Identify bad packets
  – Wireshark knows what the packets should look like and flags malformed or inconsistent ones
• Search and filter packets
  – Over 75k different filter variables (display filter fields)
• Track "conversations"
How Do I Use It?
• Protocol & data analysis
  – Analyze client-server interaction, errors, network data verification
• Latency
  – Client-server request-response timing
How Do I Use It?
• Non-web-based applications
  – Jitter on repeating network packets
  – Hardware-assisted packet analysis
How Do I Use It?
Starting Screen
Capture Screen
Capture Screen: Filtered Packets
Capture Screen: Packet Details
Capture Screen: Packet Hex/ASCII
Capture File Statistics
Statistics: Summary
• Basic information about the file
  – File format
  – Number of packets
  – Capture duration
  – Average packets/second
Statistics: Protocol Hierarchy
• Displays protocol layering
• Shows basic statistics (packet and byte counts) for each protocol layer
Statistics: Conversations
• Identifies and tracks individual streams of traffic between endpoint pairs
• Can track multiple protocols (Ethernet, IPv4, TCP, UDP, ...)
Statistics: IO Graph
• Graphical representation of packet timing (packets or bytes per interval, optionally per display filter)
• Helps correlate packet timing with its causes and effects
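The three measurements the demo slides are built around (request-response latency, jitter on a repeating stream, and per-conversation statistics) can be reproduced outside the GUI, which is useful when the same check has to run on every capture from a test bench. The script below is an added example and is not code from the slides or from the Wireshark project. It assumes a hypothetical lab network (addresses 10.0.0.10/20/30, a made-up request/response protocol on UDP port 20000 whose first two payload bytes are a transaction ID, and a sensor that should publish every 100 ms; all of that is constructed). It writes that traffic as a classic pcap with only the standard library, reads it back with a minimal pcap/IPv4/UDP parser, and computes what Statistics > Conversations and the IO Graph would show. The pcap it writes can be opened in Wireshark to compare.

```python
"""Added example: minimal pcap writer/reader plus the three analyses from the
demo (conversations, request/response latency, jitter). Pure stdlib."""
import struct
from collections import defaultdict
from statistics import mean

# Constructed endpoints for a hypothetical lab network (not from the slides).
PLC = ("10.0.0.10", 20000)     # server answering polls
HMI = ("10.0.0.20", 40000)     # client sending polls
SENSOR = ("10.0.0.30", 5000)   # periodic 100 ms publisher


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src, dst, payload):
    """Ethernet II + IPv4 + UDP frame; checksums left 0 (Wireshark only warns)."""
    udp = struct.pack("!HHHH", src[1], dst[1], 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     _ip(src[0]), _ip(dst[0]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


def write_pcap(frames):
    """frames: [(timestamp_seconds, frame_bytes)] -> classic pcap bytes, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Yield (ts, src_ip, src_port, dst_ip, dst_port, payload) for IPv4/UDP frames."""
    magic, = struct.unpack_from("<I", blob, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap handled here"
    off = 24
    while off < len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl]
        off += incl
        if data[12:14] != b"\x08\x00" or data[23] != 17:   # not IPv4, or not UDP
            continue
        ihl = (data[14] & 0x0F) * 4
        src = ".".join(map(str, data[26:30]))
        dst = ".".join(map(str, data[30:34]))
        u = 14 + ihl
        sp, dp, ulen = struct.unpack_from("!HHH", data, u)
        yield (sec + usec / 1e6, src, sp, dst, dp, data[u + 8:u + ulen])


def conversations(pkts):
    """Endpoint pair (direction-agnostic) -> (packets, payload bytes)."""
    conv = defaultdict(lambda: [0, 0])
    for _ts, s, sp, d, dp, pl in pkts:
        key = tuple(sorted([(s, sp), (d, dp)]))
        conv[key][0] += 1
        conv[key][1] += len(pl)
    return {k: tuple(v) for k, v in conv.items()}


def request_response_latency(pkts, client, server):
    """Match each client->server request to the server->client reply carrying the
    same 16-bit transaction id (first two payload bytes in this made-up protocol)."""
    pending, lat = {}, []
    for ts, s, sp, d, dp, pl in pkts:
        tid = pl[:2]
        if (s, sp) == client and (d, dp) == server:
            pending[tid] = ts
        elif (s, sp) == server and (d, dp) == client and tid in pending:
            lat.append(ts - pending.pop(tid))
    return lat


def jitter(pkts, src):
    """For a periodic sender: (mean inter-arrival period, max deviation from it)."""
    times = [ts for ts, s, sp, *_ in pkts if (s, sp) == src]
    deltas = [b - a for a, b in zip(times, times[1:])]
    period = mean(deltas)
    return period, max(abs(d - period) for d in deltas)


def sample_capture():
    """Constructed traffic: three HMI->PLC polls whose replies get 10 ms slower each
    time, plus a sensor stream that should tick every 100 ms but drifts by 5 ms."""
    frames, t = [], 1.0
    for i in range(3):
        frames.append((t, build_frame(HMI, PLC, struct.pack("!H", i) + b"READ")))
        frames.append((t + 0.010 * (i + 1), build_frame(PLC, HMI, struct.pack("!H", i) + b"VALUE")))
        t += 0.5
    for k, off in enumerate([0.0, 0.100, 0.205, 0.300, 0.395, 0.500]):
        frames.append((2.0 + off, build_frame(SENSOR, HMI, b"S" + bytes([k]))))
    frames.sort(key=lambda f: f[0])
    return write_pcap(frames)


def analyze(blob):
    pkts = list(read_pcap(blob))
    period, jit = jitter(pkts, SENSOR)
    return {"conversations": conversations(pkts),
            "latency": request_response_latency(pkts, HMI, PLC),
            "period": period, "jitter": jit}


if __name__ == "__main__":
    pcap = sample_capture()
    with open("sample.pcap", "wb") as fh:   # open this file in Wireshark to compare
        fh.write(pcap)
    for k, v in analyze(pcap).items():
        print(k, v)
```

In Wireshark the same numbers come from Statistics > Conversations (UDP tab) for the endpoint pairs, from the IO Graph for the sensor's spacing, and from the `frame.time_delta_displayed` field once a display filter restricts the view to one conversation. The parser here deliberately handles only the little-endian microsecond pcap magic it writes itself; a capture saved by Wireshark in pcapng would need a different reader.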
Packet Filtering
Building Packet Filters
Summary
• Wireshark is the de facto standard
  – Very versatile
  – Extensible
• Wireshark provides insight into what's happening on the network
  – Capture and view network traffic
  – Investigate network issues
  – Monitor application interactions
• The only way to understand your network is to understand the packets
Where Can I Get It?
• Wireshark Website
  – http://www.wireshark.org
• Wireshark Download
  – http://www.wireshark.org/download.html
• Wireshark Documentation
  – http://www.wireshark.org/docs/
• Wireshark Wiki
  – http://wiki.wireshark.org/
Questions?
• Jim Gilsinn
  – Intelligent Systems Division
    Manufacturing Engineering Laboratory
    National Institute of Standards & Technology
    100 Bureau Drive, Stop 8230
    Gaithersburg, MD 20899-8230
  – 301-975-3865
  – [email protected]
  – http://www.nist.gov/mel/isd