Wireshark Tutorials for Network Administrators

How to Guide www.tcpipguru.com

Table of Contents

How to find the IP address of websites accessed by a system using DNS analysis
How to find the IP address of systems on a network using ARP analysis
How to find if a system is shut down or unavailable using ARP analysis
How to find the IP address of systems which pinged your server
How to verify DNS resolution functionality
How to monitor Ethernet packets containing a specific type of protocol
How to monitor traffic distribution based on protocols for a specified duration
How to graphically view the list of IP addresses accessed by a system for a specified duration
How to monitor DHCP server response time
How to test latency on a LAN network with ping
How to set up Wireshark to monitor Internet traffic on a LAN network
How to monitor IP based broadcast packets
How to monitor connection failures on TCP applications on a server
How to monitor traffic sent from one system to another
How to identify failed FTP login requests on an FTP server
How to monitor the IP address of users accessing web services on a server
How to set up Wireshark for traffic monitoring on Cisco WAN links
How to analyze if a desktop firewall would be blocking ping
How to monitor traffic between a system and its gateway on a network
How to display protocols associated with broadcast packets

How to find the IP address of websites accessed by a system using DNS analysis

This tutorial demonstrates how the websites accessed by a system on a network, and their IP addresses, can be found using DNS analysis. When a website is typed into a browser, the operating system sends a DNS query, which is a type of DNS packet, to identify the IP address of the website. The website URL is included in the DNS query packet. By using the appropriate Wireshark filter, all DNS query packets can be displayed and analyzed to view the websites accessed by the system. Start Wireshark on the system and apply the filter dns.flags.response==0, which displays all DNS query packets. Inside the Queries field of the packet, the name of the website can be viewed. This can be viewed for all the packets. The capture below shows the DNS query for the LinkedIn website.

How to find the IP address of systems on a network using ARP analysis

The ARP protocol is used for identifying the MAC address of systems on a network for a given IP address. For this, the ARP protocol sends out an ARP request packet, which is a broadcast packet. Inside the ARP request header there is a field for the sender IP address. This would contain the IP address of the system which initiated the ARP request. Since ARP request packets are broadcast, they can be viewed by any system on the network using Wireshark. ARP request packets have the opcode 1. By using the filter arp.opcode==1, all ARP request packets can be viewed. The sender IP address field inside the ARP header can be analyzed to identify the IP address of the sender. By analyzing ARP requests sent by different systems, the IP addresses on the network can be viewed.

How to find if a system is shut down or unavailable using ARP analysis

As mentioned in the above tutorial, ARP request packets are sent to find the MAC address of systems on a network for an IP address. The MAC address of a system is required to construct the Ethernet frame which carries the upper layer protocol headers and data. If the MAC address is not available, it would not be possible to construct the frame, and so the packet cannot be sent. When an ARP request is sent, the corresponding destination would respond with an ARP reply. If an ARP reply is not received, it indicates that the system may be shut down or unavailable. Start Wireshark on a system. Ping the IP address which is to be analyzed. Filter ARP packets in Wireshark using the filter arp. If a ping response is not received, observe whether an ARP reply is being received from the destination. The screenshot below shows a system with the IP address 192.168.0.10 which is pinged. It can be observed that only ARP request packets are being sent out, but no corresponding reply packets are being received, which indicates that the system would be shut down or possibly not available on the network.

How to find the IP address of systems which pinged your server

Ping uses ICMP at the network layer. ICMP type value 8 (echo request) is used by ping. All incoming packets to the server would have the destination IP address in the IP header set to the IP address of the server. To identify the IP address of systems which pinged the server, a filter is applied which displays all ICMP packets with type 8 whose destination IP address in the IP header is the server's IP address. Start Wireshark on the server and apply the filter ip.dst==192.168.0.2 && icmp.type==8, where 192.168.0.2 is the IP address of the server. The source IP address would display the systems which pinged the server. In the screenshot below, the IP address 192.168.0.3 pinged the server.

How to verify DNS resolution functionality

DNS resolution is required for accessing websites and domain names. The DNS architecture consists of DNS clients and servers. DNS clients contact DNS servers using the appropriate DNS messages. When a name has to be resolved, DNS clients send a DNS query with the name/URL to the server. The DNS server responds with the DNS query response, which contains the IP address of the requested URL / name. To test DNS resolution, start Wireshark on the system, apply a filter for the protocol dns and ping a website. For the ping to work, the IP address on which the website is hosted has to be resolved, after which the ping is initiated to that IP address. In the diagram below, the ping is initiated to the website tcpipguru.com, following which a DNS query is sent and, on receipt, the DNS server responds with the IP address. The functionality of DNS resolution is confirmed when the DNS query and DNS query response messages are exchanged as shown in the screenshot below.
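The two DNS tutorials above (listing queried names with dns.flags.response==0, and confirming that each query gets a response) can be automated over the raw UDP payloads. The following is an added example, not code from the tutorial or from tcpipguru.com: it decodes the DNS header, question names and A-record answers, then pairs queries with responses by transaction ID and reports any name that never got an answer. The messages are constructed inline for the demonstration and 203.0.113.10 is a documentation address, not a real resolution result.

```python
import struct

def encode_name(name):  # wire-format name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def read_name(msg, off):  # decode a name at off, following compression pointers
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            end = end or off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length

def parse_dns(msg):  # header, question names and A-record answers of one DNS message
    txid, flags, qd, an = struct.unpack_from("!HHHH", msg, 0)
    off, names, addrs = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        names.append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "names": names, "a_records": addrs}

def resolution_report(messages):  # pair queries with responses by transaction ID
    queries = {m["id"]: m for m in map(parse_dns, messages) if not m["response"]}
    resolved = {}
    for m in map(parse_dns, messages):
        if m["response"] and m["id"] in queries:
            resolved[queries.pop(m["id"])["names"][0]] = m["a_records"]
    return {"resolved": resolved, "unanswered": [q["names"][0] for q in queries.values()]}

# Constructed messages, not from the page's capture; 203.0.113.10 is a documentation address.
QUESTION = encode_name("www.tcpipguru.com") + struct.pack("!HH", 1, 1)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
ORPHAN = struct.pack("!6H", 0x5678, 0x0100, 1, 0, 0, 0) + encode_name("nxdomain.example") + struct.pack("!HH", 1, 1)
```

A query that appears in "unanswered" is exactly the case the second tutorial looks for by eye: the DNS query left the host but no DNS query response came back.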

How to monitor Ethernet packets containing a specific type of protocol

The type field in the Ethernet header identifies the upper layer protocol. This helps to identify the protocol which is carried by the Ethernet frame. Some of the EtherType values are IPv4 (0x800), ARP (0x0806), IPX (0x8137), etc. The screenshot below displays all Ethernet packets with type IPv4 (0x800), using the filter eth.type==0x800.

How to monitor traffic distribution based on protocols for a specified duration

This tutorial explains how to monitor the traffic distribution based on protocols for a specified time. Start Wireshark on the system and stop the capture after the required time. Go to the menu and select Statistics -> Protocol Hierarchy. The screenshot below shows the different protocols which were used on the system during the specified time and their respective distribution in percentage.

How to graphically view the list of IP addresses accessed by a system for a specified duration

This tutorial explains how to view the list of IP addresses with which a system communicated during a specified duration. Start Wireshark on the system and stop after the required duration. Go to the menu and select Statistics -> Conversations. Select the IPv4 tab. The screenshot below shows the list of IP addresses with which the system 192.168.0.2 communicated during the specified time.

How to monitor DHCP server response time

This tutorial explains how to monitor the response time of a DHCP server and the time it actually takes for a DHCP client to receive an IP address. Go to Wireshark Menu -> View -> Time Display Format and select Milliseconds. Ensure that the field is added in the column. Start Wireshark on the network card, initiate a DHCP request on the network card and wait for the card to receive an IP address. Apply a filter for bootp (dhcp in newer Wireshark versions), which would filter and display the DHCP messages exchanged between the client and the server. The client receives and confirms the IP address in the DHCP ACK message. The difference in time between the DHCP Discover and the DHCP ACK shows the time taken. In this case it is 13.683746 - 13.678012 = 5734 milliseconds.

How to test latency on a LAN network with ping.

This tutorial explains how to test the latency on a LAN network with ping. The RTT (round trip time) it takes for a packet to be sent and received is checked using the appropriate time fields. Two systems on a network with the IP addresses 192.168.0.1 and 192.168.0.2 are used. Wireshark is set up on the system with the IP address 192.168.0.2. Go to Wireshark Menu -> View -> Time Display Format and select Time of Day. Ensure that the appropriate field is added in the column. Start Wireshark and ping the system 192.168.0.1. Filter with icmp and stop the capture after the ping execution has stopped. The first two packets (No. 25 and 26) in the screenshot below show the first ICMP packet sent to the destination and the packet which is sent back from the destination to the sender. By analyzing the time difference between these packets, the RTT can be calculated. In this case it is 10:50:32.372 - 10:50:32.370, which is 2 milliseconds.
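Both the DHCP tutorial and the ping tutorial above reduce to the same operation: pair the message that opens a transaction with the one that closes it and take the time difference. The following is an added example, not code from the tutorial, that does this for records built from the two captures' own timestamps (the DHCP transaction ID and the ICMP sequence number used as keys are constructed for the demonstration). It converts the "Time of Day" column into seconds, reports the difference in milliseconds, and leaves an opened transaction at None when no closing message arrives.

```python
from datetime import datetime

def tod_seconds(text):
    """Wireshark 'Time of Day' column (HH:MM:SS.fraction) -> seconds since midnight."""
    t = datetime.strptime(text, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def pair_latency(records, first, last):
    """records: (time_seconds, message, transaction_key) -> {key: milliseconds or None}.
    The first `first` message opens a transaction; the first `last` with the same key closes it."""
    opened, latency = {}, {}
    for when, message, key in sorted(records):
        if message == first and key not in opened:
            opened[key], latency[key] = when, None
        elif message == last and key in opened and latency[key] is None:
            latency[key] = round((when - opened[key]) * 1000, 3)
    return latency

# Constructed records using the timestamps quoted in the two tutorials.
# DHCP: key is the transaction ID (bootp.id / dhcp.id); the lease is complete at the ACK.
DHCP = [(13.678012, "Discover", 0x3D1D), (13.679100, "Offer", 0x3D1D),
        (13.680400, "Request", 0x3D1D), (13.683746, "ACK", 0x3D1D)]
# ICMP: key is the echo sequence number; the second request is never answered.
ICMP = [(tod_seconds("10:50:32.370"), "echo-request", 1), (tod_seconds("10:50:32.372"), "echo-reply", 1),
        (tod_seconds("10:50:33.370"), "echo-request", 2)]
```

Note that the Discover and ACK timestamps are seconds since the start of the capture, so their difference is a fraction of a second before it is scaled to milliseconds.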

How to set up Wireshark to monitor Internet traffic on a LAN network.

This tutorial explains how to set up Wireshark on a LAN network to monitor Internet traffic. A switch which supports port mirroring is required for the purpose. On a LAN network, Internet access is set up using a NAT router or a proxy server. A basic topology diagram is shown below. All traffic destined to the Internet from the users on the LAN network would flow through the LAN interface of the router. The technique uses the port mirroring feature on the switch, which would send a copy of all traffic travelling through port E1 (the Internet traffic) to port E0, where Wireshark can capture all the packets and filters can be used for the appropriate analysis. The configuration to set up port mirroring on a Cisco switch to achieve this requirement is provided below.

The port E1 is configured as the source interface and the destination interface is configured as E0, where the Wireshark system is connected. The following commands are used on a Cisco 2950 switch to set up the required configuration (E1 and E0 are the port labels from the topology diagram; use the switch's actual interface names).

Switch(config)#monitor session 1 source interface E1

Switch(config)#monitor session 1 destination interface E0

How to monitor IP based broadcast packets

This tutorial explains how to use Wireshark to display IP based broadcast packets. Broadcast packets occur at layer 2 and layer 3. Layer 3 broadcast packets / IP based broadcast packets would contain the destination IP address 255.255.255.255. DHCP Discover is a layer 3 broadcast packet. The screenshot below shows a Wireshark capture with the filter ip.dst==255.255.255.255 applied.

How to monitor connection failures on TCP applications on a server

TCP applications respond with a TCP reset when establishing a TCP connection fails. To analyze TCP connection failures, the appropriate filters for displaying TCP resets are used. Start Wireshark on the system and stop it after the required time. Apply the filter ip.addr==192.168.100.20 && tcp.flags.reset==1, where 192.168.100.20 is the IP address of the server and tcp.flags.reset==1 shows all the TCP packets with the reset bit set.

How to monitor traffic sent from one system to another

This tutorial explains how to monitor traffic which is sent from one system to another. When a system initiates communication to another system, the source IP address in the IP packet would be the system's IP address and the destination IP address would be that of the system it intends to communicate with. The screenshot below shows a capture which displays all packets sent from the system with the IP address 192.168.137.175 to 192.168.137.1. The filter used is ip.src==192.168.137.175 && ip.dst==192.168.137.1.

How to identify failed FTP login requests on an FTP server.

This tutorial explains how to identify failed FTP login requests on an FTP server based on Linux or Windows using Wireshark. For this purpose, Wireshark is installed and set up on the operating system on which the FTP server is installed. FTP servers respond with the response code 530 to the FTP client when the login credentials are incorrectly provided. An appropriate Wireshark filter can be used to identify the packets which carry these response codes. The destination IP address in these packets would also help identify the IP address of the client which initiated the connection. The screenshot below shows the Wireshark filter ftp.response.code==530 applied to a capture taken on an FTP server, where the client provided an incorrect credential to log in. The IP address of the server is 192.168.1.20 and the client is 192.168.1.100.

How to monitor the IP address of users accessing web services on a server

This tutorial explains how to view the IP address of users accessing an Apache web server which is installed on an Ubuntu system. Web services run on TCP port 80. Start Wireshark on the Ubuntu system and capture packets for the required duration. Packets which are intended for the web server would have the destination port number 80 and the destination IP address of the server. A filter is applied which displays all TCP packets with the destination port 80 and the destination IP address of the server, which is 192.168.1.20. The filter is ip.dst==192.168.1.20 && tcp.dstport==80.
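The three server-side tutorials above (TCP resets involving the server, FTP 530 replies, and requests to port 80) are all predicates over the IPv4 and TCP headers and the first bytes of the payload. The following is an added example, not code from the tutorial, that decodes Ethernet/IPv4/TCP frames and implements each filter as a function; the frames are constructed inline for the demonstration and the addresses follow the tutorials' own 192.168.1.20 server.

```python
import socket
import struct

def decode_tcp(frame):
    """Ethernet/IPv4/TCP frame -> dict with addresses, ports, RST flag and payload, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None  # not IPv4, or IPv4 protocol field is not 6 (TCP)
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
    data = tcp + (off_flags >> 12) * 4  # data offset is the high nibble, in 32-bit words
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "rst": bool(off_flags & 0x04), "payload": frame[data:]}

def reset_peers(frames, server):
    """ip.addr==server && tcp.flags.reset==1: who was on the other end of each reset."""
    peers = set()
    for p in filter(None, map(decode_tcp, frames)):
        if p["rst"] and server in (p["src"], p["dst"]):
            peers.add(p["dst"] if p["src"] == server else p["src"])
    return sorted(peers)

def failed_ftp_logins(frames):
    """ftp.response.code==530: the client IP each 530 reply was sent to."""
    return sorted({p["dst"] for p in filter(None, map(decode_tcp, frames)) if p["payload"].startswith(b"530 ")})

def web_clients(frames, server):
    """ip.dst==server && tcp.dstport==80: source addresses of requests to the web server."""
    return sorted({p["src"] for p in filter(None, map(decode_tcp, frames)) if p["dst"] == server and p["dport"] == 80})

def tcp_frame(src, sport, dst, dport, flags, payload=b""):  # constructed frames, not a real capture
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload

SYN, ACK, RST = 0x02, 0x10, 0x04
CAPTURE = [
    tcp_frame("192.168.1.100", 40001, "192.168.1.20", 21, ACK, b"USER alice\r\n"),
    tcp_frame("192.168.1.20", 21, "192.168.1.100", 40001, ACK, b"530 Login incorrect.\r\n"),
    tcp_frame("192.168.1.101", 40002, "192.168.1.20", 8080, SYN),  # nothing listening on 8080
    tcp_frame("192.168.1.20", 8080, "192.168.1.101", 40002, RST | ACK),
    tcp_frame("192.168.1.102", 40003, "192.168.1.20", 80, ACK, b"GET / HTTP/1.1\r\n"),
]
```

Because the filters are plain functions, a count of resets or 530 replies per client over a window is a one-line extension, which is what an alerting rule for repeated login failures would use.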

How to set up Wireshark for traffic monitoring on Cisco WAN links.

This tutorial explains how to analyze traffic on a WAN link which is configured with Cisco routers. The diagram below shows two Cisco routers which are connected using serial links. The FastEthernet interface of router R1 is connected to a switch, on which a system with Wireshark is installed. The IP traffic-export feature which is available on Cisco routers is used for the purpose. The configuration is shown below.

R1(config)#ip traffic-export profile capturewan (Creates a traffic export profile with the name capturewan.)

R1(conf-rite)#bidirectional (Configures the profile to capture inbound and outbound traffic.)

R1(conf-rite)#interface fastEthernet 0/0 (Interface which is connected to the switch on which Wireshark is set up.)

R1(conf-rite)#mac-address 001b.76ad.9890 (MAC address of the PC on which Wireshark is set up.)

R1(config)#interface serial 0/0

R1(config-if)#ip traffic-export apply capturewan

After the above configuration is performed, the router would send a copy of the traffic on the WAN link to the system on which Wireshark is configured. Using Wireshark, the appropriate traffic can be filtered and analyzed.

How to analyze if a desktop firewall would be blocking ping

This tutorial explains how to analyze if a desktop firewall is blocking ping requests from a remote system. For this, ping is initiated from the system 192.168.0.2 to the system 192.168.0.3. To communicate with 192.168.0.3, an ARP request is first sent to identify the MAC address of 192.168.0.3. This packet is displayed as the first frame in the capture below. The second frame shows the ARP reply, which is the response to the ARP request. This confirms that the device is up and running at layer 2. The third packet shows the ping request being sent, but there is no corresponding response. This indicates that the system is available at layer 2 but ping is not responding, possibly indicating a desktop firewall on 192.168.0.3 blocking the request.
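The ARP tutorials earlier on this page (sender IP from ARP requests, a host that never sends an ARP reply), the ping tutorial (ip.dst==server && icmp.type==8) and the firewall tutorial just above all draw conclusions from which replies are missing. The following is an added example, not code from the tutorial, that decodes Ethernet/ARP and Ethernet/IPv4/ICMP frames and applies the same reasoning: no ARP reply means shut down or absent, an ARP reply without an echo reply means up at layer 2 but ping filtered, both replies means reachable. The frames and MAC addresses are constructed inline for the demonstration.

```python
import socket
import struct
from collections import defaultdict

ETH_ARP, ETH_IP, BCAST = 0x0806, 0x0800, b"\xff" * 6
ip = socket.inet_ntoa

def decode(frame):
    """(kind, opcode-or-type, src_ip, dst_ip) for ARP and ICMP frames, else None."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == ETH_ARP:  # opcode at offset 20, sender IP at 28, target IP at 38
        return ("arp", struct.unpack_from("!H", frame, 20)[0], ip(frame[28:32]), ip(frame[38:42]))
    if etype == ETH_IP and frame[23] == 1:  # IPv4 whose protocol field is 1 (ICMP)
        ihl = (frame[14] & 0x0F) * 4  # ICMP type is the first byte after the IP header
        return ("icmp", frame[14 + ihl], ip(frame[26:30]), ip(frame[30:34]))
    return None

def classify(frames, probed):
    """Same reasoning as the ARP and ping tutorials: which layer answered each host."""
    seen = defaultdict(set)
    for kind, code, src, _ in filter(None, map(decode, frames)):
        if (kind, code) == ("arp", 2):
            seen[src].add("arp-reply")
        elif (kind, code) == ("icmp", 0):
            seen[src].add("echo-reply")
    return {h: ("no ARP reply: shut down or not on the network" if "arp-reply" not in seen[h]
                else "up at layer 2 but ping unanswered: desktop firewall likely" if "echo-reply" not in seen[h]
                else "reachable") for h in probed}

def pingers(frames, server_ip):
    """Equivalent of ip.dst==server && icmp.type==8: hosts that pinged the server."""
    return sorted({d[2] for d in filter(None, map(decode, frames)) if d[:2] == ("icmp", 8) and d[3] == server_ip})

# Constructed frames for the demonstration, not a real capture.
def arp(op, smac, sip, tmac, tip):
    eth = (BCAST if op == 1 else tmac) + smac + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op) + smac + socket.inet_aton(sip) + tmac + socket.inet_aton(tip)

def icmp(itype, smac, sip, dmac, dip):
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, socket.inet_aton(sip), socket.inet_aton(dip))
    return dmac + smac + struct.pack("!H", ETH_IP) + iphdr + struct.pack("!BBHHH", itype, 0, 0, 1, 1)

ME, M1, M3, Z = b"\x02" * 6, b"\x04" * 6, b"\x06" * 6, b"\x00" * 6
CAPTURE = [arp(1, ME, "192.168.0.2", Z, "192.168.0.1"), arp(2, M1, "192.168.0.1", ME, "192.168.0.2"),
           icmp(8, ME, "192.168.0.2", M1, "192.168.0.1"), icmp(0, M1, "192.168.0.1", ME, "192.168.0.2"),
           arp(1, ME, "192.168.0.2", Z, "192.168.0.3"), arp(2, M3, "192.168.0.3", ME, "192.168.0.2"),
           icmp(8, ME, "192.168.0.2", M3, "192.168.0.3"),  # echo request never answered: firewall case
           arp(1, ME, "192.168.0.2", Z, "192.168.0.10")]   # ARP request never answered: host down
```

The sender IP of each ARP request (the second tutorial's arp.opcode==1 view) is the third element of decode() for any frame whose kind is "arp" and code is 1.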

How to monitor traffic between a system and its gateway on a network

This tutorial explains how to monitor traffic between a system and its gateway on a network. Systems on the network send packets which are bound for different networks, the Internet, etc. to the gateway. For this, the data is encapsulated in a frame whose source MAC address and destination MAC address are the system's and the gateway's MAC addresses respectively. The screenshot below shows the traffic exchanged between the system (MAC: 4c:0f:6e:f5:e9:fc) and the gateway (MAC: 6c:19:8f:58:f8:89) using the filter eth.addr==4c:0f:6e:f5:e9:fc && eth.addr==6c:19:8f:58:f8:89.

How to display protocols associated with broadcast packets.

This tutorial explains how to display the protocols which generate broadcast packets on the network. Broadcast packets would have the Ethernet destination MAC address FF:FF:FF:FF:FF:FF. Broadcast packets are sent to all systems on a network. Start Wireshark on a system on the network and apply the filter eth.addr==FF:FF:FF:FF:FF:FF, which would capture all broadcast packets on the network. Stop Wireshark after the required time. Go to Menu -> Statistics -> Protocol Hierarchy. The screenshot below shows the protocols which generate broadcast packets.