
Wireshark (aka Ethereal) - Nanog PDF

57 Pages·2007·3.05 MB·English

Preview Wireshark (aka Ethereal) - Nanog

Wireshark (aka Ethereal)
Aamer Akhter / [email protected]
ECMD, Cisco Systems
Aakhter-wireshark ©2006 Cisco Systems, Inc. All rights reserved.

What is Wireshark
- Free, open source network protocol analyzer
- Multi-platform: runs on Windows, Linux, Solaris, NetBSD, FreeBSD
- CLI as well as graphical display
- 100's of protocols supported

Acknowledgements
- Gerald Combs, creator and lead developer since 1998
- Guy Harris
- Gilbert Ramirez
- Many, many contributors: http://anonsvn.wireshark.org/wireshark/trunk/AUTHORS
- libpcap folks
- WinPcap folks
- CACE Technologies

How is Wireshark Used today?
- Troubleshooting
- Performance issues
- Security analysis
- Protocol learning tool
- Protocol development

Wireshark Website
- http://www.wireshark.org (formerly ethereal.com)
- Source tarball
- SVN repository
- Compiled binaries for multiple platforms
- Documentation

Wireshark Wiki
- http://wiki.wireshark.org/
- Protocol reference
- Discussion of various network protocols and how they operate
- Growing sample pcap library

Basic Components
[Annotated screenshot; callouts: Captured frames; Filter spec; Frames that match the filter spec; Protocol dissection of the selected frame; Hex view of the frame, with the selection from the protocol dissection also highlighted]

Acquiring Packets (capturing)
- Select Capture -> Interfaces…
- Pick which interface to capture on
- Real-time stats are shown with a basic breakdown of captured packets
- Click on Stop to stop capturing and analyze in detail

Capture Options
- Let the user select 'how' the capture is done
- Capture filters
- Where to store the capture file
- Real-time capture
- When to stop capturing

Security: Capturing Packets
- Capturing generally requires super-user capability (BSD does not require SU to capture in promiscuous mode)
- There have been a number of security-related issues: a large number of dissectors written by a variety of people, plus a large body of infrastructure code (GTK, etc.), all of which parses untrusted network data while the process holds capture privileges
- For pure capture, 'tshark' in capture-only mode or 'tcpdump' might be the better option; do the analysis afterwards in Wireshark, without capture privileges
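To make the dissector point concrete, here is an added example (not code from the slides or from the Wireshark project): a small pcap reader with an Ethernet/IPv4/UDP dissector that reproduces the three panes from the Basic Components slide (a filterable frame list, a per-frame dissection keyed by Wireshark-style field names, and a hex view). Every length field is checked against the bytes actually present, and a frame that fails dissection is listed as malformed rather than aborting the run; that discipline is exactly what historically went wrong in dissectors written without it. The pcap bytes are constructed inline (IP checksums are left at zero), and the `frame_list`, `dissect`, `hex_view` and `build_*` names are this example's own.

```python
"""Bounds-checked pcap reader plus Ethernet/IPv4/UDP dissector (added example;
not from the NANOG slides or Wireshark). Sample capture is constructed below."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian libpcap file magic
LINKTYPE_ETHERNET = 1


class DissectError(ValueError):
    """A record or frame whose declared lengths do not fit the bytes present."""


def read_pcap(data):
    """Yield (ts_sec, frame_bytes) per record, refusing inconsistent lengths."""
    if len(data) < 24:
        raise DissectError("truncated global header")
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise DissectError("unsupported pcap magic or link type")
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise DissectError("truncated record header at %d" % off)
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        if incl_len > orig_len or incl_len > len(data) - off:
            raise DissectError("record at %d claims %d bytes" % (off, incl_len))
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Dissection pane: {field: value} for Ethernet -> IPv4 -> UDP; raise on inconsistency."""
    if len(frame) < 14:
        raise DissectError("shorter than an Ethernet header")
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
         "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if f["eth.type"] != 0x0800:
        return f
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise DissectError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):  # never trust ip.len blindly
        raise DissectError("ip.hdr_len/ip.len disagree with captured bytes")
    f["ip.src"] = ".".join(map(str, ip[12:16]))
    f["ip.dst"] = ".".join(map(str, ip[16:20]))
    f["ip.proto"] = ip[9]
    if ip[9] != 17:
        return f
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise DissectError("truncated UDP header")
    f["udp.srcport"], f["udp.dstport"], ulen = struct.unpack("!HHH", udp[0:6])
    if ulen < 8 or ulen > len(udp):
        raise DissectError("udp.length %d disagrees with IP payload" % ulen)
    f["udp.payload"] = udp[8:ulen]
    return f


def hex_view(frame, width=16):
    """Hex pane: offset, hex bytes, printable ASCII."""
    rows = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexs = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexs, asc))
    return "\n".join(rows)


def frame_list(pcap, display_filter=None):
    """Frame pane. display_filter is a (field, value) pair, like 'udp.dstport == 53'.
    Malformed frames are always listed, so bad input is visible rather than dropped."""
    rows = []
    for n, (ts, frame) in enumerate(read_pcap(pcap), start=1):
        try:
            f = dissect(frame)
        except DissectError as e:
            rows.append((n, ts, "[malformed: %s]" % e))
            continue
        if display_filter and f.get(display_filter[0]) != display_filter[1]:
            continue
        rows.append((n, ts, "%s -> %s proto=%s" % (f.get("ip.src"), f.get("ip.dst"), f.get("ip.proto"))))
    return rows


def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed sample traffic (IP checksum left 0; not a real capture)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1160000000 + i, 0, len(fr), len(fr)) + fr
    return out


# Constructed sample: a DNS query, an unrelated UDP datagram, and a copy of the
# query cut to 40 bytes so ip.len overstates what was captured (must not crash).
DNS_QUERY = build_udp_frame("10.0.0.5", "10.0.0.1", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
OTHER = build_udp_frame("10.0.0.5", "10.0.0.9", 40001, 1234, b"hello")
SAMPLE_PCAP = build_pcap([DNS_QUERY, OTHER, DNS_QUERY[:40]])

if __name__ == "__main__":
    for row in frame_list(SAMPLE_PCAP, ("udp.dstport", 53)):
        print(*row)
    print(hex_view(DNS_QUERY))
```

Run it and the filtered frame list shows frame 1 (the DNS query) and frame 3 flagged as malformed, while frame 2 is hidden by the filter; the hex pane prints the DNS frame the way Wireshark's bottom pane would. The same shape applies to a real file: replace `SAMPLE_PCAP` with the bytes of a capture taken by tcpdump or tshark in capture-only mode, and the parsing happens in an unprivileged process.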

Description:
Lawful Intercept. Embedded Linux: pcap on a 'special' interface can represent multiple link types.