Introduction to Wireshark
Weichao Li
Jan. 22, 2016
Content
Packet capture
Why do we need to capture packets?
troubleshoot network problems
examine security problems
debug protocol implementations
learn network protocol internals
What is Wireshark?
An open-source network protocol analyzer
capture network packets
display the captured packets, decoded protocol by protocol
[Diagram: Wireshark runs on top of a capture library, libpcap on Linux and WinPcap on Windows]
Homepage of libpcap:
http://www.tcpdump.org/
Homepage of winpcap:
http://www.winpcap.org
Tcpdump
Command-line packet capture and analysis tool built on libpcap
Homepage: http://www.tcpdump.org/
Windump
The Windows version of tcpdump
Homepage: http://www.winpcap.org/windump/
Tshark
Also a network protocol analyzer
Command-line version of Wireshark
User manual: https://www.wireshark.org/docs/man-pages/tshark.html
Capture filters
Only the packets matching the rule are captured and decoded in Wireshark.
Packets that fail a capture filter are never written to the trace and cannot be recovered later; when in doubt, capture everything and narrow down with a display filter.
Syntax (libpcap/BPF filter syntax, the same as tcpdump uses)
Specify protocols: ip, tcp, udp
Specify host: host, src, dst (the type qualifier host is assumed when omitted)
More filters can be found at: http://wiki.wireshark.org/CaptureFilters
Display filters
Do not affect what is captured.
Only decide which of the captured packets are shown, and can be changed or removed at any time.
Work on dissected fields, so a filter such as http matches by protocol content rather than by port number.
Syntax
Useful: Follow TCP Stream
More filters can be found at: http://wiki.wireshark.org/DisplayFilters
Follow a stream.
Stream: [IP address A, port A, IP address B, port B]
Both directions of the connection belong to the same stream.
Adjust the layout and columns.
Edit -> Preferences
Statistics
Summary: general statistics about the current capture file
Conversations: statistics of the captured conversations
A conversation is the traffic between two specific endpoints
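As an added example (not part of the original slides, and not Wireshark's own code), the Python script below builds a small constructed trace, writes it in the classic pcap format that Wireshark reads, and then applies the ideas from the filter, stream and statistics slides in code: a BPF-style capture filter (tcp, udp, host, port) that decides what enters the trace, an http display filter that classifies packets by dissecting the payload rather than by port number, the ordered 4-tuple that Follow TCP Stream uses to identify a stream, and the per-endpoint-pair counts behind Statistics -> Conversations. All addresses, ports and HTTP messages are constructed (RFC 5737 documentation ranges), and the IP/TCP/UDP checksums are left at zero, which a real trace would not have.

```python
import struct

# Constructed endpoints (RFC 5737 documentation ranges); none of this is real traffic.
CLIENT, WEB1, WEB2, DNS = "192.0.2.10", "203.0.113.80", "203.0.113.81", "192.0.2.53"

def frame(src_ip, dst_ip, proto, l4):
    # Ethernet II + 20-byte IPv4 header + layer-4 bytes; checksums left 0 (a demo, not a valid live packet)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4

def tcp(sport, dport, payload):  # minimal 20-byte TCP header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp(sport, dport, payload):  # 8-byte UDP header
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def write_pcap(frames):
    """Classic libpcap file: 24-byte global header, then (16-byte record header + frame) pairs."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, f in enumerate(frames):  # record header: ts sec, ts usec, captured length, original length
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)

def read_pcap(data):
    assert data[:4] == struct.pack("<I", 0xA1B2C3D4), "only little-endian microsecond pcap handled"
    off, frames = 24, []
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

def decode(f):
    """Dissect one frame into the fields Wireshark's summary columns show."""
    assert f[12:14] == b"\x08\x00", "IPv4 only in this demo"
    pkt = {"src": ".".join(map(str, f[26:30])), "dst": ".".join(map(str, f[30:34])),
           "proto": {6: "tcp", 17: "udp"}[f[23]], "len": len(f)}
    l4 = f[14 + (f[14] & 0x0F) * 4:]
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    pkt["payload"] = l4[(l4[12] >> 4) * 4:] if pkt["proto"] == "tcp" else l4[8:]
    return pkt

def capture_filter(pkt, rule):
    """Tiny BPF subset ('tcp', 'udp', 'host A', 'port N', joined by 'and'); a failing packet never enters the trace."""
    for words in (term.split() for term in rule.split(" and ")):
        if words in (["tcp"], ["udp"]):
            ok = pkt["proto"] == words[0]
        elif words[0] == "host":
            ok = words[1] in (pkt["src"], pkt["dst"])
        elif words[0] == "port":
            ok = int(words[1]) in (pkt["sport"], pkt["dport"])
        else:
            raise ValueError("unsupported capture-filter term: " + " ".join(words))
        if not ok:
            return False
    return True

def http_info(pkt):
    """Display filter 'http', decided by dissecting the payload (not the port): ('request', method, version),
    ('response', version, status code) or None."""
    words = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(words) >= 3 and words[2].startswith("HTTP/"):
        return ("request", words[0], words[2])
    if len(words) >= 2 and words[0].startswith("HTTP/") and words[1].isdigit():
        return ("response", words[0], int(words[1]))
    return None

def stream_key(pkt):
    """Follow TCP Stream identity [IP A, port A, IP B, port B], ordered so both directions share one key."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def conversations(pkts):
    """Statistics -> Conversations (IPv4 level): [packets, bytes] per endpoint pair."""
    stats = {}
    for p in pkts:
        entry = stats.setdefault(tuple(sorted([p["src"], p["dst"]])), [0, 0])
        entry[0] += 1
        entry[1] += p["len"]
    return stats

def build_trace():
    """Constructed sample: a UDP/53 packet standing in for a DNS query, then one HTTP exchange with each of two servers."""
    return write_pcap([
        frame(CLIENT, DNS, 17, udp(50000, 53, b"constructed DNS query")),
        frame(CLIENT, WEB1, 6, tcp(40001, 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")),
        frame(WEB1, CLIENT, 6, tcp(80, 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
        frame(CLIENT, WEB2, 6, tcp(40002, 80, b"GET /a.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n")),
        frame(WEB2, CLIENT, 6, tcp(80, 40002, b"HTTP/1.1 302 Found\r\nLocation: /b.png\r\n\r\n")),
    ])

def analyze(pcap, capture_rule="tcp and port 80"):
    """Capture filter first (what it drops is gone), then the 'http' display filter, then streams and conversations."""
    captured = [p for p in map(decode, read_pcap(pcap)) if capture_filter(p, capture_rule)]
    http = [(stream_key(p), http_info(p)) for p in captured if http_info(p)]
    return {"captured": len(captured), "http": http,
            "streams": sorted({k for k, _ in http}), "conversations": conversations(captured)}

if __name__ == "__main__":
    for name, value in analyze(build_trace()).items():
        print(name, value)
```

Run it with no arguments to see the four HTTP packets, the two streams and the two conversations that survive the default capture filter; change the rule to "udp" or "host 192.0.2.53" to watch the HTTP packets disappear from the trace entirely, which is exactly the difference between filtering at capture time and filtering at display time.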
Practice 1
Y:\Win32\WiresharkPortable
Select the right interface.
Visit www.polyu.edu.hk.
Practice 2
Analyze HTTP traffic (Question 3)
A) What's your HTTP request method?
B) What's your HTTP request version?
C) What's the status code in the response? What does it mean?
Practice 2 (cont'd)
Apply a display filter so that only HTTP packets are shown (Question 4)
A) How many HTTP requests have been sent to the Web server?
B) Write down each request (at least 3).
Practice 3
Try different capture filters (Question 5)
A) How can I capture only HTTP traffic?
B) How can I capture only the traffic from/to a specified host?
Practice 3 (cont'd)
Visit http://www.oneprobe.org and analyze HTTP traffic (Question 8)
A) What's the difference compared with the previous steps?
B) How many Web servers have you accessed?
C) Write down the exact IP addresses of the servers.
D) Explain what happened in this HTTP session.
Practice 4
Practice 5
Practice 6
Visit http://www.facebook.com and analyze HTTP traffic
Record the IP address of the Facebook server
Save the trace
Further reading
CDN (content delivery network)
http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/
Thanks