Refer to the following table for sample capture filters:
Filters    Description
host       Traffic sent to or received from the given host
As you get deeper into Wireshark, you will come to appreciate how important capture filters are. I would suggest practicing them once you are comfortable with the syntax.
Capture filters that use protocol header values
Capture filters can also be created on the basis of byte offsets into protocol header fields. The syntax of such a filter is proto[offset:size] == value. Here, proto is the protocol you want to filter (for example ip, icmp, tcp or udp), offset is the position of the field within that protocol's header, counted in bytes from 0, size is the length in bytes of the field you are testing, and value is the value you want to match. When size is 1 it can be omitted, so icmp[0] means the same as icmp[0:1].
Say, for instance, we want to capture only ICMP echo reply packets. If you look at the ICMP header, the Type field is the very first byte, and offset counting starts from 0, so the offset is 0 and the size of the field is 1 byte. An echo reply has Type 0, so we have all the information we need, and the resulting capture filter is icmp[0:1] == 0 (or simply icmp[0] == 0); to capture echo requests instead, you would match Type 8. Using the same technique, you can filter traffic on any other header value; for example, tcp[13] & 0x12 == 0x12 matches only SYN/ACK segments, because byte 13 of the TCP header holds the flag bits. Display filters, by contrast, do not discard any packets; the packets that do not match are merely hidden to make viewing convenient.
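To make the proto[offset:size] == value syntax concrete, here is an added example (not code from the book) that evaluates such filters against hand-constructed Ethernet/IPv4 frames: the ICMP echo reply filter from the text, the same test on an echo request, and a TCP flags filter with a mask. The frames, addresses and helper names are constructed for the demonstration and are not captured traffic.

```python
"""Evaluate tcpdump/BPF-style capture filters of the form proto[offset:size] == value
against raw packet bytes, to show which bytes the syntax in the text actually tests.
Added example, not from the book: the frames are constructed here, not captured."""
import struct

ETH_LEN = 14                       # untagged Ethernet II header
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def build_frame(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal Ethernet + IPv4 frame (no options, checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, src, dst)
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return eth + ip + payload


def icmp_header(icmp_type, code=0):
    """ICMP header: type is byte 0, code is byte 1, then checksum, id, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)


def tcp_header(flags, sport=40000, dport=80):
    """TCP header: byte 12 holds the data offset, byte 13 holds the flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def header_offset(frame, proto):
    """Where proto's header starts in the frame, or None if the frame is not proto.
    As in BPF, offsets for icmp/tcp/udp are relative to the start of that header
    (the constructed frames are all IPv4, so the EtherType is not re-checked here)."""
    if proto == "ip":
        return ETH_LEN
    if frame[ETH_LEN + 9] != PROTO_NUM[proto]:   # IPv4 protocol field is byte 9
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4            # IPv4 header length in bytes
    return ETH_LEN + ihl


def match(frame, proto, offset, size, value, mask=None):
    """True when proto[offset:size] (optionally & mask) == value for this frame."""
    base = header_offset(frame, proto)
    if base is None:
        return False
    field = int.from_bytes(frame[base + offset:base + offset + size], "big")
    if mask is not None:
        field &= mask
    return field == value


# Constructed sample frames (not captured traffic).
ECHO_REQUEST = build_frame(1, icmp_header(8))
ECHO_REPLY = build_frame(1, icmp_header(0))
SYN = build_frame(6, tcp_header(0x02))
SYN_ACK = build_frame(6, tcp_header(0x12))


def demo():
    """The filter from the text and two common variations, evaluated per frame."""
    return {
        "icmp[0:1] == 0 on echo reply": match(ECHO_REPLY, "icmp", 0, 1, 0),
        "icmp[0:1] == 0 on echo request": match(ECHO_REQUEST, "icmp", 0, 1, 0),
        "tcp[13] & 0x12 == 0x12 on SYN": match(SYN, "tcp", 13, 1, 0x12, mask=0x12),
        "tcp[13] & 0x12 == 0x12 on SYN/ACK": match(SYN_ACK, "tcp", 13, 1, 0x12, mask=0x12),
        "ip[9:1] == 6 on an ICMP frame": match(ECHO_REPLY, "ip", 9, 1, 6),
    }
```

The point of the offset check is that a capture filter such as icmp[0] never looks at the Ethernet or IP bytes: the offset is measured from the start of the named protocol's header, which is why header_offset first confirms the frame actually carries that protocol.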
Discarding packets with a capture filter should be done with care because, once the packets are dropped, they cannot be recovered. When you apply a display filter, only those packets that meet the specification of your filter are displayed. In the second column of the status bar of the Wireshark window, you will see the number of packets displayed after you apply a filter. A display filter is applied to a capture file from the Filter dialog box located above the Packet List pane.
Display filters are more popular than capture filters, and their syntax is easy to pick up and apply. For new users, a display filter is like a superpower: it lets you hide, at run time, the packets that are irrelevant to the scenario you are analyzing.
Display filters can be created on the basis of several different constraints such as the IP address, protocols, port numbers, and header values in specific protocols.
There are lots of comparison operators and logical operators that can be used to build complex expressions. You can combine different expressions to narrow the view down to the specific set of packets you are looking for. Every packet shown in the Packet List pane can be filtered on any of the fields it contains.
Display filters do not delete data; packets are only hidden, and they become visible again once the filter in the Filter dialog above the list pane is cleared. If you want to see all packets again, just click on the Clear button and everything will be back to normal.
Wireshark has a very handy feature that assists you while creating a filter. Just click on the Expression button at the end of the Filter dialog box, choose the protocol you want to filter, and specify the value if there is one.
Using the filter expression dialog is really easy, and if you are a beginner, it is a boon. The filter expression: 1. As shown in the preceding screenshot, click on the Expression button. You will be presented with the Expression window shown in the following screenshot. For example, if you want to see only packets associated with a particular IP address, expand the IP section and choose the relevant ip field.
Then, from the Relation box next to it, choose the operator you wish to use in your expression, and finally click on OK. Below the Value box there is a Predefined Value box, which is used when a protocol restricts a field to a specific set of values; you can choose a value from there. Below the Predefined Value box there is a Range box that allows you to enter a range of values, if the field allows it.
This is one of the easiest ways to create a display filter; there is one more way in which such filters can be created. Entering filters manually can drastically increase the speed of your work, but it requires a bit more skill than a novice user has. Before we start digging into creating filters manually, I want you to know about a few more things, namely comparison and logical operators. These can be used to create everything from simple filters to the most complex ones Wireshark can take.
The following table lists the comparison operators used to create display filters:
Operator        Description
== or eq        Equal to
!= or ne        Not equal to
> or gt         Greater than
< or lt         Less than
>= or ge        Greater than or equal to
<= or le        Less than or equal to
contains        The field contains the given value (a substring or byte sequence)
matches         The field matches the given Perl-compatible regular expression
The following table lists the logical operators:
Operator        Description
and or &&       Both parts of the expression must be true
or or ||        Either part of the expression may be true
xor or ^^       Exactly one of the two parts is true
not or !        Negates the expression
The AND logical operator is used when we want both parts of the expression to be true. For example, ip.addr == 10.0.0.5 and tcp.port == 80 (illustrative values) shows only the packets that match both expressions. The NOT operator reverses a match; for example, !arp hides every ARP packet.
Retaining filters for later use
Sometimes you will want access to previously created filters to make your work easier and faster.
Wireshark lets you retain your display filters under saved names and reuse them whenever required, which saves the time and effort of retyping complex expressions. To create one for yourself, follow these steps:
1. Go to Analyze > Display Filters; this opens a window like the one shown in the following screenshot: Adding Display Filters.
2. Click on New and enter values in the Filter name and Filter string fields. For instance, to create a display filter that hides ARP packets, use the name NO ARP and the filter string !arp; the result looks something like the following screenshot: Creating a new filter.
3. Click on Apply. In the list of filters you will now see NO ARP, which can be used later. Make sure that the Filter string box has a green background, which denotes that your expression is correct; if it is red, you need to recheck it, and if it is yellow, the results may be unexpected.
4. Click on Apply and then on OK.
If you need assistance creating a filter, simply click on the Expression button next to the Filter string box, where all the protocols and the most commonly used filter expressions can be found. The Delete button removes an existing filter from the list. The Cancel button discards any unsaved changes and closes the window. The OK button saves the changes and closes the window.
Try the same yourself and create a display filter you are likely to reuse.
Searching for packets using the Find dialog
If you want to find a packet matching a particular criterion, you can use the Find dialog. It offers a few search techniques that can be applied easily and effectively on an already captured file or on a live capture:
Display filter: Enter a display filter expression; the search jumps to the next packet that matches it.
Hex value: If you know a byte sequence that the packet you are looking for contains, select this option and write the bytes as colon-separated hex; a MAC address is the typical case.
String: This lets you search in a specific pane. For instance, if you are looking for a packet whose bytes contain the text Google, choose the String option, then in the Search In box choose Packet Bytes; the ASCII text in the packet bytes pane will be matched.
String Options: Select the String option and then, if required, Case-Sensitive; you can also choose the character width, but I would suggest not changing this unless you have a specific reason to do so. The last option changes the direction of the search, upward or downward. Once you have set the options, enter the text and click on Find.
This jumps to the first packet that matches your criterion.
Colorize traffic
For a more convenient viewing experience, Wireshark lets you colorize the kind of traffic you want to highlight.
Colorization is done to distinguish between different sets of traffic. Coloring a specific set of traffic with a rule of its own, distinct from the default ones, turns finding a needle in a haystack into an easy job. Default coloring rules already exist for most protocols, which is why the traffic in the packet list pane is already shown in different colors.
You can access them by navigating to View > Coloring Rules or by clicking on the Edit Coloring Rules button on the main toolbar, which opens the window shown in the following screenshot: Coloring rules. All rules currently saved as part of your configuration to colorize traffic with certain foreground and background colors are listed in this dialog.
Every packet listed in the packet list pane matches some rule, which gives it a distinguishable look. Now, suppose one of the clients in my network is attempting directory listing and receives HTTP error messages. These errors show up in my packet list pane, but they are colored using the same http coloring rule as every other HTTP packet, which makes them easy to miss.
To make them stand out, I want to colorize the HTTP error messages with a black background and a cyan foreground. I have configured a Linux box as the client and a web server as the target, and captured some normal traffic to the web server. Now that everything is up and running, we will try some directory listing manually from the Linux box, which will eventually produce HTTP error messages.
The traffic generated through this request is captured, as can be seen in the following screenshot. We found the errors easily here because there is just one client requesting a single resource.
Consider a production environment where thousands of clients are present and some of them might do the same. In such cases, coloring a specific set of packets with a rule of its own is a game changer. Navigate to View > Coloring Rules and click on New, type a filter that matches the error responses (for example http.response.code >= 400) as the rule's string, and pick the colors. Once you click on Apply, you will see that only the HTTP error packets are colored according to your new rule.
After applying the new coloring rule. Try the same in a virtual environment to give yourself more insight into the topic. Coloring rules listed in the Edit Coloring Rules dialog are checked from top to bottom, and the first matching rule wins. Every packet carries the name of the coloring rule that matched it, which can be seen in the Packet Details pane under the Frame section. Consider the following screenshot illustrating the same:
Profiles
A profile is a set of components, such as capture filters, display filters, time preferences, column preferences, protocol preferences, coloring rules and so on, that fit together for a case-specific scenario and can be switched to instantly.
Profiles are stored as configuration directories; to move one to another machine, just copy its directory into the profiles directory there. To create a profile, follow these steps:
1. Right-click on the Profile column in the status bar.
2. Click on New... in the pop-up dialog.
3. Choose any profile you wish to use as a template and type the name of the new profile.
4. Click on OK. The status bar now shows that the new profile has been activated. Changes made in one profile do not alter the contents of any other saved profile.
This way we can create different profiles for different scenarios, which saves time and makes the task easy.
Summary
The Find utility can be very useful and is accessed from the Edit menu in Wireshark; it gives us several ways to search packet content. Filtering traffic lets you see only the packets you are interested in. There are two types of filters: display filters hide packets, and once the expression is cleared, all packets can be seen again.
Capture filters, however, discard the packets that do not meet the expression; discarded packets are never passed on by the capture engine, so they are not saved. Capture filters use the BPF syntax, which is an industry standard used by several other tools, such as tcpdump. Coloring rules are really useful for highlighting a set of traffic that matches a specific expression; distinguishing those packets becomes easy, as the matched packets are shown with a different coloring scheme.
Profiles are like scenario-specific workspaces that save time and workload. Exporting profiles and various settings from Wireshark is very simple, which makes the software more portable.
Exercise: use the Find utility to search using hex values. Then, change the coloring scheme of all DNS response packets to the color of your choice.
Chapter 3. Mastering the Advanced Features of Wireshark
In this chapter, we will look under the hood of the Statistics menu in Wireshark and work with the command-line utilities that come pre-packaged with it. We can collect basic as well as advanced and specific information about the protocols involved in the communication. We will discuss the most useful tools available in this menu, which can give us better insight when dealing with complex day-to-day situations.
The Statistics menu
Statistics in Wireshark are not presented just as recorded figures; there are graphical features too, which present the figures as graphs.
Using these, the analysis process becomes easier and much more efficient. Multiple types of graphs are available, which we can use to collect valuable information. In this chapter, we will also see a couple of inbuilt tools that are command-line based.
Using the Statistics menu
A wide range of tools related to network stats is available in this menu, which helps users gain information ranging from general details to specific protocol-related details. The general details of the packets captured, the filters applied, marked packets, and various other stats can be checked in the Statistics menu. Though this option is just for informational purposes, at times it can be pretty useful.
To access the summary stats, click on Statistics > Summary; you will see a window as shown in the upcoming screenshot. The Summary dialog is partitioned into the following sections:
File: General information, such as the name of the file, its location, the format used, and the encapsulation.
Time: The time when the first and the last packets were captured and the elapsed time (total capture duration).
Capture: The name and version of the OS and the interface used to dump packets from the live network.
Comments: Any comments the user entered for reference.
Interface(s): The details of every interface on which traffic was captured.
Display: Summary dialog. Just below the Display section you will see a few columns listing various details in tabular form, grouped by category, such as average packet size, total number of packets captured, time elapsed between the first and last packet, and so on.
Without display filter (screenshot 1). Now apply a display filter and open the Summary dialog again. Take a look at the following screenshot and compare the two in order to understand the difference a display filter makes in the packet summary.
With display filter (screenshot 2). After applying the filter, the variance among the values listed in the stats can be observed.
Protocol Hierarchy
The Protocol Hierarchy window gives an overview of the distribution of protocols used in the communication, which helps to spot unusual activity in your network that deviates from the expected baseline. By distribution of protocols, I mean what percentage of the traffic a certain protocol accounts for, together with statistics such as how many bytes and packets were sent and received for every protocol, all collected easily.
Any unusual activity can be spotted by comparing the current traffic with a baseline created earlier from known-good traffic. Protocol Hierarchy window. If you want to check the protocol distribution for a specific host, then before you open the Protocol Hierarchy window apply a display filter on that host's address, such as ip.addr == 10.0.0.5 (an illustrative address).
The same filter will be visible at the top of the Hierarchy window, just below the title bar. This makes it easy to figure out what kind of traffic is actually generated by a certain host, so that any malicious traffic from that host can be spotted. Refer to the following screenshot: Protocol Hierarchy window after applying display filter. Using the Protocol Hierarchy window, you can create filters too.
Just right-click on the protocol you wish to use and then specify the expression, as shown in the following screenshot. There will be situations when a certain host in your network has been breached and you observe unusual traffic associated with it; in such situations, the Protocol Hierarchy window will prove its worth.
Conversations
When two devices are connected to each other on the network, they are supposed to communicate; this is normal behavior.
However, suppose you have thousands of devices on your network and you want to figure out which device is generating the most traffic; in that instance, the Conversations window is quite useful.
To access this tool, click on Statistics > Conversations. At the top you will see various protocols in separate tabs, and next to each active protocol tab a number that denotes the number of unique conversations for that protocol. Conversations window. For example, if you are looking for the devices that generated the most packets and between which the most data was transferred, open the Conversations dialog, go to the IPv4 tab, and sort the Packets column in descending order.
Here, the pair listed in the first row is your answer. Take a look at the following screenshot, which illustrates the same. If you wish to create a filter for that conversation, right-click on the first row and choose Apply as Filter and the relation you have in mind; the respective filter will be inserted into the display filter dialog, as shown in the following screenshot. The Conversations dialog lets us collect and analyze details in a more granular form, which can be used in various scenarios while troubleshooting and auditing network infrastructure.
Endpoints
In Wireshark, each of the two devices sharing data with each other is referred to as an endpoint. As we have seen, if a host intends to talk to another host on the network, it requires some form of address to send and receive packets: the physical address that every device holds. Every host communicates with the help of a Network Interface Card (NIC) that holds a physical address, often termed a MAC address, and the same address is used for communication over a local network.
Devices that communicate in this kind of infrastructure are termed endpoints, and Wireshark lets us analyze and collect information about each of them. Suppose the traffic pattern on the network has changed and we want to figure out which device(s) are responsible. The Endpoints dialog comes to the rescue; it can be accessed from Statistics > Endpoints and looks something like the following screenshot.
You will see a list of tabs at the top, each for a different protocol. Some are shown as active and some as inactive: if your traffic contains a packet of a certain protocol, the tab for that protocol is active; otherwise it is inactive.
Along with the protocol name, you will see a number that states the number of endpoints captured for that protocol. In our case we see 3, and the same number of rows is visible in the main pane.
In the main pane, many more specific details can be seen for every endpoint, such as the total number of packets transferred, the total number of bytes transferred, and the bytes and packets received and transmitted by each individual endpoint. Endpoints window. Now, if you want to analyze other protocols, simply click on any tab of your choice.
I clicked on the IPv4 tab and sorted the main pane by the Packets column, which looks like the following screenshot. By just looking at the Endpoints dialog, I can now easily see that the most data was transferred from the IP address at the top of the list. This could be a single IP talking to some server, or a server talking to multiple machines on our network at a moderate rate. Endpoints dialog, IPv4 tab. If you would like to dig deeper, there is an interesting option that can be taken advantage of: simply create a display filter for that endpoint.
To do so, right-click on the row with the most packets transferred and choose Selected under Apply as Filter, as shown in the following screenshot. You will then see a display filter for that endpoint in the display filter dialog above the list pane, like the one shown here. This lets you quickly analyze the traffic of a single endpoint and speeds up the analysis.
Once you click on Clear, the filter is removed and the Endpoints dialog shows the full set of endpoints again.
At the bottom of the window you will see two check boxes and a few buttons. Their purpose is as follows:
Name Resolution: Resolves a name for each of the Ethernet addresses listed in the Ethernet tab (and for IP addresses in the IPv4 tab). In some scenarios it can adversely affect performance, for example when trying to resolve the unique IP addresses in a huge pcap file.
Limit to display filter: Limits the results of the Endpoints window to the display filter that you applied before opening it.
Copy: Copies the content of the current Endpoints tab in CSV (comma-separated values) format.
Working with IO, Flow, and TCP stream graphs
Among its other reporting tools, Wireshark offers graphing capabilities too, which present the captured packets in a form that makes analysis much more effective and easy to adopt. Graphing is far more efficient than scrolling through thousands of packets to figure out the cause of a network-related problem.
If you have an overwhelming number of packets to analyze, graphs can be seriously productive. There are multiple types of graphs available, which we will discuss starting with the IO graph.
IO graphs
This is one of the basic graphs, created from the packets in the capture file.
IO graphs. This way you can see the highs and lows in your traffic, which can be used to pinpoint problems or even for monitoring purposes. In the preceding graph, the x axis represents the time in seconds and the y axis the number of packets per tick. The tick interval and the scale of both axes can be altered if needed. From the preceding graph we can easily see that between the sixtieth and eightieth second of the capture the network was most active, generating the largest number of packets per second in the whole capture.
Now you will realize how easy it was to gather that specific information from thousands of packets in mere seconds; this is what graphing makes you capable of. Just below the plotted area you can see the Graph section, which lists various controls, such as the Graph buttons, several filter boxes, the line style, and various other details.
The preceding graph displays the general form of our network traffic. Now, suppose I want to see the frequency of the UDP traffic separately in the same graph, plotted with a red line. For that, follow these steps: write udp as the filter in the second filter box from the top; click on the Graph 1 button to deactivate it; click on the Graph 2 button to activate it. You will then see the window shown in the following screenshot. It is clearly visible from the graph that most of the UDP traffic was generated between the seventieth and eightieth second of the capture, and that the bulk of the UDP packets arrived in that window.
IO Graphs, TCP and UDP together. Comparing two things gives us a new angle on familiar things, and generally speaking, learning goes better once we start comparing.
Flow graphs
This is one of the nicest features in Wireshark, assisting with troubleshooting in scenarios such as many dropped connections, lost frames, retransmissions, and more.
Flow graphs let us create a column-based graph summarizing the flow of traffic between two endpoints, and they even let us export the result in a simple text-based format. This is the easiest way of verifying the connection between client and server. For instance, I have a web server and a client that requests a certain resource from it. There will be hundreds of packets generated, but we will look only at HTTP packets, just to keep the result confined and understandable.
Apply the http display filter, open Statistics > Flow Graph, and click on OK. Refer to the following screenshot, which illustrates the same: Flow graph. From the Graph Analysis window we can see at what time a certain request was made and what response was received, which TCP port was used, along with some plain-English comments, and the direction of the traffic is marked as well. This makes it simple to understand how the TCP packets flow.
TCP stream graphs
There are a couple of graphs in this section.
Each of them depicts the network traffic graphically in a different way.
Round-trip time graphs
Round-trip time (RTT) is the time between sending a TCP segment and receiving the ACK for it: for every segment a host sends in a TCP conversation, an ACK is received that confirms successful delivery, and the total time from the transfer of the segment to the arrival of its ACK is the round-trip time.
Follow these steps to create one: select any TCP packet in your packet list pane, then go to Statistics > TCP Stream Graph > Round Trip Time Graph. Each plotted point on the graph represents the RTT of one segment. If you do not see anything in your graph, you probably selected a packet in the opposite direction, since the graph is drawn for the direction of the selected packet. RTT graphs are often used by network admins to identify congestion or latency that makes a network perform slowly.
To investigate further, click on any plotted RTT dot in the graph and Wireshark will jump to that packet in the list pane. The following RTT graph represents normal web traffic; at some points, latency can be observed: Round Trip Time Graph. Bottlenecks and latency can often be identified by a vertical column of plotted RTT dots, which shows either that the sending device queued packets and then sent them all at once, or that the packets suffered duplicate ACKs or packet loss with retransmission required, which increases the RTT.
Throughput graphs
This graph is similar to the IO graph in that it depicts the traffic flow, but it differs in one important aspect: a throughput graph depicts unidirectional traffic, whereas the IO graph depicts traffic in both directions. The throughput graph depends on the TCP packet you select in the list pane; if you see a blank graph, select a TCP packet in the other direction and create the graph again.
To create it: open the trace file that contains your packets, apply a display filter if required, select any TCP packet from the list pane, and go to Statistics > TCP Stream Graph > Throughput Graph. In the title bar, the IP addresses of the communicating hosts are shown along with the direction of traffic. Refer to the following graph. The traffic presented is unidirectional, moving in one direction only.
Time-sequence graph (tcptrace)
To create this graph, click on any TCP packet from the list pane, then go to Statistics > TCP Stream Graph > Time-Sequence Graph (tcptrace). You should now see something like the following: Time Sequence graph tcptrace. The x axis of the graph represents the time in seconds and the y axis represents the TCP sequence number.
TCP sequence numbers are incremented by the number of bytes of data sent with every packet; that is, if the sequence number is 1 and the packet we are sending holds 10 bytes of data, the sequence number will be incremented by 10, so the next packet to be sent will have sequence number 11. There are actually three lines plotted on every graph.
The line made of many I marks is the TCP data segment stream: the taller the I, the more data in that packet. The line below the TCP segments is the ACK stream for the data sent, and the line at the top represents the receiver's advertised window. The vertical distance between the receive-window line and the TCP segment line is the space left in the window: the closer the lines, the less data can still be buffered, and vice versa.
Consider the following zoomed-in screenshot for a clearer view. A point to note here is that the dark grey lines denote the ACKs received.
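The RTT measurement described above and the sequence-number arithmetic behind the tcptrace graph, as an added example that is not part of the book: it takes constructed (invented) segment and ACK records from the sender's side, computes what the Round Trip Time graph plots for each segment, marks retransmissions, and computes the window headroom that the tcptrace graph shows as the gap to the top line.

```python
"""Round-trip time per TCP segment and the sequence-number bookkeeping behind the
tcptrace graph, computed from constructed segment and ACK records.
Added example, not code from the book; the timings and sequence numbers are invented."""


def next_seq(seq, payload_len, syn=False, fin=False):
    """Sequence number the sender will use next: it advances by the payload bytes
    carried, and a SYN or FIN flag consumes one sequence number as well."""
    return seq + payload_len + int(syn) + int(fin)


def rtt_per_segment(segments, acks):
    """segments: (send_time, seq, payload_len) in send order; acks: (recv_time, ack)
    in arrival order, both from the sender's point of view.
    A segment's RTT is the delay until the first ACK whose number covers the end of
    that segment. ACKs are cumulative, so one ACK can complete several segments.
    A segment whose seq was already sent is a retransmission. The original copy of a
    lost segment keeps waiting for the later ACK, which is the long RTT the text
    describes; the retransmitted copy measures its own, shorter RTT."""
    seen = set()
    results = []
    for t_send, seq, length in segments:
        retransmitted = seq in seen
        seen.add(seq)
        needed = seq + length
        rtt = None
        for t_ack, ack in acks:
            if t_ack >= t_send and ack >= needed:
                rtt = round(t_ack - t_send, 3)
                break
        results.append((seq, rtt, retransmitted))
    return results


def window_headroom(last_ack, receive_window, sender_next_seq):
    """Gap between the receive-window line and the data line in the tcptrace graph:
    the bytes the sender may still put on the wire before it must stop and wait."""
    return (last_ack + receive_window) - sender_next_seq


# Constructed trace: 10-byte segments starting at relative seq 1, the third one lost
# and retransmitted a quarter of a second later, then acknowledged.
SEGMENTS = [(0.000, 1, 10), (0.001, 11, 10), (0.002, 21, 10), (0.250, 21, 10)]
ACKS = [(0.050, 11), (0.051, 21), (0.300, 31)]


def demo():
    """RTT per segment, the slowest point the graph would show, and the next seq."""
    rtts = rtt_per_segment(SEGMENTS, ACKS)
    slowest = max(rtts, key=lambda r: r[1] if r[1] is not None else -1)
    last_ack = ACKS[-1][1]
    return {
        "rtts": rtts,
        "slowest": slowest,
        "next_seq_after_first": next_seq(1, 10),
        "headroom": window_headroom(last_ack, 65535, next_seq(21, 10)),
    }
```

Clicking the tallest dot in a real RTT graph takes you to the equivalent of the third record here: the first copy of segment 21, whose ACK only arrived after the retransmission.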
Follow TCP streams
Wireshark can reassemble a stream of plain-text protocol packets into an easy-to-read form. The requests and responses shown in the Follow TCP Stream dialog are color coded: text in red is what the client sent, and text in blue is the response received from the server. If the protocol is HTTP, you can view almost everything in plain text; if it is HTTPS, most of it will be encrypted and will appear as unreadable text on the screen (there is a way to decrypt HTTPS traffic too, which we will discuss in an upcoming chapter).
The Follow TCP stream option can be of great help while troubleshooting any HTTP session, which is the same with most of the application layer protocols. At the bottom of the dialog, you have a drop-down menu from where you can choose to view either side of communication or you can choose the entire communication, consisting of requests and responses that are shared between the client and the server at the same time.
Similarly, to print, you can click on Print. And if you want to view everything except the Follow TCP stream packets that you are viewing currently, then click on Filter out this stream.
To close the dialog, click on Close. To view the TCP stream, follow these steps: apply a display filter if required, select any packet from the list pane, then right-click on the selected packet and click on Follow TCP stream. Following the preceding steps gives a simple view of the data. Now, figuring out who initiated the connection will be quite easy.
Expert Infos
The information in the Expert Infos dialog is populated by the dissectors that enable the translation of every protocol that is well known to Wireshark. The Expert Infos dialog keeps you aware of the specific states that users should know about.
Presently, Expert Infos is available only for TCP-based communication.
Maybe the Expert Info dialog will be available for other protocols by the time you read this. You can access the Expert Info dialog by clicking on Expert Info under Analyze, or you can click on the colored dot in the bottom-left corner, just before the status bar. Refer to the following screenshot, which illustrates the same. The dot at the bottom-left corner can take different colors, such as red, yellow, cyan, blue, green, and grey, where each of them has a specific meaning, listed as follows:
Red: This refers to errors
Yellow: This refers to warnings
Cyan: This refers to a note
Blue: This refers to chats
Green: This refers to comments
Grey: No expert info entries
Refer to the following screenshot for illustration purposes: Expert Infos dialog. As you can observe, there are multiple tabs listed just below the title bar, which contain the packets listed depending on their severity level and category of information.
There are mainly four sections in the Expert Infos dialog that point to the likely cause of a problem, so double-checking them will be helpful. Each tab contains the name of the section and two numbers: the number inside the parentheses denotes the total number of packets that have been flagged for the containing category, and the number outside denotes the total number of unique categories for the flagged packets.
We will go through each section one by one, and we will also summarize the criteria by which packets are flagged and listed under the different categories, such as chat, note, warnings, details, and so on.
Chat: These are general messages concerning the current communication. A packet that falls under this section is listed as follows:
Window Update: This makes the sender aware that the TCP receive window size has been updated.
Note: These are unusual messages that may or may not be part of the current normal communication. Packets that fall under this section are listed as follows:
Zero Window Probe: Suppose that the server receiving the packets from the client is not able to process them at the same speed that the client is sending them, thus causing packet loss. In such cases, the server will send a Zero Window packet to the client to halt the sending process for some time while keeping the connection alive.
Zero Window Probe ACK: This relates to the Zero Window Probe example.
Window Full: This notifies the sending host that the TCP receive window is currently full.
TCP Retransmission: The TCP packet is retransmitted because of a duplicate ACK, packet loss, or an expired retransmission timer.
Duplicate ACK: If you think about the TCP three-way handshake, for every packet received at the other end, the sender should get an ACK packet. If the receiver gets a packet with a sequence number that has already been received, then duplicate ACKs will be generated. This will happen in case of packet loss as well.
Warning: These are unusual messages that are probably not a part of your general communication. Packets that fall under this section are listed as follows:
Zero Window: These messages are observed when the receiving side tries to notify the sender to stop sending for a while because the TCP receive window is full.
Keep Alive: These messages are observed when any Keep Alive messages have been captured in the communication.
ACKed Lost Packet: These messages are observed when an ACK for some lost packet is received.
Previous Segment Lost: These messages are observed when an unexpected packet is received out of sequence.
Out of Order: These messages are observed when packets are received in some random sequence, thus signifying no sequence.
Fast Retransmission: These messages pop up when duplicate ACKs have been transmitted again within a short time of 20 milliseconds.
Error: These are general error messages in the packets, or errors thrown by the dissector of the specific protocol translating them. There is no specific category in error messages. Collectively, all Expert Info entries can be viewed in the Details tab. However, it is advisable to look into each tab individually on the basis of its severity level.
Pointing out the problems can sometimes be easy because the entries in the Details tab are lined up in the sequence in which they were captured.
Viewing anomalies through the Details tab can, however, be time consuming and disadvantageous.
Packet Comments: This refers to any annotations given regarding the trace file that can be used to share any interpretations further.
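To make the Chat, Note and Warning criteria above concrete, here is an added example (not Wireshark's own code, and deliberately simplified) that runs toy versions of the Zero Window, Window Update, Duplicate ACK, Retransmission and Window Full heuristics over a constructed TCP exchange, and also shows the sequence-number arithmetic from the TCP stream graph discussion. Segment fields, the client/server labels and the sample exchange are all assumptions constructed for the example.

```python
"""Toy Expert Info heuristics over a constructed TCP exchange (added example;
simplified, not Wireshark's logic)."""
from dataclasses import dataclass

@dataclass
class Segment:
    src: str                        # "client" or "server"
    seq: int                        # relative sequence number of first payload byte
    ack: int                        # relative acknowledgement number
    length: int                     # payload bytes carried
    window: int                     # receive window advertised by the sender
    flags: frozenset = frozenset()  # e.g. {"SYN", "ACK"}

def next_seq(seg):
    """Sequence number the sender uses next: seq advances by the payload size,
    plus one for SYN or FIN, which each consume a sequence number."""
    return seg.seq + seg.length + int(bool(seg.flags & {"SYN", "FIN"}))

def analyse(segments):
    """Return (frame index, label) findings in capture order."""
    findings = []
    last_ack = {}    # side -> (ack, window) carried by its previous segment
    data_seqs = {}   # side -> sequence numbers it has already used for data
    for i, s in enumerate(segments):
        peer = "server" if s.src == "client" else "client"
        # Zero Window: the receiver advertises no buffer space at all
        if s.window == 0 and "RST" not in s.flags:
            findings.append((i, "Zero Window"))
        prev = last_ack.get(s.src)
        if prev and s.length == 0 and not (s.flags & {"SYN", "FIN", "RST"}):
            if prev == (s.ack, s.window):      # same ack, same window, no data
                findings.append((i, "Duplicate ACK"))
            elif prev[0] == s.ack:             # same ack, only the window changed
                findings.append((i, "Window Update"))
        last_ack[s.src] = (s.ack, s.window)
        if s.length > 0:
            used = data_seqs.setdefault(s.src, set())
            if s.seq in used:                  # data for a sequence number sent before
                findings.append((i, "Retransmission"))
            used.add(s.seq)
            if peer in last_ack:               # does this segment fill the peer's window?
                peer_ack, peer_win = last_ack[peer]
                if peer_win > 0 and next_seq(s) - peer_ack >= peer_win:
                    findings.append((i, "Window Full"))
    return findings

def _seg(src, seq, ack, length, window, *flags):
    return Segment(src, seq, ack, length, window, frozenset(flags))

# Constructed exchange with relative sequence numbers, as Wireshark displays them.
SAMPLE = [
    _seg("client", 0, 0, 0, 65535, "SYN"),
    _seg("server", 0, 1, 0, 2000, "SYN", "ACK"),
    _seg("client", 1, 1, 0, 65535, "ACK"),
    _seg("client", 1, 1, 1000, 65535, "ACK"),       # 1000 bytes: seq 1 -> next seq 1001
    _seg("server", 1, 1001, 0, 1000, "ACK"),        # server shrinks its window to 1000
    _seg("client", 1001, 1, 1000, 65535, "ACK"),    # frame 5: fills the 1000-byte window
    _seg("server", 1, 2001, 0, 0, "ACK"),           # frame 6: Zero Window
    _seg("server", 1, 2001, 0, 4000, "ACK"),        # frame 7: Window Update
    _seg("client", 2001, 1, 500, 65535, "ACK"),
    _seg("client", 2501, 1, 500, 65535, "ACK"),
    _seg("server", 1, 2501, 0, 4000, "ACK"),
    _seg("server", 1, 2501, 0, 4000, "ACK"),        # frame 11: Duplicate ACK
    _seg("client", 2501, 1, 500, 65535, "ACK"),     # frame 12: Retransmission
]
```

Running analyse(SAMPLE) lists the five flagged frames in capture order, the same way the Details tab lines them up.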
Adding comments to the trace file can be really useful when documenting for future reference. To add a comment to any packet of your choice, just right-click on the selected packet and click on Packet Comment. Adding a comment also affects how that packet is shown in the details pane: generally, an extra field highlighted with a green background color is added to the details pane.
Create filter using Expert Infos dialog
Unique categories presented in every section can be expanded to get more information about a specific packet. When you expand a category and click on a packet listed in the Expert Infos dialog, Wireshark points you to the corresponding packet in the list pane, which can then be investigated further.
Creating a display filter for every category is also possible; just right-click on the selected category and choose the type of filter you want to create. The main motive of the Expert Infos dialog is to find the anomalies present in a trace file. Finding the network problems in a trace file becomes a lot easier and faster for a novice user.
Viewing the Expert Infos dialog can give a better idea about the unusual behavior of network packets. The best way to dig out useful information is to look into the tabs separately instead of looking into the Details tab because, as we discussed, that can be time consuming and can lead to various misunderstandings.
Maybe manual analysis will be required as well. The protocol field shown in the details pane of the selected packet is colored as per the severity level in the Expert Infos dialog; take a look at the following screenshot for further reference: Colorization rules in protocol field. We can easily identify from the preceding screenshot that, for this particular packet, there is an entry in the Error and Chat sections (red denotes Error and blue denotes Chat).
It is also possible that a single packet is listed in two sections of the Expert Infos dialog.
Command Line-fu
With the default installation of Wireshark, there are a couple of command-line tools that get installed.
The most common and widely used command-line tool for protocol analysis purposes is Tshark, which is capable of capturing data by listening on a live wire, and it can even analyze your already saved trace files. The captured packets are translated into an understandable form and printed to standard output, or you can save them to a file of your choice. Tshark uses the same dissectors as Wireshark, and it uses the pcap library to capture and translate the packets from the live wire or from already saved files.
There are multiple customizable options present in Tshark that can be leveraged to use it in a more advanced fashion. Wireshark's CLI version is almost identical to Tshark in terms of the syntax and the various options that both of them support. Using our custom infrastructure, we will generate some network packets and try to use Tshark for capturing and analysis purposes. When working on a Windows PC, you might have to create the environment variable before you can start using Tshark.
The following screenshot shows the Tshark help options displayed by tshark -h within the CLI: Tshark help. We will start with the basics and eventually move toward the creation of filters, and then we will collect statistics using the CLI-based tool Tshark. The first thing we should know is how many interfaces we have available to capture packets.
Use the following command to check: tshark -D. Interfaces available: If you do not specify any interface for capturing, tshark will choose the first available interface on its own. Interfaces can be chosen by their names and also by the sequence number in which they appear. Refer to the preceding screenshot, which shows all the interfaces that are available. I have a custom interface pktap0 that will listen to the connection between my client and the server.
So, the command to initiate the capture process will be tshark -i pktap0 or tshark -i 5. As soon as the preceding command has been issued, a couple of packets are captured by tshark on the pktap0 interface, and a summary of the translated packets can be seen for better understandability. To save the raw data packets to a file, we need to add the -w switch to the command along with the name of the file: A total of 11 packets have been captured, and a text file is being created on the desktop with the name http.
As you can see, 11 packets are captured and redirected to the text file http2. Hopefully, by now you have clearly understood the difference between the two ways of saving packets: raw data packets and translated packets.
Both of the techniques can be used in multiple scenarios. The next big thing you will learn is the different filters available in Tshark: Capture, Read, and Display. We know about Capture and Display filters already, but here we have one more category, that is, the Read filter. The Read filter is closely similar to the Capture filter, as both of them can filter packets from the live network.
However, the Read filter is also capable of filtering packets out of a saved file. Using the Read filter can be processor intensive, and things like packet loss can happen, so think twice before using it.
For the capture filter, the -f switch is used; -R is used for the Read filter; and -Y is used for the display filter. Now, I am going to capture only FTP packets using the following syntax: While applying a filter, there is a restriction that the filter expression must be specified as a single argument if it has spaces in between.
Then, we need to write the expression within double quotes. Refer to the preceding screenshot, which illustrates the same. Now I want to filter all packets originating from the web server. First, I captured the communication between the client and the server and saved the traffic in the file HTTP. Once I have enough packets to work with, I apply the display filter, as shown in the following screenshot: Tshark display filter. Suppose you want to quickly collect statistics about the HTTP protocol from the http capture file.
For such a requirement, we can use this command: Both of these switches are often used together. For such a requirement, refer to the following screenshot. Here, you learned about the basic theoretical and practical concepts of the CLI utility Tshark, along with how to capture and filter data as per our requirements.
With the help of Tshark, it becomes really easy to understand how protocols work; we saw various techniques to collect and analyze the packets.
Statistical features in Tshark are rich, which helps a moderate user become advanced with a better understanding of how to analyze network packets.
Summary
The Statistics menu in Wireshark contains options that can give us insight from a unique perspective.
Summary is an informational feature that offers a granular view of the data, filters, and trace file you are working with. The Conversations window details data regarding the communication that happens between two or more hosts. The Endpoints dialog gives an overview of the devices connected to the network and communicating. The Protocol Hierarchy window gives an idea about the protocols being used in the communication, that is, it gives us a picture of the distribution of protocols used by the hosts for communication.
Graphs are a pictorial way of representing the statistics regarding packets. We can easily figure out if something is wrong with our network; we can match network performances and troubleshoot general day-to-day problems that occur.
IO graphs tell us the basic status of a network and let us create filters. Matching network performance and singling out a specific protocol becomes easy with them. The Flow graph depicts the flow of data in a column-based manner and creates a simple interface to understand the flow of packets in a network. There are a few types of TCP stream graphs, but their objective is to depict the throughput of our network, that is, how much data is traveling over a particular period of time.
Using the Follow TCP Stream option, you can reassemble the packets listed in a raw data form, which can be easily read. The Expert Infos dialog tells you about information that can be usual or unusual.
All of it is related to your packets; the information is generated with the help of protocol dissectors, which translate the packets to a readable form, and if they find something unusual, it is listed in a section and under a category inside the dialog. Command-line tools also get installed when you install Wireshark.
The most common tool used is Tshark, which works in a similar way to Wireshark and tcpdump. It uses the pcap library that is used by other major protocol analyzers.
With tshark, you can listen to live networks or work with an already saved capture file. The filtering and statistical features are really efficient when dealing with any network analysis process. In the next chapter, we will dive into analyzing the commonly used application layer protocols.
Exercise
What is the purpose of the Statistics menu, and what tools does it contain? Using the Conversations dialog, can you figure out the busiest host on the network? If yes, how? Think of a scenario where using the Endpoints window can be useful. Is it possible to create a display filter using the Endpoints window?
Switch the name resolution feature off while viewing the Conversations window. What difference does it make when it is switched on? Can using the Summary option on an already saved capture file help you figure out the total number of ignored packets after you apply a display filter? Describe the benefits of using different graphing techniques while analyzing data.
Then, change the y-axis unit to bytes. Create a display filter for FTP packets and apply it in a Flow graph. Then, check the sequence number of that packet and verify it by comparing it with the graph. Create a Throughput graph between a server and your client. If you have a requirement to view TCP packets in a raw data form, which option will you opt for, and how would you customize that window in order to view just the responses from the server side?
Explain the significance of the Expert Info dialog and figure out how many categories are there in a Warnings section. Using a command-line protocol analyzer, start sniffing your currently working network interface and save all traffic to a file named traffic. Using the statistical features available in tshark, figure out the total number of hosts in the traffic.
Using the statistical features available in tshark, check the Ethernet addresses of the hosts participating in the communication from the traffic. View the protocol distribution using tshark statistical functions for the traffic.
Chapter 4. Inspecting Application Layer Protocols
This chapter will lead you through the common application layer protocols and make it easy for you to find any anomalies.
You will understand and analyze the normal behavior of application layer protocols by looking at the most common protocols and understanding their usual and unusual behaviors.
Without spending too much time, let me take you on this wonderful journey of protocols.
Domain name system
Imagine a world of Internet where you have to type a random numerical value (an IP address) instead of a name to visit a website. Also, assume that each numerical figure is different. Considering this, how many IP addresses can you memorize? Perhaps 50 at most? So now you are confined to visiting just 50 websites.
Suppose instead of just memorizing the IP addresses, you note down each of them, followed by the name that you want to give to the website to figure out which website is for what purpose.
Now, you can create an Excel file for yourself, consisting of the IP addresses written next to the name of the website you gave. This way, probably, you can collect more than a thousand website addresses for later use. For the sake of your unlimited web experience, DNS comes to your rescue, and it does exactly what you did in the preceding example.
DNS creates a database of websites with their IP addresses, along with the name of the domain. A single row of this record is termed a resource record in a zone file.
Each entry in the zone file is termed a resource record. As a client, when you try to visit a website from your LAN environment, your request is sent through an internal DNS server that looks up the resource records it contains.
The request is termed a DNS query. If your DNS server has already saved the IP address for the domain you are looking for, your client machine will get a reply from the internal DNS server that contains the IP address of the website you are trying to visit.
Thus, you can form IP packets and start communicating.
This reply is termed a DNS response. The fields of a DNS packet are as follows:
Transaction ID: Identifies a query and matches it with the response that answers it.
Flag bits: Each query and response contains different flag bits, which are as follows.
Response: The message is a query or a response.
Opcode: This determines the type of query contained. The opcode ranges between 0 and 15; refer to the following table.
Truncated: This determines whether the packet is truncated because its size is large (greater than 512 bytes).
Recursion desired: The query sent by your client is supposed to go on a recursive search procedure from one DNS server to another if the resource record you are looking for is not present.
Recursion available: If this bit is set, then the recursion that your client requested is available, and if what you are looking for is not present on one server, then your query will be transferred to another DNS server for the lookup procedure.
Reserved (Z): As defined by the RFC, this is reserved for future use and must be set to zero in all queries and responses.
Response code: The value in this field signifies the outcome of the response, that is, whether there was an error and the type of error. Here are the possible code values that you can receive:
Questions: Indicates the number of queries present in the packet.
Answer RRs: Indicates the number of answers in response to the query sent.
Authority RRs: Indicates the number of authority resource records sent as response.
Additional RRs: Indicates the number of additional resource records sent as response.
Query section: The query sent to the DNS server; it should be the same in the response received as well.
Answer section: The answer that came as a response to our query. There can be multiple answers in a response.
The answer basically consists of the resource records that came in response to our query.
Type: This field indicates the type of query sent. Refer to the following table for common query types.
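The field layout just described, turned into a small parser as an added example (not code from the book): it unpacks the transaction ID, the flag bits (QR, opcode, TC, RD, RA, Z, response code), the four RR counts, and then walks the question and answer sections, following the name compression pointers that responses typically use. The DNS message bytes are constructed inline for the example; the names and the 192.0.2.1 address are assumptions.

```python
"""Parse a DNS header, question and answer section from raw bytes (added example)."""
import struct

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def read_name(msg, off):
    """Return (dotted name, offset just past the name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: 14-bit pointer into the message
            if not jumped:
                end = off + 2                     # the name occupies only the 2 pointer bytes
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                           # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(msg):
    """Return (header dict, [(qname, qtype, qclass)], [(name, type, ttl, rdata)])."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {
        "transaction_id": tid,
        "response": bool(flags >> 15 & 1),        # QR: 0 = query, 1 = response
        "opcode": flags >> 11 & 0xF,              # 4 bits, so 0-15
        "authoritative": bool(flags >> 10 & 1),   # AA
        "truncated": bool(flags >> 9 & 1),        # TC
        "recursion_desired": bool(flags >> 8 & 1),    # RD
        "recursion_available": bool(flags >> 7 & 1),  # RA
        "z": flags >> 4 & 0x7,                    # reserved, must be zero
        "rcode": RCODES.get(flags & 0xF, flags & 0xF),
        "questions": qd, "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar,
    }
    off = 12                                      # fixed header is 12 bytes
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return header, questions, answers

# Constructed response: ID 0x1A2B, flags 0x8180 (QR, RD, RA set), one question,
# one A answer whose owner name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Feeding the same parser a query (QR clear) or a truncated reply (TC set) shows the flag bits switching as the text describes.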