
Wireshark 101

Jumpstart: Wireshark 101 (12/21/11)

Notes:

Wireshark Jumpstart: Wireshark 101


www.chappellseminars.com
Presenter: Laura Chappell, Founder of Chappell University and Wireshark University
laura@chappellu.com
Follow me: www.twitter.com/LauraChappell

The phone rings, multiple lines at one time, never a good sign. The users are complaining about network performance again. They never call to say the network is doing great today; they don't remember the numerous days when the network supported their every whim. No. They only call to complain. Being an IT support person is a thankless job.

In this live online seminar, Laura Chappell explains and demonstrates the key tasks using Wireshark, the world's most popular network analyzer.

Sites: lcuportal.com chappellu.com wiresharkbook.com wiresharktraining.com

I have lots of resources online:
Follow me on Twitter (laurachappell)
Check out the Wireshark Weekly Tips (www.wiresharktraining.com/tips.html)
Watch some of the videos I uploaded to SecurityTube.net
My blog is over at lcuportal.com
The Laura's Lab Kit v10 is over at lcuportal.com as well

Check out the other online seminars and keep learning, even if it is an hour at a time. The schedule is online at www.chappellu.com/schedule.html.

These are the areas we will discuss in today's seminar.
What is Wireshark? I'll show you a diagram of the elements of Wireshark.
Placing the Analyzer. Do this right and save yourself loads of time.
Capture and Display Filters. Focus on specific types of traffic.
Spotting Problems. Let the Expert Info Composite window guide you.
Basic Traffic Graphs: a picture is worth a thousand packets!
Overview of Command Line Tools. Sometimes you need to go command line.
Q&A. I'll get to as many questions as time permits.
So let's get started.

Too often I am called on site to troubleshoot a network after everyone has pulled their hair out. It boggles the mind. Why didn't these people put an analyzer on the network and look at the traffic? The packets never lie!
Wireshark is a FIRST RESPONDER tool. Network slow? Get the trace! Can't connect? Get the trace! System behaving strangely? Get the trace!
Network analysis can always tell you WHERE the problem is, but it cannot always tell you WHY the problem is happening.

These are some of the cool new features available in the Wireshark 1.4.0 version. If you are an All Access Pass member, a video on these functions is available at lcuportal.com. If you need more information on the All Access Pass, visit lcuportal.com.
TIP: My favorite simple addition to Wireshark v1.4.0 is the right-click Apply As Column! Try it. Open a trace file containing a web browsing session. Expand a TCP header and right-click on the Sequence Number field. Choose Apply As Column. You now have a Sequence Number column in the Packet List pane. I often add a tcp.window_size column based on the TCP Window Size field (not visible in the first packet of the handshake currently) and TCP Sequence Number and Acknowledgment Number fields.

When you are capturing traffic off the network using Wireshark, you are likely using one of three possible drivers.
WinPcap driver: used on Windows hosts running Wireshark.
AirPcap driver: used to capture WLAN traffic on a Windows host. The AirPcap adapter is available from CACE Technologies (www.cacetech.com), which was purchased by Riverbed in November 2010. I often run three AirPcap adapters on my system and set each to listen to a different WLAN channel. Capturing with the AirPcap aggregating driver allows me to capture on all these different channels at one time.
Libpcap driver: used to capture traffic on a *nix host.
The first filter applied is the capture filter. If you apply a capture filter for all broadcast traffic, that is what will be passed up to the capture engine. You can't go back and get packets that were filtered out from view using capture filters, so use these sparingly.

You do not need WinPcap, AirPcap or Libpcap in order to open up trace files. Those drivers are used to capture traffic on the network. When you open a trace file, you are using the wiretap library, which supports numerous trace file formats including trace file formats used by Network General Sniffer, Wildpackets OmniPeek, Snoop and more. Select File > Open and click the down arrow to the right of File Type to see the list of recognized file types.

Dissectors, plugins and display filters are applied once the packets are passed up either by the capture engine or the wiretap library into the core engine. Dissectors/plugins interpret the contents of the packet and are a key component of Wireshark, enabling you to read packets and see interpreted fields. The display filters enable you to select which packets to view based on specific criteria that you define. Display filters do not affect the trace file itself; they only affect which packets you view.
The GIMP Tool Kit (commonly referred to as GTK+) provides the graphical interface for Wireshark. GTK+ was initially developed for and used by GIMP, the GNU Image Manipulation Program. It is used by a large number of applications including the GNU project's GNOME desktop.
Select Help > About Wireshark > Folders to find where the various Wireshark files are located. Starting in Wireshark v1.2, the locations listed are hyperlinked so you can quickly open folders.

Place the Analyzer Appropriately: Switched networks can cause the analyst grief, blocking the traffic from easy view. We'll go through four ways to capture wired network traffic and a few ways to capture WLAN traffic next. Hey, if you can't see the packets, you are blind to the problem.
Create Baselines: Baselines are sample trace files of traffic from when life was good. This will be on your To Do list if it is not already.
Filter on Specific Conversations or Types of Traffic: If Fred is complaining about his web browsing speeds, you could start with a filter on just Fred's HTTP/HTTPS traffic.
Look for Hot Problems: Pay attention to Wireshark's Expert Info Composite information.
Create Key Graphs: A picture is worth a thousand words. In this case, an IO graph is worth a thousand packets.

Unless you are the IT slave at an old school that still supports hubs, you are likely working in a switched environment. Love 'em or hate 'em, switches are necessary network traffic cops. From the analyst's perspective, however, they reduce visibility by limiting the forwarding of traffic onto unnecessary paths or segments.
Switches forward four types of packets by default:
Broadcasts (MAC layer broadcasts)
Multicasts (MAC layer multicasts), if configured to do so
Traffic to/from the connected host's MAC address
Traffic to unknown MAC addresses (I hope you never see this)

We'd be blind to Fred's traffic to the server if we placed the analyzer off the switch as shown in the graphic. So what can we do, what CAN we do?!

The first thing we can do (although one of my least desired options) is just run Wireshark off Fred's machine.
Yeah, it's an easy solution, but filled with risks; we typically don't want to alter the system that is having problems. Network analysis is a passive, noninvasive process. I often compare it to an x-ray machine: oh look, your foot is broken in two places, no more Dancing with the Stars for you! Imagine if the x-ray machine was embedded in your foot to find the problem. Ouch.
I also detest the idea of showing Fred that his system can run Wireshark. Fred is, after all, the User from Hell and in this case, ignorance is bliss: his ignorance is my bliss.
But sometimes that is the only feasible option. Start Wireshark running in the background (maybe with a nice ring buffer; we'll discuss that later in this class) and tell Fred to do his stuff and show you what he's experiencing.
Be sure to uninstall Wireshark afterwards!

This option only works on half duplex networks. A stinkin' old hub can save your hide!
Hubs are stupid; all they know are 1s and 0s, and they forward every bit in every direction (except back the way the bits came in). By placing a hub along the path between Fred and the switch and plugging my analyzer into the hub, I get to see all Fred's traffic.
Watch out for those 10/100/1000 hubs though. If you have a speed mismatch on the connecting devices, that hub may act as a switch between the different speed devices.
Test this first, before you need it. Connect two hosts and your analyzer to a hub. Make sure you can see the devices pinging each other. There are a lot of hubs that are cross-dressers; they are actually switches. There's no truth in advertising these days (especially in the tech world).

If you are working on a full duplex network, a hub ain't gonna cut the mustard (aka won't work, for my international attendees). To tap into a full duplex network, you'll need a full duplex tap. Simply connect it up just as you did the hub and away you go! Uh, except for one thing: there are many variations of full duplex tap out there. The main differentiator is, of course, speed (10/100/1000) and port type (copper/fiber). Past that, you also have non-aggregating taps and aggregating taps.
Non-Aggregating Taps: These taps have two output ports and do not combine the full duplex streams in each direction. You need to hang two analyzers off these taps to see bidirectional communication. Use File > Merge or the command line mergecap utility to combine multiple trace files.
Aggregating Taps: Well worth the money. These taps combine the bidirectional data and forward it out one monitor port (or two if you have a regenerating tap and want to place something else, maybe a Snort box, off the extra port).

This is the white paper that I refer to in the class; it's very well written and helps differentiate between using a tap to capture your traffic or spanning a switch port.
Best Practices Guide
Basic best practices
Types of taps: aggregating taps, regenerating taps, link aggregation taps, etc.
Advanced best practices

Easy, eh? Port A connects to the switch. Port B connects to the target. Port C connects to your analyzer. There are a lot of variations possible when you're looking for a tap.
Hmmm, but what's the chance a company is going to let me disconnect their server from the network to install my full duplex tap? Not likely, so that's when I go the next route.

Non-manageable switches are great for home networks; they DO NOT, however, belong on the corporate network.
All of your switches should have the ability to do port spanning (aka port mirroring). Port spanning enables you to have a copy of all network traffic flowing from another switch port sent down your switch port. It's relatively passive, but not totally passive, as you did reconfigure the switch, and if the switch is the problem, such reconfiguration may solve the problem or give the switch enough of a kick in the behind to get it working properly, most likely only until you have critical network traffic again; then it will fail again.
DON'T GET ME STARTED on port sampling. What good is it to see only a piece of an x-ray result? Aargh!
Make sure you test out your spanning commands and ensure your switch spans ports properly. Even the highest and mightiest of switch manufacturers seems to have stumbled from time to time in implementing this necessary feature.

OK, here's the scoop. You can just select your wireless adapter to begin monitoring traffic; it most likely will let you see your traffic. But, uh, what about Fred's traffic? Most NICs won't go into full monitor mode and allow you to see other folks' traffic.
This is where a Windows host has an advantage (amazing to hear myself say that). Riverbed (who purchased CACE Technologies), where Gerald Combs, creator of Wireshark, and Loris Degioanni and Gianluca Varenni, creators of WinPcap, work, has AirPcap adapters.
These three AirPcap adapters should be connected to your system via a USB hub most likely. With the AirPcap aggregating driver you can now see all the traffic on three channels simultaneously. Just too cool. Riverbed (who purchased CACE) also has WiFi Pilot. MetaGeek's Wi-Spy adapter offers spread spectrum analysis (I demonstrate this adapter live in the Top 10 Reasons Your Network is Slow class; check it out).
TIP: See the free video, Start the Day by Testing Your Network Adapter, at www.wiresharkbook.com/coffee. You'll see me testing two WLAN adapters to see if they will work for capturing traffic. Your WLAN adapters should run in both promiscuous mode and monitor mode for best results.

These are the functions that I consider key when you are analyzing networks:
Choosing the Interface
Capture Filtering
Capturing to File Sets
Capturing with a Ring Buffer
Altering the Time Column
Display Filtering (new autocomplete)
Using the Expert Info Composite
Defining Profiles
Reassembling Streams

I will cut down the time spent on slides so I can get into the demo process a.s.a.p. in this training.

You have many options when starting your capture.
You could just capture a single file and (a) manually stop the capture or (b) set a stop trigger.
You could capture a file set that you (a) manually stop or (b) that stops based on a trigger.
To control the number of trace files created you can use a ring buffer, which is a FIFO (first in, first out) buffer.
Triggers for Multiple Files
Next file every x kilobytes, megabytes, gigabytes (careful of file size)
Next file every x seconds, minutes, hours, days (again, watch the size)
Ring buffer with x files
Stop capture after x files
Stop Triggers
after x packets
after x kilobytes, megabytes, gigabytes (you know the warning)
after x seconds, minutes, hours, days (yup, same thing)
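The following is an added example, not part of the seminar notes, that models how the file-set triggers and the ring buffer above interact. rotate_capture() assigns constructed (timestamp, bytes) packets to numbered files, opening the next file when the size or time trigger fires, stopping on the autostop triggers, and keeping only the newest ring_files files (FIFO: the oldest is deleted first). dumpcap_args() shows the real dumpcap/tshark switches for the same triggers. The file names are a simplified form of the ones dumpcap generates, the packet list is constructed, and nothing is captured or written to disk.

```python
"""Model of Wireshark's multiple-file capture triggers and ring buffer
(added example; simplified naming, no real capture)."""
from collections import deque

# Constructed sample: 12 packets of 512 bytes, one every 0.1 s.
SAMPLE_PACKETS = [(i / 10, 512) for i in range(12)]


def rotate_capture(packets, next_file_kb=None, next_file_secs=None,
                   ring_files=None, stop_after_files=None, stop_after_packets=None):
    """Return (every file created, files still on disk) after the capture ends.

    next_file_kb / next_file_secs: "next file every x" triggers.
    ring_files: keep only the newest x files (FIFO).
    stop_after_files / stop_after_packets: stop triggers.
    """
    created, on_disk = [], deque()
    current = {"name": None, "bytes": 0, "start": None}
    captured = 0

    def open_next(ts):
        n = len(created) + 1
        current.update(name=f"trace_{n:05d}.pcapng", bytes=0, start=ts)
        created.append(current["name"])
        on_disk.append(current["name"])
        if ring_files is not None and len(on_disk) > ring_files:
            on_disk.popleft()          # ring buffer: oldest file is deleted first

    for ts, size in packets:
        if stop_after_packets is not None and captured >= stop_after_packets:
            break                      # autostop: packet count reached
        need_new = (current["name"] is None
                    or (next_file_kb is not None
                        and current["bytes"] + size > next_file_kb * 1024)
                    or (next_file_secs is not None
                        and ts - current["start"] >= next_file_secs))
        if need_new:
            if stop_after_files is not None and len(created) >= stop_after_files:
                break                  # autostop: file count reached
            open_next(ts)
        current["bytes"] += size
        captured += 1
    return created, list(on_disk)


def dumpcap_args(interface, outfile, next_file_kb=None, next_file_secs=None,
                 ring_files=None, stop_after_files=None, stop_after_packets=None):
    """The equivalent real dumpcap/tshark command line for the same triggers:
    -b = multiple-file triggers, -a = autostop triggers, -c = packet count."""
    args = ["dumpcap", "-i", interface, "-w", outfile]
    if next_file_kb is not None:
        args += ["-b", f"filesize:{next_file_kb}"]
    if next_file_secs is not None:
        args += ["-b", f"duration:{next_file_secs}"]
    if ring_files is not None:
        args += ["-b", f"files:{ring_files}"]
    if stop_after_files is not None:
        args += ["-a", f"files:{stop_after_files}"]
    if stop_after_packets is not None:
        args += ["-c", str(stop_after_packets)]
    return args


if __name__ == "__main__":
    created, kept = rotate_capture(SAMPLE_PACKETS, next_file_kb=1, ring_files=3)
    print("created:", created)
    print("still on disk after ring buffer:", kept)
    print(" ".join(dumpcap_args("eth0", "trace.pcapng", next_file_kb=1, ring_files=3)))
```

With a 1 kB file trigger and a 3-file ring buffer, the 12 sample packets produce six files but only the last three survive, which is exactly the behaviour to expect when Fred's machine captures unattended in the background: the ring buffer bounds disk use, and anything older than the newest x files is gone for good.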

Here are some of the things to know:
Examining the Interfaces
Select Capture > Interfaces to see the active interfaces and check out the interface details, start capturing right away or set up your capture options.
Capture Filters
Make a Not Me capture filter to filter out your traffic from your trace files. You don't want your email or web browsing session to be captured when you are working on Fred's network problems. The syntax for a Not Me capture filter is not ether host 00:21:97:40:74:d2 (with your MAC address).
Set the Time Correctly
Use Edit > Time Display Format > Seconds Since Previous Displayed Packet to see the delta time from the end of one packet to the end of the next. Now you can sort the time column to see large gaps in time!
Listen to the Expert
Select Analyze > Expert Info Composite to identify possible problems seen in the trace file. Expand the findings to locate specific packets in the trace.
Check the IO Rate
Select Statistics > IO Graph to note when the IO rate drops. Click anywhere on the IO graph to locate that area in the trace.
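The following is an added example, not part of the seminar notes, that reproduces two of the checks above on a constructed packet list: the "Seconds Since Previous Displayed Packet" delta after a display filter (sorted so the largest gaps float to the top) and a per-second I/O rate like the default IO Graph, with the ticks where the rate drops flagged. The packets are constructed dicts that reuse Wireshark's field names (frame.time_epoch, ip.src, ip.dst, frame.len); no trace file is read and no Wireshark API is called.

```python
"""Delta-time column and IO rate over a constructed packet list
(added example, not the seminar's or Wireshark's own code)."""
from collections import Counter

# Constructed sample: Fred (10.1.1.5) browsing 10.1.1.80, with a stall of
# about four seconds between frames 8 and 10, plus unrelated DNS chatter.
FRED = "10.1.1.5"
PACKETS = [
    {"frame.number": 1, "frame.time_epoch": 0.000, "ip.src": FRED, "ip.dst": "10.1.1.80", "frame.len": 74},
    {"frame.number": 2, "frame.time_epoch": 0.012, "ip.src": "10.1.1.80", "ip.dst": FRED, "frame.len": 74},
    {"frame.number": 3, "frame.time_epoch": 0.013, "ip.src": FRED, "ip.dst": "10.1.1.80", "frame.len": 66},
    {"frame.number": 4, "frame.time_epoch": 0.500, "ip.src": "10.1.1.9", "ip.dst": "10.1.1.53", "frame.len": 80},
    {"frame.number": 5, "frame.time_epoch": 1.100, "ip.src": FRED, "ip.dst": "10.1.1.80", "frame.len": 500},
    {"frame.number": 6, "frame.time_epoch": 1.150, "ip.src": "10.1.1.80", "ip.dst": FRED, "frame.len": 1514},
    {"frame.number": 7, "frame.time_epoch": 2.300, "ip.src": "10.1.1.80", "ip.dst": FRED, "frame.len": 1514},
    {"frame.number": 8, "frame.time_epoch": 3.200, "ip.src": FRED, "ip.dst": "10.1.1.80", "frame.len": 66},
    {"frame.number": 9, "frame.time_epoch": 5.900, "ip.src": "10.1.1.9", "ip.dst": "10.1.1.53", "frame.len": 80},
    {"frame.number": 10, "frame.time_epoch": 7.250, "ip.src": "10.1.1.80", "ip.dst": FRED, "frame.len": 1514},
    {"frame.number": 11, "frame.time_epoch": 7.300, "ip.src": FRED, "ip.dst": "10.1.1.80", "frame.len": 66},
]


def display_filter(packets, predicate):
    """A display filter hides packets from view; the trace itself is untouched."""
    return [p for p in packets if predicate(p)]


def delta_displayed(packets):
    """(frame.number, delta) pairs: seconds since the previous *displayed*
    packet, which is what the time column shows once a filter is applied."""
    out, prev = [], None
    for p in packets:
        t = p["frame.time_epoch"]
        out.append((p["frame.number"], 0.0 if prev is None else round(t - prev, 6)))
        prev = t
    return out


def largest_gaps(packets, top=3):
    """Sort the delta column descending, like clicking the column header."""
    return sorted(delta_displayed(packets), key=lambda x: x[1], reverse=True)[:top]


def io_rate(packets, tick=1.0):
    """Bytes per tick interval, like the default IO Graph; index = tick number."""
    counts = Counter()
    for p in packets:
        counts[int(p["frame.time_epoch"] // tick)] += p["frame.len"]
    last = int(max(p["frame.time_epoch"] for p in packets) // tick)
    return [counts[i] for i in range(last + 1)]


def rate_drops(rates, fraction=0.25):
    """Tick numbers whose throughput is below `fraction` of the trace average."""
    avg = sum(rates) / len(rates)
    return [i for i, r in enumerate(rates) if r < fraction * avg]


if __name__ == "__main__":
    fred_only = display_filter(PACKETS, lambda p: FRED in (p["ip.src"], p["ip.dst"]))
    print("largest gaps (frame, seconds since previous displayed):", largest_gaps(fred_only))
    rates = io_rate(PACKETS)
    print("bytes per second:", rates)
    print("IO rate drops at ticks:", rate_drops(rates))
```

Note that the delta is measured between displayed packets: filtering to Fred's conversation first means the DNS frames 4 and 9 no longer split the gap, so the stall before frame 10 shows up as one 4.05 s delta rather than two smaller ones.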

Here are some of the things I'm going to demonstrate (continued):
Measure Pain
Learn to measure time between packets spread throughout the trace. Select the start point and right-click. Choose Set Time Reference (toggle). You might be prompted for the time format change. Scroll down to the next time measurement and the time column now shows you the time from the Time Referenced packet to this one. You can set multiple Time Reference packets in the trace if desired.
Right-Click Filtering
In my example, I want to find out if the trace includes BOTH the original and the retransmitted TCP packet (find a retransmission packet). Inside the TCP header, I right-clicked the TCP Sequence Number field and said Prepare as a Filter (just so I can look at the filter before it gets applied). When you apply the filter I will learn if I am upstream (before packet loss occurs) or downstream (after packet loss has occurred) on the network.
Custom Columns
Time permitting, I also wanted to show you how to add a column for the TCP Window Size field value to Wireshark's summary pane. Click the field to see the field name in the status bar at the bottom of the Wireshark window. This field is called tcp.window_size. I showed the right-click Apply as Column feature!
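The following is an added example, not part of the seminar notes, that works through the Measure Pain and Right-Click Filtering checks above on two constructed TCP traces: one captured upstream of the point where a segment was lost (both the original and the retransmission are in the trace) and one captured downstream of it (only the retransmission is). relative_times() is the time column after Set Time Reference (toggle); find_retransmissions() is a deliberately simplified stand-in for Wireshark's tcp.analysis.retransmission flag; seq_filter() is the prepared tcp.seq filter, narrowed by stream and sender so the other direction's sequence numbers cannot collide. Hosts, sequence numbers and timestamps are constructed; nothing is read from a real trace.

```python
"""Time Reference and retransmission upstream/downstream check over
constructed TCP segments (added example; simplified retransmission logic)."""

SERVER, FRED = "10.1.1.80", "10.1.1.5"


def seg(frame, t, src, seq, length, stream=0):
    """One constructed TCP segment record using Wireshark field names."""
    return {"frame.number": frame, "frame.time_epoch": t, "ip.src": src,
            "tcp.stream": stream, "tcp.seq": seq, "tcp.len": length}


# Analyzer between the loss point and Fred: original segment 1001 (frame 2)
# and its retransmission (frame 5) are both in the trace.
UPSTREAM_TRACE = [
    seg(1, 0.000, SERVER, 1, 1000),
    seg(2, 0.010, SERVER, 1001, 1000),
    seg(3, 0.020, SERVER, 2001, 1000),
    seg(4, 0.030, FRED, 1, 0),           # pure ACK, no data
    seg(5, 0.250, SERVER, 1001, 1000),   # retransmission after the loss
    seg(6, 0.260, SERVER, 3001, 1000),
]

# Analyzer past the loss point: segment 1001 was dropped before it reached the
# capture point, so the retransmission (frame 4) is the only copy seen.
DOWNSTREAM_TRACE = [
    seg(1, 0.000, SERVER, 1, 1000),
    seg(2, 0.020, SERVER, 2001, 1000),
    seg(3, 0.030, FRED, 1, 0),
    seg(4, 0.250, SERVER, 1001, 1000),
]


def relative_times(packets, reference_frames):
    """Time column after Set Time Reference (toggle): seconds from the most
    recently set *REF* packet; None before the first reference is reached."""
    ref_t, out = None, {}
    for p in packets:
        if p["frame.number"] in reference_frames:
            ref_t = p["frame.time_epoch"]
        t = p["frame.time_epoch"]
        out[p["frame.number"]] = None if ref_t is None else round(t - ref_t, 6)
    return out


def find_retransmissions(packets):
    """Data segments whose sequence number is below the next sequence number
    already seen from that sender in that stream. Simplified: no SACK,
    keep-alive, out-of-order or window handling, unlike Wireshark's expert."""
    next_expected, flagged = {}, []
    for p in packets:
        if p["tcp.len"] == 0:
            continue
        key = (p["tcp.stream"], p["ip.src"])
        if p["tcp.seq"] < next_expected.get(key, 0):
            flagged.append(p["frame.number"])
        next_expected[key] = max(next_expected.get(key, 0), p["tcp.seq"] + p["tcp.len"])
    return flagged


def seq_filter(packets, stream, src, seq):
    """Display filter equivalent of `tcp.stream == S && ip.src == X && tcp.seq == N`.
    Prepare as Filter on the field gives only the tcp.seq clause; the other two
    are added here so the reverse direction's numbers stay out of the result."""
    return [p["frame.number"] for p in packets
            if p["tcp.stream"] == stream and p["ip.src"] == src and p["tcp.seq"] == seq]


def capture_position(packets, retrans_frame):
    """'upstream' of the loss if the original segment is in the trace as well,
    'downstream' if the retransmission is the only copy."""
    p = next(x for x in packets if x["frame.number"] == retrans_frame)
    matches = seq_filter(packets, p["tcp.stream"], p["ip.src"], p["tcp.seq"])
    return "upstream" if len(matches) >= 2 else "downstream"


if __name__ == "__main__":
    for name, trace in (("upstream", UPSTREAM_TRACE), ("downstream", DOWNSTREAM_TRACE)):
        for f in find_retransmissions(trace):
            print(f"{name} trace: frame {f} is a retransmission; analyzer is",
                  capture_position(trace, f), "of the loss")
    print("time since frame 2 (Time Reference):", relative_times(UPSTREAM_TRACE, {2}))
```

The same retransmission is flagged in both traces, but only the sequence-number filter tells you where you are standing: two hits means the analyzer saw the segment go by before it was lost, one hit means the loss happened somewhere between the sender and your capture point.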

Now what?! Here's a quick list of to-do items for you after this class.
1. C'mon, try the new version! Get to www.wireshark.org and update to the latest version of Wireshark.
2. Test analyzer placement: Make sure you feel comfortable with your capture options: hubbing out, tapping out, WLAN AirPcaps, spanning, etc.
3. Baseline your network traffic: Know what's normal. Take baselines of host startup processes, connection to the key network devices, shutdown, etc.
4. Learn to filter (capture AND display): Work with both types of filters. Become a filter guru to save yourself loads of time when analyzing network problems.
5. Don't ignore the Expert Info: Always give a nod to the Expert Info Composite findings; verify the alerts listed by looking at the trace in depth.
6. Learn TCP/IP at packet level: Installing and configuring a TCP/IP network is entirely different from analyzing the traffic. Get to know TCP/IP inside and out; that includes ARP, IP, TCP, UDP, DHCP, ICMP, HTTP, POP, SMTP, etc. Check out the three trace analysis courses in the All Access Pass (lcuportal.com).
7. Get the Wireshark Network Analysis book for documented techniques on analyzing wired and wireless networks. ISBN 9781893939998 (visit wiresharkbook.com)
8. Get more information about the certification program at www.wiresharktraining.com/certification.

Now we move on to live Q&A.
Remember to follow me on Twitter (laurachappell) and check out my blog at www.lcuportal.com. Check out the other online seminars and keep learning, even if it is an hour at a time.
The All Access Pass includes trace file analysis training, Wireshark training and more. Here's a partial list of courses online at lcuportal.com:
AAP Event: Analyzing the Window Zero Condition
Core 1: Wireshark Functionality and TCP/IP Analysis
Core 2: Troubleshoot/Secure Networks with Wireshark
CS42: Hacked Hosts
CS43: Analyze and Improve Throughput
CS44: Top 10 Reasons Your Network is Slow
CS47: Nmap Network Scanning 101
CS58: Packet Crafting to Test Firewalls
CS61: Tshark Command Line Capture

Well, thanks much for attending the online live seminar. You can help us guide the content, length, pricing and format of these courses by sending your thoughts to me at laura@chappellU.com.
Now I ask a favor: please help us reach out to the IT community to let them know about these online seminars.
