
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis.

These courses, lessons, and activities will show you how to use Wireshark to analyze a network.


Activity 1 - Start Wireshark
Two different methods for starting Wireshark are available. These include the Start menu and the Run
command box.
Method 1 - Start Menu
To start Wireshark using the Start menu:
1. Open the Start menu.
2. Select All Programs.
3. Select Wireshark.
Method 2 - Run Command
To start Wireshark using the Run command box:
1. Open the Start menu or press the Windows key + R.
2. Type Wireshark in the Run command box.
3. Press Enter.
Activity 2 - Open the Capture Interfaces Dialog Box
Three different methods for opening the Capture Interfaces dialog box are available. These include the
Capture menu, the Capture Interfaces toolbar button, and the Capture Interfaces keyboard shortcut.
Method 1 - Capture Menu
To open the Capture Interfaces dialog box using the Capture menu:
1. Select the Capture menu.
2. Select Interfaces.
Method 2 - Capture Interfaces Toolbar Button
To open the Capture Interfaces dialog box using the Capture Interfaces toolbar button:
1. Locate the toolbar button with the help text List the available capture interfaces. This should be
the first toolbar button on the left.
2. Click the Capture Interfaces toolbar button.
Method 3 - Capture Interfaces Keyboard Shortcut
To open the Capture Interfaces dialog box using the Capture Interfaces keyboard shortcut:
1. Press <Ctrl> + I.




Activity 3 - Start a Wireshark Capture
To start a Wireshark capture from the Capture Interfaces dialog box:
1. Observe the available interfaces. If you have multiple interfaces displayed, look for the interface
with the highest packet count. This is your most active network interface.
2. Select the interface you want to use for the capture using the check box on the left.
3. Select Start to begin the capture.

Activity 4 - Stop a Wireshark Capture
Three different methods for stopping a Wireshark capture are available. These include the Capture menu,
the Stop Capture toolbar button, and the Stop Capture keyboard shortcut.
Method 1 - Capture Menu
To stop a Wireshark capture using the Capture menu:
1. Select the Capture menu.
2. Select Stop.
Method 2 - Stop Capture Toolbar Button
To stop a Wireshark capture using the Stop Capture toolbar button:
1. Locate the toolbar button with the help text Stop the running live capture. This should be the
fourth toolbar button from the left.
2. Click the Stop Capture toolbar button.
Method 3 - Stop Capture Keyboard Shortcut
To stop a Wireshark capture using the Stop Capture keyboard shortcut:
1. Press <Ctrl> + E.

Activity 5 - Capture Network Traffic
To capture network traffic:
1. Start a Wireshark capture.
2. Open a web browser and navigate to a favorite web site.
3. Stop the Wireshark capture.
4. Observe the traffic captured in the top Wireshark packet list pane.
5. Select a packet you want to analyze.
6. Observe the packet details in the middle Wireshark packet details pane.
7. Expand various protocol containers to view detailed protocol information.
8. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
Activity 6 - Capture Network Traffic
To capture network traffic:
1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.
Activity 7 - Use a Display Filter
To use a display filter:
1. Type ip.addr == 8.8.8.8 in the Filter box and press Enter.
2. Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from
(source) IP address 8.8.8.8 is displayed.
3. Click Clear on the Filter toolbar to clear the display filter.
4. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Activity 8 - Capture Network Traffic Using a Capture Filter
To capture network traffic using a capture filter:
1. Open the Capture Interfaces dialog box, either from the Capture menu (select Interfaces) or with the
List the available capture interfaces toolbar button.
2. Select Options.
3. Double-click on the interface you want to use for the capture.
4. In the Capture Filter box type host 8.8.8.8.
5. Select OK to save the changes.
6. Select Start to start a Wireshark capture.
7. Use ping 8.8.8.8 to ping an Internet host by IP address.
8. Use ping 8.8.4.4 to ping an Internet host by IP address.
9. Observe that only traffic to (destination) or from (source) IP address 8.8.8.8 is captured.
10. Stop the Wireshark capture.
11. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.




Activity 9 - Capture Ethernet Traffic
To capture Ethernet traffic:
1. Start a Wireshark capture.
2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
3. Use ping <default gateway address> to ping the default gateway address.
4. Stop the Wireshark capture.
Activity 10 - Analyze Ethernet Traffic
To analyze Ethernet traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely
to be Ethernet traffic. If you want to specifically identify the traffic generated from the ping
command above, look for traffic with ICMP listed as the protocol and Echo (ping) request or Echo
(ping) reply in the description.
2. Select a packet you want to analyze.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom
packet bytes pane.
5. Expand Frame to view frame details.
6. Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
7. Select the Destination field. Notice when you select the Destination field that the first six bytes of
the frame are highlighted in the bottom packet bytes pane. This is the destination MAC address
for the Ethernet frame.
8. Select the Source field. Notice when you select the Source field that the second six bytes of the
frame are highlighted in the bottom packet bytes pane. This is the source MAC address for the
Ethernet frame.
9. Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the
frame are highlighted in the bottom packet bytes pane. This is the type of packet encapsulated
inside the Ethernet frame.
10. Select additional Ethernet frames in the top packet list pane and observe frame details in these
packets.
Activity 11 - Confirm MAC Addresses in Ethernet Traffic
To confirm MAC addresses in Ethernet traffic:
1. Use ipconfig /all or Getmac to display your computer's Physical Address.
2. Compare your computer's physical address to the Source and Destination fields in the captured
traffic. Identify which frames were sent by your computer and which frames were received by
your computer.
3. Use arp -a to view the ARP cache.
4. Locate the default gateway IP address used in the ping command above and note the Physical
Address of the default gateway.
5. Compare your default gateway's physical address to the Source and Destination fields in the
captured traffic. Identify which frames were sent by the default gateway and which frames
were sent to the default gateway.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Activity 12 - Capture Local IPv4 Traffic
To capture local IPv4 traffic:
1. Start a Wireshark capture.
2. Use ping <default gateway address> to ping the default gateway address.
3. Stop the Wireshark capture.
Activity 13 - Analyze Local IPv4 Outbound Traffic
To analyze local IPv4 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed
as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and
press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You
can use arp -a to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig
/all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the default gateway IP
address.
Activity 14 - Analyze Local IPv4 Inbound Traffic
To analyze local IPv4 inbound traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the default gateway IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Activity 15 - Capture Remote IPv4 Traffic
To capture remote IPv4 traffic:
1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.
Activity 16 - Analyze Remote IPv4 Outbound Traffic
To analyze remote IPv4 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed
as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and
press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You
can use arp -a to confirm. Notice that remote Internet layer traffic is processed as local Link
layer traffic. The default gateway will route the packet to the Internet.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig
/all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the Internet host IP
address.
Activity 17 - Analyze Remote IPv4 Inbound Traffic
To analyze remote IPv4 inbound traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway. Notice
that the remote Internet layer traffic is returned as local Link layer traffic. The routers
between the Internet host and your network routed the packet back to your router so that
it could forward the packet back to your computer.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the Internet host IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Activity 18 - Capture Local IPv6 Traffic
To capture local IPv6 traffic:
1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed. Be
sure to select an IPv6 address. If you don't have an IPv6 default gateway, just review the following
instructions for content understanding.
2. Start a Wireshark capture.
3. Use ping <default gateway address> to ping the default gateway IPv6 address.
4. Stop the Wireshark capture.
Activity 19 - Analyze Local IPv6 Outbound Traffic
To analyze local IPv6 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6
listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and
press Enter.
2. Select the first ICMPv6 packet or scroll down if necessary to locate the first packet labeled Echo
(ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You
can use netsh interface ipv6 show neighbors to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig
/all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
8. Expand Internet Protocol Version 6 to view IPv6 details.
9. Observe the Source address. Notice that the source address is your IPv6 address.
10. Observe the Destination address. Notice that the destination address is the default gateway IPv6
address.
Activity 20 - Analyze Local IPv6 Inbound Traffic
To analyze local IPv6 inbound traffic:
1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
7. Expand Internet Protocol Version 6 to view IPv6 details.
8. Observe the Source address. Notice that the source address is the default gateway IPv6 address.
9. Observe the Destination address. Notice that the destination address is your IPv6 address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
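The frame fields walked through in Activities 10 to 20, decoded from raw bytes in Python. This is an added example, not part of the lab manual: it reads the Ethernet II header (destination MAC in bytes 1-6, source MAC in bytes 7-12, Type in bytes 13-14, 0x0800 for IP or 0x86dd for IPv6), the IPv4 or IPv6 addresses and the ICMP/ICMPv6 echo type, and it also implements the source-or-destination test of the ip.addr == 8.8.8.8 display filter from Activity 7 and the sent/received check from Activity 11. The two sample frames and every MAC and IP address in them are constructed; IPv6 extension headers are not handled.

```python
"""Decode the Ethernet II / IP / ICMP fields shown in Wireshark's packet details pane."""
import struct

ETHERTYPE_IPV4 = 0x0800  # Type field value Wireshark labels "IP"
ETHERTYPE_IPV6 = 0x86DD  # Type field value Wireshark labels "IPv6"
IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ipv6(b: bytes) -> str:
    # Uncompressed text form; enough for equality checks against ipconfig output.
    return ":".join(f"{(b[i] << 8) | b[i + 1]:x}" for i in range(0, 16, 2))

def _echo_info(name: str, l4: bytes, request_type: int, reply_type: int) -> str:
    labels = {request_type: "Echo (ping) request", reply_type: "Echo (ping) reply"}
    label = labels.get(l4[0], f"type {l4[0]}") if l4 else "(empty)"
    return f"{name} {label}"

def decode_frame(frame: bytes) -> dict:
    """Parse one Ethernet II frame down to the ICMP/ICMPv6 message type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    # Bytes 1-6 destination MAC, 7-12 source MAC, 13-14 Type (Activity 10, steps 7-9).
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (payload[0] & 0x0F) * 4  # header length in bytes
        proto = payload[9]
        src_ip = ".".join(str(x) for x in payload[12:16])
        dst_ip = ".".join(str(x) for x in payload[16:20])
        info = (_echo_info("ICMP", payload[ihl:], 8, 0)
                if proto == IPPROTO_ICMP else f"IPv4 protocol {proto}")
    elif etype == ETHERTYPE_IPV6:
        if len(payload) < 40:
            raise ValueError("truncated IPv6 header")
        next_header = payload[6]
        src_ip, dst_ip = _ipv6(payload[8:24]), _ipv6(payload[24:40])
        # Assumes no extension headers between IPv6 and ICMPv6 (a simplification).
        info = (_echo_info("ICMPv6", payload[40:], 128, 129)
                if next_header == IPPROTO_ICMPV6 else f"IPv6 next header {next_header}")
    else:
        raise ValueError(f"unsupported EtherType 0x{etype:04x}")
    return {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": etype,
            "src_ip": src_ip, "dst_ip": dst_ip, "info": info}

def ip_addr_matches(d: dict, addr: str) -> bool:
    """Same test as the display filter ip.addr == addr: source OR destination (Activity 7)."""
    return addr in (d["src_ip"], d["dst_ip"])

def direction(d: dict, my_mac: str) -> str:
    """Activity 11: did this computer send or receive the frame?"""
    if d["src_mac"] == my_mac:
        return "sent by this computer"
    return "received by this computer" if d["dst_mac"] == my_mac else "neither"

# Constructed samples (checksums left zero; the parser never checks them).
# IPv4 ping request from 192.168.1.10 (MAC 00:11:22:33:44:55) to 8.8.8.8 via gateway MAC aa:bb:cc:dd:ee:ff.
PING_REQUEST = bytes.fromhex(
    "aabbccddeeff 001122334455 0800"                  # Ethernet II, Type 0x0800 = IP
    "4500001c 00010000 40 01 0000 c0a8010a 08080808"  # IPv4, protocol 1 = ICMP
    "08 00 0000 0001 0001")                           # ICMP type 8 = echo request
# IPv6 ping reply from the gateway fe80::1 (aa:bb:cc:dd:ee:ff) back to this host fe80::2.
LL_GATEWAY, LL_HOST = "fe80" + "0000" * 6 + "0001", "fe80" + "0000" * 6 + "0002"
PING6_REPLY = bytes.fromhex(
    "001122334455 aabbccddeeff 86dd"                  # Ethernet II, Type 0x86dd = IPv6
    "60000000 0008 3a 40"                             # IPv6, payload 8 bytes, next header 58 = ICMPv6
    + LL_GATEWAY + LL_HOST                            # source fe80::1, destination fe80::2
    + "81 00 0000 0001 0001")                         # ICMPv6 type 129 = echo reply
```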


Activity 21 - Capture UDP Traffic
To capture UDP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ipconfig /renew and press Enter to renew your DHCP assigned IP address. If you have a
static address, this will not generate any UDP traffic.
4. Type ipconfig /flushdns and press Enter to clear your DNS name cache.
5. Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
6. Close the command prompt.
7. Stop the Wireshark capture.
Activity 22 - Analyze UDP DHCP Traffic
To analyze UDP DHCP traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic
related to the DHCP renewal, type udp.port == 68 (lower case) in the Filter box and press Enter.
2. Select the first DHCP packet, labeled DHCP Request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC
address and the source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the DHCP server IP
address.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is bootpc (68), the bootp client port.
11. Observe the Destination port. Notice that it is bootps (67), the bootp server port.
12. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
14. Expand Ethernet II to view Ethernet details.
15. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your DHCP server's MAC address.
16. Expand Internet Protocol Version 4 to view IP details.
17. Observe the Source address. Notice that the source address is the DHCP server IP address.
18. Observe the Destination address. Notice that the destination address is your IP address.
19. Expand User Datagram Protocol to view UDP details.
20. Observe the Source port. Notice that it is bootps (67), the bootp server port.
21. Observe the Destination port. Notice that it is bootpc (68), the bootp client port.
Activity 23 - Analyze UDP DNS Traffic
To analyze UDP DNS traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic
related to the DNS lookup, type udp.port == 53 (lower case) in the Filter box and press Enter.
2. Select the first DNS packet, labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System
(query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DNS server's MAC
address if it is local, or your default gateway's MAC address if the DNS server is remote. The
source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the DNS server IP
address.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
12. In the top Wireshark packet list pane, select the second DNS packet, labeled Standard query
response.
13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System
(response) frame.
14. Expand Ethernet II to view Ethernet details.
15. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your DNS server's MAC address if it is local, or your default gateway's MAC
address if the DNS server is remote.
16. Expand Internet Protocol Version 4 to view IP details.
17. Observe the Source address. Notice that the source address is the DNS server IP address.
18. Observe the Destination address. Notice that the destination address is your IP address.
19. Expand User Datagram Protocol to view UDP details.
20. Observe the Source port. Notice that it is domain (53), the DNS server port.
21. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS
query in the first packet.
22. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
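The port logic behind Activities 22 and 23, as an added Python example that is not part of the lab manual: it names the DHCP and DNS directions from the bootpc (68), bootps (67) and domain (53) ports, and pairs each DNS response with its query through the dynamic port that the response is sent back to. The datagrams, their payloads and the dynamic port 52431 are constructed; only the 8-byte UDP header is parsed, so the Ethernet and IP layers are assumed to be stripped already.

```python
"""Classify UDP datagrams by port pair and pair DNS responses with their queries."""
import struct

BOOTPS, BOOTPC, DOMAIN = 67, 68, 53  # Wireshark shows these as bootps, bootpc and domain

def parse_udp(datagram: bytes) -> dict:
    """Split a UDP datagram into its 8-byte header fields plus payload."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError(f"UDP length field {length} does not match {len(datagram)} bytes")
    return {"sport": sport, "dport": dport, "payload": datagram[8:]}

def classify(udp: dict) -> str:
    """Name the application protocol and direction from the port pair alone."""
    sport, dport = udp["sport"], udp["dport"]
    if (sport, dport) == (BOOTPC, BOOTPS):
        return "DHCP client -> server"  # e.g. the DHCP Request (Activity 22, steps 10-11)
    if (sport, dport) == (BOOTPS, BOOTPC):
        return "DHCP server -> client"  # e.g. the DHCP ACK (Activity 22, steps 20-21)
    if dport == DOMAIN:
        return f"DNS query from dynamic port {sport}"
    if sport == DOMAIN:
        return f"DNS response to dynamic port {dport}"
    return "other UDP"

def pair_dns(datagrams: list) -> list:
    """Match each DNS response to the query it answers: the response's destination port
    is the dynamic source port of the query (Activity 23, steps 10 and 21)."""
    open_queries = {}  # dynamic port -> index of the query still awaiting a response
    pairs = []
    for i, raw in enumerate(datagrams):
        udp = parse_udp(raw)
        if udp["dport"] == DOMAIN:
            open_queries[udp["sport"]] = i
        elif udp["sport"] == DOMAIN and udp["dport"] in open_queries:
            pairs.append((open_queries.pop(udp["dport"]), i))
    return pairs

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    # Builder for the constructed samples; checksum left zero (optional for UDP over IPv4).
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed capture in the order Activity 21 generates it: DHCP renewal, then nslookup.
SAMPLE_UDP = [
    _udp(BOOTPC, BOOTPS, b"dhcp-request"),
    _udp(BOOTPS, BOOTPC, b"dhcp-ack"),
    _udp(52431, DOMAIN, b"ptr-query"),
    _udp(DOMAIN, 52431, b"ptr-response"),
]
```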
Activity 24 - Capture TCP Traffic
To capture TCP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type telnet www.google.com 80 and press Enter.
4. Close the command prompt to close the TCP connection.
5. Stop the Wireshark capture.
Activity 25 - Analyze TCP SYN Traffic
To analyze TCP SYN traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related
to the web server connection, type tcp.port == 80 (lower case) in the Filter box and press Enter.
2. Select the first TCP packet, labeled http [SYN].
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your default gateway's
MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the IP address of one of
Google's web servers.
9. Expand Transmission Control Protocol to view TCP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this connection.
11. Observe the Destination port. Notice that it is http (80).
12. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual
sequence number, select Sequence number to highlight the sequence number in the bottom
Wireshark bytes pane.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-
way handshake.
Activity 26 - Analyze TCP SYN, ACK Traffic
To analyze TCP SYN, ACK traffic:
1. In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your default gateway MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the Google web server IP
address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is http (80).
10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
11. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual
sequence number, select Sequence number to highlight the sequence number in the bottom
Wireshark bytes pane.
12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the
actual acknowledgement number, select Acknowledgement number to highlight the
acknowledgement number in the bottom pane. Notice that the actual acknowledgement number
is one greater than the sequence number in the previous segment.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the
TCP three-way handshake.
Activity 27 - Analyze TCP ACK Traffic
To analyze TCP ACK traffic:
1. In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway MAC
address and the source should be your MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the Google web server IP
address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
10. Observe the Destination port. Notice that it is http (80).
11. Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual
sequence number, select Sequence number to highlight the sequence number in the bottom
Wireshark bytes pane.
12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the
actual acknowledgement number, select Acknowledgement number to highlight the
acknowledgement number in the bottom pane.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-
way handshake. The client has established a TCP connection with the server.
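Wireshark's relative sequence and acknowledgement numbers from Activities 25 to 27, reproduced in Python. This is an added example, not code from the lab manual: it parses the 20-byte TCP header, prints the flags the way the Info column does, converts the absolute numbers to the 0/0, 0/1, 1/1 pattern of the handshake by subtracting each direction's initial sequence number, and checks that every acknowledgement is one greater than the previous segment's sequence number. The three segments, the dynamic port 51000 and both initial sequence numbers are constructed.

```python
"""Parse TCP headers and reproduce Wireshark's relative seq/ack numbers for a handshake."""
import struct

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
MASK32 = 0xFFFFFFFF

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options and payload are not needed here."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_byte, flag_byte, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    flags = {name for bit, name in FLAG_NAMES.items() if flag_byte & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "header_len": (offset_byte >> 4) * 4}

def wireshark_label(flags: set) -> str:
    """Order flags the way Wireshark's Info column prints them, e.g. [SYN, ACK]."""
    order = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return "[" + ", ".join(f for f in order if f in flags) + "]"

def relative_numbers(segments: list) -> list:
    """Relative numbers as Wireshark shows them: the first seq seen in each direction is
    that direction's ISN; relative seq subtracts the sender's ISN, relative ack the peer's."""
    isn = {}  # (sport, dport) -> initial sequence number of that direction
    out = []
    for raw in segments:
        t = parse_tcp(raw)
        fwd, rev = (t["sport"], t["dport"]), (t["dport"], t["sport"])
        isn.setdefault(fwd, t["seq"])
        rel_seq = (t["seq"] - isn[fwd]) & MASK32
        rel_ack = (t["ack"] - isn[rev]) & MASK32 if "ACK" in t["flags"] and rev in isn else 0
        out.append((wireshark_label(t["flags"]), rel_seq, rel_ack))
    return out

def verify_handshake(segments: list) -> bool:
    """Three-way handshake of Activities 25-27: SYN, then SYN+ACK acknowledging
    client ISN + 1, then ACK acknowledging server ISN + 1."""
    if len(segments) < 3:
        return False
    syn, synack, ack = (parse_tcp(s) for s in segments[:3])
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"}
            and synack["ack"] == (syn["seq"] + 1) & MASK32
            and ack["flags"] == {"ACK"}
            and ack["seq"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (synack["seq"] + 1) & MASK32)

def _tcp(sport: int, dport: int, seq: int, ack: int, flag_byte: int) -> bytes:
    # Builder for constructed samples: 20-byte header, window 65535, checksum and urgent pointer zero.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_byte, 65535, 0, 0)

# Constructed handshake from dynamic port 51000 to http (80), with arbitrary ISNs.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0xF00DBEEF
HANDSHAKE = [
    _tcp(51000, 80, CLIENT_ISN, 0, 0x02),                   # [SYN]       seq 0
    _tcp(80, 51000, SERVER_ISN, CLIENT_ISN + 1, 0x12),      # [SYN, ACK]  seq 0, ack 1
    _tcp(51000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, 0x10),  # [ACK]       seq 1, ack 1
]
```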
