Wireshark

Introduction:
In late 1997 Gerald Combs needed a tool for tracking down network
problems and wanted to learn more about networking, so he started writing
Ethereal.
In 2006 the project moved house and re-emerged under a new name:
Wireshark.
In 2008, after ten years of development, Wireshark finally arrived at version
1.0.
In 2015 Wireshark 2.0 was released, which featured a new user interface.

Wireshark is a network packet/protocol analyzer.

A network packet analyzer captures network packets and displays each
packet with its header fields along with its payload.

It is a tool used to inspect data passing through a network interface
(physical layer), whether that interface uses Ethernet, Token Ring, WiFi,
etc.

Working Principle:
- Captures network traffic
- Decodes packets of a large number of protocols
- Displays the network traffic in human-readable format

Bit view -> Human-readable format

Applications:
- Network administrators use it to troubleshoot network problems
- Network security engineers use it to examine security problems
- Developers use it to debug protocol implementations
- People use it to learn network protocol internals

How it Works?
List of available interfaces > select the interface > Start

OSI Layers (layer: example protocols from the slide):
- Application: HTTP, SMTP
- Presentation: JPEG, GIF, MPEG
- Session: WinSock
- Transport: TCP, UDP
- Network: IP, ICMP
- Data link: Ethernet, FDDI
- Physical: Fiber, Wireless

A packet is represented in hexadecimal format.

Usually a network sniffer captures only those packets sent to its own
network address.

Enabling promiscuous mode makes the network sniffer listen to all the
traffic on the network, even though a packet is not destined for the
particular node where the network sniffer (Wireshark) is installed.

The filter engine helps in removing the noise from a packet trace and
lets you see only the packets that interest you.
2 types
- Display Filter
- Capture Filter
A capture filter is used to select which packets should be saved to disk
while capturing.
A display filter is used to show only those packets that the user intends
to view, out of all captured packets.

Capture Filters:
host 172.18.5.4
net 192.168.0.0/24
host www.example.com and not (port 80 or port 25)
port 53    (capture packets on a specific port)
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)    (capture packets within a range of ports)
src net 192.168.0.0 mask 255.255.255.0
pppoes and (host 192.168.0.0 and port 80)    (capture PPPoE traffic)

Display Filters:
ip.addr eq 172.16.52.110
ip.src eq addr1 and ip.dst eq addr2
http contains "url"
http.request.method == "GET"
tcp.port == 80 and ip.src == 192.168.2.1
ip.src ne addr1 or ip.dst ne addr1
http.content_type matches "audio/*"
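The following is an added example, not code from the slides or from the Wireshark project. It ties together three points above: the hexadecimal "bit view" of a packet, the layer-by-layer decoding into human-readable fields, and the difference between capture filters (which see raw bytes, so `tcp[0:2]` is simply the two bytes at offset 0 of the TCP header, i.e. the source port) and display filters (which see decoded fields such as `ip.addr` or `http.request.method`). The frame is constructed in the script (made-up MAC addresses, the slide's IP addresses 192.168.2.1 and 172.16.52.110, source port 1510 so that it falls inside the slide's 1500-1550 range); the field names imitate Wireshark's display-filter names, but the dissector and the filter evaluator are a toy written for this example and are not Wireshark's engine.

```python
"""Decode one constructed Ethernet/IPv4/TCP frame from its raw bytes and evaluate
the capture- and display-filter expressions from the slides against it.
Added example; the frame is built here and is not a real capture."""
import ipaddress
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip="192.168.2.1", dst_ip="172.16.52.110", sport=1510, dport=80,
                payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n") -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame (MACs, ports and payload are sample values)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum left 0, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp


def hexdump(data: bytes, width: int = 16) -> str:
    """The 'bit view': raw bytes laid out the way a hex pane shows them."""
    return "\n".join("%04x  %s" % (i, data[i:i + width].hex(" "))
                     for i in range(0, len(data), width))


def dissect(frame: bytes) -> dict:
    """Bit view -> human-readable fields, one layer at a time, in the order dissectors run.
    Field names imitate Wireshark's display-filter field names (toy dissector, not Wireshark's)."""
    f = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])      # layer 2: Ethernet II
    f["eth.dst"], f["eth.src"], f["eth.type"] = dst.hex(":"), src.hex(":"), ethertype
    if ethertype != 0x0800:
        return f
    ip = frame[14:]                                                 # layer 3: IPv4
    ihl = (ip[0] & 0x0F) * 4
    vihl, _tos, total_len, _id, _ff, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    f.update({"ip.version": vihl >> 4, "ip.hdr_len": ihl, "ip.len": total_len, "ip.ttl": ttl,
              "ip.proto": proto, "ip.checksum": csum,
              "ip.checksum.good": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum,
              "ip.src": str(ipaddress.IPv4Address(s)), "ip.dst": str(ipaddress.IPv4Address(d))})
    if proto != 6:
        return f
    tcp = ip[ihl:total_len]                                         # layer 4: TCP
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    payload = tcp[(off >> 4) * 4:]
    f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
              "tcp.flags": flags, "tcp.window_size": win, "tcp.payload": payload})
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD"):                        # layer 7: crude HTTP request check
        f["http.request.method"] = method.decode("ascii")
    return f


def tcp_slice(frame: bytes, offset: int, size: int) -> int:
    """Value of the capture-filter expression tcp[offset:size]: raw bytes at `offset` into the
    TCP header, so tcp[0:2] is the source port and tcp[2:2] the destination port."""
    start = 14 + (frame[14] & 0x0F) * 4 + offset
    return int.from_bytes(frame[start:start + size], "big")


def in_net(addr: str, net: str, mask: str) -> bool:
    """Capture filter `net <net> mask <mask>` applied to one address."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask))


def evaluate_slide_filters(frame: bytes) -> dict:
    """Each slide filter evaluated against the frame: capture filters look at raw bytes,
    display filters look at the decoded fields."""
    f = dissect(frame)
    ports = (f["tcp.srcport"], f["tcp.dstport"])
    return {
        "port 80": 80 in ports,
        "(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)":
            1500 < tcp_slice(frame, 0, 2) < 1550 or 1500 < tcp_slice(frame, 2, 2) < 1550,
        "src net 192.168.0.0 mask 255.255.255.0": in_net(f["ip.src"], "192.168.0.0", "255.255.255.0"),
        "ip.addr eq 172.16.52.110": "172.16.52.110" in (f["ip.src"], f["ip.dst"]),
        'http.request.method == "GET"': f.get("http.request.method") == "GET",
        "tcp.port == 80 and ip.src == 192.168.2.1": 80 in ports and f["ip.src"] == "192.168.2.1",
    }


if __name__ == "__main__":
    frame = build_frame()
    print(hexdump(frame))
    for name, value in dissect(frame).items():
        print("%-22s %r" % (name, value))
    for expr, hit in evaluate_slide_filters(frame).items():
        print("%-5s %s" % (hit, expr))
```

Running the script prints the hex dump first, then the decoded fields, then each slide filter with its result. Note that `src net 192.168.0.0 mask 255.255.255.0` comes out false for this frame because 192.168.2.1 is in a different /24, and that a single corrupted header byte flips `ip.checksum.good` to false, which is the same check Wireshark performs when checksum validation is enabled.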

https://www.wireshark.org/#learnWS
https://en.wikipedia.org/wiki/Wireshark

Identify Packet
https://ask.wireshark.org/questions/7621/identify-packet

Wireshark Filters
https://www.wireshark.org/docs/man-pages/wireshark-filter.html
Ethernet Packet
http://www.infocellar.com/networks/ethernet/frame.htm
http://ecomputernotes.com/computernetworkingnotes/communicationnetworks/cyclic-redundancy-check
