Introduction To Wireshark: COMP2322 Lab 1 [PDF]


COMP2322 Lab 1

Introduction to Wireshark
Weichao Li
Jan. 22, 2016

Before the lab
• Review the content of communication architecture.
• Review TCP/IP model and protocol suite.
• Understand data transferring, layering, and encapsulation/demultiplexing.


Content
• Data capture basis and tools
• Getting started with Wireshark
• Advanced usage
• Traffic and protocol analysis


Packet capture
• Why do we need to capture packets?
  – troubleshoot network problems
  – examine security problems
  – debug protocol implementations
  – learn network protocol internals


Existing packet capture tools/sniffers
• Classic tools
  – Wireshark (http://www.wireshark.org/)
  – tcpdump (http://www.tcpdump.org/)
• Other tools
  – Ettercap
  – Dsniff
  – Ntop
  – KISMET
  – WinDump
  – Tshark
  – …

What is Wireshark?
• An open-source network protocol analyzer
  – captures network packets
  – displays that packet data
• Decodes 1,926 protocols (V2.0.1).
• Supports command-line and GUI interfaces.
• Runs on many platforms, including Windows, OS X, Linux, and UNIX.
• Many online resources
  – Wireshark User’s Guide (http://www.wireshark.org/download/docs/user-guide-a4.pdf)

How does Wireshark work?
[Diagram: Wireshark sits on top of the platform’s capture library: libpcap on Linux, Winpcap on Windows.]

Libpcap and Winpcap
• Libpcap and Winpcap are libraries for network traffic capture, providing the core functions of packet capturing.
  – Linux/Unix -> libpcap
  – Windows -> winpcap
• Homepage of libpcap:
  – http://www.tcpdump.org/
• Homepage of winpcap:
  – http://www.winpcap.org

Tcpdump and Windump
• Tcpdump
  – Unix-based command-line tool used to analyze packets
    • Includes filtering to capture just the packets of interest
  – Homepage: http://www.tcpdump.org/
• Windump
  – The Windows version of tcpdump
  – Homepage: http://www.winpcap.org/windump/

Tshark
• Also a network protocol analyzer
• Command-line version of Wireshark
• User manual: https://www.wireshark.org/docs/man-pages/tshark.html


Basic usage of Wireshark
• Tip: packet capture needs root/administrator privileges
• Packet capture: select the right interface!
• Save / open trace


Practice 1: my first packet trace
• Y:\Win32\WiresharkPortable_1.4
• Select the right interface.
• Start packet capture for 10 seconds and save the trace.
• Question 1 (2 marks for each part in a question)
  – A) How many interfaces have you observed? What are they?
  – B) Which interface will you choose and why?

Advanced usage (1): filters
• Capture filters
  – Only the packets meeting the rule will be captured and decoded in Wireshark.
  – Syntax
    • Specify protocols: ip, tcp, udp
    • Specify host: host, dst, src
    • More filters can be found: http://wiki.wireshark.org/CaptureFilters
• Display filters
  – Do not affect captured packets.
  – Only determine whether or not to display some packets.
  – Syntax
    • Useful: Follow TCP Stream
    • More filters can be found: http://wiki.wireshark.org/DisplayFilters

Advanced usage (2)
• Follow a stream.
  – Stream: [IP address A, port A, IP address B, port B]
• Adjust the layout and columns.
  – Edit -> Preferences
• Statistics
  – Summary: general statistics about the current capture file
  – Conversations: statistics of the captured conversations
    • Conversation is the traffic between two specific endpoints
  – Endpoints: traffic statistics of an end host
  – IO Graphs: visualizing the number of packets in time
  – …
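As an added example (not part of the lab slides or of Wireshark itself), the Python script below shows what the stream and conversation statistics above compute: it parses Ethernet/IPv4/TCP frames, keys every packet on the unordered pair of (IP address, port) endpoints so that both directions of one connection fall into the same stream, and applies a port-based display filter in the spirit of `tcp.port == 80`. All addresses, ports and payloads are constructed sample values, and the frame builder is a helper written for this example.

```python
import socket
import struct

def tcp_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse_frame(pkt):
    """Return (src_ip, sport, dst_ip, dport, payload_len), or None if not IPv4/TCP."""
    if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:   # EtherType IPv4, IP protocol 6
        return None
    ihl = (pkt[14] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", pkt[16:18])[0]
    tcp = pkt[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                       # TCP header length
    return (socket.inet_ntoa(pkt[26:30]), sport,
            socket.inet_ntoa(pkt[30:34]), dport, total_len - ihl - doff)

def stream_key(src, sport, dst, dport):
    """Unordered (IP, port) endpoint pair, so both directions of a connection share a key."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def conversations(frames):
    """Packets and payload bytes per stream, like Statistics -> Conversations."""
    stats = {}
    for p in filter(None, map(parse_frame, frames)):
        key = stream_key(*p[:4])
        n, b = stats.get(key, (0, 0))
        stats[key] = (n + 1, b + p[4])
    return stats

def display_filter(frames, port):
    """Keep frames where either TCP port matches, roughly 'tcp.port == <port>'."""
    return [f for f in frames if (p := parse_frame(f)) and port in (p[1], p[3])]

# Constructed sample trace: one HTTP request/response pair plus one unrelated SSH segment.
SAMPLE = [
    tcp_frame("192.168.1.10", 51000, "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    tcp_frame("203.0.113.5", 80, "192.168.1.10", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    tcp_frame("192.168.1.10", 51001, "203.0.113.9", 22, b"SSH-2.0-x\r\n"),
]

if __name__ == "__main__":
    for key, (n, nbytes) in conversations(SAMPLE).items():
        print(key, "packets:", n, "payload bytes:", nbytes)
```

The same grouping is what "Follow TCP Stream" uses to reassemble one conversation, and the display filter leaves the capture itself untouched, unlike a capture filter.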


Analyze Web application
• The World Wide Web (WWW) is the most popular Internet application.
• Answer the following questions (Question 2):
  – A) What’s the relationship between Web and HTTP?
  – B) What type of protocol does HTTP belong to?
  – C) How many application protocols have you captured when accessing a website?


Practice 2: analyze HTTP traffic
• Y:\Win32\WiresharkPortable
• Select the right interface.
• Visit www.polyu.edu.hk.
• Analyze HTTP traffic (Question 3)
  – A) What’s your HTTP request method?
  – B) What’s your HTTP request version?
  – C) What’s the status code in the response? What does it mean?

Practice 2 (cont’d)
• Apply a display filter so that only HTTP packets are shown (Question 4)
  – A) How many HTTP requests have been sent to the Web server?
  – B) Write down each request (at least 3).


Practice 3
• Try different capture filters (Question 5)
  – A) How can I capture only HTTP traffic?
  – B) How can I capture only the traffic from/to a specified host?
• Visit http://www.polyu.edu.hk again and analyze the HTTP traffic (Question 6)
  – A) What’s your IP address?
  – B) What’s the server’s IP address?
• Visit http://www.polyu.edu.hk/test and analyze the HTTP traffic (Question 7)
  – A) What’s the difference compared with the last step?

Practice 3 (cont’d)
• Visit http://www.oneprobe.org and analyze HTTP traffic (Question 8)
  – A) What’s the difference compared with the previous steps?
  – B) How many Web servers have you accessed?
  – C) Write down the exact IP addresses of servers.
  – D) Explain what happened in this HTTP session.


Practice 4
• Delete capture filter
• Start a new capture
• Visit http://hk.yahoo.com/
• When the page is fully loaded, stop capturing
• Compare the throughput between UDP and TCP in time (through Statistics->IO Graphs)

Practice 5
• Start a new capture
• Visit https://www.google.com.hk
• When the page is fully loaded, stop capturing
• Identify the HTTPS traffic (Question 9)
  – A) What’s the default port of HTTPS?
  – B) What can you see after applying “follow the TCP stream”?
  – C) Write down the process of how a https connection is established.

Practice 6
• Visit http://www.facebook.com and analyze HTTP traffic
  – Record the IP address of the Facebook server
  – Save the trace
• Visit Facebook again at home, and compare the trace with the one obtained on campus (Question 10)
  – A) Record the IP address of the Facebook server.
  – B) Is the IP address recorded at home the same as the one recorded on campus?
  – C) If not, explain why the servers are different.


Further reading
• CDN (content delivery network)
  – http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/


Thanks
