Friday, June 25, 2010

What is Wireshark? A network or packet sniffer, Part 2

In the previous post, the basic download and installation of Wireshark on Windows and Ubuntu Linux was discussed. Today's article covers the basic uses of Wireshark and how to get the most out of it using the various filters and other options.
Once Wireshark is configured to capture packets from the correct interface, it shows the frames being sent and received on that interface. You might get an output such as this:





You can view the details of a packet by clicking on it. The details are displayed in the same logically encapsulated form in which they appear on the wire: the Ethernet frame first, then the IP header, and so on.


Please note that Wireshark cannot capture wireless data: special hardware (such as a wireless USB adapter) is required for that. Cace Technologies have developed such a product, called AirPcap; links are at the bottom.
 

WIRESHARK FILTERS:


If you wish to see only packets of a particular protocol, IP address or port number (or a variety of other parameters), you can write a 'filter', i.e. an expression that filters the capture and displays only the requested traffic.


Programmers, especially C/C++ users, will find it easy to create filters because of the similarity in syntax.
For example, to display only TCP traffic, simply enter tcp in the filter field and click Apply. If everything except TCP is required, put a ! in front of it: !tcp. Almost all the major protocols are supported, at least the upper-layer protocols.


What if traffic from a particular IP address is required? Simply use the ip.src or ip.dst field.
E.g. if traffic coming from 192.168.32.1 is to be filtered and displayed, enter
ip.src==192.168.32.1 ; note the use of two = signs



Suppose we want to view only TCP traffic coming from 192.168.32.1. Here two conditions must be satisfied simultaneously, hence the && operator. The input to the filter field becomes


ip.src==192.168.32.1 && tcp


Furthermore, if we want to view TCP or UDP traffic coming from 192.168.32.1, the situation is slightly more complex: either the packet is TCP and the source IP is 192.168.32.1, or the packet is UDP and the source IP is 192.168.32.1. Here the OR operator, ||, also comes into play. The filter becomes:

ip.src==192.168.32.1 && (tcp || udp)

Basically, Wireshark checks whether ip.src equals 192.168.32.1; if so, it further checks whether the protocol is TCP or UDP. If either is true, the overall boolean result is true and that packet is displayed.


As a final example, if we want TCP traffic from 192.168.32.1 with source port 100 or 200 and destination port 121 or 221, the filter becomes:
ip.src==192.168.32.1 && tcp && (tcp.srcport == 100 || tcp.srcport == 200) && (tcp.dstport == 121 || tcp.dstport == 221)
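As an added example (not part of the original post), here is a small Python evaluator for exactly the display-filter subset used above, run over constructed sample packets. It shows how !, && and || combine with parentheses, and why tcp.port (which matches either direction) gives different results from tcp.srcport.

```python
import re
# Tokens of the filter subset: operators, field or protocol names, numbers, IPs.
TOKEN = re.compile(r"\s*(&&|\|\||==|!|\(|\)|[A-Za-z_][\w.]*|[\d.]+)")

def field_equals(pkt, field, value):
    if field.endswith(".port"):  # tcp.port matches either direction, as in Wireshark
        return any(field_equals(pkt, field[:-5] + d, value) for d in (".srcport", ".dstport"))
    return field in pkt and str(pkt[field]) == value

def matches(filter_text, pkt):
    """Evaluate a display filter against one packet (a dict keyed by Wireshark field
    names). Recursive descent, lowest precedence first: || then && then ! then atom."""
    toks, pos = TOKEN.findall(filter_text), [0]
    if "".join(toks) != "".join(filter_text.split()):  # reject unrecognised input
        raise ValueError(f"bad filter: {filter_text!r}")
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1; return toks[pos[0] - 1]
    def binop(op, operand, combine):  # left-assoc chain; always consume the right side
        v = operand()
        while peek() == op:
            take(); rhs = operand(); v = combine(v, rhs)
        return v
    expr_or = lambda: binop("||", expr_and, lambda a, b: a or b)
    expr_and = lambda: binop("&&", expr_not, lambda a, b: a and b)
    def expr_not():
        if peek() == "!":
            take(); return not expr_not()
        return primary()
    def primary():
        tok = take()
        if tok == "(":
            v = expr_or()
            if take() != ")": raise ValueError("missing )")
            return v
        if peek() == "==":
            take(); return field_equals(pkt, tok, take())
        return any(k.split(".")[0] == tok for k in pkt)  # bare protocol name
    result = expr_or()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return result

PACKETS = [  # constructed sample packets, not from a real capture
    {"ip.src": "192.168.32.1", "ip.dst": "10.0.0.5", "tcp.srcport": 100, "tcp.dstport": 121},
    {"ip.src": "192.168.32.1", "ip.dst": "10.0.0.5", "udp.srcport": 53, "udp.dstport": 5353},
    {"ip.src": "10.0.0.9", "ip.dst": "192.168.32.1", "tcp.srcport": 200, "tcp.dstport": 443},
    {"ip.src": "192.168.32.1", "ip.dst": "10.0.0.5", "tcp.srcport": 4000, "tcp.dstport": 200},
]

def apply_filter(filter_text, packets=PACKETS):  # indices of the packets selected
    return [n for n, pkt in enumerate(packets) if matches(filter_text, pkt)]
```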



Follow a stream



One of the best features of Wireshark is the ability to "follow" a stream. When a TCP connection is established, a two-way virtual channel is created and the two endpoints communicate over it. This feature displays the application-layer data being exchanged over that channel in strict chronological order, which is very useful for analyzing what kind of data is being exchanged at the application layer.



Searching data


With the Find Packet option one can search for a particular string in the captured packets. The option is neatly tucked away in the Find Packet dialog; select the String radio button.





Promiscuous mode


Another superb feature, and one that made this software one of the most popular network analysis tools and sniffers (earlier it was known as Ethereal). These two exciting topics deserve a proper explanation and a fresh page!


Download Wireshark
WinPcap Homepage
Airpcap Homepage
