Wireshark, a combination of a Linux distro (Kali) and an open source security framework (Metasploit), is a popular and powerful tool. Wireshark is mainly used to analyze the bits and bytes that flow through a network. It efficiently deals with the second to the seventh layer of network protocols, and the resulting analysis is presented in a form that people can easily read.
Mastering Wireshark 2 helps you gain expertise in securing your network. We start with installing and setting up Wireshark 2.0, and then explore its interface in order to understand all of its functionalities. As you progress through the chapters, you will discover different ways to create, use, capture, and display filters. By halfway through the book, you will have mastered Wireshark features, analyzed different layers of the network protocol, and searched for anomalies. You'll learn about plugins and APIs in depth. Finally, the book focuses on packet analysis for security tasks, command-line utilities, and tools that manage trace files.
By the end of the book, you'll have learned how to use Wireshark for network security analysis and configured it for troubleshooting purposes.
Page count: 251
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Prachi Bisht
Content Development Editor: Trusha Shriyan
Technical Editor: Sayali Thanekar
Copy Editor: Laxmi Subramanian
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai
First published: May 2018
Production reference: 1290518
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78862-652-1
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Andrew Crouthamel is an experienced senior network engineer and IT trainer who resides in Doylestown, PA, and currently works with organizations including NASA, ESA, JAXA, Boeing, and the US Air Force. His passion for teaching is reflected in his work, which is filled with excitement and real-world anecdotes.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Mastering Wireshark 2
Packt Upsell
Why subscribe?
PacktPub.com
Contributor
About the author
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Installing Wireshark 2
Installation and setup
Installing Wireshark on Windows
Installing Wireshark on macOS
Installing Wireshark on Linux
Summary
Getting Started with Wireshark
What's new in Wireshark 2?
Capturing traffic
How to capture traffic
Saving and exporting packets
Annotating and printing packets
Remote capture setup
Prerequisites
Remote capture usage
Summary
Filtering Traffic
Berkeley Packet Filter (BPF) syntax
Capturing filters
Displaying filters
Following streams
Advanced filtering
Summary
Customizing Wireshark
Preferences
Appearance
Layout
Columns
Fonts and colors
Capture
Filter buttons
Name resolution
Protocols
Statistics
Advanced
Profiles
Colorizing traffic
Examples of colorizing traffic
Example 1
Example 2
Summary
Statistics
TCP/IP overview
Time values and summaries
Trace file statistics
Resolved addresses
Protocol hierarchy
Conversations
Endpoints
Packet lengths
I/O graph
Load distribution
DNS statistics
Flow graph
Expert system usage
Summary
Introductory Analysis
DNS analysis
An example for DNS request failure
ARP analysis
An example for ARP request failure
IPv4 and IPv6 analysis
ICMP analysis
Using traceroute
Summary
Network Protocol Analysis
UDP analysis
TCP analysis I
TCP analysis II
Graph I/O rates and TCP trends
Throughput
I/O graph
Summary
Application Protocol Analysis I
DHCP analysis
HTTP analysis I
HTTP analysis II
FTP analysis
Summary
Application Protocol Analysis II
Email analysis
POP and SMTP
802.11 analysis
VoIP analysis
VoIP playback
Summary
Command-Line Tools
Running Wireshark from a command line
Running tshark
Running tcpdump
Running dumpcap
Summary
A Troubleshooting Scenario
Wireshark plugins
Lua programming
Determining where to capture
Capturing scenario traffic
Diagnosing scenario traffic
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Wireshark, a combination of Kali and Metasploit, deals with the second to the seventh layers of network protocols. The book will introduce you to various protocol analysis methods and teach you how to analyze them. You will discover and work with some advanced features, which will enhance the capabilities of your application. By the end of this book, you will be able to secure your network using Wireshark 2.
If you are a security professional or a network enthusiast who is interested in understanding the internal working of networks and have some prior knowledge of using Wireshark, then this book is for you.
Chapter 1, Installing Wireshark 2, teaches you how to install Wireshark on Windows, macOS, and Linux.
Chapter 2, Getting Started with Wireshark, tells you about what's new in Wireshark 2. It will also teach you how to capture traffic and how to save, export, annotate, and print packets.
Chapter 3, Filtering Traffic, teaches you about BPF syntax and how to write a filter with it. It further explains how to apply a BPF as a capture filter to reduce the packets captured, how to create and use display filters, and how to follow both TCP and UDP streams.
Chapter 4, Customizing Wireshark, explains how to apply preferences in Wireshark and customize them. You will learn how to create profiles for different analysis requirements.
Chapter 5, Statistics, provides an overview of TCP/IP and time values and summaries. You will also take a look at the expert system usage feature of Wireshark.
Chapter 6, Introductory Analysis, explains the basics of DNS and some DNS query examples. You will also learn about ARP resolution and how to resolve an IP address to a physical MAC address on an Ethernet bus. You will also acquire knowledge about IPv4 and IPv6 headers, the flags within them, and fragmentation.
Chapter 7, Network Protocol Analysis, teaches you about UDP analysis: the connectionless protocol, TCP analysis: the connection-oriented protocol, and finally, graphing I/O rates and TCP trends: visualization of the data analyzed.
Chapter 8, Application Protocol Analysis I, talks about HTTP, both in an unencrypted fashion and an encrypted fashion, and how to decrypt that. You will also look into FTP in all of its many flavors, including active mode, passive mode, and the encrypted flavors of FTPS and SFTP.
Chapter 9, Application Protocol Analysis II, teaches you email analysis using POP and SMTP. We will also look at VoIP analysis using SIP and RTP.
Chapter 10, Command-Line Tools, teaches you how to run Wireshark from the command line, and how to run tshark, tcpdump, and dumpcap.
Chapter 11, A Troubleshooting Scenario, covers troubleshooting a specific issue using Wireshark.
You will need to have Wireshark installed in a Windows/Linux/macOS system.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/MasteringWireshark2_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "So, pcapng is the next generation of the pcap file extension."
Any command-line input or output is written as follows:
nslookup wireshark.org 8.8.8.8
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "We can see the target in the Address Resolution Protocol (request) option."
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
In this chapter, we'll cover the following topics:
Installation and setup
Installing Wireshark on Windows
Installing Wireshark on macOS
Installing Wireshark on Linux
In this section, we'll take a look at installing Wireshark on Windows, macOS, and Linux.
You will need to perform the following steps:
1. Go to the https://www.wireshark.org/ web page.
2. When you get there, scroll down on the home page and click on Download. The latest version of Wireshark will be visible. Select the installer for the version of Windows that you are currently running.
3. Back on the Wireshark download page, download the version that you need, and run that file; now, click on Next to begin the setup.
4. Read the License Agreement, click on I Agree, and select the features of Wireshark that you wish to include. Most people include all of the defaults. You'll see here that we have the main Wireshark application; we have the classic interface version of Wireshark; and we have TShark, which is a command-line version of Wireshark; as well as some plugins, the User's Guide, and some additional tools.
5. We'll go ahead and accept the defaults, and then click on Next. In this window, we can customize which shortcuts show up and whether file extensions are associated with Wireshark. We're going to turn off the Wireshark Legacy Quick Launch Icon and the Wireshark Legacy Start Menu Item.
6. Click on Next, and select a location for Wireshark to install. We'll select the defaults here as well.
7. On the next page, it says: Install WinPcap? If you don't have WinPcap installed, leave that checked and it will be installed as part of the install process. Click on Next.
8. Click on Install and Wireshark will now install.
9. Partway through the install, the WinPcap installer will run; click on Next.
10. Read the License Agreement and click on I Agree. You can then decide whether or not you want the WinPcap driver to run at boot time. Most people allow it to do so. We'll leave that as the default, and click on Install.
11. That will finish very quickly; then click on Finish.
12. The Wireshark install will then continue. When the text window says completed, click on Next; then you can select whether or not you want to run Wireshark at that moment, and click on Finish.
13. Once the Wireshark GUI loads up, you are done.
In the next section, we'll go over how to install Wireshark on macOS and Linux.
To install Wireshark on macOS, perform the following steps:
1. Start by going to the https://www.wireshark.org/ web page.
2. When you're on the web page, scroll down on the main page, and click on Download. The latest version of Wireshark will be displayed.
3. Go down to macOS 10.6 and later Intel 64-bit .dmg, and click on it to download.
4. At this point, we can choose to save the file to our Downloads folder and then open it, or simply open it directly off the web page with DiskImageMounter (default). Click on OK. It downloads the file and opens it up.
5. We can then double-click on the PKG file, and click on Continue.
6. Read the License Agreement and click on Continue again, and then on Agree to indicate that you agree to the license agreement.
7. Click on Install.
8. Enter your administrator credentials and click on Install Software.
9. Once the installation is successful, click on Close.
10. If you go to your applications list in the lower right, and scroll down, you should see Wireshark at the bottom of the list. Select Wireshark, and you can see that it's now loaded.
Once Wireshark is up and running, that's it—you're done.
Installing Wireshark on Linux will differ, based on the distribution that you're using. Here, I'm using one of the most common distributions available: Ubuntu. In order to install Wireshark, perform the following steps:
1. We'll go to the Ubuntu Software application; click on that and search for synaptic.
2. Simply click on Install; enter your administrator password (your root password) and the software will be installed.
3. Click on Synaptic Package Manager to open it up. Enter your credentials again, and now we have our Synaptic application loaded. This is again very similar to the Ubuntu Software application, but it's less pretty.
4. Click on the Search button, and we will search for Wireshark. Enter wireshark and click on Search, and you'll see that everything that has Wireshark in its name or description now shows up in the package list.
5. We'll scroll down and select the main wireshark package, just the one that says Wireshark.
6. Select that, and choose Mark for Installation. It will then ask you if it's okay to install other packages that are required. We can say sure, that's fine; Mark them for installation as well. So now all of our dependencies will be installed, as well.
7. We can then go up and click on Apply, and it'll tell us that we'll be installing the following packages. Click on Apply again, and Synaptic will download and install all the programs that we've selected.
8. Once everything is complete, you'll receive a Changes applied window. It'll say: Successfully applied all changes. You can now close the window.
9. Simply click on Close, and you'll see that everything marked in green is now installed, including Wireshark.
10. At this point, we can close this program as well as Ubuntu Software. Next, click on the Search button in the upper left corner of the interface, and type in wireshark. It automatically shows that Wireshark is here. We can simply click on that and it will load Wireshark.
At this point, once Wireshark loads, you're done.
In this chapter, you've learned how to install Wireshark on Windows, macOS, and Linux (specifically, Ubuntu).
In Chapter 2, Getting Started with Wireshark, we are going to take a look at what's new in Wireshark 2, capturing traffic, saving and exporting packets, annotating and printing packets, remote capture setup, and remote capture usage.
In this chapter, we'll cover the following topics:
What's new in Wireshark 2
Capturing traffic
Saving and exporting packets
Annotating and printing packets
Remote capture setup
Remote capture usage
There's a new version of Wireshark out—a new major version that has many interesting features. Here, you can see the new Qt GUI:
It looks very similar to the Legacy GTK GUI, with a few minor tweaks. The main menu bar here has had some icons changed and removed; the general interface is a little bit cleaner. All the general functionality, though, is the same. Capture options are on the upper left-hand side and they are denoted by a gear icon. When you click on the gear icon, you have multiple tabs for Input options, Output options, and general Options:
When you click on Edit | Preferences..., you can see the preferences window, as shown in the following screenshot. Options such as Show up to make it easy to navigate and view what you need to see:
As shown in the following screenshot, on the left-hand side, you can see the related packets diagram show up, based on what you select. So if you select different packets, this diagram will change in size and shape, showing the packets related to your current selection. This makes it easy to pick out packets that are related to each other without having to follow TCP or UDP streams:
Under the Statistics menu that is present in the menu bar, many of the statistics options now have a similar-looking window, as shown in the following screenshot. If you look at how the buttons, filters, and general interface are set up, they're all now standardized and look very, very similar to each other, which I'm sure makes coding much easier for those who work on the Wireshark code:
Click on Statistics | I/O Graph; now you can see the Wireshark IO graph. In the bottom left-hand corner, you can click on the plus icon and add multiple items to the chart on your IO graph, and you can do this an unlimited number of times:
Additionally, any changes you make in here are saved to your profile. With this graph, you can also click on Save As... and select different file formats to choose from:
Click on Analyze | Follow | UDP Stream; you can see the follow stream dialog box has been updated so that it now allows you to select whether it's the entire conversation or just one side at a time. It also allows you to search for text within:
In the preceding screenshot, you can see the context-aware hints in action. Within this stream, if you look at the bottom, you have some information such as client packets, server packets, and so on, that changes based on what you're hovering over. The main capture window will change to that actual packet.
This is very handy for jumping through the data and being able to see it in relation to the entire capture.
Let's now see how we'll capture traffic and get the first packets in that main window.
One of the first things I'm sure you want to do in Wireshark is to begin capturing some traffic so that you can get used to the utility and possibly diagnose some issues on your own network. In this section, we'll talk about exactly that: where to capture that traffic and how to capture it.
Wireshark needs to receive packets in one way or another, so that you may begin analyzing the data and performing your network diagnostics. There are several ways of doing so in Wireshark. One way is to begin capturing on a local device with Wireshark installed, through the GUI. You also have the option of doing so through the command line. You can capture remotely from a Wireshark install on a management computer, for example. It can retrieve the packets being received and sent from a device somewhere else on your network, using a special driver install. You can also capture the traffic inline on the wire, which means you place a device called a test action port (TAP) somewhere along the data path that you need to diagnose, and it will then send that data back to your diagnostic utilities, one of which could be Wireshark. And lastly, we'll go over how to store packets locally on an internetwork device (specifically, a Cisco router or switch) for export into Wireshark as a pcap file.
In order to capture traffic inline for Wireshark, you need to place some sort of device on the wire where it can see the traffic being sent and received, and then replicate that traffic to additional ports for your diagnostic machines, which might be running Wireshark, for example. One of the early devices that we can use for older networks running half duplex is the hub. This is the predecessor to the switch, and it has a very basic functionality: it sees the electrical signals being sent across the wire, and it replicates those electrical signals out all the other ports that it has, without any care as to what's on those ports. It's just a splitter, basically. That's great for a slower, older, half-duplex network; but for a modern, switched, full-duplex network, you'll need something a little bit fancier. One of the devices that you could use is a TAP.
There are four different TAPs available:
Non-aggregating TAPs
Aggregating TAPs
Regenerating TAPs
Link aggregation TAPs
Each one of these TAPs has a different function. I mentioned switched port analysis (SPAN) ports, or port mirroring. In a modern switched network, this is a very common way of receiving traffic. If you have a managed switch, such as a Cisco switch or any other vendor's, you can go into the switch and tell it to replicate the traffic that it sees on one port to a different port. This port can then be connected to your Wireshark machine to capture traffic. It's very useful for modern networks because no other hardware is required: you just go into the switch and tell it to replicate the data out to your monitoring system.
In order to capture traffic on wireless, you need to be aware that there are multiple modes that you could use. There are two modes that we will be discussing:
Monitor mode: This mode receives all packets on a specified channel. So, in the US we have 11 channels on 2.4 GHz, for example. You could tell your network card or wireless card to receive all traffic on channel number 3, and then it would capture all of that traffic for any SSID and any network that is on channel 3.
Promiscuous mode: This mode is more common to find in your wireless drivers, and it allows you to receive all packets on a connected SSID, on a connected network. If you're connected to your work network or your home network, whatever it is you're trying to diagnose, it'll capture anything that's traversing that network name and that SSID. But it will ignore any others on the same channel, and it will certainly ignore anything else on any other channel, as well.
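The SPAN (port mirroring) setup described above, as an added example that is not from the book: Cisco IOS commands that mirror the port under diagnosis to the port where the Wireshark machine is connected, followed by the embedded packet capture that the chapter mentions for storing packets on the router or switch itself and exporting them as a pcap file. The interface names, session number, and capture name CAP are assumptions, and the embedded packet capture syntax is the IOS-XE form, which varies between releases.

```cisco
! --- SPAN session: copy everything seen on the port under diagnosis
!     to the port where the Wireshark machine is plugged in.
!     Interface names and the session number are assumptions.
configure terminal
 monitor session 1 source interface GigabitEthernet1/0/10 both
 monitor session 1 destination interface GigabitEthernet1/0/24
 end
! Verify the session before trusting what Wireshark shows:
show monitor session 1
!
! --- Embedded packet capture on an IOS-XE router or switch:
!     buffer packets on the device itself, then export a pcap
!     that Wireshark can open. The capture name CAP is an assumption;
!     the export syntax differs between IOS-XE releases.
monitor capture CAP interface GigabitEthernet1/0/10 both
monitor capture CAP match any
monitor capture CAP buffer size 10
monitor capture CAP limit duration 60
monitor capture CAP start
! ... wait for the traffic of interest ...
monitor capture CAP stop
monitor capture CAP export flash:CAP.pcap
! Copy CAP.pcap off the device (for example: copy flash:CAP.pcap tftp:)
! and open it in Wireshark.
!
! Remove the mirror session when the diagnosis is finished, so the
! monitoring port does not keep receiving copies of production traffic:
configure terminal
 no monitor session 1
 end
```

A SPAN destination port or an exported pcap carries a copy of whatever crossed the link, including any cleartext credentials, so the monitoring port and the capture file need the same access controls as the traffic itself.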
In the following screenshot, we can see that Wireshark is running. You can see that I have a list of interfaces here, including a local area connection and some virtual adapters. I do not have any wireless adapters on this computer, or else they would show up here as well. And any other additional network interface controller (NIC) cards that you might have, wired cards included, would all show up here in the list:
You will also see that there's a chart that's continuing to be drawn by Wireshark, and it's showing us the amount of data that it sees on each connection. This is actually pretty useful, especially if you have a diagnostic computer that has many different interfaces—the different SPAN ports, or whatever it might be. Maybe you turned on SPAN to a specific port that's receiving a lot of data, and you don't know which one it's connected to on the monitoring system. You could take a look here. Whichever port is receiving the most data or the expected amount of data might be the one that you want to try and capture on. So I find that useful on, for example, crowded systems.
In order to capture traffic, all you have to do in the latest version of Wireshark is double-click on an interface and it will begin capturing your traffic, and you can see the traffic begin to scroll by. On this computer, I'm not actually doing anything, which is interesting considering how much traffic is being sent and received; but there are services running in the background and possibly minimized web browsers, and things like that. So you'll see there's quite a bit of communication even on a standard, idling computer:
In order to stop this capture, you just go up to the top and click on the stop icon:
You'll notice that the packets were scrolling by and being updated in real time. Well, this is useful for some situations—it might not be useful for all. So, if you have a system that's receiving a lot of data, for example, possibly gigabits per second or if you're trying to run this on a computer that's very old and slow, that might not be an ideal situation, especially if you're using the GUI.
So you can turn that off so that it doesn't use the graphics card and processor power to try and update this screen for you in real time. In order to do that, perform the following steps:
1. Click on the gear icon, as shown in the following screenshot.
2. Go to Options, and you can see that there are some check boxes here that we can turn off. One of them is Update list of packets in real-time. If I uncheck that, it will prevent the list from populating as it continues to receive packets. I can also turn off Automatically scroll during live capture. You will notice that the scroll bar on the right went down to the very bottom; if I turn off Automatically scroll during live capture, it would remain up at the top. These two options are very helpful to disable if you are running on an older computer, like I mentioned.
