Network Analysis using Wireshark 2 Cookbook - Nagendra Kumar Nainar - E-Book

Description

This book contains practical recipes on troubleshooting a data communications network. This second version of the book focuses on Wireshark 2, which has already gained a lot of traction due to the enhanced features that it offers to users. The book expands on some of the subjects explored in the first version, including TCP performance, network security, Wireless LAN, and how to use Wireshark for cloud and virtual system monitoring. You will learn how to analyze end-to-end IPv4 and IPv6 connectivity failures for Unicast and Multicast traffic using Wireshark. It also includes Wireshark capture files so that you can practice what you’ve learned in the book. You will understand the normal operation of E-mail protocols and learn how to use Wireshark for basic analysis and troubleshooting. Using Wireshark, you will be able to resolve and troubleshoot common applications that are used in an enterprise network, like NetBIOS and SMB protocols. Finally, you will also be able to measure network parameters, check for network problems caused by them, and solve them effectively. By the end of this book, you’ll know how to analyze traffic, find patterns of various offending traffic, and secure your network from them.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 535




Network Analysis Using Wireshark 2 Cookbook Second Edition
Practical recipes to analyze and secure your network using Wireshark 2
Nagendra Kumar Nainar
Yogesh Ramdoss
Yoram Orzach
BIRMINGHAM - MUMBAI

Network Analysis Using Wireshark 2 Cookbook Second Edition

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Content Development Editor: Mayur Pawanikar
Technical Editor: Dinesh Pawar
Copy Editor: Vikrant Phadkay, Safis Editing
Project Coordinator: Nidhi Joshi
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta

First published: December 2013
Second edition: March 2018

Production reference: 1280318

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78646-167-4

www.packtpub.com

I would like to dedicate this book to my beloved friend, Suresh Kumar, and his late wife, Dharshana Suresh.

– Nagendra Kumar Nainar

I would like to dedicate this book to my parents, Ramdoss and Bhavani, who have dedicated their life for my success.

– Yogesh Ramdoss
mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Nagendra Kumar Nainar (CCIE#20987) is a senior technical leader with the RP escalation team at Cisco Systems. He is the co-inventor of more than 80 patent applications and the coauthor of six internet RFCs, various internet drafts, and IEEE papers. He is a guest lecturer at North Carolina State University and a speaker at various networking forums.

I would like to thank my dear wife, Lavanya, and lovely daughter, Ananyaa, for their understanding and support; my parents, Nainar and Amirtham; brother, Natesh, and family for their support. Special thanks to my mentor, Carlos Pignataro, and manager, Mike Stallings. Thanks to Arun and Abayomi for the review. Thanks to all my friends Satish, Poornima, Praveen, Rethna, Vinodh, Mani, Parthi, and the publishers.

Yogesh Ramdoss (CCIE #16183) is a senior technical leader in the technical services organization of Cisco Systems. He is a distinguished speaker at Cisco Live, sharing knowledge and educating customers on enterprise/datacenter technologies and platforms, troubleshooting and packet capturing tools, and open network programmability. He is the co-inventor of a patent in machine/behavior learning.

I would like to thank my wife, Vaishnavi, and kids, Janani and Karthik, for their patience and support. A special mention of and thanks to Dr. V. Abhaikumar, principal of Thiagarajar College of Engineering, Madurai. I am very thankful to my coauthor Nagendra Kumar Nainar, manager Michael Stallings, mentor Carlos Pignataro, and all my friends and family.

Yoram Orzach gained his bachelor's degree in science from the Technion in Haifa, Israel, and worked at Bezeq as a systems engineer in the fields of transmission and access networks. Formerly the technical manager at Netplus, he is now the CTO of NDI Communications. He has worked with corporate, service provider, and internet service provider networks, and his client companies include Comverse, Motorola, Intel, Ceragon Networks, Marvel, HP, and others. His experience covers design, implementation, and troubleshooting, as well as training for R&D, engineering, and IT groups.

About the reviewer

Abayomi Adefila is a technical leader in the services organization of Cisco Systems. His array of accomplishments includes a B.Tech, an M.Sc, CCNA, CCDA, CCNP, CCIP, CCDP, and CCIE (R&S), along with MPLS L3 VPN, VRF, IS-IS, IPv6, BGP4, MP-BGP, OSPFv2 and v3, RIPng, EIGRPv6, DS1, DS3, Metro Ethernet, EEM, OER, advanced routing and switching on Cisco network gear, VPN concentrators, GRE, IPsec, Juniper, and so on. He has been awarded MCI's outstanding performance ovation award at Verizon and multiple CAP awards for outstanding performance at Cisco.

Jason Morris is a systems and research engineer with 18+ years of experience in system architecture, research engineering, and large data analysis.

He is a speaker and a consultant for designing large-scale architectures, best security practices on the cloud, near real-time image detection analytics with deep learning, and serverless architectures to aid in ETL. His most recent roles include solution architect, big data engineer, big data specialist, and instructor at Amazon Web Services. He is currently the chief technology officer of Next Rev Technologies.

I would like to thank the entire editorial and production team at Packt, who work hard to bring quality books to the public, and also to the readers of this publication. May this book aid you in your quest for doing great things.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Network Analysis Using Wireshark 2 Cookbook Second Edition

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the authors

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Sections

Getting ready

How to do it...

How it works...

There's more...

See also

Get in touch

Reviews

Introduction to Wireshark Version 2

Wireshark Version 2 basics

Locating Wireshark

Getting ready

How to do it...

Monitoring a server

Monitoring a router

Monitoring a firewall

Test access points and hubs

How it works...

There's more...

See also

Capturing data on virtual machines

Getting ready

How to do it...

Packet capture on a VM installed on a single hardware

Packet capture on a blade server

How it works...

Standard and distributed vSwitch

See also

Starting the capture of data

Getting ready

How to do it...

Capture on multiple interfaces

How to configure the interface you capture data from

Capture data to multiple files

Configure output parameters

Manage interfaces (under the Input tab)

Capture packets on a remote machine

Start capturing data – capture data on Linux/Unix machines

Collecting from a remote communication device

How it works...

There's more...

See also

Configuring the start window

Getting ready

The main menu

The main toolbar

Display filter toolbar

Status bar

How to do it...

Toolbars configuration

Main window configuration

Name resolution

Colorize packet list

Zoom

Mastering Wireshark for Network Troubleshooting

Introduction

Configuring the user interface, and global and protocol preferences

Getting ready

How to do it...

General appearance preferences

Layout preferences

Column preferences

Font and color preferences

Capture preferences

Filter expression preferences

Name resolution preferences

IPv4 preference configuration

TCP and UDP configuration

How it works...

There's more...

Importing and exporting files

Getting ready

How to do it...

Exporting an entire or partial file

Saving data in various formats

Printing data

How it works...

There's more...

Configuring coloring rules and navigation techniques

Getting ready

How to do it...

How it works...

See also

Using time values and summaries

Getting ready

How to do it...

How it works...

Building profiles for troubleshooting

Getting ready

How to do it...

How it works...

There's more...

See also

Using Capture Filters

Introduction

Configuring capture filters

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring Ethernet filters

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring hosts and network filters

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring TCP/UDP and port filters

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring compound filters

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring byte offset and payload matching filters

Getting ready

How to do it...

How it works...

There's more...

See also

Using Display Filters

Introduction

Configuring display filters

Getting ready

How to do it...

How it works...

There's more...

Configuring Ethernet, ARP, host, and network filters

Getting ready

How to do it...

How it works...

See also

Configuring TCP/UDP filters

Getting ready

TCP and UDP port number display filters

TCP header filters

How to do it...

How it works...

There's more...

See also

Configuring specific protocol filters

Getting ready

How to do it...

HTTP display filters

DNS display filters

FTP display filters

How it works...

See also

Configuring substring operator filters

Getting ready

How to do it...

How it works...

Configuring macros

Getting ready

How to do it...

How it works...

Using Basic Statistics Tools

Introduction

Using the statistics – capture file properties menu

Getting ready

How to do it...

How it works...

There's more...

Using the statistics – resolved addresses

Getting ready

How to do it...

How it works...

There's more...

Using the statistics – protocol hierarchy menu

Getting ready

How to do it...

How it works...

There's more...

Using the statistics – conversations menu

Getting ready

How to do it...

How it works...

There's more...

Using the statistics – endpoints menu

Getting ready

How to do it...

How it works...

There's more...

Using the statistics – HTTP menu

Getting ready

How to do it...

How it works...

There's more...

Configuring a flow graph for viewing TCP flows

Getting ready

How to do it...

How it works...

There's more...

Creating IP-based statistics

Getting ready

How to do it...

How it works...

There's more...

Using Advanced Statistics Tools

Introduction

Configuring I/O graphs with filters for measuring network performance issues

Getting ready

How to do it...

How it works...

There's more...

Throughput measurements with I/O graphs

Getting ready

How to do it...

Measuring download/upload traffic

Measuring several streams between two end devices

Measuring application throughput

Measuring a TCP stream with TCP event analysis

How it works...

There's more...

Advanced I/O graph configurations with y axis parameters

Getting ready

How to do it...

Monitoring inter-frame time delta statistics

Monitoring the number of TCP events in a stream

Monitoring the number of field appearances

How it works...

There's more...

Getting information through TCP stream graphs – time/sequence (Steven's) window

Getting ready

How to do it...

How it works...

There's more...

Getting information through TCP stream graphs – time/sequences (TCP-trace) window

Getting ready

How to do it...

How it works...

There's more...

Getting information through TCP stream graphs – throughput window

Getting ready

How to do it...

How it works...

There's more...

Getting information through TCP stream graphs – round-trip-time window

Getting ready

How to do it...

How it works...

There's more...

Getting information through TCP stream graphs – window-scaling window

Getting ready

How to do it...

How it works...

There's more...

Using the Expert System

Introduction

The expert system window and how to use it for network troubleshooting

Getting ready

How to do it...

How it works...

There's more...

See also

Error events and what we can understand from them

Getting ready

How to do it...

How it works...

There's more...

See also

Warning events and what we can understand from them

Getting ready

How to do it...

How it works...

There's more...

See also

Note events and what we can understand from them

Getting ready

How to do it...

How it works...

There's more...

See also

Ethernet and LAN Switching

Introduction

Discovering broadcast and error storms

Getting ready

How to do it...

Spanning tree problems

A device that generates broadcasts

Fixed pattern broadcasts

How it works...

There's more...

See also

Analyzing spanning tree problems

Getting ready

How to do it...

Which STP version is running on the network?

Are there too many topology changes?

How it works...

Port states

There's more...

Analyzing VLANs and VLAN tagging issues

Getting ready

How to do it...

Monitoring traffic inside a VLAN

Viewing tagged frames going through a VLAN tagged port

How it works...

There's more...

See also

Wireless LAN

Skills learned

Introduction to wireless networks and standards

Understanding WLAN devices, protocols, and terminologies

Access point (AP)

Wireless LAN controller (WLC)

Wireless radio issues, analysis, and troubleshooting

Getting ready

How to do it...

Zero wireless connectivity

Poor or intermittent wireless connectivity

Capturing wireless LAN traffic

Capturing options

Getting ready

How to do it...

Wireless station not joining a specific SSID

Users not able to authenticate after successful association

There's more...

Network Layer Protocols and Operations

Introduction

The IPv4 principles of operations

IP addressing

IPv4 address resolution protocol operation and troubleshooting

Getting ready

How to do it...

ARP attacks and mitigations

ARP poisoning and man-in-the-middle attacks

Gratuitous ARP

ARP sweep-based DoS attacks

How it works...

ICMP – protocol operation, analysis, and troubleshooting

Getting ready

How to do it...

ICMP attacks and mitigations

ICMP flood attack

ICMP smurf attack

How it works...

Analyzing IPv4 unicast routing operations

Getting ready

How it works...

IP TTL failures and attacks

Duplicate IP addresses

Analyzing IP fragmentation failures

TCP path MTU discovery

How to do it...

Fragmentation-based attack

How it works...

IPv4 multicast routing operations

How it works...

There's more...

IPv6 principle of operations

IPv6 addressing

IPv6 extension headers

IPv6 extension headers and attacks

Getting ready

How to do it...

IPv6 fragmentation

How it works...

ICMPv6 – protocol operations, analysis, and troubleshooting

Getting ready

How to do it...

IPv6 auto configuration

Getting ready

How to do it...

How it works...

DHCPv6-based address assignment

Getting ready

How to do it...

How it works...

IPv6 neighbor discovery protocol operation and analysis

How to do it...

IPv6 duplicate address detection

How it works...

Transport Layer Protocol Analysis

Introduction

UDP principle of operation

UDP protocol analysis and troubleshooting

Getting ready

How to do it...

TCP principle of operation

Troubleshooting TCP connectivity problems

Getting ready

How to do it...

How it works...

There's more...

Troubleshooting TCP retransmission issues

Getting ready

How to do it...

Case 1 – retransmissions to many destinations

Case 2 – retransmissions on a single connection

Case 3 – retransmission patterns

Case 4 – retransmission due to a non-responsive application

Case 5 – retransmission due to delayed variations

Finding out what it is

How it works...

Regular operation of the TCP sequence/acknowledge mechanism

What are TCP retransmissions and what do they cause?

There's more...

See also

TCP sliding window mechanism

Getting ready

How to do it...

How it works...

TCP enhancements – selective ACK and timestamps

Getting ready

How to do it...

TCP selective acknowledgement option

TCP timestamp option

How it works...

TCP selective acknowledgement

TCP timestamp

There's more...

Troubleshooting TCP throughput

Getting ready

How to do it...

How it works...

FTP, HTTP/1, and HTTP/2

Introduction

Analyzing FTP problems

Getting ready

How to do it...

How it works...

There's more...

Filtering HTTP traffic

Getting ready

How to do it...

How it works...

HTTP methods

Status codes

There's more...

Configuring HTTP preferences

Getting ready

How to do it...

Custom HTTP headers fields

How it works...

There's more...

Analyzing HTTP problems

Getting ready

How to do it...

How it works...

There's more...

Exporting HTTP objects

Getting ready

How to do it...

How it works...

There's more...

HTTP flow analysis

Getting ready

How to do it...

How it works...

There's more...

Analyzing HTTPS traffic – SSL/TLS basics

Getting ready

How to do it...

How it works...

There's more...

DNS Protocol Analysis

Introduction

Analyzing DNS record types

Getting ready

How to do it...

How it works...

SOA record

A resource record

AAAA resource record

CNAME resource record

There's more...

Analyzing regular DNS operations

Getting ready

How to do it...

How it works...

DNS server assignment

DNS operation

DNS namespace

The resolving process

There's more...

Analyzing DNSSEC regular operations

Getting ready

How to do it...

How it works...

There's more...

Troubleshooting DNS performance

Getting ready

How to do it...

How it works...

There's more...

Analyzing Mail Protocols

Introduction

Normal operation of mail protocols

Getting ready

How to do it...

POP3 communications

IMAP communications

SMTP communications

How it works...

POP3

IMAP

SMTP

There's more...

SSL decryption in Wireshark

Analyzing POP, IMAP, and SMTP problems

Getting ready

How to do it...

How it works...

Filtering and analyzing different error codes

Getting ready

How to do it...

SMTP

IMAP

POP3

How it works...

There's more...

IMAP response code (RFC 5530)

POP3 response code (RFC 2449)

SMTP and SMTP error codes (RFC 3463)

Malicious and spam email analysis

Getting ready

How to do it...

How it works...

NetBIOS and SMB Protocol Analysis

Introduction

Understanding the NetBIOS protocol

Understanding the SMB protocol

How it works...

Analyzing problems in the NetBIOS/SMB protocols

Getting ready

How to do it...

General tests

Specific issues

There's more...

Example 1 – application freezing

Example 2 – broadcast storm caused by SMB

Analyzing the database traffic and common problems

Getting ready

How to do it...

How it works...

There's more...

Exporting SMB objects

Getting ready

How to do it...

How it works...

Analyzing Enterprise Applications' Behavior

Introduction

Finding out what is running over your network

Getting ready

How to do it...

There's more...

Analyzing Microsoft Terminal Server and Citrix communications problems

Getting ready

How to do it...

How it works...

There's more...

Analyzing the database traffic and common problems

Getting ready

How to do it...

How it works...

There's more...

Analyzing SNMP

Getting ready

How to do it...

Polling a managed device with a wrong SNMP version

Polling a managed device with a wrong MIB object ID (OID)

How it works...

There's more...

Troubleshooting SIP, Multimedia, and IP Telephony

Introduction

IP telephony principle and normal operation

Getting ready

How to do it...

RTP operation

RTCP operation

How it works...

RTP principles of operation

The RTCP principle of operation

SIP principle of operation, messages, and error codes

Getting ready

How to do it...

How it works...

1xx codes – provisional/informational

2xx codes – success

3xx codes – redirection

4xx codes – client error

5xx codes – server error

6xx codes – global failure

Video over IP and RTSP

Getting ready

How to do it...

How it works...

There's more...

Wireshark features for RTP stream analysis and filtering

Getting ready

How to do it...

How it works...

Wireshark feature for VoIP call replay

Getting ready

How to do it...

How it works...

There's more...

Troubleshooting Bandwidth and Delay Issues

Introduction

Measuring network bandwidth and application traffic

Getting ready

How to do it...

How it works...

There's more...

Measurement of jitter and delay using Wireshark

Getting ready

How to do it...

How it works...

There's more...

Analyzing network bottlenecks, issues, and troubleshooting

Getting ready

How to do it...

How it works...

There's more...

Security and Network Forensics

Introduction

Discovering unusual traffic patterns

Getting ready

How to do it...

How it works...

There's more...

See also

Discovering MAC-based and ARP-based attacks

Getting ready

How to do it...

How it works...

There's more...

Discovering ICMP and TCP SYN/port scans

Getting ready

How to do it...

How it works...

There's more...

See also

Discovering DoS and DDoS attacks

Getting ready

How to do it...

How it works...

There's more...

Locating smart TCP attacks

Getting ready

How to do it...

How it works...

There's more...

See also

Discovering brute force and application attacks

Getting ready

How to do it...

How it works...

There's more...

Preface

Wireshark has long since become the market standard for network analysis. With the growth of the internet and TCP/IP-based networks, it has become very popular for network analysis and troubleshooting, as well as for R&D engineering, as a way to understand what is actually running over the network and what problems we face.

This book contains practical recipes on troubleshooting a data communications network. This second edition of the book focuses on Wireshark 2, which has already gained a lot of traction due to the enhanced features that it offers. The book expands on some of the subjects explored in the first edition, including TCP performance, network security, Wireless LANs, and how to use Wireshark for cloud and virtual system monitoring. You will learn how to analyze end-to-end IPv4 and IPv6 connectivity failures for unicast and multicast traffic using Wireshark. The book also includes Wireshark capture files so that you can practice what you've learned. You will understand the normal operation of email protocols and learn how to use Wireshark for basic analysis and troubleshooting. Using Wireshark, you will be able to troubleshoot common applications that are used in an enterprise network, such as NetBIOS and SMB protocols. Finally, you will also be able to measure network parameters, check for network problems caused by them, and solve them effectively. By the end of this book, you’ll know how to analyze traffic, how to find patterns of various offending traffic, and how to secure your network from them.

As the name of the book implies, this is a cookbook. It is a list of effective, targeted recipes on how to analyze networks. Every recipe targets a specific issue, how to use Wireshark for it, where to look for it, what to look for, and how to find the cause of the issue. To complete the picture, every recipe provides the theoretical foundations of the subject, in order to give the reader the required theoretical background.

You will see many examples in the book, and all of them are real-world cases. Some of them took me minutes to solve, some hours, and some took many days. But there is one process common to all of them: work systematically, use the proper tools, try to get inside the head of the application writer, and, as someone told me once, try to think like the network. Do this, use Wireshark, and you will get results. The purpose of this book is to try and get you there. Have fun!

Who this book is for

This book is for security professionals, network administrators, R&D, engineering and technical support, and communication managers who use Wireshark for network analysis and troubleshooting. It requires a basic understanding of networking concepts but does not require specific and detailed technical knowledge of protocols or vendor implementations.

What this book covers

Chapter 1, Introduction to Wireshark Version 2, covers basic tasks related to Wireshark.

Chapter 2, Mastering Wireshark for Network Troubleshooting, covers issues that improve the use of Wireshark as a network analysis tool.

Chapter 3, Using Capture Filters, talks about capture filters.

Chapter 4, Using Display Filters, shows how to work with display filters.

Chapter 5, Using Basic Statistics Tools, looks at simple tools that provide us with basic network statistics.

Chapter 6, Using Advanced Statistics Tools, covers advanced statistical tools—I/O graphs, TCP stream graphs, and, in brief, UDP multicast streams.

Chapter 7, Using the Expert System, teaches you how to use the expert system, a tool that provides deeper analysis of network phenomena, including events and problems.

Chapter 8, Ethernet and LAN Switching, focuses on how to find and resolve layer 2-based problems, with a focus on Ethernet-based issues such as broadcast/multicast events, errors, and finding their source.

Chapter 9, Wireless LAN, analyzes wireless LAN traffic and diagnoses connectivity and performance problems reported by users.

Chapter 10, Network Layer Protocols and Operations, primarily focuses on layer 3 of the OSI reference model and shows how to analyze the layer 3 protocol (IPv4/IPv6) operations. We also cover unicast and multicast traffic flow analysis.

Chapter 11, Transport Layer Protocol Analysis, primarily focuses on the transport layer of the OSI reference model, but also teaches you how to analyze various layer 4 protocol (TCP/UDP/SCTP) operations.

Chapter 12, FTP, HTTP/1, and HTTP/2, discusses these protocols, how they work, and how to use Wireshark to find common errors and problems in the network.

Chapter 13, DNS Protocol Analysis, covers the basic principles of the DNS protocol, the functionality, commonly faced issues, and the use of Wireshark to analyze and troubleshoot the protocol.

Chapter 14, Analyzing Mail Protocols, looks at the normal operation of email protocols and how to use Wireshark for basic analysis and troubleshooting.

Chapter 15, NetBIOS and SMB Protocol Analysis, teaches you how to use Wireshark to resolve and troubleshoot common applications that are used in an enterprise network, such as NetBIOS and SMB protocols.

Chapter 16, Analyzing Enterprise Applications' Behavior, explains how to use Wireshark to resolve and troubleshoot common applications that are used in an enterprise network.

Chapter 17, Troubleshooting SIP, Multimedia, and IP Telephony, discusses different protocols and how to analyze audio and video streams using Wireshark.

Chapter 18, Troubleshooting Bandwidth and Delay Issues, teaches you how to measure these network parameters, check for network problems caused by them, and solve these when possible.

Chapter 19, Security and Network Forensics, starts by differentiating between normal and unusual network traffic. Then, the chapter introduces the various types of attacks, where they come from, and how to isolate and solve them.

To get the most out of this book

You will need to install the Wireshark software. It can be downloaded from www.wireshark.org.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/NetworkAnalysisUsingWireshark2CookbookSecondEdition_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Add the string tcp.window_size to view the TCP window size."

A block of code is set as follows:

tcp[Offset:Bytes] // Or udp[Offset:Bytes]

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "When you go to the configuration menu and choose Networking."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it...

This section contains the steps required to follow the recipe.

How it works...

This section usually consists of a detailed explanation of what happened in the previous section.

There's more...

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Introduction to Wireshark Version 2

In this chapter, you will learn about:

Wireshark version 2 basics

Locating Wireshark

Capturing data on virtual machines and on the cloud

Starting the capture of data

Configuring the start window

Saving, printing, and exporting data

Wireshark Version 2 basics

In this chapter, we will cover the basic tasks related to Wireshark. In the Preface of this book, we talked a little bit about network troubleshooting, and we saw various tools that can help us in the process. After we reached the conclusion that we need to use the Wireshark protocol analyzer, it's time to locate it for testing in the network, configure it with basic settings, and adapt it to our needs.

While setting Wireshark for basic data capture is considered to be very simple and intuitive, there are many options that we can use in special cases; for example, when we capture data continuously over a connection and we want to split the capture file into small files, when we want to see names of devices participating in the connection and not only IP addresses, and so on. In this chapter, we will learn how to configure Wireshark for these special cases.

After this short introduction to Wireshark version 2, we present in this chapter several recipes to describe how to locate and start to work with the software.

The first recipe in this chapter is Locating Wireshark; it describes how and where to locate Wireshark for capturing data. Will it be on a server? On a switch port? Before a firewall? After it? On which side of the router should we connect it, the LAN side or on the WAN side? What should we expect to receive in each one of them? The first recipe describes this issue, along with recommendations on how to do it.

The next recipe is about an issue that has become very important in the last few years, the recipe Capturing data on virtual machines, which describes practical aspects of how to install and configure Wireshark in order to monitor virtual machines, on which the majority of servers have been running in the last several years.

Another issue that has come up in recent years is how to monitor virtual machines that are stored in the cloud. In the Capture data on the cloud recipe, we have several issues to discuss, among them how to decrypt the data that in most cases is encrypted between you and the cloud, how to use analysis tools available on the cloud, and also which tools are available from major cloud vendors like Amazon AWS, Microsoft Azure, and others.

The next recipe in this chapter is Starting the Capture of data, which is actually how to start working with the software, and configuring, printing and exporting data. We talk about file manipulations, that is, how to save the captured data whether we want to save the whole of it, part of it, or only filtered data. We export that data into various formats, merge files (for example, when you want to merge captured files on two different router interfaces), and so on.

Locating Wireshark

The first step after understanding the problem and deciding to use Wireshark is the decision on where to locate it. For this purpose, we need to have a precise network illustration (at least the part of the network that is relevant to our test) and locate Wireshark.

The principle is basically to locate the device that you want to monitor, connect your laptop to the same switch that it is connected to, and configure a port mirror (in Cisco it is called a port monitor or Switched Port Analyzer (SPAN)) to the monitored device. This operation enables you to see all traffic coming in and out of the monitored device. This is the simplest case.

You can monitor a LAN port, WAN port, server or router port, or any other device connected to the network.

In the example presented in this diagram, the Wireshark software is installed on the laptop on the left, and S2 is the server that we want to monitor:

In the simplest case, we configure the port mirror in the direction as in the diagram; that will monitor all traffic coming in and out of server S2. Of course, we can also install Wireshark directly on the server itself, and by doing so we will be able to watch the traffic directly on the server.

Some LAN switch vendors also enable other features, such as:

Monitoring a whole VLAN: We can monitor a server's VLAN, telephony VLAN, and so on. In this case, you will see all traffic on a specific VLAN.

Monitoring several ports to a single analyzer: We can monitor traffic on servers S1 and S2 together.

Filtering: Filtering consists of configuring whether to monitor incoming traffic, outgoing traffic, or both.

Getting ready

To start working with Wireshark, go to the Wireshark website and download the latest version of the tool.

An updated version of Wireshark can be found on the website http://www.wireshark.org/; choose Download. This brings you the Download Wireshark page. Download the latest Wireshark Version 2.X.X stable release that is available at https://www.wireshark.org/#download.

Each Wireshark Windows package comes with the latest stable release of WinPcap, which is required for live packet capture. The WinPcap driver is a Windows version of the UNIX libpcap library for traffic capture. (From Wireshark 3.0 onwards, the Windows installer ships Npcap instead of the no longer maintained WinPcap; its role is the same.)

During the installation, you will get the package's installation window, presented in the following screenshot:

Usually in these setup windows, we simply check all and install. In this case, we have some interesting things:

Wireshark: This is the Wireshark version 2 software.

TShark: A command-line protocol analyzer.

Wireshark 1: The good old Wireshark version 1. When you check this, the legacy Wireshark version 1 will also be installed. Personally, I prefer to install it for the next several versions, so if something doesn't work with Wireshark version 2 or you don't know how to work with it, you always have the good old version available.

Plugins & Extensions:

Dissector Plugins: Plugins with some extended dissections

Tree Statistics Plugins: Extended statistics

Mate: Meta-Analysis and Tracing Engine: User-configurable extension(s) of the display filter engine

SNMP MIBs: For a more detailed SNMP dissection

Tools:

Editcap: Reads a capture file and writes some or all of the packets into another capture file

Text2Pcap: Reads in an ASCII hex dump and writes the data into a pcap capture file

Reordercap: Reorders a capture file by timestamp

Mergecap: Combines multiple saved capture files into a single output file

Capinfos: Provides information on capture files

Rawshark: Raw packet filter
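The file format that editcap, mergecap and capinfos operate on is simple enough to handle by hand, and knowing it helps when a capture comes back damaged. The following is an added example, not part of the book and not code from the Wireshark distribution: a minimal classic-pcap writer and reader in Python, with a capinfos-style summary, a mergecap-style chronological merge of two captures (for example, files captured on the LAN and WAN interfaces of one router), and a check for a file cut off mid-record. The frames, MAC addresses and timestamps are constructed for the example.

```python
"""Minimal classic libpcap reader/writer (constructed example, not Wireshark code).

Classic pcap: a 24-byte global header (magic 0xa1b2c3d4 written little-endian,
version 2.4, snaplen, link type 1 = Ethernet) followed by records, each with a
16-byte header (ts_sec, ts_usec, captured length, original length) and the frame.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(packets, snaplen=65535):
    """packets: iterable of (timestamp in seconds, Ethernet frame bytes)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data = frame[:snaplen]  # a snaplen shorter than the frame truncates it, as dumcap -s does
        out += RECORD_HDR.pack(sec, usec, len(data), len(frame))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap blob into a list of (timestamp, frame); raises ValueError on damage."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian classic pcap file with Ethernet frames")
    offset, packets = GLOBAL_HDR.size, []
    while offset < len(blob):
        if len(blob) - offset < RECORD_HDR.size:
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = RECORD_HDR.unpack_from(blob, offset)
        offset += RECORD_HDR.size
        frame = blob[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")  # what a capture killed mid-write looks like
        offset += incl_len
        packets.append((sec + usec / 1_000_000, frame))
    return packets


def is_intact(blob):
    """True if every record in the file is complete."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


def capinfos(blob):
    """Summary in the spirit of capinfos: packet count, byte count, first/last time."""
    pkts = read_pcap(blob)
    if not pkts:
        return {"packets": 0, "bytes": 0, "duration": 0.0}
    first, last = pkts[0][0], pkts[-1][0]
    return {"packets": len(pkts), "bytes": sum(len(f) for _, f in pkts),
            "first": first, "last": last, "duration": last - first}


def mergecap(*blobs):
    """Chronological merge of several captures, which is mergecap's default mode."""
    merged = sorted((p for b in blobs for p in read_pcap(b)), key=lambda p: p[0])
    return write_pcap(merged)


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build a raw Ethernet II frame from MAC strings, an EtherType and a payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + ethertype.to_bytes(2, "big") + payload


# Constructed sample captures: one from the router's LAN side, one from its WAN side.
R_LAN, R_WAN, PC, ISP = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:10", "00:00:5e:00:53:20"
LAN_SIDE = write_pcap([
    (1.25, ethernet_frame("ff:ff:ff:ff:ff:ff", PC, 0x0806, b"ARP request")),
    (3.75, ethernet_frame(R_LAN, PC, 0x0800, b"IPv4 to WAN")),
])
WAN_SIDE = write_pcap([
    (2.5, ethernet_frame(ISP, R_WAN, 0x0800, b"IPv4 to ISP")),
])

if __name__ == "__main__":
    print(capinfos(mergecap(LAN_SIDE, WAN_SIDE)))
    print("LAN file intact:", is_intact(LAN_SIDE), "cut file intact:", is_intact(LAN_SIDE[:-5]))
```

Timestamps in both files must come from synchronized clocks for the merge to mean anything; the real mergecap has the same limitation.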

How to do it...

Let's take a look at the typical network architecture, the network devices, how they work, how to configure them when required, and where to locate Wireshark:

Let's have a look at the simple and common network architecture in the preceding diagram.

Monitoring a server

This is one of the most common requirements that we have. It can be done by configuring the port monitor to the server (numbered 1 in the preceding diagram) or installing Wireshark on the server itself.

Monitoring a router

In order to monitor a router, we can use the following:

Case 1: Monitoring the switch port that the router is connected to:

In this case, numbered 2 in the previous drawing, we connect our laptop to the switch that the router is connected to.

On the switch, configure the port mirror from the port that the router is connected to, to the port that the laptop is connected to.

Case 2: Router with a switch module:

In this case, numbered 5 and 6 in the previous diagram, we have a switch module on the router (for example, Cisco EtherSwitch® or HWIC modules), and we can use it the same way as a standard switch (numbered 5 for the LAN port and 6 for the WAN port in the previous diagram).

In general, a router does not support the port mirror or SPAN. In simple Home/SOHO routers, you will not have this option. The port mirror option is available in some cases on switch modules on routers such as Cisco 2800 or 3800, and of course on large-scale routers such as Cisco 6800 and others.

In this case, you will be able to monitor only those ports that are connected to the switch module.

Case 3: Router without switch module:

In this case, you can connect a switch between the router port and the Service Provider (SP) network, and configure the port monitor on this switch, as in the following diagram:

In this case, configure the port monitor from the port the router is connected to, to the port your laptop is connected to.

Connecting a switch between the router and the service provider is an operation that breaks the connection, but when you prepare for it, it should take less than a minute.

Case 4: Router with embedded packet capture

In routers from recent years, you will also have an option for integrated packet capture in the router itself. This is the case, for example, in Cisco IOS Release 12.4(20)T or later, Cisco IOS-XE Release 15.2(4)S-3.7.0 or later, and also in SRX/J-Series routers from Juniper, Steelhead from Riverbed, and many other brands.

When using this option, make sure that your device has enough memory for the option, and that you don't load your device to the point you will slow its operation.

When monitoring a router, don't forget this: it might happen that not all packets coming in to a router will be forwarded out! Some packets can be lost, dropped on the router buffers, or routed back on the same port that they came in from, and there are, of course, broadcasts that are not forwarded by the router.

Monitoring a firewall

When monitoring a firewall, it is, of course, different whether you monitor the internal port (numbered 1 in the following diagram) or the external port (numbered 2 in the following diagram):

On the internal port, you will see all the internal addresses and all traffic initiated by the users working in the internal network, while on the external port, you will see the external addresses that we go out with (translated by NAT from the internal addresses), and you will not see requests from the internal network that were blocked by the firewall. If someone is attacking the firewall from the internet, you will see it (hopefully) only on the external port.

In some firewall brands, you also have the option to use an embedded capture engine, as described for routers in the paragraph above.

Test access points and hubs

Two additional devices that you can use are TAPs and Hubs:

Test Access Points (TAPs): Instead of connecting a switch to the link you wish to monitor, you can connect a device called a TAP, a simple three-port device that, in this case, will play the same role as the switch. The advantage of a TAP over a switch is simplicity and price. TAPs also forward errored frames that can be monitored in Wireshark, unlike a LAN switch that drops them, and a passive TAP has no management interface to misconfigure. Switches, on the other hand, are much more expensive and take a few minutes to configure, but provide you with additional monitoring capabilities, for example, SNMP. When you troubleshoot a network, it is better to have an available managed LAN switch, even a simple one, for this purpose.

Hubs: You can simply connect a hub in parallel to the link you want to monitor, and since a hub is a half-duplex device, every packet sent between the router and the SP device will be seen by your Wireshark. The biggest drawback of this method is that the hub itself slows the traffic, and therefore it influences the test. In many cases, you also want to monitor 1 Gbps ports, and since there is no hub available for this, you will have to reduce the speed to 100 Mbps, which again will influence the traffic. Therefore, hubs are not commonly used for this purpose.

How it works...

To understand how the port monitor works, it is first important to understand the way that a LAN switch works. A LAN switch forwards frames in the following way:

The LAN switch continuously learns the MAC addresses of the devices connected to it, from the source address of every frame it receives on a port

Now, if a frame is sent to a destination MAC, it will be forwarded only to the physical port on which the switch has learned that MAC address

If a broadcast is sent, it will be forwarded to all ports of the switch (in the same VLAN)

If a multicast is sent, and IGMP snooping (or Cisco's CGMP) is disabled, it will be forwarded to all ports of the switch (IGMP snooping and CGMP are mechanisms that let the switch forward multicast frames only to the ports with members of the specific multicast group)

If a frame is sent to a MAC address that the switch has not learned (rare on a busy network, but it happens, for example after a MAC table entry ages out), it will be flooded to all ports of the switch, which is called unknown unicast flooding

In the following diagram, you see an example for how a layer 2-based network operates. Every device connected to the network sends periodic broadcasts. It can be ARP requests, NetBIOS advertisements, and others. The moment a broadcast is sent, it is forwarded through the entire layer 2 network (dashed arrows in the drawing). In the example, all switches learn the MAC address M1 on the port they have received it from.

Now, when PC2 wants to send a frame to PC1, it sends the frame to the switch that it is connected to, SW5. SW5 has learned the MAC address M1 on the fifth port to the left, and that is where the frame is forwarded. In the same way, every switch forwards the frame to the port it has learned it from, and finally it is forwarded to PC1.

Therefore, when you configure a port monitor to a specific port, you will see all traffic coming in and out of it. If you connect your laptop to the network, without configuring anything, you will see only traffic coming in and out of your laptop, along with broadcasts and multicasts from the network.

There's more...

There are some tricky scenarios when capturing data that you should be aware of.

Monitoring a VLAN—when monitoring a VLAN, you should be aware of several important issues. The first issue is that even when you monitor a VLAN, the packet must physically be transferred through the switch you are connected to in order to see it. If, for example, you monitor VLAN-10 that is configured across the network, and you are connected to your floor switch, you will not see traffic that goes from other switches to the servers on the central switch. This is because in building networks, the users are usually connected to floor switches, in single or multiple locations in the floor, that are connected to the building central switch (or two redundant switches). For monitoring all traffic on a VLAN, you have to connect to a switch on which all traffic of the VLAN goes through, and this is usually the central switch:

In the preceding diagram, if you connect Wireshark to Switch SW2, and configure a monitor to VLAN30, you will see all packets coming in and out of P2, P4, and P5, inside or outside the switch. You will not see packets transferred between devices on SW3, SW1, or packets between SW1 and SW3.

Another issue when monitoring a VLAN is that you might see duplicate packets. This is because when you monitor a VLAN and packets are going in and out of the VLAN, you will see the same packet when it is coming in and going out of the VLAN.

You can see the reason in the following illustration. When, for example, S4 sends a packet to S2 and you configure the port mirror to VLAN30, you will see the packet once sent from S4 to the switch and entering the VLAN30, and then when leaving VLAN30 to S2:
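The forwarding rules from the How it works section and the VLAN-mirror duplication described just above, as an added example that is not from the book: a small Python model of a learning switch with SPAN sessions. It reproduces three things a practitioner should expect to see in a capture: a laptop on an ordinary switch port receives only its own traffic plus broadcasts and unknown unicasts; a mirror of a server's port delivers both directions of that server's traffic; and a mirror of a whole VLAN delivers a unicast between two members of the VLAN twice, once on ingress and once on egress. Port names, VLAN numbers, MAC addresses (from the IANA documentation range) and the frames are constructed for the example.

```python
"""Model of a learning LAN switch with SPAN (port mirror) sessions.

Constructed example: ports, VLANs, MACs and frames are made up; the forwarding
rules are the ones described in the recipe (source-MAC learning, flooding of
broadcasts and unknown unicasts inside the VLAN, mirroring of both directions).
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC
    info: str  # what the frame is, for the capture listing


class LearningSwitch:
    def __init__(self, access_ports):
        self.vlan_of = dict(access_ports)   # port -> access VLAN
        self.mac_table = {}                 # (vlan, mac) -> port, learned from source MACs
        self.span = {}                      # monitor port -> (source ports, source VLAN)
        self.captured = defaultdict(list)   # port -> frames the attached device would capture

    def add_span(self, dest_port, source_ports=(), vlan=None):
        """Mirror both directions of the source ports (or of every port in a VLAN)
        to dest_port. A SPAN destination no longer takes part in normal switching."""
        self.span[dest_port] = (set(source_ports), vlan)

    def _mirror(self, port, frame):
        """Copy a frame seen on `port` to every monitor port watching that port or its VLAN."""
        for monitor, (ports, vlan) in self.span.items():
            if port in ports or (vlan is not None and self.vlan_of[port] == vlan):
                self.captured[monitor].append(frame)

    def ingress(self, port, frame):
        """Receive a frame on `port`; returns the ports it was forwarded to."""
        vlan = self.vlan_of[port]
        self.mac_table[(vlan, frame.src)] = port   # source-MAC learning
        self._mirror(port, frame)                  # ingress copy for SPAN
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            # broadcast or unknown unicast: flood to every other port of the VLAN
            out_ports = [p for p, v in self.vlan_of.items()
                         if v == vlan and p != port and p not in self.span]
        else:
            out_ports = [known]
        for out in out_ports:
            self.captured[out].append(frame)
            self._mirror(out, frame)               # egress copy for SPAN
        return out_ports


PC1, PC2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
S4, S2 = "00:00:5e:00:53:04", "00:00:5e:00:53:05"


def _pc_traffic(sw):
    """ARP exchange followed by a unicast from PC2 to PC1."""
    sw.ingress("Gi2", Frame(PC2, BROADCAST, "ARP who-has PC1"))
    sw.ingress("Gi1", Frame(PC1, PC2, "ARP reply"))
    sw.ingress("Gi2", Frame(PC2, PC1, "TCP SYN"))


def run_scenarios():
    results = {}
    # 1. Laptop on Gi3, nothing mirrored: only the broadcast reaches it.
    sw = LearningSwitch({"Gi1": 10, "Gi2": 10, "Gi3": 10})
    _pc_traffic(sw)
    results["laptop_no_span"] = [f.info for f in sw.captured["Gi3"]]
    # 2. Gi1 (PC1's port) mirrored to the laptop: both directions of PC1's traffic.
    sw = LearningSwitch({"Gi1": 10, "Gi2": 10, "Gi3": 10})
    sw.add_span("Gi3", source_ports={"Gi1"})
    _pc_traffic(sw)
    results["laptop_span_gi1"] = [f.info for f in sw.captured["Gi3"]]
    # 3. VLAN 30 mirrored: a unicast S4 -> S2 is copied on ingress and again on egress.
    sw = LearningSwitch({"Gi5": 30, "Gi6": 30, "Gi7": 30})   # S4, S2, laptop
    sw.add_span("Gi7", vlan=30)
    sw.ingress("Gi6", Frame(S2, BROADCAST, "ARP who-has S4"))  # lets the switch learn S2
    sw.ingress("Gi5", Frame(S4, S2, "S4 -> S2 data"))
    results["vlan_span_copies"] = [f.info for f in sw.captured["Gi7"]].count("S4 -> S2 data")
    return results


if __name__ == "__main__":
    for name, seen in run_scenarios().items():
        print(f"{name}: {seen}")
```

When a VLAN mirror produces such duplicates in a real capture, editcap -d (from the tools listed earlier in this chapter) removes consecutive duplicate packets before analysis.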

See also

For information on how to configure the port mirror, refer to the vendor's instructions. It can be called port monitor, port mirror, or SPAN from Cisco.

There are also advanced features such as remote monitoring, when you monitor a port that is not directly connected to your switch, advanced filtering (such as filtering specific MAC addresses), and so on. There are also advanced switches that have capture and analysis capabilities on the switch itself. It is also possible to monitor virtual ports (for example, a LAG or EtherChannel groups). For all cases, and other cases described in this recipe, refer to the vendor's specifications.

For vendor information you can look, for example, at these links:

Cisco IOS SPAN (for catalyst switches):

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

Cisco IOS Embedded Packet Capture feature:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

Check point Packet Sniffer feature:

https://www.checkpoint.com/smb/help/utm1/8.2/2002.htm

Fortinet FortiOS packet sniffer:

http://kb.fortinet.com/kb/viewContent.do?externalId=11186

Capturing data on virtual machines

Getting ready

In the last few years, a significant number of servers have been moving to virtual environments, that is, many servers on a single hardware device.

First, let's put some order in the terms. There are two major terms to remember in the virtual world:

A virtual machine is an emulation of a computer system that is installed on a single or multiple hardware platforms. A virtual machine is mostly used in the context of virtual servers. The major platforms used for server virtualization are VMware ESX, Microsoft Hyper-V, or Citrix XenServer.

A blade server chassis (blade center) is a cage that holds inside server cards (the blades) and LAN switches to connect them to the world.

In this section, we will look at each one of these components and see how to monitor each one of them.

How to do it...

Let's see how to do it.

Packet capture on a VM installed on a single hardware

A single hardware with virtual machines is illustrated in the following diagram:

As you see in the preceding diagram, we have the applications that run on the operating systems (guest OS in the drawing). Several guest OSs are running on the virtualization software that runs on the hardware platform.

As mentioned earlier in this chapter, in order to capture packets we have two possibilities: to install Wireshark on the device that we want to monitor, or to configure port mirror to the LAN switch to which the Network Interface Card (NIC) is connected.

For this reason, in the case of a virtual platform on a single hardware, we have the following possibilities:

Install Wireshark on the specific server that you want to monitor, and start capturing packets on the server itself.

Connect your laptop to the switch (8 in the preceding diagram), and configure a port mirror to the server. In the preceding diagram, it would be to connect a laptop to a free port on the switch, with a port mirror to ports 1 and 2.

The first case is obvious, but some problems can happen in the second one:

As illustrated in the preceding diagram, there are usually two ports or more connected between the server and the LAN switch. This topology is called Link Aggregation (LAG), teaming, or, if you are using Cisco switches, EtherChannel. When monitoring a server, check whether it is configured with load sharing or port redundancy (also referred to as Failover). If it is configured with port redundancy, it is simple: check what the active port is and configure the port mirror to it. If it is configured with load sharing, you have to configure one of the following:

Port mirror to the LAG interface: that is, port mirror to the virtual interface that holds the two or more physical interfaces. It is usually termed by the switch vendor as a Port-Group or Port-Channel interface.

There are various terms for grouping several ports into one aggregate. The most common standard is IEEE 802.3ad (LAG), later moved into IEEE 802.1AX. There is also Cisco EtherChannel, and server vendors call it teaming or NIC teaming (Microsoft), bonding (various Linux systems), Load Based Teaming (LBT), and other terms. The important thing is to check whether it is a load sharing or redundant configuration. Note that in all of these mechanisms the load is shared and not balanced: each flow is hashed onto one member link by its addresses or ports, so the load is not equally balanced between the interfaces, and a single heavy flow always stays on one member.

Port mirror from the two physical ports: that is, a port mirror from the two switch ports the server NICs are connected to (ports 1 and 2 of the switch in the diagram) to the single port your laptop is connected to.

Two port mirrors to two interface cards on your PC: that is, two port mirrors from the two switch interfaces to two NICs on the laptop at the same time, capturing on both. A diagram of the three cases is presented here:

There is another problem that might happen. When monitoring heavy traffic on ports configured with load sharing, in Option A you will have a mirror of two NICs sending data to a single one, for example, two ports of 1 Gbps to a single port of 1 Gbps. Then, of course, in case of traffic that exceeds the speed of the laptop port, not all packets will be mirrored and some of them will be lost, silently, because the switch drops whatever the SPAN destination port cannot take. For this reason, when you use this method, make sure that the laptop has a faster NIC than the monitored ports, or use Option C (capture with two interfaces).

In any case, Wireshark is not suitable for high-rate packet capture and will not handle more than 200-300 Mbps, so when monitoring heavy traffic, configure capture filters, capture with the command-line dumpcap to a ring buffer of files instead of the GUI, or use commercial software that is suitable. Watch the Dropped count that Wireshark shows during a live capture; a non-zero value means the capture is incomplete and any conclusion about missing packets is suspect.
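The load sharing and the mirror oversubscription described above, as an added example that is not from the book: a Python model of per-flow hashing on a two-member LAG and of the three mirror options. The XOR-of-low-order-bits hash is modelled on the classic src-dst-ip EtherChannel scheme; real platforms choose their own hash inputs, so treat it as an assumption. The server, the clients and the flow rates are constructed. The example goes a little beyond the text by letting you change the number of member links.

```python
"""Per-flow hashing on a link aggregation group and what it means for mirroring.

Constructed example: the hash, the server, the clients and the flow rates are
made up; real switches hash their own choice of header fields.
"""


def member_for(src_ip, dst_ip, members=2):
    """Member link index for a flow: XOR of the low-order bits of the two host
    octets (assumption modelled on the classic src-dst-ip EtherChannel hash).
    `members` must be a power of two for this scheme."""
    mask = members - 1
    return (int(src_ip.rsplit(".", 1)[1]) ^ int(dst_ip.rsplit(".", 1)[1])) & mask


def distribute(flows, members=2):
    """Sum the Mbps landing on each member link; flows are (src_ip, dst_ip, mbps)."""
    load = [0] * members
    for src, dst, mbps in flows:
        load[member_for(src, dst, members)] += mbps
    return load


def mirror_plan(flows, members=2, laptop_port_mbps=1000):
    """Compare the mirror options from the recipe for a given traffic mix."""
    load = distribute(flows, members)
    total = sum(load)
    busiest = max(range(members), key=lambda i: load[i])
    return {
        "per_member_mbps": load,
        "total_mbps": total,
        # mirroring a single member (even the busiest) silently misses the rest
        "missed_if_only_busiest_member_mirrored_mbps": total - load[busiest],
        # option A: every member into one laptop port of laptop_port_mbps
        "option_a_oversubscribed_by_mbps": max(0, total - laptop_port_mbps),
        # option C: one laptop NIC per member, each must keep up with its member
        "option_c_fits": all(mbps <= laptop_port_mbps for mbps in load),
    }


SERVER = "192.0.2.10"
# Constructed mix: seven 60 Mbps client flows plus one 700 Mbps backup flow from client .1
SAMPLE_FLOWS = [(SERVER, f"198.51.100.{i}", 700 if i == 1 else 60) for i in range(1, 9)]

if __name__ == "__main__":
    for key, value in mirror_plan(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

With this mix the two members carry 240 and 880 Mbps, so a single 1 Gbps mirror port is short by 120 Mbps (Option A), while one laptop NIC per member (Option C) keeps up; with four members the 700 Mbps flow still sits on one link, which is the "sharing, not balancing" point.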

Packet capture on a blade server

In the case of using a BLADE Center, we have the following hardware topology:

As illustrated, we have a BLADE Center that contains the following components:

Blade servers: These are hardware cards, usually located at the front side of the blade center.

Servers: The virtual servers installed on the hardware servers, also called VMs.

Internal LAN switch: Internal LAN switches that are installed at the front or back of the blade center. These switches usually have 12-16 internal or virtual ports (Int in the diagram) and 4-8 external or physical ports (Ext in the diagram).

External switch: Installed in the communication rack, and not a part of the BLADE Center.

Monitoring a blade center is more difficult because we don't have direct access to all of the traffic that goes through it. There are several options for doing so:

Internal monitoring on the blade center:

For traffic on a specific server, install Wireshark on the virtual server. In this case, you just have to make sure from which virtual ports traffic is sent and received. You will see this in the VM configuration; you can also capture on one interface at a time in Wireshark and see on which one the traffic goes.

A second option is to install Wireshark on a different VM and configure the port mirror in the blade center switch, between the server you wish to monitor and the VM with Wireshark installed on it.

From the servers to the blade center switch (1 in the previous diagram):

For traffic that goes from the servers to the switch, configure a port mirror from the virtual ports the server is connected to, to the physical port where you connect the laptop. Most vendors support this option, and it can be configured.

For external monitoring, traffic from the internal blade center switch to the external switches:

Use a standard port mirror on the internal or external switches.

How it works...

As described before, there are several types of virtual platforms. I will explain the way one operates on VMware, which is one of the popular ones.

On every virtual platform, you configure hosts that are provided with the CPU and memory resources that virtual machines use and give virtual machines access to these resources.

In the next screenshot, you see a virtualization server with address 192.168.1.110, configured with four virtual machines: Account1, Account2, Term1, and Term2. These are the virtual servers, in this case, two servers for accounting and two terminal servers:

When you go to the configuration menu and choose Networking, as illustrated in the next screenshot, you see the vSwitch. On the left, you see the internal ports connected to the servers, and on the right, you see the external port.

In this example, we see the virtual servers Account1, Account2, Term1 and Term2; on the right, we see the physical port vmnic0.

Standard and distributed vSwitch

The VMware platform vSphere offers two kinds of virtual switches, standard and distributed:

The standard vSwitch is what every vSphere installation has, no matter what license it is running on

Distributed vSwitches are only available for those who have an Enterprise Plus license

Port mirroring is available on the distributed vSwitch only. On a standard vSwitch, the closest equivalent is setting the port group's Promiscuous Mode security policy to Accept, which lets a VM on that port group (for example, one running Wireshark) receive all frames passing through the port group; keep such a setting on a dedicated monitoring port group, since it equally lets any other VM placed there sniff its neighbors. How to configure port mirroring is described in the Working With Port Mirroring section of the VMware vSphere 6.0 documentation center: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html.

See also

For specific vendors' mirroring configuration:

For Alteon (now Radware) blade switches: http://www.bladenetwork.net/userfiles/file/PDFs/IBM_GbE_L2-3_Applicat_Guide.pdf

For Cisco blade switches (called SPAN): http://www.cisco.com/c/dam/en/us/td/docs/switches/blades/igesm/software/release/12-1_14_ay/configuration/guide/25K8411B.pdf, Page 340, SPAN and RSPAN Concepts and Terminology

Starting the capture of data