Network Analysis using Wireshark Cookbook - Yoram Orzach - E-Book


Description

Is your network slow? Are your users complaining? Disconnections? IP Telephony problems? Video freezes? Network analysis is the process of isolating these problems and fixing them, and Wireshark has long been the most popular network analyzer for achieving this goal. Based on hundreds of solved cases, Network Analysis using Wireshark Cookbook provides you with practical recipes for effective Wireshark network analysis to analyze and troubleshoot your network.

"Network analysis using Wireshark Cookbook" highlights the operations of Wireshark as a network analyzer tool. This book provides you with a set of practical recipes to help you solve any problems in your network using a step-by-step approach.

"Network analysis using Wireshark Cookbook" starts by discussing the capabilities of Wireshark, such as the statistical tools and the expert system, capture and display filters, and how to use them. The book then guides you through the details of the main networking protocols, that is, Ethernet, LAN switching, and TCP/IP, and then discusses the details of application protocols and their behavior over the network. Among the application protocols that are discussed in the book are standard Internet protocols like HTTP, mail protocols, FTP, and DNS, along with the behavior of databases, terminal server clients, Citrix, and other applications that are common in the IT environment.

In a bottom-up troubleshooting approach, the book goes up through the layers of the OSI reference model explaining how to resolve networking problems. The book starts from Ethernet and LAN switching, through IP, and then on to TCP/UDP with a focus on TCP performance problems. It also focuses on WLAN security. Then, we go through application behavior issues including HTTP, mail, DNS, and other common protocols. The book finishes with a look at network forensics and how to search and find security problems that might harm the network.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 504

Year of publication: 2013




Table of Contents

Network Analysis Using Wireshark Cookbook
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Piracy
Questions
1. Introducing Wireshark
Introduction
Locating Wireshark
Getting ready
How to do it...
Monitoring a server
Monitoring a router
Monitoring a firewall
How it works...
There's more...
See also
Starting the capture of data
Getting ready
How to do it...
How to choose the interface to start the capture
How to configure the interface you capture data from
How it works...
There's more...
See also
Configuring the start window
Getting ready
Main Toolbar
Display Filter Toolbar
Status Bar
How to do it...
Configuring toolbars
Configuring the main window
Name Resolution
Colorizing the packet list
Auto scrolling in live capture
Using time values and summaries
Getting ready
How to do it...
How it works...
Configuring coloring rules and navigation techniques
Getting ready
How to do it...
How it works...
See also
Saving, printing, and exporting data
Getting ready
How to do it...
Saving data in various formats
How to print data
How it works...
Configuring the user interface in the Preferences menu
Getting ready
How to do it...
Changing and adding columns
Changing the capture configuration
Configuring the name resolution
How it works...
Configuring protocol preferences
Getting ready
How to do it...
Configuring of IPv4 and IPv6 Preferences
Configuring TCP and UDP
How it works...
There's more...
2. Using Capture Filters
Introduction
Configuring capture filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring Ethernet filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring host and network filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring TCP/UDP and port filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring compound filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring byte offset and payload matching filters
Getting ready
How to do it...
How it works…
There's more...
See also
3. Using Display Filters
Introduction
Configuring display filters
Getting ready
How to do it...
Choosing from the filters menu
Writing the syntax directly into the display filter window
Choosing a parameter in the packet pane and defining it as a filter
How it works...
There's more...
What is the parameter we filter?
Adding a parameter column
Saving the displayed data
Configuring Ethernet, ARP, host, and network filters
Getting ready
How to do it...
Ethernet filters
ARP filters
IP and ICMP filters
Complex filters
How it works...
Ethernet broadcasts
IPv4 multicasts
IPv6 multicasts
See also
Configuring TCP/UDP filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring specific protocol filters
Getting ready
How to do it...
HTTP display filters
DNS display filters
FTP display filters
How it works...
See also
Configuring substring operator filters
Getting ready
How to do it...
How it works...
Configuring macros
Getting ready
How to do it...
How it works...
4. Using Basic Statistics Tools
Introduction
Using the Summary tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Protocol Hierarchy tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Conversations tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Ethernet conversations statistics
IP conversations statistics
TCP/UDP conversations statistics
Using the Endpoints tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the HTTP tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Configuring Flow Graph for viewing TCP flows
Getting ready
How to do it...
How it works...
There's more...
Creating IP-based statistics
Getting ready
How to do it...
How it works...
There's more...
5. Using Advanced Statistics Tools
Introduction
Configuring IO Graphs with filters for measuring network performance issues
Getting ready
How to do it...
Filter configuration
X-Axis configuration
Y-Axis configuration
How it works...
There's more...
Throughput measurements with IO Graph
Getting ready
How to do it...
Measuring throughput between end devices
Measuring application throughput
How it works...
There's more...
Graph SMS usage – finding SMS messages sent by a specific subscriber
Graphing number of accesses to the Google web page
Advanced IO Graph configurations with advanced Y-Axis parameters
Getting ready
How to do it...
How to monitor inter-frame time delta statistics
How to monitor the number of TCP retransmissions in a stream
How to monitor a number of field appearances
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Throughput Graph window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Round Trip Time window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Window Scaling Graph window
Getting ready
How to do it...
How it works...
There's more...
6. Using the Expert Infos Window
Introduction
The Expert Infos window and how to use it for network troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Error events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Warning events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Notes events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
7. Ethernet, LAN Switching, and Wireless LAN
Introduction
Discovering broadcast and error storms
Getting ready
How to do it...
Spanning Tree Problems
A device that generates Broadcasts
Fixed pattern broadcasts
How it works...
There's more…
See also
Analyzing Spanning Tree Protocols
Getting ready
How to do it...
Which STP version is running on the network?
Are there too many topology changes?
How it works...
Port states
There's more…
Analyzing VLANs and VLAN tagging issues
Getting ready
How to do it...
Monitoring traffic inside a VLAN
Viewing tagged frames going through a VLAN tagged port
How it works...
There's more…
See also
Analyzing wireless (Wi-Fi) problems
Getting ready
How to do it…
How it works…
8. ARP and IP Analysis
Introduction
Analyzing connectivity problems with ARP
Getting ready
How to do it...
ARP poisoning and Man-in-the-Middle attacks
Gratuitous ARP
ARP sweeps
Requests or replies, and who is the sender
How many ARPs
How it works...
There's more...
Using IP traffic analysis tools
Getting ready
How to do it...
IP statistics tools
How it works...
There's more...
Using GeoIP to look up physical locations of the IP address
Getting ready
How to do it...
How it works...
There's more...
Finding fragmentation problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing routing problems
Getting ready
How to do it...
How it works...
There's more...
Finding duplicate IPs
Getting ready
How to do it...
How it works...
There's more...
Analyzing DHCP problems
Getting ready
How to do it...
How it works...
There's more...
9. UDP/TCP Analysis
Introduction
Configuring TCP and UDP preferences for troubleshooting
Getting ready
How to do it...
UDP parameters
TCP parameters
How it works...
There's more…
TCP connection problems
Getting ready
How to do it...
How it works...
There's more…
TCP retransmission – where do they come from and why
Getting ready
How to do it...
Case 1 – retransmissions to many destinations
Case 2 – retransmissions on a single connection
Case 3 – retransmission patterns
Case 4 – retransmission due to a non-responsive application
Case 5 – retransmission due to delayed variations
Finding what it is
How it works...
Regular operation of the TCP Sequence/Acknowledge mechanism
What are TCP retransmissions and what do they cause
There's more...
See also
Duplicate ACKs and fast retransmissions
Getting ready
How to do it...
How it works...
There's more...
TCP out-of-order packet events
Getting ready
How to do it...
When will it happen?
How it works...
TCP Zero Window, Window Full, Window Change, and other Window indicators
Getting ready
How to do it...
TCP Zero Window, Zero Window Probe, and Zero Window Violation
TCP Window Update
TCP Window Full
How it works...
There's more…
TCP resets and why they happen
Getting ready
How to do it...
Cases in which reset is not a problem
Cases in which reset can indicate a problem
How it works...
10. HTTP and DNS
Introduction
Filtering DNS traffic
Getting ready
How to do it...
How it works...
There's more...
Analyzing regular DNS operations
Getting ready
How to do it...
How it works...
DNS operation
DNS namespace
The resolving process
There's more...
Analysing DNS problems
Getting ready
How to do it...
DNS cannot resolve a name
DNS slow responses
How it works...
There's more...
Filtering HTTP traffic
Getting ready
How to do it...
How it works...
HTTP methods
Status codes
There's more...
Configuring HTTP preferences
Getting ready
How to do it...
Custom HTTP headers fields
How it works...
There's more...
Analyzing HTTP problems
Getting ready
How to do it...
Informational codes
Success codes
Redirect codes
Client errors
Server errors
How it works...
There's more...
Exporting HTTP objects
Getting ready
How to do it...
How it works...
There's more...
HTTP flow analysis and the Follow TCP Stream window
Getting ready
How to do it...
How it works...
There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting ready
How to do it...
How it works...
There's more...
11. Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting ready
How to do it...
There's more...
Analyzing FTP problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
Getting ready
How to do it...
POP3 communications
SMTP communications
Some other methods and problems
How it works...
POP3
SMTP and SMTP error codes (RFC3463)
There's more...
Analyzing MS-TS and Citrix communications problems
Getting ready
How to do it...
How it works...
There's more…
Analyzing problems in the NetBIOS protocols
Getting ready
How to do it...
General tests
Specific issues
How it works...
There's more…
Example 1 – application freezing
Example 2 – broadcast storm caused by SMB
Analyzing database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
12. SIP, Multimedia, and IP Telephony
Introduction
Using Wireshark's features for telephony and multimedia analysis
Getting ready
How to do it...
How it works...
There's more...
Analyzing SIP connectivity
Getting ready
How to do it...
1xx codes – provisional/informational
2xx codes – success
3xx codes – redirection
4xx codes – client error
5xx codes – server error
6xx codes – global failure
How it works...
There's more...
Analyzing RTP/RTCP connectivity
Getting ready
How to do it...
How it works...
RTP principles of operation
The RTCP principle of operation
There's more...
Troubleshooting scenarios for video and surveillance applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for IPTV applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for video conferencing applications
Getting ready
How to do it...
Troubleshooting RTSP
Getting ready
How to do it...
How it works...
There's more...
13. Troubleshooting Bandwidth and Delay Problems
Introduction
Measuring total bandwidth on a communication link
Getting ready
How to do it...
How it works...
There's more...
Measuring bandwidth and throughput per user and per application over a network connection
Getting ready
How to do it...
How it works...
See also
Monitoring jitter and delay using Wireshark
Getting ready
How to do it...
How it works...
There's more...
Discovering delay/jitter-related application problems
Getting ready
How to do it...
How it works...
There's more...
14. Understanding Network Security
Introduction
Discovering unusual traffic patterns
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering MAC- and ARP-based attacks
Getting ready
How to do it...
How it works...
There's more...
Discovering ICMP and TCP SYN/Port scans
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering DoS and DDoS attacks
Getting ready
How to do it...
How it works...
There's more...
Locating smart TCP attacks
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering brute-force and application attacks
Getting ready
How to do it...
How it works...
There's more...
A. Links, Tools, and Reading
Useful Wireshark links
tcpdump
Some additional tools
SNMP tools
SNMP platforms
The NetFlow, JFlow, and SFlow analyzers
HTTP debuggers
Syslog
Other stuff
Network analysers
Interesting websites
Books
Index

Network Analysis Using Wireshark Cookbook

Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: December 2013

Production Reference: 1171213

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-84951-764-5

www.packtpub.com

Cover Image by iStockPhoto

Credits

Author

Yoram Orzach

Reviewers

Charles L. Brooks

Praveen Darshanam

Ritwik Ghoshal

Gilbert Ramirez

Acquisition Editors

Nikhil Chinnari

Akram Hussain

Antony Lowe

Lead Technical Editor

Ritika Dewani

Copy Editors

Roshni Banerjee

Janbal Dharmaraj

Brandt D'Mello

Kirti Pai

Shambhavi Pai

Alfida Paiva

Lavina Pereira

Sayanee Mukherjee

Karuna Narayanan

Technical Editors

Vrinda Nitesh Bhosale

Amit Ramadas

Pratik More

Anita Nayak

Project Coordinator

Anugya Khurana

Proofreader

Bridget Braund

Indexers

Monica Ajmera Mehta

Rekha Nair

Priya Subramani

Graphics

Disha Haria

Abhinash Sahu

Production Coordinator

Nitesh Thakur

Cover Work

Nitesh Thakur

About the Author

Yoram Orzach gained his Bachelor's degree in Science from the Technion in Haifa, Israel, and worked at Bezeq as a systems engineer in the fields of transmission and access networks from 1991 to 1995. In 1995, he joined Netplus from the Leadcom group as technical manager, and since 1999 he has worked as the CTO of NDI Communications (www.ndi-com.com), involved in the design, implementation, and troubleshooting of data communication networks worldwide. Yoram's experience spans corporate networks, service provider networks, and Internet service provider networks, and among his customers are companies such as Comverse, Motorola, Intel, Ceragon networks, Marvel, HP, and others. Yoram's experience is in design, implementation, and troubleshooting, along with training for R&D, engineering, and IT groups.

Acknowledgments

First and foremost, I would like to thank my family: my parents Israel and Selma; my father, the smartest man on earth, who survived the holocaust weighing 35 kilos alone in the world, and 40 years later became a leading expert in telecommunications; my mother, who taught me so many things; my amazing wife Ena, who has been tolerating me being at work over the last 20 years and more; my children Nadav, Dana, and Idan, whose achievements made my work look so simple. Thanks to my sister Hana, her husband Ofer, and their children.

I would also like to thank many colleagues. First, Reuven Matzliach, who started the Comverse IP college with me in the late 90s, transferring Comverse from TDM to IP networks, and helped me through some difficult times. Along with him, I would like to thank Omer Fuchs and Moshe Sakal for their assistance in this great project. Thanks to many colleagues and friends whom this page is too short to mention.

Thanks to Lior Tzuberi, for many tips and case studies. Hanan Man, for a very interesting network. Yoel Saban and Rami Kletshevsky for very interesting network designs; your design groups are one of the best I've ever seen. Zvi Shacham, for the data-communication teaching experience I've gained from him. Asi Alajem for a very interesting network and Oren Gerstner for very interesting wireless cases. Chen Heffer, the best security expert I've ever known. Yoni Zini, for helping me with the system part. Ibrahim Jubram, for very interesting cellular cases. Ofer Sela, for very interesting projects. Amir Lavi and Eran Niditz, for very interesting cases. Dimitrios Liappis, for interesting cellular cases. Avner Mimon, for great tips and so many others.

Thanks to the many training professionals that I've learned so much from. Thirty years ago I thought giving courses was fun; you taught me it's a profession. Harriet Rubin, Merav Sagi, Rvital Keinan, Guy Einav, Raanan Dagan, and many others.

Special thanks to Yoav Nokrean and his son Eran, who assisted me with many ideas, giving me assistance in all possible ways.

I would also like to thank the many colleagues who worked with me over the years; to customers at home, in Europe, North America, Eastern Asia, and other exotic places. Troubleshooting a network is always the same, the only question is, is it snowing outside or is there an exotic coast nearby with tequila?

Special thanks to the many designers that designed bad networks, to developers that wrote strange implementations for TCP/IP, to IT guys who connected the wrong cables, to engineering departments who thought that you just connect the cables to the boxes and it works. That's the best way to learn networking.

To many thousands of students, thanks to all of them for all the hard questions and the interesting cases that you brought with you; I've learned new things in every course. There is nothing that is more fun than connecting to networks and fixing problems in real time.

My admiration to the networking and security pioneers—Vint Cerf, Bob Kahn, Radia Perlman, Adi Shamir, Ronald Rivest, Van Jacobson, Steven McCanne, and so many others. Without you, we wouldn't have all this.

And lastly to Packt Publishing, for coming up with the idea to write this book and very patiently accompanying me through the process.

About the Reviewers

Charles L. Brooks is the founder and principal consultant at Security Technical Education, where he offers services in technical writing, reviewing, instructional design, and education. Charles also facilitates online courses at Boston University in data communications and networking, and teaches courses in network security, secure software development, securing virtualized and cloud infrastructures at Brandeis University, Rabb School of Graduate Professional Studies, in the MS in Information Security program. Prior to founding Security Technical Education (www.securityteched.com), Charles worked at EMC and at RSA as a senior technical education consultant, developing courseware for storage security, Big Data, network security analysis, and network forensics. Prior to EMC, Charles worked for many years as a software engineer, team leader, and software architect; and most recently as a systems architect for a managed VPN service offered by GTE Internetworking and Genuity.

Charles earned a BS and MA degree in English from Clark University, a MSCIS degree from Boston University, and holds several industry certifications including the CISSP, CEH, and CHFI.

I want to thank Helyn Pultz for her encouragement, support, and timely counsel for all these many years.

Praveen Darshanam has over seven years of experience in Information Security with companies such as McAfee, Cisco Systems, and iPolicy Networks. His core expertise and passions are vulnerability research, signature development, Snort, application security, and malware analysis. He pursued B.Tech in Electrical Engineering (EE) and ME/M.Tech in Control and Instrumentation; EE from one of the premier institutes of India. He holds industry certifications such as CHFI, CEH, and ECSA.

Ritwik Ghoshal is a Senior Security Analyst at Oracle Corporation, responsible for Oracle software and hardware security assurance. His primary work areas are network security, operating systems, and virtualization. Before coming to Oracle in 2010, when the company acquired Sun Microsystems, he had been working at Sun since 2008 as a part of the Sun security engineering team and the Solaris team. At Oracle, Ritwik continues to be responsible for all Sun systems products and Oracle Linux and Virtualization products.

Ritwik earned a Bachelor's degree in Computer Science and Engineering in 2008 from Heritage Institute of Technology, Kolkata, India.

I'm heavily indebted to my parents and Sara E Taverner for their continuous help and support.

Gilbert Ramirez is a long-time contributor to Wireshark, starting when it was first released. He has added protocol dissectors, core routines such as the display filter engine, as well as the initial port to Windows. He works at Cisco Systems, where he handles software build systems as well as other software tools.

Gilbert has authored books on Wireshark, including Wireshark & Ethereal Network Protocol Analyzer Toolkit, Ethereal Packet Sniffing, and Nessus, Snort, & Ethereal Power Tools, all published by Syngress Publishing Inc.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books. 

Why Subscribe?

Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Preface

Wireshark has long been the market standard for network analysis. With the growth of the Internet and TCP/IP-based networks, it has become very popular for network analysis and troubleshooting, and for R&D engineers who need to understand what is actually running over the network and what problems we face.

This book is written from a practical point of view. The first part of it, from Chapter 1, Introducing Wireshark, to Chapter 6, Using the Expert Infos Window, describes the Wireshark software and how to work with it. This includes how to start it, where to locate it in the network, how to work with statistical tools, and how to use the Expert system. The second part, from Chapter 7, Ethernet, LAN Switching, and Wireless LAN, to Chapter 14, Understanding Network Security, describes how to use it for the analysis and troubleshooting of common networking protocols; among them, the TCP/IP protocol stack with emphasis on TCP performance issues, common Internet protocols such as HTTP, SMTP, POP and DNS, databases, Citrix and Microsoft Terminal Server, IP telephony, and multimedia applications. The last chapter is about network security. It describes how to locate security breaches and other problems in your network.

As the name of the book implies, this is a Cookbook. It is a list of effective, targeted recipes of how to analyze networks. Every recipe comes with a specific issue, how to use Wireshark for it, where to look and what to look for, and what is the reason for what you see. To complete the picture, every recipe provides the theoretical foundations of the subject, in order to give the reader the required theoretical background.

You will see many examples in the book, and all of them are real cases. Some of them took me minutes to solve, some hours, and some of them took many days. There is one thing common to all of them: work systematically, use the proper tools, try to get inside the head of the application writer, and like someone told me once, "Try to think like the network". Do this, use Wireshark, and you will get results. The purpose of this book is to try and get you there. Have fun!

What this book covers

Chapter 1, Introducing Wireshark, starts with introducing Wireshark, explaining where to locate it for effective network analysis. We will learn how to configure the basic parameters, the start window, the time values, and the coloring rules; and most importantly, we will learn how to use the Preferences window.

Chapter 2, Using Capture Filters, explains how to use capture filters which are used in order to define what data will be captured. This chapter explains how to configure these filters and how to use them in order to capture only the desired data.

Chapter 3, Using Display Filters, explains how to configure display filters which are used in order to display only the desired data, after the data is captured. This chapter explains how to configure these filters and how they can assist us in network troubleshooting.

Chapter 4, Using Basic Statistics Tools, explains how to work with the basic Wireshark statistical features, starting from the simple tables that provide us with "who is talking" information, conversations and HTTP statistics, and others.

Chapter 5, Using Advanced Statistics Tools, explains how to work with the advanced Wireshark statistical features, including the IO graphs and TCP stream graphs that provide us with powerful capabilities for network and application performance analysis.

Chapter 6, Using the Expert Infos Window, explains how to work with the Expert system, which is a powerful tool that pinpoints various types of events, such as TCP retransmissions, zero-window, low TTL and routing loops, out-of-order segments, and other events that might influence the behavior of our network.

Chapter 7, Ethernet, LAN Switching, and Wireless LAN, explains the Ethernet protocol and LAN switching, along with problems that might occur in this layer. It also focuses on Wireless LAN (WiFi), how to test it, and how to resolve problems in these networks.

Chapter 8, ARP and IP Analysis, explains about ARP, IP, and how to analyze IP connectivity and routing problems. This chapter also explains how to find duplicate IP addresses, DHCP problems, and other related issues.

Chapter 9, UDP/TCP Analysis, focuses on the layer 4 protocols, TCP and UDP, with emphasis on TCP performance issues. It provides recipes for locating TCP performance problems, such as retransmissions, duplicate ACKs, sliding-window problems such as window-full and zero-window, resets, and other related issues.

Chapter 10, HTTP and DNS, focuses on DNS, HTTP, and HTTPS. In this chapter, we will see how they work and what can go wrong in these protocols.

Chapter 11, Analyzing Enterprise Applications' Behavior, talks about other applications such as FTP, mail protocols, terminal services, and databases. We will see how they are affected by network problems and how we can solve network-related problems in these applications.

Chapter 12, SIP, Multimedia, and IP Telephony, is about voice and video over IP, including recipes for finding VoIP SIP connectivity problems, RTP/RTCP performance problems, and video problems such as picture freezing and bad picture quality.

Chapter 13, Troubleshooting Bandwidth and Delay Problems, provides recipes for finding problems caused by low-bandwidth, high-delay, and high-jitter networks. The chapter explains the behavior of TCP over high-delay, high-jitter networks, and what we can do in order to improve this behavior.

Chapter 14, Understanding Network Security, focuses on TCP/IP-based network security, and it includes recipes for finding network scanning, SYN attacks, DoS/DDoS, and other attacks that can harm the network. This chapter provides recipes for finding various attack patterns and what causes them.

Appendix, Links, Tools, and Reading, provides references to some useful links from which you can get further information about Wireshark: learning sources, additional software, and so on.

What you need for this book

For working with this book, you will need to install the Wireshark software that can be downloaded from www.wireshark.org.

Who this book is for

This book is aimed at R&D, engineering and technical support, IT, and communication managers who are using Wireshark for network analysis and troubleshooting. It requires basic understanding of the networking concepts, but does not require specific and detailed technical knowledge of the protocols or vendor implementations.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Add the string tcp.window_size to view the TCP window size".

A block of code is set as follows:

[not] primitive [and|or [not] primitive ...] proto [Offset in bytes from the start of the header : Number of bytes to check]

Any command-line input or output is written as follows:

Reply from 173.194.35.148: bytes=32 time=98ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=124ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=134ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=582ms TTL=51
Request timed out.

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "clicking the Next button moves you to the next screen".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.

Chapter 1. Introducing Wireshark

In this chapter you will learn:

Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring coloring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocols preferences

Introduction

In this chapter, we will cover the basic tasks related to Wireshark. In the Preface of this book, we discussed network troubleshooting and the various tools that can help us in the process. After reaching the conclusion that we need to use the Wireshark protocol analyzer, it's time to locate it for testing in the network, to configure it with basic configurations, and to adapt it to be user friendly.

While setting Wireshark for basic data capture is considered to be very simple and intuitive, there are many options that we can use in special cases; for example, when we capture data continuously over a connection and we want to split the capture file into small files, when we want to see names of the devices participating in the connection and not only IP addresses, and so on. In this chapter we will learn how to configure Wireshark for these special cases.

Another important issue is where to locate Wireshark to capture data. Will it be before a firewall or after it? On which side of the router should we connect it? On the LAN side or on the WAN side? What should we expect to receive in each one of them? All these issues and more will be covered in the Locating Wireshark recipe in this chapter, along with recommendations on how to do it.

Another important issue that will be covered in this chapter is how to configure time values, that is, how you would like Wireshark to present the arrival time of captured packets. This is significantly important when we capture data of time-sensitive applications, when it is important to see the timing of packets inside a TCP connection or a UDP flow.

The next recipe will be on file manipulations, that is, how to save the captured data, whether we want to save the whole of it or part of it, save only filtered data, export that data into various formats, merge files (for example, when you want to merge captured files on two different router interfaces), and so on.

One more issue that will be discussed in this chapter is how to configure coloring rules. That is, how to configure Wireshark to present different packets and protocols in different colors. While Wireshark by default has its coloring scheme, we might want to configure it for special cases, for example, to give a special color to a specific protocol that we monitor or to a specific error or event that we expect. The Configuring coloring rules and navigation techniques recipe discusses these issues.

The last two recipes of the chapter will cover the configuration of the Wireshark preferences. These recipes discuss how to configure the user interface, that is, to configure the Wireshark windows, the columns and what to see in each one of them, text formats, and so on, along with specific protocol configurations; for example, which TCP ports should be resolved by default as a proxy service, whether or not to validate a protocol checksum, whether or not to calculate TCP timestamps, how to decode fields in the protocol header, and so on.

Locating Wireshark

After understanding the problem and deciding to use Wireshark, the first step would be to decide where to locate it. For this purpose, we need to have a precise network diagram (at least the part of the network that is relevant to our test).

The principle is to locate the device that you want to monitor, connect your laptop to the same switch that it is connected to, and configure a port mirror or monitor to the monitored device. This operation enables you to see all traffic coming in and out of the monitored device.

You can monitor a LAN port, WAN port, server or router port, or any other device connected to the network.

In the preceding diagram, the Wireshark software (installed on the PC on the left) and the port mirror, also called port monitor (configured on the switch in the direction as in the diagram), will monitor all the traffic coming in and out of server S2. Of course, we can also install Wireshark directly on the server itself, and by doing so, we will be able to watch the traffic directly on the server.

Some LAN switch vendors also enable other features such as:

Monitoring a whole VLAN: We can monitor a server's VLAN, Telephony VLAN, and so on. In this case you will see all the traffic on a specific VLAN.
Monitoring several ports to a single analyzer: We can monitor traffic on servers S1 and S2 together.
Filtering: Filtering means choosing and accordingly configuring whether to monitor incoming traffic, outgoing traffic, or both.

Getting ready

To start working with Wireshark, go to the Wireshark website, and download the latest version of the tool.

An updated version of Wireshark can be found on the website at http://www.wireshark.org/, under the Download heading. Download the latest Wireshark stable release that is available at http://www.wireshark.org/download.html.

Each Wireshark Windows package comes with the latest stable release of WinPcap, which is required for live packet capture. The WinPcap driver is a Windows version of the UNIX Libpcap library for traffic capture.

How to do it...

Let's take a look at the typical network architecture and network devices, how they work, how to configure them when required, and where to locate Wireshark.

Let's have a look at the simple and common network architecture in the preceding diagram.

Monitoring a server

This will be one of the most common requirements that we will have. It can be done by either configuring the port monitor to the server (numbered as 1 in the preceding diagram), or installing Wireshark on the server itself.

Monitoring a router

In order to monitor a router, we can monitor a LAN port (numbered as 2 and 6 in the preceding diagram), or a WAN port (numbered as 5 in the preceding diagram). To monitor a LAN port is easy—simply configure the port monitor to the port you wish to monitor. In order to monitor a WAN port, you can connect a switch between the router port and the Service Provider (SP) network, and configure the port monitor on this switch, as in the following illustration.

Connecting a switch between the router and the service provider is an operation that breaks the connection; however, when you prepare for it, it should take less than a minute.

When monitoring a router, don't forget—not all packets coming in to a router will be forwarded. Some packets can be lost, dropped on the router buffers, or routed back on the same port that they came in from.

Two additional devices that you can use are TAPs and Hubs.

TAPs: Instead of connecting a switch on the link you wish to monitor, you can connect a device called Test Access Point (TAP), which is a simple three-port device that, in this case, will play the same role as that of the switch. The advantage of a TAP over a switch is its simplicity and price. TAPs also forward errors that can be monitored on Wireshark, unlike a LAN switch that drops them. Switches, on the other hand, are much more expensive, take a few minutes to configure, but provide you with additional monitoring capabilities, for example, Simple Network Management Protocol (SNMP). When you troubleshoot a network, it is better to have an available managed LAN switch, even a simple one.

Hubs: You can simply connect a hub in parallel to the link you want to monitor, and since a hub is a half-duplex device, every packet sent between the router and the SP device will be watched on your Wireshark. The biggest con of this method is that the hub itself slows the traffic, and it therefore influences the test. In many cases you also want to monitor 1 Gbps ports, and since there is no hub available for this, you will have to reduce the speed to 100 Mbps, which again will influence the traffic. Therefore, hubs are not commonly used.

Monitoring a firewall

When monitoring a firewall, it differs depending on whether you monitor the internal port (numbered 3 in the diagram) or the external port (numbered 4 in the diagram). On the internal port you will see all the internal addresses and all traffic initiated by the users working in the internal network, while on the external port you will see the external addresses that we go out with (translated by NAT from the internal addresses); you will not see requests from the internal network that were blocked by the firewall. If someone is attacking the firewall from the Internet, you will see it (hopefully) only on the external port.

How it works...

To understand how the port monitor works, it is first important to understand the way that a LAN switch works. A LAN switch forwards packets in the following way:

The LAN switch continuously learns about the MAC addresses of the devices connected to it.
Now, if a packet is sent to a destination MAC, it will be forwarded only to the physical port that the switch knows this MAC address is coming from.
If a broadcast is sent, it will be forwarded to all the ports of the switch.
If a multicast is sent and Cisco Group Management Protocol (CGMP) or Internet Group Management Protocol (IGMP) is disabled, it will be forwarded to all the ports of the switch (CGMP and IGMP are protocols that enable multicast packets to be forwarded only to devices on a specific multicast group).
If a packet is sent to a MAC address that the switch does not know about (which is a very rare case), it will be forwarded to all the ports of the switch.

Therefore, when you configure a port monitor to a specific port, you will see all the traffic coming in and out of it. If you connect your laptop to the network, without configuring anything, you will see only the traffic coming in and out of your laptop, along with broadcasts and multicasts from the network.

There's more...

When capturing data, there are some tricky scenarios that you should be aware of.

One such scenario is monitoring a VLAN. When monitoring a VLAN, you should be aware of several important issues. The first issue is that even when you monitor a VLAN, the packet must physically be transferred through the switch you are connected to, in order to see it. If, for example, you monitor VLAN-10 that is configured across the network, and you are connected to your floor switch, you will not see the traffic that goes from other switches to the servers on the central switch.

This is because when building a network, the users are usually connected to floor switches in single or multiple locations in the floor, that are connected to the building central switch (or two redundant switches). For monitoring all traffic on a VLAN, you have to connect to a switch on which all traffic of the VLAN goes through, and this is usually the central switch.

In the preceding diagram, if you connect Wireshark to Switch SW2, and configure a monitor to VLAN30, you will see all the packets coming in and out of P2, P4, and P5, inside or outside the switch. You will not see packets transferred between devices on SW3 and SW1, or packets between SW1 and SW3.

Another issue when monitoring a VLAN is that you might see duplicate packets. This is because when you monitor a VLAN, and packets are going in and out of the VLAN, you will see the same packet when it comes in, and then again when it goes out of the VLAN.

You can see the reason in the following illustration. When, for example, S4 sends a packet to S2, and you configure the port mirror to VLAN30, you will see the packet once when sent from S4 passing through the switch and entering the VLAN30, and then when leaving VLAN30 and coming to S2.
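The forwarding rules from the How it works... section and the duplicate-frame effect of VLAN mirroring described above, modelled as an added example (this is not the book's or Wireshark's code; the port names, VLAN numbers and MAC addresses are constructed). A toy learning switch forwards one frame at a time and copies frames to an analyzer according to a SPAN session; a port-based session on S2's port yields one copy of an S4-to-S2 frame, a VLAN-based session yields two, and a port with no session at all sees nothing but floods:

```python
"""Added example (not book or Wireshark code): a toy learning switch with a
SPAN/port-mirror session, modelling the forwarding rules of "How it works..."
and the duplicate-frame effect of VLAN mirroring from "There's more...".
Port names, VLAN numbers and MAC addresses are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
S2, S4 = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:04"   # constructed server MACs


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, port_vlan: dict):
        self.port_vlan = port_vlan   # access port -> VLAN
        self.mac_table = {}          # learned MAC -> port
        self.rx_mirror = set()       # ports whose ingress frames are copied to the analyzer
        self.tx_mirror = set()       # ports whose egress frames are copied
        self.captured = []           # (direction, port, src, dst) seen by the analyzer

    def span_port(self, port: str, direction: str = "both") -> None:
        """Port-based SPAN: mirror one port, ingress, egress or both."""
        if direction in ("rx", "both"):
            self.rx_mirror.add(port)
        if direction in ("tx", "both"):
            self.tx_mirror.add(port)

    def span_vlan(self, vlan: int) -> None:
        """VLAN-based SPAN: mirror every port of the VLAN in both directions."""
        for port, member_vlan in self.port_vlan.items():
            if member_vlan == vlan:
                self.span_port(port, "both")

    def forward(self, in_port: str, src: str, dst: str) -> list:
        """Apply the forwarding rules to one frame and return its egress ports."""
        self.mac_table[src] = in_port                # rule 1: learn the source MAC
        if in_port in self.rx_mirror:
            self.captured.append(("rx", in_port, src, dst))
        vlan = self.port_vlan[in_port]
        same_vlan = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        known = self.mac_table.get(dst)
        if is_group_address(dst) or known is None:
            egress = same_vlan                        # rules 3-5: flood broadcast, multicast, unknown
        else:
            egress = [known] if known in same_vlan else []   # rule 2: known unicast
        for port in egress:
            if port in self.tx_mirror:
                self.captured.append(("tx", port, src, dst))
        return sorted(egress)


def copies_seen(mirror_mode: str) -> int:
    """Copies of one S4 -> S2 frame the analyzer sees for the two SPAN styles."""
    sw = Switch({"P1": 30, "P2": 30, "P4": 30, "P5": 30, "P7": 20})
    if mirror_mode == "port":
        sw.span_port("P2")              # mirror only S2's port
    else:
        sw.span_vlan(30)                # mirror the whole VLAN
    sw.forward("P2", S2, BROADCAST)     # the switch learns where S2 and S4 live
    sw.forward("P4", S4, BROADCAST)
    sw.captured.clear()
    sw.forward("P4", S4, S2)
    return len(sw.captured)


if __name__ == "__main__":
    print("port SPAN copies:", copies_seen("port"))   # 1
    print("VLAN SPAN copies:", copies_seen("vlan"))   # 2
```

The `captured` list is what your laptop would see on the analyzer port: without a SPAN session it stays empty, and only flooded frames (broadcast, multicast, unknown unicast) reach a port that is not the frame's destination.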

See also

For information on how to configure the port mirror, refer to the vendor's instructions. It can be called port monitor, port mirror, or SPAN (Switched Port Analyzer from Cisco).

There are also advanced features such as remote monitoring (monitoring a port that is not directly connected to your switch), advanced filtering (such as filtering specific MAC addresses), and so on. There are also advanced switches that have capture and analysis capabilities on the switch itself. It is also possible to monitor virtual ports (for example, LAG or Ether channel groups). For all cases, refer to the vendor's specifications.

Starting the capture of data

In this recipe, we will learn how to start capturing data, and what we will get in various capture scenarios, after we have located Wireshark in the network.

Getting ready

After you install Wireshark on your computer, the only thing to do will be to start the analyzer from the desktop, program files, or the quick start bar.

When you do so, the following window will be opened (Version 1.10.2):

How to do it...

You can start the capture from the upper bar Capture menu, or from the quick-launch bar with the capture symbol, or from the center-left capture window on the Wireshark main screen. There are options that you can choose from.

How to choose the interface to start the capture

If you simply click on the green icon, third to the right, in Wireshark and start the capture, Wireshark will start the capture on the default interface as configured in the software (explained later in the chapter in the recipe Configuring the user interface in the Preferences menu). In order to choose the interface you want to capture on, click on the List the available capture interfaces symbol, and the Wireshark Capture Interfaces window will open.

The best way to see which interface is active is simply to look at the right of the window of the interface on which you see the traffic running. There you will see the number of total Packets seen by Wireshark, and the number of Packets/sec in each interface.

In Wireshark Version 1.10.2 and above, you can choose one or more interfaces for the capture. This can be helpful in many cases; for example, when you have multiple physical NICs, you can monitor the port on two different servers, two ports of a router, or other multiple ports at the same time. A typical configuration is seen in the following screenshot:

How to configure the interface you capture data from

To configure the interface you capture data from, choose Options from the Capture menu. The following window will appear:

In the preceding window you can configure the following parameters:

On the upper side of the window, choose the interface you want to capture the data from.

On the left side of the window, you have the checkbox Use promiscuous mode on all interfaces. When checked, Wireshark will capture all the packets that the computer receives. Unchecking it will capture only packets intended for the computer. In some cases, when this checkbox is checked, Wireshark will not capture data in the wireless interface; so if you start capturing data on the wireless interface and see nothing, uncheck it.

On the mid-left area of the window, you have the Capture Files field. You can write a file name here, and Wireshark will save the captured file under this name, with extensions 0001, 0002, and so on under the path you specify. This feature is extremely important when capturing a large amount of data; for example, when capturing data over a heavily-loaded interface, or over a long period of time. You can tell the software to open a new file after a specific interval of time, file size, or number of packets.

On the bottom left of the window, you have the area marked as Stop Capture Automatically in the preceding screenshot. In this area, you can tell the software to stop capturing data after a specific interval of time, file size, or number of packets.

On the mid-right area of the window, you can change the Display option and select the checkboxes Update list of packets in real time, Automatically scroll during live capture, and Hide capture info dialog, which closes the annoying capture window (a pop up that appears the moment you start capture). In most of the cases you don't have to change anything here.

On the bottom right of the window, you configure the resolving options for MAC addresses, IP DNS names, and TCP/UDP port numbers. The last checkbox, Use external network name resolver, uses the system's configured name resolver (in most of the cases, DNS), to resolve network names.

How it works...

Here the answer is very simple. When Wireshark is connected to a wired or wireless network, there is a software driver that is located between the physical or wireless interface and the capture engine. In Windows we have the WinPcap driver, in Unix platforms the Libpcap driver, and for wireless interfaces we have the AirPcap driver.

There's more...

In cases where the capture time is important, and you wish to capture data on one interface or more, and be time-synchronized with the server you are monitoring, you can use Network Time Protocol (NTP) to synchronize your Wireshark and the monitored servers with a central time source.

This is important in cases when you want to go through the Wireshark capture file in parallel to a server logfile, and look for events that are shown on both. For example, if you see retransmissions in the capture file at the same time as a server or application error on the monitored server, you will know that the retransmissions are because of server errors and not because of the network.

The Wireshark software takes its time from the OS clock (Windows, Linux, and so on). For configuring the OS to work with a time server, go to the relevant manuals of the operating system that you work with.

In Microsoft Windows 7, configure it as follows:

Go to the Control Panel.
Choose Clock, Language, and Region.
Under Date and Time, choose Set the time and date and change to the Internet time tab.
Click on the Change Settings button.
Change the server name or the IP address.

Note

In Microsoft Windows 7 and later versions, there is a default setting for the time server. As long as all devices are tuned to it, you can use it as any other time server.

NTP is a network protocol used for time synchronization. When you configure your network devices (routers, switches, FWs, and so on) and servers to the same time source, they will be time synchronized to this source. The accuracy of the synchronization depends on the accuracy of the time server, which is measured in levels or stratums. The closer the stratum is to 1, the more accurate it will be; stratum 1 is the highest level. Usually you will have levels 2 to 4.

NTP was first standardized in RFC 1059 (NTPv1), and then in RFC 1119 (NTPv2); the common versions in the last years are NTPv3 (RFC1305) and NTPv4 (RFC 5905).

You can get a list of NTP servers on various web sites, among them http://support.ntp.org/bin/view/Servers/StratumOneTimeServers and http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm.
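When you capture the NTP exchange between Wireshark's host and its time source, the stratum, leap indicator and reference ID in the server reply tell you whether that source is actually worth trusting. The following added example (not from the book or from Wireshark) decodes the 48-byte NTPv3/NTPv4 header defined in RFC 1305 and RFC 5905 from a raw UDP payload and lists the reasons a reply should not be used as a time reference; the sample packet is constructed, and the warning rules are the decoder's own, based on the RFC field definitions:

```python
"""Added example (not from the book or from Wireshark): decode the 48-byte
NTPv3/NTPv4 header (RFC 1305 / RFC 5905) from a raw UDP payload and flag
replies a capture should not trust. The sample packet below is constructed."""
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
# flags, stratum, poll, precision, root delay, root dispersion, reference ID,
# reference / originate / receive / transmit timestamps = 48 bytes
HEADER = struct.Struct("!BBbbIIIQQQQ")
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def ntp_timestamp_to_unix(raw: int) -> float:
    """64-bit NTP timestamp: 32-bit seconds since 1900 + 32-bit fraction."""
    seconds, fraction = raw >> 32, raw & 0xFFFFFFFF
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def ntp_timestamp(unix: float) -> int:
    """Inverse of the above, used only to build the constructed sample."""
    whole = int(unix)
    return ((whole + NTP_UNIX_OFFSET) << 32) | int((unix - whole) * 2 ** 32)


def reference_id(stratum: int, raw: int) -> str:
    """Stratum 0/1 carry a 4-char ASCII code (GPS, LOCL, RATE, ...);
    higher strata carry the upstream server's IPv4 address."""
    data = raw.to_bytes(4, "big")
    if stratum <= 1:
        return data.rstrip(b"\x00").decode("ascii", errors="replace")
    return ".".join(str(b) for b in data)


def parse_ntp(payload: bytes) -> dict:
    if len(payload) < HEADER.size:
        raise ValueError(f"NTP header needs {HEADER.size} bytes, got {len(payload)}")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, rx_ts, tx_ts) = HEADER.unpack_from(payload)
    return {
        "leap": flags >> 6,                   # 3 = clock unsynchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "mode_name": MODE_NAMES.get(flags & 0x7, "reserved"),
        "stratum": stratum,                   # 0 = kiss-o'-death/invalid, 16 = unsynchronized
        "poll_seconds": 2 ** poll,
        "precision_seconds": 2 ** precision,
        "root_delay": root_delay / 2 ** 16,   # NTP short format: 16.16 fixed point
        "root_dispersion": root_disp / 2 ** 16,
        "reference_id": reference_id(stratum, ref_id),
        "transmit_time": ntp_timestamp_to_unix(tx_ts),
    }


def trust_warnings(pkt: dict) -> list:
    """Reasons a reply seen in a capture should not be used as a time reference."""
    warnings = []
    if pkt["version"] not in (3, 4):
        warnings.append(f"unexpected NTP version {pkt['version']}")
    if pkt["mode"] == 4 and pkt["stratum"] == 0:
        warnings.append(f"kiss-o'-death from server, code {pkt['reference_id']!r}")
    if pkt["stratum"] >= 16:
        warnings.append("server is unsynchronized (stratum 16)")
    if pkt["leap"] == 3:
        warnings.append("leap indicator 3: server clock not synchronized")
    return warnings


# Constructed sample: an NTPv4 stratum-2 server reply (LI=0, VN=4, mode=4).
SAMPLE_REPLY = HEADER.pack(
    0x24, 2, 6, -20,                  # flags, stratum 2, poll 2^6 s, precision 2^-20 s
    0x0100, 0x0200,                   # root delay ~0.0039 s, root dispersion ~0.0078 s
    0x0A000001,                       # reference ID: upstream server 10.0.0.1 (constructed)
    ntp_timestamp(1699999900.0), ntp_timestamp(1700000000.0),
    ntp_timestamp(1700000000.25), ntp_timestamp(1700000000.5))

if __name__ == "__main__":
    reply = parse_ntp(SAMPLE_REPLY)
    when = datetime.fromtimestamp(reply["transmit_time"], tz=timezone.utc)
    print(reply["mode_name"], "stratum", reply["stratum"], "ref", reply["reference_id"], when)
    print("warnings:", trust_warnings(reply) or "none")
```

The timestamp conversion matters when you line up a capture with server logs: NTP counts seconds from 1900, so the 2208988800-second offset has to be subtracted before the value is comparable with the Unix epoch times Wireshark shows.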

See also

You can get more information about Pcap drivers at:

For WinPcap visit: http://www.winpcap.org
For Libpcap visit: http://www.tcpdump.org

Configuring the start window

In this recipe we will see some basic configurations for the start window. We will talk about configuring the main window, file formats, and viewing options.

Getting ready

Start Wireshark, and you will get the start window. There are several parameters you can change here in order to adapt the capture window to meet your requirements:

Toolbars configuration
Main window configuration
Time format configuration
Name resolution
Colorize packet list
Auto scroll in live capture
Zoom
Columns configuration
Coloring rules

First, let's have a look at the toolbars that are used by the software:

The other toolbars, which are covered in the coming subsections of this recipe, are as follows:

Main Toolbar
Display Filter Toolbar
Status Bar

Main Toolbar

In the main toolbar you have the icons shown in the following screenshot:

The five leftmost symbols are for capture operations, then you have symbols for file operations, zoom and "go to packet" operations, colorize and auto-scroll, zoom and resize, filters, preferences, and help.

Display Filter Toolbar

In the filter toolbar, you have the following fields:

Status Bar

In the status bar on the lower side of the Wireshark window, you can see the data shown in the following screenshot:

In the preceding screenshot you can see the following:

Errors in the expert system
The option to add a comment to the file
The name of the captured file (during capture, it will show you a temporary name assigned by the software)
Total number of captured packets, displayed packets (those which are actually displayed on the screen), and marked packets (those that you have marked).

How to do it...

In this part we will go step by step and configure the main menu.

Configuring toolbars

Usually for regular packet capture, you don't have to change anything. This is different when you want to capture wireless data over the network (not only from your laptop); you will have to enable the wireless toolbar, and this will be done by clicking on it under the view menu, as shown in the following screenshot:

Configuring the main window

To configure the main menu for capturing, you can configure Wireshark to show the following windows:

In most of the cases you will not need to change anything here. In some cases, you can cancel the packet bytes when you don't need to see them, and you will get more "space" for the packet list and details.

Name Resolution

Name Resolution is the translation of layer 2 (MAC addresses), layer 3 (IP addresses), and layer 4 (Port numbers) into meaningful information.

In the preceding screenshot, we see the MAC address 60:d8:19:c7:8e:73 (from Hon Hai Precision Ind., used by Lenovo), the website (that is, Packtpub.com), and the HTTP port number (that is 80).

Colorizing the packet list

Usually you start a capture in order to establish a baseline profile of what normal traffic looks like on your network. During the capture, you look at the captured data and you might find a TCP connection, or IP or Ethernet connectivity, that looks suspect, and you want to see it in another color.

To do so, right-click on the packet that belongs to the conversation you want to color, choose Ethernet, IP, or TCP/UDP (the appearance of TCP or UDP will depend on the packet), and choose the color for the conversation.

In the example you see that we want to color a Transport Layer Security (TLS) conversation.

For canceling the coloring rule:

Go to the View menu.
In the lower part of the menu, choose Reset Coloring 1-10 or simply click on Ctrl + Space bar.

Auto scrolling in live capture

To configure Wireshark to auto-scroll the packets as it captures them, do the following:

Go to the View menu.
Mark the Auto Scroll in Live Capture item.

Zoom

For zooming in and out:

Go to the View menu.
Click on Zoom In or press Ctrl + + to zoom in.
Click on Zoom Out or press Ctrl + - to zoom out.

Using time values and summaries

Time format configuration is about how the time column (second from the left on default configuration) will be presented. In some scenarios, there is a significant importance given to this; for example, in TCP connections that you want to see time intervals between packets, when you capture data from several sources and you want to see the exact time of every packet, and so on.

Getting ready

To configure the time format, go to the View menu, and under Time Display Format you will get the following window:

How to do it...

You can choose from the following options:

Date and Time of Day (the first two options): This will be good to configure when you troubleshoot a network with time-dependent events, for example, when you know about an event that happens at specific times, and you want to look at what happens on the network at the same time.

Seconds Since Epoch: Time in seconds since January 1, 1970. Epoch is an arbitrary date chosen as a reference time for a system, and January 1, 1970 was chosen for Unix and Unix-like systems.

Seconds Since Beginning of Capture: The default configuration.

Seconds Since Previous Captured Packet: This is also a common feature that enables you to see time differences between packets. This can be useful when monitoring time-sensitive traffic (when time differences between packets are important), such as TCP connections, live video streaming, VoIP calls, and so on.

Seconds Since Previous Displayed Packet: This is a useful feature that can be used when you configure a display filter, and only a selected part of the captured data is presented (for example, a TCP stream). In this case, you will see the time difference between the displayed packets, which can be important in some applications.

UTC Date and Time of Day: Provides the date and time of day in UTC.

The lower part of the submenu provides the format of the time display. Change it only if a more accurate measurement is required.

You can also use Ctrl + Alt + any numbered digit key on the keyboard for the various options.

How it works...

This is quite simple. Wireshark works on the system clock and presents the time as it is in the system. By default you see the time since the beginning of capture.

Configuring coloring rules and navigation techniques

Coloring rules define how Wireshark will color protocols and events in the captured data. Working with the coloring rules will help you a lot with network troubleshooting, since you are able to see different protocols in different colors, and you can also configure different colors for different events.

Coloring rules enable you to configure new coloring rules according to various filters. It will help you to configure different coloring schemes for different scenarios and save them in different profiles. In this way you can configure coloring rules for resolving TCP issues, rules for resolving SIP and Telephony problems, and so on.

Tip

You can configure Wireshark Profiles in order to save Wireshark configuration; for example, predefined colors, filters, and so on. To do so, navigate to Configuration Profiles from the Edit menu.

Getting ready

To start with the coloring rules, proceed as follows:

Go to the View menu.
On the lower part of the menu, choose Coloring Rules. You will get the following window:

How to do it...

We will now move on to the coloring rules:

Click on the New button, and you will get the following window:

In order to configure a new coloring rule, follow these steps:

In the Name field, fill in the name of the rule. For example, fill in NTP for the Network Time Protocol.In the String