Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.
1. Install Wireshark:
2. Run Wireshark
3. Capture-> Interfaces
a. How many interfaces does your system have?
This system has nine interfaces.
b. Identify the IP address of “lo” interface.
The IP address of “lo” interface is: 127.0.0.1
4. Go to Capture->Options menu.
a. Check “eth0” interface and uncheck all other interfaces:
b. Uncheck “Use promiscuous mode on all interfaces”:
5. Do packet capturing by clicking Capture->Start button. Now, the captured packets are shown in the center window. Browse one or more websites. After a while (15 to 20 seconds), stop capturing (Capture->Stop button).
a. What is promiscuous mode of operation?
In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).
In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode is often used to monitor network activity.
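Because a sniffer has to put the adapter into promiscuous mode to see traffic not addressed to it, the flag itself is a useful host-side signal for a defender. The following added example (not from the original lab) decodes the interface flags that Linux exposes as a hex string in /sys/class/net/<iface>/flags and reports any interface with the IFF_PROMISC bit (0x100, from <linux/if.h>) set. The sample flag values in the block are constructed, not read from a real host.

```python
"""Report which network interfaces are in promiscuous mode.

Added example, not from the original lab. On Linux the flags of an interface are
readable as a hex string from /sys/class/net/<iface>/flags; IFF_PROMISC (0x100)
is set while a capture tool holds the adapter in promiscuous mode, so a cheap
defensive check is to look for that bit on every interface.
"""
import os

# Flag bits from <linux/if.h>; only those useful for this check.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING",
    IFF_PROMISC: "PROMISC",
    IFF_MULTICAST: "MULTICAST",
}


def decode_flags(raw):
    """Turn the hex string from /sys/class/net/<iface>/flags into flag names."""
    value = int(raw.strip(), 16)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_promiscuous(raw):
    """True if the PROMISC bit is set in the raw flags string."""
    return "PROMISC" in decode_flags(raw)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Names of interfaces whose PROMISC bit is set.

    Reads the real sysfs tree by default; pass another directory with the same
    <iface>/flags layout to check recorded values offline.
    """
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        flags_path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(flags_path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return found


if __name__ == "__main__":
    # Constructed sample values (not read from a real host): "lo" up and
    # looped back, "eth0" up, running and promiscuous.
    for name, raw in (("lo", "0x9"), ("eth0", "0x1143")):
        print(name, decode_flags(raw))
    print("live promiscuous interfaces:", promiscuous_interfaces())
```

The same information is shown by `ip link` as the PROMISC keyword; on a workstation that should not be running a capture tool, an interface with that flag set is worth a look.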
b. There are several protocol packets captured by your system. Write down the names of five of them.
i. DNS – Domain Name System
ii. TCP – Transmission Control Protocol
iii. HTTP – Hypertext Transfer Protocol
iv. TLSv1.2 – Transport Layer Security Version 1.2
v. OCSP – Online Certificate Status Protocol
6. Filters – There are display filters and capture filters. Display filters can be used on already captured packets. Specify any one of the following items in the display filter and press “Apply”.
Observations: Only TCP packets and the protocols carried over TCP (TCP, HTTP, TLSv1.2, OCSP) are displayed; all other packets are hidden.
Observations: Only packets of UDP-based protocols, such as DNS, are displayed; all other packets are hidden. The filtering affects the display only: every captured packet is still present.
7. Capture filters are used to restrict the type of packets that are captured at all. Capture filters are specified in Capture->Options by typing in the “Capture Filter” textbox. For each of the following filters, type it into the Capture Filter text box and start a new capture. Note your observations.
Observations: Only packets carried over TCP are captured.
Observations: Only packets carried over UDP are captured.
c. tcp port 22
Observations: No packets are captured (port 22 is SSH, which was not used in this case).
8. Coloring rules – Depending on the protocol (IP, TCP, ARP, etc.) the color of a packet is different. These rules can be changed accordingly (View->Coloring Rules).
9. By observing the packets in Wireshark, identify your own IP address and the IP address of the website you visited:
My Machine IP Address: 10.0.2.15
Yahoo.com’s IP address: 22.214.171.124
10. Saving the output while capturing: After stopping the capture, do it from File->Save As:
a. Close the file and try to open the pcap file in Wireshark:
1. Type the following filter commands in the filter bar and click on “Apply” button. Note your observations.
a. ip.addr == Your IP address
Only packets with 10.0.2.15 as either the source or the destination address are displayed.
b. ip.src == Your IP address
Only packets with 10.0.2.15 as the source address are displayed.
c. ip.dst == Your IP address
Only packets with 10.0.2.15 as the destination address are displayed.
d. dns and http
No packet is displayed, because each packet carries only one transport protocol, UDP or TCP: DNS uses UDP whereas HTTP uses TCP, so no single packet is both DNS and HTTP.
e. tcp.port == 443
Only TCP packets with port 443 as the source or destination port are displayed.
g. !(arp or dns or icmp)
All packets except ARP, DNS and ICMP are displayed.
h. tcp contains facebook
All TCP packets whose bytes contain the string “facebook” are displayed.
i. udp contains facebook
All UDP packets whose bytes contain the string “facebook” are displayed.
All HTTP request packets sent from the PC are displayed.
k. http.response.code == 200
The HTTP response packets with status code 200 (the server fulfilled the request successfully) are displayed, but not the content itself.
l. tcp.flags.syn == 1
Displays all TCP packets with the SYN flag set.
m. tcp.flags.reset == 1
Displays all TCP packets with the RST flag set.
n. sip && rtp
No packets are displayed, because a packet belongs either to the Session Initiation Protocol (SIP) or to the Real-time Transport Protocol (RTP), never both: the session is first set up by SIP, and the media is then carried by RTP.
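The observations above all follow from a few rules of the display-filter language: a bare protocol name tests for the presence of that layer, `ip.addr` and `tcp.port` match either direction, `==` is true if any occurrence of the field matches, and `contains` is a byte-string search. The following added example (not Wireshark's code, and not part of the original lab) implements just that subset of the language and runs the exercise's filters over a constructed nine-packet capture. The address 10.0.2.15 comes from the lab; 10.0.2.2, 10.0.2.3 and 203.0.113.10 are constructed. Note that a capture filter such as `tcp port 22` is different in kind: it is compiled to BPF and applied by the kernel before a packet is stored, whereas this evaluator models the post-capture display filter.

```python
"""Evaluator for the subset of Wireshark's display-filter language used in
this exercise, applied to constructed packet summaries.

Added example, not Wireshark's code. Supported: protocol/field presence,
`==`, `contains`, and/&&, or/||, not/!, parentheses. A packet summary is a
dict mapping a field name to the list of values it has in that packet.
"""
import re

TOKEN_RE = re.compile(r"==|&&|\|\||!|\(|\)|[A-Za-z0-9_.:]+")  # whitespace is skipped


def parse(text):
    """Recursive-descent parse of a filter string into a nested tuple tree."""
    toks, pos = TOKEN_RE.findall(text), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def expr():                       # `or` binds loosest
        node = term()
        while peek() in ("or", "||"):
            take()
            node = ("or", node, term())
        return node

    def term():                       # then `and`
        node = factor()
        while peek() in ("and", "&&"):
            take()
            node = ("and", node, factor())
        return node

    def factor():                     # then `not`, parentheses, comparisons
        tok = peek()
        if tok in ("not", "!"):
            take()
            return ("not", factor())
        if tok == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % text)
            return node
        field = take()
        if peek() in ("==", "contains"):
            op = take()
            return (op, field, take())
        return ("present", field)     # bare name: the protocol or field exists

    tree = expr()
    if peek() is not None:
        raise ValueError("unexpected %r in %r" % (peek(), text))
    return tree


def matches(node, pkt):
    """Evaluate a parsed filter against one packet summary."""
    op = node[0]
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    values = pkt.get(node[1], [])
    if op == "present":
        return bool(values)
    if op == "==":                    # true if ANY occurrence of the field matches
        return any(str(v) == node[2] for v in values)
    needle = node[2].encode()         # contains: substring search over the bytes
    return any(needle in (v if isinstance(v, bytes) else str(v).encode()) for v in values)


def apply_filter(text, packets):
    """Frame numbers that the display filter keeps."""
    tree = parse(text)
    return [p["frame.number"][0] for p in packets if matches(tree, p)]


def packet(num, layers, fields):
    """Summary from layers (protocol name -> bytes of that layer, b'' when
    irrelevant) and fields (Wireshark field name -> value)."""
    pkt = {"frame.number": [num]}
    pkt.update((name, [data]) for name, data in layers.items())
    pkt.update((name, [value]) for name, value in fields.items())
    if "ip.src" in pkt:               # ip.addr / tcp.port match either direction
        pkt["ip.addr"] = pkt["ip.src"] + pkt["ip.dst"]
    if "tcp.srcport" in pkt:
        pkt["tcp.port"] = pkt["tcp.srcport"] + pkt["tcp.dstport"]
    return pkt


def ip_pkt(num, proto, src, dst, sport, dport, payload=b"", **more):
    """Constructed IPv4 packet; extra layers are bytes, extra fields use '_' for '.'."""
    layers = {"eth": b"", "ip": b"", proto: payload}
    fields = {"ip.src": src, "ip.dst": dst, proto + ".srcport": sport, proto + ".dstport": dport}
    for key, value in more.items():
        (layers if isinstance(value, bytes) else fields)[key.replace("_", ".")] = value
    return packet(num, layers, fields)


ME, SRV, RESOLVER, GW = "10.0.2.15", "203.0.113.10", "10.0.2.3", "10.0.2.2"
CAPTURE = [  # constructed sample capture, not a real trace
    ip_pkt(1, "udp", ME, RESOLVER, 51000, 53, b"\x08facebook\x03com", dns=b""),
    ip_pkt(2, "udp", RESOLVER, ME, 53, 51000, b"\x08facebook\x03com", dns=b""),
    ip_pkt(3, "tcp", ME, SRV, 44000, 443, tcp_flags_syn=1),
    ip_pkt(4, "tcp", SRV, ME, 443, 44000, tcp_flags_syn=1),
    ip_pkt(5, "tcp", ME, SRV, 44002, 80, b"GET / HTTP/1.1\r\nHost: facebook.com\r\n", http=b""),
    ip_pkt(6, "tcp", SRV, ME, 80, 44002, b"HTTP/1.1 200 OK\r\n", http=b"", http_response_code=200),
    ip_pkt(7, "tcp", SRV, ME, 80, 44002, tcp_flags_reset=1),
    packet(8, {"eth": b"", "ip": b"", "icmp": b""}, {"ip.src": ME, "ip.dst": GW}),
    packet(9, {"eth": b"", "arp": b""}, {}),
]

if __name__ == "__main__":
    for f in ("ip.addr == 10.0.2.15", "ip.src == 10.0.2.15", "dns and http", "tcp.port == 443",
              "!(arp or dns or icmp)", "tcp contains facebook", "udp contains facebook",
              "http.response.code == 200", "tcp.flags.syn == 1", "sip && rtp"):
        print("%-26s -> frames %s" % (f, apply_filter(f, CAPTURE)))
```

Running it shows, for instance, that `tcp.port == 443` keeps both the SYN and the SYN-ACK because the port is matched in either direction, that `udp contains facebook` matches the DNS query and reply because the queried name travels in the UDP payload, and that `dns and http` and `sip && rtp` keep nothing at all.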
Statistics in Wireshark
1. Start a new capture in Wireshark.
2. Browse a couple of websites.
3. Stop the capture after a while (30 to 40 seconds).
4. Explore Statistics -> Endpoints to identify entities involved in capture.
a. How many Ethernet endpoints are visible? Is your PC’s MAC address part of the Ethernet endpoints?
Two Ethernet endpoints are visible.
Yes, my PC’s MAC address is one of the Ethernet endpoints.
b. How many IP addresses are visible? Is your PC’s IP address part of the IPv4 endpoints?
There are 30 IP addresses visible in total.
Yes, my PC’s IP address is part of the IPv4 endpoints.
5. Explore Statistics->Conversations to cover flows (pairs of endpoints).
a. Sort on different columns in the TCP tab, e.g. Duration, Packets, Address A, Rel Start.
b. Experiment with “Follow Stream” button on the popup dialog which adds a Display filter.
6. Explore Statistics -> Flow Graph to understand the sequence of events for the filtered capture.
7. Explore Statistics -> Packet Lengths to get a list of packet size ranges and their statistics.
8. Explore Statistics -> IO Graph for the complete communication, and again after filtering for TCP communication.
a. Compare two TCP flows, e.g. streams 6 and 4 below.
b. Observe the time slider below the graph.
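The Endpoints, Conversations and Packet Lengths dialogs are all simple aggregations over the frames in the capture, and rebuilding them by hand makes the numbers above easier to interpret. The following added example (not Wireshark's code, and not part of the original lab) recomputes the three tables from a constructed list of nine frames: the MAC addresses, timestamps, lengths and the remote addresses 203.0.113.10 and 198.51.100.7 are constructed, while 10.0.2.15 is the lab's own address. The frames are deliberately shaped like traffic from a NAT'd virtual machine, where every remote IP sits behind the single gateway MAC; that is why a capture can show just two Ethernet endpoints but many IPv4 endpoints, as in the observations above.

```python
"""Recompute Wireshark's Statistics -> Endpoints, Conversations and Packet
Lengths tables from a constructed frame list. Added example, not Wireshark code."""
from collections import defaultdict

# Constructed frames: (time, src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, length)
ME, MY_MAC, GW_MAC = "10.0.2.15", "08:00:27:aa:bb:cc", "52:54:00:12:35:02"
FRAMES = [
    (0.000, MY_MAC, GW_MAC, ME, "10.0.2.3", "udp", 51000, 53, 74),        # DNS query
    (0.012, GW_MAC, MY_MAC, "10.0.2.3", ME, "udp", 53, 51000, 90),        # DNS reply
    (0.020, MY_MAC, GW_MAC, ME, "203.0.113.10", "tcp", 44000, 443, 74),   # SYN
    (0.045, GW_MAC, MY_MAC, "203.0.113.10", ME, "tcp", 443, 44000, 74),   # SYN-ACK
    (0.046, MY_MAC, GW_MAC, ME, "203.0.113.10", "tcp", 44000, 443, 66),   # ACK
    (0.050, MY_MAC, GW_MAC, ME, "203.0.113.10", "tcp", 44000, 443, 583),  # Client Hello
    (0.110, GW_MAC, MY_MAC, "203.0.113.10", ME, "tcp", 443, 44000, 1514), # Server Hello
    (0.300, MY_MAC, GW_MAC, ME, "198.51.100.7", "tcp", 44002, 443, 74),   # second SYN
    (0.340, GW_MAC, MY_MAC, "198.51.100.7", ME, "tcp", 443, 44002, 74),   # its SYN-ACK
]

# Bin edges of the Packet Lengths dialog (assumed from Wireshark's default bins).
LENGTH_BINS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
               (640, 1279), (1280, 2559), (2560, 5119), (5120, None)]


def endpoints(frames, layer):
    """Endpoints table for layer 'eth' (MAC) or 'ip' (IPv4): packets and
    bytes seen by each address, split into transmitted and received."""
    src_i, dst_i = (1, 2) if layer == "eth" else (3, 4)
    table = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_packets": 0, "rx_packets": 0})
    for f in frames:
        for addr, direction in ((f[src_i], "tx_packets"), (f[dst_i], "rx_packets")):
            row = table[addr]
            row["packets"] += 1
            row["bytes"] += f[8]
            row[direction] += 1
    return dict(table)


def conversations(frames, proto):
    """Conversations table for one transport protocol. The key is the
    address/port pair, ordered so that direction does not matter, with
    Wireshark's Rel Start and Duration columns computed from timestamps."""
    convs = {}
    for t, _, _, src, dst, p, sport, dport, size in frames:
        if p != proto:
            continue
        a, b = sorted([(src, sport), (dst, dport)])
        c = convs.setdefault((a, b), {"packets": 0, "bytes": 0, "a_to_b": 0,
                                      "b_to_a": 0, "rel_start": t, "duration": 0.0})
        c["packets"] += 1
        c["bytes"] += size
        c["a_to_b" if (src, sport) == a else "b_to_a"] += 1
        c["duration"] = round(t - c["rel_start"], 3)
    return convs


def packet_lengths(frames):
    """Packet Lengths table: number of frames per size range (empty bins omitted)."""
    counts = {}
    for f in frames:
        for lo, hi in LENGTH_BINS:
            if f[8] >= lo and (hi is None or f[8] <= hi):
                label = "%d-%d" % (lo, hi) if hi is not None else "%d and greater" % lo
                counts[label] = counts.get(label, 0) + 1
                break
    return counts


if __name__ == "__main__":
    print("Ethernet endpoints:", len(endpoints(FRAMES, "eth")))
    print("IPv4 endpoints:", len(endpoints(FRAMES, "ip")))
    for key, row in conversations(FRAMES, "tcp").items():
        print("TCP", key, row)
    print("Packet lengths:", packet_lengths(FRAMES))
```

With these frames the Ethernet table has two rows while the IPv4 table has four, the TCP tab lists two conversations (one with five packets lasting 0.09 s, one with two), and the Packet Lengths table puts most frames in the 40-79 byte bin with one large frame in 1280-2559.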