Wireshark Lecture

Jul 11, 2024

Wireshark Lecture Notes

Introduction to Wireshark

  • Wireshark is a powerful tool for network analysis and troubleshooting.
  • It allows real-time capture and deep inspection of network traffic across various protocols (Ethernet, Wi-Fi, Bluetooth, etc.).
  • Useful for tech professionals, security analysts, and students studying networking.

Features of Wireshark

Platform Compatibility

  • Works on major operating systems: Windows, Linux, Mac OS, Unix.

Core Functionalities

  • Live Packet Capture: Capture network data in real time.
  • Data Import: Analyze captures from other tools like TCPDUMP, Windump, TShark.
  • Hex Dumps: Import and analyze hex dumps.
  • Data Export: Export captured data in various formats.
  • Detailed Packet Analysis: Provides extensive protocol information.
  • Filtering and Searching: Filter packets and search for specific types of traffic.
  • Statistics and Graphs: Generate graphs and stats based on captured data.
  • Decrypted Data: Can decode encrypted data if necessary information is available.

Getting Wireshark

Installation

  • Download from Wireshark's website for Windows and Mac OS.
  • Kali Linux users have Wireshark pre-installed.

Opening Wireshark

  • For Kali Linux: Open via Applications Menu -> Sniffing & Spoofing -> Wireshark or use terminal command wireshark.

Choosing the Right Interface

  • Select the network interface to capture data from.
  • Wireshark automatically detects and lists active interfaces.

Understanding Network Protocols

  • Knowledge of network protocols is essential for effective use of Wireshark.
  • Video guide available for learning networking protocols.

Wireshark Interface Overview

Key Components

  • Menu Bar: Central command center for all tools and options.
  • Toolbar: Quick access to common tools like start/stop capture.
  • Filter Pane: Enter specific criteria to filter captured packets.
  • Packet List Pane: Displays all captured packets.
  • Packet Details Pane: Provides an in-depth look at selected packets.
  • Bytes Pane: Shows raw data in hexadecimal and ASCII representation.
  • Status Bar: Displays real-time updates and summary information.

Troubleshooting

  • No Packet Capture: Might be due to lack of network traffic, network packets not intended for your device, or promiscuous mode not activated.

Performing Your First Capture

  • Open Wireshark and select an interface.
  • Perform some network activity (e.g., browsing) to generate traffic.
  • Save the capture data for later analysis or sharing.

Filters in Wireshark

Types of Filters

  • Capture Filters: Specify criteria for capturing specific packets while ignoring others.
  • Display Filters: Hide irrelevant packets post-capture for easier analysis.

Common Display Filters

  • tcp: Shows only TCP traffic.
  • udp: Shows only UDP traffic.
  • http: Shows only HTTP traffic.
  • ip.addr == 192.168.1.1: Show packets involving a specific IP address.
  • tcp.port == 80: Focus on packets through a specific port.
  • Logical Operators: and, or, not for complex filters.

Customization

Traffic Colorization

  • Highlight different types of traffic with various colors.
  • Access default color rules or create custom rules.

Profiles

  • Create profiles for customized settings (filters, preferences, color rules).
  • Profiles can be easily imported/exported.

Statistics and Analysis Tools

Capture File Properties

  • Provides detailed info about captured packets, capture hardware, and more.

Protocol Hierarchy

  • Breaks down and shows the percentage distribution of different protocols in the captured data.
  • Helps in identifying unusual activities.

Conversations Window

  • Displays details about conversations between network devices.
  • Helps identify devices using most bandwidth.

Endpoints Dialog

  • Shows details about network endpoints (devices).
  • Helps pinpoint devices causing unusual network activity.

Packet Length Analysis

  • Indicates data size within packets.
  • Important for monitoring network performance and identifying issues.

IO Graphs

  • Visual representation of network traffic over time.
  • Can filter to show specific types of traffic like UDP or TCP.

DHCP, DNS, and Protocol Specific Analysis

  • Gather and analyze protocol-specific data.

TCP and UDP Protocol Analysis

  • Detailed study of protocols, including TCP 3-way handshake, troubles, and anomaly detection.
  • Useful for troubleshooting common issues and detecting security threats.

Conclusion

  • Practice and additional resources are key to mastering Wireshark. Future videos will cover more detailed protocol analysis.

Final Tips

  • Customize Wireshark environment to suit your specific needs.
  • Continuous monitoring and vigilance necessary for maintaining network security and efficiency.