Internet Traffic Monitoring and Analysis: Wireshark Tutorial
Kevin Curran
Ulster University
What is Wireshark?
The De-Facto Network Protocol Analyzer
Open-Source (GNU Public License)
Multi-platform (Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others)
Easily extensible
Large development group
Previously Named “Ethereal”
Features
Deep inspection of thousands of protocols
Live capture and offline analysis
Standard three-pane packet browser
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript®, CSV, or plain text
What is Wireshark?
What we can do:
Capture network traffic
Decode packet protocols using dissectors
Define filters – capture and display
Watch smart statistics
Analyze problems
Interactively browse that traffic
Some examples people use Wireshark for:
Network administrators: troubleshoot network problems
Network security engineers: examine security problems
Developers: debug protocol implementations
People: learn network protocol internals
Interfaces
The three panes: Packet List, Packet Details, Packet Bytes
Capturing Packets (1/3)
Capturing Packets (2/3)
Capture options dialog callouts:
Capture all packets on the network
Buffer size – in order not to fill your laptop disk
Capture filter
Display options
Capture in multiple files
Name resolution options
When to automatically stop the capture
Capturing Packets (3/3)
Example (W-LAN): Received Signal Strength Indication (RSSI) and Link speed (BW)
Analyzing Packets (1/9)
Ethernet Frame Example
Analyzing Packets (2/9)
IP Packet Example
Analyzing Packets (3/9)
TCP Packet Example
Analyzing Packets (4/9)
TCP 3-way Handshake
SYN
SYN, ACK
ACK
Analyzing Packets (5/9)
Flow Graph
Giving us a graphical flow, for better understanding of what we see
Analyzing Packets (6/9)
Flow Graph
Analyzing Packets (7/9)
Filtering Specific TCP Stream
Analyzing Packets (8/9)
Filtering Specific TCP Stream
Analyzing Packets (9/9)
RTP Stream Analysis
Stable stream BW
Filtering Packets (1/4)
Applying Filter when Capturing Packets: Capture Interfaces Options
Filtering Packets (2/4)
Applying Filter when Analyzing Packets
Filtering Packets (3/4)
Capture only traffic to or from IP address 172.18.5.4
• host 172.18.5.4
Capture traffic to or from a range of IP addresses
• net 192.168.0.0/24
• net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses
• src net 192.168.0.0/24
• src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses
• dst net 192.168.0.0/24
• dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic
• port 53
Capture non-HTTP and non-SMTP traffic on your server
• host www.example.com and not (port 80 or port 25)
• host www.example.com and not port 80 and not port 25
Capture everything except ARP and DNS traffic
• port not 53 and not arp
Capture traffic within a range of ports (tcp[0:2] is the source port, tcp[2:2] the destination port)
• (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
• tcp portrange 1501-1549
Capture only Ethernet type EAPOL
• ether proto 0x888e
Capture only IP traffic
(the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP)
• ip
Capture only unicast traffic
(useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements)
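The following Python example is added for this tutorial; it is not part of the original slides, of Wireshark or of libpcap. It builds a constructed Ethernet/IPv4/TCP frame (made-up addresses, checksums left at zero), decodes the fields shown in the Ethernet, IP and TCP slides and the 3-way handshake, and emulates libpcap's proto[offset:length] byte accessor so you can see exactly which bytes a capture filter such as tcp[2:2] tests: tcp[0:2] is the source port, tcp[2:2] the destination port, and tcp[4:2] is the upper half of the sequence number, not a port. build_frame, bpf_field, tcp_portrange and handshake_step are example helpers, not Wireshark or libpcap APIs.

```python
import struct

# Constructed Ethernet II / IPv4 / TCP frame (not a captured packet; checksums
# are left at zero because nothing here verifies them).
ETH_DST = bytes.fromhex("001122334455")
ETH_SRC = bytes.fromhex("66778899aabb")
SYN, ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, src_port, dst_port, seq, ack, flags):
    """Build a 54-byte frame: 14 B Ethernet + 20 B IPv4 + 20 B TCP (no options, no payload)."""
    eth = ETH_DST + ETH_SRC + struct.pack("!H", 0x0800)            # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,        # IHL=5, total len 40, DF, TTL 64, proto 6 (TCP)
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)              # data offset 5 words, flags, window 65535
    return eth + ip + tcp


def bpf_field(frame, proto, offset, length=1):
    """Emulate libpcap's proto[offset:length]: read `length` bytes at `offset`
    from the start of the named header and return them as a big-endian integer."""
    base = {"ether": 0, "ip": 14, "tcp": 14 + (frame[14] & 0x0F) * 4}[proto]
    return int.from_bytes(frame[base + offset:base + offset + length], "big")


def tcp_portrange(frame, lo, hi):
    """Equivalent of the capture filter 'tcp portrange lo-hi': IPv4/TCP and either
    the source port (tcp[0:2]) or the destination port (tcp[2:2]) within [lo, hi]."""
    if bpf_field(frame, "ether", 12, 2) != 0x0800 or bpf_field(frame, "ip", 9) != 6:
        return False
    return any(lo <= bpf_field(frame, "tcp", off, 2) <= hi for off in (0, 2))


def handshake_step(frame):
    """Name the 3-way handshake step from the TCP flags byte (tcp[13])."""
    flags = bpf_field(frame, "tcp", 13)
    if flags & SYN:
        return "SYN, ACK" if flags & ACK else "SYN"
    return "ACK" if flags & ACK else "other"


def summarize(frame):
    """The fields the Packet Details pane would show for this frame."""
    return {
        "src": ".".join(str(b) for b in frame[26:30]),   # IPv4 source at Ethernet(14) + 12
        "dst": ".".join(str(b) for b in frame[30:34]),   # IPv4 destination at Ethernet(14) + 16
        "sport": bpf_field(frame, "tcp", 0, 2),
        "dport": bpf_field(frame, "tcp", 2, 2),
        "seq_hi16": bpf_field(frame, "tcp", 4, 2),       # what tcp[4:2] really reads: top half of the sequence number
        "step": handshake_step(frame),
    }


if __name__ == "__main__":
    client, server = "192.168.0.10", "172.18.5.4"       # constructed addresses
    handshake = [
        build_frame(client, server, 1505, 80, 1000, 0, SYN),
        build_frame(server, client, 80, 1505, 5000, 1001, SYN | ACK),
        build_frame(client, server, 1505, 80, 1001, 5001, ACK),
    ]
    for f in handshake:
        s = summarize(f)
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}  {s['step']}"
              f"  portrange 1501-1549: {tcp_portrange(f, 1501, 1549)}")
```

Running the block prints the three handshake frames as the Packet List would summarize them; all three match tcp portrange 1501-1549 because the client port 1505 appears as source or destination in each direction.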
Saving and Manipulating Packets (1/3)
Save only displayed packets
Saving and Manipulating Packets (2/3)
Export to CSV file
Exported CSV File
Packet Statistics
Protocol Hierarchy / Conversations
Traffic between two specific endpoints
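An added Python example (not from the slides or from the Wireshark project) that reads a CSV file in the column layout Wireshark produces with Export Packet Dissections > As CSV and recomputes two of the statistics shown here offline: packets and bytes per protocol (the leaf rows of the Protocol Hierarchy) and the Conversations table keyed by endpoint pair, plus a filter for traffic between two specific endpoints (the display-filter equivalent of ip.addr==A && ip.addr==B). The CSV rows are constructed for the example; addresses, transaction IDs and Info strings are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of Wireshark's CSV export
# (No., Time, Source, Destination, Protocol, Length, Info). Made up for this
# example, not taken from a real capture.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.0.10","172.18.5.4","TCP","74","1505 > 80 [SYN] Seq=0 Win=65535"
"2","0.010512","172.18.5.4","192.168.0.10","TCP","74","80 > 1505 [SYN, ACK] Seq=0 Ack=1"
"3","0.010600","192.168.0.10","172.18.5.4","TCP","66","1505 > 80 [ACK] Seq=1 Ack=1"
"4","0.011000","192.168.0.10","172.18.5.4","HTTP","512","GET / HTTP/1.1"
"5","0.020000","172.18.5.4","192.168.0.10","HTTP","1514","HTTP/1.1 200 OK (text/html)"
"6","0.100000","192.168.0.10","192.168.0.1","DNS","78","Standard query 0x1a2b A www.example.com"
"7","0.102000","192.168.0.1","192.168.0.10","DNS","94","Standard query response 0x1a2b A 203.0.113.7"
"8","0.500000","192.168.0.10","192.168.0.255","NBNS","92","Name query NB WORKGROUP<1d>"
'''


def load_packets(csv_text):
    """Parse the exported CSV into a list of packet dicts with typed fields."""
    packets = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        packets.append({
            "no": int(r["No."]), "time": float(r["Time"]),
            "src": r["Source"], "dst": r["Destination"],
            "proto": r["Protocol"], "length": int(r["Length"]), "info": r["Info"],
        })
    return packets


def protocol_stats(packets):
    """Packets and bytes per top-level protocol, like the leaf rows of Protocol Hierarchy."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        stats[p["proto"]]["packets"] += 1
        stats[p["proto"]]["bytes"] += p["length"]
    return dict(stats)


def conversations(packets):
    """Group traffic by unordered endpoint pair, as in Statistics > Conversations (IPv4 tab).
    Endpoint A is the lexically smaller address so both directions land in one row."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0,
                                 "start": None, "end": None})
    for p in packets:
        a, b = sorted((p["src"], p["dst"]))
        c = convs[(a, b)]
        c["packets"] += 1
        c["bytes"] += p["length"]
        c["a_to_b" if p["src"] == a else "b_to_a"] += p["length"]
        c["start"] = p["time"] if c["start"] is None else min(c["start"], p["time"])
        c["end"] = p["time"] if c["end"] is None else max(c["end"], p["time"])
    return dict(convs)


def between(packets, host_a, host_b):
    """Traffic between two specific endpoints: both addresses must appear as src/dst."""
    pair = {host_a, host_b}
    return [p for p in packets if {p["src"], p["dst"]} == pair]


if __name__ == "__main__":
    pk = load_packets(SAMPLE_CSV)
    for proto, s in sorted(protocol_stats(pk).items()):
        print(f"{proto:6} {s['packets']:3} packets {s['bytes']:6} bytes")
    for (a, b), c in conversations(pk).items():
        print(f"{a} <-> {b}: {c['packets']} packets, {c['bytes']} bytes, "
              f"{c['start']:.3f}s .. {c['end']:.3f}s")
    print("between client and DNS server:", [p["no"] for p in between(pk, "192.168.0.10", "192.168.0.1")])
```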
Packet Statistics
I/O Graphs: Configurable Options
• Graph 1-5: enable the specific graph 1-5 (graph 1 by default)
• Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
• Style: the style of the graph (Line/Impulse/FBar/Dot)
X Axis
• Tick interval: how long one interval in the x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
• Pixels per tick: use 10/5/2/1 pixels per tick interval
• View as time of day: option to view x direction labels as time of day instead of seconds or minutes since the beginning of the capture
Y Axis
• Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
• Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, ...)
Packet Statistics
TCP Stream Graph: Round-Trip Time Graph
RTT vs. sequence numbers gives us the time it takes to ACK every packet.
Large variations can cause DUP ACKs and even retransmissions.
This usually happens on communication lines:
Over the Internet
Over cellular networks
Packet Statistics
TCP Stream Graph: Time / Sequence Graph (two example graphs; axes: Seq No [B] vs. Time [Sec])
Time / Sequence represents how sequence numbers advance with time.
In a good connection (like in the first example), the line will be linear.
The angle of the line indicates the speed of the connection. In this example – fast connection.
In the second example, we see a non-contiguous graph.
Can be due to:
Severe packet loss
Server response (processing) time
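Added Python example, not part of the original tutorial, serving the I/O Graph options and the RTT and Time/Sequence graphs above. It takes a constructed single-flow TCP trace (times in milliseconds, made up: a client sends 100-byte segments and the server answers with pure ACKs; one segment is lost once) and computes what those graphs plot: packets per tick, the (time, sequence) points of the Time/Sequence graph, the per-segment RTT, and the duplicate ACKs and retransmission that a lost segment produces. The detection is a deliberate simplification of Wireshark's tcp.analysis logic: a data segment that does not advance the highest sequence number seen is counted as a retransmission (reordering is ignored), and retransmitted segments get no RTT sample because it is ambiguous which copy was acknowledged.

```python
# Constructed one-flow TCP exchange, times in milliseconds since the start of
# capture. Made up for this example, not a real capture.
CLIENT, SERVER = "C>S", "S>C"
PACKETS = [
    # (time_ms, direction, seq, ack, payload_len)
    (0,   CLIENT, 1,   1,   100),
    (50,  SERVER, 1,   101, 0),     # ACKs seq 1..100, RTT 50 ms
    (60,  CLIENT, 101, 1,   100),
    (70,  CLIENT, 201, 1,   100),   # this copy is lost on the wire
    (120, SERVER, 1,   201, 0),     # ACKs seq 101..200, RTT 60 ms
    (125, SERVER, 1,   201, 0),     # duplicate ACK
    (130, SERVER, 1,   201, 0),     # duplicate ACK
    (400, CLIENT, 201, 1,   100),   # retransmission after the timeout
    (450, SERVER, 1,   301, 0),     # ACKs the retransmitted segment (no RTT sample: ambiguous)
]


def io_graph(packets, tick_ms=100):
    """Packets/Tick series as drawn by the I/O Graph with unit Packets/Tick."""
    last = max(t for t, *_ in packets)
    counts = [0] * (last // tick_ms + 1)
    for t, *_ in packets:
        counts[t // tick_ms] += 1
    return counts


def time_sequence(packets, direction):
    """(time, seq) points of the Time/Sequence graph for one direction; a point
    that falls below the rising line is a retransmitted segment."""
    return [(t, seq) for t, d, seq, _ack, plen in packets if d == direction and plen > 0]


def analyze_stream(packets):
    """Per-segment RTT (segment send time to the first ACK covering it), duplicate ACKs
    and retransmissions, in the spirit of Wireshark's tcp.analysis flags (simplified)."""
    highest_end = {}   # direction -> highest seq+len seen so far
    unacked = {}       # direction -> {seq_end: (seq, send_time)} awaiting an ACK
    last_ack = {}      # direction -> last ACK number carried in that direction
    rtt, dup_acks, retrans = {}, [], []
    for t, d, seq, ack, plen in packets:
        rev = SERVER if d == CLIENT else CLIENT
        if plen > 0:
            end = seq + plen
            if end <= highest_end.get(d, 0):
                # sequence number not advancing: treat as retransmission (ignores reordering)
                retrans.append((t, seq))
                unacked.setdefault(d, {}).pop(end, None)   # Karn: drop the ambiguous RTT sample
            else:
                highest_end[d] = end
                unacked.setdefault(d, {})[end] = (seq, t)
        elif ack == last_ack.get(d):
            dup_acks.append(t)                             # pure ACK repeating the previous ACK number
        last_ack[d] = ack
        # this packet's ACK number covers every outstanding reverse-direction segment ending at or below it
        for end, (s, t_sent) in list(unacked.get(rev, {}).items()):
            if end <= ack:
                rtt[s] = t - t_sent
                del unacked[rev][end]
    return {"rtt_ms": rtt, "dup_acks": dup_acks, "retransmissions": retrans}


if __name__ == "__main__":
    print("packets per 100 ms tick:", io_graph(PACKETS))
    print("client time/sequence points:", time_sequence(PACKETS, CLIENT))
    print(analyze_stream(PACKETS))
```

In the output, the packets-per-tick list is the I/O Graph with a 0.1 s tick interval, the point (400, 201) lying below the rising line is the non-contiguous Time/Sequence graph, and the two duplicate ACKs preceding the retransmission are the pattern the RTT slide describes.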
Colorizing Specific Packets (1/4)
Packet Colorization
Colorize packets according to a filter
Allows emphasizing the packets you are interested in
A lot of Coloring Rule examples at the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules
Example: we want to watch a specific protocol throughout the capture file
Colorizing Specific Packets (2/4)
Colorizing Specific Packets (3/4)
Colorizing Specific Packets (4/4)
TLS Connection Establishment
References
Wireshark Website
http://www.wireshark.org
Wireshark Documentation
http://www.wireshark.org/docs/
Wireshark Wiki
http://wiki.wireshark.org
Network Analysis Using Wireshark Cookbook
http://www.amazon.com/Network-Analysis-Using-Wireshark-Cookbook/dp/1849517649