Wireshark Quick-Start Guide: Instructions on Using the Wireshark Packet Analyzer (July 2, 2008)

Table of Contents
- Chapter 1: Getting Started ... 3
- I) Current Version ... 4
- II) Installation ... 4
- III) Specifying the Default Network Adapter ...
Wireshark Quickstart Guide

Chapter 1: Getting Started

Wireshark is a network packet analyzer, known previously as Ethereal. You can find more information on the Wireshark web site at www.wireshark.com. Wireshark may not work on Windows computers using wireless network adapters. Try switching off Promiscuous mode (Edit / Preferences / Capture). For more discussion of what Wireshark can or cannot capture, refer to Appendix 1.
Refer to Appendix 1 for a discussion of the type of packets that Wireshark captures. This discussion also explains how your particular network configuration may affect the type of packets you see.

I) Current Version

This documentation is based on Wireshark version 1.0.1 (released 30 June 2008), running on Windows Vista and XP. Although you may find a newer release available when you download the software, the concepts in this manual should still be relevant.
Windows network stack processes the data. Without WinPcap, you may still use Wireshark to analyze previously captured data, but you will not be able to perform the actual data capture. While WinPcap allows the capture of “raw” data, there will be some slight differences between the data that is provided to Wireshark and the data which actually exists “on the wire”.
Figure 3: Preferences Dialog

Note: The Apply button may be hidden. On many displays, the dialog box runs off the bottom of the screen. If you cannot see the Apply button, click on the blue bar at the top of the window and drag the box upward. Many other settings may be configured within the Preferences dialog box. If you find that you are regularly changing settings before starting a capture, then you may benefit from saving your preferred settings as defaults.
Chapter 2: Using Wireshark

I) Two ways to capture some packets:

i) A Simple capture

You are now ready to capture packets coming to and from your machine. Begin the capture process by selecting the “Capture” menu and then clicking “Start”. Wireshark will immediately begin capturing data from the network adapter you selected earlier, or give an error message that no adapter is selected if you didn’t perform the preconfiguration.
Figure 4: Capture Options

3) Hide Capture Info dialog: The “Capture Info” dialog was always displayed in earlier versions of Wireshark and Ethereal but is now disabled by default. This dialog displays a bar-graph summary of the protocols during the capture, but disappears when the capture is stopped. This dialog is shown in Figure 5. You may find this useful in deciding whether you have captured enough of the packets of interest to you (default is on – i.e.
Figure 5: Capture Info Dialog

4) Enable MAC name resolution: This tells Wireshark to display the name of the manufacturer of the network card when it lists the MAC address. Figure 6 shows an example of MAC name resolution with a MAC address generated from an ASRock network card (default is on).

Figure 6: MAC name resolution

5) Enable network name resolution: Network Name Resolution (NNR) tells Wireshark to use names, such as cnn.com, in the summaries.
time-out and fail. This may take an exceptionally long time, and make Wireshark appear to freeze. Also, the DNS lookup will add extra packets into the capture. This adds an artificial component to the capture. This feature is turned off by default; you may prefer to turn it on if you are working on a computer with access to a DNS server.

6) Enable transport name resolution: This option tells Wireshark to display the typical name of a protocol rather than the port value.
III) What if I can’t find any packets?

If you don’t see any packets while Wireshark is performing the capture, you may have de-selected the option “Update packets in real time” (item 1 in Figure 4). When the capture stops, you should see Wireshark process and load each packet which was captured. There are several things to check if you don’t see packets after you end the capture.
displayed – do not click the “Stop” button. Then go to your web browser and enter a web address, such as www.cnn.com. Finally, return to Wireshark and click on the “Stop” button.

5) If none of these options worked, go to the Wireshark web site and check the FAQs, the documentation and the wiki at www.wireshark.com.
Figure 8: Area 2 Details (Extract from previous figure)

The first line of area 2 is created by Wireshark and contains statistical and informational data about the frame. It shows that this is the eighth frame (packet) that Wireshark captured. The next line in area 2 reveals that it was an Ethernet packet. Since the payload of this Ethernet packet was an Internet Protocol (IP) packet, the third line shows the IP layer.
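The layering described above (Frame, Ethernet, IP, transport) is what a dissector produces from the raw bytes of each captured frame. The following Python script is an added example, not code from the guide or from Wireshark: it dissects a constructed Ethernet/IPv4/TCP frame into the same one-line-per-layer summary and also applies MAC name resolution (item 4 above) using a made-up vendor table in place of Wireshark's manuf file.

```python
import struct

# Constructed OUI-to-vendor table standing in for Wireshark's manuf file (values are made up).
OUI_TABLE = {"00:11:22": "DemoVendor", "aa:bb:cc": "TestNIC"}

def mac_str(raw: bytes, resolve: bool = True) -> str:
    """Format a 6-byte MAC; with resolution on, the OUI is replaced by the vendor name."""
    mac = ":".join(f"{b:02x}" for b in raw)
    vendor = OUI_TABLE.get(mac[:8]) if resolve else None
    return f"{vendor}_{mac[9:]}" if vendor else mac

def dissect(frame: bytes, number: int) -> list:
    """Return the per-layer summary lines shown in the packet-details pane (area 2)."""
    layers = [f"Frame {number}: {len(frame)} bytes on wire"]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers.append(f"Ethernet II, Src: {mac_str(src)}, Dst: {mac_str(dst)}")
    if ethertype != 0x0800:            # only IPv4 payloads are dissected further here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes (options included)
    proto = ip[9]
    s_ip = ".".join(map(str, ip[12:16]))
    d_ip = ".".join(map(str, ip[16:20]))
    layers.append(f"Internet Protocol, Src: {s_ip}, Dst: {d_ip}")
    l4 = ip[ihl:]
    if proto in (6, 17):               # TCP or UDP: ports sit in the first four bytes
        sport, dport = struct.unpack("!HH", l4[:4])
        name = "Transmission Control Protocol" if proto == 6 else "User Datagram Protocol"
        layers.append(f"{name}, Src Port: {sport}, Dst Port: {dport}")
    return layers

def build_sample() -> bytes:
    """Constructed frame (not real traffic): a TCP SYN from 10.0.0.5 to 192.0.2.10 port 80."""
    eth = bytes.fromhex("aabbcc000001") + bytes.fromhex("001122000002") + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 1, 0, 64, 6, 0)
    ip += bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10])
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    for line in dissect(build_sample(), 8):
        print(line)
```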
i) Filters

Filters can be used to narrow the focus to only the important packets. See Appendix 2 for a discussion of filters.

ii) Follow TCP Stream

Choose a TCP packet from the packet listing window (Area 1 in Figure 7). Right click on the chosen packet and select “Follow TCP Stream”. Following a TCP stream also hides some of the data by setting a display filter. “Clear” the display filter (Appendix 2) to reveal the entire data set.
A conversation report is similar to an endpoint report. A conversation is defined as all of the traffic between two specific endpoints. As an example, consider packets at the TCP level. Let’s say that you started capturing packets and then went to two web sites: www.cnn.com and www.usatoday.com. The endpoint report on your web browser will combine all traffic from your browser and both of these web sites. A conversation report between your browser and the www.cnn.
Appendix 1: Packets Captured: Explanation and Troubleshooting

Wireshark is designed to show you all packets that come into and out of your computer. You are probably using Ethernet for your LAN, and Ethernet is a shared-access protocol. As a result, Wireshark would theoretically allow you to see the following types of traffic:
• Packets sent to/from your computer.
• Broadcast packets sent to all computers on your local network.
packets sent to/from other computers that are not addressed to your computer. Some higher-end switches have the capability to duplicate all traffic passing through the switch and to send the copied traffic to a single port. This may be done by an administrator during a troubleshooting exercise and is normally disabled. This feature is known variously as “port mirroring” or “port spanning”.

II) Your Network Adapter

Many computers today have more than one network adapter.
pass through all traffic it sees. Even if you are on a broadcast, or hub-type, network, Wireshark may not report traffic from/to other computers if promiscuous mode is not turned on.

III) When editing preferences, save using the Save button. On some monitors the button may be off the bottom of the screen, and you must move the window up to find it. If you don’t save, you will lose your changes.
• http://wiki.Wireshark.com/CaptureSetup
• http://www.wireshark.com/docs/
• http://www.wireshark.com/faq.html
• http://wiki.Wireshark.
Appendix 2: Filters in Wireshark

Wireshark can filter results so that you only see certain packets. An example of a filter condition would be to keep only packets sent to/from a specific IP address. Wireshark uses two types of filters, capture filters and display filters. Capture filters are applied while capturing and decide which packets should be kept; only packets that meet the filter criteria are stored. Display filters work after the capture is completed.
Some commands, such as “Follow TCP Stream”, automatically enter values in the filter field. After you use a command like this, you may need to “Clear” the filter to see the complete set of packets.
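The practical difference between the two filter types in this appendix is that a capture filter discards packets for good, while a display filter only hides them and can be cleared. The Python script below is an added example (not from the guide or from Wireshark) that applies both kinds to a constructed list of packet summaries; its tiny display-filter evaluator supports `==`, `!=`, `&&` and `||` over fields such as `ip.addr` and `tcp.port`, and reproduces the Wireshark 1.x meaning of `ip.addr != X` (true when either address differs from X), which surprises many users.

```python
import re

# Constructed packet summaries (no real capture); keys mirror Wireshark display-filter field names.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.port": 80},
    {"no": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.port": 80},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.20", "tcp.port": 443},
    {"no": 4, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.10", "tcp.port": 80},
]

def capture_filter_host(packets, host):
    """Capture filter ('host X' in libpcap syntax): packets that fail it are never stored at all."""
    return [p for p in packets if host in (p["ip.src"], p["ip.dst"])]

_TERM = re.compile(r"^\s*([\w.]+)\s*(==|!=)\s*(\S+)\s*$")

def _match_term(pkt, term):
    """Evaluate one 'field op value' term against a packet."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, op, value = m.groups()
    # ip.addr is shorthand for "either ip.src or ip.dst", so it yields two candidate values.
    values = {pkt["ip.src"], pkt["ip.dst"]} if field == "ip.addr" else {str(pkt.get(field))}
    if op == "==":
        return value in values            # any candidate equal -> match
    return any(v != value for v in values)  # Wireshark 1.x: any candidate not equal -> match

def display_filter(packets, expr):
    """Display filter: hides non-matching packets; an empty (cleared) filter shows everything."""
    if not expr.strip():
        return list(packets)
    if "||" in expr:
        return [p for p in packets if any(_match_term(p, t) for t in expr.split("||"))]
    return [p for p in packets if all(_match_term(p, t) for t in expr.split("&&"))]

if __name__ == "__main__":
    print([p["no"] for p in capture_filter_host(PACKETS, "192.0.2.10")])
    print([p["no"] for p in display_filter(PACKETS, "ip.addr == 10.0.0.5 && tcp.port == 443")])
    print([p["no"] for p in display_filter(PACKETS, "ip.addr != 10.0.0.5")])
```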
Appendix 3: Hits Versus Page Views

This topic is appropriate for this guide because it helps explain the plethora of packets that add together to display a single web page. However, it is also interesting to consider the implications for the number of ‘hits’ a web site gets. Let’s analyze what it takes to get a million hits on a web page. First, assume an average page has 150 images. In comparison, this would be 10% smaller than CNN’s front page.
Especially in the case of advertisements, these hits may not come from the original web site. Therefore, at the packet level there may be many packets from many different sources that have to be considered as part of the same web page. Increasingly, developers are making dynamic web pages. This means that some portion of the web page may be continuously updated through interaction between the user and the server.