TCSP (Module 06)
Uploaded by MANO

Module-06

Wireshark

27 Sep 2022 TCSP


Overview of Wireshark

What is Wireshark

● Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet.

Uses of Wireshark:

● It is used by network security engineers to examine security problems.
● It allows users to watch all the traffic being passed over the network.
● It is used by network engineers to troubleshoot network issues.
● It also helps to troubleshoot latency issues and malicious activities on your network.
● It can also analyze dropped packets.
● It helps us see how devices such as laptops, mobile phones, desktops, switches and routers communicate within a local network or with the rest of the world.

Features of Wireshark

● Available for UNIX and Windows.
● Capture live packet data from a network interface.
● Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many
other packet capture programs.
● Import packets from text files containing hex dumps of packet data.
● Display packets with very detailed protocol information.
● Save packet data captured.
● Export some or all packets in a number of capture file formats.
● Filter packets on many criteria.
● Search for packets on many criteria.
● Colorize packet display based on filters.
● Create various statistics.

Brief history of Wireshark

● In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking, so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems.
● Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days patches, bug reports, and words of encouragement started arriving and Ethereal was on its way to success.
● Not long after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it.
● In October 1998 Guy Harris was looking for something better than tcpview, so he started applying patches and contributing dissectors to Ethereal.

Brief History of Wireshark

● In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it didn't at that point, new protocols could easily be added, so he started contributing dissectors and patches.
● The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark did not already handle. So they copied an existing dissector and contributed the code back to the team.
● In 2006 the project moved house and re-emerged under a new name: Wireshark.
● In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was the first deemed complete, with the minimum features implemented. Its release coincided with the first Wireshark Developer and User Conference, called Sharkfest.
● In 2015 Wireshark 2.0 was released, which featured a new user interface.

Understanding Wireshark Interface

Main window

➢ File
This menu contains items to open and merge capture files, save, print, or export capture files in whole or in part, and to quit the Wireshark application.
➢ Edit
This menu contains items to find a packet, time reference or mark one or more packets, handle configuration profiles, and set your preferences.
➢ View
This menu controls the display of the captured data, including colorization of packets, zooming the
font, showing a packet in a separate window, expanding and collapsing trees in packet details,

➢ Go
This menu contains items to go to a specific packet.

➢ Capture
This menu allows you to start and stop captures and to edit capture filters.

➢ Analyze
This menu contains items to manipulate display filters, enable or disable the dissection of protocols, configure user-specified decodes and follow a TCP stream.

➢ Statistics
This menu contains items to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics and much more.

➢ Telephony
This menu contains items to display various telephony related statistic windows, including a media
analysis, flow diagrams, display protocol hierarchy statistics and much more.
➢ Wireless
This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics.
➢ Tools
This menu contains various tools available in Wireshark, such as creating Firewall ACL Rules.
➢ Help
This menu contains items to help the user, e.g., access to some basic help, manual pages of the
various command line tools.

Menu and toolbar screenshots (image-only slides): File Menu, Edit Menu, View Menu, Go Menu, Capture Menu, Analyze Menu, Statistics Menu, Telephony Menu, Wireless Menu, Tools Menu, Help Menu, Main Toolbar


Filter toolbar

Packet list pane

● Each line in the packet list corresponds to one packet in the capture file. If you select a line in
this pane, more details will be displayed in the “Packet Details” and “Packet Bytes” panes.
● While dissecting a packet, Wireshark will place information from the protocol dissectors into
the columns. As higher-level protocols might overwrite information from lower levels, you
will typically see the information from the highest possible level only.

The default columns will show:

● No: The number of the packet in the capture file. This number won't change, even if a display filter is used.
● Time: The timestamp of the packet. The presentation format of this timestamp can be changed.
● Source: The address where this packet is coming from.
● Destination: The address where this packet is going to.
● Protocol: The protocol name in a short (perhaps abbreviated) version.
● Length: The length of each packet.
● Info: Additional information about the packet content.
Packet Details Pane

● The packet details pane shows the current packet (selected in the “Packet List” pane) in a more
detailed form.

● This pane shows the protocols and protocol fields of the packet selected in the “Packet List”
pane.

● The protocol summary lines (subtree labels) and fields of the packet are shown in a tree which
can be expanded and collapsed.
Packet Bytes Pane

● The packet bytes pane shows the data of the current packet (selected in the “Packet List” pane)
in a hexdump style.
● Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes.
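As an added example (not code from the slides or from the Wireshark project): a minimal reader for the libpcap file format that the wiretap library handles, producing the No., Time and Length columns of the packet list pane and a Packet Bytes-style hexdump, run on a two-packet file constructed inline. The frame contents and timestamps are placeholders.

```python
import struct

PCAP_HDR = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
REC_HDR = "IIII"      # ts_sec, ts_usec, incl_len, orig_len (16 bytes per packet record)

def build_sample_pcap(end="<"):
    """Constructed libpcap file (magic 0xA1B2C3D4, linktype 1 = Ethernet) holding two made-up frames."""
    frames = [  # (seconds, microseconds, raw frame); the addresses and payloads are placeholders
        (1664268000, 0, bytes.fromhex("ffffffffffff0011223344550806") + bytes(28)),       # 42-byte ARP-sized frame
        (1664268000, 250000, bytes.fromhex("001122334455aabbccddeeff0800") + bytes(20)),  # 34-byte IPv4-sized frame
    ]
    data = struct.pack(end + PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        data += struct.pack(end + REC_HDR, sec, usec, len(frame), len(frame)) + frame
    return data

def parse_pcap(data):
    """Return packet-list rows (No., Time relative to first packet, Length, raw bytes) from a libpcap image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"   # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"   # the same magic read byte-swapped: file written big-endian
    else:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    snaplen = struct.unpack_from(end + PCAP_HDR, data, 0)[5]
    rows, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        sec, usec, incl, orig = struct.unpack_from(end + REC_HDR, data, offset)
        offset += 16
        if incl > snaplen or offset + incl > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        rows.append({"no": len(rows) + 1, "ts": sec + usec / 1e6, "length": orig, "bytes": data[offset:offset + incl]})
        offset += incl
    for row in rows:  # Time column: seconds since the first captured packet
        row["time"] = round(row["ts"] - rows[0]["ts"], 6)
    return rows

def hexdump(frame):
    """Lines in Packet Bytes pane style: offset, sixteen hex bytes, sixteen ASCII characters."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<47}  {ascii_part}")
    return lines
```

A file whose records run past its end is rejected rather than silently truncated, which is the behaviour a reader should expect from a damaged or tampered capture.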
Packet Diagram Pane
This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams.
Packet Processing Element
Using Capture Engine

Part of capturing traffic effectively is the capture engine. A packet capture (pcap) engine provides an Application Programming Interface (API) to capture traffic from the network before the traffic is processed by the operating system.
As a result, when installing Wireshark on Windows you will see a window appear, prompting you to install Npcap. Many people are unsure whether they should install Npcap: Wireshark requires either Npcap or WinPcap to capture data on Windows.
Functional Blocks

The function blocks in more detail:

GUI
Handling of all user input/output (all windows, dialogs and such). Source code can be found in the
ui/qt directory.
Core
Main "glue code" that holds the other blocks together. Source code can be found in the root directory.
Epan

Enhanced Packet ANalyzer — the packet analyzing engine. Source code can be found in the epan
directory.
Epan provides the following APIs:

● Protocol Tree: dissection information for an individual packet.
● Dissectors: the various protocol dissectors in epan/dissectors.
● Dissector Plugins: support for implementing dissectors as separate modules. Source code can be found in plugins.
● Display Filters: the display filter engine at epan/dfilter.
Wiretap
The wiretap library is used to read and write capture files in libpcap, pcapng, and many other file
formats. Source code is in the wiretap directory.
Capture
The interface to the capture engine. Source code is in the root directory.
Dumpcap
The capture engine itself. This is the only part that executes with elevated privileges. Source code is
in the root directory.
Npcap and libpcap
These are external libraries that provide packet capture and filtering support on different platforms. The filtering in Npcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why there are different display and capture filter syntaxes.
Capturing Packets on Wired or Wireless Networks
Libpcap

Wireshark uses one of several capture engines: libpcap, WinPcap, AirPcap, and Npcap.
● Libpcap is a capture engine originally developed for Unix-like operating systems, and it's baked right into Snort, tcpdump, WinDump, and other packet analyzers to grab packets as they come off the network interface.
WinPcap

● A version of libpcap was adapted for Windows, and is called WinPcap.
● WinPcap is an industry standard that has been around for many years. It works well in a Windows environment, specifically the Windows NT family.
● WinPcap enables packet capture right from a network interface, and presents it to Wireshark before any processing is done by the operating system.
● WinPcap must be installed on a Windows operating system to capture packets.
AirPcap

AirPcap is the first open, affordable and easy-to-deploy 802.11 packet capture solution for Windows.
All of the AirPcap offerings will capture full 802.11 data, management, and control frames that then
can be viewed in Wireshark, providing in-depth protocol dissection and analysis capabilities.

Set up the Packet Capture

1. Click View > Wireless Toolbar. The Wireless Toolbar will appear just below the Main toolbar.
2. Use the Wireless Toolbar to configure the desired channel and channel width.
3. Under Capture, click on AirPcap USB wireless capture adapter to select the capture interface.
4. Click the Start Capture button to begin the capture.
Capturing Live Network Data
Start Capturing

The following methods can be used to start capturing packets with Wireshark:

● You can double-click on an interface in the welcome screen.
● You can select an interface in the welcome screen, then select Capture → Start or click the first toolbar button.
● You can get more detailed information about available interfaces.
● If you already know the name of the capture interface you can start Wireshark from the command line:

$ wireshark -i eth0 -k

This will start Wireshark capturing on interface eth0.
Capture section of welcome screen

● When you open Wireshark without starting a capture or opening a capture file
it will display the “Welcome Screen,” which lists any recently opened capture
files and available capture interfaces.
● Network activity for each interface will be shown in a sparkline next to the
interface name. It is possible to select more than one interface and capture
from them simultaneously.
Stop Running Capture

A running capture session will be stopped in one of the following ways:

1. The Stop Capture button in the “Capture Information” dialog box.
2. The Capture → Stop menu item.
3. The Stop toolbar button.
4. Pressing Ctrl+E.
5. The capture will be automatically stopped if one of the Stop Conditions is met, e.g., the maximum amount of data was captured.
Saving Captured Packets

● You can save captured packets by using the File → Save or File → Save As… menu items. You can choose which packets to save and which file format to be used.
● The “Save Capture File As” dialog box allows you to save the current capture to a file.
● The exact appearance of this dialog depends on your system.
Merge with captured packets

Sometimes you need to merge several capture files into one. For example, this can be useful if you
have captured simultaneously from multiple interfaces at once (e.g., using multiple instances of
Wireshark).

There are three ways to merge capture files using Wireshark:

● Use the File → Merge menu to open the “Merge” dialog.
● Use drag and drop to drop multiple files on the main window. Wireshark will try to merge the packets in chronological order from the dropped files into a newly created temporary file. If you drop a single file, it will simply replace the existing capture.
● Use the mergecap tool from the command line to merge capture files. This tool provides the most options to merge capture files.
Printing Packets
● To print packets, select the File → Print… menu item. Wireshark will display the “Print” dialog box as shown below.
Working with captured packets
Viewing packets

● You can view individual packets in a separate window.
● You can do this by double-clicking on an item in the packet list or by selecting the packet in which you are interested in the packet list pane and selecting View → Show Packet in New Window.
● This allows you to easily compare two or more packets, even across multiple files.
Pop-up menu of the packet list pane
Packet filtering

Wireshark provides a display filter language that enables you to precisely control which packets are displayed.
Display filters can be used to check for the presence of a protocol or field, the value of a field, or even to compare two fields to each other.
These comparisons can be combined with logical operators, like "and" and "or", and parentheses into complex expressions.
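As an added example (not code from the slides or from Wireshark's own dfilter engine): an evaluator for the core of the display filter language just described, covering presence tests for a protocol or field, comparisons of a field against a literal or against another field, "and"/"or"/"not", and parentheses. The packets are constructed dictionaries keyed by Wireshark-style field names; the capture filters handled by Npcap/libpcap use a different syntax and are not covered.

```python
import operator
import re

# Constructed packets keyed by Wireshark-style field names (not from a real capture).
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.method": "GET"},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.5", "udp.srcport": 5353, "udp.dstport": 5353},
]
TOKEN = re.compile(r'\s*(==|!=|<=|>=|[()<>]|"[^"]*"|[A-Za-z0-9_.]+|\S)')  # operators, parens, strings, names; else 1 char
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def matches(flt, pkt):  # recursive descent; precedence from loosest to tightest: or, and, not, primary
    toks = TOKEN.findall(flt)
    peek = lambda: toks[0] if toks else None
    def take():
        if not toks: raise ValueError("unexpected end of filter")
        return toks.pop(0)
    def value(tok):  # quoted string, numeric/address literal, or a field lookup (None when absent)
        if tok.startswith('"'): return tok.strip('"')
        if tok[0].isdigit(): return int(tok) if tok.isdigit() else tok
        return pkt.get(tok)
    def primary():
        if peek() == "not":
            take(); return not primary()
        if peek() == "(":
            take(); val = or_expr()
            if take() != ")": raise ValueError("missing ')'")
            return val
        name = take()
        if peek() not in OPS:  # bare name: is the protocol or field present in this packet?
            return name in pkt or any(k.startswith(name + ".") for k in pkt)
        op, lhs, rhs = OPS[take()], value(name), value(take())
        if lhs is None or rhs is None: return False  # an absent field never matches a comparison
        if type(lhs) is not type(rhs): lhs, rhs = str(lhs), str(rhs)  # int field vs unquoted text literal
        return op(lhs, rhs)
    def chain(word, operand, combine):  # left-associative: a <word> b <word> c
        left = operand()
        while peek() == word:
            take(); left = combine(left, operand())
        return left
    and_expr = lambda: chain("and", primary, lambda a, b: a and b)
    or_expr = lambda: chain("or", and_expr, lambda a, b: a or b)
    result = or_expr()
    if toks: raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def apply_filter(flt, packets=PACKETS):
    """Packet numbers that pass the filter, as the packet list pane would list them."""
    return [p["no"] for p in packets if matches(flt, p)]
```

Note that a comparison against a field the packet does not carry is simply false, so "tcp.dstport == 80" never matches a UDP packet, while a malformed filter raises an error instead of silently matching nothing.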
Display filter
Finding packets

● You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select Edit → Find Packet… in the main menu.
Additional Features
I/O Graph
● This window contains a chart drawing area along with a customizable list of graphs.
● Graphs are saved in your current profile. They are divided into time intervals.
Colorization options