Post on 02-Jan-2016

Chappell University™

EFFECTIVELY TEACHING WITH WIRESHARK

LAURA CHAPPELL
LAURA@CHAPPELLU.COM
CHAPPELLU.COM • WIRESHARKTRAINING.COM


Wireshark Techniques

• Wireshark Functionality and Resources

• The “Golden Rules” of Wireshark Analysis

• Key Tasks Everyone Should Learn

– Capturing Wired/Wireless Traffic

– Custom Profiles

– Top Capture Filters

– Top Display Filters

– Custom Coloring Rules

– Finding Problems Using Graphs

– Using the Wireshark Expert

SECTION 1: WIRESHARK FUNCTIONALITY OVERVIEW

Capturing Traffic

Data flow (diagram): Network → Capture Filters → WinPcap / AirPcap / libpcap → Capture Engine

Opening Trace Files

Data flow (diagram): Drive → Wiretap Library

Processing Packets

Data flow (diagram): Capture Engine / Wiretap Library → Core Engine (Dissectors – Plugins – Display Filters) → GTK

Help? Problems?

• Website www.wireshark.org

• Wiki Page wiki.wireshark.org

• FAQ www.wireshark.org/faq.html

• WinPcap www.winpcap.org

• Mailing Lists www.wireshark.org/lists.html

• Bug Tracker bugs.wireshark.org/bugzilla

• Q&A ask.wireshark.org

General Analyst Resources

• www.wiresharktraining.com – Tips

• www.chappellU.com – info@ (me)

• www.iana.org – Protocol Numbers

• www.ietf.org – the RFCs

• www.wiresharkbook.com – videos/traces

• www.pcapr.net – lots of trace files

• ask.wireshark.org – got questions?

SECTION 2: THE “GOLDEN RULES” OF WIRESHARK ANALYSIS

The Golden Rules

• Capture as close to the complaining user/device as possible

• Know how to capture the packets before you need to (e.g., spanning vs. tapping and WLAN capture options)

• Use capture filters sparingly / display filters liberally

• Customize Wireshark (profiles, coloring rules, filters)

• Build a HOT trace file library

• The packets never lie – but they will not tell you why something is happening

SECTION 3: THE KEY TASKS EVERYONE SHOULD MASTER


Let’s Go Live Now

• Capturing Wired/Wireless Traffic

• Using Profiles

• Hot Capture Filters

• Hot Display Filters

• Using Coloring Rules

• Finding Problems Using Graphs

• Using the Wireshark Expert


Wireless Traffic Capture

• You must have a promiscuous and monitor mode adapter

• Check out AirPcap Adapters (www.cacetech.com)

WLAN OS/Driver Issues

Capture path (diagram): Signal → Monitor Mode (rfmon mode) → Promiscuous Mode → Capture Filter → Display Filter

http://wiki.wireshark.org/CaptureSetup/WLAN

Promiscuous Mode is not the same as Monitor Mode. Promiscuous mode only stops the adapter from discarding frames addressed to other stations on the network it is associated with; monitor mode (rfmon) has the driver hand up every 802.11 frame it hears on the channel, including management and control frames and traffic from other BSSs, without being associated. Whether monitor mode is available at all depends on the OS and driver, which is what the wiki page above covers.

Port Spanning or Mirroring

Diagram: "Span port #3 to port #1", with the analyzer attached to the span port so that it has visibility into the mirrored port's traffic.

Caveat: a SPAN port copies both directions of a full-duplex link onto one analyzer port, so when the mirrored link is busy the switch may drop mirrored packets (and it never forwards frames with errors); this is why the next slide covers taps.

Full Duplex Links

Diagram: tap options placed inline on the link to the Server for full visibility:

• iTap GigaBit Copper Dual Port Aggregator

• 10/100BaseT Dual Port Aggregator Tap

• 10/100BaseT Port Aggregator Tap


Using Profiles

• Custom preferences, capture/display filters and coloring rules

• Sample: WLAN Profile

Capture Filters

Data flow (diagram): Network → Capture Filters → WinPcap / AirPcap / libpcap → Capture Engine

Hot Capture Filters

• host 10.2.1.3

• port 67 (no protocol qualifier, so it matches TCP or UDP)

• tcp port 80

• ether host 00:08:15:00:08:15 (my MAC)

• not ether host 00:08:15:00:08:15 (not me)

• wlan host 00:2A:4B:23:36:2A

Hot Display Filters

• ip.addr == 10.2.0.0/16

• !ip.addr == 10.2.0.0/16 (don’t use != here: ip.addr matches both source and destination, so ip.addr != 10.2.0.0/16 is true for any packet with at least one address outside the subnet)

• tcp.analysis.flags

• wlan.fc.type_subtype == 8 (beacons only)

• http.response.code > 399 (HTTP errors)

• tcp.options contains 01:01:01:01 (ASA issue)

• ftp.response.arg == "Login incorrect."
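The "don't use !=" warning above is easiest to see by running both forms over the same packets. This is an added example, not code from the slides or from Wireshark; the three packets are constructed, and the evaluator is a small model of how Wireshark applies a comparison to a field that occurs more than once per packet (ip.addr is filled in once from ip.src and once from ip.dst). The filter shapes are compared against 10.2.0.0/16, the subnet used on the slide.

```python
import ipaddress

# Constructed sample packets (not from any real trace): IPv4 source and destination.
PACKETS = [
    {"ip.src": "10.2.1.3",    "ip.dst": "10.2.1.5"},        # both addresses inside 10.2.0.0/16
    {"ip.src": "10.2.1.3",    "ip.dst": "93.184.216.34"},   # one inside, one outside
    {"ip.src": "192.168.0.9", "ip.dst": "8.8.8.8"},         # both outside
]


def ip_addr_values(pkt):
    """Model of Wireshark's ip.addr: a field that occurs twice per IPv4
    packet, once carrying ip.src and once carrying ip.dst."""
    return [ipaddress.ip_address(pkt["ip.src"]), ipaddress.ip_address(pkt["ip.dst"])]


def any_eq(values, network):
    """`ip.addr == net`: true if ANY occurrence of the field lies in net."""
    return any(v in network for v in values)


def any_ne(values, network):
    """`ip.addr != net` (classic semantics): true if ANY occurrence lies
    outside net. A packet with one address inside and one outside therefore
    satisfies both `==` and `!=`, which is the trap the slide warns about."""
    return any(v not in network for v in values)


def run_filter(packets, expr, net="10.2.0.0/16"):
    """Return the indexes of the packets matched by one of three filter shapes."""
    network = ipaddress.ip_network(net)
    tests = {
        "ip.addr == net":  lambda p: any_eq(ip_addr_values(p), network),
        "ip.addr != net":  lambda p: any_ne(ip_addr_values(p), network),
        "!ip.addr == net": lambda p: not any_eq(ip_addr_values(p), network),
    }
    if expr not in tests:
        raise ValueError(f"unsupported filter shape: {expr}")
    return [i for i, p in enumerate(packets) if tests[expr](p)]


if __name__ == "__main__":
    for expr in ("ip.addr == net", "ip.addr != net", "!ip.addr == net"):
        print(f"{expr:18} -> matching packets {run_filter(PACKETS, expr)}")
```

Packet 1 (one address in 10.2.0.0/16, one outside) is matched by both `ip.addr == net` and `ip.addr != net`; only the negated form `!ip.addr == net` gives the "nothing to do with 10.2.0.0/16" result the analyst usually wants. Newer Wireshark releases add an explicit all-not-equal operator (`!==`) for this case, but the negated `==` works everywhere.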

Using Coloring Rules

• Consider disabling the Checksum Errors coloring rule: with TCP/IP checksum offloading enabled, packets sent by the capturing host are handed to the capture driver before the NIC fills in the checksum, so they are colored as checksum errors that never occurred on the wire.

Finding Problems with Graphs

• IO Graph – click on dips

• Advanced IO Graph – count tcp.analysis.retransmissions, etc.

• TCP Time/Sequence Graph

• RTT Graph – client’s perspective

• Oh… and use Endpoint Statistics to determine top talkers
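To show what the IO Graph "dip" and the Advanced IO Graph retransmission count are built from, here is an added example (not code from the slides or from Wireshark) that flags retransmissions in a constructed one-direction TCP stream and tabulates them per one-second interval. The retransmission rule is a simplified form of the expert heuristic behind tcp.analysis.retransmission (a data-bearing segment whose sequence number is below the highest next-sequence value already seen); the stream is constructed so that interval 3 carries only retransmitted data, which is the dip in new bytes that the graph would reveal.

```python
from collections import defaultdict

# Constructed one-direction TCP data stream (not a real trace): (time_s, seq, payload_len).
# Intervals 0-2 and 4 carry new data; interval 3 carries only retransmissions.
STREAM = [
    (0.10, 1, 1000),    (0.40, 1001, 1000), (0.70, 2001, 1000),
    (1.10, 3001, 1000), (1.50, 4001, 1000), (1.90, 5001, 1000),
    (2.20, 6001, 1000), (2.60, 7001, 1000),
    (3.10, 6001, 1000), (3.50, 6001, 1000), (3.90, 7001, 1000),
    (4.20, 8001, 1000), (4.60, 9001, 1000), (4.90, 10001, 1000),
]


def flag_retransmissions(stream):
    """Simplified version of the expert heuristic behind
    tcp.analysis.retransmission: a data-bearing segment whose sequence
    number is below the highest next-sequence value already seen in this
    direction is flagged. Returns (time, seq, len, is_retrans) tuples."""
    highest_next_seq = 0
    flagged = []
    for t, seq, length in stream:
        is_retrans = length > 0 and seq < highest_next_seq
        flagged.append((t, seq, length, is_retrans))
        highest_next_seq = max(highest_next_seq, seq + length)
    return flagged


def io_graph(flagged, interval=1.0):
    """IO-graph style table: one row per time interval with packet count,
    bytes on the wire, bytes of NEW data, and retransmission count."""
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0, "new_bytes": 0, "retransmissions": 0})
    for t, _seq, length, is_retrans in flagged:
        row = rows[int(t // interval)]
        row["packets"] += 1
        row["bytes"] += length
        if is_retrans:
            row["retransmissions"] += 1
        else:
            row["new_bytes"] += length
    last = int(max(t for t, *_ in flagged) // interval)
    return [dict(rows[i]) for i in range(last + 1)]


def worst_interval(table):
    """Index of the interval with the most retransmissions (the spike to click on)."""
    return max(range(len(table)), key=lambda i: table[i]["retransmissions"])


if __name__ == "__main__":
    table = io_graph(flag_retransmissions(STREAM))
    for i, row in enumerate(table):
        bar = "#" * (row["new_bytes"] // 500)   # crude text IO graph of new data per second
        print(f"t={i}s pkts={row['packets']} bytes={row['bytes']:5d} "
              f"new={row['new_bytes']:5d} retrans={row['retransmissions']} {bar}")
    print("worst interval:", worst_interval(table))
```

Note that bytes on the wire stay roughly flat across interval 3 while new data drops to zero, which is why graphing a raw packet or byte count can hide the problem and graphing tcp.analysis.retransmission (or clicking the dip in goodput) finds it. The tshark equivalent of the table for a real capture is `tshark -r trace.pcapng -z io,stat,1,"tcp.analysis.retransmission"`.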


Graph Delays and Errors


Always Check the Expert

WRAP-UP

LAURA@CHAPPELLU.COM