EFFECTIVELY TEACHING WITH WIRESHARK
Chappell University™
LAURA [email protected] • WIRESHARKTRAINING.COM
Wireshark Techniques
• Wireshark Functionality and Resources
• The “Golden Rules” of Wireshark Analysis
• Key Tasks Everyone Should Learn
– Capturing Wired/Wireless Traffic
– Custom Profiles
– Top Capture Filters
– Top Display Filters
– Custom Coloring Rules
– Finding Problems Using Graphs
– Using the Wireshark Expert
SECTION 1: WIRESHARK FUNCTIONALITY OVERVIEW

Capturing Traffic
Diagram: packets from the network pass through the capture filter inside the capture library (WinPcap / AirPcap / libpcap) before they reach Wireshark's capture engine.
Opening Trace Files
Diagram: saved trace files are read from the drive by the Wiretap library.
Processing Packets
Diagram: packets arrive either from the capture engine (live capture) or from the Wiretap library (saved trace files) and are handed to the core engine, where dissectors, plugins and display filters operate; the GTK front end then displays the result. (GTK was the GUI toolkit at the time of this deck; current Wireshark releases use Qt.)
Help? Problems?
• Website: www.wireshark.org
• Wiki: wiki.wireshark.org
• FAQ: www.wireshark.org/faq.html
• WinPcap: www.winpcap.org
• Mailing lists: www.wireshark.org/lists.html
• Bug tracker: bugs.wireshark.org/bugzilla
• Q&A: ask.wireshark.org
General Analyst Resources
• www.wiresharktraining.com – tips
• www.chappellU.com – info@ (me)
• www.iana.org – protocol numbers
• www.ietf.org – the RFCs
• www.wiresharkbook.com – videos/traces
• www.pcapr.net – lots of trace files
• ask.wireshark.org – got questions?
SECTION 2: THE “GOLDEN RULES” OF WIRESHARK ANALYSIS
The Golden Rules
• Capture as close to the complaining user/device as possible
• Know how to capture the packets before you need to (e.g., spanning vs. tapping and WLAN capture options)
• Use capture filters sparingly/display filters liberally
• Customize Wireshark (profiles, coloring rules, filters)
• Build a HOT trace file library
• The packets never lie – but they will not tell why something is happening
SECTION 3: THE KEY TASKS EVERYONE SHOULD MASTER
Let’s Go Live Now
• Capturing Wired/Wireless Traffic
• Using Profiles
• Hot Capture Filters
• Hot Display Filters
• Using Coloring Rules
• Finding Problems Using Graphs
• Using the Wireshark Expert
Wireless Traffic Capture
• You need an adapter and driver that support monitor (rfmon) mode, not just promiscuous mode; without monitor mode you will not see the 802.11 management and control frames
• Check out AirPcap Adapters (www.cacetech.com)
WLAN OS/Driver Issues
Diagram: the capture filter and display filter sit above the adapter driver; whether promiscuous mode and monitor (rfmon) mode can be enabled, and whether signal information is reported, depends on the OS and driver.
http://wiki.wireshark.org/CaptureSetup/WLAN
Promiscuous mode is not the same as monitor mode: promiscuous mode only stops an associated adapter from discarding frames addressed to other stations, while monitor mode passes every 802.11 frame heard on the channel, including management and control frames, without any association.
Port Spanning or Mirroring
Diagram: the switch is configured to span (mirror) port #3 to port #1, where the analyzer is connected, giving the analyzer visibility into port #3's traffic.
Full Duplex Links
Diagram: a tap inserted between the switch and the server gives visibility into both directions of a full-duplex link. Products shown: iTap GigaBit Copper Dual Port Aggregator, 10/100BaseT Dual Port Aggregator Tap, 10/100BaseT Port Aggregator Tap. Note that an aggregator tap merges both directions onto one monitor port, so a busy full-duplex link can oversubscribe that port and the tap will drop packets.
Using Profiles
• Custom preferences, capture/display filters and coloring rules
• Sample: WLAN Profile
Capture Filters
Diagram (the capture path from Section 1 again): capture filters run inside the capture library (WinPcap / AirPcap / libpcap) before packets reach Wireshark's capture engine, so anything a capture filter drops is never captured or saved, which is why the Golden Rules say to use them sparingly.
Hot Capture Filters
• host 10.2.1.3
• port 67 (TCP or UDP)
• tcp port 80
• ether host 00:08:15:00:08:15 (my MAC)
• not ether host 00:08:15:00:08:15 (not me)
• wlan host 00:2A:4B:23:36:2A
Hot Display Filters
• ip.addr == 10.2.0.0/16
• !ip.addr == 10.2.0.0/16 (don’t use != for this: ip.addr occurs twice in a frame, and != matches whenever either address differs; Wireshark 3.6 and later changed != to mean !(a == b) and kept the old any-differs behaviour under the ~= operator)
• tcp.analysis.flags
• wlan.fc.type_subtype == 8 (beacons only)
• http.response.code > 399 (HTTP errors)
• tcp.options contains 01:01:01:01 (ASA issue)
• ftp.response.arg == "Login incorrect."
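The `!ip.addr == …` versus `ip.addr != …` point above is the one display-filter mistake almost everyone makes once, so here is an added example (not from the original deck) that models how a comparison behaves on a field that occurs more than once in a frame, such as ip.addr, which carries both the source and the destination address. The frames are constructed sample data, and the `!=` behaviour modelled is the older any-occurrence-differs semantics the slide warns about (Wireshark 3.6 and later give `!=` the `!(a == b)` meaning and expose the old behaviour as `~=`).

```python
import ipaddress

# Constructed sample frames (not a real capture). Each field maps to the list
# of values it occurs with in that frame; ip.addr appears twice, once for the
# source and once for the destination address.
FRAMES = [
    {"frame": 1, "ip.addr": ["10.2.1.3", "192.168.1.1"]},   # internal -> external
    {"frame": 2, "ip.addr": ["192.168.1.1", "10.2.1.3"]},   # external -> internal
    {"frame": 3, "ip.addr": ["10.2.5.9", "10.2.1.3"]},      # internal -> internal
    {"frame": 4, "ip.addr": ["8.8.8.8", "1.1.1.1"]},        # no internal address at all
]


def in_network(value, cidr):
    """Subnet match, the way 'ip.addr == 10.2.0.0/16' compares one occurrence."""
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)


def field_eq(frame, field, cidr):
    """'field == value': true if ANY occurrence of the field matches."""
    return any(in_network(v, cidr) for v in frame.get(field, []))


def field_any_ne(frame, field, cidr):
    """Old 'field != value' (now '~=' / any_ne): true if ANY occurrence differs.
    On a two-address field this is true for almost every frame."""
    return any(not in_network(v, cidr) for v in frame.get(field, []))


def not_field_eq(frame, field, cidr):
    """'!(field == value)': true only if NO occurrence matches. This is what
    people usually mean when they type 'ip.addr != 10.2.0.0/16'."""
    return not field_eq(frame, field, cidr)


def matching_frames(predicate, field, cidr, frames=FRAMES):
    """Return the frame numbers the filter would leave in the packet list."""
    return [f["frame"] for f in frames if predicate(f, field, cidr)]


if __name__ == "__main__":
    net = "10.2.0.0/16"
    print("ip.addr == net       ->", matching_frames(field_eq, "ip.addr", net))
    print("ip.addr != net (old) ->", matching_frames(field_any_ne, "ip.addr", net))
    print("!(ip.addr == net)    ->", matching_frames(not_field_eq, "ip.addr", net))
```

With the sample frames, `ip.addr == 10.2.0.0/16` keeps frames 1, 2 and 3; the old `ip.addr != 10.2.0.0/16` keeps 1, 2 and 4, because each of those has at least one address outside the range; only `!(ip.addr == 10.2.0.0/16)` keeps just frame 4, the one with no internal address.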
Using Coloring Rules
Consider disabling the Checksum Errors coloring rule: with checksum offloading, packets captured on the sending host are handed to the capture driver before the NIC has filled in the checksum, so they show up as bad checksums that never appear on the wire.
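The Using Profiles, Hot Capture Filters, Hot Display Filters and Using Coloring Rules slides above all describe things that end up as plain-text files inside a profile directory, so here is one added example (not code from the deck) that writes such a profile: it stores the slide's capture filters in cfilters, its display filters in dfilters, and two coloring rules in colorfilters, with Checksum Errors written as a disabled rule. The file names and line formats are Wireshark's own; the configuration root is passed in by the caller because the personal configuration folder differs by OS and version (Help > About Wireshark > Folders shows it), and the colour values and the checksum field names used in the rules are choices made for this example.

```python
import os

# Capture filters from the "Hot Capture Filters" slide: (name, BPF expression)
CAPTURE_FILTERS = [
    ("Single host", "host 10.2.1.3"),
    ("DHCP/BOOTP (TCP or UDP)", "port 67"),
    ("HTTP", "tcp port 80"),
    ("My MAC", "ether host 00:08:15:00:08:15"),
    ("Not my MAC", "not ether host 00:08:15:00:08:15"),
    ("WLAN station", "wlan host 00:2A:4B:23:36:2A"),
]

# Display filters from the "Hot Display Filters" slide: (name, expression)
DISPLAY_FILTERS = [
    ("Internal net", "ip.addr == 10.2.0.0/16"),
    ("Not internal net", "!(ip.addr == 10.2.0.0/16)"),
    ("TCP expert flags", "tcp.analysis.flags"),
    ("WLAN beacons", "wlan.fc.type_subtype == 8"),
    ("HTTP errors", "http.response.code > 399"),
    ("ASA TCP option padding", "tcp.options contains 01:01:01:01"),
    ("FTP bad logins", 'ftp.response.arg == "Login incorrect."'),
]

# Coloring rules: (name, expression, foreground RGB, background RGB, enabled).
# Wireshark stores each colour channel as a 16-bit value (0-65535). The colours
# here are arbitrary choices for the example. The Checksum Errors rule is
# written disabled, as the "Using Coloring Rules" slide suggests; the
# *.checksum.status field names are the current ones (older releases used
# *.checksum_bad).
COLORING_RULES = [
    ("HTTP errors", "http.response.code > 399",
     (0, 0, 0), (65535, 32896, 32896), True),
    ("Checksum Errors",
     'tcp.checksum.status == "Bad" || udp.checksum.status == "Bad" '
     '|| ip.checksum.status == "Bad"',
     (0, 0, 0), (65535, 65535, 0), False),
]


def filter_line(name, expression):
    """cfilters/dfilters line: the quoted name, a space, then the expression."""
    return f'"{name}" {expression}'


def color_line(name, expression, fg, bg, enabled=True):
    """colorfilters line: @name@filter@[fg][bg]; a leading '!' disables the rule."""
    rgb = lambda c: "[" + ",".join(str(v) for v in c) + "]"
    line = f"@{name}@{expression}@{rgb(fg)}{rgb(bg)}"
    return line if enabled else "!" + line


def profile_files():
    """Map each profile file name to the lines it should contain."""
    return {
        "cfilters": [filter_line(n, e) for n, e in CAPTURE_FILTERS],
        "dfilters": [filter_line(n, e) for n, e in DISPLAY_FILTERS],
        "colorfilters": [color_line(*rule) for rule in COLORING_RULES],
    }


def write_profile(config_root, profile_name="WLAN"):
    """Create <config_root>/profiles/<profile_name>/ with the three files and
    return the profile directory. Point config_root at your personal
    configuration folder to make the profile selectable in Wireshark."""
    profile_dir = os.path.join(config_root, "profiles", profile_name)
    os.makedirs(profile_dir, exist_ok=True)
    for file_name, lines in profile_files().items():
        with open(os.path.join(profile_dir, file_name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return profile_dir


if __name__ == "__main__":
    import tempfile
    print("profile written to", write_profile(tempfile.mkdtemp()))
```

Write the profile while Wireshark is closed, or it may overwrite the files with its in-memory copy when it exits; the same formats apply to the global profile directory if you want to ship a standard profile to a whole team.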
Finding Problems with Graphs
• IO Graph – click on dips
• Advanced IO Graph – count tcp.analysis.retransmission, etc.
• TCP Time/Sequence Graph
• RTT Graph – client’s perspective
• Oh… and use Endpoint Statistics to determine top talkers
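To show what the Advanced IO Graph is actually counting when it plots tcp.analysis.retransmission, here is an added example (not from the deck) that flags retransmissions in one direction of a TCP flow with a simplified version of the sequence-number check and buckets them per second, the way the graph does. The segments are constructed sample data, and the heuristic is deliberately simpler than Wireshark's real TCP analysis, which also separates fast and spurious retransmissions from out-of-order segments and handles sequence-number wrap.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Segment:
    time: float      # seconds since the start of the capture
    src: str         # "ip:port" of the sender
    dst: str         # "ip:port" of the receiver
    seq: int         # TCP sequence number (relative)
    length: int      # TCP payload bytes


# Constructed sample segments, client -> server only (not a real trace).
# Two of them re-send data that was already sent.
SEGMENTS = [
    Segment(0.10, "10.2.1.3:50000", "10.2.9.9:80", 1, 100),
    Segment(0.20, "10.2.1.3:50000", "10.2.9.9:80", 101, 100),
    Segment(1.30, "10.2.1.3:50000", "10.2.9.9:80", 201, 100),
    Segment(1.70, "10.2.1.3:50000", "10.2.9.9:80", 101, 100),  # re-sends seq 101
    Segment(2.05, "10.2.1.3:50000", "10.2.9.9:80", 301, 0),    # pure ACK, no data
    Segment(2.40, "10.2.1.3:50000", "10.2.9.9:80", 301, 100),
    Segment(2.90, "10.2.1.3:50000", "10.2.9.9:80", 201, 100),  # re-sends seq 201
]


def flag_retransmissions(segments):
    """Simplified form of the check behind tcp.analysis.retransmission: a
    data-carrying segment whose sequence number is below the highest
    next-expected sequence number already seen for that direction of the
    flow. Pure ACKs (no payload) are never flagged."""
    next_expected = {}
    flagged = []
    for seg in sorted(segments, key=lambda s: s.time):
        flow = (seg.src, seg.dst)
        highest = next_expected.get(flow, 0)
        if seg.length > 0 and seg.seq < highest:
            flagged.append(seg)
        next_expected[flow] = max(highest, seg.seq + seg.length)
    return flagged


def io_graph(segments, interval=1.0):
    """Count flagged retransmissions per time bucket, which is what an
    Advanced IO Graph plotting COUNT(tcp.analysis.retransmission) shows.
    Returns {bucket_start_seconds: count}."""
    buckets = defaultdict(int)
    for seg in flag_retransmissions(segments):
        buckets[int(seg.time // interval) * interval] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for start, count in io_graph(SEGMENTS).items():
        print(f"{start:5.1f}s  {'#' * count}  ({count})")
```

In the sample data the segments at 1.70 s and 2.90 s are flagged, so the graph shows one retransmission in the 1 s bucket and one in the 2 s bucket; the zero-length segment at 2.05 s is ignored even though its sequence number is not new.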
Graph Delays and Errors
Always Check the Expert