Wireshark Beginner guide

Ensurepass

Wireshark/Ethereal (Wireshark is the current name of the tool formerly called Ethereal) is a free network protocol analyzer available for almost all operating systems (including Unix, Linux and MS Windows). It lets you examine data from a live network or from a capture file on disk. You can interactively browse the captured data, viewing summary and detail information for each packet. Wireshark/Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

The installation of Wireshark is easy, so I will not cover it here; you can find the newest Wireshark version at http://www.wireshark.org/download.html

Using Wireshark/Ethereal

1. Capturing
On a switched network an interface normally sees only its own traffic (plus broadcasts), so to capture the traffic of other hosts you need either an Ethernet hub or a better switch on which one Ethernet port can be configured as a monitoring (mirror/SPAN) port that receives a copy of the traffic of the other ports. To capture Ethernet traffic start Wireshark/Ethereal, select the Capture menu and click Options. The following screen will appear:

[Figure: Capture Options dialog (wireshark_1.jpg)]

In the interface selection choose the Ethernet interface from which you would like to capture traffic. In some configurations the default selection can be, for example, a Generic NdisWan Adapter, which is not a physical network card and from which Wireshark/Ethereal is not able to capture; this adapter can be found in configurations with Terminal Services enabled. If a capture for some specific host is needed, it is possible to define a capture filter (libpcap/BPF syntax, the same syntax tcpdump uses). Examples of some filters related to hosts:

Capture filter                                   Explanation
host 192.168.1.1                                 Packets in which host 192.168.1.1 is the source or
                                                 the destination.
host 192.168.1.1 and host 192.168.1.2            Packets in which host 192.168.1.1 is the source and
                                                 host 192.168.1.2 the destination (or vice versa).
host 192.168.1.1 and (host 192.168.1.2           Packets in which host 192.168.1.1 is the source and
or host 192.168.1.3)                             host 192.168.1.2 or host 192.168.1.3 the destination
                                                 (or vice versa).
host 192.168.1.1 and not 192.168.1.2             Packets in which 192.168.1.1 is the source or the
                                                 destination, but only if they are not coming from or
                                                 going to 192.168.1.2. The bare address after "not"
                                                 reuses the most recent keyword, so this is the same
                                                 as "host 192.168.1.1 and not host 192.168.1.2".

It is also possible to capture just one low-level protocol. A few examples:

Capture filter          Explanation
tcp                     Captures only packets transmitted using the TCP protocol.
tcp port 80             Captures only TCP packets from/to port 80.
tcp port 80 or udp      Captures TCP packets from/to port 80 and all packets
                        transmitted using the UDP protocol.

Keep in mind that a capture filter decides what is recorded at all: packets it rejects are never written to the capture and cannot be recovered later. If you are not sure what you will need (for example during an incident), capture without a filter or with a broad one and narrow down with display filters afterwards.

2. Display filtering (during or after the capture session)

During a capture session (or when browsing a saved capture file) it is possible to define another filter, the display filter, which applies to the already captured information and only hides packets, without discarding anything. It uses Wireshark's own filter syntax, not the BPF syntax of the capture filters above. See the following example:

[Figure: Wireshark/Ethereal in action with the display filter "ldap" (wireshark_2.jpg)]

In the filter field is the string "ldap", which means that Wireshark/Ethereal will show only transactions which use the LDAP protocol. The value of this filter can be changed at any time during the capture session.
Some simple examples:

Filter      Explanation
sip         Shows only packets transmitted using the SIP protocol.
mgcp        Shows only packets transmitted using the MGCP protocol.
ldap        Shows only packets transmitted using the LDAP protocol.

More complicated examples:

Filter                                   Explanation
ldap.bind.version == 3                   Shows only LDAP Bind messages where the protocol
                                         version equals three.
tcp contains surpass                     Shows all TCP packets with the word "surpass"
                                         anywhere in the packet.
sip contains UHURA or                    Shows BOTH: all SIP packets containing the word
ip.addr==192.168.10.60                   UHURA, and also all packets where the source or
                                         destination IP is 192.168.10.60.
sip.Method == "REGISTER" and             Shows ONLY SIP packets where the Method is
ip.addr==192.168.10.60                   REGISTER AND the source or destination IP is
                                         192.168.10.60.

Note: Filtering is case sensitive! Both field names and string comparisons (==, contains) are case sensitive, so "tcp contains Surpass" would not match a packet that only carries "surpass". For a case-insensitive search use the regular-expression operator with an explicit flag, e.g. tcp matches "(?i)surpass", or normalise the field first, e.g. lower(sip.Method) == "register". Another common trap: ip.addr != 192.168.10.60 does not exclude that host, because it is true whenever either the source or the destination address differs; to exclude a host write !(ip.addr == 192.168.10.60).
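The following Python script is an added example, not part of the original guide or of Wireshark itself, that ties sections 1 and 2 together: it hand-builds a few Ethernet/IPv4/TCP/UDP frames, writes them to a classic pcap file that Wireshark can open, and evaluates the filter expressions from the tables above in plain Python so the counts can be compared with what Wireshark shows for the same filters. The addresses 192.168.1.1 to 192.168.1.5, the ports and the payloads are constructed for the example, and the host/tcp_port/tcp_contains/tcp_matches helpers only mimic the filter semantics; they are not Wireshark's code.

```python
"""Constructed pcap file plus the capture/display filter semantics from the tables (added example)."""
import re
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    proto: int      # IPPROTO_TCP or IPPROTO_UDP
    sport: int
    dport: int
    payload: bytes  # layer-4 payload


# Constructed sample traffic: addresses, ports and payloads are made up for this example.
SAMPLE = [
    Packet("192.168.1.1", "192.168.1.2", IPPROTO_TCP, 40001, 80,
           b"GET /surpass HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    Packet("192.168.1.2", "192.168.1.1", IPPROTO_TCP, 80, 40001,
           b"HTTP/1.1 200 OK\r\n\r\nSurpass page"),                    # capital S on purpose
    Packet("192.168.1.1", "192.168.1.3", IPPROTO_TCP, 40002, 443, b"\x16\x03\x01\x00\x05hello"),
    Packet("192.168.1.1", "192.168.1.3", IPPROTO_UDP, 33333, 514, b"<13>constructed syslog line"),
    Packet("192.168.1.4", "192.168.1.5", IPPROTO_UDP, 5060, 5060,
           b"REGISTER sip:pbx.example.invalid SIP/2.0\r\n\r\n"),
    Packet("192.168.1.2", "192.168.1.3", IPPROTO_TCP, 40003, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
]


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for the IP, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(p: Packet) -> bytes:
    """Ethernet II + IPv4 + TCP/UDP frame with valid checksums so Wireshark dissects it cleanly."""
    src, dst = socket.inet_aton(p.src), socket.inet_aton(p.dst)
    if p.proto == IPPROTO_TCP:   # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", p.sport, p.dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        csum_off = 16
    else:                        # 8-byte UDP header
        l4 = struct.pack("!HHHH", p.sport, p.dport, 8 + len(p.payload), 0)
        csum_off = 6
    l4 += p.payload
    pseudo = src + dst + struct.pack("!BBH", 0, p.proto, len(l4))      # TCP/UDP pseudo-header
    csum = _csum(pseudo + l4) or 0xFFFF                                  # UDP sends a computed 0 as 0xFFFF
    l4 = l4[:csum_off] + struct.pack("!H", csum) + l4[csum_off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, p.proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]               # fill in IP header checksum
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"   # locally administered MACs
    return eth + ip + l4


def build_pcap(packets) -> bytes:
    """Serialise the frames as a classic pcap file image: global header plus one record per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, p in enumerate(packets):
        frame = build_frame(p)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Filter building blocks. "host X" (capture filter) and "ip.addr == X" (display filter) both
# mean "X is the source OR the destination", which is why "and not host Y" is needed to exclude Y.
def host(addr):         return lambda p: addr in (p.src, p.dst)
def udp(p):             return p.proto == IPPROTO_UDP
def tcp_port(n):        return lambda p: p.proto == IPPROTO_TCP and n in (p.sport, p.dport)
def tcp_contains(word): return lambda p: p.proto == IPPROTO_TCP and word in p.payload   # case sensitive
def tcp_matches(rx):    return lambda p: p.proto == IPPROTO_TCP and re.search(rx, p.payload) is not None
def AND(*fs):           return lambda p: all(f(p) for f in fs)
def OR(*fs):            return lambda p: any(f(p) for f in fs)
def NOT(f):             return lambda p: not f(p)

FILTERS = {   # the first six are capture-filter (BPF) expressions, the last two display filters
    "host 192.168.1.1":                          host("192.168.1.1"),
    "host 192.168.1.1 and host 192.168.1.2":     AND(host("192.168.1.1"), host("192.168.1.2")),
    "host 192.168.1.1 and (host 192.168.1.2 or host 192.168.1.3)":
        AND(host("192.168.1.1"), OR(host("192.168.1.2"), host("192.168.1.3"))),
    "host 192.168.1.1 and not host 192.168.1.2": AND(host("192.168.1.1"), NOT(host("192.168.1.2"))),
    "tcp port 80":                               tcp_port(80),
    "tcp port 80 or udp":                        OR(tcp_port(80), udp),
    "tcp contains surpass":                      tcp_contains(b"surpass"),
    'tcp matches "(?i)surpass"':                 tcp_matches(rb"(?i)surpass"),
}


def apply_filters(packets=SAMPLE):
    """Return {filter expression: number of matching packets}."""
    return {expr: sum(1 for p in packets if pred(p)) for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    with open("constructed.pcap", "wb") as fh:   # open this file in Wireshark and type the same filters
        fh.write(build_pcap(SAMPLE))
    for expr, n in apply_filters().items():
        print(f"{n:2d}  {expr}")
```

Running the script writes constructed.pcap and prints one count per filter; opening the file in Wireshark and entering ip.addr == 192.168.1.1 && !(ip.addr == 192.168.1.2), tcp contains surpass and tcp matches "(?i)surpass" in the display filter field should select the same packets (2, 1 and 2 respectively). The "Surpass page" response is the packet that contains misses and matches with (?i) finds, which is the case-sensitivity point of the note above.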
