Wireshark

1. Wireshark By: Patrick Causey Debbie Wallace Tony Agront Stephen Garbesi

2. What is Wireshark? • Wireshark is an open source software project • Wireshark is a network packet analyzer • Wireshark is released under the GNU General Public License (GPL). • GPL basically means you can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. • A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

3. Some intended purposes Here are some examples people use Wireshark for: • Network admins use it to troubleshoot network problems • Network security engineers use it to examine security problems • Developers use it to debug protocol implementations

4. Features The following are some of the many features Wireshark provides: • Available for UNIX and Windows. • Capturelive packet data from a network interface. • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs. • Import packets from text files containing hex dumps of packet data. • Display packets with very detailed protocol information. • Save packet data captured. • Export some or all packets in a number of capture file formats. • Filter packets on many criteria. • Search for packets on many criteria. • Colorize packet display based on filters. • Create various statistics. • ... and a lot more!

5. Peer to Peer In Wireshark: In general the TCP packets used by p2p (peer to peer) protocol have PSH (PUSH) flag set. Whenever you see PSH flag set in TCP packets. You can be almost sure of p2p in action. p2p is not a common protocol, it comes into picture only if you are using p2p software's like Kaza lite etc. Otherwise it sure could be a cause of worry. • The PSH flag set implies that the TCP packets are intended to be "push" across the buffers ahead of any other data. • For this reason p2p traffic is notorious for eating up bandwidth and is generally “banned” in corporate networks. • P2P isn't a very reliable means of obtaining things. You never know the benign executable (that came in disguise of your favorite game) could be a Trojan or a bot. One click and your computer becomes the zombia of a botnet.

6. This is an example of the three way handshake

7. This is an example of p2p packets in wireshark.

8. Worms • If your computer is searching the whole subnet (say 10.0.0,1 to 10.0.0.254), its trying to figure out who else is present on your LAN. • If any host replies back, the worm will try to infect it. • The netbios (port 135, 139, 445) services of a windows machine are available to the LAN only. • Any worm outside the LAN cannot attack it. But if any machine in your LAN is infected, chances are that all vulnerable windows machines will get infected. • Unless your antivirus and OS is updated to face the most recent vulnerabilities.

9. This is an example of a worm in wireshark.

10. Live capture from many different network mediaat: http://wiki.wireshark.org/CaptureSetup/NetworkMedia. 1.1.4. Import files from many other capture programs Wireshark can open packets captured from a large number of other capture programs. For a list of input formats see Section 5.2.2, “Input File Formats”. 1.1.5. Export files for many other capture programs Wireshark can save packets captured in a large number of formats of other capture programs. For a list of output formats see Section 5.3.2, “Output File Formats”. 1.1.6. Many protocol decoders There are protocol decoders (or dissectors, as they are known in Wireshark) for a great many protocols: see Appendix B, Protocols and Protocol Fields http://support.citrix.com/article/ctx114188