TSS Academy

Presentation Transcript


  1. TSS Academy Troubleshooting with

  2. So What is WireShark? • Open Source Network Tool • Packet sniffer/protocol analyzer

  3. WiFi Packet Sniffing • Association Issues • AirPcap (Hardware)

  4. Cascade Pilot (Commercial)

  5. From the Firehose One gigabit per second equates to over 83,000 packets per second, or only 12 microseconds per packet.

  6. Wireshark Process • Capture Traffic • Display & Analyze Traffic • Summarize Traffic

  7. Where do I put WireShark?

  8. Location, Location, Location

  9. Hub

  10. Switches

  11. Switch with a SPAN port

  12. TAP

  13. HUBS

  14. Switch
      interface FastEthernet0/1
       port monitor FastEthernet0/2

  15. Switch
      interface FastEthernet0/1
       port monitor FastEthernet0/2 rx
      interface FastEthernet0/3
       port monitor FastEthernet0/2 tx

  16. VLAN Monitoring
      interface FastEthernet0/1
       port monitor VLAN1

  17. “Promiscuous” Mode • Ethernet Frames are Addressed. • Ethernet NICs ignore frames not for them.

  18. Install Wireshark on Client/Server • Wireshark runs on demand. • WinPcap can be disabled in Services.

  19. Selectively Ignore Traffic

  20. Capture Filter Examples
      host 10.1.11.24
      host 192.168.0.1 and host 10.1.11.1
      net 192.168.0.0/24
      net 192.168.0.0 mask 255.255.255.0
      src net 192.168.0.0/24
      port 53
      tcp port http
      ip
      not broadcast
      not multicast
      ether host 00:04:13:00:09:a3

  21. Capture Filter

  22. Capture Options

  23. Capture Interfaces

  24. Capturing Data (Capture Window)

  25. Stopping the Packet Capture

  26. Displaying Packets

  27. Display (Post) Filters • Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace. • Display filters use their own format and are much more powerful than capture filters.

  28. Wireshark Display Filter CheatSheet (packetlife.net)

  29. Display Filter Expression Builder • To search, just type…

  30. Display Filter Examples
      ip.src==10.1.11.24
      ip.addr==192.168.1.10 && ip.addr==192.168.1.20
      tcp.port==80 || tcp.port==3389
      !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
      (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
      (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)
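An added example, not from the slides, that evaluates the display filters above against a few constructed packets in Python, to show the rule behind them: ip.addr and tcp.port match either endpoint of a packet, so `ip.addr==A && ip.addr==B` selects one conversation and `!(...)` around it keeps everything else. The packet list, field_values and apply_filter are assumptions of this example; Wireshark's own filter engine is not involved.

```python
"""Evaluate the display filters from slide 30 over constructed packets.
Models one Wireshark rule: ip.addr and tcp.port occur twice per packet
(source and destination) and `field == value` is true if ANY occurrence
matches.  Python's parser only builds a syntax tree; nothing is eval()'d."""
import ast
import re
# Constructed sample packets for this example, not from a real capture.
PACKETS = [
    {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.20", "proto": "tcp", "ports": (51000, 445)},
    {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.10", "proto": "tcp", "ports": (445, 51000)},
    {"ip.src": "10.1.11.24", "ip.dst": "192.168.1.20", "proto": "tcp", "ports": (40000, 3389)},
    {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "proto": "udp", "ports": (68, 67)},
]

def field_values(pkt, name):
    """Every occurrence of a field in a packet, as strings (empty if absent)."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    if name in ("tcp.port", "udp.port") and pkt["proto"] == name[:3]:
        return [str(p) for p in pkt["ports"]]
    return [pkt[name]] if name in pkt else []

def to_python(expr):
    """Rewrite ==, &&, ||, ! as Python syntax and quote right-hand values.
    Only these operators are handled; != or > would need a real parser."""
    expr = re.sub(r"==\s*([\w.]+)", r'== "\1"', expr)
    return expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ").strip()

def evaluate(node, pkt):
    """Walk the syntax tree and decide whether one packet passes the filter."""
    if isinstance(node, ast.BoolOp):
        results = [evaluate(v, pkt) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not evaluate(node.operand, pkt)
    if isinstance(node, ast.Compare) and isinstance(node.ops[0], ast.Eq):
        # ast.unparse turns the attribute chain back into "ip.addr", "tcp.port", ...
        return node.comparators[0].value in field_values(pkt, ast.unparse(node.left))
    raise ValueError(f"unsupported filter syntax: {ast.dump(node)}")

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets that pass a display filter."""
    tree = ast.parse(to_python(expr), mode="eval").body
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]

if __name__ == "__main__":
    for f in ("ip.addr==192.168.1.10", "ip.addr==192.168.1.10 && ip.addr==192.168.1.20",
              "!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)"):
        print(f"{f:52} -> packets {apply_filter(f)}")
```

Note that the last slide-30 filter returns no packets here because the only UDP 67/68 packet in the sample set is not between 192.168.1.10 and 192.168.1.20.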

  31. Display Example dns.qry.name == "www.youtube.com" and not dns.resp.addr == 208.70.74.21

  32. Analyzing Data

  33. Statistics Menu

  34. I/O Graph (With Filters)

  35. Protocol Hierarchy

  36. Protocol Hierarchy

  37. Follow TCP Stream

  38. Follow TCP Stream • red: stuff you sent • blue: stuff you get

  39. Resources & Credits • Wireshark Wiki http://wiki.wireshark.org • http://ilta.ebiz.uapps.net/ProductFiles/productfiles/672/wireshark.ppt • www.wiresharkuniversity.com