
Capturing network communication packets with Wireshark Utility 

Jun 23, 2009 04:29 PM

Introduction to Wireshark:

This article covers the basics of the Wireshark tool, which is used for capturing and analyzing packets on a network, with an eye to troubleshooting the communication between the Symantec Endpoint Protection (SEP) client and the Endpoint Protection Manager (SEPM).

Wireshark is a free, open-source packet sniffer (network protocol analyzer). It is used for network troubleshooting, analysis, software and communications protocol development, and education. It was originally named Ethereal.


Wireshark puts your network card into promiscuous mode, which tells it to accept every frame it receives rather than only the frames addressed to it. This lets you see all traffic passing over the network segment you are attached to. Keep in mind that on a switched network a normal switch port only carries traffic to and from your own machine plus broadcasts and multicasts; to see another host's SEP traffic you need a SPAN/mirror port or a network tap. The simplest option is to run Wireshark on the SEP client or on the SEPM itself.


Wireshark uses pcap to capture packets. pcap is a packet capture library: it provides the interface through which raw frames are read from a network interface, and it defines the file format (.pcap) in which captures are saved. It knows nothing about protocol structures or messages; decoding the raw bytes into protocols, fields and messages is done by Wireshark's own dissectors. Wireshark can therefore only capture on the interface types that pcap supports.

When you install Wireshark on Windows you will be prompted to install the WinPcap component, which is the Windows version of pcap (current Wireshark releases bundle its successor, Npcap, instead). On Unix-like systems the library is called libpcap.
 

  • When you open Wireshark, the first thing you need to do is choose the interface on which to capture packets. To do that you can click on the Capture menu (Capture->Interfaces), or click on the NIC icon in the left-hand top corner. The list shows each interface with its IP address, so you can pick the right one either by the address or by the interface name.

Once you click Start, Wireshark begins capturing packets on that interface.

You can stop the capture with Capture->Stop or by pressing Ctrl+E on the keyboard.


Filters:

Wireshark provides a very wide scope of configuration according to your needs. The most important feature is filtering. Filters are of 2 types, and they use different syntaxes:

1. Capture Filters

As the name indicates, capture filters filter packets as they are captured. On a corporate network your NIC receives a great many packets; a capture filter keeps the size of the capture file down and extracts precise information from the live packet flow. Use one when you know exactly what kind of traffic you are looking for. Capture filters are written in the BPF (tcpdump) syntax, which is different from the display filter syntax described below. For example, to capture the network communication between the SEP client and the SEPM, use the capture filter:

host 172.18.5.4

where the IP address is that of the SEPM if you are running Wireshark on a client machine. If you are running Wireshark on the server, give the IP address of one of the clients instead.

Since it is a capture filter, you need to specify it before the capture begins. Go to Capture->Interfaces->Options [in front of the desired interface], or click the NIC card icon in the left-hand top corner and click Options in front of the desired interface. Packets a capture filter rejects are never written to the file, so if you are unsure what you need, capture broadly and narrow the view with display filters afterwards.

2. Display Filters

Display filters are useful when you already have a packet capture file and want to extract specific information from it. They discard nothing: matching packets are shown and the rest are hidden, so you can change the filter as often as you like on the same capture.
The packets that match a particular filter are far fewer than the whole capture and much easier to analyze.


FOLLOW TCP STREAMS:

If you are working with TCP-based protocols it can be very helpful to see the data of a TCP stream the way the application layer sees it: reassembled in sequence order, with the headers stripped.
You could write a display filter that shows only the packets of that TCP stream, but Wireshark does it for you: right-click on a TCP packet and select Follow TCP Stream. Wireshark builds the display filter for that connection (tcp.stream eq N) and shows you the data transmitted in both directions of that TCP stream.
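Follow TCP Stream works by collecting every segment of one connection, sorting each direction by sequence number and discarding retransmitted bytes. The Python below, an added example that is not part of the original article, does that reassembly on a constructed exchange between a client and the SEPM address used above. Port 80 and the HTTP payloads are assumptions; the arrival order deliberately contains an out-of-order segment and a retransmission, which is exactly why the packet list alone is hard to read.

```python
# Follow TCP Stream reassembly over constructed segments (added example).
CLIENT = ("192.168.0.25", 49152)   # constructed client endpoint
SEPM = ("172.18.5.4", 80)          # SEPM address from the article; port 80 assumed

# (src, dst, seq, payload) in arrival order: the server's second segment arrives
# before its first, and the client's second segment is retransmitted.
SEGMENTS = [
    (CLIENT, SEPM, 1000, b"GET / HTTP/1.1\r\n"),
    (CLIENT, SEPM, 1016, b"Host: 172.18.5.4\r\n\r\n"),
    (SEPM, CLIENT, 5017, b"Content-Length: 2\r\n\r\nok"),
    (SEPM, CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    (CLIENT, SEPM, 1016, b"Host: 172.18.5.4\r\n\r\n"),
]

def stream_key(a, b):
    """Both directions of one connection share a key, like Wireshark's tcp.stream index."""
    return tuple(sorted((a, b)))

def reassemble_direction(segs):
    """Join one direction's payloads in sequence order, dropping retransmitted bytes
    and marking bytes missing from the capture with '?' (Wireshark prints a
    '[N bytes missing in capture file]' note instead)."""
    segs = sorted(segs, key=lambda s: s[0])
    data, next_seq = b"", segs[0][0]
    for seq, payload in segs:
        end = seq + len(payload)
        if end <= next_seq:
            continue                              # pure retransmission, already have it
        if seq > next_seq:
            data += b"?" * (seq - next_seq)       # hole: segment not in capture
            next_seq = seq
        data += payload[next_seq - seq:]          # skip any overlapping prefix
        next_seq = end
    return data

def follow_streams(segments):
    """Group segments by connection and direction: {key: {(src, dst): bytes}}."""
    by_dir = {}
    for src, dst, seq, payload in segments:
        by_dir.setdefault(stream_key(src, dst), {}).setdefault((src, dst), []).append((seq, payload))
    return {key: {d: reassemble_direction(s) for d, s in dirs.items()} for key, dirs in by_dir.items()}

def follow(segments, client, server):
    """What Follow TCP Stream shows for one connection: (client->server, server->client)."""
    dirs = follow_streams(segments)[stream_key(client, server)]
    return dirs.get((client, server), b""), dirs.get((server, client), b"")

if __name__ == "__main__":
    to_server, to_client = follow(SEGMENTS, CLIENT, SEPM)
    print(to_server.decode(), end="")
    print(to_client.decode())
```

The two byte strings returned by follow() are what the red and blue halves of the Follow TCP Stream window contain; the HTTP request and response read cleanly even though the segments were captured out of order and one was seen twice.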

EXPERT INFO:

The Expert Info is a log of the anomalies Wireshark found in a capture file, such as retransmissions, out-of-order segments, zero windows and malformed packets.

The general idea behind Expert Info is to give a better display of "uncommon" or just notable network behavior. This way both novice and expert users will hopefully find probable network problems a lot faster than by scanning the packet list manually.

Click on Analyze->Expert Info Composite (in current Wireshark versions the menu item is Analyze->Expert Information).

FLOW GRAPH:

Click on Statistics->Flow Graph and click OK in the next window. It shows a detailed flow graph of every message in the capture (or only in the currently displayed packets, if you choose so), with comments that help in understanding the flow of messages. This utility is very useful when you are learning how a particular protocol works or investigating a particular protocol.

DESTINATIONS:

Click on Statistics->Destinations and click OK (in current Wireshark versions: Statistics->IPv4 Statistics->Destinations and Ports). It gives a detailed breakdown for each destination IP address in the capture, showing how many packets were sent to each port. If you are investigating a port scan or DoS attack, these figures reveal the pattern used for probing the hosts: one source touching many ports on a host points to a port scan, while a flood of packets to a single port points to a DoS.

SUMMARY:

It can be accessed from the menu: Statistics->Summary (in current Wireshark versions: Statistics->Capture File Properties).

Basic global statistics are available in the summary window, such as:
- Capture file properties
- Capture time
- Capture filter information
- Display filter information
- How much data was transferred while this capture was going on

CONVERSATIONS:

Statistics->Conversations: this view gives a statistical view of the conversations in the capture, with one tab per layer (Ethernet, IPv4, TCP, UDP and others). For each pair of endpoints it lists the packets and bytes in each direction, which makes it easy to see which client/SEPM pairs talked, how much, and which hosts talked to many peers.
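The Destinations and Conversations views are aggregations over the capture. The added example below (not from the article) reproduces both over a constructed packet list: a normal client/SEPM exchange on port 80 (the port is assumed) plus one host probing ten ports on the SEPM, which is the pattern the Destinations figures reveal in a port scan. All addresses, ports and sizes are constructed; 172.18.5.4 is the SEPM address from the article's capture-filter example.

```python
from collections import Counter, defaultdict

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, bytes).
SEPM_IP = "172.18.5.4"      # from the article's capture-filter example
PACKETS = [
    ("192.168.0.25", 49152, SEPM_IP, 80, 220),     # normal client -> SEPM request (port assumed)
    (SEPM_IP, 80, "192.168.0.25", 49152, 1400),    # SEPM reply
    ("192.168.0.25", 49152, SEPM_IP, 80, 60),      # client ACK
] + [
    ("10.0.0.200", 40000 + i, SEPM_IP, port, 60)   # one host probing ten ports on the SEPM
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])
]

def destinations(packets):
    """Statistics -> Destinations: for each destination address, packets per destination port."""
    per_dst = defaultdict(Counter)
    for _, _, dst, dport, _ in packets:
        per_dst[dst][dport] += 1
    return per_dst

def conversations(packets):
    """Statistics -> Conversations (TCP tab): packets and bytes per endpoint pair,
    with both directions counted under one key."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, size in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key]["packets"] += 1
        convs[key]["bytes"] += size
    return convs

def port_scan_suspects(packets, min_ports=8):
    """Sources that touched at least min_ports distinct ports on one destination:
    the vertical-scan pattern the Destinations figures make visible."""
    ports = defaultdict(set)
    for src, _, dst, dport, _ in packets:
        ports[(src, dst)].add(dport)
    return sorted({src for (src, _), touched in ports.items() if len(touched) >= min_ports})

if __name__ == "__main__":
    for dst, counter in destinations(PACKETS).items():
        print(dst, dict(counter))
    for key, stats in conversations(PACKETS).items():
        print(key, stats)
    print("port scan suspects:", port_scan_suspects(PACKETS))
```

The scanner shows up as ten one-packet conversations against a single destination, while the legitimate client appears as one three-packet conversation; the Destinations table for the SEPM lists ten distinct ports, nine of which only the scanner touched.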


Capture Filters:

• Capture only traffic to or from IP address 172.18.5.4: host 172.18.5.4    [  Use the SEPM's IP address to capture the traffic between SEP and SEPM  ]

• Capture only DNS (port 53) traffic: port 53  [  Replace 53 with the port on which the SEPM listens for client communication to capture SEP-SEPM traffic by port  ]

• Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0

• Capture traffic from a range of IP addresses: src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0

• Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0

• Capture traffic within a range of TCP ports: (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550). Here tcp[0:2] is the source port and tcp[2:2] the destination port; tcp[4:2] would be part of the sequence number, not a port. Newer libpcap versions also accept the simpler tcp portrange 1501-1549.

• Capture only Ethernet type EAPOL: ether proto 0x888e


Display Filters:

Wireshark uses display filters for general packet filtering while viewing and for its coloring rules. The basics and the syntax of display filters are described in the User's Guide. Note that display filters use a different syntax from capture filters: protocol and field names such as http, ip.addr and tcp.port, compared with eq (==), ne (!=), gt, lt and combined with and/or (&&, ||).

• http : a filter that shows only the HTTP traffic, which can be used to see the SEP-SEPM communication when the communication settings use the HTTP protocol

• Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

• Show only traffic to and from an IP address (for SEP-SEPM traffic, use the SEPM's address):

ip.addr eq 127.0.0.1
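To make concrete what pcap is (a capture library and file format that hands raw bytes to Wireshark, which then dissects them) and how the two filter types differ, the added example below, which is not the article's own code and uses neither Wireshark nor libpcap, writes a minimal pcap file containing four constructed frames, reads it back, and then applies the capture filters listed above as byte-offset tests on the raw frame, the way BPF evaluates them, and the display filters above as tests on dissected field names. 172.18.5.4 is the SEPM address from the article; the other addresses, MAC addresses, ports and payloads are constructed, and the port range check uses the corrected tcp[0:2]/tcp[2:2] offsets.

```python
import ipaddress
import struct

SEPM_IP = "172.18.5.4"       # SEPM address from the article
CLIENT_IP = "192.168.0.25"   # constructed
OTHER_IP = "10.0.0.9"        # constructed
ETH_IPV4 = b"\x08\x00"       # EtherType of IPv4

# Constructed frames. Checksums are left zero: Wireshark flags that but still dissects.
def ipv4_frame(src, dst, proto, l4):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETH_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + l4

def tcp_segment(sport, dport, payload=b""):
    # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

# pcap file format: 24-byte global header, then a 16-byte record header before each frame.
def write_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, 2.4, tz, sigfigs, snaplen, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f  # ts sec, ts usec, incl_len, orig_len
    return out

def read_pcap(data):
    hdr = struct.unpack("<IHHiIII", data[:24])
    if hdr[0] != 0xA1B2C3D4 or hdr[6] != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    frames, off = [], 24
    while off < len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

# Capture-filter style: fixed byte offsets into the raw frame, before any dissection (as BPF does).
def bpf_host(frame, ip):                          # host 172.18.5.4
    packed = ipaddress.ip_address(ip).packed
    return frame[12:14] == ETH_IPV4 and packed in (frame[26:30], frame[30:34])

def bpf_net(frame, cidr, direction="any"):        # net / src net / dst net 192.168.0.0/24
    if frame[12:14] != ETH_IPV4:
        return False
    net = ipaddress.ip_network(cidr)
    src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
    return {"any": src in net or dst in net, "src": src in net, "dst": dst in net}[direction]

def bpf_tcp_portrange(frame, lo, hi):
    # (tcp[0:2] > lo and tcp[0:2] < hi) or (tcp[2:2] > lo and tcp[2:2] < hi)
    # tcp[0:2] is the source port and tcp[2:2] the destination port; tcp[4:2] would be sequence number bytes.
    if frame[12:14] != ETH_IPV4 or frame[23] != 6:
        return False
    tcp = 14 + (frame[14] & 0x0F) * 4             # tcp[n] offsets are relative to the TCP header
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return lo < sport < hi or lo < dport < hi

# Dissection into named fields, then display-filter style tests on those fields.
def dissect(frame):
    fields = {}
    if frame[12:14] != ETH_IPV4:
        return fields
    fields["ip.src"] = str(ipaddress.ip_address(frame[26:30]))
    fields["ip.dst"] = str(ipaddress.ip_address(frame[30:34]))
    fields["ip.proto"] = frame[23]
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    if fields["ip.proto"] == 6:
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        fields["tcp.payload"] = l4[(l4[12] >> 4) * 4:]
    elif fields["ip.proto"] == 1:
        fields["icmp.type"] = l4[0]
    return fields

def df_tcp_port_or_icmp(fields, port=25):        # tcp.port eq 25 or icmp
    return port in (fields.get("tcp.srcport"), fields.get("tcp.dstport")) or fields.get("ip.proto") == 1

def df_ip_addr(fields, ip):                      # ip.addr eq 172.18.5.4
    return ip in (fields.get("ip.src"), fields.get("ip.dst"))

def demo():
    frames = [
        ipv4_frame(CLIENT_IP, SEPM_IP, 6, tcp_segment(49152, 80, b"GET / HTTP/1.1\r\nHost: 172.18.5.4\r\n\r\n")),
        ipv4_frame(SEPM_IP, CLIENT_IP, 6, tcp_segment(80, 49152, b"HTTP/1.1 200 OK\r\n\r\n")),
        ipv4_frame(CLIENT_IP, OTHER_IP, 6, tcp_segment(1520, 25)),
        ipv4_frame(OTHER_IP, CLIENT_IP, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # ICMP echo request
    ]
    captured = read_pcap(write_pcap(frames))       # round-trip through the file format
    parsed = [dissect(f) for f in captured]
    return {
        "frames": len(captured),
        "host_sepm": sum(bpf_host(f, SEPM_IP) for f in captured),
        "net_any": sum(bpf_net(f, "192.168.0.0/24") for f in captured),
        "net_src": sum(bpf_net(f, "192.168.0.0/24", "src") for f in captured),
        "net_dst": sum(bpf_net(f, "192.168.0.0/24", "dst") for f in captured),
        "portrange": sum(bpf_tcp_portrange(f, 1500, 1550) for f in captured),
        "smtp_or_icmp": sum(df_tcp_port_or_icmp(p) for p in parsed),
        "ip_addr_sepm": sum(df_ip_addr(p, SEPM_IP) for p in parsed),
        "http_request": parsed[0]["tcp.payload"].startswith(b"GET "),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The byte-offset predicates assume untagged Ethernet II frames with IPv4 and no IP options beyond what the IHL field says, which is also why real BPF programs check the EtherType before reading IP addresses; the dissected-field predicates do not care about offsets at all, which is what makes display filters more flexible but only usable after capture.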

 


Comments

May 08, 2014 03:02 PM

Good Job :) yes

Jan 03, 2013 05:53 PM

Excellent & Very informative. By the way, this feature (Analyze->Expert Info Composite) is not on the latest Wireshark.

Jun 27, 2011 12:04 AM

Brilliant tips here.  I reckon this would come in handy for capturing and interactively tracking the traffic running on a computer and streaming tv network too.

Oct 20, 2010 02:07 AM

good work.... :)

Sep 07, 2010 09:53 AM

good work

May 31, 2010 07:21 AM


Really informative and helpful to analyze the network traffic and troubleshoot the SEP communication.

Once again Thanks to Aniket.

Regards

Nov 27, 2009 05:35 AM

Just for your info, VSA available on this post : Wireshark: Free Packet Analyzer Tool
regards
Paolo

Jul 22, 2009 03:59 PM

Amazing Video Explanation Aniket.

Jul 01, 2009 06:06 AM

Hey,
Thanks a lot for the post..

I think if you can provide a case ID that will be more helpful. I will look into my resources to find any other reports of a similar issue.

Cheers,
Aniket

Jul 01, 2009 05:48 AM

..you forgot to mention that in order to do this successfully, you must first turn off SEP 11 (kinda ironic, isn't it?).

Whenever we start captures in promiscuous mode, SEP (11.0.4014.26) goes absolutely ape, and starts blocking a lot of network traffic (Active Response blocked).
This does not happen when you're not in promiscuous mode.
Logged a case with Symantec support, hopefully they can figure it out..

:-)

Jun 30, 2009 08:47 AM

Good job dude....

Jun 29, 2009 05:30 PM

Great job!  Nice little intro to a valuable tool and great way for me to show my team.  Thanks for sharing and keep them coming.

Jun 29, 2009 01:34 AM

Nice job dude..

Jun 26, 2009 11:02 PM

this keeps me glued to my seat...
2 votes ain't enough for this wonderful and informative video...
thanks Aniket Amdekar...

Jun 24, 2009 08:20 AM

Nice Work ... THUMB from me for this...

Jun 23, 2009 04:37 PM


Hello,

An amazing video with amazing explanation....

I am sure ..it would help all....

Mithun

Jun 23, 2009 04:32 PM

Based on the feedback you've provided, we'll be creating additional videos!

Best,

Eric
