
Capturing network communication packets with Wireshark Utility

Created: 23 Jun 2009 • Updated: 09 Sep 2010 | 17 comments

Introduction to Wireshark:

This article covers a few features of the Wireshark tool, which is used to capture packets on a network.

Wireshark is a free packet sniffer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It was originally named Ethereal.

Wireshark puts your network card into promiscuous mode, which tells it to accept every packet it receives rather than only those addressed to it. This lets the user see all traffic being passed over the network.

Wireshark uses pcap to capture packets. Pcap is, in the author's description, a library of information about various protocols, their packet structure, and the messages passed in those protocols, so Wireshark can only capture packets on the networks that pcap supports.

When you install Wireshark you will receive a prompt to install the WinPcap component, which is simply the Windows version of pcap. For Unix-like environments, the equivalent library is libpcap.

When you open Wireshark, the first thing you need to do is choose the interface on which to capture packets. To do that, either click the Capture menu or click the NIC icon in the top left corner. On the screen that appears you can decide which interface to use, selecting it by the IP address shown or by the interface name.

Once you click Start, Wireshark begins capturing packets on that interface.

You can stop the capture using Capture->Stop or by pressing Ctrl+E on the keyboard.

Filters:

Wireshark offers a very wide range of configuration to suit your needs, including filters. Filters are of two types:

1. Capture Filters

As the name indicates, capture filters filter packets at the moment they are captured. On a corporate network your NIC receives a great many packets; the benefit of a capture filter is that the size of the capture output is limited and very precise information can be extracted from the live packet flow. Use this when you know exactly what kind of traffic you are looking for. For example, if you want a packet capture of the network communication between the SEP client and the SEPM, you can use the capture filter:

host 172.18.5.4, where the IP address is that of the SEPM if you are running Wireshark on a client machine. If you are running Wireshark on the server instead, provide the IP address of one of the clients.

As the name indicates, it is a capture filter, so you need to specify it before the capture begins. Go to Capture->Interfaces->Options [in front of the desired interface], or use the NIC icon in the top left corner and click Options in front of the desired interface.

2. Display Filters

Display filters are useful when you already have a packet capture file and want to extract specific information from it.
The packets that match a particular filter are fewer than the full capture and are much easier to analyze.

FOLLOW TCP STREAMS:

If you are working with TCP-based protocols it can be very helpful to see the data from a TCP stream the way the application layer sees it.
You might simply want a display filter that shows only the packets of that TCP stream. When you right-click a TCP packet and select Follow TCP Stream, Wireshark builds that display filter for you and shows the data transmitted in the stream.

EXPERT INFO:

The expert info is a kind of log of the anomalies found by Wireshark in a capture file.

The general idea behind the "Expert Info" is to give a better display of "uncommon" or otherwise notable network behavior. This way, both novice and expert users can hopefully find probable network problems a lot faster than by scanning the packet list "manually".

Click on Analyze->Expert Info Composite.

FLOW GRAPH:

Click on Statistics->Flow Graph and click OK in the next window. It will show you a detailed flow graph of every message in that particular TCP stream, together with comments that help in understanding the flow of messages. This utility is very useful when you are trying to understand how a particular protocol works or are investigating its behaviour.

DESTINATIONS:

Click on Statistics->Destinations and click OK. It gives a detailed analysis of each IP address in the packet capture, showing how many packets were sent/received on a particular port. If you are investigating a port scan or a DoS attack, these figures will indicate the pattern used for probing the hosts.

SUMMARY:

It can be accessed from the menu: Statistics->Summary.

Basic global statistics are available in the summary window, such as:
- Capture file properties
- Capture time
- Capture filter information
- Display filter information
- How much data was transferred while the capture was running

CONVERSATIONS:

Statistics->Conversations: This particular view will provide you with a statistical view of the TCP connections.

Capture Filters:

• Capture only traffic to or from IP address 172.18.5.4: host 172.18.5.4 [can be used to capture the traffic between SEP and SEPM based on their IP addresses]

• Capture only DNS (port 53) traffic: port 53 [the same form, with the port on which SEPM is installed, can be used to capture SEP-SEPM traffic by port]

• Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0

• Capture traffic from a range of IP addresses: src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0

• Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0

• Capture traffic within a range of ports: (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550) [tcp[0:2] is the two-byte source port and tcp[2:2] the two-byte destination port of the TCP header]

• Capture only Ethernet type EAPOL: ether proto 0x888e
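As an added example (not part of the original article), here is a small Python model of the capture-filter primitives listed above, evaluated against a constructed Ethernet II / IPv4 / TCP frame. It shows concretely which header bytes host, net, port and the tcp[offset:size] byte-slice form inspect; note that host (like the display filter ip.addr eq) matches either direction. The frame contents and addresses are constructed sample values, and the port primitive only handles TCP here, whereas a real BPF "port 53" also matches UDP.

```python
import struct
import ipaddress

def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet II / IPv4 / TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, type IPv4
    payload = b"GET / HTTP/1.1\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse(frame):
    """Extract the fields the capture-filter primitives below look at."""
    ether_type = struct.unpack("!H", frame[12:14])[0]
    pkt = {"ether_proto": ether_type, "src": None, "dst": None, "tcp": None}
    if ether_type != 0x0800:            # not IPv4: only 'ether proto' can match
        return pkt
    ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
    pkt["src"] = ipaddress.IPv4Address(frame[26:30])
    pkt["dst"] = ipaddress.IPv4Address(frame[30:34])
    if frame[23] == 6:                  # IP protocol 6 = TCP
        pkt["tcp"] = frame[14 + ihl:]   # tcp[N:M] in a filter indexes into this
    return pkt

def tcp_bytes(pkt, offset, size):
    """The tcp[offset:size] primitive: 'size' header bytes as a big-endian integer."""
    if pkt["tcp"] is None:
        return None
    return int.from_bytes(pkt["tcp"][offset:offset + size], "big")

def host(pkt, addr):                    # host 172.18.5.4 (either direction)
    return ipaddress.IPv4Address(addr) in (pkt["src"], pkt["dst"])

def net(pkt, cidr, direction="any"):    # net / src net / dst net 192.168.0.0/24
    n = ipaddress.IPv4Network(cidr)
    candidates = {"any": (pkt["src"], pkt["dst"]), "src": (pkt["src"],), "dst": (pkt["dst"],)}
    return any(a is not None and a in n for a in candidates[direction])

def port(pkt, number):                  # port 53 (TCP only in this model; real BPF also checks UDP)
    return number in (tcp_bytes(pkt, 0, 2), tcp_bytes(pkt, 2, 2))

def port_range(pkt, lo, hi):            # (tcp[0:2] > lo and tcp[0:2] < hi) or (tcp[2:2] > lo and tcp[2:2] < hi)
    sport, dport = tcp_bytes(pkt, 0, 2), tcp_bytes(pkt, 2, 2)
    return sport is not None and (lo < sport < hi or lo < dport < hi)

def ether_proto(pkt, ether_type):       # ether proto 0x888e
    return pkt["ether_proto"] == ether_type
```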

Display Filters:

Wireshark uses display filters for general packet filtering while viewing and for its coloring rules. The basics and the syntax of display filters are described in the User's Guide.

• http : a filter that shows only HTTP traffic, for example between SEP and SEPM when the communication settings specify that protocol

• Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

• Show only traffic to and from an IP address

ip.addr eq 127.0.0.1

Comments (17)

Hear4U:

Based on the feedback you've provided, we'll be creating additional videos!

Best,

Eric

check out the community at www.infoblox.com/community

Mithun Sanghavi:

Hello,

An amazing video with amazing explanation....

I am sure ..it would help all....

Mithun

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Kedar Mohile:

Nice Work ... THUMB from me for this...

Nel Ramos:

this keeps me glued to my seats...
2 votes ain't enough for this wonderful and informative video...
thanks Aniket Amdekar...

Nel Ramos

Vikram Kumar-SAV to SEP:

Nice job dude..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Adrian Diaz:

Great job!  Nice little intro to a valuable tool and great way for me to show my team.  Thanks for sharing and keep them coming.

Saeed:

Good job dude....

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.

reedmohn:

..you forgot to mention that in order to do this successfully, you must first turn off SEP 11 (kinda ironic, isn't it?).

Whenever we start captures in promiscuous mode, SEP (11.0.4014.26) goes absolutely ape, and starts blocking a lot of network traffic (Active Response blocked).
This does not happen when you're not in promiscuous mode.
Logged a case with Symantec support, hopefully they can figure it out..

:-)

Aniket Amdekar:

Hey,
Thanks a lot for the post..

I think if you can provide a case ID that will be more helpful. I will look into my resources to find any other reports of a similar issue.

Cheers,
Aniket

Shaizad:

Amazing Video Explanation Aniket.

riva11:

Just for your info, VSA available on this post : Wireshark: Free Packet Analyzer Tool
regards
Paolo

salamz:

Really informative and helpful to analyze the network traffic and troubleshoot the SEP communication

Once again Thanks to Aniket.

Regards

Saqib Alam|Senior Systems Engineer|Symantec Technical Specialist|

WiseUser:

good work

Wiseuser
Altiris Certified Professional

chantalterry:

Brilliant tips here.  I reckon this would come in handy for capturing and interactively tracking the traffic running on a computer and streaming tv network too.

Chantal Terry - Closed Captioning Software

jsmall:

Excellent & Very informative. By the way, this feature (Analyze->Expert Info Composite) is not on the latest Wireshark.

ontherocks:

Good Job :)

OTR
