Wireshark in a nutshell
What is Wireshark and how can it help me?
Marco S. Zuppone & the precious review of Tim Lloyd

What is Wireshark?
• Wireshark is a free, open-source packet analyzer created by Gerald Combs; it was initially named Ethereal. The name changed to Wireshark in 2006 for copyright reasons.
• Wireshark is very similar to tcpdump but has the advantage of a very good GUI that greatly improves and simplifies its usage.
• As with tcpdump, Wireshark needs the libpcap library to be able to capture traffic. Under Windows this library is called WinPcap.

What I need and how to get it
• Wireshark is available on many platforms:
• Microsoft Windows: from Windows 2000* to Windows 2008 R2. It is available for x86 and x64 OS.
• Mac OS >= Snow Leopard (10.5).
• Various Linux flavors and Unix: the source code is available.
• You can download it for free at www.wireshark.org. The pre-compiled versions include the libpcap library, which is installed if needed.

Why can it help me?
• As you can easily spot, LANDesk depends strongly on network communications to work, and most of the problems you will face supporting it are due to network problems.
• "Yes, but we have logs! Why do I need another piece of software?" It is true that you have logs, but CAN YOU TRUST THEM? Packets never lie!
• Logs can be misleading, or they do not capture the whole story: a simple IIS log can tell you that the client called vulcore.aspx, but it does not tell you what the client really asked the Web Service unless you enable a specific log.

How to install it and where?
• To install Wireshark on Windows and MacOS you need to be NNN Certified (Next -> Next -> Next).
• Where to install it? You need to install it on the device where you want to capture the traffic*.
• Sometimes choosing where you need to capture the traffic can be tricky; it depends on the problem and on the network configuration.
• If you suspect or know that between the client and the server there are some devices that can "mangle" the network communications (NAT/SNAT/Websense appliances, firewalls, etc.), you may need to capture the traffic in multiple places to find out where the problem is.
• Generally speaking, capture the traffic closer to the problem.

The interface
• The interface is consistent on all the supported platforms and there are only very small differences between the OSX, Unix and Windows versions.
• Always keep an eye on the status bar. It always shows important information such as: Expert info, the profile in use, the name of the selected packet field.
• Now it is time to begin a capture: this can be done in a lot of ways!

How to start a capture
• Starting a capture can be done in multiple ways. The most common are:
1. Select an interface from the interface list: the capture begins immediately with the default options.
2. Click on the Interface List.
3. Click on one of the first two icons of the ribbon.
4. Press Ctrl+E.
5. Use the Capture menu.
• When you start a capture you can generally choose some options (except when you press Ctrl+E or click directly on the interface: in these cases the capture starts immediately).
• The most important options you need to know in the options pane are: promiscuous mode, capture filter and enable network name resolution.
• CAVEAT: use the "enable network name resolution" option sparingly! This option will generate a lot of DNS requests, and so DNS replies as well. You may not want to generate this kind of traffic.

Promiscuous mode or not?
• In Promiscuous Mode your network interface is going to receive all the traffic, even if it is not directed specifically to it. Example: a device (IP 10.14.8.1) is trying to talk with another device (IP 10.14.8.2) on the same network segment. If you are in Promiscuous Mode you should be able to see the conversation even if it is not for you.
• There are many factors that may limit your visibility while you are in Promiscuous Mode, such as network switches! If your switch is a "proper one" it should direct the traffic from device A to device B only to the switch ports where A and B are physically plugged in.
• There are some solutions to this problem: configure the switch to repeat all the traffic to a SPAN port, use a HUB to connect the devices (if you are still able to find one) or ask for budget to buy an Aggregating Network TAP (I know! I'm a dreamer!).
• If you are not in Promiscuous Mode you will be able to see all the traffic directed to you, plus broadcast and multicast traffic.

Capture filters
• In some specific circumstances you need to limit the traffic that you want to capture, and so you can use Capture filters.
• They use the BPF (Berkeley Packet Filter) syntax, which is different from the Wireshark display filter syntax.
• In version 1.6 of Wireshark two useful features about Capture filters were introduced: the Compile BPF button, and the fact that the field where you define the rule changes color depending on whether the syntax is valid or not. The compile button is useful to validate the rule as well.
• Use capture filters sparingly! What is not captured simply is not there anymore. There is no way to get it back!
• Example: if you have a problem browsing the internet you may be tempted to use a filter such as this one: ip port 80. But what about HTTPS traffic? What if the problem is a DNS issue, or if the HTTP port used is not 80??
• CAVEAT: if a rule is syntactically valid this does not imply that the rule is logically meaningful!! As an analogy, a lot of politicians make declarations without spelling or grammar errors, but they are totally meaningless!
Wireshark 1.6 is able to spot some of these meaningless expressions, but not all of them.

The most common and useful capture filters are:
  ip                                 Only IP traffic
  tcp                                Only TCP traffic
  udp                                Only UDP traffic
  host 192.168.0.1                   All the traffic to/from 192.168.0.1
  not broadcast and not multicast    Self explanatory
  ether src 10:10:EA:11:33:22        All the Ethernet traffic from that MAC address
  ether dst 10:10:EA:11:33:22        All the Ethernet traffic to that MAC address
  ether host 10:10:EA:11:33:22       All the Ethernet traffic to/from that MAC address
  port 80                            UDP or TCP traffic where the source or destination port is 80
  tcp and udp                        Something stinks here!

Let's capture a bit of traffic now
• It is finally time to capture some traffic. So after setting our favorite interface options in the Capture settings window it is time to press Start.
• In my test example I installed Wireshark on a Windows XP machine with the LANDesk client on it, and then from the LANDesk Console I selected the XP machine; the following screen is the result.
• The core IP is 192.168.60.128 and the client IP is 192.168.60.129.

Let's have a look at the traffic then...
• The first 2 packets are ARP: the core needs to talk with the client but does not know its MAC address, and so it sends an ARP request to determine it. In packet 2 the client replies to the core server with its MAC address.
• Packets 3 and 4: the core pings the client and the client replies.
• Packets 5 to 12: the core server tries to talk to the mngsuite port (9535) to determine if remote control is active on the client.
• Some ports have a symbolic name associated with them. These names are registered by the interested parties with IANA. The file SERVICES in the Program Files\Wireshark folder contains the association between the number and the symbolic name. This file can be edited if we want.
• If we want to know the number of a port without opening the file, just click on the packet.
In the details section you are able to see the symbolic and numeric port.
• TIP: to determine where the configuration files of Wireshark are, go to the Help menu -> About -> Folders tab. This works on every architecture.
• Packets from 13 to 19: the core does a PDS ping (tcp port 9595) and the client replies. If you have a close look at packet 16 you can see in its payload some text that resembles HTTP traffic... how can you read it better??!?!?

Follow TCP or UDP stream
• This is one of the most useful functions of Wireshark and you will use it a lot. You can see that in packet 16 there is some data (payload), and in the subsequent packets as well. It is not very handy to read the whole conversation in this way, so... try to right click on packet 16 and choose the option "Follow TCP Stream".
• You'd obtain something like this:
• Much better! Isn't it? The requests and replies are colored differently (red and blue).
• This is very handy when you need to analyze HTTP conversations, or FTP, SMTP, POP3 and all the protocols where there is some clear text.
• This feature is handy even if the payload is not "clear text" (SMB for example) because it is possible [we will demonstrate how] to save the conversation (stream) to a file.

Display filters
• It's time to introduce the display filters: knowing them is essential to analyze the traffic. They help us to display only the interesting traffic and solve the famous "needle in the haystack" problem.
• Their syntax is very different from, and more flexible than, the BPF filters.
• They can be applied while you are capturing or after the capture is finished.
• Their syntax is used for column definitions and coloring rules as well.
• Wireshark already comes with a predefined list of filters that can be used as examples (starting points).
• Display Filters, like Capture Filters, are case sensitive! HTTP is not the same as http.
• Fortunately when you type filters in the filter field you can use Intellisense.
This will help you a lot!!
• To create a filter you can simply type it in the filter field and take advantage of Intellisense.
• Another way to create a filter is to expand a packet in the details section, click on a particular section of it, then right click and choose Prepare Filter or Apply Filter.
• The difference between Apply and Prepare is that Apply will immediately apply the filter, whereas Prepare will only put the filter in the filter field and then you will need to press the Apply button. The advantage is that you can have a look at the generated syntax and possibly amend it before applying it.
• Another way is to press the Expression button that's near the Filter field: a GUI to help you formulate the expression will appear.
• But what if I want to filter on a certain field but I do not know its name? The simplest way is to expand the packet, select the field in the packet details section and have a look at the Status Bar.
• In this case we selected the Do not fragment field and its syntax is ip.flags.df == 1 (1 is set, 0 is not).
• The general structure of a display filter is a sequence of expressions, optionally joined by logic operators. An expression is a field + comparison operator + value. Example: tcp.dstport == 80
• The most common comparison operators are: ==, !=, >=, <=, >, <, matches, contains; || and && join expressions. For the nostalgic geek it is possible to use the literals eq, ne, ge, le, gt, lt, or, and.
• && and || are logic operators.
• An example: tcp.port == 80 || tcp.port == 443
• As with the capture filters, we need to be careful about what they actually mean.
• For example tcp && arp is a syntactically valid filter but... I will buy you a pizza if you are able to match some traffic with it.
• Some popular protocols define some basic filters that help us to speed up the writing of filters.
• For example, instead of writing tcp.port == 53 || udp.port == 53 we can simply write: dns
• Instead of tcp.port == 80 || tcp.port == 443 we can write: http
• Other popular protocols are: arp, bootp, smtp, pop3, smb, ftp, ftp-data, ldap, icmp, imap

Advanced filters
• In some special circumstances we need to match one or more bytes of a packet in specific positions. This type of filter is called an offset filter and it has this form: field (or protocol layer)[offset (0 based):length] comparison value
• Example: eth.src[4:2] == 22:1f
• Example: ip[14:2] == 90:20
• To formulate this kind of filter you need to know the protocol well and know what you are looking for.

Coloring rules
• Now that we have introduced a bit of the filter syntax we can introduce the Coloring Rules and Columns: they are defined with the same syntax used for Display Filters.
• Have you noticed in your first capture that some packets have a different colour from the others?!
• The Coloring Rules are a very important tool that will help you to better understand the trace file: you will be able to display different kinds of packets in different colors, and this will help you a lot to find the needle in the haystack.
• You can manage them via the View -> Coloring Rules... menu.
• Coloring rules colour a packet if the rule, expressed with Display Filter syntax, is matched.
• Colouring rules can be created, deleted, moved up and down, disabled, imported, exported or reset to default (Cleared).
• Colouring rules are saved in the colorfilters file.
• Rule precedence: the rules are evaluated from the top to the bottom of the list. When a rule is matched the evaluation finishes for that packet.
• Now let's disable a very annoying one: Checksum errors* (most of the time this is a false positive caused by the TCP/UDP checksum offloading settings of your network adapter).
• To disable it simply select it and then press the Disable button. A line will appear on it marking that the rule is disabled.
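Added example (not from the deck): a small Python script that builds a constructed Ethernet/IPv4 frame and evaluates the offset filters shown above (eth.src[4:2] == 22:1f and ip[14:2] == 90:20) byte for byte, reads the bit behind ip.flags.df, and applies a list of rules with the top-to-bottom, first-match precedence that the coloring rules use. The frame bytes, the field offset table and the function names are assumptions made for this example, not Wireshark's own code.

```python
import re
import struct

# Constructed Ethernet II + IPv4 frame (sample bytes built here, not from a real capture).
# Ethernet: dst 00:11:22:33:44:55, src 10:10:ea:11:22:1f, type 0x0800 (IPv4)
# IPv4: IHL 5, DF flag set (0x4000), TTL 64, proto 6 (TCP), src 192.168.144.32, dst 10.14.8.1
ETH = bytes.fromhex("001122334455") + bytes.fromhex("1010ea11221f") + b"\x08\x00"
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, 64, 6, 0,
                 bytes([192, 168, 144, 32]), bytes([10, 14, 8, 1]))
FRAME = ETH + IP

def field_bytes(frame, name):
    """Bytes of a field/layer; a Wireshark slice is taken relative to its start (0-based)."""
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    table = {"eth": (0, 14), "eth.dst": (0, 6), "eth.src": (6, 6), "ip": (14, ihl)}
    start, length = table[name]                   # assumed offset table, Ethernet II only
    return frame[start:start + length]

SLICE_RE = re.compile(r"^\s*([\w.]+)\[(\d+):(\d+)\]\s*==\s*([0-9a-fA-F:]+)\s*$")

def slice_matches(frame, expr):
    """Evaluate an offset filter such as 'eth.src[4:2] == 22:1f' against one frame."""
    m = SLICE_RE.match(expr)
    if not m:
        raise ValueError("not an offset filter: %r" % expr)
    name, off, length, value = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    wanted = bytes.fromhex(value.replace(":", ""))
    if len(wanted) != length:
        raise ValueError("value length does not match slice length")
    return field_bytes(frame, name)[off:off + length] == wanted

def ip_flags_df(frame):
    """Return the IPv4 Don't Fragment bit (1 = set), the field behind ip.flags.df."""
    flags_frag = struct.unpack("!H", field_bytes(frame, "ip")[6:8])[0]
    return (flags_frag >> 14) & 1

def first_matching_rule(frame, rules):
    """Coloring-rule precedence: rules are tried top to bottom and the first match wins."""
    for rule_name, expr in rules:
        if slice_matches(frame, expr):
            return rule_name
    return None

if __name__ == "__main__":
    print(slice_matches(FRAME, "eth.src[4:2] == 22:1f"))   # True
    print(slice_matches(FRAME, "ip[14:2] == 90:20"))       # True: src 192.168.144.32 ends 0x90 0x20
    print(ip_flags_df(FRAME))                               # 1
```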
It is better to disable rules than to delete them!

Columns
• Columns are fundamental to view the traffic you captured.
• The default column set is not always appropriate for the analysis of all the problems you want to analyse.
• So it is possible to define custom columns, resize them and re-arrange them as you like.
• Clicking on a column you can sort the data in ascending and descending order: this feature is particularly useful when you sort the capture by "Seconds since previous captured/displayed packet".
• A custom column definition needs the name of the field you want to display: the same field name you use in the Display Filter syntax.

How to create a new column
• There are many ways to create a custom column:
- Edit -> Preferences -> Columns section.
- Right click on a column and select Column Preferences.
- Right click on a field and choose the option Apply as Column: in this case the column definition is applied immediately. If the column definition created is not what you want, you will need to edit or remove it using the Column Preferences menu.
• The column definition is saved in the preferences file in your current profile directory (the active profile is displayed in the bottom right corner of the Wireshark window).

How to define a custom column
• So let's try to create a new custom column:
1. Click on Edit -> Preferences -> Columns section.
2. Click the button.
3. Select Custom from the Field Type drop down.
4. Enter the field that you want to display in the column in the "Field name" field.
5. Click on the title of the column and name it, then press and then

Useful columns to add
• The columns you add depend on the traffic you are going to analyse. You may want to create different configuration profiles for different situations and define a different column set in every profile.
• You can reposition the columns, delete them or simply hide them.
(Check out bug 6077 "Rearranging columns in preferences" on bugs.wireshark.org and possibly vote for it.)
• A couple of useful columns to add in all circumstances are: tcp.stream and tcp.window_size_value. The first is useful to distinguish between TCP streams and the other to spot Window Size 0 conditions.