Wireshark: Essential for a Network Professional’s Toolbox

This article, the second in the series, presents further experiments with Wireshark, the open source packet analyser. In this part, Wireshark will be used to analyse packets captured from an Ethernet hub.

OpenSource For You - ADMIN HOW TO

The first article in the Wireshark series, published in the July 2014 issue of OSFY, covered Wireshark architecture, its installation on Windows and Ubuntu, as well as various ways to capture traffic in a switched environment. Interpretation of DNS and ICMP Ping protocol captures was also covered. Let us now carry the baton forward and understand additional Wireshark features and protocol interpretation.

To start with, capture some traffic from a network connected to an Ethernet hub, which is the simplest way to capture complete network traffic: a hub repeats every frame it receives out of every other port, so a single capturing host sees everything on the segment.

Interested readers may purchase an Ethernet hub from a second-hand computer dealer at a throwaway price and capture a few packets in their test environment; the aim is to get better hands-on practice with Wireshark. (If no hub is available, a mirror/SPAN port on a managed switch or a network tap gives the same complete view of the segment.) Start the capture and, once you have sufficient packets, stop and view them before you continue reading.

An interesting observation about this capture is that, unlike a capture taken on a switch port, which shows only broadcast traffic and the capturing host's own traffic, it contains packets from every source IP address connected to the network. Did you notice this? The traffic thus contains:

Broadcast packets

Packets from all systems towards the Internet

PC-to-PC communication packets

Multicast packets

Now, at this point, imagine analysing traffic captured from hundreds of computers in a busy network: the sheer volume of captured packets will be baffling. Here, an important Wireshark feature called ‘Display Filter’ can be used very effectively.

Wireshark’s Display Filter

This helps to sort and view the network traffic using various parameters, such as the traffic originating from a particular IP or MAC address, traffic with a particular source or destination port, ARP traffic and so on. It is impossible to imagine Wireshark without display filters!

Click on ‘Expression’ or go to ‘Analyze – Display Filters’ to find the list of pre-defined filters that ship with Wireshark. You can create custom filters depending upon the analysis requirements; the syntax is really simple.

As seen in Figure 2, the background colour of the display filter box offers ready help while creating filters. A green background indicates correct syntax, while a red background indicates an incorrect or incomplete filter; a yellow background means the filter parses but may not do what you expect. The usual cause of yellow is a negated comparison on a field that covers both directions: ip.addr != 192.168.51.1 does not exclude that host, because it matches any packet in which either the source or the destination is some other address, so write !(ip.addr == 192.168.51.1) instead. Use these colours to quickly check syntax and gain confidence in creating the desired display filters.

A few simple filters are listed below:

tcp: Displays TCP traffic only

arp: Displays ARP traffic

eth.addr == aa:bb:cc:dd:ee:ff: Displays traffic where the source or destination Ethernet MAC address is aa:bb:cc:dd:ee:ff

ip.src == 192.168.51.203: Displays traffic where the source IP address is 192.168.51.203

ip.dst == 4.2.2.1: Displays traffic where the destination IP address is 4.2.2.1

ip.addr == 192.168.51.1: Displays traffic where the source or the destination IP address is 192.168.51.1

Click on ‘Save’ to store the required filter for future use. By default, the most recently used filters (10 of them) are available for ready use under the drop-down of the ‘Filter’ box.

With this background, let us look at two simple protocols: ARP and DHCP.

Address Resolution Protocol (ARP)

This is used to find the MAC address that corresponds to a known IPv4 address on the local segment. It works in two steps, the ARP request and the ARP reply. Here are the details.

Apply the display filter arp to view only ARP traffic from the complete capture, and refer to Figure 3, the ARP protocol. The protocol consists of an ARP request and an ARP reply.

ARP request: This is used to find the MAC address of a system with a known IP address. The request is carried in an Ethernet frame addressed to the broadcast MAC address ff:ff:ff:ff:ff:ff; inside it, the ARP fields are:

Sender MAC address – 7c:05:07:ad:42:53

Sender IP address – 192.168.51.208

Target MAC address – 00:00:00:00:00:00 (not yet known, so zero-filled)

Target IP address – 192.168.51.1

Wireshark displays the ARP request in the ‘Info’ column as: Who has 192.168.51.1? Tell 192.168.51.208

ARP reply: The request broadcast is received by every system on the sender's network segment (the broadcast domain below the router) and, mind well, it also reaches the router port connected to this segment; the router does not forward it any further.

The system whose IP address matches the target IP address in the ARP request replies with its MAC address via an ARP reply, sent as a unicast frame back to the requester. The important contents of the ARP reply are:

Sender MAC address – belonging to the system that replies to the ARP request, filled in by that system – 00:21:97:88:28:21

Sender IP address – belonging to the system that replies to the ARP request – 192.168.51.1

Target MAC address – the source MAC of the ARP request packet – 7c:05:07:ad:42:53

Target IP address – the source IP address of the ARP request packet – 192.168.51.208

Wireshark displays the ARP reply in the ‘Info’ column as: 192.168.51.1 is at 00:21:97:88:28:21.

Thus, with the help of an ARP request and reply, system 192.168.51.208 has learned the MAC address belonging to 192.168.51.1 and caches it. Note that nothing in this exchange authenticates the reply: any host on the segment can answer for any IP address, which is the basis of ARP spoofing. A hub capture shows every reply on the segment, so two different MAC addresses claiming the same IP address stand out, and Wireshark's ARP dissector flags this condition with a duplicate IP address warning.
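The request/reply pair above, as an added example that is not code from the article: it builds both frames with the article's addresses (192.168.51.208 asking for 192.168.51.1, answered by 00:21:97:88:28:21), decodes them, and renders the same Info text Wireshark shows. It also walks a small constructed capture and records IP-to-MAC bindings from replies, reporting the conflict that a spoofed reply from a third, made-up MAC address produces. Standard library only.

```python
"""Build and decode the ARP request/reply pair, and spot conflicting replies.

Added example, not code from the OSFY article. Frame bytes are constructed
here with struct; the addresses are the article's, except the spoofing host
de:ad:be:ef:00:01, which is invented for the demonstration.
"""
import struct
from ipaddress import IPv4Address

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying a 28-byte IPv4-over-Ethernet ARP body.

    A request goes to the Ethernet broadcast address (the ARP target MAC field
    is zero because it is what we are asking for); a reply is unicast to the
    requester.
    """
    eth_dst = ETH_BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields and render the text Wireshark puts in its Info column."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _htype, _ptype, _hlen, _plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    p = {
        "eth_dst": eth_dst.hex(":"), "eth_src": eth_src.hex(":"), "opcode": op,
        "sender_mac": smac.hex(":"), "sender_ip": str(IPv4Address(sip)),
        "target_mac": tmac.hex(":"), "target_ip": str(IPv4Address(tip)),
    }
    if op == ARP_REQUEST:
        p["info"] = f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    elif op == ARP_REPLY:
        p["info"] = f"{p['sender_ip']} is at {p['sender_mac']}"
    else:
        p["info"] = f"ARP opcode {op}"
    return p


def learn_bindings(frames):
    """Record IP -> MAC from every ARP reply seen, flagging any change of MAC.

    On a hub every host sees every reply, so a second MAC claiming an IP that
    is already bound to another MAC is the signature of ARP spoofing.
    Returns (final table, list of (ip, old_mac, new_mac) conflicts).
    """
    table, conflicts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p["opcode"] != ARP_REPLY:
            continue
        known = table.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            conflicts.append((p["sender_ip"], known, p["sender_mac"]))
        table[p["sender_ip"]] = p["sender_mac"]
    return table, conflicts


# Constructed frames reproducing the article's exchange, plus one spoofed reply.
REQUEST = build_arp(ARP_REQUEST, "7c:05:07:ad:42:53", "192.168.51.208",
                    "00:00:00:00:00:00", "192.168.51.1")
REPLY = build_arp(ARP_REPLY, "00:21:97:88:28:21", "192.168.51.1",
                  "7c:05:07:ad:42:53", "192.168.51.208")
SPOOFED = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.51.1",   # invented attacker MAC
                    "7c:05:07:ad:42:53", "192.168.51.208")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp(frame)["info"])
    print(learn_bindings([REQUEST, REPLY, SPOOFED]))
```

The last binding wins in the table, exactly as a victim's ARP cache would be overwritten; the conflicts list is what you would alert on.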

Dynamic Host Configuration Protocol (DHCP)

This protocol saves a lot of time for network engineers by offering a unique, dynamically assigned IP address to a system that joins the network without one. This also helps to avoid IP conflicts (the use of one IP address by multiple systems) to a certain extent. Computer users also benefit, as they can connect to various networks without knowing the corresponding IP address range or which addresses are unused.

The DHCP protocol consists of four phases: DHCP Discover, DHCP Offer, DHCP Request and DHCP ACK. In the initial exchange, the Discover and Request are broadcasts from the client (source address 0.0.0.0, UDP port 68 to 67), while the Offer and ACK come from the server (UDP port 67 to 68); all four carry the same transaction ID, which is how the packets of one exchange are matched up. Use the display filter bootp to see only these packets (in the Wireshark versions current when this was written; Wireshark 3.0 and later use dhcp). Let us understand the protocol and interpret how these packets are seen in Wireshark.
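The four-phase exchange, as an added example that is not code from the article: it serialises the Discover, Offer, Request and ACK messages as client and server would put them on the wire (BOOTP header, magic cookie and options, per RFC 2131/2132), decodes them back, renders Wireshark's Info text, and checks the sequence for the things worth verifying in a real capture, including a second server answering, which is what a rogue DHCP server looks like on a hub. The transaction ID, lease time and client MAC are constructed, and 192.168.51.1 is assumed here to be the DHCP server of the article's network. Standard library only.

```python
"""Build and decode the four-phase DHCP exchange (Discover, Offer, Request, ACK).

Added example, not code from the OSFY article. The transaction ID, client
MAC, lease time and the choice of 192.168.51.1 as the server are constructed
for the demonstration. Layout follows RFC 2131 (header) and RFC 2132 (options).
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise one DHCP message: BOOTP header, magic cookie, TLV options, END."""
    header = struct.pack(
        HDR_FMT,
        op, 1, 6, 0,                       # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit set)
        b"\0" * 4,                         # ciaddr: client has no address yet
        IPv4Address(yiaddr).packed,        # yiaddr: the address the server hands out
        b"\0" * 4, b"\0" * 4,              # siaddr, giaddr
        chaddr.ljust(16, b"\0"),           # client hardware address, padded to 16
        b"\0" * 64, b"\0" * 128,           # sname, file (unused here)
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Decode the header fields and the options of interest from one message."""
    hdr = struct.unpack(HDR_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                   # pad byte, no length field
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]

    def ip_opt(code):
        return str(IPv4Address(opts[code])) if code in opts else None

    return {
        "op": hdr[0],
        "xid": hdr[4],
        "yiaddr": str(IPv4Address(hdr[8])),
        "chaddr": hdr[11][:hdr[2]].hex(":"),
        "type": MSG_TYPES.get(mtype, f"type {mtype}"),
        "server_id": ip_opt(OPT_SERVER_ID),
        "requested_ip": ip_opt(OPT_REQUESTED_IP),
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def info_line(p):
    """Render a decoded message the way Wireshark's Info column shows it."""
    return f"DHCP {p['type']} - Transaction ID 0x{p['xid']:x}"


def dora_exchange(client_mac, server_ip, offered_ip, lease=86400, xid=0x3903F326):
    """Construct the four messages as client and server would send them, then decode them."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    server = (OPT_SERVER_ID, IPv4Address(server_ip).packed)
    lease_opt = (OPT_LEASE, struct.pack("!I", lease))
    wire = [
        # client -> broadcast: is there a server?
        build_dhcp(BOOTREQUEST, xid, mac, options=[(OPT_MSG_TYPE, b"\x01")]),
        # server -> client: you may have offered_ip for lease seconds
        build_dhcp(BOOTREPLY, xid, mac, offered_ip, [(OPT_MSG_TYPE, b"\x02"), server, lease_opt]),
        # client -> broadcast: I accept offered_ip from this server (others withdraw)
        build_dhcp(BOOTREQUEST, xid, mac, options=[
            (OPT_MSG_TYPE, b"\x03"), (OPT_REQUESTED_IP, IPv4Address(offered_ip).packed), server]),
        # server -> client: binding confirmed
        build_dhcp(BOOTREPLY, xid, mac, offered_ip, [(OPT_MSG_TYPE, b"\x05"), server, lease_opt]),
    ]
    return [parse_dhcp(m) for m in wire]


def check_transaction(msgs):
    """Flag what a reviewer would look for in a captured DORA sequence."""
    problems = []
    if len({m["xid"] for m in msgs}) != 1:
        problems.append("transaction IDs differ")
    if [m["type"] for m in msgs] != ["Discover", "Offer", "Request", "ACK"]:
        problems.append("unexpected message order")
    servers = {m["server_id"] for m in msgs if m["server_id"]}
    if len(servers) > 1:                   # a second answering server is a rogue-DHCP sign
        problems.append(f"more than one server answered: {sorted(servers)}")
    if len(msgs) == 4 and msgs[3]["yiaddr"] != msgs[2]["requested_ip"]:
        problems.append("ACK assigned an address other than the one requested")
    return problems


if __name__ == "__main__":
    for p in dora_exchange("7c:05:07:ad:42:53", "192.168.51.1", "192.168.51.208"):
        print(info_line(p), "yiaddr", p["yiaddr"])
```

Matching on the transaction ID is what lets you pick one client's exchange out of a hub capture full of other hosts' DHCP traffic; the server-ID check is the one to keep an eye on, since a rogue server that answers faster than the real one wins the client.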

Figure 1: Traffic captured using a hub

Figure 2: Default Wireshark display filters

Figure 3: ARP protocol

Figure 4: DHCP protocol
