Wireshark: Essential for a Network Professional’s Toolbox
This article, the second in the series, presents further experiments with Wireshark, the open source packet analyser. In this part, Wireshark will be used to analyse packets captured from an Ethernet hub.
The first article in the Wireshark series, published in the July 2014 issue of OSFY, covered Wireshark architecture, its installation on Windows and Ubuntu, as well as various ways to capture traffic in a switched environment. Interpretation of DNS and ICMP Ping protocol captures was also covered. Let us now carry the baton forward and understand additional Wireshark features and protocol interpretation.
To start with, capture some traffic from a network connected to an Ethernet hub—which is the simplest way to capture complete network traffic.
Interested readers may purchase an Ethernet hub from a second hand computer dealer at a throwaway price and go ahead to capture a few packets in their test environment. The aim of this is to acquire better hands-on practice of using Wireshark. So start the capture and once you have sufficient packets, stop and view the packets before you continue reading.
An interesting observation about this capture is that, unlike a switched environment, where a host sees only broadcast traffic and the traffic addressed to itself, a hub capture contains packets from every system connected to the segment. Did you notice this? The traffic thus contains:
Broadcast packets
Packets from all systems towards the Internet
PC-to-PC communication packets
Multicast packets
Now imagine analysing traffic captured from hundreds of computers in a busy network: the sheer volume of captured packets will be baffling. Here, an important Wireshark feature called 'Display Filter' can be used very effectively.
Wireshark’s Display Filter
This helps to sort and view the network traffic by various parameters, such as traffic originating from a particular IP or MAC address, traffic with a particular source or destination port, ARP traffic and so on. A display filter only hides packets from view; the complete capture is still in memory and on disk, and clearing the filter brings everything back. (Capture filters, which discard packets at capture time, are a different thing and use the BPF-style syntax of tcpdump.) It is impossible to imagine Wireshark without display filters!
Click on 'Expression…' next to the filter box, or go to 'Analyze > Display Filters…', to find the list of pre-defined filters that ships with Wireshark. You can create custom filters depending upon the analysis requirements; the syntax is really simple.
As seen in Figure 2, the background colour of the display filter box offers ready help while creating proper filters. A green background indicates a valid filter, a red background indicates an incorrect or incomplete one, and a yellow background warns that the filter is valid but may not do what you expect (for instance, a != comparison on a field that occurs twice in a packet, such as ip.addr). Use these colours to quickly identify syntax problems and gain confidence in creating the desired display filters.
A few simple filters are listed below:
tcp: Displays TCP traffic only
arp: Displays ARP traffic
eth.addr == aa:bb:cc:dd:ee:ff: Displays traffic where either the source or the destination Ethernet MAC address is aa:bb:cc:dd:ee:ff
ip.src == 192.168.51.203: Displays traffic where the source IP address is 192.168.51.203
ip.dst == 4.2.2.1: Displays traffic where the destination IP address is 4.2.2.1
ip.addr == 192.168.51.1: Displays traffic where the source or the destination IP address is 192.168.51.1 (equivalent to ip.src == 192.168.51.1 || ip.dst == 192.168.51.1)
To exclude a host, write !(ip.addr == 192.168.51.1) rather than ip.addr != 192.168.51.1. Because ip.addr occurs twice in every IPv4 packet, the != form in Wireshark versions before 3.6 matched any packet in which at least one of the two addresses differed, which is nearly all of them.
Click on 'Save' to store the filter for future use. The dropdown of the filter box also keeps the ten most recently applied filters by default, so a filter you typed once is easy to re-apply.
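As an added example (not code from the article), the following Python script replays the address filters listed above over three constructed IPv4 frames. It mimics how Wireshark evaluates eth.addr, ip.src, ip.dst and ip.addr, with ip.addr matching either endpoint, and shows why ip.addr != X in the Wireshark versions of this article's vintage (before 3.6) did not exclude host X while !(ip.addr == X) does. The frames, addresses and function names are assumptions of the example.

```python
"""Added example (not from the article): how Wireshark evaluates the
address filters, replayed over constructed IPv4 frames."""
import struct


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II header + minimal IPv4 header (no payload): enough to filter on."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"   # EtherType IPv4
    # version 4 / IHL 5, TOS 0, total length 20, id 0, flags 0, TTL 64,
    # protocol 17 (UDP), checksum 0 (nothing here validates it), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip


def parse_frame(frame):
    """Map Wireshark-style field names to the list of values found in the
    frame; multi-value fields such as ip.addr carry both endpoints."""
    eth_dst = ":".join(f"{b:02x}" for b in frame[0:6])
    eth_src = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields = {"eth.src": [eth_src], "eth.dst": [eth_dst],
              "eth.addr": [eth_src, eth_dst], "eth.type": [ethertype]}
    if ethertype == 0x0800:
        src = ".".join(str(b) for b in frame[26:30])   # IPv4 source at offset 12 of the IP header
        dst = ".".join(str(b) for b in frame[30:34])   # IPv4 destination at offset 16
        fields.update({"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]})
    return fields


def any_eq(fields, name, value):
    """`name == value`: true if ANY occurrence of the field equals value."""
    return any(v == value for v in fields.get(name, []))


def any_ne(fields, name, value):
    """`name != value` as Wireshark before 3.6 evaluated it: true if ANY
    occurrence differs, so ip.addr != X still matches traffic to/from X
    whenever the other endpoint is not X."""
    return any(v != value for v in fields.get(name, []))


def all_ne(fields, name, value):
    """`!(name == value)` (and `name != value` from Wireshark 3.6 on):
    true only if NO occurrence of the field equals value."""
    return not any_eq(fields, name, value)


def apply_filter(frames, predicate):
    """Count the frames a display filter would leave on screen."""
    return sum(1 for f in frames if predicate(parse_frame(f)))


# Constructed capture (assumed addresses): one host talking to a resolver
# in both directions, plus an unrelated PC-to-PC frame.
HOST = "192.168.51.203"
CAPTURE = [
    build_ipv4_frame("7c:05:07:ad:42:53", "00:21:97:88:28:21", HOST, "4.2.2.1"),
    build_ipv4_frame("00:21:97:88:28:21", "7c:05:07:ad:42:53", "4.2.2.1", HOST),
    build_ipv4_frame("00:0c:29:11:22:33", "00:0c:29:44:55:66", "192.168.51.10", "192.168.51.20"),
]

if __name__ == "__main__":
    print("ip.src == HOST      :", apply_filter(CAPTURE, lambda f: any_eq(f, "ip.src", HOST)))
    print("ip.addr == HOST     :", apply_filter(CAPTURE, lambda f: any_eq(f, "ip.addr", HOST)))
    print("ip.addr != HOST (old):", apply_filter(CAPTURE, lambda f: any_ne(f, "ip.addr", HOST)))
    print("!(ip.addr == HOST)  :", apply_filter(CAPTURE, lambda f: all_ne(f, "ip.addr", HOST)))
```

On this capture the old-style != keeps all three frames, including both that involve the host, while the negated == keeps only the unrelated one; that is the difference the yellow background in the filter box was warning about.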
With this background, let us look at two simple protocols —ARP and DHCP.
Address Resolution Protocol (ARP)
ARP maps an IPv4 address to the MAC address of the host that owns it on the local segment, so that a frame can be addressed at layer 2. It works in two steps, the ARP request and the ARP reply. Here are the details.
Apply the display filter arp to view only ARP traffic from the complete capture (arp.opcode == 1 shows just the requests and arp.opcode == 2 just the replies), and refer to Figure 3, the ARP protocol. The protocol consists of the ARP request and the ARP reply.
ARP request: This is used to find the MAC address of a system with a known IP address. The request is sent as an Ethernet broadcast (destination ff:ff:ff:ff:ff:ff); inside the ARP payload the target MAC field is left as zeros, because that is the value being asked for:
Sender MAC address – 7c:05:07:ad:42:53
Sender IP address – 192.168.51.208
Target MAC address – 00:00:00:00:00:00
Target IP address – 192.168.51.1
Wireshark displays the ARP request under the 'Info' column as: Who has 192.168.51.1? Tell 192.168.51.208
ARP reply: The request broadcast is received by every system on the sender's network segment (below the router); mind well, it also reaches the router interface attached to that segment, though the router does not forward it any further.
The system that owns the target IP address mentioned in the ARP request replies with its MAC address via an ARP reply, which is sent unicast to the requester's MAC address rather than broadcast. The important contents of the ARP reply are:
Sender MAC address – the MAC of the system that replies, filled in by that system – 00:21:97:88:28:21
Sender IP address – the IP address of the replying system – 192.168.51.1
Target MAC address – the source MAC of the ARP request packet – 7c:05:07:ad:42:53
Target IP address – the source IP address of the ARP request packet – 192.168.51.208
Wireshark displays the ARP reply under the ‘Info’ box as: 192.168.51.1 is at 00:21:97:88:28:21.
Thus, with the help of an ARP request and reply, system 192.168.51.208 has learnt the MAC address belonging to 192.168.51.1, and it caches that mapping for the frames that follow. Note that nothing in the exchange authenticates the reply: the requester accepts whatever answer arrives, so a reply that nobody asked for, or one that maps a familiar IP address to an unexpected MAC, deserves a second look in any capture.
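The exchange described above, as an added example that is not part of the original article: the Python script below builds the ARP request and reply as raw Ethernet frames using the article's addresses, parses them back, and renders the same Info text Wireshark shows. The frame builders, the parse_arp() and resolve() helpers are assumptions of this example, not Wireshark code.

```python
"""Added example (not from the article): the ARP request/reply pair as raw
Ethernet frames, with a parser that reproduces Wireshark's Info column."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II (EtherType 0x0806) + the 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip?': broadcast at layer 2; the ARP target MAC field is
    all zeros because that is the value being asked for."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip, BROADCAST_MAC)


def arp_reply(request, my_mac):
    """Answer a parsed request: the sender becomes the owner of the asked-for IP,
    the target is the original asker, and the frame is unicast back to it."""
    return build_arp(ARP_REPLY, my_mac, request["target_ip"],
                     request["sender_mac"], request["sender_ip"], request["sender_mac"])


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame into its addressing fields."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def arp_info(pkt):
    """Info column text as Wireshark renders it."""
    if pkt["opcode"] == ARP_REQUEST:
        return f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    if pkt["opcode"] == ARP_REPLY:
        return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"
    return f"Unknown ARP opcode {pkt['opcode']}"


def resolve(frames, ip):
    """What the requester learns: the MAC claimed by the first reply whose sender
    IP is the one asked about. Nothing verifies that claim; ARP has no
    authentication, which is why a reply from an unexpected MAC matters."""
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt["opcode"] == ARP_REPLY and pkt["sender_ip"] == ip:
            return pkt["sender_mac"]
    return None


# Constructed exchange with the article's addresses.
REQUEST = arp_request("7c:05:07:ad:42:53", "192.168.51.208", "192.168.51.1")
REPLY = arp_reply(parse_arp(REQUEST), "00:21:97:88:28:21")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        pkt = parse_arp(frame)
        print(f"{pkt['eth_src']} -> {pkt['eth_dst']}: {arp_info(pkt)}")
```

Run as a script it prints the two lines you would see in the Info column, and the Ethernet destinations show the asymmetry: the request goes to ff:ff:ff:ff:ff:ff, the reply goes straight back to 7c:05:07:ad:42:53.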
Dynamic Host Configuration Protocol (DHCP)
This protocol saves network engineers a lot of time by assigning an unused IP address from a pool to a system that joins the network without one. It also helps to avoid IP conflicts (the same address in use by multiple systems) to a certain extent. Computer users benefit too: they can connect to different networks without knowing each network's address range or which addresses in it are free.
The DHCP protocol consists of four phases: DHCP Discover, DHCP Offer, DHCP Request and DHCP ACK. The client broadcasts a Discover, a server answers with an Offer, the client broadcasts a Request naming the offer it accepts, and the chosen server confirms with an ACK. Let us understand the protocol and interpret how these packets are seen in Wireshark.
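As an added example that is not part of the original article, the Python script below builds the four DHCP messages of one exchange as the UDP payloads a client and a server would emit, then decodes them the way Wireshark labels them in the Info column. The client MAC, the server and offered addresses and the transaction ID are constructed for this example; the Ethernet, IP and UDP layers are omitted because the DHCP dissector only sees the payload. (In Wireshark the display filter for this traffic is dhcp from version 3.0 on and bootp in the 1.x and 2.x versions current when the article appeared; dhcp.id == 0x3903f326, or bootp.id in the older versions, isolates one exchange because all four messages share the transaction ID.)

```python
"""Added example (not from the article): the DHCP Discover/Offer/Request/ACK
exchange as raw BOOTP/DHCP payloads, plus a decoder for the Info column."""
import struct

DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}   # option 53 values
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE, OPT_REQUESTED_IP, OPT_SERVER_ID, OPT_END = 53, 50, 54, 255
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes: op..file


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Fixed BOOTP header + magic cookie + TLV options + end marker.
    op is 1 (BOOTREQUEST, client to server) or 2 (BOOTREPLY, server to client)."""
    chaddr_bytes = bytes(int(x, 16) for x in chaddr.split(":"))
    header = struct.pack(BOOTP_HEADER,
                         op, 1, 6, 0, xid, 0, 0x8000,          # htype 1, hlen 6, hops 0, secs 0, broadcast flag
                         ip_to_bytes("0.0.0.0"), ip_to_bytes(yiaddr),   # ciaddr, yiaddr
                         ip_to_bytes("0.0.0.0"), ip_to_bytes("0.0.0.0"),  # siaddr, giaddr
                         chaddr_bytes.ljust(16, b"\x00"), b"", b"")      # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(payload):
    """Decode header fields and the option TLVs into a dict."""
    fields = struct.unpack(BOOTP_HEADER, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:            # pad option, single byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": bytes_to_ip(fields[8]),
            "chaddr": ":".join(f"{x:02x}" for x in fields[11][:fields[2]]),
            "options": options}


def dhcp_info(msg):
    """Info column text in Wireshark's style, e.g. 'DHCP Offer - Transaction ID 0x3903f326'."""
    kind = DHCP_TYPES.get(msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0], "Unknown")
    return f"DHCP {kind} - Transaction ID 0x{msg['xid']:08x}"


def dora_exchange(client_mac, server_ip, offered_ip, xid):
    """The four phases as client (op 1) and server (op 2) emit them, all sharing one xid."""
    server_id = (OPT_SERVER_ID, ip_to_bytes(server_ip))
    discover = build_dhcp(1, xid, client_mac, options=[(OPT_MESSAGE_TYPE, b"\x01")])
    offer = build_dhcp(2, xid, client_mac, yiaddr=offered_ip,
                       options=[(OPT_MESSAGE_TYPE, b"\x02"), server_id])
    request = build_dhcp(1, xid, client_mac,
                         options=[(OPT_MESSAGE_TYPE, b"\x03"),
                                  (OPT_REQUESTED_IP, ip_to_bytes(offered_ip)), server_id])
    ack = build_dhcp(2, xid, client_mac, yiaddr=offered_ip,
                     options=[(OPT_MESSAGE_TYPE, b"\x05"), server_id])
    return [discover, offer, request, ack]


def exchange_summary(payloads):
    return [dhcp_info(parse_dhcp(p)) for p in payloads]


def leased_address(payloads):
    """What the client ends up with: yiaddr from the ACK carrying the same xid as its Discover."""
    xid = parse_dhcp(payloads[0])["xid"]
    for p in payloads:
        m = parse_dhcp(p)
        if m["xid"] == xid and m["options"].get(OPT_MESSAGE_TYPE) == b"\x05":
            return m["yiaddr"]
    return None


# Constructed exchange (assumed values): client asks, server at .1 leases .208.
EXCHANGE = dora_exchange("7c:05:07:ad:42:53", "192.168.51.1", "192.168.51.208", 0x3903f326)

if __name__ == "__main__":
    for line in exchange_summary(EXCHANGE):
        print(line)
    print("leased:", leased_address(EXCHANGE))
```

The offered address travels in the yiaddr header field of the Offer and ACK, while the client's Request repeats it in option 50 together with option 54 naming the server it accepted; both are worth checking when several DHCP servers answer the same Discover.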