Workshop 2
Sniffing for Packets
The purpose of this workshop is to introduce the packet sniffer WIRESHARK. WIRESHARK will be used for several of the upcoming workshops. This worksheet introduces the basic operation of a packet sniffer, installation, and a test run of WIRESHARK.
PACKET SNIFFER
The basic tool for observing the messages exchanged between entities (nodes) on a network is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages.
A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent / received from/by application and protocols executing on your machine.
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these workshops, allowing us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyser that uses a packet capture library on your computer.)
Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac computers. It’s an ideal packet analyzer for our workshops – it is stable, has a large user base and well-documented support that includes a user guide (http://www.wireshark.org/docs/wsug_html_chunked/), man pages (http://www.wireshark.org/docs/man-pages/), and a detailed FAQ (http://www.wireshark.org/faq.html), rich functionality that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates on computers using Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LANs, and ATM connections (if the OS on which it’s running allows Wireshark to do so).
Task 1 – Download and Install Wireshark
The first thing we need to do is install Wireshark so we can use it. Go to the Wireshark website and download and install the version for the computer you’re on, be that Windows or Linux:
http://www.wireshark.org/download.html
Task 2 – Familiarise yourself with Wireshark.
The Wireshark interface has five major components:
The command menus are standard pulldown menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application. The Capture menu allows you to begin packet capture.
The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.
The packet-header details window provides details about the packet selected (highlighted) in the packet listing window. (To select a packet in the packet listing window, place the cursor over the packet’s one-line summary in the packet listing window and click with the left mouse button.) These details include information about the Ethernet frame and IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest level protocol that sent or received this packet are also provided.
The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface, is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we’ll use the packet-display filter field to have Wireshark hide (not display) packets except those that correspond to HTTP messages.
Colour Coding
You’ll probably see packets highlighted in green, blue and black. Wireshark uses colours to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
Another interesting thing you can do is right-click a packet and select Follow TCP Stream.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
Task 3 – Run some tests
Now that you have familiarised yourself with Wireshark, have a look at the different data it can receive. Open up a web browser and go to Google. Has any data been captured by Wireshark?
You will find there is a lot of information going through the network, so you might need to apply a filter. Find out your machine’s IP address (remember from last week) and in the filter box type:
ip.addr == IP_ADDRESS
Now you should see ONLY packets to and from your machine. Again, refresh the web browser to access Google. Do we see anything?
Analyse this packet: you can see in plain data the web address you wanted to look at. Try applying the filter to the machine next to yours and see what web sites they are visiting.
Now in the filter box try applying some protocol commands. Try looking for packets that are specific to one type, for example try each of these:
udp
tcp
dns
icmp
Are there any others you can think of?
What do you notice about icmp packets? Try doing a ping command.
Remember the firewall rules from last week!!
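To make the display-filter behaviour used in Task 3 concrete, here is an added Python model (not Wireshark’s own code) of how filters such as `ip.addr == IP_ADDRESS`, `dns` or `icmp` select packets. The capture, the hosts and their addresses are constructed for the example; the point it shows is that `ip.addr` matches either direction, that a protocol name matches any packet carrying that layer (so every `dns` packet is also a `udp` packet), and that `!(ip.addr == X)` is the safe way to exclude a host.

```python
# Added example: a small model of Wireshark display-filter matching.
# Packet summaries are constructed here; this is not Wireshark's code.
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Packet:
    no: int                 # number assigned by the sniffer, not from any header
    layers: List[str]       # protocol layers, lowest first, e.g. ["eth","ip","udp","dns"]
    src: str
    dst: str
    info: str = ""


# Constructed capture: our host 192.0.2.10 fetches a page and runs a ping;
# packet 7 belongs to a neighbouring machine.
CAPTURE = [
    Packet(1, ["eth", "ip", "udp", "dns"], "192.0.2.10", "192.0.2.1", "query www.example.com"),
    Packet(2, ["eth", "ip", "udp", "dns"], "192.0.2.1", "192.0.2.10", "response 198.51.100.7"),
    Packet(3, ["eth", "ip", "tcp"], "192.0.2.10", "198.51.100.7", "[SYN]"),
    Packet(4, ["eth", "ip", "tcp", "http"], "192.0.2.10", "198.51.100.7", "GET / HTTP/1.1"),
    Packet(5, ["eth", "ip", "icmp"], "192.0.2.10", "192.0.2.1", "Echo request"),
    Packet(6, ["eth", "ip", "icmp"], "192.0.2.1", "192.0.2.10", "Echo reply"),
    Packet(7, ["eth", "ip", "tcp"], "192.0.2.25", "203.0.113.9", "[SYN]"),
]

Filter = Callable[[Packet], bool]

def proto(name: str) -> Filter:
    # A bare protocol name ("dns", "udp", "icmp") matches when that layer is present
    # anywhere in the packet, so DNS packets also match "udp" and "ip".
    return lambda p: name in p.layers

def ip_addr(value: str) -> Filter:
    # "ip.addr == X": true if ANY ip.addr field (source or destination) equals X.
    return lambda p: value in (p.src, p.dst)

def ip_src(value: str) -> Filter:
    return lambda p: p.src == value

def ip_addr_ne_any(value: str) -> Filter:
    # The historical reading of "ip.addr != X": SOME address field differs from X.
    # Nearly every packet has one, so this does not exclude host X; use not_(ip_addr(X)).
    return lambda p: p.src != value or p.dst != value

def not_(f: Filter) -> Filter:
    # "!(expr)": the unambiguous way to exclude packets.
    return lambda p: not f(p)

def and_(*fs: Filter) -> Filter:
    # "expr && expr"
    return lambda p: all(f(p) for f in fs)

def apply_filter(f: Filter, capture: List[Packet] = CAPTURE) -> List[int]:
    """Return the packet numbers the filter keeps, as the packet-listing window would."""
    return [p.no for p in capture if f(p)]
```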