

Table of Contents
Cover
Title Page
Introduction
Overview of the Book and Technology
How This Book Is Organized
Who Should Read This Book
Tools You Will Need
What’s on the Website
Summary
Chapter 1: Introducing Wireshark
What Is Wireshark?
The Wireshark User Interface
Filters
Summary
Exercises
Chapter 2: Setting Up the Lab
Kali Linux
Virtualization
VirtualBox
The W4SP Lab
Summary
Exercises
Chapter 3: The Fundamentals
Networking
Security
Packet and Protocol Analysis
Summary
Exercises
Chapter 4: Capturing Packets
Sniffing
Dealing with the Network
Loading and Saving Capture Files
Dissectors
Viewing Someone Else’s Captures
Summary
Exercises
Chapter 5: Diagnosing Attacks
Attack Type: Man-in-the-Middle
Attack Type: Denial of Service
Attack Type: Advanced Persistent Threat
Summary
Exercises
Chapter 6: Offensive Wireshark
Attack Methodology
Reconnaissance Using Wireshark
Evading IPS/IDS
Exploitation
Remote Capture over SSH
Summary
Exercises
Chapter 7: Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing
Decrypting SSL/TLS
USB and Wireshark
Graphing the Network
Summary
Exercises
Chapter 8: Scripting with Lua
Why Lua?
Scripting Basics
Setup
Tools
Creating Dissectors for Wireshark
Extending Wireshark
Summary
End User License Agreement


List of Illustrations
Chapter 1: Introducing Wireshark
Figure 1-1: The Wireshark home screen
Figure 1-2: The Packet List pane
Figure 1-3: The Packet Details pane
Figure 1-4: Field information in the status bar
Figure 1-5: ARP packet Opcode
Figure 1-6: Filter results of ARP from a source address
Figure 1-7: Complex display filter example
Chapter 2: Setting Up the Lab
Figure 2-1: Getting SHA-256 file hash in PowerShell
Figure 2-2: VirtualBox SHA-256 checksums
Figure 2-3: VirtualBox installation window
Figure 2-4: VirtualBox feature selection
Figure 2-5: VirtualBox shortcut creation
Figure 2-6: VirtualBox networking warning
Figure 2-7: VirtualBox installation window
Figure 2-8: VirtualBox installation status
Figure 2-9: VirtualBox driver installation prompt
Figure 2-10: VirtualBox installation finished
Figure 2-11: VirtualBox GUI and restart window
Figure 2-12: VirtualBox Extension Pack download
Figure 2-13: VirtualBox Extension Pack preferences
Figure 2-14: VirtualBox Extension Pack installation
Figure 2-15: Successful VirtualBox Extension Pack installation
Figure 2-16: Kali download web page
Figure 2-17: Creating a new virtual machine
Figure 2-18: Selecting virtual machine memory
Figure 2-19: Creating virtual disk
Figure 2-20: Selecting virtual disk type
Figure 2-21: Storage on physical disk
Figure 2-22: Virtual disk size
Figure 2-23: Enabling PAE
Figure 2-24: Selecting start-up disk
Figure 2-25: Kali boot menu
Figure 2-26: Possible temporary error
Figure 2-27: Entering a hostname
Figure 2-28: Skipping the domain
Figure 2-29: Entering a root password
Figure 2-30: Partitioning the disk
Figure 2-31: Confirming the disk
Figure 2-32: Confirming a single partition
Figure 2-33: Writing changes to the disk
Figure 2-34: Confirming disk changes
Figure 2-35: The installation progress bar
Figure 2-36: The option for a network mirror
Figure 2-37: Network connection proxy
Figure 2-38: GRUB boot loader
Figure 2-39: Installation is complete
Figure 2-40: System settings
Figure 2-41: New user w4sp-lab
Figure 2-42: Firefox to GitHub
Figure 2-43: Saving the W4SP Lab file
Figure 2-44: Opening Terminal
Figure 2-45: Unzipping the W4SP Lab
Figure 2-46: Running the W4SP Lab installation script
Figure 2-47: Running the W4SP Lab setup
Figure 2-48: The full W4SP Lab network
Chapter 3: The Fundamentals
Figure 3-1: OSI layers in Wireshark
Figure 3-2: VirtualBox networking options
Figure 3-3: Malware signature code
Figure 3-4: Small incoming Layer 2 frame
Figure 3-5: Smaller outgoing Layer 2 frame
Figure 3-6: Gratuitous ARP
Figure 3-7: TCP’s 3-way handshake
Chapter 4: Capturing Packets
Figure 4-1: The Capture interfaces list
Figure 4-2: Superuser warning
Figure 4-3: New traffic
Figure 4-4: Renaming a network interface
Figure 4-5: Sample localhost ICMP traffic
Figure 4-6: Installing the loopback adapter on Windows
Figure 4-7: RawCap loopback sniffing
Figure 4-8: RawCap pcap in Wireshark
Figure 4-9: VirtualBox bridging
Figure 4-10: Wireshark sniffing bridged network
Figure 4-11: Capturing packets with a hub
Figure 4-12: Traffic when sniffing on a hub
Figure 4-13: SPAN sniffing connections
Figure 4-14: Throwing star LAN tap
Figure 4-15: Traffic flow when sniffing a Linux bridge
Figure 4-16: Raw wireless packets in Wireshark
Figure 4-17: The File Save dialog box
Figure 4-18: Properties of a capture file
Figure 4-19: Multiple file settings
Figure 4-20: Stop capture options
Figure 4-21: Setting multiple files and ring buffer
Figure 4-22: Resultant ring buffer files
Figure 4-23: Mergecap verbose
Figure 4-24: Mergecap complete
Figure 4-25: Clearing recent files
Figure 4-26: Changing the number of recent files shown
Figure 4-27: Wireshark’s Decode As window
Figure 4-28: Wireshark’s Decode As window
Figure 4-29: Packet list filtering for SMB
Figure 4-30: SMB packets referencing a file
Figure 4-31: Packet list filtered for NT Create calls
Figure 4-32: Adjusting packet colors
Figure 4-33: Colorizing conversations
Chapter 5: Diagnosing Attacks
Figure 5-1: Man-in-the-middle position
Figure 5-2: Ping and ARP transaction
Figure 5-3: W4SP Lab network
Figure 5-4: W4SP’s vic1
Figure 5-5: LOCALSIP
Figure 5-6: Exploit in progress
Figure 5-7: ARP packets fly
Figure 5-8: FTP credentials to attacker
Figure 5-9: Expert information
Figure 5-10: Noting your IP address
Figure 5-11: DHCP module options
Figure 5-12: DHCP running
Figure 5-13: DNS settings done
Figure 5-14: DNS queries
Figure 5-15: Quieter fake DNS
Figure 5-16: FTP capturing
Figure 5-17: Mirai password list
Figure 5-18: Pingbed
Figure 5-19: Gh0st
Figure 5-20: Xinmic
Figure 5-21: Malware analysis practice
Chapter 6: Offensive Wireshark
Figure 6-1: W4SP Lab network
Figure 6-2: Nmap port scan
Figure 6-3: Nmap port scan in Wireshark
Figure 6-4: Open port in Wireshark
Figure 6-5: Metasploitable and its IP
Figure 6-6: Searching for the VSFTPD exploit
Figure 6-7: Exploit success but no shell
Figure 6-8: Exploit attempt in Wireshark
Figure 6-9: Exploit success with shell
Figure 6-10: Root shell command WHOAMI
Figure 6-11: Root in packet bytes
Figure 6-12: Metasploit RMI data
Figure 6-13: Metasploit HTTP JAR data
Figure 6-14: Metasploit hexdump
Figure 6-15: Unanswered SYNs
Figure 6-16: Filter for tcp/4444
Figure 6-17: Encrypted traffic
Figure 6-18: ELK
Figure 6-19: Time-field name
Figure 6-20: SSHdump install
Chapter 7: Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing
Figure 7-1: Browsing to ftp1.labs
Figure 7-2: Follow TCP stream on SSL/TLS traffic
Figure 7-3: Wireshark SSL/TLS protocol options
Figure 7-4: Setting up SSL/TLS decryption
Figure 7-5: Decrypting TLS traffic in Wireshark
Figure 7-6: Adding SSLKEYLOGFILE
Figure 7-7: Decrypted SSL/TLS data
Figure 7-8: USB device overview
Figure 7-9: usbmon interfaces
Figure 7-10: Connecting USB device to Kali VM
Figure 7-11: Wireshark usbmon error
Figure 7-12: Capturing on usbmon2
Figure 7-13: USBPcap device list
Figure 7-14: USBPcap running a capture
Figure 7-15: Filtering USB traffic to host
Figure 7-16: HID key codes
Figure 7-17: TShark key sniffer
Figure 7-18: TShark-generated network graph
Chapter 8: Scripting with Lua
Figure 8-1: Lua Interactive Interpreter
Figure 8-2: Wireshark About page
Figure 8-3: Lua in Tools menu
Figure 8-4: Lua Console in Wireshark
Figure 8-5: Wireshark Evaluate Lua
Figure 8-6: Wireshark without a dissector
Figure 8-7: Our protocol fields
Figure 8-8: Sample protocol hexdump
Figure 8-9: Tree items in Wireshark
Figure 8-10: Running direction script
Figure 8-11: Finding a suspicious packet

List of Tables
Chapter 1: Introducing Wireshark
Table 1-1: Comparison Operators
Table 1-2: Logical Operators
Chapter 4: Capturing Packets
Table 4-1: Common Wireshark Capture File Formats
Chapter 5: Diagnosing Attacks
Table 5-1: Exploit Options
Table 5-2: Well-Known DoS Tools


Wireshark® for Security Professionals

Using Wireshark and the Metasploit® Framework

Jessey Bullock
Jeff T. Parker





Introduction
Welcome to Wireshark for Security Professionals. This was an exciting book for us to write. A combined effort of a few people with varied backgrounds—spanning information security, software development, and online virtual lab development and teaching—this book should appeal and relate to many people.
Wireshark is the tool for capturing and analyzing network traffic. Originally named Ethereal but changed in 2006, Wireshark is well established and respected among your peers. But you already knew that, or why would you invest your time and money in this book? What you’re really here for is to delve into how Wireshark makes your job easier and your skills more effective.


Overview of the Book and Technology
This book hopes to meet three goals:
Broaden the information security professional’s skill set through Wireshark.
Provide learning resources, including labs and exercises, to apply what you learn.
Demonstrate how Wireshark helps with real-life scenarios through Lua scripting.
The book isn’t only for reading; it’s for doing. Any Wireshark book can show how wonderful Wireshark can be, but this book also gives you opportunities to practice the craft, hone your skills, and master the features Wireshark offers.
These opportunities come in a few forms. First, to apply what’s in the text, you will practice in labs. You build the lab environment early on in the book and put it to use throughout the chapters that follow. The second opportunity for practice is at the end of each chapter, save the last Lua scripting chapter. The end-of-chapter exercises largely build on the labs to challenge you again, but with far less hand-holding. Between the labs and exercises, your time spent with Wireshark ensures time spent reading is not forgotten.
The lab environment was created using containerization technology, resulting in a fairly lightweight virtual environment to be installed and run on your own system. The whole environment was designed specifically for you, the book reader, to practice the book’s content. These labs were developed and are maintained by one of the authors, Jessey Bullock. The source code for the labs is available online. See Chapter 2 for specifics.
In short, this book is a hands-on, practice-oriented Wireshark guide created for you, the information security professional. The exercises will help to keep you advancing your Wireshark expertise long after the last page.


How This Book Is Organized
The book is structured on the assumption that readers will start from the beginning and then work through the main content. The initial three chapters not only introduce the title application Wireshark but also the technology to be used for the labs, along with the basic concepts required of the reader. Readers already familiar with Wireshark should still work through the lab setup chapter, since future chapters depend on the work being done. These first three chapters are necessary to cover first, before putting the following chapters to use.
The majority of the book that follows is structured to discuss Wireshark in the context of information security. Whether capturing, analyzing, or confirming attacks, the book’s main content and its labs are designed to most benefit information security professionals.
The final chapter is built around the scripting language Lua. Lua greatly increases Wireshark’s flexibility as an already powerful network analyzer. Initially, the Lua scripts were scattered throughout chapters, but they were later combined into a single chapter all their own. It was also appreciated that not all readers are coders, so Lua scripts are better served through one go-to resource.
Here’s a summary of the book’s contents:
Chapter 1, “Introducing Wireshark,” is best for the professional with little to no experience with Wireshark. The main goal is to help you avoid being overwhelmed, introduce the interface, and show how Wireshark can be your friend.
Chapter 2, “Setting Up the Lab,” is not to be skipped. Starting with setting up a virtualized machine, this chapter then sets up the W4SP Lab, which you will use several times in upcoming chapters.
Chapter 3, “The Fundamentals,” covers basic concepts and is divided into three parts: networking, information security, and packet analysis. The book assumes most readers might be familiar with at least one or two areas, but the chapter makes no assumptions.
Chapter 4, “Capturing Packets,” discusses network captures, or the recording of network packets. We take a deep dive into how Wireshark captures, manipulates capture files, and interprets the packets. There’s also a discussion around working with the variety of devices you encounter on a network.
Chapter 5, “Diagnosing Attacks,” makes good use of the W4SP Lab, re-creating various attacks commonly seen in the real world. Man-in-the-middle attacks, spoofing various services, denial of service attacks, and more are all discussed.
Chapter 6, “Offensive Wireshark,” also covers malicious traffic, but from the hacker’s perspective. Wireshark and the W4SP Lab are again relied on to launch, debug, and understand exploits.
Chapter 7, “Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing,” is a mash-up of more activities as we leverage Wireshark. From decrypting SSL/TLS traffic to capturing USB traffic across multiple platforms, this chapter promises to demonstrate something you can use wherever you work or play.
Chapter 8, “Scripting with Lua,” contains about 95% of the book’s script content. It starts simply with scripting concepts and Lua setup, whether you’re working on Windows or Linux. Scripts start with “Hello, World” but lead to packet counting and far more complex topics. Your scripts will both enhance the Wireshark graphic interface and run from the command line.


Who Should Read This Book
To claim this book is for security professionals might be specific enough to the general IT crowd. However, to most information security professionals, it’s still too broad a category. Most of us specialize in some way or another, and identify ourselves by our role or current passion. Some examples include firewall administrator, network security engineer, malware analyst, and incident responder.
Wireshark is not limited to just one or two of those roles. The need for Wireshark can be found in roles such as penetration tester or ethical hacker—roles defined by being proactive and engaging. Additional roles like forensics analyst, vulnerability tester, and developer also benefit from being familiar with Wireshark. We’ll show this through examples in the book.
Regarding expectations on the reader, the book makes no assumptions. Information security specializations vary enough so that someone with 15 years of experience in one field is likely a novice in other fields. Wireshark offers value for anyone in those fields, but it does expect a basic understanding of networking, security, and how protocols work. Chapter 3 ensures we’re all on the same page.
Any reader must be technically savvy enough to install software or understand systems are networked. And since the book targets security professionals, we presume a fundamental level for information security. Still, as far as “fundamentals” go, Chapter 3 acts as a refresher for what’s necessary around networking, information security, and packet and protocol analysis.
Further in the book, Wireshark is used in the context of various roles, but there’s no experience requirement for grasping the content or making use of the labs. For example, the tools used in Chapter 6, “Offensive Wireshark,” might be already familiar to the penetration tester, but the chapter assumes zero experience when instructing setup.
To sum up, we understand there is a wide spectrum of possible roles and experience levels. You might be employed in one of these roles and want to use Wireshark more. Or you might be getting ready to take on one of these roles, and recognize Wireshark as an essential tool to use. In either case, this book is for you.


Tools You Will Need
The one tool required for this book is a system. Your system does not need to be especially powerful; at the most a few years old would be best. Your system will be first used in Chapter 2, “Setting Up the Lab.” You first install and set up a virtualized machine. Then upon that virtual machine you will set up the labs.
Of course, this book can benefit those without a system, but a system is needed to perform the labs referenced throughout the book.


What’s on the Website
The primary website needed for this book is the GitHub repository for the W4SP Lab code. The GitHub repo and its contents are explained further in Chapter 2, “Setting Up the Lab,” where you first download and build the virtual lab environment. Then the Lab files are installed onto your virtual machine.
Other websites are cited throughout the book, mostly as pointers for additional resources. For example, some sites hold hundreds of network capture files that are available for analysis.


Summary
This is where the authors are at the edge of our seats, hoping you will leap into and enjoy the book, its materials, and the labs. A lot of thought and effort went into this book. Our only desire was to create a resource that inspired more people to have a deeper appreciation of Wireshark. Being information security professionals ourselves, we crafted this book for our peers.


Chapter 1
Introducing Wireshark
Welcome to Wireshark for Security Professionals. This introductory chapter covers three broad topics. In the first part, we discuss what Wireshark is used for and when to use it.
The second part of this chapter introduces the popular graphic user interface (GUI). The GUI for Wireshark can appear quite busy at first, so we immediately want to get familiar with its layout. We break down the different areas of the interface, how they relate to one another, and the reasoning for needing each one. We also discuss how and when each part of the interface helps you maximize your use of Wireshark.
In the third part of this chapter, we discuss the way Wireshark filters data presented on the interface. Being familiar with Wireshark’s interface helps you appreciate all the data presented, but the amount of data can still be overpowering. Wireshark offers ways to filter or separate what you need from all that is presented. The last part is about different types of filters and how you can customize these filters.
Wireshark can appear to be a complicated tool, but by the end of this first chapter, the hope is you have a much higher comfort level with the tool’s purpose, interface, and ability to present you with what you want to see.


What Is Wireshark?
Wireshark, in its most basic sense, is a tool to understand data you capture from a network. The captured data is interpreted and presented in individual packet form for analysis, all within Wireshark. As you probably already know, packets are the chunks of data streaming on a network. (Technically, depending on the context level of where in the system the data is interpreted, chunks are called frames, datagrams, packets, or segments, but we’ll just use “packets” for now.) Wireshark is a network and protocol analyzer tool, free for download and use on a variety of platforms, spanning many flavors of Unix and Windows.
Wireshark first captures the data from a network interface and then breaks the capture into the frames, segments, and packets, understanding where they begin and end. Wireshark then interprets and presents this data in the context of addressing, protocols, and data. You can analyze the captures immediately or save them to load later and share with others. In order for Wireshark to view and capture all packets, not just those involving the capturing system, the network interface is placed in promiscuous mode (also called monitor mode) in the context of capturing on a wireless network. Finally, what grants you the ability to analyze packets in Wireshark are the dissectors. All these basic elements are discussed in more detail in Chapter 4, in the context of “sniffing” or capturing data, and how that captured data is interpreted.
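As an added illustration of the dissector idea described above (this is not code from the book or from Wireshark itself), the toy chain below does what a dissector stack does: each layer parses its own header, works out where its data ends, and uses one field (EtherType, IP protocol number, TCP port) to hand the rest to the next dissector. The frame bytes are constructed for the example, and the "http" label is a port-based guess, not a real HTTP parser.

```python
"""Toy dissector chain: Ethernet -> IPv4 -> TCP -> payload label.
Added illustration of how dissectors chain together, not Wireshark's code.
Each layer bounds its own data and picks the next dissector from one field."""
import struct

# Constructed sample frame: an HTTP request from 10.0.0.5:40000 to 10.0.0.1:80.
_PAYLOAD = b"GET / HTTP/1.1\r\n\r\n"                       # 18 bytes
SAMPLE_FRAME = (
    bytes.fromhex("aabbccddeeff 001122334455 0800")        # Ethernet, EtherType IPv4
    + bytes.fromhex("4500 003a 1c46 4000 4006 0000"         # IPv4, total length 58, TTL 64, proto 6
                    "0a000005 0a000001")                    # src 10.0.0.5, dst 10.0.0.1
    + bytes.fromhex("9c40 0050 00000001 00000000 5018"      # TCP 40000 -> 80, offset 5, PSH|ACK
                    "7210 0000 0000")
    + _PAYLOAD
    + b"\x00\x00"                                           # Ethernet trailer padding, not IP data
)

def dissect_tcp(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("segment too short for TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    offset = (off_flags >> 12) * 4                  # header length in bytes
    if offset < 20 or offset > len(data):
        raise ValueError("bad TCP data offset")
    bits = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
    flags = [name for bit, name in bits if off_flags & bit]
    payload = data[offset:]
    layer = {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq,
             "ack": ack, "flags": flags, "window": win, "next": None}
    if payload:
        # Port-based choice, like Wireshark's port tables; "http" is only a label here.
        name = "http" if 80 in (sport, dport) else "data"
        layer["next"] = {"proto": name, "len": len(payload)}
    return layer

def dissect_ipv4(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("packet too short for IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("malformed IPv4 header")
    body = data[ihl:total_len]                      # bytes beyond total_len (trailer) are not ours
    layer = {"proto": "ipv4", "src": ".".join(map(str, src)),
             "dst": ".".join(map(str, dst)), "ttl": ttl, "protocol": proto}
    nxt = {6: dissect_tcp}.get(proto)               # protocol number selects the next dissector
    layer["next"] = nxt(body) if nxt else {"proto": "data", "len": len(body)}
    return layer

def dissect_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layer = {"proto": "eth", "src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    nxt = {0x0800: dissect_ipv4}.get(ethertype)     # EtherType selects the next dissector
    layer["next"] = nxt(frame[14:]) if nxt else {"proto": "data", "len": len(frame) - 14}
    return layer

def protocol_stack(frame: bytes) -> list:
    """Names of the layers found, like the chain behind Wireshark's Protocol column."""
    names, layer = [], dissect_ethernet(frame)
    while layer:
        names.append(layer["proto"])
        layer = layer.get("next")
    return names

if __name__ == "__main__":
    print(protocol_stack(SAMPLE_FRAME))             # ['eth', 'ipv4', 'tcp', 'http']
```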

A Best Time to Use Wireshark?
Wireshark is an immensely powerful tool with quite a bit of deep and complex functionality. It is capable of handling a wide range of known (and unknown) protocols. But although the functionality range is broad, most of it aligns to one end: to capture packets and analyze them. Being able to take the bits and bytes and present them in an organized, familiar, and human-readable format is what brings people to think of using Wireshark.
Before launching Wireshark, it’s important to understand when to use it and when not to use it. Sure, it’s a great tool, but like any tool, it’s best used when it’s the right tool for the job.


Here are scenarios when it’s ideal to use Wireshark:
To look for the root cause of a known problem
To search for a certain protocol or stream between devices
To analyze specific timing, protocol flags, or bits on the wire
And while not ideal, Wireshark can also be used:
To discover which devices or protocols are the top talkers
To see a rough picture of network traffic
To follow a conversation between two devices
You get the idea. Wireshark is ideal for determining a root cause of an understood problem. While not ideal for browsing network traffic or making high-level judgments about the network, Wireshark does have some features to show those statistics. But Wireshark can’t and shouldn’t be the first tool thought of early on in discovering a problem. Someone who opens Wireshark to skim through the list of packets to assess network health would soon be overwhelmed. Instead, Wireshark is for problem solvers, for the detectives who already know their suspects well.

Avoiding Being Overwhelmed
The majority of people who walk away from Wireshark do so because they find it overwhelming after only a few early experiences. To label Wireshark as overwhelming is misleading, however. What really paralyzes new users is the traffic, the list of packets flying by, not the application’s functionality. And, fair enough, once you start a capture and the packets scroll by in real time, it’s definitely intimidating. (But that’s what filters are for!)
To avoid being overwhelmed, consider two aspects of Wireshark before diving into it:
The interface—how it’s laid out and why
Filters—how they work to reveal what you want
Once you get a quick appreciation of the tool’s interface and how to write a filter, Wireshark suddenly appears intuitive and shows its power, without the scare factor. And that’s what we focus on for the rest of this chapter.
The following sections are on the most important aspects that you need immediately to be comfortable using Wireshark. If you are already familiar with Wireshark, as well as filters, feel free to skim this chapter as a refresher so that you can be sure you are on the same page for the rest of the book.


The Wireshark User Interface
We start with the busy Wireshark GUI, which is packed with features. We provide a high-level overview of where you need to look to start seeing some packet data. With packet capturing covered, we then discuss the more powerful features of Wireshark, starting with dissectors. In Wireshark, dissectors are what parse a protocol and decode it for presenting on the interface. They enable Wireshark to give the raw bits and bytes streaming across the wire some context by displaying them as something more meaningful to the human analyst. We then round off the chapter by covering the various filters available to help limit and zero in on just the network data you are interested in.
The home screen appears when you open Wireshark. On this screen are shortcuts you can use to start a new capture or open a previous capture file. For most newcomers to Wireshark, the brightly colored Capture button is the most attractive option. Starting a capture leads to a flurry of scrolling packets, which for the newcomer then leads to overwhelm. But let’s go back to the home screen. There are also links to online documentation that you can use to figure out how to accomplish a certain task.
On the top of the screen, as shown in Figure 1-1, is the menu bar in the classic format you are probably familiar with. These menus have settings and other features like statistics that can be accessed when needed. (Don’t worry—we aren’t really worried about statistics.) Below these menus is the Main toolbar, which has quick access icons for the functionality you will use most while analyzing network traffic. These icons include things like starting or stopping a capture, and the various navigation buttons for finding your way around captured packets. Icon buttons are typically grayed if not applicable or usable—for example, without a capture yet.

Figure 1-1: The Wireshark home screen
Icons change over time from version to version. At the time this book was written, the blue shark fin starts a capture and the red square stops a capture. The shark fin is gray until the network interface is chosen, and we cover that soon. Also note that this toolbar area gives you a visual indication of the capture process. Again, many options are grayed out in Figure 1-1 because we are not yet capturing or don’t have a capture completed. As you go through this chapter, pay attention to this area to understand how it changes and how it reflects the various capture states. In many respects, Wireshark has an intuitive user experience.
The Filter toolbar, which is below the Main toolbar, is a vital part of the Wireshark UI. You will soon fall in love with this little box, as you often find yourself drowning in a torrent of traffic. The Filter toolbar lets you remove whatever is uninteresting to the task at hand and presents just what you’re looking for (or takes out what you’re not looking for). You can enter display filters in the Filter text box that help you drill down what packets you see in the Packet List pane. We discuss filters in detail later in this chapter, but for now just trust me: They will be your new best friends.


