On the Internet there are hundreds of excellent open source tools and utilities that can be used for network analysis, but not many technicians use them. Indeed, several open source solutions are truly effective and can help the specialist networks in daily work.
In this first article i’ll show you Wireshark an useful tool for network analysis.
Wireshark (formerly known as Ethereal) has become the defacto, open-source standard for protocol analysis. It provides low-level packet filtering and analytical capability. Trace files captured from your network can be opened in Wireshark and analysed right down to individual packet level.
Here are some examples people use Wireshark for:
- network administrators use it to troubleshoot network problems
- network security engineers use it to examine security problems
- developers use it to debug protocol implementations
- people use it to learn network protocol internals
Beside these examples, Wireshark can be helpful in many other situations too.
Wireshark it’s available in official repository of Ubuntu 10.04, so to install it just do a :
sudo aptitude install wireshark
Once installed run it from terminal typing
sudo wireshark , yes this way it’s run as user root, not the safer option but the alternative is much longer to configure, check it here, under Linux
You’ll get this screen:
Under Interface list you should see all your interfaces, just click on the one you want to start capture and you’ ll get a new screen where you’ll be able to see packets moving through that interface.
A very common problem when you launch Wireshark with the default settings is that you will get too much information on the screen and thus will not find the information you are looking for.
Too much information kills the information.
That’s why filters are so important, they will help us to target, in the prolific logs, the data you are looking for.
- Capture filters: Used to select the data to record in the logs. They are defined before starting the capture
- Display filters: Used to search inside the captured logs. They can be modified while data is captured.
So should I use the capture or the display filter?
The goals of the two filters are different.
The capture filter is used as a first large filter to limit the size of captured data to avoid generating a log too big.
The display filter is much more powerful (and complex); it will permit you to search exactly the data you want.
The capture filter syntax is the same as the one used by programs using the Lipcap (Linux) or Winpcap (Windows) library like the famous TCPdump. The capture filter must be set before launching the Wiershark capture, which is not the case for the display filters that can be modified at any time during the capture.
The steps to configure a capture filter are the following:
– select Capture -> options.
– Fill the “capture filter” field or click on the “capture filter” button to give a name to your filter to reuse it for subsequent captures.
– Click on Start to capture data.
If you need a capture filter for a specific protocol, have a look for it at the ProtocolReference.
For making otehr filters the basic syntax to know is:
Protocol Direction Host(s) Value Logical_Operations Other_expression
Capture only traffic to or from IP address 172.18.5.4:
Capture traffic to or from a range of IP addresses:
net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses:
dst net 192.168.0.0/24
dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic:
Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25
Capture except all ARP and DNS traffic:
port not 53 and not arp
Capture traffic within a range of ports
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549
Displays packets with source IP address 10.4.1.12 or source network 10.6.0.0/16, the result is then concatenated with packets having destination TCP portrange from 200 to 10000 and destination IP network 10.0.0.0/8
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Wireshark uses display filters for general packet filtering while viewing and for its ColoringRules.
The basics and the syntax of the display filters are described in the User’s Guide.
tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet:
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
TCP buffer full — Source is instructing Destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1
Match HTTP requests where the last characters in the uri are the characters “gl=se”:
http.request.uri matches "gl=se$"
Note: The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of http.request.uri field.
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
See here for the official guide.
This is just an introduction on wireshark, for more info check their wiki plenty of useful informations.