Wireshark Primer

by ramdyne in Circuits > Software


At some point you will have network problems, at home or somewhere else: the Instructables website won't load, or the Arduino you set up to monitor the washing machine in the basement never delivers its notifications.

You could move to a different Starbucks, or step through every single line of Arduino code each time it is supposed to send that message. Or you could look at what is really going on on your network, find out whether the problem is there and, if it is, fix it.

Enter Wireshark, a free, open-source network protocol analyser. It is available for all major desktop operating systems (Windows, Linux, macOS and others).

This primer assumes that you have basic networking knowledge, mainly IP and DNS. Those two protocols are used in the examples to find the interesting traffic.

Install Wireshark

[Screenshot: download page]

First you need to install Wireshark. Go to the download page and download the version that is right for you; I am assuming that you know how to install newly downloaded applications on your computer.

If you are not installing Wireshark on your own computer, your system administrator might not allow you to install it, and capturing packets needs administrator (root) privileges in any case. On Linux the usual arrangement is to give only the capture helper (dumpcap) those privileges, typically by adding your user to the wireshark group, and to run the Wireshark GUI itself as an ordinary user, so that a bug in one of the protocol dissectors is not running as root. Wireshark is a very powerful tool that can be used for good and for bad: it records every byte that crosses the interface, including other people's traffic on a shared network, so only capture on networks you own or are authorised to monitor.

Start Wireshark

[Screenshot: Wireshark main window]

Go to your Start menu (on Windows), the Task bar (on Linux) or the Applications folder (on a Mac) and start Wireshark. You should see a window not terribly different from the image for this step.

I am using the latest pre-release version for the Mac, so it is a little different than the Windows and Linux versions, but since I am going to use the menus, there shouldn't be any confusion.

Start a Capture

[Screenshots 1 and 2: Capture menu and interface list]

Using Wireshark starts with "capturing" network traffic. In the Capture menu, click on Options. Wireshark shows a list of all the network interfaces in your computer, and there are probably more of them than you expected: an Ethernet interface (using a cable) and/or a WiFi interface, plus loopback, virtual-machine and VPN interfaces and possibly quite a few more. Interfaces that are currently carrying traffic show a small activity graph next to their name, which is the quickest way to find the right one.

I am interested in the traffic on my Ethernet interface, so I am selecting that one by clicking on it and then clicking the Start button.

Stop Your Capture

[Screenshots 1 and 2: running capture, capture stopped]

Usually Wireshark scrolls to the most recently received packet. If it doesn't, scroll once all the way to the bottom of the top pane of the Wireshark window (the packet list, where all the differently coloured lines are) and it will start showing every newly received network message as it arrives (first screenshot).

Since I am very interested in what kind of network traffic a visit to the Apple website is generating, I'm going to open that page in a browser. Once it has fully loaded, I go back to Wireshark and stop the capture by going to the Capture menu and clicking on Stop.

The second screenshot shows the Wireshark window after the capture has stopped. As the number of different colours shows, there are quite a few very different types of network communication going on. Also, this is only the traffic that your computer itself sends and receives (plus broadcasts): on a switched or WiFi network other machines' traffic does not normally reach your interface, so there can be a lot more going on in your network than you see here. This can be intimidating, but if you know some networking basics Wireshark has just the tools to make sense of it.

How to Find Interesting Traffic

[Screenshots 1 and 2: packet count in the status bar, the Display Filter bar]

I hope I have captured all the traffic related to my visit to the Apple website, but how do I find it in the capture I've just made? I could have captured thousands and thousands of messages.

Looking at the first screenshot I can see that I have captured 5254 packets. That is far too many to go through one by one by hand.

Bringing the number down is done using display filters, which only show the packets that match the filter. A display filter changes nothing but what is shown: every packet stays in the capture, so you can change the filter as often as you like. (A capture filter, set in the capture options, is different: it decides what gets recorded in the first place, and what it drops is gone for good.) But where to start? I don't know where the traffic from Apple is coming from and I don't know where it is going on my computer!

But I do know one thing, I know I was going to the server www.apple.com so the computer must have used DNS to convert www.apple.com to an IP address.

For most protocols Wireshark uses the protocol's abbreviated name as the keyword in display filters, so type dns (in lowercase; filter names are case sensitive) in the Display Filter bar just below the Wireshark button bar (second screenshot). The bar turns green when the filter is valid and red when it is not.

Then hit ENTER or RETURN.

How to Find Interesting Traffic Part 2

[Screenshots 1 to 8: the DNS request, expanded packet details, Apply as Filter on the Transaction ID, the resulting exchange]

In the first screenshot I find the request for www.apple.com; in the second I expand the message tree to show more detail, and in the third I drag the pane dividers to enlarge the useful screen area.

I can find the response to a DNS query by looking for the corresponding response. I could click through all the responses in the capture, but I can also make Wireshark do the hard work by filtering on the transaction ID that every DNS message exchange carries (the client picks it for the query and the server copies it into the response). The easiest way to do that is to first click on the line that says "Transaction ID:" (screenshot 4), then right-click it (screenshot 5), select "Apply as Filter" (screenshot 6) and then click on "Selected". Wireshark builds the filter for you from the field's name (dns.id) and the selected value. One caveat: the ID is only 16 bits and will be reused in a long capture, so if one ID brings up more than one exchange, add the query name to the filter as well.

The Wireshark screen will now show just the DNS message exchange between my computer and the DNS server about "www.apple.com". As you can see in the final screenshot, the answer says that www.apple.com has the IPv4 address 2.17.45.15.

Discovering Display Filters Part 1

[Screenshots 1 to 4: Packet Details pane, Internet Protocol Version 4 expanded, the status bar showing the field name]

Now that I know www.apple.com has the IP address 2.17.45.15 I want to see all traffic from and to this address. There are a few ways to do that and I am going to show the two most useful. Each of them also shows a different way to discover display filter keywords.

The first way to discover display filter keywords is to use the contents of a captured message as shown in the Packet Details pane (the middle section of a Wireshark window, screenshot 1). To find out how to filter on an IP address, I scroll up to the "Internet Protocol Version 4" line in the packet details and expand it to show the first level of detail (screenshots 3 and 4). Then I click on the "Source:" line below "Internet Protocol".

Note the status bar in screenshot 4: it says "Source (ip.src), 4 bytes". The real clue (for us now) is the part between the parentheses: "ip.src" is a display filter keyword. If you click on "Destination" you'll see in the status bar that "ip.dst" is also a display filter keyword.

So if the IP address we're looking for is 2.17.45.15 and we want to see all traffic from or to that address, combining that with the two keywords we just found, the relevant traffic for www.apple.com can be shown using the display filter "ip.src == 2.17.45.15 or ip.dst == 2.17.45.15" (the shorthand "ip.addr == 2.17.45.15" means exactly the same thing).

Discovering Display Filters Part 2

[Screenshots 1 to 5: empty result, the AAAA answer, Copy > Value, the Display Filter bar suggesting ipv6. keywords]

After applying the display filter "ip.src == 2.17.45.15 or ip.dst == 2.17.45.15" Wireshark shows me an empty result window (screenshot 1). For some reason there is no IPv4 traffic going to or from www.apple.com. But hang on, I have IPv6, so maybe DNS also returned an IPv6 address?

I again filter on "dns" and notice a request for an AAAA record for www.apple.com (an A record carries an IPv4 address, an AAAA record carries an IPv6 address; a dual-stack computer asks for both and, when it gets both, normally prefers the IPv6 one). Screenshot 2 shows that there is indeed an IPv6 answer for www.apple.com. Remembering an IPv6 address is far too hard, so I copy it to the clipboard by right-clicking on the relevant line, clicking "Copy" (screenshot 3) and then clicking "Value" (screenshot 4).

The second most important way to discover new display filter keywords is the Display Filter bar itself. It suggests keywords based on what you have typed so far, so if I want to search for an IPv6 address I start by typing "ipv6." in the display filter bar (screenshot 5).

Note "ipv6.addr". Most lower level protocols have a source and a destination field, and you can always write "source or destination" out in full, but most of them also offer an "addr" (or, for ports, a "port") keyword as shorthand for "source or destination": "ip.addr", "ipv6.addr", "eth.addr" and "tcp.port" all work that way.

So to search for traffic to or from the IPv6 address I enter "ipv6.addr == " into the display filter bar, paste the copied address and press ENTER or RETURN to find all the traffic.
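The transaction-ID correlation from the DNS step and the A versus AAAA distinction above, as an added Python example (not part of the original Instructable and not Wireshark code): it builds a few DNS messages in wire format, parses them back, pairs each query with its response by transaction ID the way "Apply as Filter > Selected" on dns.id does, and collects the A and AAAA answers for a name. All messages are constructed inline; 2.17.45.15 is the address seen in the primer, the IPv6 address is a documentation-prefix placeholder rather than Apple's real address, and example.net is filler traffic to show the filter discarding it.

```python
"""Correlate DNS queries with responses by transaction ID (dns.id) and pull
out A / AAAA answers. Messages are constructed for the example; no network."""
import struct
import ipaddress

QTYPE = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """'www.apple.com' -> DNS label wire format (length-prefixed labels, NUL)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, name, qtype):
    """Header (RD set, one question) followed by the question section."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, qtype, rdatas):
    """Standard response: question echoed, one answer per rdata. Answers use a
    compression pointer (0xC00C) back to the name at offset 12, as resolvers do."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_name(msg, offset):
    """Decode labels, following compression pointers. Returns (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # pointer: 14-bit offset into msg
            if not jumped:
                end = offset + 2                     # caller continues after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns(msg):
    """Header, question and answer sections into a dict keyed like Wireshark's fields."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = parse_name(msg, off)
        qtype, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE.get(qtype, qtype)))
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == 5:
            value, _ = parse_name(msg, off - rdlen)   # CNAME target may use pointers
        else:
            value = rdata.hex()
        answers.append((name, QTYPE.get(rtype, rtype), value))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def correlate(messages):
    """Pair each query with its response by transaction ID (the dns.id filter)."""
    exchanges = {}
    for parsed in map(parse_dns, messages):
        slot = exchanges.setdefault(parsed["txid"], {"query": None, "response": None})
        slot["response" if parsed["response"] else "query"] = parsed
    return exchanges


def addresses_for(messages, name):
    """All A and AAAA answers whose owner is `name`, across every exchange."""
    found = {"A": [], "AAAA": []}
    for exchange in correlate(messages).values():
        if exchange["response"] is None:
            continue
        for owner, rtype, value in exchange["response"]["answers"]:
            if owner == name and rtype in found:
                found[rtype].append(value)
    return found


# Constructed capture: A and AAAA lookups for www.apple.com plus an unrelated one.
SAMPLE = [
    build_query(0x1A2B, "www.apple.com", 1),
    build_query(0x3C4D, "www.apple.com", 28),
    build_query(0x0042, "example.net", 1),
    build_response(0x1A2B, "www.apple.com", 1, [ipaddress.IPv4Address("2.17.45.15").packed]),
    build_response(0x3C4D, "www.apple.com", 28, [ipaddress.IPv6Address("2001:db8::1").packed]),
    build_response(0x0042, "example.net", 1, [ipaddress.IPv4Address("192.0.2.7").packed]),
]

if __name__ == "__main__":
    for txid, ex in sorted(correlate(SAMPLE).items()):
        print(f"dns.id == 0x{txid:04x}: {ex['query']['questions']} -> {ex['response']['answers']}")
    print(addresses_for(SAMPLE, "www.apple.com"))
```

The pairing is done purely on the 16-bit ID, which is what Wireshark's "Selected" filter does too; on a long capture the same ID will eventually recur, which is why the query name is worth adding to the filter when an ID returns more than two packets.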

Reading a Network Message

[Screenshot: Packet Details pane for an HTTP GET over IPv6]

Now that I've found the first really interesting message, it is time to give a little more detail on what Wireshark tells us about a message.

Every message (frame) has a unique number within the capture file, so you can tell people to check frame 26218 instead of pointing them to the first HTTP GET. Wireshark always shows the full decoded protocol hierarchy for each message in the Packet Details pane, starting with a "Frame" entry (metadata about the capture itself: arrival time, length, the interface it was captured on) and then one entry per protocol, in this example Ethernet (layer 2), IPv6 (layer 3), TCP (layer 4) and HTTP (the application layer). Each entry is a tree you can expand, and every field in it has a display filter name that the status bar shows when you click it.

For a stream based protocol like TCP, Wireshark tracks the conversation: the TCP entry carries sequence and acknowledgement analysis that refers to the frames before and after the current one, and Follow TCP Stream (in the Analyze menu) reassembles the whole exchange. For protocols like HTTP it also gives as much context per frame as it can, for example a link from a request to the frame holding its response and back.
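The layer-by-layer decoding described above, together with the "addr" shorthand and the empty IPv4 result from the previous steps, as an added Python example (not from the original Instructable and not Wireshark's own code): it builds three constructed Ethernet frames (an IPv6 HTTP request and its response, and an IPv4 UDP datagram), dissects each into the Frame / Ethernet / IP / transport / HTTP hierarchy using Wireshark's display filter field names as keys, and evaluates comparisons such as ip.addr == 2.17.45.15 (no match, because the web traffic is IPv6) and ipv6.addr == ... (both directions). MAC and IP addresses are documentation placeholders, and checksums are left at zero because nothing here is put on a wire.

```python
"""Dissect constructed frames into Wireshark's protocol hierarchy and evaluate
display-filter style comparisons against the result. Field names follow
Wireshark's display filter names so the same expressions work in the Filter bar."""
import struct
import ipaddress

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet + (IPv4 | IPv6) + (TCP | UDP) around payload. Checksums stay 0."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if proto == PROTO_TCP:      # 20-byte header: seq/ack 1, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                       # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    if src.version == 4:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                             proto, 0, src.packed, dst.packed)
        ethertype = ETHERTYPE_IPV4
    else:                       # version 6, payload length, next header, hop limit
        ip_hdr = struct.pack("!IHBB16s16s", 0x60000000, len(l4), proto, 64,
                             src.packed, dst.packed)
        ethertype = ETHERTYPE_IPV6
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ethertype) + ip_hdr + l4


def dissect(frame, number):
    """Return [(protocol, {field: value}), ...], outermost layer first."""
    layers = [("frame", {"frame.number": number, "frame.len": len(frame)})]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers.append(("eth", {"eth.dst": frame[:6].hex(":"), "eth.src": frame[6:12].hex(":"),
                           "eth.type": ethertype}))
    off = 14
    if ethertype == ETHERTYPE_IPV4:
        proto = frame[off + 9]
        layers.append(("ip", {"ip.src": str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
                              "ip.dst": str(ipaddress.IPv4Address(frame[off + 16:off + 20])),
                              "ip.proto": proto}))
        off += (frame[off] & 0x0F) * 4          # IHL is in 32-bit words
    elif ethertype == ETHERTYPE_IPV6:
        proto = frame[off + 6]                  # Next Header
        layers.append(("ipv6", {"ipv6.src": str(ipaddress.IPv6Address(frame[off + 8:off + 24])),
                                "ipv6.dst": str(ipaddress.IPv6Address(frame[off + 24:off + 40])),
                                "ipv6.nxt": proto}))
        off += 40                               # fixed header only; extension headers not handled
    else:
        return layers                           # ARP and friends: stop after Ethernet
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    if proto == PROTO_TCP:
        layers.append(("tcp", {"tcp.srcport": sport, "tcp.dstport": dport}))
        off += (frame[off + 12] >> 4) * 4       # data offset, in 32-bit words
    elif proto == PROTO_UDP:
        layers.append(("udp", {"udp.srcport": sport, "udp.dstport": dport}))
        off += 8
    else:
        return layers
    payload = frame[off:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        key = "http.response.line" if payload.startswith(b"HTTP/") else "http.request.line"
        layers.append(("http", {key: first_line}))
    return layers


def matches(layers, field, value):
    """One display-filter comparison. The .addr and .port shorthands match
    either direction, like ip.addr / ipv6.addr / tcp.port in Wireshark."""
    proto, _, name = field.partition(".")
    candidates = {"addr": ("src", "dst"), "port": ("srcport", "dstport")}.get(name, (name,))
    for layer, fields in layers:
        if layer == proto:
            return any(str(fields.get(f"{proto}.{c}")) == str(value) for c in candidates)
    return False                                # protocol absent from this frame


def apply_filter(dissected, field, value):
    """Frame numbers that match, like the packet list after pressing Enter."""
    return [layers[0][1]["frame.number"] for layers in dissected if matches(layers, field, value)]


CLIENT6, SERVER6 = "2001:db8::100", "2001:db8::1"        # constructed placeholder addresses
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", CLIENT6, SERVER6, PROTO_TCP, 50123, 80,
                b"GET / HTTP/1.1\r\nHost: www.apple.com\r\n\r\n"),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.10", "192.0.2.1", PROTO_UDP,
                53000, 53, b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # bare DNS header
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", SERVER6, CLIENT6, PROTO_TCP, 80, 50123,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
DISSECTED = [dissect(f, n) for n, f in enumerate(SAMPLE_FRAMES, 1)]

if __name__ == "__main__":
    for layers in DISSECTED:
        print(" > ".join(proto for proto, _ in layers))
    print(apply_filter(DISSECTED, "ip.addr", "2.17.45.15"))   # empty: the HTTP traffic is IPv6
    print(apply_filter(DISSECTED, "ipv6.addr", SERVER6))      # both directions of the conversation
```

The dissector stops at the first layer it does not understand (an unknown EtherType or transport), which is also why a filter on a field of a protocol absent from a frame simply fails to match rather than erroring, the behaviour behind the empty packet list in the IPv4 step.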

Finally

This primer should have given you enough hints on how to start looking for that message your Arduino is trying to send to your PC to tell you that your clothes are ready for the dryer.

This is just a short introduction to Wireshark. If you really want to start using it, or its text-mode variant tshark, go to the Wireshark documentation and start playing.

If the traffic goes from a client without a desktop OS to a server you don't have access to, or something similar, capturing it can become quite a challenge: you have to get the packets to a machine that can run Wireshark, typically via a mirror (SPAN) port on a managed switch, a network tap, or by capturing on the router and copying the capture file over. Go to the Wireshark FAQ and read the questions in chapter 6 and move on from there.