Viewing packet details

Wireshark can be used to capture data, but can also be used to open PCAP files from other sources (for example, tcpdump). You open a PCAP file through File | Open, which will reveal the list of frames that were captured. The following screenshot is a captured DNS request for www.packtpub.com, which is being submitted to the name server (UDP port 53) at 208.67.220.220 (OpenDNS). The Packet Details pane (highlighted) separates out all the details into the appropriate layers, with each one expandable using the arrows on the left-hand side of the section header:

Wireshark main window

The address, port, protocol, and payload fields under each layer are highlighted (color coded as per the previous chapter); notice how the details in each header are presented as a header: value pair. This allows the operator to easily establish what each data point refers to.

When an item is selected, the corresponding section in the Packet Bytes pane (bottom) is also highlighted, so the operator can see either the continuous data stream in hexadecimal format or the dissected data with its labels. Three instances of the destination port are highlighted. In the Packet Details pane, Wireshark correctly displays this as an integer value (53). In the Packet Bytes pane, the value is the two bytes 00 35 (0x0035, which is 53 in decimal), and in the ASCII column it is -5 (the 00 byte is non-printable and is shown as a placeholder character, and the 35 byte, 53 in decimal, is the ASCII digit 5).
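As an added example (not from the book), the following Python dissector walks a constructed DNS-query frame layer by layer, the way the Packet Details pane does, and renders the same bytes in the hex-and-ASCII form of the Packet Bytes pane, so the 00 35 bytes of port 53 and their ASCII rendering can be seen without a capture. The frame is built inline; the MAC addresses and the 192.0.2.10 source address are placeholders.

```python
import socket
import struct

# Constructed sample frame (not a real capture): Ethernet -> IPv4 -> UDP -> DNS
# query for www.packtpub.com to 208.67.220.220:53, mirroring the capture above.
# The MAC addresses and the 192.0.2.10 source address are placeholders.
def build_sample_frame():
    qname = b"".join(bytes([len(p)]) + p for p in b"www.packtpub.com".split(b".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 49152, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xABCD, 0x4000, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("208.67.220.220")) + udp
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800) + ip

def dissect(frame):
    """Split a frame into per-layer header: value pairs, like the Packet Details pane."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"), "type": hex(ethertype)}}
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    ttl, proto, src, dst = struct.unpack("!BBxx4s4s", frame[14 + 8:14 + 20])
    layers["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    udp_off = 14 + ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    layers["udp"] = {"src_port": sport, "dst_port": dport, "length": ulen}  # bytes 00 35 -> 53
    dns = frame[udp_off + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    labels, pos = [], 12                              # question section follows the 12-byte header
    while dns[pos]:                                   # length-prefixed labels, terminated by a 0 byte
        labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode("ascii"))
        pos += 1 + dns[pos]
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    layers["dns"] = {"id": hex(txid), "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}
    return layers

def hexdump(data, width=16):
    """Offset / hex / ASCII lines, like the Packet Bytes pane; bytes outside
    printable ASCII (such as the 00 in port 53's 00 35) are shown as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines

if __name__ == "__main__":
    frame = build_sample_frame()
    for layer, fields in dissect(frame).items():
        print(layer, fields)
    print("\n".join(hexdump(frame)))
```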

tcpdump can present data on the command line, although this is, of course, less user-friendly than the Wireshark GUI. The following screenshot is one tcpdump view of the same DNS request as we saw in the preceding section (equivalent to the Packet Bytes pane). Notice that there are some formatting differences between tcpdump and Wireshark. One noticeable difference is that the data link layer information is presented in the summary line rather than in the hex and ASCII dump, as it is in Wireshark.

More importantly, compare the 08:19:39.949382 timestamp in tcpdump to the 165.954223 timestamp in the Wireshark Packet list pane. They differ because the Packet list pane shows relative timestamps (seconds elapsed since the first frame of the capture), whereas the tcpdump timestamp is the actual time of capture. In Wireshark, you can verify this in the Packet Details pane (compare the two boxed values), as shown in the following command-line view:

Command-line view of a PCAP in hex and ASCII view (-X) using tcpdump. Color coding has been applied to match the highlights from the preceding Wireshark screenshot

Notice that achieving this specific view requires some tweaking of the parameters provided to tcpdump. This is beyond the scope of this course; the tcpdump man page is listed in the Further reading section.
