Network administrators and security analysts often work packet captures to analyze the traffic and determine the cause of network events and attacks in the network. With Wireshark being the preferred tool to capture and analyze network traffic, it is important to have an understanding of how to use Wireshark’s features and know about its options. This chapter focuses on various features and options available in Wireshark.
Overview of Wireshark tool
Performing packet capture using Wireshark
Working with Wireshark capture files
Analyzing packets in Wireshark
Overview of Wireshark Tool
Wireshark user interface
Wireshark Preferences
Mac: Wireshark | Preferences
Windows: Edit | Preferences
Linux: Edit | Preferences
From the Preferences window, users can change the settings for the following sections.
Appearance
Custom Wireshark layout
Capture
Enable or disable the option to capture packets in promiscuous mode
Enable or disable the option to capture packets in pcapng format
Enable or disable the option to update the list of packets in real time
Enable or disable the option for automatic scrolling when capturing live packets
Enable or disable the option to not load interfaces on startup
Enable or disable the option to disable external capture interfaces
Expert
The Expert section of the Wireshark Preferences window allows you to define different field names and set the severity for those fields.
The Expert section is covered later when covering Expert Information.
Filter Buttons
HTTP GET filter button
Name Resolution
The Name Resolution settings allow users to update the settings with regard to MAC address resolution and transport and network address resolution. These settings also allow users to use Domain Name System (DNS) packets for address resolution, use an external network name resolver, and also use the list of DNS servers for name resolution. The Name Resolution section also has options to list the DNS servers that can be used by Wireshark.
Protocols
The Protocols section of the Preferences window allows the user to configure settings for various lists of protocols supported by Wireshark. This is useful for analyzing traffic in network environments where the protocols are being used ports different than the default port numbers.
RSA Keys
The RSA Keys section allows user to configure the RSA private keys for decryption. In this section, use the Add New Keyfile button to select a file. The user will be prompted for a password if necessary. The Add New Token button can be used to add keys from a hardware security module (HSM), which might require using Add New Provider to add a vendor-specific configuration.
Statistics
This section allows you to customize the settings used by Wireshark to perform and display statistical analysis of the captured traffic. Settings such as burst rate resolution, burst rate window size, tab update interval, and so on, can be configured under this section.
Advanced
Wireshark Advanced preferences
Performing Packet Capture Using Wireshark
Input: This tab displays all the interfaces. You can enable the listed network interfaces and select one of the interfaces on which you wish to capture incoming and outgoing packets.
Output: This tab allows the user to edit the output settings, such as the output format, permanent file name where the packet capture will be saved, and also options to save the captured traffic into a new file by limiting the number of packets, file size, duration, and so on.
Options: The Options tab gives you options to set the display settings of the captured packets, such as updating the list of packets in real time, automatic scrolling during live capture, and showing capture information during live capture. It also has options for name resolution such as resolving MAC addresses, network names, and transport names. Users can also define the settings for when they can stop the packet capture.
Wireshark - Capture Options window
Once all the capture options are set, users can click the Start button to begin the packet capture. It is important to note that you can capture traffic on interfaces that are in promiscuous mode. This mode allows you to see all the traffic coming into the NIC. In Figure 2-5, notice that all the listed interfaces have promiscuous mode enabled.
To perform on Mac OS, users are required to install the ChmodBPF application. By default, users on Mac OS do not have privileges or permission to capture traffic on local interfaces. Once the ChmodBPF daemon is launched, it creates the access_bpf group and adds the user to that group. Similarly, on Windows, Wireshark requires either Npcap or WinPcap to capture live network traffic.
Dissectors
Protocol tree: Performs detailed analysis of a single packet.
Dissectors: Hold the information from the Request for Comment (RFC) and other specifications on how to decode and interpret fields of different protocol packets.
Dissector plug-ins: Allows the use of default dissectors that come with Wireshark and also allows the use of user-created dissector plug-ins.
Display filters: – Provide options to perform filtering on captured data.
- 1.
Wireshark identifies the frame type of any incoming packet and hands it off to the correct frame dissector, for instance, Ethernet.
- 2.
The dissector breaks down the contents of the frame header to understand which section to look up next. For instance, Ethernet type 0x0800 in the Type field of the Ethernet header indicates Internet Protocol version 4 (IPv4). Wireshark then hands off the packet to the IP dissector.
- 3.
After the IP dissector decodes the IP header, it identifies the next protocol header by looking at the Protocol field in the IP header. If the value is 0x06 it hands off the packet to the TCP dissector. If the value is 0x11, it hands off the packet to the User Datagram Protocol (UDP) dissector.
- 4.
This process is followed until there are no further dissections identified by the current dissector.
Wireshark - Decode As
This feature comes in very handy when the network administrators are running the protocols on a port numbers other than their defaults.
Configuration Profiles
Default: Default profile
Bluetooth: Global profile
Classic: Global profile
No Reassembly: Global profile
Preferences
Capture filters (cfilters)
Display filters (dfilters)
Coloring rules
Disabled drotocols
User accessible tables (e.g., custom HTTP headers, custom LDAP AttributeValue types, etc.)
Dissector assignments (decode_as_entries)
Recent settings such as pane sizes, column widths, and so on
- 1.
On the Edit menu, click Configuration Profiles. This opens the Configuration Profiles dialog box.
- 2.
In the Configuration Profiles dialog box, click the + icon to add a new profile. For example, let’s create a configuration profile named Network Profile. This profile will be of type Personal. The newly created profile is created with the default settings that are part of the Default profile.
- 3.
Select the Network Profile and click OK.
Once the custom profile is created and selected, all the preferences and other settings such as capture or display filters will be saved under the custom configuration profile.
Filtering with Wireshark
Crashing of Wireshark application due to large file size
Longer time needed to load and analyze the captured packets
Might not be able to capture problematic traffic during a short time span due to higher packet per second (pps) rate
Capture filter: This is used to filter or restrict the packets that will be captured by Wireshark.
Display filter: This is used to filter the packets from the captured traffic.
We next discuss both these filtering capabilities in detail.
Capture Filters
Wireshark capture filter
Default Wireshark Capture Filters
Filter Name | Filter Config |
|---|---|
Ethernet address 00:08:15:00:08:15 | ether host 00:08:15:00:08:15 |
Ethernet type 0x0806 (ARP) | ether proto 0x0806 |
No Broadcast and no Multicast | not broadcast and not multicast |
No ARP | not arp |
IPv4 only | ip |
IPv4 address 192.0.2.1 | host 192.0.2.1 |
IPv6 only | ip6 |
IPv6 address 2001:db8::1 | host 2001:db8::1 |
TCP only | tcp |
UDP only | udp |
Non-DNS | not port 53 |
TCP or UDP port 80 (HTTP) | port 80 |
HTTP TCP port 80 | tcp port http |
No ARP and no DNS | not arp and port not 53 |
Non-HTTP and non-SMTP to/from www.wireshark.org | not port 80 and not port 25 and host www.wireshark.org |
- 1.
Go to the Capture menu and select Capture Filters to open the Capture Filters dialog box.
- 2.
In the Capture Filters dialog box, click the + icon, which will add an entry at the end of the existing default list.
- 3.
Edit the name of the filter and set it to VXLAN only and then edit the Filter Expression and set it to udp port 4789.
- 4.
Click OK to save.
- 5.
Once saved, go to the Capture menu and select Options. This will open the Wireshark Capture Options dialog box.
- 6.
In this dialog box, click the green bookmark icon next to Capture Filter for Selected Interfaces. This displays the list of all capture filters that are available. Select the VXLAN Only option as shown in Figure 2-8.
- 7.
Once the interface and capture filter are selected, click Start to start the capture.
Selecting a customdefined capture filter
You will now notice that only the VXLAN packets are being captured in Wireshark. This method of capturing packets has the benefit of capturing only specific traffic, but if the user is unsure about which traffic to capture, it might be a better option to use display filters.
Display Filters
Typing the display filter criteria with the help of auto-complete
Applying saved display filters
Using expressions
Right-clicking the filter
Applying conversation or endpoint filters
Filtering packets using a display filter
Simple Display Filters
Filter Config | Filter Description |
|---|---|
tcp | Filtering only TCP packets |
udp | Filtering only UDP packets |
ip | Filtering only IPv4 traffic |
ipv6 | Filtering only IPv6 traffic |
arp | Filtering only ARP broadcast packets |
dns | Filtering only DNS packets |
Display Filters for Packet Characteristics
Filter Config | Filter Description |
|---|---|
tcp.analysis.flags | Displays packets that contain one of the TCP analysis flags packets |
tcp.bogus_header_length | Filters TCP packets that have bogus header length in the TCP header |
ip.bogus_header_length | Filters packets that have bogus header length in the IP header |
Operators for Display Filters
Operators | Operator Description |
|---|---|
== | Exactly matches the specified value |
> | Matches when the value of the field is greater than the specified value |
< | Matches when the value of the field is less than the specified value |
>= | Matches when the value of the field is greater than or equal to the specified value |
<= | Matches when the value of the field is less than or equal to the specified value |
! | Filters all the values of the field that do not match the specified expression |
!= | Filters all the values that do not match the specified value |
&& | Allows AND operation between two different expressions; filters the packets that match all the specified expressions |
|| | Allows OR operation between two different expressions; filters the packets that match any of the two expressions |
Expressions for Display Filters
Filter Expressions | Filter Description |
|---|---|
http.request.method == "POST" | Filters traffic that includes the HTTP POST method in the HTTP headers |
tcp.window_size < 1500 | Matches packets that have TCP window size less than 1,500 |
Filters DNS queries for www.google.com | |
udp.port != 686 | Filters out packets that do not match UDP port number 686 |
(arp.opcode == 0x0001) && (arp.src.hw_mac == 00:01:ab:cd:0e:02) | Displays ARP request only from MAC address 00:01:ab:cd:0e:02 |
(tcp.flags.syn == 1) && !(tcp.flags.ack == 1) | Displays packets that have the TCP SYN bit set but do not have the TCP ACK bit set. |
(icmp.type == 3) && ((icmp.code = 0x01) || (ip.addr == 192.168.100.1)) | Displays Internet Control Message Protocol (ICMP) unreachable packets where the host is unreachable or either the source or destination address is 192.168.100.1 |
Display filter using auto-complete
Display filter bookmarks and options
Right-click filtering
Selected: Creates a filter matching the selection
Not Selected: Creates an exclusion filter
And Selected: Must match both the existing filter and the selection
Or Selected: Must match either the existing filter or the selection
And Not Selected: Must match the existing filter with the exclusion of the selection
Or Not Selected: Must match either the existing filter or filter based on the exclusion of the selection
Users can also leverage the Copy | As Filter feature available in Wireshark as part of right-click filtering. This feature allows users to copy the filter expression without applying or listing the filter in the display filter pane. This feature can be very useful for creating complex display filters or for copying filters between different Wireshark instances where we want to trace the packets across multiple capture files.
Although there are many ways of creating display filters, one of the features that really stands out in Wireshark is its ability to catch errors or mistakes in display filters, which prevents users from applying the wrong display filters on the packet captures. The display filter pane turns red and disables the option to apply a filter if there is an incomplete or incorrect display filter expression typed in the pane.
Working with Wireshark Capture Files
As stated before, Wireshark captures network traffic and allows the user to save the packets with either .pcap or .pcapng extensions. The pcap file format is the initial version of the file format that was originally implemented in UNIX and Linux using the libcap library. This file format was implemented in Windows using the WinPcap library. The pcapng file format was the result of an Internet Engineering Task Force (IETF) draft that specifies the PCAP Next Generation (pcapng) Capture File Format. Through this IETF draft, the proponents defined standardized blocks and fields, thus making the pcapng format a more extensible and futureproof file format.
PCAP vs. PCAPng
There are several differences between the pcap and pcapng file formats, some of which are listed in the sections that follow.
Capture from Multiple Interfaces
Interface description block
A simple packet block, which is a smaller and simpler packet block that is easy to process and contains a minimal set of information, does not contain the Interface ID field and is thus set to a default value of 0. With a simple packet block, it is assumed that the packets have been captured on the interface that was previously specified in the first interface description block.
Packets with interface id 1
Timestamps
With pcap format, one of the major concerns for network analysts was its resolution on packet timestamps. Each packet in the pcap format has a time resolution accurate to the microsecond level (i.e., 10-6 seconds), which provides a resolution for 999,999 packets per second. On first look, this number looks reasonable, but with the modern-day networks evolving to 25 Gig, 40 Gig, and 100 Gig links, microsecond-level accuracy can create a huge gap. It is imperative to note that even a common 1 Gig link can easily exceed this link. The pcapng file format provides the capability to adjust the resolution using a flexible timestamp format, which is now expressed as a 64-bit time unit that can easily accommodate evolving network speeds. The default resolution value on packet timestamps is still given in microseconds, but this can be altered by setting the if_tsresol option in the interface description block.
Embedding Comments
Adding comments on a packet
Packet headers with comments
To add top-level comments or file-level comments, go to Statistics | Capture File Properties. This opens a window that includes a Capture File Comments section. Users can add the comments and then click Save Comments to save the top-level comments.
Metadata
Additional information is always useful when investigating network issues. Although adding top-level and per-packet comments can be extremely useful, additional information such as the source of the packet capture can be very useful. With pcapng, additional fields such as a description field, OS field, and filter field within the interface description block can provide additional information regarding the capture source.
Extendable Format
Because the pcapng format is standardized and deploys a generic block structure, it allows the format to evolve over time. In pcapng, specific blocks are defined for packets (enhanced packet block or simple packet block) and interfaces (interface description block). Additional information such as metadata can be stored in other optional blocks, such as a name resolution block or interface statistics block. With the options to define experimental blocks and metadata, pcapng allows organizations to develop their own customized yet compatible network analysis tools.
Splitting Packet Captures into Multiple Files
- 1.
On the Capture menu, select Capture Options. This opens the Capture Options window in Wireshark.
- 2.In the Capture Options window, click the Output tab.
On the Output tab, set the capture file from under Capture to a Permanent File by clicking Browse and specifying the file name. Click Save.
Choose the output format. The default option is pcapng.
Select the Create a New File Automatically check box.
You can then select one or multiple options to decide which factors will trigger the creation of a new file. For instance, you can select an option to create a new file after the file has reached 100 packets, as shown in Figure 2-17.
- 3.
Once these options are selected, click Start.
Splitting packet capture into multiple files
Merging Multiple Capture Files
Prepend Packets: Prepends the packets from the selected file before the currently loaded packets.
Merge Chronologically: Merge packets from both opened and selected files in chronological order. This option is selected by default.
Append Packets: Appends the packets from the selected file after the currently loaded packets.
- 1.
Open or load a packet capture file on Wireshark.
- 2.
On the File menu, select Merge to open the Merge dialog box.
- 3.
Select the file that you want to merge with the opened file, as shown in Figure 2-18.
Merging multiple capture files
Once the packets are merged, the user can then save the merged file with the same or a different name.
Analyzing Packets in Wireshark
- 1.
When did the problem start?
- 2.
What is or was the trigger for the problem?
- 3.
Can we re-create the problem?
- 4.
Does the problem happen at a particular time in the day?
- 5.
How frequently does the problem occur in the network?
- 6.
What kind of traffic is affected?
- 7.
Is the issue currently occurring?
- 8.
To which segment of the network is the problem isolated?
- 9.
How many network users are affected due to the given problem?
Baselining the network
Troubleshooting a network issue (e.g., packet loss, latency issue, network attack, etc.)
OSI Model
Before diving into the steps involved in performing packet analysis, it is important to understand the Open Systems Interconnection (OSI) model. The OSI model was developed by the International Organization for Standardization (ISO) in 1984 with the sole intent of standardizing the communication functions of a telecommunications or computing system irrespective of its underlying structure and technology. The OSI model helps with interoperability across different computers or network devices.
OSI model
OSI Model Layers and Their Functions
Layer | Functions |
|---|---|
Physical layer | Transits and receives raw bit streams over a physical medium Examples: 1000BaseTX, ISDN, etc. |
Data Link layer | Provides reliable transmission of data frames between two devices connected via the physical layer Examples: Ethernet, Frame Relay, ATM, etc. |
Network layer | Provides mechanism for structuring and managing a multinode network. The network layer takes care of IP/IPv6 addressing, routing protocols, and traffic control. Examples: IPv4, IPv6, ICMP, IPSEC |
Transport layer | Provides reliable transmission of data segments between two points in a network through transport layer protocols. Examples: TCP and UDP |
Session layer | Manages communication sessions. Examples: NetBIOS, SAP |
Presentation layer | Also known as the Translation layer; Provides three primary functions: Translation Encryption/decryption Compression Examples: SSL, TLS, MPEG |
Application layer | Provides high-level application programming interfaces (APIs) including resource sharing and remote file access. Examples: FTP, SMTP |
To enable communication across each layer, communication protocols enable the communication between two hosts on the same corresponding layer. We learn more about these communication protocols in the coming chapters.
Analyzing Packets
Wireshark organizes the captured packets in an incredibly easy-to-read packet list pane. Once the packets are captured, and if users want to identify the details of the packet, all they need to do is find the packet and click on it. On clicking any packet in the packet list pane, the details about the structure of the packet along with all its fields are visible in the packet details pane. The details displayed in the packet details pane make it incredibly easy to learn and understand more about the packet.
Wireshark user interface
No.: This column displays the number order of the captured packet. If there is a bracket displayed along with the packet number, it indicates that the packet is part of the conversation.
Time: This column displays how long after the packet capture was started each packet got captured.
Source: This column displays the source address of the system from where the packet originated.
Destination: This column displays the address of the destination device or host for which the packet is destined.
Protocol: This column displays the type of each packet; for instance, TCP, ICMP, DNS, and so on.
Length: Displays the length of each packet in bytes.
Info: This column displays more information about the packet and could have varied information from packet to packet.
Out of these fields, the Time and Length fields require a bit more explanation, as the rest of the fields are self-explanatory.
Time
Seconds
Tenths of a second
Hundredths of a second
Milliseconds
Microseconds
Nanoseconds
Time (format as specified); this is the default option
Absolute date, as YYYY-MM-DD, and time
Absolute date, as YYYY/DOY, and time
Absolute time
Delta time
Delta time displayed
Relative time
UTC date, as YYYY-MM-DD, and time
UTC date, as YYYY/DOY, and time
UTC time
Wireshark with UTC date and time timestamps
Length
Packet Lengths
Count
Average
Min Val
Max Val
Rate (ms)
Percent
Burst Rate
Burst Start
Packet Lengths statistics
Capture File Properties
Packets (total packets captured)
Time span (total time span for which the capture was running)
Average pps
Average packet size in bytes
Bytes
Average bytes/second
Average bits/second
Capture File Properties dialog box
There is other statistical and deep packet analysis that can be done, but those topics are covered in the coming chapters once we have built a more foundational knowledge on troubleshooting issues with different packet types.
Summary
In this chapter we gained a basic understanding of how to use the Wireshark tool and became familiar with its UI. Initially, we learned about Wireshark preferences and how users can change the default settings and UI according to their requirements and oreferences. We then learned how to perform packet captures and how dissectors play a role in Wireshark to break down packets into a more consumable format. We also covered various filtering techniques, such as capture filters, display filters, and how users can save the filters based on their usage. This chapter also discussed in detail the differences between the pcap and the pcapng file formats and the information available across these file formats. Finally, we concluded this chapter by learning how to analyze the packet using the Wireshark UI and how various statistical information can be identified from the captured packets.