I12: Capturing a packet - from Ether and Wire to Wireshark
Jörg Mayer <[email protected]>
Online version of the Sharkfest talk
The slides of this talk are © 2014 Jörg Mayer
Licensed under CC-BY-SA 3.0
https://creativecommons.org/licenses/by-sa/3.0/
Sharkfest 2014
Introduction
Jörg Mayer
1st sniffer: Etherfind on SunOS (1992)
Ethereal user since 1998
1st patch submitted 1998
Core Developer
Day job:
Network Consultant (Design, Implementation, Troubleshooting)
Content
● Part 1
Capturing data on the wire
Passing the OS
dumpcap and wireshark
● Part 2
What's different with wireless
OS
Capture
Part I
From wire to Wireshark
Data Capture
3 scenarios for how data is captured
(ultra short version, there are whole talks just about this)
● Shared media
● Mirror ports
● Taps
Data Capture
● Shared/BUS
● All network participants may see each other’s traffic
Data Capture
● Tap
Data Capture
● Mirror port
Data Flow
Ethernet chip „surprises“
● always filters errored frames
● FCS often missing
● MAC filtering (turn off via „promiscuous mode“)
● VLAN tagging offloading
● IP/UDP/TCP checksum offloading
● generic/UDP/TCP segmentation offloading
● link-pulse, autonegotiation invisible
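The checksum-offloading item above is the one that most often makes a healthy capture look broken: frames captured on the sending host carry a checksum field the NIC has not filled in yet. The added Python example below (not from the talk) computes the RFC 791 IPv4 header checksum over a constructed header and classifies the stored field; the `offload?` label for an all-zero field is a heuristic of this example, not something the dissector reports by name.

```python
import struct

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words
    of the header with the checksum field itself treated as zero."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    if len(h) % 2:
        h.append(0)
    total = sum(struct.unpack(f"!{len(h) // 2}H", bytes(h)))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_ipv4_header(packet: bytes) -> str:
    """Classify the checksum field of an IPv4 header the way an analyst
    reading a capture would: 'good', 'offload?' or 'bad'."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    if stored == ipv4_header_checksum(header):
        return "good"
    # An all-zero field on a frame captured from the sending host is the
    # usual sign of checksum offloading: the NIC fills the field in after
    # the capture point, so the capture shows a value that never hit the wire.
    if stored == 0:
        return "offload?"
    return "bad"

# Constructed sample: 20-byte IPv4 header, UDP, 192.168.0.1 -> 192.168.0.199,
# with a correct checksum field (0xb861). Not taken from a real capture.
GOOD_HEADER = bytes.fromhex("45000073 00004000 4011b861 c0a80001 c0a800c7")
# The same header as it typically appears in a transmit-side capture with
# IP checksum offloading enabled: the field is still zero.
OFFLOADED_HEADER = GOOD_HEADER[:10] + b"\x00\x00" + GOOD_HEADER[12:]
# One bit flipped in the TTL byte: a genuinely corrupted header.
CORRUPT_HEADER = GOOD_HEADER[:8] + bytes([GOOD_HEADER[8] ^ 0x01]) + GOOD_HEADER[9:]

if __name__ == "__main__":
    for name, hdr in [("good", GOOD_HEADER), ("offloaded", OFFLOADED_HEADER), ("corrupt", CORRUPT_HEADER)]:
        stored = (hdr[10] << 8) | hdr[11]
        print(f"{name:9s} stored=0x{stored:04x} -> {check_ipv4_header(hdr)}")
```

Wireshark reports such frames as checksum errors unless validation is switched off in the IPv4/TCP/UDP protocol preferences; on Linux, `ethtool -K <iface> tx off` turns transmit checksum offloading off so the capture shows the values that actually reach the wire.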
Data Flow
Driver (not Windows)
● adds metadata (some of the following)
● timestamp
● direction
● packet size
● capture size
● encapsulation type
Data Flow
Sidetrack: NDIS
Windows „driver framework“
(ultra short version)
● Drivers and IP-Stack hook into it
● WinPcap uses NDIS version 5
● Responsible for many „features“ of Windows capture
Sidetrack: NDIS „surprises“
● No capture on Loopback, ppp, vpn interfaces
● „random“ placement in the chain of other clients
● Firewalls
● Virus checkers
● VPN
Data Flow
More on packet.dll (Windows only)
Compensates for missing stuff in kernel/drivers
(ultra short version)
● Provides NPF
● Provides timestamps (and other metainfo)
Timestamps on Windows are far less accurate than on Unix-like systems
Data Flow
Data Flow
dumpcap
The program that does (almost) nothing
● Asks the kernel to capture (often requires special privileges)
● Adds pcapng header to packet and writes to file
● Signals Wireshark that new data is available
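The metadata the driver attaches (timestamp, packet size, capture size, encapsulation type) is exactly what ends up in the pcapng blocks dumpcap writes. As an added example, not dumpcap's own code, here is a minimal little-endian pcapng writer and reader in Python covering the Section Header, Interface Description and Enhanced Packet blocks; the sample frame and timestamp are constructed, and the single interface relies on the default microsecond timestamp resolution.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block type codes
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1

def _block(block_type: int, body: bytes) -> bytes:
    """Frame one pcapng block: type, total length, 32-bit padded body, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def write_pcapng(packets, linktype=LINKTYPE_ETHERNET, snaplen=262144) -> bytes:
    """packets: iterable of (timestamp_us, frame). Builds SHB + one IDB + one EPB per frame.
    Without an if_tsresol option the IDB implies microsecond timestamps."""
    out = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))  # v1.0, section length unknown
    out += _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))
    for ts_us, frame in packets:
        captured = frame[:snaplen]  # capture size may be shorter than the original packet size
        out += _block(EPB, struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF,
                                       len(captured), len(frame)) + captured)
    return out

def read_pcapng(data: bytes):
    """Walk the block chain; return (linktype, [(timestamp_us, caplen, origlen, frame), ...])."""
    offset, linktype, packets = 0, None, []
    while offset < len(data):
        block_type, total = struct.unpack_from("<II", data, offset)
        body = data[offset + 8:offset + total - 4]
        if block_type == SHB:
            if struct.unpack_from("<I", body)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("big-endian sections are not handled by this example")
        elif block_type == IDB:
            linktype = struct.unpack_from("<H", body)[0]
        elif block_type == EPB:
            _iface, hi, lo, caplen, origlen = struct.unpack_from("<IIIII", body)
            packets.append(((hi << 32) | lo, caplen, origlen, body[20:20 + caplen]))
        offset += total
    return linktype, packets

# Constructed sample: a 100-byte broadcast Ethernet frame and a fixed timestamp (not a real capture).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 021122334455 0800") + bytes(86)
SAMPLE_TS_US = 1_400_000_000_000_000

def round_trip(snaplen=64):
    """Write the sample with the given snaplen and read it back, as dumpcap -s would truncate it."""
    return read_pcapng(write_pcapng([(SAMPLE_TS_US, SAMPLE_FRAME)], snaplen=snaplen))
```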
Data Flow
Data Flow
Inside Wireshark
Read filters
The packets Wireshark knows about
Command line syntax: -R <read filter>
Same syntax as display filters
Display filters
The packets Wireshark shows
Command line syntax: -Y
Inside Wireshark
Filtering is expensive (CPU, memory)
Read filters easily filter too much:
● IP fragments relevant to your protocol
● TCP packets without payload relevant to your protocol
● There are talks about what can go wrong here
Part II
Wireless
Wireless works the same
if we only
● do cooked capture
(frames look like Ethernet frames)
● don't turn on promiscuous mode on Windows
(some Windows drivers do „interesting“ things)
… well - almost the same
cooked capture means
● replace IEEE802.11 header by Ethernet_V2 header
● we only see traffic as we would on a switch:
Broadcasts, Multicasts, Unicasts to/from us
● data frames only
no wireless control, management or EAPOL frames (4-way handshake)
● already decrypted
Surprises with WLAN captures
● No packets captured at all
● Are you on Windows?
● Do you have promiscuous mode turned on?
● I only see my own traffic
● Maybe you are actually looking at cooked traffic?
● What is the L2-Header: 802.11 or Ethernet?
Surprises with WLAN captures
● No machines visible or only traffic in one direction
● Are you on the same channel/band that they are on?
● Is the „invisible“ machine a „hidden station“ (the AP can see the station but we can't)?
● Special case of hidden station: incompatible antenna (polarization)
● I see traffic from machines not on my channel
● A channel is 5 MHz wide; a signal is 22 (b), 20 (a/g), 20/40 (n) or 20/40/80/160 (ac) MHz wide, so we see neighboring traffic as well.
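The channel arithmetic above, worked through as an added Python example (not from the talk): it assumes the 2.4 GHz band, 5 MHz channel spacing from 2412 MHz, and equal-width signals centred on their nominal channel, and derives which channels' frames can show up in a capture and which channel sets do not overlap at each signal width.

```python
def channel_center_mhz(channel: int) -> int:
    """2.4 GHz band: channels 1-13 sit 5 MHz apart, starting at 2412 MHz for channel 1.
    (Channel 14 at 2484 MHz breaks the pattern and is left out of this model.)"""
    if not 1 <= channel <= 13:
        raise ValueError("only 2.4 GHz channels 1-13 are modelled here")
    return 2412 + 5 * (channel - 1)

def overlapping_channels(channel: int, signal_width_mhz: int) -> list[int]:
    """Other channels whose transmissions share spectrum with ours.
    Two equal-width signals overlap when their centres are closer than one signal width."""
    ours = channel_center_mhz(channel)
    return [c for c in range(1, 14)
            if c != channel and abs(channel_center_mhz(c) - ours) < signal_width_mhz]

def non_overlapping_plan(signal_width_mhz: int) -> list[int]:
    """Greedy pick of channels, from 1 upwards, that do not overlap each other at this width."""
    chosen = []
    for c in range(1, 14):
        if all(abs(channel_center_mhz(c) - channel_center_mhz(p)) >= signal_width_mhz
               for p in chosen):
            chosen.append(c)
    return chosen

if __name__ == "__main__":
    # Sniffing on channel 6: which channels' traffic may show up in the capture?
    for label, width in [("b", 22), ("a/g", 20), ("n 40 MHz", 40)]:
        print(f"{label:9s} width {width:3d} MHz: overlaps {overlapping_channels(6, width)}, "
              f"non-overlapping plan {non_overlapping_plan(width)}")
```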
Surprises with WLAN captures
● Some packets are missing
● Channel hopping sniffing software (e.g. kismet)
● Rarely: AP changing channel (DFS: regulator, ACS: optimize)
● Some of ACK, RTS, CTS frames are missing
● Some (mostly older) chips process these frames and can't forward them to the driver (reduced raw capture)
Surprises with WLAN captures
● No data frames, or only multicast/broadcast frames
● The capture hardware is too old (b < g < n2, a < n5 < ac)
● The capture hardware doesn't support enough streams (n, ac)
● Lots of corrupted but ACK'ed frames
● Sniffer close to interference source
Surprises with WLAN captures
● Decryption of WPA/WPA2 doesn't work
● raw capture required AND 4-way-handshake capture required AND no 802.1X
● Wireshark: pwd vs. psk
● Network not visible but active clients
● Hidden SSID
● deactivated beacons
Thanks to....
● Gerald Combs for providing me with a hobby that has lasted for close to 16 years
● Janice and all the other helpers: It has been a great time
● Riverbed for sponsoring
● The Wireshark community
THANKS for listening!
Questions?