Wireshark Network Protocol Analyzer

Sensor Standardization & Harmonization Working Group

1

Manufacturing Engineering Laboratory (MEL)National Institute of Standards & Technology (NIST)

U.S. Department of Commerce, Technology Administration

Wireshark Network Protocol Analyzer

Jim GilsinnManufacturing Engineering Laboratory (MEL)

National Institute of Standards & Technology (NIST)

May 18, 2010



Sensor Standardization & Harmonization Working Group 2

Overview

• Wireshark: What Is It?• A Brief History• What Can It Do?• How Do I Use It?• Demo

– Starting Screen– Capture Screen– Capture File Statistics– Packet Filtering

• Summary• Where Can I Get It?

May 18, 2010




Wireshark: What Is It?

• De-facto network packet analyzer• Open-source

– GNU General Public License– Over 680 Contributors

• Multi-platform– Pre-compiled installers for PC/Mac– Source code & instructions for Unix & Linux

• Extensible– Add-ons and extensions are relatively easy to build

May 18, 2010




A Brief History

• Started out in 1998 as Ethereal 0.2.0• Became Wireshark in 2006

– Original developer changed companies– Name remained property of previous company– Started as Wireshark 0.99

• Currently 3 versions available– Version 1.0.13 – Old stable release– Version 1.2.8 – Stable release– Version 1.3.5 – Development release

May 18, 2010




What Can It Do?

• Capture live network traffic– Variety of networks (Ethernet, WiFi, Bluetooth, USB, etc.)

• Import capture files from multiple packages– 35 different file network capture file formats

• Display packets in great detail– Over 1000 different protocol decoders have been written

• Identify bad packets– Wireshark knows what the packets should look like

• Search and filter packets– Over 75k different filter variables

• Track “conversations”

May 18, 2010




How Do I Use It?

• Protocol & data analysis– Analyze client-server interaction, errors, network data

verification

• Latency– Client-server request-response timing

May 18, 2010




How Do I Use It?

• Non-web-based applications– Jitter on repeating network packets– Hardware-assisted packet analysis

May 18, 2010




How Do I Use It?

May 18, 2010




Starting Screen

May 18, 2010




Capture Screen

May 18, 2010




Capture Screen: Filtered Packets

May 18, 2010




Capture Screen: Packet Details

May 18, 2010




Capture Screen: Packet Hex/ASCII

May 18, 2010




Capture File Statistics

May 18, 2010




Statistics: Summary

May 18, 2010

• Basic information about the file

• File format• Number of packets• Capture duration• Average

packets/second




Statistics: Protocol Hierarchy

May 18, 2010

• Displays protocol layering• Shows basic statistics for each protocol layer




Statistics: Conversations

May 18, 2010

• Identifies and tracks individual streams of traffic• Can track multiple protocols




Statistics: IO Graph

• Graphical representation of packet timing• Helps identify causes/effects for packets

May 18, 2010




Packet Filtering

May 18, 2010




Building Packet Filters

May 18, 2010




Summary

• Wireshark is the de-factor standard– Very versatile– Extensible

• Wireshark provides insight into what’s happening on the network– Capture and view network traffic– Investigate network issues– Monitor application interactions

• The only way to understand your network is to understand the packets

May 18, 2010




Where Can I Get It?

• Wireshark Website– http://www.wireshark.org

• Wireshark Download– http://www.wireshark.org/download.html

• Wireshark Documentation– http://www.wireshark.org/docs/

• Wireshark Wiki– http://wiki.wireshark.org/

May 18, 2010

http://www.wireshark.org/

http://www.wireshark.org/download.html

http://www.wireshark.org/docs/

http://wiki.wireshark.org/




Questions?

• Jim Gilsinn– Intelligent Systems Division

Manufacturing Engineering LaboratoryNational Institute of Standards & Technology100 Bureau Drive, Stop 8230Gaithersburg, MD 20899-8230

– 301-975-3865– [email protected]– http://www.nist.gov/mel/isd

May 18, 2010

mailto:[email protected]

http://www.nist.gov/mel/isd