Wireshark 1.2 tutorial: Open source network analyzer's new features


Richard Bejtlich

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for network solution providers and consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.

To try Wireshark 1.2, I uninstalled Wireshark 1.0.8. I had no trouble replacing 1.0.8 with 1.2, and I allowed the installer to replace my old version of WinPcap with the newer WinPcap 4.1beta5 bundled with Wireshark 1.2.

I decided to try running Wireshark as a user with no administrative privileges. I relied on manually starting the WinPcap driver called "NPF" in order to give Wireshark the privileges required to sniff traffic on my laptop's wireless NIC. ...



To start NPF manually, I ran "net start npf" from a command prompt. That command alone is sufficient to let Wireshark sniff; I then ran "sc query npf" to show details on the NPF driver, including its current state. Note that starting a kernel driver requires administrative rights, so this step has to be done from an administrator context (or the driver set to start at boot, an option the WinPcap installer offers). Once NPF is running, any local user can open it for capture, which is what lets a non-administrative Wireshark session work, and which is worth remembering on a shared machine.

Now I was ready to start Wireshark, which I did using the desktop icon added during installation. I was surprised to see the following screen.

[IMAGE]
Figure 1. Wireshark Start Screen (click image to enlarge)

Rather than present the user with simply a menu and three blank panes, Wireshark now provides a Web-like interface to the program.

Once you start capturing packets, it is very useful to be able to see a single packet in its own window. One way to access this feature is to highlight any packet in the Wireshark display, right click, and select "Show Packet In New Window." The following figure demonstrates what that looks like.

[IMAGE]
Figure 2. Single Packet Window (click image to enlarge)

One advantage of this feature is the ability to open several such independent windows simultaneously, allowing the analyst to visually compare two or more packets directly.

Wireshark users are very familiar with the Follow TCP Stream feature, which selects the TCP segments of a particular conversation and shows their payload in order. Recent versions of Wireshark offer similar functionality for non-TCP protocols. For example, users can now Follow UDP Streams, which gathers the datagrams exchanged between one pair of addresses and ports, as shown below for DNS traffic.

[IMAGE]
Figure 3. Follow UDP Stream (click image to enlarge)

Users may notice a "Follow SSL Stream" option in the Analyze menu. This only works if Wireshark has been given the right keys, namely the server's RSA private key configured in the SSL protocol preferences, and it cannot recover sessions that negotiated an ephemeral Diffie-Hellman key exchange, because the server's private key alone does not yield the session key. For a short discussion please see my blog post from last year, "Wireshark Display Filters and SSL."

One of the most interesting, but probably underdeveloped, areas of Wireshark is its Protocol Hierarchy Statistics (PHS) feature, found in the Statistics menu.

[IMAGE]
Figure 4. Wireshark Protocol Hierarchy Statistics (click image to enlarge)

Wireshark's PHS breaks the recognized traffic down layer by layer, as far as one might expect. However, the display is static: users cannot click on any part of it to select the packets or conversations behind a row, drill into the findings, or export them for use in another program. One might expect to obtain the same information from Tshark, the command-line version of Wireshark, and its "-z io,phs" statistic does print a protocol hierarchy, but it turns out to be a similar rather than identical view of the same traffic.

Wireshark offers a Conversations feature under the Statistics menu as another way to learn more about a trace from the "bigger picture" perspective. Wireshark will provide summaries for the traffic at whatever level it can recognize. For example, the following screenshot shows that Wireshark has detected Ethernet, IPv4, TCP and UDP traffic in the loaded trace. I'm showing the Ethernet conversations, ordered by the Rel Start column.

[IMAGE]
Figure 5. Wireshark Conversations Showing Ethernet (click image to enlarge)

Looking at the TCP Conversations list, you can see a variety of Web traffic.

[IMAGE]
Figure 6. Wireshark Conversations Showing TCP (click image to enlarge)

Compared with a session-only program like Argus, Wireshark's session summarization is somewhat limited. TCP flags are not displayed, no state of the connection is listed, and the time appears as "Rel Start" (seconds from the first packet in the trace) instead of an absolute date and time stamp.
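Both shortcomings noted above, the static Protocol Hierarchy Statistics that cannot be exported and the Conversations table that shows no TCP flags, no connection state and only relative start times, come down to the same thing: the summaries are computed from the packets, so anything Wireshark does not show can be recomputed from the trace. The following Python script is an added example, not code from this article, from Wireshark or from Argus. It builds a small constructed capture in memory (one HTTP connection and one DNS exchange, not real traffic), dissects Ethernet/IPv4/TCP/UDP with a deliberately minimal dissector, and produces a PHS-style hierarchy table plus a per-conversation table with absolute UTC timestamps, the cumulative TCP flags and a heuristic state label. The port-based HTTP/DNS classification and the state labels are this example's own simplifications, not Wireshark's or Argus's logic.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # classic little-endian pcap, Ethernet frames
TCP_FLAGS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))

def _ipv4(src, dst, proto, l4):                    # header checksum left at zero; not verified below
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4

def _tcp(sport, dport, seq, ack, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap():
    """Constructed capture, not real traffic: one HTTP connection followed by one DNS exchange."""
    c, s, r, t = "10.0.0.5", "93.184.216.34", "10.0.0.1", 1245000000   # t = 2009-06-14 17:20:00 UTC
    get = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    frames = [
        (t, 0,      _ipv4(c, s, 6, _tcp(49152, 80, 1000, 0, 0x02))),          # SYN
        (t, 10000,  _ipv4(s, c, 6, _tcp(80, 49152, 5000, 1001, 0x12))),       # SYN/ACK
        (t, 11000,  _ipv4(c, s, 6, _tcp(49152, 80, 1001, 5001, 0x10))),       # ACK
        (t, 12000,  _ipv4(c, s, 6, _tcp(49152, 80, 1001, 5001, 0x18, get))),  # PSH/ACK carrying the request
        (t, 500000, _ipv4(c, s, 6, _tcp(49152, 80, 1038, 5001, 0x11))),       # FIN/ACK
        (t + 1, 0,     _ipv4(c, r, 17, _udp(53000, 53, b"\x12\x34\x01\x00" + b"\x00" * 26))),  # DNS query
        (t + 1, 20000, _ipv4(r, c, 17, _udp(53, 53000, b"\x12\x34\x81\x80" + b"\x00" * 40))),  # DNS answer
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, ip in frames:
        eth = bytes.fromhex("00112233445566778899aabb0800") + ip    # dst MAC, src MAC, EtherType IPv4
        out += struct.pack("<IIII", sec, usec, len(eth), len(eth)) + eth
    return out

def _dissect(ts_us, frame, wire_len):              # minimal Ethernet/IPv4/TCP/UDP dissector
    rec = {"ts_us": ts_us, "len": wire_len, "path": ["eth"]}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return rec                                 # not IPv4: the path stops at the Ethernet layer
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    rec["path"].append("ip")
    rec["src"], rec["dst"] = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    if frame[23] == 6 and len(l4) >= 20:
        sport, dport, _, _, off, flags = struct.unpack_from("!HHIIBB", l4)
        rec.update(proto="tcp", sport=sport, dport=dport, flags=flags, payload=l4[(off >> 4) * 4:])
    elif frame[23] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4)
        rec.update(proto="udp", sport=sport, dport=dport, flags=0, payload=l4[8:])
    else:
        return rec
    rec["path"].append(rec["proto"])
    app = [name for port, name in ((80, "http"), (53, "dns")) if rec["payload"] and port in (sport, dport)]
    rec["path"] += app[:1]                         # port-based guess, much as Wireshark does by default
    return rec

def parse_pcap(data):
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC or struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap of Ethernet frames")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        records.append(_dissect(sec * 10**6 + usec, data[off + 16:off + 16 + incl], orig))
        off += 16 + incl
    return records

def protocol_hierarchy(records):
    """PHS-style table: every prefix of a frame's protocol path gets the frame counted."""
    table = {}
    for rec in records:
        for depth in range(1, len(rec["path"]) + 1):
            row = table.setdefault(":".join(rec["path"][:depth]), [0, 0])
            row[0] += 1
            row[1] += rec["len"]
    return {path: tuple(row) for path, row in sorted(table.items())}

def _stamp(ts_us):                                 # absolute UTC time, not a "Rel Start" offset
    return datetime.fromtimestamp(ts_us // 10**6, timezone.utc).replace(microsecond=ts_us % 10**6).strftime("%Y-%m-%d %H:%M:%S.%f")

def conversations(records):
    """Per-flow table: absolute start/end, cumulative TCP flags and a heuristic connection state."""
    flows = {}
    for rec in records:
        if "proto" not in rec:
            continue
        a, b = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
        key = (rec["proto"],) + (a + b if a <= b else b + a)      # direction-independent key
        f = flows.setdefault(key, {"first": rec["ts_us"], "last": rec["ts_us"], "packets": 0, "bytes": 0, "flags": 0})
        f["first"], f["last"] = min(f["first"], rec["ts_us"]), max(f["last"], rec["ts_us"])
        f["packets"], f["bytes"], f["flags"] = f["packets"] + 1, f["bytes"] + rec["len"], f["flags"] | rec["flags"]
    table = {}
    for key, f in flows.items():
        seen = "".join(name for name, bit in TCP_FLAGS if f["flags"] & bit)
        if key[0] != "tcp":
            state = "n/a"
        else:   # loosely modelled on Argus's RST/FIN/EST/REQ/CON labels; these rules are this example's own
            state = "RST" if "R" in seen else "FIN" if "F" in seen else ("EST" if "A" in seen else "REQ") if "S" in seen else "CON"
        table[key] = {"start": _stamp(f["first"]), "end": _stamp(f["last"]), "duration_s": (f["last"] - f["first"]) / 1e6,
                      "packets": f["packets"], "bytes": f["bytes"], "flags": seen, "state": state}
    return table
```

parse_pcap accepts any little-endian classic pcap of Ethernet frames, so a trace saved by Wireshark in libpcap format works as well as the constructed one; calling protocol_hierarchy and conversations on its output gives the two tables as plain dictionaries that can be written out or fed to another tool. The dissector stops its protocol path at the last layer it recognized, which is why, as in Wireshark's own hierarchy view, the count at each level never exceeds the level above it.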

It's important to remember that most people use Wireshark to focus on the details of specific packets. In this respect, Wireshark is incredibly powerful, with an amazing number of protocol dissectors ready to tear through almost any protocol found on today's networks. As the product continues to mature, I expect to see more attention paid to larger issues, such as the nature of a trace or even the network from which it was collected.

For more information on Wireshark features, I recommend reading the Wireshark online users guide and Wireshark Wiki.

About the author:
Richard Bejtlich is the director of incident response for General Electric. Richard is also the founder of TaoSecurity, author of several books on network security monitoring (including Extrusion Detection: Security Monitoring for Internal Intrusions), and operator of the TaoSecurity blog.

