Table of Contents for
Mastering Wireshark 2


Mastering Wireshark 2 by Andrew Crouthamel, published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

How to capture traffic

To capture traffic inline for Wireshark, you need to place some sort of device on the wire where it can see the traffic being sent and received, and have it replicate that traffic to one or more additional ports for your diagnostic machines, for example a laptop running Wireshark. On older networks running half duplex, the device for this was the hub, the predecessor to the switch. A hub has very basic functionality: it sees the electrical signals arriving on one port and repeats them out of every other port it has, without any regard for what is attached to those ports. It is basically a splitter. That is fine for a slower, older, half-duplex network, but on a modern switched, full-duplex network a switch forwards a unicast frame only to the port where the destination lives, so a machine plugged into a spare port sees nothing but broadcasts and its own traffic. You will need something a little fancier, and one of the devices you could use is a TAP (test access point).

There are four common types of TAP:

  • Non-aggregating TAPs
  • Aggregating TAPs
  • Regenerating TAPs
  • Link aggregation TAPs

Each of these TAPs serves a different purpose: a non-aggregating TAP hands each direction of a full-duplex link to its own monitoring port, an aggregating TAP merges both directions onto one port, a regenerating TAP copies the same link to several monitoring ports, and a link aggregation TAP combines several links onto a single output. I also mentioned Switched Port Analyzer (SPAN) ports, also known as port mirroring. In a modern switched network this is a very common way of receiving traffic. If you have a managed switch, whether from Cisco or another vendor, you can go into the switch and tell it to replicate the traffic it sees on one port to a different port, and that port can then be connected to your Wireshark machine. It is very useful on modern networks because no extra hardware is required; you just configure the switch to copy the data out to your monitoring system. Two caveats are worth knowing before you trust a SPAN capture. A mirror port has to carry both directions of a full-duplex source link, plus any other sources you add to the session, so it is easily oversubscribed, and the switch silently drops whatever does not fit. And a switch normally discards frames with CRC errors before they reach the mirror port, so physical-layer problems are invisible on a SPAN capture but show up on a TAP. To capture wireless traffic, you need to be aware that there are multiple modes you could use. There are two modes that we will be discussing:

  • Monitor mode: The adapter receives every 802.11 frame on a specified channel, whether or not it is associated with any network. In the US there are 11 channels on 2.4 GHz, for example, so you could tell your wireless card to listen on channel 3, and it would capture all the traffic of every SSID and every network on channel 3, including the management and control frames (beacons, probes, deauthentications) that you never see from an associated client. The frames arrive with their raw 802.11 headers, usually preceded by a radiotap header with signal and rate information. Driver support varies: it is routine on Linux and macOS, but on Windows it generally needs a special adapter or driver.
  • Promiscuous mode: This is the normal mode for wired captures and is also what most wireless drivers offer. It tells the adapter to pass up every frame it sees on the network it is attached to, not only the frames addressed to its own MAC. On wireless, that means the SSID you are connected to: if you are connected to your work network or your home network, whatever it is you are trying to diagnose, you capture what traverses that network name, presented as ordinary Ethernet-style frames. It ignores any other networks on the same channel and certainly everything on other channels. Some wireless drivers refuse promiscuous mode altogether and show only the adapter's own traffic, so check what you are actually getting before drawing conclusions from a wireless capture.
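To make the difference concrete, here is an added Python example (my own, not code from the book): it parses a classic pcap file and, for an Ethernet capture, emulates what an adapter that is not in promiscuous mode would have handed to Wireshark, keeping only frames addressed to its own MAC or to a group (broadcast/multicast) address. It also reads the link-layer type of the file, which is how you can tell a monitor-mode capture (raw 802.11, usually with a radiotap header) from an Ethernet one. The MAC addresses and the three-frame capture are constructed, and the filter is an Ethernet-level model; 802.11 frames carry their addresses differently and are not modelled here.

```python
"""Constructed example (not from the book): inspect a classic pcap to see which
link-layer type a capture used and which Ethernet frames a NIC would have
passed to Wireshark *without* promiscuous mode."""
import struct

# pcap link-layer header types (values from the libpcap/tcpdump registry)
DLT_EN10MB = 1                  # Ethernet: wired capture, or wireless in promiscuous mode
DLT_IEEE802_11 = 105            # raw 802.11 frames: monitor mode without radiotap
DLT_IEEE802_11_RADIOTAP = 127   # 802.11 frames behind a radiotap header: typical monitor mode

LINKTYPE_NAMES = {DLT_EN10MB: "Ethernet", DLT_IEEE802_11: "802.11",
                  DLT_IEEE802_11_RADIOTAP: "802.11 + radiotap"}


def parse_pcap(data: bytes):
    """Return (linktype, [frame_bytes, ...]) from a classic pcap (not pcapng) blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                                 # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"                                 # big-endian writer
    else:
        raise ValueError("not a classic pcap file")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    frames, off = [], 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def nic_would_deliver(frame: bytes, our_mac: bytes) -> bool:
    """Emulate a NIC in non-promiscuous mode: it passes up only frames whose
    destination is its own unicast MAC or a group address, i.e. the I/G bit
    (least significant bit of the first octet) is set."""
    dst = frame[:6]
    return dst == our_mac or bool(dst[0] & 0x01)


def split_by_promiscuity(data: bytes, our_mac: bytes):
    """Return (frames a non-promiscuous NIC delivers, frames only promiscuous mode adds)."""
    linktype, frames = parse_pcap(data)
    if linktype != DLT_EN10MB:
        raise ValueError(f"expected Ethernet frames, got {LINKTYPE_NAMES.get(linktype, linktype)}")
    seen = [f for f in frames if nic_would_deliver(f, our_mac)]
    promisc_only = [f for f in frames if not nic_would_deliver(f, our_mac)]
    return seen, promisc_only


# --- constructed sample capture: three minimal Ethernet frames (hypothetical MACs) ---
OUR_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("66778899aabb")
THIRD_MAC = bytes.fromhex("ccddeeff0011")
BCAST = b"\xff" * 6


def eth_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"\x00" * 20) -> bytes:
    return dst + src + struct.pack(">H", ethertype) + payload


def build_pcap(frames, linktype: int = DLT_EN10MB) -> bytes:
    """Write a little-endian classic pcap: global header then one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    eth_frame(OUR_MAC, OTHER_MAC),              # addressed to us: always delivered
    eth_frame(BCAST, OTHER_MAC, 0x0806),        # broadcast ARP: delivered (group bit set)
    eth_frame(OTHER_MAC, THIRD_MAC),            # someone else's unicast: promiscuous mode only
])

if __name__ == "__main__":
    seen, extra = split_by_promiscuity(SAMPLE_PCAP, OUR_MAC)
    print(f"non-promiscuous NIC delivers {len(seen)} of {len(seen) + len(extra)} frames; "
          f"promiscuous mode adds {len(extra)}")
    lt, _ = parse_pcap(build_pcap([], DLT_IEEE802_11_RADIOTAP))
    print("a monitor-mode capture file would be tagged:", LINKTYPE_NAMES[lt])
```

Run it and it reports that a non-promiscuous adapter would have delivered two of the three frames; the third, a unicast exchange between two other hosts, shows up only with promiscuous mode, and on a switched network not even then unless a TAP or SPAN port delivers it to your capture port.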

In the following screenshot, Wireshark is running and shows its list of capture interfaces, including a local area connection and some virtual adapters. This computer has no wireless adapter, or it would show up here as well, as would any other network interface controller (NIC), wired or not:

You will also see that next to each interface Wireshark keeps drawing a small chart of the amount of data it sees on that connection. This is actually pretty useful, especially if your diagnostic computer has many different interfaces, for example several SPAN feeds. Maybe you turned on SPAN towards a port that is receiving a lot of data, but you do not know which NIC on the monitoring system it lands on. Look here: whichever interface is receiving the most data, or the expected amount of data, is probably the one you want to capture on. I find that useful on crowded systems.

To start capturing in the latest version of Wireshark, all you have to do is double-click the interface, and you will see traffic begin to scroll by. This computer is not actually doing anything interesting, which is surprising considering how much traffic is being sent and received, but services are running in the background, and there are possibly minimized web browsers and the like. You will see there is quite a bit of communication even on a standard, idling computer:

In order to stop this capture, you just go up to the top and click on the stop icon:

You will notice that the packets were scrolling by and being updated in real time. This is useful in some situations, but not all. If you have a system that is receiving a lot of data, possibly gigabits per second, or if you are running Wireshark on a computer that is very old and slow, redrawing the packet list for every arriving packet costs CPU that should be spent on the capture itself, and Wireshark starts dropping packets; the Dropped count in the status bar tells you when that has happened. So this is not an ideal situation, especially in the GUI.

You can turn the live update off so that Wireshark does not spend graphics and processor power redrawing the screen in real time. For sustained high-rate captures the better answer is to capture with dumpcap from the command line, covered in the Command-Line Tools chapter, and open the resulting files in Wireshark afterwards. To turn off the live update, perform the following steps:

  1. Click on the gear icon, which opens the Capture Options dialog (also available under Capture | Options), as shown in the following screenshot:
  2. Go to the Options tab. There are check boxes here that we can turn off. Unchecking Update list of packets in real-time prevents the list from populating as packets continue to arrive. Automatically scroll during live capture is what kept the scroll bar on the right pinned to the very bottom; with it turned off, the view stays at the top. These two settings are very helpful to disable if you are running on an older computer, as mentioned:
  3. You can also capture on several interfaces at once. Back in the same dialog, on the Input tab, select a range of interfaces with the Shift key or individual ones with the Ctrl key, then click Start, and Wireshark captures on every interface you selected. Depending on your situation, that may be a useful feature.
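As an added example (not from the book), the following Python wrapper does the same job without the GUI by driving dumpcap, the capture engine Wireshark itself uses: it parses the output of `dumpcap -D` to pick interfaces by name or by the index dumpcap prints, then assembles a command that captures on several interfaces at once into a ring buffer of files, with an optional capture filter and the option of leaving promiscuous mode off. The interface names and the sample `dumpcap -D` listing are constructed; the dumpcap flags used (`-D`, `-i`, `-p`, `-f`, `-w`, `-b`, `-a`, `-q`) are the real ones from its man page.

```python
"""Added example (not from the book): headless capture with dumpcap instead of
the Wireshark GUI, so no CPU goes to redrawing the packet list.
Interface names and the sample `dumpcap -D` output are constructed."""
import re
import subprocess
import sys

# One line of `dumpcap -D` output looks like "<n>. <name> (<description>)";
# the parenthesised description is optional and names contain no spaces.
_IFACE_LINE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interface_list(text: str):
    """Turn `dumpcap -D` output into a list of (index, name, description)."""
    found = []
    for line in text.splitlines():
        m = _IFACE_LINE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found


def pick_interfaces(listing, wanted):
    """Resolve names or 1-based indexes (as dumpcap prints them) to interface
    names, failing loudly on anything unknown rather than letting dumpcap guess."""
    by_name = {name: name for _, name, _ in listing}
    by_idx = {idx: name for idx, name, _ in listing}
    chosen = []
    for w in wanted:
        name = by_name.get(str(w))
        if name is None and str(w).isdigit():
            name = by_idx.get(int(w))
        if name is None:
            raise ValueError(f"no such capture interface: {w!r}")
        chosen.append(name)
    return chosen


def build_dumpcap_cmd(interfaces, outfile, *, file_size_kb=100_000, ring_files=10,
                      duration_s=None, capture_filter=None, promiscuous=True):
    """Assemble a dumpcap command line. Options meant for every interface
    (-p, -f) go before the first -i; after an -i they bind to that interface only."""
    cmd = ["dumpcap", "-q"]                          # -q: no running packet counter on stderr
    if not promiscuous:
        cmd.append("-p")                             # -p: leave the adapters out of promiscuous mode
    if capture_filter:
        cmd += ["-f", capture_filter]                # BPF capture filter, applied before disk
    for name in interfaces:
        cmd += ["-i", name]                          # one -i per interface: capture on all of them
    cmd += ["-w", outfile]                           # output file; also the ring-buffer name prefix
    cmd += ["-b", f"filesize:{file_size_kb}",        # ring buffer: new file every N kB ...
            "-b", f"files:{ring_files}"]             # ... keeping only the newest N files
    if duration_s:
        cmd += ["-a", f"duration:{duration_s}"]      # autostop after N seconds
    return cmd


def run_capture(cmd):
    """Run dumpcap in the foreground; needs capture privileges on the host."""
    return subprocess.run(cmd, check=True)


# Constructed sample of `dumpcap -D` output with Linux-style names
SAMPLE_LISTING = """1. eth0
2. eth1
3. any (Pseudo-device that captures on all interfaces)
4. lo (Loopback)
"""

if __name__ == "__main__":
    # Usage: python capture.py eth0 eth1   (or indexes: python capture.py 1 2)
    listing = parse_interface_list(
        subprocess.run(["dumpcap", "-D"], capture_output=True, text=True, check=True).stdout)
    if not listing:
        sys.exit("dumpcap found no capture interfaces (permissions?)")
    names = pick_interfaces(listing, sys.argv[1:] or [listing[0][1]])
    run_capture(build_dumpcap_cmd(names, "capture.pcapng", duration_s=60,
                                  capture_filter="not port 22"))
```

The capture filter in the usage line is only an illustration (it keeps your own SSH session to the capture box out of the trace); the point is that the filter, the ring buffer and the interface list are all decided up front, and nothing is spent on rendering while the packets come in.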

In this section, we went over different ways of capturing packets and getting them into your Wireshark capture system. Up next, we will save those packets and export them in various ways.