Question
Case Project 2-2: Install and Use Wireshark
Wireshark is a free, open source network protocol analyzer that can help
demystify network messages and help make the OSI model a little more tangible.
Using Wireshark for the first time can be an epiphany experience for you.
You can study the OSI layers, all of the information that is added to every message, and all
of the messages that have to go back and forth just to bring up a Web page or even just to
connect to the network. It all becomes much more real when you see how many packets Wireshark
collects during even a short capture.
We'll install Wireshark in this project and take a first look at how it works. In later chapters,
we'll dig deeper into Wireshark's capabilities.
1. To begin, go to the Web site at wireshark.org. Download and install the appropriate
version for your OS.
You may also need to install WinPcap during the Wireshark installation process.
WinPcap is a Windows service that does not come standard in Windows, but is
required to capture live network data. You can keep the default setting presented
in the Wireshark installer to start WinPcap at boot time, but consider
unchecking this option if other, nonadministrative users of the computer should
not have access to live network data.
2. To start our first capture, in the Wireshark Network Analyzer window, look in the Capture
pane under the Start group and select your network interface. Then click Start.
While the capture is running, challenge your network a bit by opening a couple of Web
pages, sending an email with a local email client, or pinging other hosts on the network.
3. You can adjust the pane sizes by grabbing a border between them and dragging.
Expand the top pane so you can see more of the captured packets at one time.
4. Let the capture run for a couple of minutes, and then click Stop on the command
ribbon.
Take a look at some of the items you might have captured, and start to decode this blur of
numbers and letters.
The color highlighting can help you begin to make sense of what's on the screen. Notice in
Figure 2-35 that TCP messages are a light gray color, SMB2 packets are a yellowish color, and
pnrp packets are a light bluish color. You can see the protocol names in the Protocol column.
Figure 2-35 Different highlight colors correspond to different protocols
5. To see a list of all colors used for highlighting that are currently assigned and to adjust
these assignments, click the Edit coloring rules button. Here, you can change the priority
for matching protocols to colors (because often more than one protocol is used in a
single message), and you can assign colors that are easier to spot. In Figure 2-36, the
assigned color for TCP is a bright green.
Figure 2-36 Choose colors that are easier to spot
Source: The Wireshark Foundation
6. To filter for a particular kind of packet, type the name of the protocol in the Filter box.
Figure 2-37 shows Wireshark filtered for ICMPv6 packets. Try filtering for other protocols
discussed earlier in this chapter and see how many different types you can find
in your capture. Click Clear between searches to return to the complete capture data.
Figure 2-37 Use the filter to narrow your search
7. To compare OSI layers represented by each of these protocols, do a slightly more complicated
filter where you can see both HTTP packets and ICMPv6 packets in the same
search. Enter the following expression into the Filter box: http or icmpv6.
8. Look at an ICMPv6 packet and count how many sections of information are available
in the middle pane. In Figure 2-38, there are four sections of information, which correspond
to Layer 2 (Frame and Ethernet II) and Layer 3 (Internet Protocol Version 6 and
Internet Control Message Protocol v6).
9. Examine an HTTP packet (in Figure 2-39, the labeled protocol is SSDP). In
Figure 2-39, there are now five sections of information. This time, Layer 7 (Hypertext
Transfer Protocol) and Layer 4 (User Datagram Protocol) are represented, in addition
to Layer 3 (Internet Protocol Version 4) and Layer 2 (Ethernet II and Frame).
Figure 2-38 Use the middle pane to dig into each layer's headers
Figure 2-39 This HTTP message is using UDP
10. Recall that TCP is a connection-oriented protocol. You can filter a capture to follow a
TCP stream so you can see how these messages go back and forth for a single session.
Find a TCP packet, right-click it, and select Follow TCP Stream. Next, close the Follow
TCP Stream window and note that Wireshark has filtered the capture for this stream's
packets.
11. Select a TCP message from this filtered data, and explore the middle pane. Click to
open each section in that pane. In Figure 2-40, Frame 229 is opened, and the list for
the Flags bits is expanded. Notice that the Acknowledgment bit is set, which corresponds
to the (ACK) flag on the packet Info in the top pane. You'll learn about these
flags in the next chapter.
Figure 2-40 Other TCP segments might have other bits set
12. Click Close this capture file without saving the file. This returns you to the Wireshark
home page, where you can open saved capture files, or you can look through sample
captures. Click Sample Captures to go to the Wireshark wiki site where you can find
samples of many different types of captures. Browse through some of these to become
familiar with what to look for when examining different types of messages.
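As an added worked example (not part of the textbook project or of Wireshark itself), the script below builds three constructed frames with only the standard library, lists the sections Wireshark's middle pane would show for each (the four sections of step 8 and the five of step 9), decodes the TCP Flags byte from step 11, and evaluates the http or icmpv6 filter from step 7. The section names, the sample addresses and the "UDP port 1900 means SSDP, which is HTTP over UDP" rule are assumptions of this example, not Wireshark's own dissector logic.

```python
import struct
MAC_SRC = b"\x00\x11\x22\x33\x44\x55"          # constructed sample frames, not real captures
SRC6, DST6 = bytes.fromhex("fe80" + "00" * 13 + "01"), bytes.fromhex("ff02" + "00" * 13 + "01")
PROTO = {"http": "Hypertext Transfer Protocol", "icmpv6": "Internet Control Message Protocol v6",
         "tcp": "Transmission Control Protocol", "udp": "User Datagram Protocol"}

def ipv6_icmpv6_frame():                      # ICMPv6 Neighbor Solicitation, checksum left zero
    icmp = struct.pack("!BBH", 135, 0, 0) + b"\x00" * 20
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + SRC6 + DST6
    return b"\x33\x33\x00\x00\x00\x01" + MAC_SRC + b"\x86\xdd" + ip6 + icmp
def ipv4_header(proto, payload, src, dst):    # 20-byte IPv4 header, no options, checksum zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + payload
def ipv4_ssdp_frame():                        # SSDP: an HTTP request carried over UDP/1900
    http = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"
    udp = struct.pack("!HHHH", 50000, 1900, 8 + len(http), 0) + http
    ip4 = ipv4_header(17, udp, [192, 168, 1, 10], [239, 255, 255, 250])
    return b"\x01\x00\x5e\x7f\xff\xfa" + MAC_SRC + b"\x08\x00" + ip4
def ipv4_tcp_frame(flags):                    # bare TCP segment carrying the given Flags byte
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip4 = ipv4_header(6, tcp, [93, 184, 216, 34], [192, 168, 1, 10])
    return MAC_SRC + b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x08\x00" + ip4

def dissect(frame):   # sections Wireshark's middle pane lists for this frame, lowest layer first
    sections = ["Frame", "Ethernet II"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x86DD:                   # Layer 3: IPv6, Next Header is byte 6 of the header
        sections.append("Internet Protocol Version 6")
        proto, payload = frame[20], frame[54:]
    elif ethertype == 0x0800:                 # Layer 3: IPv4, Protocol is byte 9, IHL in 32-bit words
        sections.append("Internet Protocol Version 4")
        proto, payload = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
    else:
        return sections
    if proto == 58:
        sections.append(PROTO["icmpv6"])
    elif proto == 6:
        sections.append(PROTO["tcp"])
    elif proto == 17:                         # Layer 4: UDP; port 1900 marks SSDP, i.e. HTTP over UDP
        sections.append(PROTO["udp"])
        if 1900 in struct.unpack("!HH", payload[:4]):
            sections.append(PROTO["http"])
    return sections

def tcp_flag_names(frame):                    # decode the TCP Flags byte into the names shown in Info
    flags = frame[14 + (frame[14] & 0x0F) * 4 + 13]
    return [n for i, n in enumerate(["FIN", "SYN", "RST", "PSH", "ACK", "URG"]) if flags & (1 << i)]

def matches(frame, display_filter):           # evaluate a 'proto or proto' filter like step 7's
    return any(PROTO[t.strip()] in dissect(frame) for t in display_filter.split(" or "))
```

Running dissect() on the three frames reproduces the section counts seen in Figures 2-38 and 2-39, and tcp_flag_names(ipv4_tcp_frame(0x10)) returns the lone ACK bit of step 11.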