Community Live event FAQ- Basic Wireshark for Networking Students

This event took place on Tuesday, April 14th, 2020 at 10:00 PDT.

Featured Expert

Dr. Moisés André Nisenbaum has been a full-time professor at the Federal Institute of Rio de Janeiro (IFRJ) since 1986. He has experience in the Information Science area and specializes in Information and Communication metrics. In the area of education, he works with different Information and Communication Technologies, with a focus on networks, help desk, Physics Teaching, and Youth and Adult Education. Moisés holds a Bachelor's degree in Physics from the State University of Rio de Janeiro and a Master's degree in Physical Science from the Brazilian Center of Physical Research. He holds a Ph.D. in Information Science from IBICT / UFRJ.

You can download the slides of the presentation in PDF format here.

Live Questions

Q: How can I download Wireshark and install it on my machine?

A: You can download it here: https://www.wireshark.org/download.html

Q: Is Wireshark license based?

A: It is free software, supported on many operating systems.

Q: Are there any practice sites available?

A: You can go to my friend Chris's YouTube channel. His channel name is Packet Life, and there is also a Facebook group called Wireshark.

Q: How can we query/search for a specific DNS server?

A: You can apply a filter for the destination IP address. Specify your DNS server address and you will see all packets that are destined to your server.

Q: What version of Wireshark do you recommend to use? 

A: The latest stable is 3.2.3 unless you are using an operating system that does not support it.

Q:  Is it possible to run Wireshark automatically and save pcap as a part of the network disconnection log or as a shutdown log? 

A: With a Windows script, you can do almost anything. I haven't tried it yet, but I am sure that if you use a Windows script or a Linux script you can run it, because there is a CLI version of Wireshark called TShark, so with this command line we can do any script.

Q: What is the difference between Tshark and Wireshark?

A: TShark is the CLI version of Wireshark. If you want to write a script or something like this, you have TShark as a command-line version of Wireshark.

Q: What is Moises's opinion about Microsoft Message Analyzer?

A: It is another tool. I don't use this tool, so I cannot give an opinion.

Q: Could you detail your notice about the Cisco emulator on DevNet, please?

A: I have this on my YouTube channel, but it is in Portuguese. It is a very interesting thing because you just go, log in, then you go to the sandboxes, search for Cisco IOS VIRL, and it will open the emulator for you.

Q: Is it possible to capture our own customized protocols? If yes, how?

A: If you are at an upper layer, you can capture anything and Wireshark will show it; but if you have a Layer 2 protocol, it will show it, but it will not read it.

Q: Is the remote capture also possible over L3 connection?

A: No, all participating devices must be connected by Layer 2 trunks.

Q: Are there protocols that Wireshark does not capture? Why?

A: Wireshark should capture all protocols; however, due to platform restrictions, sometimes this does not happen. An example is the dot1q headers, because the switch removes the VLAN tags before delivering the frame to the end device.

Q: In packet life, can we have voice-related packet captures?

A: In the Wireshark Wiki, you can find some: https://wiki.wireshark.org/RTP

Q:  Can we analyze the SIP messages by using this?

A: Yes, further information here: https://wiki.wireshark.org/SIP

Q: What is the real ACK number in the packet?

A: To disable relative sequence numbers and instead display them as the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.

Q: Regarding SPAN, does the monitor port mirror ingress traffic or egress traffic for capturing?

A: It depends on how it is configured; the default is both.

Q: Does it count as remote capture as we are capturing in the same switch?

A: No, when we mirror traffic from one interface to another interface on the same device it is a local span.

Q: What simulation tool was Moises using during the presentation?

A: It was Packet Tracer: https://www.netacad.com/courses/packet-tracer

Q: Can the DORA process in DHCP be captured?

A: Absolutely.

Q: How granular can you get with SPAN and RSPAN? Is it just an on/off feature or can you specify certain parameters?

A: You can apply access lists when you configure the session, filtering anything you want.

Q: What is the Cisco emulator name? Is it Cisco Vio?

A: Cisco VIRL: https://learningnetwork.cisco.com/s/virl

Q: Can you give an example of RSPAN, please?

A: You can find an example here: https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951 

Q: Can you give a suggestion about some practice captures and analyses, please?

A: You can find some good examples here: https://wiki.wireshark.org/SampleCaptures

Q: Can you cover wireless packet captures?

A: Please find the Fundamentals of 802.11 Wireless Sniffing here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html

Q: Having pcaps from both the source and the destination, captured at the same time, how will that help a network engineer to analyze?

A: You can check timestamps and see if anything is lost, for example.

Q: Sometimes I'm having captures from a source, and a destination is requested. Could you please tell me how it will help to analyze?

A: You can use this display filter to show packets with a specific IP source and destination:

ip.src== 192.168.1.1 and ip.dst == 209.165.10.20

Q: Can you explain more about the tap hardware and how the general setup will be?

A: Sure. A TAP makes it possible for you to have a copy of the traffic between A and B on a third device, C.

The simplest TAP is a hub. If you insert a hub between A and B, you will be able to see the traffic on C, connected to another hub port.

Of course, there are more sophisticated TAPs you can buy, from 100 to several thousand dollars. Take a look at https://en.wikipedia.org/wiki/Network_tap for more information.

Q: It seems like the stream index filter cannot be applied in certain cases; can you please explain under what conditions it is not selectable? If there is packet loss during transmission, how do we figure that out?

A: Both streams and packet loss have to do with the TCP protocol. A Wireshark stream is nothing more than a socket filter. It identifies traffic with a specific source and destination IP:PORT that can be understood as a TCP conversation. So, to filter by stream, you must be looking at TCP communication. It does not work with UDP, for example. Packet loss can be identified, for example, when a retransmission occurs, which is marked as a black packet in the packet pane. That's why Wireshark is so important to learn and teach TCP.

Q: Does Wireshark have any programmability aspects to it? That is, can we interact with this same information using Python or another programming language?

A: The command-line version of Wireshark, TShark, can be called from programming languages like Python.

Also, Wireshark is a free and open-source packet analyzer, so, you can go deep and program new stuff like drivers for Wireshark.

Q: Can we have or generate diagrams of the packet flow? May you please explain how can encrypted traffic be analyzed?

A: There are some graphic tools in Wireshark. Please explore the menu Statistics --> TCP Stream Graphs.

For the decryption of captured data such as SSH and TLS, you will have to give Wireshark the keys. That can be done using the menu Wireshark --> Preferences. You can find step-by-step instructions by googling "how to decrypt Wireshark packets".

Q: Any tips for Wi-Fi capture on Wireshark?

A: If you use Linux it is straightforward. Just use a Wi-Fi driver. Windows is very difficult.

For step by step, take a look at https://wiki.wireshark.org/CaptureSetup/WLAN

Q: Any sites with more examples for checking the DORA process and such?

A: I encourage you to check DHCP by yourself. It is easy and you will learn a lot. Open Wireshark, turn your NIC off and on, and filter the results using the "dhcp" or "bootp" filter. Simple as that.
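
The answers above mention three things without showing them together: scripting TShark from a shutdown or link-down script (the TShark questions), calling TShark from Python (the programmability question), and checking the DHCP DORA exchange (this answer). The following script is an added example written for this FAQ, not code from the event or from the Wireshark project. It builds real TShark command lines (`-i`, `-a duration:`, `-w` for an unattended capture; `-r`, `-Y dhcp`, `-T fields`, `-e` to read a capture back), and then groups the `dhcp.id` / `dhcp.option.dhcp` fields (Wireshark 3.x names) by transaction ID to classify each exchange. It assumes `tshark` is on the PATH for the live run and that `-T fields` prints the message type as its numeric option 53 code; the sample lines at the bottom are constructed in that shape so the script also runs offline.

```python
# Added example (not from the page): driving TShark from Python, both to record an
# unattended capture and to read a saved capture back for a DHCP DORA check.
import shutil
import subprocess
import sys

# DHCP message type codes from option 53 (RFC 2132): Discover, Offer, Request, ACK; 6 is NAK.
DORA = (1, 2, 3, 5)
NAK = 6

def capture_cmd(iface, outfile, seconds, capture_filter=None):
    """Command a shutdown or link-down script could run: capture on `iface`,
    stop automatically after `seconds`, write a pcapng file, no GUI needed."""
    cmd = ["tshark", "-i", iface, "-a", f"duration:{seconds}", "-w", outfile]
    if capture_filter:
        cmd += ["-f", capture_filter]   # BPF capture filter, e.g. "port 67 or port 68"
    return cmd

def dhcp_fields_cmd(pcap):
    """Read a saved capture, keep only DHCP (display filter "dhcp", Wireshark 3.x
    field names) and print frame number, transaction id and message type per
    packet, tab separated (the default -T fields separator)."""
    return ["tshark", "-r", pcap, "-Y", "dhcp", "-T", "fields",
            "-e", "frame.number", "-e", "dhcp.id", "-e", "dhcp.option.dhcp"]

def run_tshark(cmd):
    """Run tshark and return its stdout lines; raises if tshark exits non-zero."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.splitlines()

def parse_dhcp_lines(lines):
    """Group (frame, message type) by transaction id, keeping frame order.
    Assumes -T fields prints the message type as its numeric code."""
    by_xid = {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[2]:
            continue                      # no message type field (e.g. plain BOOTP)
        frame, xid, mtype = int(parts[0]), parts[1], int(parts[2].split(",")[0])
        by_xid.setdefault(xid, []).append((frame, mtype))
    return by_xid

def check_dora(by_xid):
    """Verdict per transaction: complete D-O-R-A, incomplete prefix, NAK, or unexpected."""
    verdicts = {}
    for xid, msgs in by_xid.items():
        types = tuple(m for _, m in sorted(msgs))
        if types == DORA:
            verdicts[xid] = "complete"
        elif NAK in types:
            verdicts[xid] = "nak"
        elif DORA[:len(types)] == types:
            verdicts[xid] = "incomplete"
        else:
            verdicts[xid] = "unexpected"
    return verdicts

# Constructed lines in the shape of dhcp_fields_cmd() output (not real tshark output):
# one complete exchange, one that stopped after the Offer, one refused with a NAK.
SAMPLE_LINES = [
    "1\t0x3903f326\t1", "2\t0x3903f326\t2", "3\t0x3903f326\t3", "4\t0x3903f326\t5",
    "5\t0x1a2b3c4d\t1", "6\t0x1a2b3c4d\t2",
    "7\t0x5e5e5e5e\t1", "8\t0x5e5e5e5e\t2", "9\t0x5e5e5e5e\t3", "10\t0x5e5e5e5e\t6",
]

if __name__ == "__main__":
    # Usage: python dora_check.py capture.pcapng  (falls back to the sample if tshark is absent)
    if len(sys.argv) > 1 and shutil.which("tshark"):
        lines = run_tshark(dhcp_fields_cmd(sys.argv[1]))
    else:
        lines = SAMPLE_LINES
    for xid, verdict in check_dora(parse_dhcp_lines(lines)).items():
        print(f"{xid}\t{verdict}")
```

To produce the capture the script reads, run `capture_cmd("eth0", "shutdown.pcapng", 30, "port 67 or port 68")` from the shutdown hook; the `-a duration:` autostop is what lets TShark exit on its own without a user at the keyboard.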

Q: In the TCP explanation, about the data that is in brackets: is it only calculated by Wireshark, and does not exist in the packet?

A: Wireshark, tcpdump and other capture software read and show the header contents. The gold mine of Wireshark is that it processes this information almost in real time and displays the analysis results as the information between brackets.

For example, Wireshark reads the TCP sequence number and the size of the segment, so it calculates the next sequence number. This info will be displayed between brackets. Everything in brackets is NOT in the headers.
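
The following script is an added example for this FAQ, not code from the event or from Wireshark, showing the distinction made in this answer, in the answer about real versus relative ACK numbers, and in the answer about stream indexes. It parses constructed IPv4+TCP packets with only the Python standard library, reads the absolute sequence and acknowledgment numbers exactly as they sit in the header, then computes the three things Wireshark puts in brackets: the next sequence number (payload length plus one for SYN and one for FIN, which each consume a sequence number), relative sequence/ACK numbers (each direction's first segment sets that direction's base, so the SYN shows as relative 0), and a stream index per bidirectional socket pair. Addresses, ports, ISNs and the packets themselves are made up for the demo.

```python
# Added example (not from the page): what is on the wire versus what Wireshark
# computes and shows in [brackets]. Uses constructed IPv4+TCP packets and the
# standard library only; no Wireshark needed.
import struct
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10

@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int          # absolute sequence number as carried in the header
    ack: int          # absolute acknowledgment number as carried in the header
    flags: int
    payload_len: int  # bytes after the TCP header

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (no options, checksums left 0) for the demo."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload

def parse_ipv4_tcp(pkt):
    """Read the header fields exactly as they appear in the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return TcpSegment(src, dst, sport, dport, seq, ack, off_flags & 0x1FF, len(tcp) - data_off)

def next_seq(seg):
    """[Next sequence number]: not in the header. seq + payload bytes, plus one for
    SYN and one for FIN, each of which occupies a sequence number (RFC 793)."""
    n = seg.seq + seg.payload_len
    if seg.flags & SYN:
        n += 1
    if seg.flags & FIN:
        n += 1
    return n & 0xFFFFFFFF

def analyze(packets):
    """Assign a stream index per bidirectional socket pair and convert absolute
    seq/ack numbers to relative ones: the first segment seen in each direction
    sets that direction's base, so the SYN shows as relative sequence 0."""
    streams = {}   # sorted ((ip, port), (ip, port)) -> stream index
    bases = {}     # (src, sport, dst, dport) -> first absolute seq seen that way
    rows = []
    for pkt in packets:
        seg = parse_ipv4_tcp(pkt)
        key = tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))
        stream = streams.setdefault(key, len(streams))
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        bases.setdefault(fwd, seg.seq)
        nxt = next_seq(seg)
        # A relative ACK needs the other direction's base, which is only known
        # once a segment from that side has been seen.
        rel_ack = (seg.ack - bases[rev]) & 0xFFFFFFFF if (seg.flags & ACK) and rev in bases else None
        rows.append({"stream": stream, "len": seg.payload_len,
                     "seq": seg.seq, "rel_seq": (seg.seq - bases[fwd]) & 0xFFFFFFFF,
                     "ack": seg.ack, "rel_ack": rel_ack,
                     "nxtseq": nxt, "rel_nxtseq": (nxt - bases[fwd]) & 0xFFFFFFFF})
    return rows

# Constructed sample: a handshake and one request, plus a SYN from a second connection.
C, S = "192.168.1.10", "209.165.10.20"
ISN_C, ISN_S = 2_000_000_000, 3_000_000_000
REQUEST = b"GET / HTTP/1.0\r\n\r\n"          # 18 bytes of payload
SAMPLE_PACKETS = [
    build_ipv4_tcp(C, S, 51000, 80, ISN_C, 0, SYN),
    build_ipv4_tcp(S, C, 80, 51000, ISN_S, ISN_C + 1, SYN | ACK),
    build_ipv4_tcp(C, S, 51000, 80, ISN_C + 1, ISN_S + 1, ACK),
    build_ipv4_tcp(C, S, 51000, 80, ISN_C + 1, ISN_S + 1, ACK, REQUEST),
    build_ipv4_tcp(S, C, 80, 51000, ISN_S + 1, ISN_C + 1 + len(REQUEST), ACK),
    build_ipv4_tcp(C, S, 51001, 80, 1_234_567_890, 0, SYN),
]

if __name__ == "__main__":
    for i, r in enumerate(analyze(SAMPLE_PACKETS), 1):
        print(f"#{i} stream={r['stream']} len={r['len']} seq={r['seq']} [rel {r['rel_seq']}] "
              f"ack={r['ack']} [rel {r['rel_ack']}] [nxtseq {r['nxtseq']} rel {r['rel_nxtseq']}]")
```

Running it prints the absolute numbers next to the bracketed relative ones for each packet; the `seq` and `ack` columns are the "real" numbers the relative-sequence-number preference hides, and everything in brackets is derived from them and from the segment length.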

Q: What are the options of Cisco dump? I mean, can you give some examples? Can we have or generate diagrams of the packet flow?

A: Sure. The simplest is "debug ip packet". It is similar to tcpdump in Linux. "monitor capture" is more sophisticated, and the capture can be saved in a pcap file (https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html).

Ciscodump is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture on a Cisco router over an SSH connection. The minimum IOS version supporting this feature is 12.4(20)T.

More details can be found here: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

But many times, with Cisco NetFlow, we can do better network diagnostics (https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html).

About the diagrams, please, explore the Wireshark Statistics menu. It is awesome.

Q: Is there any front-end tool that can summarize the Wireshark findings?

A: I don't know any tool that does this, but the Wireshark front-end is very good. Maybe what you want can be done just with the display filters. Also, explore the Statistics and Analyze menus.

Q: How do I analyze SIP messages in Wireshark? Is it possible for you to show us?

A: You can find a very good example here: https://community.cisco.com/t5/collaboration-voice-and-video/how-to-use-wireshark-for-voip-troubleshooting/ba-p/3098804
