Re: Ask Me Anything- Basic Wireshark for Networking Students

ciscomoderator · ‎04-14-2020

This topic is a chance to clarify your questions about how to use Wireshark, particularly for those who study networking. The session provides key information and best practices for students and instructors who want to enhance their theoretical classes and studies with packet capture analysis. During the event, you can clarify your questions about how to use Wireshark, including related topics such as TCP, UDP, ICMPv4, ICMPv6, and OSPF.

To participate in this event, please use the button below to ask your questions

Ask questions from Tuesday 14 to Friday, April 24, 2020

Featured Expert

Dr. Moisés André Nisenbaum is a full-time professor at the Federal Institute of Rio de Janeiro (IFRJ) since 1986. He has experience in the Information Science area, and he specializes in Information and Communication metrics. In the area of education, he works with different Information and Communication technologies, with a focus on networks, help desk, Physics Teaching and Youth, and adult education. Moisés holds a Bachelor’s degree in physics from the state University of Rio de Janeiro and a Master’s degree in Physical Science form the Brazilian Center of Physical Research. He holds a PhD in Information Science from IBICT / UFRJ.

Dr. Moisés might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Networking category.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

Do you know you can get answers before opening a TAC case by visiting the Cisco Community.

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

pompeychimes · ‎04-18-2020

I was really looking forward to this but i couldn't understand the guy. No disrespect intended. Cisco, please stop having non-native English speakers present English content. As a native English speaker i wouldn't dream of teaching something in another language

Hilda Arteaga · ‎04-20-2020

Hi James

Thank you so much for your feedback, we apologize for the issues and bad experiences this event has provided you.

We’re looking to provide the best experience to our members and event attendees, your comments help us improve.

ciscomoderator · ‎04-23-2020

Hi Dr. Moises Andre Nisenbaum, thank you so much for sharing your knowledge in a Cisco Community Live event

Please help us to cover some of the pending questions from the live session:

Sometimes, I’m having captures from source and a destination is requested. Could you please tell me, how it will help to analyze?

moises.nisenbaum · ‎04-28-2020

Hi.

You can use this display filter to show packet with specific ip source and destination:

ip.src== 192.168.1.1 and ip.dst == 209.165.10.20

ciscomoderator · ‎04-23-2020

Can you explain more about the tap hardware and how the general setup will be?

moises.nisenbaum · ‎04-28-2020

Sure.

Tap makes possible for you to have a copy of the traffic between A and B in a third device C.

The simpler TAP is a hub. If you insert a Hub between A and B you will be able see traffic in C connected in another hub port.

Of course, there are more sophisticated TAPs you can buy from 100 to several thousands of dollars.

Take a look at https://en.wikipedia.org/wiki/Network_tap for more information.

Cheers

Moisés

ciscomoderator · ‎04-23-2020

It seems like stream index filer cannot be applied in certain cases; can you please explain in what conditions it is not selectable?
If there is a packet loss during transmission, how do we figure out that?

moises.nisenbaum · ‎04-28-2020

Both streams and packet loss have to do with TCP protocol.

A Wireshark stream is nothing more that a socket filter. It identify traffic with specific source and destination IP:PORT that can be understand as a TCP conversation. So, to filter by stream, you must be looking for TCP communication. It does not work with UDP, for example.

Packet loss can be identified, for example, when retransmission occurs, that is marked as black packet in packet pane.

That's why Wireshark is so important to learn and teach TCP.

Cheers

Moisés

ciscomoderator · ‎04-23-2020

• Does Wireshark have any programmability aspects to it? That is, can we interact with this same information using Python or another programming language?

moises.nisenbaum · ‎04-28-2020

The command line version of Wireshark - Tshark - can be called by programming languages like Python.

Also, Wireshark is a free and open-source packet analyzer, so, you can go deep and program new stuff like drivers for wireshark

Cheers

Moisés

ciscomoderator · ‎04-23-2020

Can we have or generate diagrams of the packet flow?
May you please explain how can encrypted traffic be analyzed?

moises.nisenbaum · ‎04-28-2020

There are some graphic tools in Wireshark. Please explore the menu Statistics --> TCP stream graphics.

For decryption of capture data such SSH and TLS, you will have to inform Wireshark the keys. That can be done using the menu Wireshark --> preferences.

Step by step you can find googling "how to decrypt wireshark packets"

Cheers

Moisés

ciscomoderator · ‎04-23-2020

• Any tips for Wi-Fi capture on Wireshark?

moises.nisenbaum · ‎04-28-2020

If you use Linux it is straightforward. Just use Wi-fi driver.

In Windows is very difficult.

For step by step, take a look at: https://wiki.wireshark.org/CaptureSetup/WLAN