Wireshark has long been a standard tool for network analysis. With the rapid growth of the Internet and TCP/IP networks, it has become the everyday tool of network analysts and troubleshooting engineers, who need to know how protocols actually behave on the wire and what problems they run into.

Many examples are included, all taken from real-life cases. The time the authors spent on each case varies, but the principles they follow are the same: work step by step, choose the right tools, get inside the head of the application developer, and, as some would say, think like the network. Follow these principles, use Wireshark wisely, and you will get to the bottom of the problem. That is the purpose of this article. Enjoy it.







Wireshark version 2 Basics

This article describes the basic functions Wireshark can perform. Once you have decided that Wireshark is the tool to use, you need to place it in the right position on the network, configure it, and tune it so that it is convenient to work with.

Setting up Wireshark for a simple packet capture is simple and intuitive. Wireshark does, however, provide many options for special cases: for example, splitting a long capture taken on a busy link into smaller files, or showing the names of the devices involved instead of their IP addresses when viewing the capture. This article shows how to configure Wireshark for these cases.

After a brief introduction to Wireshark version 2, this article gives a few tips on how to set up and start the software.

In this article, you will learn how and where to place Wireshark to capture packets. Should Wireshark be installed on the server itself, or on a host connected to a port on the switch? Should it be placed in front of or behind a firewall? On the WAN side or the LAN side of the router? In which of these locations can you actually collect the data you want? For the answers to these questions, tips on placing Wireshark, and more on capturing, see Section 1.2.

Capturing packets on virtual machines has become increasingly important in recent years, since most servers deployed today are virtual machines, and the second tip in this article deals with that. For practical installation and configuration tips on monitoring VMs with Wireshark, see Section 1.3.

Just as important is the question of how to monitor virtual machines that reside in the cloud. The section on "Capturing Data in the Cloud" discusses several issues, including how to decrypt the data that is (as is usually the case) encrypted between the local site and the cloud, how to use the analysis tools the cloud platforms themselves provide, and what capture facilities are available from major cloud providers such as Amazon AWS and Microsoft Azure.

For details on how to start Wireshark and how to configure, print, and export data, see Section 1.4. That section explains how to work with capture files, that is, how to save captured data: the whole capture, part of it, or only the packets matching a filter. You can not only export captured data in a variety of file formats but also merge capture files (for example, two captures taken on different router interfaces can be combined into a single file).

1.2 Placing Wireshark

Before using Wireshark to find the cause of a network fault, decide where to install or connect it. To do this, you need an accurate network topology (at least of the part of the network affected by the fault) and you place Wireshark based on that topology.

The principle for placing Wireshark is simple. First, decide which device (or devices) you need to monitor. Second, connect the host running Wireshark (a laptop, for instance) to the switch to which the monitored device is connected. Finally, enable port mirroring on the switch (called Switched Port Analyzer, SPAN, in Cisco terminology) to copy the traffic of the monitored device's port to the port of the Wireshark host. You can then capture and view all traffic going in and out of the monitored device. This is the simplest packet capture scenario.

Wireshark can be used to monitor traffic to and from LAN ports, WAN ports, server/router ports, or any other device connected to the network.

Take the network shown in Figure 1.1 as an example. Wireshark is installed on the laptop on the left, and the monitored device is server S2.

In this simplest scenario, configure port mirroring in the direction shown in Figure 1.1 so that all traffic to and from server S2 is copied to the laptop. Alternatively, install Wireshark directly on server S2 and view its incoming and outgoing traffic there.




Figure 1.1

Some vendors' switches also support the following monitoring features.

VLAN monitoring: mirrors all traffic of an entire VLAN (for example, a server VLAN or a voice VLAN) to the monitoring port, so you can observe the traffic of one specific VLAN.

Multiple sources: mirrors several monitored ports to a single monitoring port. In Figure 1.1, for example, this lets you monitor servers S1 and S2 at the same time.

Direction selection: lets you choose whether the switch mirrors only incoming (Rx) traffic, only outgoing (Tx) traffic, or both directions of the monitored port to the monitoring port.

1.2.1 Preparations

Before using Wireshark to capture packets, visit the official Wireshark website and download and install the latest version.

The Wireshark 2.0 and subsequent updates are published on the Download page of the Wireshark official website.

Each Wireshark installer for Windows bundles the latest stable version of the WinPcap driver, which is required for live packet capture. WinPcap is the Windows port of the UNIX libpcap library. (Note that Wireshark 3.0 and later ship the Npcap driver instead, since WinPcap is no longer maintained.)

During installation, you will see the package installation window shown in Figure 1.2.




Figure 1.2

Typically, in the component selection window shown in Figure 1.2, you simply select all components. That choice installs the following.

Wireshark components: Wireshark version 2.

TShark component: A command line protocol analyzer.

Wireshark 1 component: the earlier, version 1 Wireshark, installed alongside version 2 when this component is selected. From personal experience, the author installs this component as well when installing new versions of Wireshark, so that the old version is always available when version 2 fails to capture properly or a particular feature is not available.

The Plugins & Extensions component consists of the following modules.

Dissector Plugins: A plug-in that contains some extended dissection functionality.

Tree Statistics Plugins: Extended Statistics.

MATE (Meta-Analysis and Tracing Engine): a user-configurable extension of the display filter engine.

SNMP MIB: More detailed SNMP MIB parsing.

Tools component, consisting of the following command-line utilities.

Editcap: reads a capture file and writes all or some of its packets to another capture file (used to split, trim, or convert captures).

Text2Pcap: Reads data from an ASCII hexadecimal dump file and writes the data to a PCAP capture file.

Reordercap: reorders the packets of a capture file by timestamp.

Mergecap: Combines multiple saved capture files into a single output file.

Capinfos: prints information about a capture file (packet count, duration, size, and so on).

Rawshark: a raw packet filter that dumps and analyzes raw libpcap data.

1.2.2 Operation Methods

Using a typical network as an example, let us look at how the devices deployed on it work, how to configure them when necessary, and where to place Wireshark, as shown in Figure 1.3.




Figure 1.3

Please examine the simple but common network topology shown in Figure 1.3.

1. Server Traffic Monitoring

Requirements such as monitoring the traffic of a server are common in practice. To monitor the traffic a server receives and sends, either configure port mirroring on the switch to copy the server port's traffic to the Wireshark host, as shown in Figure 1.3, or install Wireshark on the server itself.

2. Router Traffic monitoring

You can monitor the traffic to and from the router based on the following scenarios.

Scenario 1: Monitor incoming and outgoing traffic through the LAN port on the router that connects to the switch.

1. In this case, as shown in Figure 1.3 at Number 2, connect the Wireshark installed laptop to the switch to which the router is connected.

2. Enable port mirroring on the switch, with the port connected to the router's LAN interface as the source and the port connected to the Wireshark host as the destination.

Scenario 2: Monitor incoming and outgoing traffic on the switch module ports installed on the router.

1. In this case, the router is equipped with a switch module (such as a Cisco EtherSwitch or HWIC module), which can be treated as a standard switch, as shown in Figure 1.3 at number 6 (number 5 is a WAN port and number 6 a LAN port).

Routers generally do not support port mirroring (SPAN); a simple home/SOHO router has no such configuration option at all. Switch modules installed in certain Cisco routers (such as the 2800 or 3800 series) do support port mirroring, as do larger routers such as the Cisco 6800.

2. In this case, you can monitor only the traffic of devices connected to the switch module's ports.

Scenario 3: Monitor the traffic on the WAN interface of a router that has no switch module.

1. In this case, port mirroring can be done on a switch inserted between the router's WAN port and the service provider (SP) equipment, as shown in Figure 1.4.




Figure 1.4

2. Enable port mirroring on that switch, with the port connected to the router's WAN interface as the source and the port connected to the Wireshark host as the destination.

Inserting a switch between the SP network and the router's WAN port requires taking the link down. With adequate preparation, the outage is only a minute or two.

Scenario 4: A router with embedded packet capture.

In recent years, some vendors have integrated packet capture into their routers or router operating systems. Cisco IOS routers running 12.4(20)T or later, Cisco IOS-XE routers running 15.2(4)S / 3.7.0 or later, Juniper SRX and J Series routers, Riverbed SteelHead appliances, and many other devices have packet capture built in.

Before enabling the built-in packet capture on a router, make sure the router has enough free memory and CPU headroom so that the capture does not degrade its forwarding performance.

When monitoring router traffic, note that not every packet that arrives at a router is forwarded. Some packets are lost on the way, some are dropped by the router itself because of buffer overflow, and some are sent back out of the interface they arrived on. Also, routers do not forward broadcasts, so a capture on one side of the router never shows the other side's broadcast traffic.

3. Firewall Traffic Monitoring

There are two ways to monitor firewall traffic: monitor the internal (inside) interface of the firewall, or monitor its external (outside) interface; both are shown in Figure 1.5. The two approaches do not show the same thing.




Figure 1.5

By monitoring the firewall's internal interface, you see all Internet-bound traffic sent by intranet users, with their internal (private) source IP addresses. By monitoring the external interface, you see only the traffic the firewall actually allowed through to the Internet, and its source addresses are the external addresses (thanks to NAT, the internal addresses assigned to intranet users have been translated). Traffic initiated by intranet users but blocked by the firewall never reaches the external interface, so it cannot be seen there. Conversely, if someone attacks the firewall or the intranet from the Internet, the external interface is the only place to observe the attack traffic, since the firewall may drop it before it reaches the internal interface.

Some vendors’ firewalls also support embedded packet capture like the routers described above.

4. TAP and Hub

The following two devices can also be used to monitor traffic.

TAP: The switch in Figure 1.4 can be replaced by a Test Access Point (TAP) inserted in the monitored link. A TAP is a simple three-port device: traffic passes between its two network ports unchanged, and a copy of everything is sent out of the monitor port to Wireshark, which gives the same result as port mirroring on a switch. A TAP is cheaper and simpler to use than a switch, and it passes errored frames (bad CRC, runts) to Wireshark as they are, whereas a LAN switch discards them. A switch costs more and takes time to configure, but offers more monitoring capabilities (for example, SNMP, which common managed LAN switches support). When troubleshooting a network, a managed switch, even a low-end one, is the better choice.

Hub: The switch in Figure 1.4 can also be replaced by a hub on the monitored link. A hub is a half-duplex device that repeats every frame to all of its ports, so Wireshark connected to it sees every packet passing between the router and the SP device. The biggest drawback is that a hub is a shared, half-duplex medium: collisions and retransmissions add latency, which distorts what you are trying to measure. Monitoring gigabit ports is common practice today, and hubs are 10/100 Mbps devices, so inserting one forces the link down to 100 Mbps at best, which can seriously affect both the link and the capture. For these reasons hubs are rarely used for packet capture anymore.

1.2.3 Principles behind the Scenes

To understand how port mirroring (port monitoring) works, you need to understand how LAN switches work. A LAN switch forwards frames according to the following rules.

The switch continuously learns the MAC addresses of the devices connected to it, by noting the source MAC address of each frame and the port it arrived on.

When the switch receives a frame destined for a known MAC address, it sends it out only on the port on which it learned that address.

When the switch receives a broadcast frame, it sends it out on all ports except the one it arrived on.

When the switch receives a multicast frame and neither IGMP snooping nor Cisco Group Management Protocol (CGMP) is enabled, it sends it out on all ports except the one it arrived on. If either feature is enabled, the switch sends the multicast frame only to the ports behind which a member of that group has been seen.

When the switch receives a frame with an unknown destination MAC address (which is rare, since the destination has usually been learned from its own earlier traffic), it floods the frame out of all ports except the one it arrived on.

Take the network shown in Figure 1.6 as an example of how a layer 2 (L2) network operates. Every device on the network periodically sends broadcast frames; ARP requests and NetBIOS announcements are examples. Once sent, a broadcast travels through the entire L2 network (dotted arrows in the figure). Because every switch learns M1, the MAC address of PC1, from the port on which PC1's broadcasts arrive, each switch forwards frames with destination MAC address M1 out of that port.




Figure 1.6

When PC2 sends a frame to PC1, the frame first reaches SW5, the switch directly connected to PC2. SW5 has learned M1, the destination MAC address of this frame, on port 6 (on the left in the figure), so it sends the frame out of that port. Similarly, each switch along the way sends the frame out of the port on which it learned M1, until the frame finally reaches PC1.

This is why port mirroring is needed. You configure a port on the switch as the mirror (monitoring) port, have the switch copy the traffic of the monitored port to it, and connect Wireshark to that port to see all traffic going in and out of the monitored port. If instead you simply plug a laptop into an arbitrary switch port without any configuration, it sees only the unicast traffic to and from the laptop itself plus the broadcast and multicast traffic on the network.
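The following is an added example, not code from the book, that models the forwarding rules above as a small learning switch with a SPAN session, and replays the Figure 1.1 situation (server S2 on port 1, a client on port 2, the Wireshark laptop on port 24; the MAC addresses, port numbers and frame labels are constructed for the example). Without mirroring the laptop port receives only the flooded broadcast; with port 1 mirrored it receives every frame that enters or leaves S2's port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit set in the first octet)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    label: str = ""          # human-readable tag used only for the demo


@dataclass
class Switch:
    """A learning switch. delivered[port] records every frame that left that port."""
    ports: int
    mac_table: Dict[str, int] = field(default_factory=dict)   # MAC -> port learned on
    span_sources: Set[int] = field(default_factory=set)       # monitored ports
    span_dest: Optional[int] = None                           # monitoring port
    delivered: Dict[int, List[Frame]] = field(default_factory=dict)

    def configure_span(self, sources: Set[int], dest: int) -> None:
        """Mirror both directions of `sources` to `dest`. Cisco IOS equivalent:
             monitor session 1 source interface Gi1/0/<n> both
             monitor session 1 destination interface Gi1/0/<dest>
        """
        self.span_sources = set(sources)
        self.span_dest = dest

    def _emit(self, port: int, frame: Frame) -> None:
        self.delivered.setdefault(port, []).append(frame)

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Handle one ingress frame and return the ports it was forwarded to."""
        # 1. Learn: the source MAC is reachable through in_port.
        self.mac_table[frame.src] = in_port
        # 2. Forward: known unicast goes to one port; broadcast, multicast
        #    (no IGMP snooping modelled) and unknown unicast are flooded.
        if frame.dst in self.mac_table and not is_group_address(frame.dst):
            out_ports = [self.mac_table[frame.dst]]
        else:
            out_ports = [p for p in range(1, self.ports + 1) if p != in_port]
        # A SPAN destination port carries mirrored copies only.
        out_ports = [p for p in out_ports if p != self.span_dest]
        for p in out_ports:
            self._emit(p, frame)
        # 3. Mirror: one copy of anything entering or leaving a monitored port.
        if self.span_dest is not None and (
            in_port in self.span_sources or self.span_sources.intersection(out_ports)
        ):
            self._emit(self.span_dest, frame)
        return out_ports


def figure_1_1_scenario(mirror_s2: bool) -> List[str]:
    """Constructed traffic: S2 on port 1, a client on port 2, another host on
    port 3, the Wireshark laptop on port 24. Returns the labels the laptop saw."""
    S2, CLIENT, OTHER = "00:00:00:00:00:02", "00:00:00:00:00:10", "00:00:00:00:00:20"
    sw = Switch(ports=24)
    if mirror_s2:
        sw.configure_span({1}, 24)
    traffic = [
        (2, Frame(CLIENT, BROADCAST, "ARP who-has S2")),   # flooded to every port
        (1, Frame(S2, CLIENT, "ARP reply")),               # unicast: CLIENT already learned
        (2, Frame(CLIENT, S2, "HTTP GET")),
        (1, Frame(S2, CLIENT, "HTTP 200")),
        (3, Frame(OTHER, CLIENT, "unrelated unicast")),    # never touches port 1
    ]
    for port, frame in traffic:
        sw.receive(port, frame)
    return [f.label for f in sw.delivered.get(24, [])]


if __name__ == "__main__":
    print("laptop on plain port  :", figure_1_1_scenario(mirror_s2=False))
    print("laptop on SPAN dest   :", figure_1_1_scenario(mirror_s2=True))
```

The model leaves out ageing of the MAC table and VLANs, but the two results are exactly what you see in practice: an un-mirrored port shows "ARP who-has S2" and nothing else of the S2 conversation, while the SPAN destination shows the whole exchange in both directions and none of the traffic that never crosses port 1.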

1.2.4 There's More

There are several special cases to be aware of when using Wireshark to capture packets.

There are several things to keep in mind when capturing the traffic of an entire VLAN (VLAN monitoring). The first is that Wireshark can only collect the VLAN's traffic that actually passes through the switch it is directly connected to, even though the goal is to monitor the whole VLAN. For example, on a switched network ports on several switches belong to VLAN 10. If Wireshark is connected to one access switch only, traffic from VLAN 10 hosts on the other access switches to servers attached directly to the core switches never crosses that access switch and cannot be captured. In the network shown in Figure 1.7, user hosts are spread over the floors and connected to the access switch on each floor, and each access switch connects to one or two (redundant) core switches. To monitor all traffic in a VLAN, the Wireshark host must be connected to a switch that carries all of that VLAN's traffic; to capture all of VLAN 10, that means connecting it to the core switches.




Figure 1.7

On the network shown in Figure 1.7, if Wireshark is connected to SW2 and mirroring is enabled on SW2 for VLAN 30, only the VLAN 30 traffic on ports P2, P4 and P5 of SW2, and other VLAN 30 traffic passing through SW2, is captured. Wireshark cannot see VLAN 30 traffic that travels between SW3 and SW1, or between VLAN 30 devices connected to SW3 or SW1.

Another issue with VLAN-wide capture is duplicate packets. With VLAN mirroring, a frame exchanged between two ports of the same switch in the monitored VLAN is mirrored twice: once as it enters the switch on the sending host's port (ingress) and once as it leaves the switch on the receiving host's port (egress).

In Figure 1.8, port mirroring is enabled on the switch to monitor VLAN 30. When S4 sends a packet to S2, Wireshark first receives the copy mirrored as the frame enters the switch on the port connected to S4, and then a second copy as the same frame leaves on the port connected to S2. The result is that the same traffic is captured twice.
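The following added example (Python, not code from the book) implements on a small constructed capture what two of the tools listed in Section 1.2.1 do: a Capinfos-style summary and the duplicate removal of editcap -d, which drops a packet identical to one of the previous five. It writes and reads the libpcap file format directly so that it runs without Wireshark installed. The sample frames (S4 to S2 on VLAN 30, each mirrored twice a few microseconds apart), their MAC addresses and payloads are constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1

Packet = Tuple[float, bytes]   # (timestamp in seconds, raw frame bytes)


def write_pcap(packets: List[Packet]) -> bytes:
    """Serialize packets into a pcap file image (24-byte global header + records)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a little-endian microsecond pcap image back into packets."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    pos, packets = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, pos)
        pos += 16
        packets.append((sec + usec / 1_000_000, data[pos:pos + incl_len]))
        pos += incl_len
    return packets


def summarize(packets: List[Packet]) -> dict:
    """Capinfos-style summary: packet count, total bytes, capture duration."""
    if not packets:
        return {"packets": 0, "bytes": 0, "duration": 0.0}
    return {
        "packets": len(packets),
        "bytes": sum(len(f) for _, f in packets),
        "duration": round(packets[-1][0] - packets[0][0], 6),
    }


def dedupe(packets: List[Packet], window: int = 5) -> List[Packet]:
    """Drop a frame whose bytes match one of the previous `window` frames, the
    same rule as editcap -d (window 5) / -D n. Timestamps are ignored in the
    comparison because the two mirrored copies arrive microseconds apart."""
    kept: List[Packet] = []
    recent: List[bytes] = []
    for ts, frame in packets:
        if frame in recent:
            continue
        kept.append((ts, frame))
        recent.append(frame)
        if len(recent) > window:
            recent.pop(0)
    return kept


def ethernet_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame carrying IPv4 (0x0800), optionally 802.1Q-tagged."""
    if vlan is None:
        return dst + src + b"\x08\x00" + payload
    return dst + src + b"\x81\x00" + struct.pack(">H", vlan) + b"\x08\x00" + payload


# Constructed MAC addresses for servers S2 and S4 of Figure 1.8.
S2 = bytes.fromhex("000000000002")
S4 = bytes.fromhex("000000000004")


def sample_vlan30_span_capture() -> bytes:
    """Constructed capture of the Figure 1.8 situation: each frame between S4 and
    S2 is mirrored twice, once entering the switch and once leaving it."""
    req = ethernet_frame(S2, S4, b"request", vlan=30)
    rep = ethernet_frame(S4, S2, b"reply", vlan=30)
    return write_pcap([
        (1.000000, req), (1.000004, req),   # ingress copy, egress copy
        (1.000900, rep), (1.000905, rep),
    ])


def clean_capture(pcap_bytes: bytes) -> Tuple[dict, dict, bytes]:
    """Return (summary before, summary after, deduplicated pcap image)."""
    before = read_pcap(pcap_bytes)
    after = dedupe(before)
    return summarize(before), summarize(after), write_pcap(after)


if __name__ == "__main__":
    before, after, cleaned = clean_capture(sample_vlan30_span_capture())
    print("before:", before)
    print("after :", after)
    with open("vlan30_dedup.pcap", "wb") as fh:   # opens cleanly in Wireshark
        fh.write(cleaned)
```

In practice you would run editcap -d in.pcap out.pcap (or -D n for a larger window, -w seconds for a time window) rather than this script. Both compare the full frame bytes, so if the two mirrored copies differ, for instance because only one of them carries the 802.1Q tag, neither will merge them. The cleaner fix is to avoid the duplicates at the source by mirroring only one direction of the VLAN, which on Cisco IOS is monitor session 1 source vlan 30 rx.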







Wireshark Network Analysis in Action (2nd Edition) (original title: Network Analysis Using Wireshark 2 Cookbook, Second Edition)

[India] Nagendra Kumar Nainar, Yogesh Ramdoss; [Israel] Yoram Orzach

This book is an updated edition of the bestselling title of the same name. It is a step-by-step guide to using Wireshark and applying it to real-world network problems.

The book opens with an overview of Wireshark version 2, covering troubleshooting with Wireshark, capture filters, display filters, the basic and advanced statistics tools, and the Expert Information tool. It then covers Ethernet and LAN switching; wireless LAN; network-layer protocols and how they operate; transport-layer protocol analysis; FTP, HTTP/1 and HTTP/2; DNS; e-mail protocols; NetBIOS and SMB; the behavior of enterprise network applications; troubleshooting SIP, multimedia and IP telephony; problems caused by low bandwidth or high latency; and network security and network forensics.
Wireshark Version 2 provides an overview of Wireshark version 2, including Wireshark troubleshooting, packet capture filter, display filter, basic Information statistics tool, advanced Information statistics tool, and Expert Information tool. Ethernet and LAN switching, wireless LAN, network layer protocols and how they operate, Transport layer protocol analysis, FTP, HTTP/1 and HTTP/2, DNS protocol analysis, E-mail protocol analysis, NetBIOS and SMB protocol analysis, Enterprise Network application behavior analysis, Troubleshooting SIP, multimedia and IP phone faults, troubleshooting caused by low bandwidth or high latency, network security and network forensics knowledge.