Using Wireshark to View Protocol Data Units Learning

Objectives Be able to explain the purpose of a agreement analyzer (Wireshark). Be able to accomplish basal PDU abduction appliance Wireshark. Be able to accomplish basal PDU assay on aboveboard arrangement abstracts traffic. Experiment with Wireshark appearance and options such as PDU abduction and affectation filtering. Background Wireshark is a software agreement analyzer, or "packet sniffer" application, acclimated for arrangement troubleshooting, analysis, software and agreement development, and education. Afore June 2006, Wireshark was accepted as Ethereal. A packet adenoids (also accepted as a arrangement analyzer or agreement analyzer) is computer software that can ambush and log abstracts cartage casual over a abstracts network. As abstracts streams biking aback and alternating over the network, the adenoids "captures" anniversary agreement abstracts assemblage (PDU) and can break and assay its agreeable according to the adapted RFC or alternative specifications. Wireshark is programmed to admit the anatomy of altered arrangement protocols. This enables it to affectation the encapsulation and alone fields of a PDU and adapt its meaning. It is a advantageous apparatus for anyone alive with networks and can be acclimated with best labs in the CCNA courses for abstracts assay and troubleshooting. For advice and to download the affairs go to - http://www. Wireshark. org Scenario To abduction PDUs the computer on which Wireshark is installed charge accept a alive affiliation to the arrangement and Wireshark charge be active afore any abstracts can be captured. Back Wireshark is launched, the awning beneath is displayed. To alpha abstracts abduction it is aboriginal all-important to go to the Abduction card and baddest the Options choice. The Options chat provides a ambit of settings and filters which actuate which and how abundant abstracts cartage is captured. First, it is all-important to ensure that Wireshark is set to adviser the absolute interface. From the Interface drop-down list, baddest the arrangement adapter in use. Typically, for a computer this will be the affiliated Ethernet Adapter. Afresh alternative Options can be set. Among those accessible in Abduction Options, the two accent beneath are account examination. Setting Wireshark to abduction packets in abandoned mode If this affection is NOT checked, alone PDUs destined for this computer will be captured. If this affection is checked, all PDUs destined for this computer AND all those detected by the computer NIC on the aforementioned arrangement articulation (i. e. , those that "pass by" the NIC but are not destined for the computer) are captured. Note: The capturing of these alternative PDUs depends on the agent accessory abutting the end accessory computers on this network. As you use altered agent accessories (hubs, switches, routers) throughout these courses, you will acquaintance the altered Wireshark results. Setting Wireshark for arrangement name resolution This advantage allows you to ascendancy whether or not Wireshark translates arrangement addresses begin in PDUs into names. Although this is a advantageous feature, the name resolution action may add added PDUs to your captured abstracts conceivably distorting the analysis. There are additionally a cardinal of alternative abduction clarification and action settings available. Beat on the Alpha button starts the abstracts abduction action and a bulletin box displays the advance of this process. As abstracts PDUs are captured, the types and cardinal are adumbrated in the bulletin box The examples aloft appearance the abduction of a ping action and afresh accessing a web page. Back the Stop button is clicked, the abduction action is concluded and the capital awning is displayed. This capital affectation window of Wireshark has three panes. The PDU (or Packet) Account Area at the top of the diagram displays a arbitrary of anniversary packet captured. By beat on packets in this pane, you ascendancy what is displayed in the alternative two panes. The PDU (or Packet) Capacity Area in the average of the diagram displays the packet called in the Packet Account Area in added detail. The PDU (or Packet) Bytes Area at the basal of the diagram displays the absolute abstracts (in a hexadecimal anatomy apery the absolute binary) from the packet called in the Packet Account Pane, and highlights the acreage called in the Packet Capacity Pane. Anniversary band in the Packet Account corresponds to one PDU or packet of the captured data. If you baddest a band in this pane, added capacity will be displayed in the "Packet Details" and "Packet Bytes" panes. The archetype aloft shows the PDUs captured back the ping account was acclimated and http://www. Wireshark. org was accessed. Packet cardinal 1 is called in this pane. The Packet Capacity area shows the accepted packet (selected in the "Packet List" pane) in a added abundant form. This area shows the protocols and agreement fields of the called packet. The protocols and fields of the packet are displayed appliance a tree, which can be broadcast and collapsed. The Packet Bytes area shows the abstracts of the accepted packet (selected in the "Packet List" pane) in what is accepted as "hexdump" style. In this lab, this area will not be advised in detail. However, back added all-embracing assay is appropriate this displayed advice is advantageous for analytical the bifold ethics and agreeable of PDUs. The advice captured for the abstracts PDUs can be adored in a file. This book can afresh be opened in Wireshark for assay ancient in the approaching after the charge to re-capture the aforementioned abstracts cartage again. The advice displayed back a abduction book is opened is the aforementioned as the aboriginal capture. Back closing a abstracts abduction awning or departure Wireshark you are prompted to save the captured PDUs. Clicking on Abide after Extenuative closes the book or exits Wireshark after extenuative the displayed captured data. Task 1: Ping PDU Capture Step 1: After ensuring that the accepted lab cartography and agreement is correct, barrage Wireshark on a computer in a lab pod. Set the Abduction Options as declared aloft in the overview and alpha the abduction process. From the command band of the computer, ping the IP abode of addition arrangement affiliated and powered on end accessory on in the lab topology. In this case, ping the Eagle Server at appliance the command ping 192. 168. 254. 254. After accepting the acknowledged replies to the ping in the command band window, stop the packet capture. Step 2: Appraise the Packet Account pane. The Packet Account area on Wireshark should now attending article like this: Look at the packets listed above; we are absorbed in packet numbers 6, 7, 8, 9, 11, 12, 14, and 15. Locate the agnate packets on the packet account on your computer. If you performed Step 1 A aloft bout the letters displayed in the command band window back the ping was issued with the six packets captured by Wireshark. From the Wireshark Packet Account acknowledgment the following: What agreement is acclimated by ping? _icmp_____________________________ What is the abounding agreement name? _____________________________ What are the names of the two ping messages? __echo ping requet, answer ping acknowledgment _____________________________________________________________________ Are the listed antecedent and destination IP addresses what you expected? Yes / No Why? _no. frst time appliance wireshark. After-effects are amazing______________________ Step 3: Baddest (highlight) the aboriginal answer appeal packet on the account with the mouse. The Packet Detail area will now affectation article agnate to: Click on anniversary of the four "+" to aggrandize the information. The packet Detail Area will now be agnate to: As you can see, the capacity for anniversary area and agreement can be broadcast further. Spend some time scrolling through this information. At this date of the course, you may not absolutely accept the advice displayed but accomplish a agenda of the advice you do recognize. Locate the two altered types of 'Source" and "Destination". Why are there two types? __________________________________________________________________ What protocols are in the Ethernet frame? ____________________________________________________________ As you baddest a band in the Packets Detail area all or allotment of the advice in the Packet Bytes area additionally becomes highlighted. For example, if the additional band (+ Ethernet II) is accent in the Capacity area the Bytes area now highlights the agnate values. This shows the accurate bifold ethics that represent that advice in the PDU. At this date of the course, it is not all-important to accept this advice in detail. Step 4: Go to the Book card and baddest Close. Bang on Abide after Extenuative back this bulletin box appears. Task 2: FTP PDU Capture Step 1: Alpha packet capture. Assuming Wireshark is still active from the antecedent steps, alpha packet abduction by beat on the Alpha advantage on the Abduction card of Wireshark. At the command band on your computer active Wireshark, access ftp 192. 168. 254. 254 Back the affiliation is established, access bearding as the user after a password. Userid: bearding Password: You may alternatively use login with user id cisco and with countersign cisco. Back auspiciously logged in access get /pub/eagle_labs/eagle1/chapter1/gaim-1. 5. 0. exe and columnist the access key. This will alpha downloading the book from the ftp server. The achievement will attending agnate to: C:Documents and Settingsccna1>ftp eagle-server. example. com Affiliated to eagle-server. example. com. 220 Welcome to the eagle-server FTP service. User (eagle-server. example. com:(none)): bearding 331 Please specify the password. Password: 230 Login successful. ftp> get /pub/eagle_labs/eagle1/chapter1/gaim-1. 5. 0. exe 200 PORT command successful. Consider appliance PASV. 150 Opening BINARY approach abstracts affiliation for pub/eagle_labs/eagle1/chapter1/gaim-1. 5. 0. exe (6967072 bytes). 26 Book accelerate OK. ftp: 6967072 bytes accustomed in 0. 59Seconds 11729. 08Kbytes/sec. Back the book download is complete access abdicate ftp> abdicate 221 Goodbye. C:Documents and Settingsccna1> Back the book has auspiciously downloaded, stop the PDU abduction in Wireshark. Step 2: Increase the admeasurement of the Wireshark Packet Account area and annal through the PDUs listed. Locate and agenda those PDUs associated with the book download. These will be the PDUs from the Band 4 agreement TCP and the Band 7 agreement FTP. Analyze the three groups of PDUs associated with the book transfer. If you performed the footfall above, bout the packets with the letters and prompts in the FTP command band window. The aboriginal accumulation is associated with the "connection" appearance and logging into the server. List examples of letters exchanged in this phase. ___________________________________________________________________ Locate and account examples of letters exchanged in the additional appearance that is the absolute download appeal and the abstracts transfer. __________________________________________________________________ ___________________________________________________________________ The third accumulation of PDUs chronicle to logging out and "breaking the connection". Account examples of letters exchanged during this process. __________________________________________________________________ ___________________________________________________________________ Locate alternating TCP exchanges throughout the FTP process. What affection of TCP does this indicate? ___________________________________________________________________ ___________________________________________________________________ Step 3: Appraise Packet Details. Select (highlight) a packet on the account associated with the aboriginal appearance of the FTP process. View the packet capacity in the Capacity pane. What are the protocols encapsulated in the frame? ___________________________________________________________________ Highlight the packets absolute the user name and password. Appraise the accent allocation in the Packet Byte pane. What does this say about the aegis of this FTP login process? ___________________________________________________________________ Highlight a packet associated with the additional phase. From any pane, locate the packet absolute the book name. The filename is: ______________________________ Highlight a packet absolute the absolute book agreeable - agenda the apparent argument arresting in the Byte pane. Highlight and examine, in the Capacity and Byte panes, some packets exchanged in the third appearance of the book download. What appearance analyze the agreeable of these packets? ___________________________________________________________________ When finished, abutting the Wireshark book and abide after saving Task 3: HTTP PDU Capture Step 1: Alpha packet capture. Assuming Wireshark is still active from the antecedent steps, alpha packet abduction by beat on the Alpha advantage on the Abduction card of Wireshark. Note: Abduction Options do not accept to be set if continuing from antecedent accomplish of this lab. Barrage a web browser on the computer that is active Wireshark. Access the URL of the Eagle Server of example. com or access the IP address-192. 168. 254. 254. Back the webpage has absolutely downloaded, stop the Wireshark packet capture. Step 2: Increase the admeasurement of the Wireshark Packet Account area and annal through the PDUs listed. Locate and analyze the TCP and HTTP packets associated with the webpage download. Agenda the affinity amid this bulletin barter and the FTP exchange. Step 3: In the Packet Account pane, highlight an HTTP packet that has the characters "(text/html)" in the Info column. In the Packet Detail area bang on the "+" abutting to "Line-based argument data: html" Back this advice expands what is displayed? ___________________________________________________________________ Examine the accent allocation of the Byte Panel. This shows the HTML abstracts agitated by the packet. Back accomplished abutting the Wireshark book and abide after saving Task 4: Reflection Consider the encapsulation advice pertaining to captured arrangement abstracts Wireshark can provide. Relate this to the OSI and TCP/IP band models. It is important that you can admit and articulation both the protocols represented and the agreement band and encapsulation types of the models with the advice provided by Wireshark. Task 5: Challenge Discuss how you could use a agreement analyzer such as Wireshark to: (1)Troubleshoot the abortion of a webpage to download auspiciously to a browser on a computer. and (2)Identify abstracts cartage on a arrangement that is requested by users. _____________________________________________________________________________ _____________________________________________________________________________ ____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ Task 6: Cleanup Unless instructed contrarily by your instructor, avenue Wireshark and appropriately shut bottomward the computer. Packet Account Area Packet Capacity Area Packets Bytes Pane

