Wireshark Course Telcoma

Uploaded by Hrvoje Eror

Wireshark

Full course at
https://telcomaglobal.com

TELCOMA
Copyright © TELCOMA. All Rights Reserved
Introduction

Wireshark
Wireshark is a packet analyzer tool.

Wireshark is open-source software released under the GNU General Public License.

Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Wireshark was originally developed by Gerald Combs.

Wireshark is cross-platform: it uses the Qt widget toolkit to implement the user interface and a pcap library (libpcap, or Npcap on Windows) to capture packets.
Wireshark
It runs on Linux, macOS, Solaris, some other Unix-like operating systems,
and Microsoft Windows.

There is also a terminal-based (non-GUI) version called TShark.

Features of Wireshark
● Wireshark can decode a wide range of protocols; data it does not recognize is still shown as raw bytes.
● Dissectors provide the ability to decode packets in Wireshark, one protocol layer at a time.
● Captures can be analyzed immediately or saved for future use.
● To see traffic not addressed to the capturing host, the interface is put into promiscuous mode. On Wi-Fi this is not enough: capturing other stations' 802.11 frames requires monitor mode, which is a separate setting. On a switched network a port only receives its own unicast traffic plus broadcast and multicast, so capturing other hosts' traffic needs a SPAN/mirror port or a network tap.
● Numerous filters can be applied to target a specific address (or address range), application, response code, conversation, keyword, etc.

Use of Wireshark
● Troubleshooting network problems
● Examining network security
● Debugging protocol implementations
● Learning network protocols
● Analyzing specific timing, protocol flags and bits on the wire

Wireshark Graphical User Interface (GUI)

Wireshark GUI
GUI Key Elements:

● Title Bar
● Main Menu
● Main toolbar
● Display Filter and Filter Expression area
● Wireless toolbar
● Packet List pane
● Packet Details pane
● Packet Bytes pane
● Status Bar
Wireshark Version
Wireshark runs on most commonly used operating systems, including Windows, macOS, and *NIX systems.

Click the Download button on www.wireshark.org and the site will detect the operating system you are running and highlight the build of Wireshark most appropriate for it.

Wireshark is easy to install on Windows and macOS, as official installer packages are provided for both. Before running an installer, check the downloaded file against the hashes or signatures published on the download page; a capture tool that runs with capture privileges is not something to install from an unverified copy.

Wireshark Version
Wireshark also comes preinstalled on a number of security and forensic tool distributions, such as Kali Linux (www.kali.org).

The complete list of supported platforms and requirements is available at www.wireshark.org/docs/wsug_html_chunked/ChIntroPlatforms.html.

Wireshark Components

How does Wireshark capture network traffic?
Capture is done using special link-layer drivers.

When a computer connects to a network, it relies on a network interface card (such as an Ethernet card) and a link-layer driver (such as an Atheros PCI-E Ethernet driver) to send and receive packets.

Wireshark also relies on the network interface card and on a capture driver (libpcap on Unix-like systems, Npcap on Windows) that sits alongside the normal link-layer driver and passes copies of the traffic up for capture and analysis.

Capture Filter
For capturing, Wireshark uses a packet capture library:
Npcap on Windows hosts (older releases used WinPcap, which is no longer maintained).
libpcap on *NIX hosts and macOS.
USBPcap on Windows to capture communications to and from local USB ports.
When you start capturing traffic with Wireshark, a tool called dumpcap is launched in the background to do the actual capturing. This separation matters for security: only dumpcap needs capture privileges, so the large dissector code base in the Wireshark GUI can run as an unprivileged user.
Capture filters use Berkeley Packet Filter (BPF) syntax, the same syntax tcpdump uses (for example, tcp port 443 and not host 10.0.0.5). They are applied by the capture library before a packet is ever written, so non-matching packets are lost for good. Display filters are different: they use Wireshark's own syntax (for example, tcp.port == 443) and only hide packets that are already in the trace.

Capture Engine - Dumpcap
Dumpcap Capture Engine

The dumpcap capture engine defines how the capture process runs and when it stops.

For example, you can set up a capture that saves frames to a ring of 50 MB files and automatically stops after a set number of files has been written, so a long-running capture cannot fill the disk.

The current default trace file format is pcapng (.pcapng); the older libpcap format (.pcap) can still be written and read.
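As an added example (my own code, not from the Telcoma course or the Wireshark project), the following Python builds the dumpcap command line for the situation described in the two slides above: a BPF capture filter, a ring of 50 MB files and an automatic stop condition. It assumes dumpcap is on PATH and that the user has capture privileges; the interface name, output path and filter text are placeholders.

```python
"""Added example (not Telcoma's or the Wireshark project's code): build the
dumpcap command line for a ring-buffer capture with a BPF capture filter.
Assumes dumpcap is on PATH and the caller has capture privileges; the
interface name, output path and filter text are placeholders."""
import shlex
import subprocess
from typing import List, Optional


def dumpcap_ring_buffer_cmd(interface: str, outfile: str,
                            capture_filter: Optional[str] = None,
                            file_size_mb: int = 50, ring_files: int = 10,
                            stop_after_files: Optional[int] = None,
                            pcapng: bool = True) -> List[str]:
    """Return the argv list for dumpcap.

    -b filesize:N   start a new file every N KiB; dumpcap counts in KiB, so
                    50 MB is 50 * 1024 = 51200 (passing a byte count is a
                    common mistake and rotates files far too often)
    -b files:N      keep at most N files, overwriting the oldest (the ring)
    -a files:N      stop the capture altogether after N files are written
    -f FILTER       capture filter in BPF syntax, applied by libpcap/Npcap
                    before the packet ever reaches Wireshark
    -P              write classic pcap instead of the default pcapng
    """
    if file_size_mb <= 0 or ring_files <= 0:
        raise ValueError("file size and ring size must be positive")
    argv = ["dumpcap", "-i", interface, "-w", outfile,
            "-b", f"filesize:{file_size_mb * 1024}",
            "-b", f"files:{ring_files}"]
    if stop_after_files is not None:
        argv += ["-a", f"files:{stop_after_files}"]
    if capture_filter:
        # One argv element; no shell quoting is needed because subprocess
        # does not go through a shell, so filter text cannot inject commands.
        argv += ["-f", capture_filter]
    if not pcapng:
        argv.append("-P")
    return argv


def run_capture(argv: List[str]) -> int:
    """Launch dumpcap and block until it stops (autostop condition or Ctrl-C)."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Keep the 10 newest 50 MB files and stop after 50 files (2.5 GB) in total.
    cmd = dumpcap_ring_buffer_cmd("eth0", "/var/tmp/trace.pcapng",
                                  capture_filter="tcp port 443 and not host 10.0.0.5",
                                  stop_after_files=50)
    print(shlex.join(cmd))   # copy-paste form for a terminal
    # run_capture(cmd)       # uncomment to actually start capturing
```

The printed line is what you would type by hand; calling `run_capture` from a script is the form to use under a supervisor, because the exit code tells you whether the autostop condition was reached or dumpcap died (for example, for lack of privileges on the interface).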

Capture Engine - Wiretap Library
The Wiretap Library

It is used to open saved trace files.

It performs the input/output functions for saved trace files and understands many capture file formats, not only pcap and pcapng.

When you open a trace file (whether captured with Wireshark or another analysis tool), the Wiretap library parses the file and delivers the frames to the Core Engine.
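To make the pcapng format and the Wiretap library's job concrete, here is an added example (my own code, not the course's or Wireshark's) that writes a minimal little-endian pcapng file and reads it back, checking every block length before trusting it. The Ethernet/IPv4/UDP frame is constructed for the example; the file it produces opens in Wireshark or with `tshark -r`.

```python
"""Added example (not Telcoma's or the Wireshark project's code): a minimal
pcapng writer and reader covering the three block types every capture needs
(Section Header, Interface Description, Enhanced Packet). Timestamps are in
microseconds, the pcapng default when no if_tsresol option is present.
FRAME is a constructed sample packet."""
import struct
from typing import List, Tuple

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1

# Constructed sample: Ethernet / IPv4 192.168.1.10 -> 192.168.1.1 / UDP 49152 -> 53, payload "hi"
FRAME = (bytes.fromhex("001122334455 66778899aabb 0800")                   # Ethernet, EtherType IPv4
         + bytes.fromhex("4500001e 00014000 4011b772 c0a8010a c0a80101")  # IPv4, protocol 17 (UDP)
         + bytes.fromhex("c000 0035 000a 0000") + b"hi")                  # UDP, length 10, no checksum


def _block(block_type: int, body: bytes) -> bytes:
    """Generic pcapng block framing: type, total length, body padded to a
    multiple of 4, total length again (so readers can also walk backwards)."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def write_pcapng(packets: List[Tuple[int, bytes]], linktype: int = LINKTYPE_ETHERNET,
                 snaplen: int = 65535) -> bytes:
    """Serialize (timestamp_us, frame) pairs as a little-endian pcapng file."""
    # SHB: byte-order magic, version 1.0, section length -1 (unknown)
    out = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))
    for ts_us, frame in packets:
        out += _block(EPB, struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF,
                                       len(frame), len(frame)) + frame)
    return out


def read_pcapng(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the block chain and return (timestamp_us, frame) for each EPB.

    Every length is validated before use: a capture file is untrusted input
    (it may come from a hostile host), and an unchecked length is exactly the
    kind of bug that file-format parsers get wrong."""
    pos, endian, packets = 0, "<", []
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError(f"truncated block header at offset {pos}")
        block_type = struct.unpack_from(endian + "I", data, pos)[0]
        if pos == 0 and block_type != SHB:
            raise ValueError("not a pcapng file (first block is not a Section Header)")
        if block_type == SHB:   # 0x0A0D0D0A reads the same in either byte order
            magic = data[pos + 8:pos + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {pos}")
        total = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError(f"bad block length {total} at offset {pos}")
        trailer = struct.unpack_from(endian + "I", data, pos + total - 4)[0]
        if trailer != total:
            raise ValueError(f"block length trailer mismatch at offset {pos}")
        body = data[pos + 8:pos + total - 4]
        if block_type == EPB:
            if len(body) < 20:
                raise ValueError(f"Enhanced Packet Block too short at offset {pos}")
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(endian + "IIIII", body)
            if caplen > len(body) - 20:
                raise ValueError(f"captured length {caplen} exceeds block at offset {pos}")
            packets.append(((ts_hi << 32) | ts_lo, body[20:20 + caplen]))
        pos += total
    return packets


def is_well_formed(data: bytes) -> bool:
    """True if read_pcapng accepts the file, False on any structural error."""
    try:
        read_pcapng(data)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    blob = write_pcapng([(1_700_000_000_123_456, FRAME)])
    with open("example.pcapng", "wb") as fh:   # open with Wireshark or: tshark -r example.pcapng
        fh.write(blob)
    print(read_pcapng(blob))
```

Options (interface name, comments, name resolution records) are omitted on purpose; the block framing is what carries the parsing risk, and it is the part the reader checks on every block.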

Core Engine
The Core Engine is the Goldmine

The Capture Engine passes frames up to the Core Engine.

Wireshark ships thousands of dissectors that translate the incoming bytes into human-readable, decoded frames. Each dissector decodes one protocol layer and hands the remaining bytes to the next dissector based on a type field (EtherType, IP protocol number, port number), so the decode is only as trustworthy as the bytes on the wire. Every dissector runs on untrusted input, and most Wireshark security advisories concern bugs in individual dissectors, so keep Wireshark up to date and avoid opening captures from untrusted sources on a machine you care about.
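Added example (my own code, not from the course or the Wireshark source): a miniature dissector chain in Python that decodes a constructed frame the way Wireshark's dissectors hand off Ethernet to IPv4 to UDP by type field, verifies the IPv4 header checksum, and records inconsistencies as expert notes instead of failing, which is what a dissector running on untrusted bytes must do. The layer names and the dictionary layout are my own choices, not Wireshark's API.

```python
"""Added example (not Telcoma's or the Wireshark project's code): a tiny
dissector chain (Ethernet -> IPv4 -> UDP). Each layer selects the next
dissector from a type field, and malformed input is reported in 'expert'
rather than raising. FRAME is a constructed sample packet."""
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed sample: Ethernet / IPv4 192.168.1.10 -> 192.168.1.1 / UDP 49152 -> 53, payload "hi"
FRAME = (bytes.fromhex("001122334455 66778899aabb 0800")
         + bytes.fromhex("4500001e 00014000 4011b772 c0a8010a c0a80101")
         + bytes.fromhex("c000 0035 000a 0000") + b"hi")


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum_ok(header: bytes) -> bool:
    """RFC 1071 one's-complement sum over the whole header, checksum field
    included; a correct header sums to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def dissect_frame(frame: bytes) -> Dict[str, Any]:
    """Return {'layers': [...], 'expert': [...]} for one Ethernet frame."""
    res: Dict[str, Any] = {"layers": [], "expert": []}
    if len(frame) < 14:
        res["expert"].append("Ethernet header truncated")
        return res
    ethertype = struct.unpack("!H", frame[12:14])[0]
    res["layers"].append({"proto": "eth", "dst": mac(frame[:6]),
                          "src": mac(frame[6:12]), "type": ethertype})
    if ethertype != ETHERTYPE_IPV4:          # dissector table lookup by EtherType
        res["expert"].append(f"no dissector for EtherType 0x{ethertype:04x}")
        return res

    ip = frame[14:]
    if len(ip) < 20:
        res["expert"].append("IPv4 header truncated")
        return res
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ip):
        res["expert"].append("bad IPv4 version or header length")
        return res
    layer = {"proto": "ipv4", "src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]),
             "ttl": ttl, "protocol": proto, "checksum_ok": ipv4_checksum_ok(ip[:ihl])}
    res["layers"].append(layer)
    if not layer["checksum_ok"]:
        res["expert"].append("IPv4 header checksum incorrect")
    if total_len < ihl or total_len > len(ip):
        res["expert"].append(f"IPv4 total length {total_len} inconsistent with {len(ip)} captured bytes")
    payload = ip[ihl:min(total_len, len(ip))]   # never slice past what was captured

    if proto != IPPROTO_UDP:                  # dissector table lookup by IP protocol number
        res["expert"].append(f"no dissector for IP protocol {proto}")
        return res
    if len(payload) < 8:
        res["expert"].append("UDP header truncated")
        return res
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
    if ulen < 8 or ulen > len(payload):
        res["expert"].append(f"UDP length {ulen} inconsistent with {len(payload)} available bytes")
    res["layers"].append({"proto": "udp", "sport": sport, "dport": dport,
                          "payload": payload[8:max(8, min(ulen, len(payload)))]})
    return res


if __name__ == "__main__":
    for name, f in (("good", FRAME), ("truncated", FRAME[:40])):
        r = dissect_frame(f)
        print(name, [layer["proto"] for layer in r["layers"]], r["expert"])
```

The truncated case is the one to study: a 40-byte copy of the frame still yields an Ethernet and an IPv4 layer, but the IPv4 total length no longer matches the captured size and the UDP header cannot be read, so the dissector stops and says so, exactly the behaviour Wireshark shows as "Malformed Packet" in the Packet Details pane.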

User Interface
The Qt Framework

It provides the user interface.

As of Wireshark version 2, the Qt framework is the preferred option for providing the cross-platform interface for Wireshark.

The GTK+ Toolkit

The GTK+ (GIMP Toolkit) was the primary graphical toolkit until Wireshark version 2 was released; the GTK+ interface was removed entirely in Wireshark 3.0.
