Wireshark Deep Dive
Introduction
Wireshark is a powerful open-source network protocol analyzer used for troubleshooting, network analysis, and security auditing. It captures and inspects network traffic in real time, allowing users to analyze individual packets in depth.
Installing Wireshark
Wireshark can be installed on Linux, Windows, and macOS using the following methods:
- **Linux:** `sudo apt install wireshark` (Debian-based) or `sudo yum install wireshark` (RHEL-based).
- **Windows:** Download the installer from [Wireshark.org](https://www.wireshark.org/).
- **macOS:** `brew install wireshark`.
Capturing Packets
1. Launch Wireshark.
2. Select the desired network interface.
3. Click "Start" to begin capturing packets.
4. Stop the capture when needed and analyze the captured packets.
Finding Dropped Packets
Dropped packets indicate network issues such as congestion or hardware failures. To find dropped packets:
1. Use the filter `tcp.analysis.lost_segment` to identify lost TCP segments (Wireshark flags a segment whose sequence number is higher than the next one expected, meaning the segment before it was not seen at the capture point).
2. Check for `tcp.analysis.retransmission`, which shows packets being resent due to potential drops.
3. Review `icmp` packets indicating destination unreachable errors.
4. Use "Statistics" > "TCP Stream Graphs" > "Time-Sequence Graph (Stevens)" to visualize gaps in packet sequences.
A lost segment only proves that the capture point did not see it. If the missing byte range is later retransmitted, the receiver really missed it and the network dropped it; if it is never retransmitted, the packet most likely reached the receiver and was dropped only by the capture itself (for example an oversubscribed SPAN port or a busy capturing host).
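The following Python is an added example, not code from the page or from the Wireshark project. It reproduces, in simplified form, the heuristic behind `tcp.analysis.lost_segment` and `tcp.analysis.retransmission` on a constructed list of TCP segments, and then applies the capture-drop versus network-drop check: for each gap it reports whether the missing byte range was ever resent. The names `Segment`, `SAMPLE_SEGMENTS`, `analyze_flows` and `classify_gaps` are chosen here and the sample data is invented.

```python
from collections import namedtuple

# Constructed sample (not a real capture): one TCP direction per flow, relative
# sequence numbers, payload lengths in bytes. Field names are chosen here.
Segment = namedtuple("Segment", "no src sport dst dport seq length")

SAMPLE_SEGMENTS = [
    # Flow A: client -> server on port 443
    Segment(1, "10.0.0.5", 40000, "10.0.0.9", 443, 1, 1000),
    Segment(2, "10.0.0.5", 40000, "10.0.0.9", 443, 1001, 1000),
    Segment(3, "10.0.0.5", 40000, "10.0.0.9", 443, 3001, 1000),  # bytes 2001-3000 not seen yet
    Segment(4, "10.0.0.5", 40000, "10.0.0.9", 443, 2001, 1000),  # the missing range is resent
    Segment(5, "10.0.0.5", 40000, "10.0.0.9", 443, 4001, 500),
    # Flow B: a second client; a gap that is never filled
    Segment(6, "10.0.0.6", 40100, "10.0.0.9", 443, 1, 1000),
    Segment(7, "10.0.0.6", 40100, "10.0.0.9", 443, 2001, 1000),  # bytes 1001-2000 missing, never resent
    Segment(8, "10.0.0.9", 443, "10.0.0.6", 40100, 1, 0),        # pure ACK, no payload
]


def analyze_flows(segments):
    """Return (flags, gaps).

    flags: {frame_no: "lost_segment" | "retransmission"}, a simplified version of
           Wireshark's tcp.analysis.lost_segment / tcp.analysis.retransmission.
    gaps:  {frame_no_of_lost_segment: (flow_key, missing_start, missing_end)}
    Heuristic per flow direction:
      seq > next expected  -> the segment(s) in between were not captured
      seq < next expected  -> data already accounted for in this direction (resent)
    """
    expected = {}  # flow key -> next expected relative sequence number
    flags = {}
    gaps = {}
    for s in segments:
        if s.length == 0:
            continue  # pure ACKs carry no data and cannot create or fill a gap
        key = (s.src, s.sport, s.dst, s.dport)
        nxt = expected.get(key)
        if nxt is None:
            expected[key] = s.seq + s.length
        elif s.seq > nxt:
            flags[s.no] = "lost_segment"
            gaps[s.no] = (key, nxt, s.seq)
            expected[key] = s.seq + s.length
        elif s.seq < nxt:
            flags[s.no] = "retransmission"
            expected[key] = max(nxt, s.seq + s.length)  # never move backwards
        else:
            expected[key] = s.seq + s.length
    return flags, gaps


def classify_gaps(segments, gaps):
    """For each lost_segment, say whether the missing byte range was later resent.

    resent       -> the receiver really missed it and asked again: a network drop
    never resent -> only the capture point missed it: most likely a capture drop
    """
    verdict = {}
    for frame, (key, start, end) in gaps.items():
        later = [
            s for s in segments
            if s.no > frame
            and (s.src, s.sport, s.dst, s.dport) == key
            and s.length > 0
            and s.seq < end and s.seq + s.length > start  # overlaps the gap
        ]
        verdict[frame] = ("network drop (range retransmitted)" if later
                          else "likely capture drop (never retransmitted)")
    return verdict


if __name__ == "__main__":
    flags, gaps = analyze_flows(SAMPLE_SEGMENTS)
    for frame, tag in sorted(flags.items()):
        print(frame, tag, classify_gaps(SAMPLE_SEGMENTS, gaps).get(frame, ""))
```

Frame 4 is flagged as a retransmission even though the capture never saw those bytes before, because the highest sequence number seen had already moved past it; that is also how Wireshark labels it, which is why the gap classification has to look at the byte range rather than the flag alone.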
Analyzing TCP Handshakes
A proper TCP handshake consists of:
1. **SYN:** Client initiates a connection.
2. **SYN-ACK:** Server acknowledges.
3. **ACK:** Client completes the handshake.
To analyze TCP handshakes:
1. Use the filter `tcp.flags.syn == 1 and tcp.flags.ack == 0` to locate the client's initial SYN packets.
2. Follow the packet conversation using "Follow TCP Stream" to see if the handshake completes.
3. Identify failed handshakes by checking for retransmissions or RST (reset) packets.
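As an added example (not from the page or the Wireshark project), the three steps above can be turned into a small state machine that groups constructed packets into conversations the way the "Conversations" view does and reports, per flow, whether the handshake completed, was refused with RST, was never answered, or stalled after the SYN-ACK. `Pkt`, `SAMPLE_PACKETS`, `flow_key` and `classify_handshakes` are names chosen here; the packets are invented.

```python
from collections import namedtuple

# Constructed packets (not a real capture); only the TCP flag bits this check needs.
Pkt = namedtuple("Pkt", "no src sport dst dport syn ack rst")

SAMPLE_PACKETS = [
    # Flow 1: complete three-way handshake
    Pkt(1, "10.0.0.5", 40001, "10.0.0.9", 443, True, False, False),   # SYN
    Pkt(2, "10.0.0.9", 443, "10.0.0.5", 40001, True, True, False),    # SYN-ACK
    Pkt(3, "10.0.0.5", 40001, "10.0.0.9", 443, False, True, False),   # ACK
    # Flow 2: SYN answered with RST-ACK (nothing listening on the port)
    Pkt(4, "10.0.0.5", 40002, "10.0.0.9", 8080, True, False, False),
    Pkt(5, "10.0.0.9", 8080, "10.0.0.5", 40002, False, True, True),
    # Flow 3: SYN retransmitted and never answered (filtered, or host down)
    Pkt(6, "10.0.0.5", 40003, "10.0.0.9", 22, True, False, False),
    Pkt(7, "10.0.0.5", 40003, "10.0.0.9", 22, True, False, False),
    # Flow 4: SYN-ACK seen but the final ACK never arrives
    Pkt(8, "10.0.0.5", 40004, "10.0.0.9", 443, True, False, False),
    Pkt(9, "10.0.0.9", 443, "10.0.0.5", 40004, True, True, False),
]


def flow_key(p):
    """Direction-independent conversation name (lower endpoint first)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a < b else (b, a)
    return f"{lo[0]}:{lo[1]} <-> {hi[0]}:{hi[1]}"


def classify_handshakes(packets):
    """Return {flow: verdict} from the SYN / SYN-ACK / ACK / RST sequence.

    The same packets are what the display filters in the text isolate:
    initial SYNs with 'tcp.flags.syn == 1 and tcp.flags.ack == 0',
    resets with 'tcp.flags.reset == 1'.
    """
    state = {}
    for p in packets:
        st = state.setdefault(flow_key(p), {
            "client": None, "syns": 0, "synack": False, "ack": False, "rst": False,
        })
        if p.rst:
            st["rst"] = True
        elif p.syn and not p.ack:            # client's SYN (counted to spot retries)
            st["client"] = (p.src, p.sport)
            st["syns"] += 1
        elif p.syn and p.ack:                # server's SYN-ACK
            st["synack"] = True
        elif p.ack and st["synack"] and (p.src, p.sport) == st["client"]:
            st["ack"] = True                 # client's ACK completes the handshake
    verdicts = {}
    for flow, st in state.items():
        if st["synack"] and st["ack"]:
            verdicts[flow] = "complete"
        elif st["rst"]:
            verdicts[flow] = "refused (RST)"
        elif st["synack"]:
            verdicts[flow] = "half-open (final ACK missing)"
        elif st["syns"] > 1:
            verdicts[flow] = "unanswered (SYN retransmitted)"
        else:
            verdicts[flow] = "incomplete (no SYN-ACK)"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_handshakes(SAMPLE_PACKETS).items():
        print(f"{flow}: {verdict}")
```

Many unanswered SYNs from one source to many ports, or many half-open flows on one server port, are the patterns worth alerting on; the verdict strings are chosen so they can be counted directly.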
Essential Wireshark Filters
- **General Filters:**
  * `ip.addr == 192.168.1.1` (show packets to or from a specific IP, in either direction)
  * `tcp.port == 443` (show traffic on TCP port 443, normally HTTPS)
  * `udp.port == 53` (show traffic on UDP port 53, normally DNS)
  * `icmp` (show only ICMP messages such as pings)
- **TCP Filters:**
  * `tcp.flags.syn == 1` (find TCP SYN packets, including SYN-ACKs)
  * `tcp.flags.reset == 1` (find connection resets)
  * `tcp.analysis.retransmission` (identify retransmitted packets)
- **HTTP & DNS Filters:**
  * `http.request.method == "GET"` (find HTTP GET requests)
  * `http contains "password"` (look for sensitive data in cleartext HTTP traffic)
  * `dns.qry.name == "example.com"` (find DNS queries for a domain)
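An added example, not from the page or from Wireshark itself, of why `ip.addr == X` and `tcp.port == N` match both directions of a conversation: these are combined fields that carry both the source and the destination value, so a comparison is true if any occurrence matches. The same fact produces the classic pitfall when excluding a host, because `ip.addr != X` read as "any occurrence differs" (the behaviour of older Wireshark releases) keeps nearly every packet, while `!(ip.addr == X)` reliably drops everything involving X. `PACKETS`, `COMBINED`, `values`, `any_eq`, `any_ne`, `all_ne` and `select` are names chosen here; the packet records are constructed.

```python
# Constructed packet records (not a real capture): the fields that the
# address- and port-based display filters in the text read.
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.1", "ip.dst": "10.0.0.2", "tcp.srcport": 443, "tcp.dstport": 51000},
    {"no": 2, "ip.src": "10.0.0.2", "ip.dst": "192.168.1.1", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"no": 3, "ip.src": "10.0.0.3", "ip.dst": "10.0.0.4", "tcp.srcport": 52000, "tcp.dstport": 80},
    {"no": 4, "ip.src": "10.0.0.4", "ip.dst": "10.0.0.3", "udp.srcport": 53, "udp.dstport": 40000},
]

# Wireshark's ip.addr, tcp.port and udp.port are convenience fields that carry
# BOTH the source and the destination value, so a packet has two occurrences.
COMBINED = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def values(pkt, field):
    """All occurrences of a field in a packet (empty if the protocol is absent)."""
    return [pkt[f] for f in COMBINED.get(field, (field,)) if f in pkt]


def any_eq(pkt, field, value):
    """'field == value': true if ANY occurrence equals value."""
    return any(v == value for v in values(pkt, field))


def any_ne(pkt, field, value):
    """'field != value' as older Wireshark releases evaluated it: true if ANY
    occurrence differs. For a two-sided field that is almost always true."""
    return any(v != value for v in values(pkt, field))


def all_ne(pkt, field, value):
    """'!(field == value)': true only if NO occurrence equals value.
    This is the reliable way to exclude a host or port."""
    return not any_eq(pkt, field, value)


def select(packets, predicate):
    """Frame numbers kept by a display-filter-like predicate."""
    return [p["no"] for p in packets if predicate(p)]


if __name__ == "__main__":
    host = "192.168.1.1"
    print("ip.addr == host   ->", select(PACKETS, lambda p: any_eq(p, "ip.addr", host)))
    print("ip.addr != host   ->", select(PACKETS, lambda p: any_ne(p, "ip.addr", host)))
    print("!(ip.addr == host)->", select(PACKETS, lambda p: all_ne(p, "ip.addr", host)))
```

A packet without the protocol (frame 4 has no TCP layer) has no occurrences of `tcp.port` at all, so neither `tcp.port == 443` nor `tcp.port != 443` matches it; that mirrors how an absent field behaves in a real display filter.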
Performance Optimization
- Use capture filters to reduce packet noise at capture time (`tcp port 80` keeps only traffic on TCP port 80, which is normally HTTP). Capture filters use BPF syntax, not display-filter syntax (`tcp port 80` rather than `tcp.port == 80`), and packets they exclude are never recorded, so choose them carefully before a long capture.
- Save captures for later analysis (`File > Save As`).
- Use "Statistics" tools like "Endpoints" and "Conversations" to identify heavy network users.
Conclusion
Wireshark is an invaluable tool for network engineers and security professionals. By mastering key filters and packet analysis techniques, users can effectively diagnose and resolve network issues.