Computer Networking - Pacific Networking And Computer


Slide 1: Computer Networking
COMP 177, Fall 2020, University of the Pacific, Jeff Shafer
Introducing Wireshark

Slide 2: Recap
Past topics:
- An overview of computer networking
Today's topic:
- Introduce Wireshark
  - General architecture
  - GUI

Slide 3: Why are we learning about Wireshark?
- To understand how protocols work, it is helpful to
  - Observe the sequence of packets communicated between network nodes
  - Study the packet details and how protocols work in practice
  - Cause the protocol to do a specific action and check out the result
- Wireshark is a free tool that provides such services
  - Supports all major operating systems
  - https://www.wireshark.org/

Slide 4: Reading & Parsing Packets
- Wireshark is capable of reading a packet and parsing it into
  - Different protocol headers
  - Different fields in each protocol header
  - plus reporting some meta-data about the fields
    - This does not appear directly in the packet header but is based on Wireshark's analysis of this packet or even a sequence of packets

Slide 5: Reading & Parsing Packets
(Figure: encapsulation, layer by layer)
- HTTP: HTTP message
- TCP: TCP header | HTTP message (TCP payload)
- IP: IP header | TCP header | HTTP message (IP payload)
- Ethernet: Ethernet header | IP header | TCP header | HTTP message | Ethernet trailer (Ethernet payload)
- Physical: a collection of bits
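As an added illustration of slides 4 and 5 (written for this transcript, not part of the course materials): a small Python dissector that builds a constructed Ethernet/IPv4/TCP/HTTP frame, then peels it layer by layer into protocol headers and fields, and reports one piece of derived meta-data of the kind slide 4 mentions. The MAC addresses, IP addresses, ports and HTTP request are constructed values.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP / HTTP request.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def build_sample_frame():
    """Assemble the encapsulation of slide 5 from the inside out."""
    tcp = struct.pack("!HHIIBBHHH", 54321, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(HTTP_REQ)                      # IPv4 header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + HTTP_REQ

def parse_frame(frame):
    """Peel the frame layer by layer, as a dissector does, collecting fields per protocol."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                                         # not IPv4: stop here
        return layers
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    ip_end = 14 + total_len
    layers["ip"] = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto, "total_len": total_len,
                    "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    # Meta-data that is in no header (slide 4): derived by comparing the IP length claim
    # against what was actually captured, e.g. to flag a truncated frame.
    layers["meta"] = {"ip_len_matches_frame": ip_end == len(frame)}
    if proto != 6:                                                  # not TCP: stop here
        return layers
    t = 14 + ihl
    sport, dport, seq, ack, off_flags, flags, *_ = struct.unpack("!HHIIBBHHH", frame[t:t + 20])
    data_off = (off_flags >> 4) * 4
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": {name for bit, name in TCP_FLAGS if flags & bit}}
    payload = frame[t + data_off:min(ip_end, len(frame))]
    if 80 in (sport, dport) and payload:                            # port-based HTTP guess
        request_line, _, rest = payload.partition(b"\r\n")
        hdrs = dict(h.split(b": ", 1) for h in rest.split(b"\r\n") if b": " in h)
        layers["http"] = {"request_line": request_line.decode(errors="replace"),
                          "headers": {k.decode(): v.decode(errors="replace") for k, v in hdrs.items()}}
    return layers

if __name__ == "__main__":
    for name, fields in parse_frame(build_sample_frame()).items():
        print(name, fields)
```

Running the script prints one line per layer, which is the same view Wireshark's Packet Details pane gives as a tree; dropping the last bytes of the frame before parsing flips the meta flag, mirroring how a dissector notices a capture shorter than the IP header claims.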

Slide 6: Reading Packets
- Two major ways to obtain packets for analysis:
  - Wireshark can read a collection of already-captured packets in a file
    - File with suffix: .cap, .pcap, .pcapng
    - Such a file may include packets from a remote network
  - Wireshark can capture packets from a given network interface
    - This is called packet sniffing
    - A packet sniffer collects copies of the sent/received packets, parses them, and reports them to the user
    - A packet sniffer acts passively, i.e.,
      - It does not send packets to other machines by itself
      - It does not spoof the packets
- There are many other packet sniffers besides Wireshark
  - tshark, tcpdump, dumpcap, ettercap, etc.

Slide 7: Packet Sniffer Architecture
(Figure: packet sniffer = packet capture at system level + packet analyzer at user level)
- A packet sniffer consists of two major components:
  - Packet capture library
    - Runs in system level (operating system)
    - Reads the packets from the network interface of the machine
  - Packet analyzer library
    - Runs in user level
    - Parses and reports the packets to the user

Slide 8: Packet Capturing
- To capture a packet with all encapsulated headers, it suffices to get a copy of the data link layer frame
(Figure: the packet capture component, at system level, reads the data link layer frame; the packet analyzer, at user level, receives it. Layers shown:)
- Application: Application layer message
- Transport: Transport layer header | Application layer message (transport layer payload)
- Network: Network layer header | Transport layer header | Application layer message (network layer payload)
- Data Link: Link layer header | Network layer header | Transport layer header | Application layer message | Link layer trailer (data link layer payload)

Slide 9: Running Wireshark (Linux)
- Install
    sudo apt-get install wireshark
- Configure so non-root users have permission to capture packets (insert your Linux username into the second command)
    sudo dpkg-reconfigure wireshark-common
    sudo usermod -a -G wireshark USERNAME
- Run Wireshark
    wireshark
- Next, interfaces are listed. Selecting one of the interfaces will start capturing packets on that interface.

Slide 10: Running Wireshark
(Figure: screenshot of the Wireshark start screen)

Slide 11: (Figure: annotated Wireshark window with labels Toolbar, Display Filter, Packet List, Packet Details, Packet Bytes)

Slide 12: Wrapup
Recap
- Today we discussed
  - Why we need to learn about a packet sniffer
  - The architecture of packet sniffers
  - Wireshark and its GUI
Next class
- Start discussing data link layer protocols
  - Ethernet (802.3)
  - WiFi (802.11)

Slide 13: Class Activity
CA.1 – Introducing Wireshark
Due tonight at 11:59pm
