Wireshark is a network protocol analyzer. It uses the WinPcap library to collect dumps of TCP packets and presents you with a load of features to help analyze the capture.
In this series we will generate common network traffic and then attempt to make some sense of it in Wireshark. Go grab yourself a copy and start a quick capture.
Once you see the colorful lines start scrolling go try to access a network share. In my example I attempted to connect to a lan computer \\10.10.10.100\ but then failed to login.
PRO TIP: Make sure you hit stop when done capturing. Displaying all the packets in the GUI will use up all of your ram eventually. Under capture options you can save on ram by unchecking “Update list of packets in real time”. This way you are limited by space on your drive instead of in memory.
The first challenge with a packet capture is weeding out all the crap. At the top there is a filter bar. It isn’t very intuitive but it is very powerful.
If we want to take a look at only packets with a destination of 10.10.10.100 this would be the filter to apply: ip.dst eq 10.10.10.100
Another option would be to view any packets that match (source or destination) the ip 10.10.10.100: ip.addr eq 10.10.10.100
The second filter can give us a better understanding of the back and forth conversation between computers. In my particular example I have already cut through hundreds of packets. The bottom status bar shows us how many packets and what percent we are displaying.
But we are still displaying 231 packets, ain’t nobody got time for that. Let’s go up to the Analyze menu and select “Expert Info”. Two tabs over to “Notes” and we found something interesting. Fault: nca_s_fault_access_denied in the DCERPC protocol. Access denied was the fake problem I created during the capture. Expand that note and click the packet, which will navigate us to that packet number in our main screen.
If we right click on that packet and select “Follow TCP Stream” the filter will change and show us the conversation that ended in heartbreak. Also, that maneuver got me down to 15 packets.
In order to make any sense of this packet capture we’ll have to learn about the DCERPC protocol. Fortunately for us, there is a wireshark wiki article on this protocol which shows some example traffic: http://wiki.wireshark.org/DCE/RPC
So that gives us a taste of what is going on with the protocol. Then if you feel like reading yourself to sleep you can view Microsoft’s implementation of protocols over here: http://msdn.microsoft.com/en-us/library/jj712081.aspx
To review, we have installed WinPcap/Wireshark and gotten a feel for taking and filtering captures. In my next post we will take a look at a simile HTTP request.