Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Wireshark
Similar a Wireshark (20)
Wireshark
- 1. An Introduction to Protocol Analysis
- 3. Gerald Combs Author Founder Developer Community Leader
- 4. Cace Technologies Where Gerald Works (for now) Home of AirPcap For wireless captures of 802.11 frames TurboCap Wireshark Appliances Pilot Reporting Software
- 5. PILOT
- 6. Laura Chappell Where to begin Is an independent Runs Wireshark University Chappell University Heads up Wireshark Certification
- 7. Wireshark University Training Materials Videos Captures Books CD/DVD
- 8. Other Tools T Shark TCPDump Included with wireshark Native to *nix Netmonitor Windows version Capsa Snoop Cain Sun Microsystems Windump Ettercap Dsniff Ngrep
- 9. OVERVIEW
- 10. Purpose Troubleshooting Slow Networks Application Problems DNS Issues Web Servers DHCP Issues
- 11. Review of OSI Layer 7 Application (Net Process to App) Layer 6 Presentation (Data Rep. & Encrypt) Layer 5 Session (Interhost Comm) Layer 4 Transport (Delivery Protocol) Layer 3 Network (Logical Addressing) Layer 2 Data Link (Physical Addressing) • MAC • LLC Layer 1 Physical (Media, signal & Bin)
- 12. Review of OSI Layer 8 Politics & Money
- 15. Review of IP
- 17. Review of TCP
- 19. Review of TCP/IP TCP IP Layer 4 Transport Layer 3 Logical RES/NONCE/CWR/ECHO Addressing Protocol URG/ACK/PSH/RST/SYN/ (10.1.0.22/24) FIN Connection Oriented UDP Layer 4 Transport Protocol Connectionless
- 20. TCP Flags • Special Flags (first one reserved) • NS = Nonce Sum • CWR = Congestion Window Reduced • ECE = ECN-Echo • URG = Urgent • ACK = Acknowledgement • PSH = Push • RST = Reset • SYN = Synchronize • FIN = Finish
- 21. See Appendix A
- 23. Basic Network Applications FTP - TCP SIP – TCP/UDP Ports 20 & 21 Port 5060 Telnet - TCP SQL - TCP Port 23 Port 1433 SMTP - TCP RDP - TCP Port 25 Port 3389 DNS - UDP PPTP - TCP Port 53 1723 & 1725 HTTP - TCP Syslog – UDP Port 80 Port 514
- 24. TCP HADNSHAKE
- 25. DATA TRANSFER
- 26. SESSION CLOSURE
- 27. LAB/BREAK
- 28. A Guided Tour
- 29. Profiles
- 30. Preferences
- 32. Personal Settings C:users<username>AppDataRoamingWireshark profiles Profiles cfilters preferences
- 33. System Settings C:program fileswireshark Dfilters – display filters Dumpcap - program Editcap – edit .pcap files Mergecap – merge .pcap files Rawshark – capture in “raw” format Text2pcap – conversion tool Tshark – cli version of wireshark Colorfilters (don’t touch!)
- 34. Ring Buffers What are they Configuring Where are they stored Single/multiple Why are they useful What size How often How many Stopping
- 35. Selecting an Interface Preferences Manually
- 36. Saving Files Where? How big? How many? What format? Speed to disk
- 37. Placement Hubbing Out -> Easy but loss of data Port Spanning -> Good on less busy net In Line Taps -> Best but pricey
- 38. CAPTURES Get as close as possible!
- 39. Captures Where to store them How much space do they take up How to store them
- 40. Display Filters Not my MAC
- 41. Capture Filters Not my MAC
- 42. Colorizing Built in scheme Change on the fly
- 43. LAB 1
- 44. LAB 2
- 45. LAB 3
- 46. LAB 4
- 47. LAB 5
- 49. Statistics Advanced Statistics Conversations Conversation lists Endpoints IP Addresses IP Endpoints IP Protocol Types UDP Multicast Streams WLAN Traffic
- 50. RESOURCES www.wireshark.org Wireshark www.cacetech.com Wireshark Certification www.chappellseminars.c Guide om Wireshark Certification www.wiresharkuniversity Exm Prep Guide .com
- 51. STAY SECURE!
Notas del editor
- Add some slides here but hide them when not needed.
- GusBrian
- Orignial Author and Developer
- Mention Turbocap,Airpcap, and Pilot
- Where to begin
- Get some more information on commercial tools available.
- Explain the outline of the day. 45 minute hours with 10 minute or longer labs and potty and snack breaks builtin.
- Show off slides of other sniffersIntroduce tcpdump and tshark and let them know we will provide more info in the advanced section after lunchTalk about how you discuss the transmission medium – wire v fiber v air
- Hide when not needed for advanced users.
- Check your NIC to see if TCP Checksum offload is available and/or turned on or off. If on it will cause your frames to be 4 bytes smaller than normal because you will not see the FCS at the end of the frame.
- Packet structureICMPAD netbiosnmap scan DirbusterSnoopNmap ||parserCpan
- Perhaps a more detailed explanation of each of these. Maybe attach and appendix with more detailed info.Mention window size and why it is importantRunts and giantsTcp flagintrduction
- See if Gus can give more on NS, CWR and ECE
- Just an example of an ACK segment
- Go to http://www.wireshark.org and download and reinstall the latest 64 bit version on your system.Install wireless USB nics.Let them do some will packet captures is they want to just mess around as we will go over the application in the next session.
- Explain
- Explain
- HubsSwtichesIn line taps
- Colorizing LabReviewthe captures provided.Explore your preferences.Create different profiles for situations like Wlan v Lan v WAN captures.Create profiles for preferred networks.Explore your directory structures.Create at least two coloring rules.Create at least two new capture filters to be applied to a capture file.Create at least two display filters to be applied to a capture file.
- Display Filter labCreate a capture of at least 2 meg that consists of 2 1 meg files.Attempt to user mergecap to combine the two files.Download windump, run and attempt to open your saved capture with Wiresharkwindump –i <interface name> > <filename>
- Capture filter labDisplay Filter labCreate a capture of at least 2 meg that consists of 2 1 meg files.Attempt to user mergecap to combine the two files.Download windump, run and attempt to open your saved capture with Wiresharkwindump –i <interface name> > <filename>
- Merge lab
- Tshark lab