==================[ Wireshark Exercises ]==================

Do these exercises. Write short reports, explaining your filters and results.

A useful video tutorial. The newer Mac version of Wireshark uses Mac's native GUI system rather than the ported X Window system that Linux uses, so your newly downloaded Wireshark will look slightly different, and perhaps a bit slicker, but the functionality is the same:
https://www.youtube.com/watch?v=TkCSr30UojM

NOTE: You need to be administrator/root for all of the exercises below. Sniffing packets is typically reserved for the system administrator; otherwise users on a multi-user machine might sniff each other's sessions.

0. Install Wireshark. On a Mac, you'll download the .dmg from https://www.wireshark.org/download.html . On Ubuntu or Debian Linux, "apt-get install wireshark" would do it. On Linux, also grab tcpdump and tshark, the text-based packet analyzers ("apt-get install tcpdump", "apt-get install tshark").

1. Study Wireshark's preferences and panels. I set mine to scroll the upper pane (with packet summaries) on update. Depending on your screen, you can set the lower two panels (analysis of a packet and its bytes in hex) side-by-side instead of on top of each other.

------------[ Filtering capture & display ]------------

Wireshark has _two_ ways of filtering traffic, and (unfortunately) two different languages for specifying the filters. One language and GUI element specifies which captured packets to display in Wireshark's panes; the other specifies which packets to capture in the first place. Captured packets can be further drilled down into with display filters. So why filter at the capture stage at all? Because on a busy network the memory footprint of Wireshark capturing all packets grows really fast, and the GUI becomes sluggish.

============[ Display filters ]============

Display filters can be entered into the text box just under the toolbar/menu bar.
Filter expressions follow a kind of object-oriented syntax, where you specify first a protocol and then one of its fields, like "arp.opcode", e.g.: "arp.opcode == 1" (shows only ARP requests). All protocol fields have names in this language; the list is shown after you type a protocol name and a dot into the filter box, and as you keep typing, the list of suggested legal completions grows smaller. This is handy, because no one can remember all the field names of all protocols!

There are also useful expressions that are not protocol fields per se, but reduce typing. For example, "ip.addr == 8.8.8.8" will display packets _to or from_ 8.8.8.8, which is shorter than the equivalent "ip.dst == 8.8.8.8 or ip.src == 8.8.8.8". Another useful expression is ".port" for protocols that have ports, e.g., "udp.port" or "tcp.port"---that matches packets to or from that port.

The best way to learn the name of a field is from Wireshark's analysis (middle) panel. Open up a protocol parse tree, right-click on a field, and select "Prepare a Filter". That will paste the filter expression into the filter box, or, if you choose options like "..and .." or "..or..", will add a logical clause to the existing filter expression. I find it very convenient.

Other useful primitives: "contains" will match substrings of text fields such as hostnames in DNS queries, and even of whole protocol payloads: "udp contains "dartmouth"" or "frame contains "dartmouth"" (only the inner quotes are part of what you type into the filter box!). "matches" or "~" is even better, as it takes regular-expression patterns to match, not just substrings.

Wireshark's "Help > Manual pages > Wireshark Filter" will open a manual for this filtering language in your browser.

As soon as you clear a filter expression, you get all the packets you captured (or are still capturing) displayed back again. Remember, this is only a display filter.

2. a) Start a Wireshark capture and browse to twitter.com .
Use display filtering to reduce the displayed packets to only those sent and received by your computer. How many sites are you actually interacting with when you interact with Twitter? What are they?

b) If you use Chrome, Firefox, or Safari, your browser occasionally connects to a google.com site that you did not direct it to and tries to download something. It typically does so when you launch the browser process. Observe it do so, capture the attempts, and find out what it is. If you have an objection to using all of these browsers, talk to me.

============[ Capture filters ]============

The other kind of filter is the _capture filter_. It can be entered in the dialog of "Capture options" (Capture > Capture options, or the black round icon on the toolbar). A capture filter limits the packets that Wireshark receives from the kernel: filter expressions are compiled down to bytecode blobs, these blobs are passed to the kernel, and the kernel uses them to filter the packets it passes up to Wireshark. This is the same language that tcpdump uses; it is described in the tcpdump manpage ("man tcpdump", skip to EXAMPLES).

Useful capture filters:

"host 129.170.17.4" -- capture only packets to or from 129.170.17.4
"icmp" -- capture only ICMP packets
"arp" -- capture only ARP packets
"icmp or arp" -- capture ICMP packets or ARP packets
"not arp" -- capture all packets but ARP
"port 22" -- capture only packets from or to port 22 (TCP or UDP)
"not port 22" -- capture all packets but those from or to port 22 (TCP or UDP)
"ip[9] == 0x6" -- capture all IP packets that have 0x06 at byte offset 9 of their IP header (offsets count from 0; this is the same as "tcp", incidentally, because TCP's protocol number is 6)
"ether[12:2] == 0x0806" -- capture only those Ethernet frames that have 0x0806 at byte offset 12, i.e. as their 13th & 14th bytes (the two-byte word). This is the same as "arp", because 0x0806 is the protocol number of ARP in the Ethernet header.

See EXAMPLES in "man tcpdump" for more.

3.
a) Write and test capture filters that capture only your machine's ARP requests. How often are they sent (i.e., how many ARP packets does your machine send per minute, on average)? This, of course, depends on your OS and network usage pattern.

b) Write and test capture filters that capture only ARP requests sent to your computer. Who sends them, and how often?
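As an added worked example (not part of the original handout), the Python below shows what the byte-offset capture filters in the list above actually test by reimplementing "arp"/"ether[12:2] == 0x0806", "tcp"/"ip[9] == 0x6" and "port N" as checks on constructed Ethernet frames, plus the "arp.opcode" display-filter field and the average ARP requests per minute asked for in exercise 3a. All MAC and IP addresses in it are made up.

```python
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
SRC_MAC = bytes.fromhex("020000000001")                  # constructed, not a real host

def eth_frame(dst_mac, ethertype, payload):
    """Ethernet II: dst(6) src(6) type(2), so the type field is ether[12:2]."""
    return dst_mac + SRC_MAC + struct.pack("!H", ethertype) + payload

def arp_request(target_ip):
    """Broadcast ARP request (opcode 1) asking who has target_ip."""
    hdr = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)      # hw, proto, hlen, plen, opcode
    body = SRC_MAC + bytes([10, 0, 0, 1]) + b"\x00" * 6 + bytes(target_ip)
    return eth_frame(b"\xff" * 6, ETH_P_ARP, hdr + body)

def tcp_segment(sport, dport):
    """IPv4 packet (protocol 6 at ip[9]) carrying a TCP SYN with the given ports."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth_frame(bytes.fromhex("020000000002"), ETH_P_IP, ip + tcp)

def ether_type(frame):
    return struct.unpack("!H", frame[12:14])[0]

def cf_arp(frame):
    """Capture filter "arp", i.e. "ether[12:2] == 0x0806"."""
    return ether_type(frame) == ETH_P_ARP

def cf_tcp(frame):
    """Capture filter "tcp", i.e. "ip[9] == 0x6"; ip[] offsets start at the IP header."""
    return ether_type(frame) == ETH_P_IP and frame[14 + 9] == 0x6

def cf_port(frame, port):
    """Capture filter "port N": TCP or UDP, source or destination port."""
    if not (ether_type(frame) == ETH_P_IP and frame[14 + 9] in (6, 17)):
        return False
    l4 = 14 + (frame[14] & 0x0F) * 4                      # skip IHL*4 bytes of IP header
    return port in struct.unpack("!HH", frame[l4:l4 + 4])

def df_arp_opcode(frame):
    """Display-filter field "arp.opcode" (None when the frame is not ARP)."""
    return struct.unpack("!H", frame[20:22])[0] if cf_arp(frame) else None

def arp_requests_per_minute(capture):
    """Exercise 3a: from (seconds, frame) pairs, average ARP requests per minute."""
    n = sum(1 for _, f in capture if df_arp_opcode(f) == 1)
    span = max(t for t, _ in capture) - min(t for t, _ in capture)
    return n * 60.0 / span if span > 0 else float(n)
```

Compare the offsets used here with the hex pane of a real capture: the Ethernet type is always at bytes 12-13, but "ip[9]" and the port fields move with the IP header length, which is why the "port" check reads the IHL nibble first.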