Wireshark Tutorial

Note: Wireshark and Ethereal are closely related. Check out www.wireshark.org and www.ethereal.com for more details.

01 - Go to www.wireshark.org --> Download. Select the Windows Installer file and save the file to your hard drive. Start the installation and go with all the default values. Make sure that the WinPcap option is included during the installation process.

02 - Open up a command prompt by Start --> Programs --> Accessories --> Command Prompt and type ipconfig /all. Write down your current IP address, your physical address (also called a MAC or Network address) and your Primary DNS Server.

03 - Start Wireshark and select Capture --> Interfaces. Select Details for the interface of interest, then select the 802.3 Ethernet tab. Verify the hardware address matches the one you wrote down in Step 2. Close this box.

04 - Select Options for the interface of interest. Clear out any messages which may appear in the Capture Filter dialog box. Prepare to switch between Wireshark and the Command Prompt window. Click Start in Wireshark, then type the following into the command prompt window.

ping 204.77.53.33

Wait for 4 responses and then click the Red Stop Sign icon in Wireshark.

05 - Wireshark will display 3 different sections after capturing packets.

  • Window#1 displays a one line summary of each packet captured
  • Window#2 gives more details about the packet selected in Window#1
  • Window#3 shows the contents of the packet in hexadecimal and ASCII

Window#1 sorts all packets based on capture time by default. Time 0.00 corresponds with the moment you clicked Start in Step 4. Click on the Source column header to sort all packets by source address, then click the Destination column header to sort all packets by destination address, then click the Protocol column header to sort all packets by protocol type. Clicking the Protocol header multiple times toggles the packets between alphabetical descending order and alphabetical ascending order.

06 - Find the section in Window#1 for all ICMP packets. These are the ping requests. Select the first ICMP packet. Resize Window#2 and Window#3 to display all information presented.

07 - In Window#2, click the "+" sign on Frame and write down the packet length. Ping packets usually are 74 bytes long. Window#3 is divided into 5 columns.

  • Column #1 is an index
  • Columns #2 & 3 are the packet displayed in hexadecimal
  • Columns #4 & 5 are the packet displayed in ASCII

Count the total number of entries in the hexadecimal columns and verify there are 74 entries. Click the "-" sign in Window#2 to collapse the Frame entry.

08 - Click the "+" sign by Ethernet II in Window#2. Note the first 14 bytes in Window#3 are highlighted.

  • The first 6 entries in Window#3 represent the destination MAC address
  • The second 6 entries represent the source MAC address
  • The 13th and 14th bytes identify the packet type

Verify the source MAC address matches the one in Step 2. Click the "-" sign in Window#2 to collapse the Ethernet II entry.

09 - Click the "+" sign for Internet Protocol in Window#2. Note that bytes 15 through 34 are highlighted in Window#3. For now, ignore bytes 15 through 26.

  • Bytes 27 through 30 represent the source IP address in hexadecimal
  • Bytes 31 through 34 represent the destination IP address in hexadecimal

In Window#2, select your IP address under Source and write down the bytes highlighted in Window#3. Open the Calculator tool (Start --> Programs --> Accessories --> Calculator) and select View --> Scientific.

  • Click Hex and enter the value of byte 27, then select Dec
  • Verify this is the first octet of your IP address. Click Clear.
  • Click Hex and enter the value of byte 28, then select Dec
  • Verify this is the second octet of your IP address. Click Clear.
  • Click Hex and enter the value of byte 29, then select Dec
  • Verify this is the third octet of your IP address. Click Clear.
  • Click Hex and enter the value of byte 30, then select Dec
  • Verify this is the fourth octet of your IP address. Click Clear.

Click on the "-" sign in Window#2 to collapse the Internet Protocol section.

10 - Click the "+" sign for ICMP in Window#2. Bytes 35 through 74 should be highlighted in Window#3. For now, ignore bytes 35 through 42. Bytes 43 through 74 represent the payload or actual data of the packet. Using the chart found at www.asciitable.com, verify the hexadecimal values in the second and third columns correspond to the ASCII values in the fourth and fifth columns. Click the "-" sign to collapse the ICMP section.
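The byte-by-byte reading of Steps 7 through 10 (Ethernet II, Internet Protocol and ICMP, using the tutorial's 1-based byte numbers) can be checked in code. This is an added example, not part of the original tutorial: it builds a constructed 74-byte echo request with made-up MAC and IP addresses and then decodes the same fields you read by hand in Window#3, including the hex-to-decimal conversion of bytes 27 through 34 that Step 9 does with the Calculator.

```python
import struct

# Constructed 74-byte ICMP echo request, the shape of the ping packets in
# Steps 6-10: 14 B Ethernet II + 20 B IPv4 + 8 B ICMP header + 32 B payload.
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte Windows ping payload


def build_ping_frame(src_mac, dst_mac, src_ip, dst_ip, seq=1):
    """Assemble a sample echo request; all addresses are made up, not captured."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))

    def ip4(a):
        return bytes(int(o) for o in a.split("."))

    ethernet = mac(dst_mac) + mac(src_mac) + b"\x08\x00"           # type 0x0800 = IPv4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + PING_PAYLOAD    # type 8 = echo request
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0,
                       128, 1, 0, ip4(src_ip), ip4(dst_ip))          # protocol 1 = ICMP
    return ethernet + ipv4 + icmp


def hex_bytes(frame, first, last):
    """Bytes `first`..`last` in the tutorial's 1-based numbering, as Window#3 hex."""
    return [f"{b:02x}" for b in frame[first - 1:last]]


def parse_ping_frame(frame):
    """Decode the fields the tutorial has you read by hand in Window#3."""
    # Byte 15 is IPv4 version/IHL; the fixed offsets below assume a 20-byte header.
    if len(frame) < 42 or (frame[14] & 0x0F) != 5:
        raise ValueError("expected a plain IPv4 header with no options")

    def fmt_mac(raw):
        return ":".join(f"{b:02x}" for b in raw)

    def fmt_ip(first, last):  # Step 9: each hex byte becomes one decimal octet
        return ".".join(str(int(h, 16)) for h in hex_bytes(frame, first, last))

    return {
        "dst_mac": fmt_mac(frame[0:6]),                      # bytes 1-6
        "src_mac": fmt_mac(frame[6:12]),                     # bytes 7-12
        "ethertype": struct.unpack("!H", frame[12:14])[0],   # bytes 13-14
        "src_ip": fmt_ip(27, 30),                            # bytes 27-30
        "dst_ip": fmt_ip(31, 34),                            # bytes 31-34
        "icmp_type": frame[34],                              # byte 35
        "payload": frame[42:],                               # bytes 43-74
    }


if __name__ == "__main__":
    f = build_ping_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "192.168.1.5", "204.77.53.33")
    print(len(f), hex_bytes(f, 27, 34), parse_ping_frame(f))
```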

11 - Select File --> Close --> Continue without Saving, then Capture --> Interface --> Options. Click Capture Filter --> New. Enter:

  • Filter Name: icmp only
  • Filter String: icmp

Click OK. This procedure will filter out “unwanted” packets and only display ICMP packets.

12 - Click Start in Wireshark, then ping 204.77.53.33 at the command prompt. After 4 ping responses, click Stop. See wiki.wireshark.org/CaptureFilters for more details on Filter Options.

13 - Select File --> Close --> Continue without saving, then Capture --> Interface --> Options. Click Capture Filter --> New. Enter:

  • Filter Name: dns only
  • Filter String: port 53

Click OK. In the command prompt, type ipconfig /flushdns then Start Wireshark. In the command prompt window, type ping www.saintpaul.edu, wait for 4 responses, then Stop Wireshark. You should have only captured two packets, a DNS query and a DNS query response.

14 - Verify the destination matches the IP address of your Primary DNS Server found in Step 3. Highlight the first packet in Window#1 and then select Domain Name System --> Query in Window#2. Verify that www.saintpaul.edu was sent and that it was a Type A DNS record. Highlight the second packet in Window#1 and then select Domain Name System --> Answers in Window#2. Verify that the IP address 204.77.53.33 was returned.

15 - Select File --> Close --> Continue without saving, then Capture --> Interface --> Options. Click Capture Filter --> HTTP TCP Port 80 --> OK. This procedure will only capture HTTP and TCP traffic.

16 - Open Firefox and select Tools --> Options --> Clear Now --> OK. Start capturing in Wireshark, then in Firefox, type in www.dnpconsulting.com/spc.htm. Click Stop in Wireshark after the page finishes loading. Both HTTP and TCP traffic were captured.

17 - Further filter the results by selecting Analyze --> Display Filters --> HTTP --> OK. Sort the packets by Source. Click on the Reply in Window#1 that ends with (GIF89a). In Window#2, write down the total size in Reassembled TCP Segments. Click the "+" sign and count the number of frames. Each frame contains 1380 bytes of information in the payload, except for the last frame. Add up the total number of bytes in each frame and verify it matches the total size you just wrote down.

18 - Write down the first three frame number packets listed. Click Clear just to the right of the Filter Expression button in Wireshark and sort all packets by Time.

  • Select the first frame you wrote down in Window#1.
  • In Window#2, write down the Sequence number and the Next Sequence Number.
  • Select the second frame you wrote down in Window#1.
  • In Window#2, write down the Sequence number and the Next Sequence Number.
  • Select the third frame you wrote down in Window#1.
  • In Window#2, write down the Sequence number and the Next Sequence Number.

The sequence numbers are used to reassemble the gif file in the proper order when received by the client. The confirmation that the packet was reassembled correctly (the HTTP request with the total size of the Reassembled TCP Segments) comes after all the segments.
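The reassembly described in Steps 17 and 18 can be worked through in code. This is an added example, not part of the original tutorial: it splits a constructed stand-in for the GIF body into 1380-byte segments, computes the Next Sequence Number the way Window#2 shows it (Sequence number plus payload length), puts the segments back in sequence order even when they are listed out of order, and refuses to reassemble when a segment is missing.

```python
import random

MSS = 1380  # payload size of every full segment in the Step 17 capture


def segment(data, start_seq, mss=MSS):
    """Split `data` into (seq, payload) segments the way the server's TCP stack would."""
    return [(start_seq + off, data[off:off + mss]) for off in range(0, len(data), mss)]


def next_seq(seq, payload):
    """The 'Next Sequence Number' shown in Window#2: sequence number + payload length."""
    return seq + len(payload)


def reassemble(segments, start_seq):
    """Put segments back in order by sequence number; refuse gaps or overlaps.

    Returns the reassembled bytes and the sequence number the next segment
    would carry, so the caller can check the total against Wireshark's
    'Reassembled TCP Segments' size.
    """
    ordered = sorted(segments, key=lambda s: s[0])
    expected = start_seq
    out = bytearray()
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"gap or overlap: expected seq {expected}, got {seq}")
        out += payload
        expected = next_seq(seq, payload)
    return bytes(out), expected


if __name__ == "__main__":
    body = b"GIF89a" + bytes(range(256)) * 20  # constructed stand-in for the image body
    segs = segment(body, start_seq=1)
    random.shuffle(segs)  # order in Window#1 after sorting by Source need not be seq order
    data, final_seq = reassemble(segs, start_seq=1)
    print(len(data) == len(body), final_seq, [len(p) for _, p in sorted(segs)])
```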
