Lab 1 (Wireshark 1.8.2)
Wireshark Configuration

Intro

(Read this page at home or in class if time permits.)

Wireshark is an open source project resulting from the combined efforts of hundreds of programmers over a
period of more than 10 years. Software, manuals and FAQs can all be downloaded for free.

Unfortunately, the manuals and FAQs haven't always kept up with the latest changes to the interface.
Furthermore, as new methods for accomplishing certain tasks have been added, support for the older
methods still remains. This combination of outdated documentation and inconsistent functionality can make
it difficult to master the operation of Wireshark.

For example, Wireshark uses two different filtering languages - the syntax for writing capture filters differs
from the syntax for writing display filters. Some syntax rules are supported by both filter types, while other
syntax rules are unique to one filter or the other.

The Wireshark interface can be confusing in that while there are only a few configuration dialog boxes that
the average user needs to be concerned with, there are multiple entry points for each of these boxes. In
other words, dialog boxes can often be accessed by more than one toolbar button and by multiple menu
selections. (Menu selections which have corresponding toolbuttons display the toolbutton icon to the left of
the menu entry.)

Wireshark is not always clear on the distinction between global and local scope for some settings. Changing
a setting in one dialog box will usually, but not always, change the same setting in other dialog boxes.

Changes to a setting do not always stick. Sometimes, a setting will only stick if a capture is started
immediately after changing the setting AND the capture actually captures at least one packet. If the capture is
stopped before the first packet is captured, then the setting may revert to its previous state.

Also, changes made by clicking only the "Apply" button are in effect only for the current instance of
Wireshark. When Wireshark is restarted, the settings revert to their original values. To make a
change permanent, the "Save" button must also be clicked, and the dialog box must be closed by
clicking "OK" and not the titlebar's "X" close button.

In general, one should concentrate on the following sections in the Wireshark User Guide (v1.9):

    Chapters 3.16 - 3.21; 4.1 - 4.6, 4.13 - 4.14; 6; 7.1 - 7.2, 7.4, 7.7

Screen shots and descriptions of suggested settings for dialog boxes which the average user needs to be
concerned with are given on the following pages. In general, match the preference settings for your
installation of Wireshark with those shown in the following screen shots.


 Note: Wireshark can be used to display capture files saved by other packet sniffers, not just those
 generated by Wireshark itself.




Lab 1 (Wireshark 1.8.2) - Wireshark Configuration                                                   1/15 Gnall
Settings

Perform all of the settings in this lab without a live capture running.

Settings can be modified and applied to the Wireshark interface whether a live capture is running or not.
Also, a live capture can be started while the Preferences dialog box is still open.

If changes are made from the menu, the toolbar or the Preferences dialog box while a live capture is running,
then the changes will usually be immediately visible in the display window. However, if Wireshark is busy
processing too many packets, it may hang when trying to update its display in response to a change in the
display settings.




General Settings

(Note: letting the mouse hover over most options will cause a tooltip to appear.)

Edit Menu…Preferences…User Interface




Save window position                   - CHECK

Ask for unsaved capture files          - UNCHECK

   If this is checked, then when closing a live capture which has been stopped, Wireshark will ask if the
   captured data should be saved to a file. Since we won't be saving data, leave this unchecked.

Settings dialogs show a save button    - CHECK

   If a Wireshark Preference setting is changed, followed by a click of the Apply button, then the new
   setting will revert to its original value when Wireshark is restarted. To preserve the changed
   settings from run to run, the Save button must be clicked after making any changes.

Apply… (the "Save" button will appear) … Save… OK

   Changes made by clicking the "Apply" button will only be in effect for the current instance of
   Wireshark. When Wireshark is restarted, the settings will revert to their original value. To make a
   change permanent, the "Save" button must also be clicked. Also, be sure to close a dialog box by
   clicking "OK" and not the titlebar's "X" close button.



Packet List Time Column (chapters 3.7, 6.11, 7.4)

Edit Menu…Preferences…User Interface…Columns…Time




If Time (format as specified) is selected in the Format drop down box, then the time format can be set via
the menu bar, as shown in the screenshot on the next page:




View Menu…Time Display Format…



I recommend choosing "Time of Day", which will display the system time. This will facilitate correlating
network events with the packets as they appear in Wireshark.

I usually set the precision level to whole seconds, as Windows tool tray clocks do not display fractional
seconds. However, occasionally the Deciseconds level will be useful for some labs, such as timing short
DHCP leases.




Packet List Source and Destination Columns and Name Resolution

Which information appears in the Source and Destination columns in the Packet List pane and how that
information is formatted is determined by two separate preference settings:

1) Edit Menu…Preferences…User Interface…Columns…Source/Destination




Set the Source      column to display: Src addr (resolved)

Set the Destination column to display: Dest addr (resolved)

2) Edit Menu…Preferences…Name Resolution   OR   View…Name Resolution…
   Uncheck "Enable network name resolution"
   Uncheck "Enable concurrent DNS name resolution"




(32-bit Wireshark and 64-bit Wireshark have different versions of this dialog box.)

Both of these settings provide some control over whether MAC, IP and Port numbers will be resolved or not.
However, it is difficult to understand how these two settings work together to ultimately determine whether
an address is resolved or not. (For more information, see the Wireshark Lab 3 - Address Resolution in Detail)




Name Resolution Settings Explained

(Read this page at home or in class if time permits.)

Enable MAC name resolution                  - CHECKED

    If checked, Wireshark will employ up to three different techniques to try to resolve a MAC address into a
    more human-readable form. It will start with the first method listed below, then continue on to the
    second and then the third if necessary.

        1. ARP: Convert the MAC address into an IP address

        2. Ethers File: If ARP fails, employ a user-created file to convert the MAC address into a machine
           name.

        3. Manuf File: If ARP and Ethers fail, use a file to convert the first three bytes of the MAC address
           into the IEEE-assigned manufacturer code.
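The three-step fallback just described, implemented as an added worked example (this is not the lab's or Wireshark's own code). The ARP table, ethers file and manuf file contents are constructed sample data; the `Vendor_xx:xx:xx` display form for a manuf-only match imitates the way Wireshark labels such addresses and is an assumption about presentation, not taken from the lab.

```python
"""Added example: resolve a MAC address the way the lab describes --
1. ARP (MAC -> IP), 2. ethers file (MAC -> name), 3. manuf file
(first three bytes -> vendor). Sample tables below are constructed."""

# Constructed stand-in for step 1 (ARP): MAC -> IP address.
ARP_TABLE = {
    "00:0c:29:12:34:56": "192.168.1.10",
}

# Constructed ethers file (step 2): "MAC<whitespace>name" per line,
# '#' starts a comment, as in a real ethers file.
ETHERS_FILE = """\
# lab ethers file (constructed sample)
00:50:56:c0:00:08   vmnet8-host
08:00:27:aa:bb:cc   vbox-guest
"""

# Constructed manuf file (step 3): "OUI<TAB>short name<TAB>long name",
# the layout Wireshark's manuf file uses.
MANUF_FILE = """\
# lab manuf file (constructed sample)
00:0C:29\tVmware\tVMware, Inc.
00:50:56\tVmware\tVMware, Inc.
08:00:27\tPcsCompu\tPCS Computer Systems GmbH
"""


def normalise(mac):
    """Lower-case, colon-separated form so lookups are case-insensitive."""
    return mac.strip().lower().replace("-", ":")


def _data_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ethers(text):
    """ethers file -> {mac: name}."""
    table = {}
    for line in _data_lines(text):
        mac, name = line.split(None, 1)
        table[normalise(mac)] = name.strip()
    return table


def parse_manuf(text):
    """manuf file -> {oui prefix: short vendor name}."""
    table = {}
    for line in _data_lines(text):
        fields = line.split("\t")
        table[normalise(fields[0])] = fields[1].strip()
    return table


def resolve_mac(mac, arp_table, ethers, manuf):
    """Apply the three methods in order. Returns (display string, method),
    where method is "arp", "ethers", "manuf", or None if nothing matched
    and the raw MAC is shown unchanged."""
    mac = normalise(mac)
    if mac in arp_table:            # 1. ARP: MAC -> IP address
        return arp_table[mac], "arp"
    if mac in ethers:               # 2. ethers file: MAC -> machine name
        return ethers[mac], "ethers"
    oui = mac[:8]                   # 3. manuf: first 3 bytes -> vendor
    if oui in manuf:
        # Assumed Wireshark-style label: vendor short name + last 3 bytes.
        return "%s_%s" % (manuf[oui], mac[9:]), "manuf"
    return mac, None


def resolve_all(macs, arp_table=ARP_TABLE, ethers_text=ETHERS_FILE,
                manuf_text=MANUF_FILE):
    """Resolve each MAC in `macs`; keys are the MACs as given."""
    ethers = parse_ethers(ethers_text)
    manuf = parse_manuf(manuf_text)
    return {m: resolve_mac(m, arp_table, ethers, manuf) for m in macs}


if __name__ == "__main__":
    sample = ["00:0c:29:12:34:56", "00:50:56:C0:00:08",
              "08:00:27:11:22:33", "02:42:ac:11:00:02"]
    for mac, (shown, how) in resolve_all(sample).items():
        print("%-18s -> %-22s (%s)" % (mac, shown, how or "unresolved"))
```

Run it and the four sample addresses come out resolved by ARP, by the ethers file, by the manuf file, and unresolved respectively; the last case is what you see in the Source/Destination columns when none of the three sources knows the address.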


Enable network name resolution              - UNCHECKED

    If checked, Wireshark first consults the operating system's host file for a name, and then issues a DNS
    query. However, Wireshark may hang while waiting for a response from a DNS server, so this should be
    left unchecked.


Enable transport name resolution            - CHECKED

    If checked, Wireshark will try to resolve a port number into the corresponding protocol.


Enable concurrent DNS name resolution       - UNCHECKED

    Only has an effect if "Enable network name resolution" is checked.

    Wireshark will issue multiple DNS queries in parallel, rather than sequentially.



(Need to research Wireshark ADNS library.)




Font and Font Size

Edit Menu…Preferences…User Interface…Font




(Different fonts may be available on different operating systems.)

Verdana is an easier-to-read font than the default font, Lucida Console.

A smaller font size of 7 or 8 (default is 10) will allow a full line of capture data to fit more easily within the
Wireshark window.

Apply…Save…


Resizing Columns

The smaller font size set in the previous step will make it easier to squeeze more information into the width
of the Wireshark window.

For future reference, note that columns can be resized one-by-one by manually dragging the column
separators or by clicking the "Resize All Columns" toolbutton. This will minimize all of the column
widths at once.




Capture Settings

Edit Menu…Preferences…Capture (these options also appear in the Capture Options dialog box)




(The contents of this dialog box may be different on different operating systems.)




Capture packets in promiscuous mode - CHECKED

    Checking Promiscuous Mode will instruct the NIC to NOT filter out packets based on their destination
    MAC address. All packets hitting the NIC will be passed up the TCP/IP stack, and not just the packets
    targeting/leaving the NIC which Wireshark is monitoring.

Capture packets in pcap-ng format       - UNCHECKED

Update list of packets in real time     - CHECKED

    If unchecked, packets will not be displayed until the live capture has been stopped.

Automatic scrolling in live capture     - CHECKED INITIALLY

    If checked, old packets will scroll up in the Packet List pane, making room to display the most recently
    captured packets at the bottom of the pane. Check according to preference.
    This setting can also be toggled via the toolbar.

Hide capture info dialog                - CHECKED

    The Capture Info Dialog box is rarely used in class and is more annoying than useful, so it should be
    hidden. It displays packet statistics for the more common protocols:

        SCTP, TCP, UDP, ICMP, ARP, OSPF, GRE, NetBIOS, IPX, VINES, …




Capture Settings - Default Interface

Wireshark may detect more than one network interface in the operating system in which it is installed. If
more than one network interface is present, then the default interface from which Wireshark captures
packets is usually not the adapter which one is interested in.

If Wireshark detects more than one interface, then follow the directions in this section to set the default
interface from which to capture packets.

The set of network interfaces which VMware automatically installs in a VM varies from one version of VMware
to another. For instance, older versions of VMware installed a dialup adapter:

    Adapter for generic dialup and VPN capture: \Device\NPF_GenericDialupAdapter

Newer versions of VMware may install other interfaces.

As shown in the screenshot on the previous page, use the drop down box to set the VMware adapter as the
default interface:

    VMware Accelerated AMD PCNet Adapter (Microsoft's Packet Scheduler)

Hiding Interfaces

It is easy when using VMware to accidentally start a live capture with the wrong interface. The easiest way
to prevent this is to hide the interfaces which will never be used. This will prevent unwanted interfaces from
appearing in some dialog boxes, such as the Capture Interfaces or Capture Options dialog box.

Edit Menu…Preferences…Capture…Edit…




Select the unwanted interface.

Check "Hide interface?" (at the bottom of the window)

OK…Apply…Save…

NOTE: This option sometimes resets when Wireshark is shut down and restarted. So always be careful to
select the correct interface when starting a capture.




Hide the Packet Bytes Pane

The screenshot below shows a typical live capture.

Starting from the top, there are three display panes:

   Packet List
   Packet Details
   Packet Bytes

[Screenshot: a live capture with the three panes labelled List, Details and Bytes, top to bottom.]

The bottom-most Packet Bytes pane shown in the above screenshot will be of little use in this course and
can be hidden from view. Hiding the Packet Bytes Pane will allow more room for displaying the list of packets
and for displaying details about the contents of individual packets. Hide the Packet Bytes Pane to make
Wireshark look more like the screenshot below.

View Menu…Packet Bytes     UNCHECKED




Double-check Settings

Capture Menu…Interfaces…

If unwanted interfaces were successfully hidden, then you should see:




(The list of interfaces may be different on different operating systems.)


and not:




Other settings are reflected in Capture Menu…Options…
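Double-checking by eye in the dialog boxes is what the lab asks for; as an added example (not the lab's or Wireshark's own code), the script below does the same check against a saved Wireshark `preferences` file, reporting every recommended setting that is missing or differs. It assumes the `key: value` / `#`-comment layout Wireshark writes to that file, and the key names used below are taken from current Wireshark preferences files and assumed to be the same in 1.8.2. Note that only clicking "Save" writes this file; settings that were merely applied are invisible to it, which is the lab's point about Apply versus Save.

```python
"""Added example: compare a saved Wireshark preferences file against the
settings recommended in this lab. Key names are assumed (from current
Wireshark preferences files); the sample file contents are constructed."""

# Lab-recommended values keyed by (assumed) preference name. The
# "Hide capture info dialog" checkbox maps to capture.show_info: FALSE.
LAB_RECOMMENDED = {
    "gui.geometry.save.position": "TRUE",   # Save window position
    "gui.ask_unsaved": "FALSE",             # Ask for unsaved capture files
    "gui.use_pref_save": "TRUE",            # Settings dialogs show a save button
    "capture.prom_mode": "TRUE",            # Capture packets in promiscuous mode
    "capture.pcap_ng": "FALSE",             # Capture packets in pcap-ng format
    "capture.real_time_update": "TRUE",     # Update list of packets in real time
    "capture.auto_scroll": "TRUE",          # Automatic scrolling in live capture
    "capture.show_info": "FALSE",           # Hide capture info dialog
    "nameres.network_name": "FALSE",        # Enable network name resolution
    "nameres.concurrent_dns": "FALSE",      # Enable concurrent DNS name resolution
}

# Constructed sample of a preferences file in which three settings were
# left at values the lab does not recommend and one was never saved.
SAMPLE_PREFERENCES = """\
# Configuration file for Wireshark 1.8.2 (constructed sample).
#
# Save window position at exit?
# TRUE or FALSE (case-insensitive).
gui.geometry.save.position: TRUE

# Ask to save unsaved capture files?
gui.ask_unsaved: TRUE

# Settings dialogs show a save button?
gui.use_pref_save: TRUE

# Capture in promiscuous mode?
capture.prom_mode: TRUE

# Capture in Pcap-NG format?
capture.pcap_ng: FALSE

# Update packet list in real time during capture?
capture.real_time_update: TRUE

# Scroll packet list during capture?
capture.auto_scroll: TRUE

# Show capture info dialog while capturing?
capture.show_info: TRUE

# Resolve network (IP) addresses?
nameres.network_name: TRUE
"""


def parse_preferences(text):
    """preferences file text -> {key: value}. Comment and blank lines are
    skipped; the first ':' separates key from value, because some values
    (column formats, for example) contain colons themselves."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            prefs[key.strip()] = value.strip()
    return prefs


def check_preferences(text, recommended=LAB_RECOMMENDED):
    """Return [(key, expected, actual)] for every recommended setting that
    is absent (actual is None) or differs; comparison is case-insensitive
    because Wireshark accepts TRUE/true/True."""
    prefs = parse_preferences(text)
    mismatches = []
    for key, expected in recommended.items():
        actual = prefs.get(key)
        if actual is None or actual.upper() != expected.upper():
            mismatches.append((key, expected, actual))
    return mismatches


def report(text):
    """Human-readable summary, one line per mismatch."""
    lines = []
    for key, expected, actual in check_preferences(text):
        shown = actual if actual is not None else "<not saved>"
        lines.append("%-28s expected %-5s got %s" % (key, expected, shown))
    return "\n".join(lines) or "all recommended settings match"


if __name__ == "__main__":
    import sys
    # Pass the path of your own preferences file to check it; with no
    # argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_PREFERENCES))
```

Against the constructed sample the script flags `gui.ask_unsaved`, `capture.show_info` and `nameres.network_name` as set the wrong way and `nameres.concurrent_dns` as never saved. On your own installation, run it on the `preferences` file in your Wireshark profile directory after clicking "Save"; a setting you only applied will show up as "not saved".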




Main Toolbar - Most Frequently Used Buttons

[Screenshot: the main toolbar, with the following buttons called out.]

    List the Available Capture Interfaces…
    Show the Capture Options…
    Start a New Live Capture
    Stop the Running Live Capture
    Restart the Running Live Capture
    Close this Capture File
    Reload this Capture File
    Find a Packet…
    Go to the Packet with Number…
    Go to the First Packet
    Auto Scroll Packet List in Live Capture
    Resize All Columns
    Edit Capture Filter…
    Edit/apply Display Filter…
    Edit Preferences…
    Show some help…



[Toolbutton icons, each shown beside its name:]

    Capture Interfaces
    Capture Options
    Start a Live Capture
    Stop Running Live Capture
    Restart the Running Live Capture
    Close Capture File
    Reload Capture File
    Auto Scroll Packet List in Live Capture
    Resize All Columns
    Capture Filters
    Display Filters
    Preferences
With the exception of "Reload Capture File", all of the above toolbuttons have corresponding
menu entries.





				
Document info: posted 11/5/2012, 15 pages.