Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution
providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.
To try Wireshark 1.2, I uninstalled Wireshark 1.0.8. I had no trouble replacing 1.0.8 with 1.2, and I allowed the installer to replace my old version of WinPcap with the newer WinPcap 4.1beta5 bundled with Wireshark 1.2.
I decided to try running Wireshark as a user with no administrative privileges. I relied on manually starting the WinPcap driver called "NPF" in order to give Wireshark the privileges required to sniff traffic on my laptop's wireless NIC. To start NPF manually, I ran the following:
C:\>runas /u:administrator "net start npf"
Enter the password for administrator:
Attempting to start net start npf as user "NEELY\administrator" ...
C:\>sc query npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
The "net start npf" command is sufficient to launch Wireshark with sniffing capabilities. I ran the "sc query npf" to show details on the NPF driver.
Now I was ready to start Wireshark, which I did using the desktop icon added during installation. I was surprised to see the following screen.
Rather than present the user with simply a menu and three blank panes, Wireshark now provides a Web-like interface to the program.
Once you start capturing packets, it is very useful to be able to see a single packet in its own window. One way to access this feature is to highlight any packet in the Wireshark display, right click, and select "Show Packet In New Window." The following figure demonstrates what that looks like.
One advantage of this feature is the ability to open several such independent windows simultaneously, allowing the analyst to visually compare two or more packets directly.
Wireshark users are very familiar with the Follow TCP Stream feature that selects TCP segments associated with a particular conversation. Recent versions of Wireshark offer similar functionality for non-TCP protocols. For example, users can now Follow UDP Streams as shown below for DNS traffic.
Users may notice a "Follow SSL Stream" option in the Analyze menu. This is only possible if you have the right keys. For a short discussion please see my blog post from last year, "Wireshark Display Filters and SSL."
One of the most interesting, but probably underdeveloped, areas of Wireshark is its Protocol Hierarchy Statistics (PHS) feature, found in the Statistics menu.
Wireshark's PHS provides a detailed analysis of protocols that Wireshark recognizes, breaking them down as far as one might expect. However, the display is static. Users cannot click on any part of it to select packets or conversations of interest. There is no way to know more about the findings or even to export them for use in another program. One might think it could be possible to run Tshark, the command line version of Wireshark, to obtain the same information. It turns out that Tshark presents a different yet similar view of the same traffic.
C:\Program Files\Wireshark>tshark -r "c:\Documents and Settings\richard\My Documents\test1.pcap" -n -q -z io,phs
=================================================================== Protocol Hierarchy Statistics
frame frames:6353 bytes:4530917
eth frames:6353 bytes:4530917
ip frames:6290 bytes:4528163
tcp frames:6185 bytes:4511803
http frames:290 bytes:236440
image-gif frames:33 bytes:17884
image-jfif frames:1 bytes:1485
png frames:8 bytes:5477
data-text-lines frames:19 bytes:12153
media frames:12 bytes:11679
ocsp frames:5 bytes:4751
tcp.segments frames:252 bytes:202662
http frames:136 bytes:107865
data-text-lines frames:75 bytes:64660
image-gif frames:9 bytes:5881
media frames:17 bytes:12117
image-jfif frames:27 bytes:17138
ocsp frames:1 bytes:402
png frames:6 bytes:7068
xml frames:1 bytes:599
ssl frames:116 bytes:94797
ssl frames:64 bytes:83615
stun2 frames:8 bytes:744
data frames:4 bytes:504
malformed frames:4 bytes:240
nbss frames:68 bytes:11395
smb frames:68 bytes:11395
pipe frames:10 bytes:1689
lanman frames:10 bytes:1689
ssl frames:920 bytes:1044049
udp frames:105 bytes:16360
tivoconnect frames:27 bytes:5319
dns frames:68 bytes:9181
nbdgm frames:6 bytes:1468
smb frames:6 bytes:1468
mailslot frames:6 bytes:1468
browser frames:6 bytes:1468
nbns frames:4 bytes:392
arp frames:63 bytes:2754
Wireshark offers a Conversations feature under the Statistics menu as another way to learn more about a trace from the "bigger picture" perspective. Wireshark will provide summaries for the traffic at whatever level it can recognize. For example, the following screenshot shows that Wireshark has detected Ethernet, IPv4, TCP and UDP traffic in the loaded trace. I'm showing the Ethernet conversations, ordered by the Rel Start column.
Looking at the TCP Conversations list, you can see a variety of Web traffic.
Compared with a session-only program like Argus, Wireshark's session summarization is somewhat limited. TCP flags are not displayed. No state of the connection is listed. The time is depicted as "Rel Start" instead of a real date and time stamp.
It's important to remember that most people use Wireshark to focus on the details of specific packets. In this respect, Wireshark is incredibly powerful, with an amazing number of protocol dissectors ready to tear through almost any protocol found on today's networks. As the product continues to mature, I expect to see more attention paid to larger issues, such as the nature of a trace or even the network from which it was collected.
About the author:
Richard Bejtlich is the director of incident response for General Electric. Richard is also the founder of TaoSecurity, author of several books on network security monitoring (including Extrusion Detection: Security Monitoring for Internal Intrusions), and operator of the TaoSecurity blog.