Wireshark 1.2 tutorial: Open source network analyzer's new features

Wireshark, the open source network analyzer, is useful for network solution providers or consultants who troubleshoot business networks. Find out about new features of Wireshark 1.2 in this tutorial.

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.

To try Wireshark 1.2, I uninstalled Wireshark 1.0.8. I had no trouble replacing 1.0.8 with 1.2, and I allowed the installer to replace my old version of WinPcap with the newer WinPcap 4.1beta5 bundled with Wireshark 1.2.

I decided to try running Wireshark as a user with no administrative privileges. I relied on manually starting the WinPcap driver called "NPF" in order to give Wireshark the privileges required to sniff traffic on my laptop's wireless NIC. To start NPF manually, I ran the following:

C:\>runas /u:administrator "net start npf"
Enter the password for administrator:
Attempting to start net start npf as user "NEELY\administrator" ...

C:\>sc query npf

    STATE     : 4 RUNNING
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

The "net start npf" command is sufficient to launch Wireshark with sniffing capabilities. I ran the "sc query npf" to show details on the NPF driver.

Now I was ready to start Wireshark, which I did using the desktop icon added during installation. I was surprised to see the following screen.

Figure 1. Wireshark Start Screen

Rather than present the user with simply a menu and three blank panes, Wireshark now provides a Web-like interface to the program.

Once you start capturing packets, it is very useful to be able to see a single packet in its own window. One way to access this feature is to highlight any packet in the Wireshark display, right click, and select "Show Packet In New Window." The following figure demonstrates what that looks like.

Figure 2. Single Packet Window

One advantage of this feature is the ability to open several such independent windows simultaneously, allowing the analyst to visually compare two or more packets directly.

Wireshark users are very familiar with the Follow TCP Stream feature that selects TCP segments associated with a particular conversation. Recent versions of Wireshark offer similar functionality for non-TCP protocols. For example, users can now Follow UDP Streams as shown below for DNS traffic.

Figure 3. Follow UDP Stream

Users may notice a "Follow SSL Stream" option in the Analyze menu. This is only possible if you have the right keys. For a short discussion please see my blog post from last year, "Wireshark Display Filters and SSL."

One of the most interesting, but probably underdeveloped, areas of Wireshark is its Protocol Hierarchy Statistics (PHS) feature, found in the Statistics menu.

Figure 4. Wireshark Protocol Hierarchy Statistics

Wireshark's PHS provides a detailed analysis of protocols that Wireshark recognizes, breaking them down as far as one might expect. However, the display is static. Users cannot click on any part of it to select packets or conversations of interest. There is no way to know more about the findings or even to export them for use in another program. One might think it could be possible to run Tshark, the command line version of Wireshark, to obtain the same information. It turns out that Tshark presents a different yet similar view of the same traffic.

C:\Program Files\Wireshark>tshark -r "c:\Documents and Settings\richard\My Documents\test1.pcap" -n -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame     frames:6353 bytes:4530917
  eth     frames:6353 bytes:4530917
    ip     frames:6290 bytes:4528163
      tcp     frames:6185 bytes:4511803
        http     frames:290 bytes:236440
          image-gif     frames:33 bytes:17884
          image-jfif     frames:1 bytes:1485
          png     frames:8 bytes:5477
          data-text-lines     frames:19 bytes:12153
          media     frames:12 bytes:11679
          ocsp     frames:5 bytes:4751
        tcp.segments     frames:252 bytes:202662
          http     frames:136 bytes:107865
            data-text-lines     frames:75 bytes:64660
            image-gif     frames:9 bytes:5881
            media     frames:17 bytes:12117
            image-jfif     frames:27 bytes:17138
            ocsp     frames:1 bytes:402
            png     frames:6 bytes:7068
            xml     frames:1 bytes:599
          ssl     frames:116 bytes:94797
            ssl     frames:64 bytes:83615
        stun2     frames:8 bytes:744
          data     frames:4 bytes:504
          malformed     frames:4 bytes:240
        nbss     frames:68 bytes:11395
          smb     frames:68 bytes:11395
            pipe     frames:10 bytes:1689
              lanman     frames:10 bytes:1689
        ssl     frames:920 bytes:1044049
      udp     frames:105 bytes:16360
        tivoconnect     frames:27 bytes:5319
        dns     frames:68 bytes:9181
        nbdgm     frames:6 bytes:1468
          smb     frames:6 bytes:1468
            mailslot     frames:6 bytes:1468
              browser     frames:6 bytes:1468
        nbns     frames:4 bytes:392
    arp     frames:63 bytes:2754
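The export gap described above can be closed from the Tshark side. The following Python is an added example, not code from the article or from the Wireshark project: it parses the indented text that `tshark -q -z io,phs` prints into rows that carry each protocol's full path, so the figures can be loaded into a spreadsheet or another program, and it checks that no child ever reports more frames or bytes than its parent. The sample input is constructed from a subset of the figures in the output above.

```python
import re

# Constructed sample of `tshark -q -z io,phs` output built from a subset of
# the article's figures; the two-space indentation is what tshark emits.
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:6353 bytes:4530917
  eth                                    frames:6353 bytes:4530917
    ip                                   frames:6290 bytes:4528163
      tcp                                frames:6185 bytes:4511803
        http                             frames:290 bytes:236440
          image-gif                      frames:33 bytes:17884
      udp                                frames:105 bytes:16360
        dns                              frames:68 bytes:9181
    arp                                  frames:63 bytes:2754
===================================================================
"""

LINE_RE = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)\s*$")


def parse_phs(text):
    """Return rows {'path', 'frames', 'bytes'}; 'path' is the ancestry
    (e.g. 'frame/eth/ip/tcp') rebuilt from the indentation with a stack."""
    rows, stack = [], []                      # stack: (indent_width, name)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                             # header, filter, separators, blanks
            continue
        indent, name = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:   # leave sibling/deeper levels
            stack.pop()
        stack.append((indent, name))
        rows.append({"path": "/".join(n for _, n in stack),
                     "frames": int(m.group(3)), "bytes": int(m.group(4))})
    return rows


def check_tree(rows):
    """Return paths whose frames or bytes exceed the parent's; empty if sane."""
    by_path = {r["path"]: r for r in rows}
    bad = []
    for r in rows:
        parent = r["path"].rpartition("/")[0]
        if parent and (r["frames"] > by_path[parent]["frames"]
                       or r["bytes"] > by_path[parent]["bytes"]):
            bad.append(r["path"])
    return bad
```

Each row's `path` plus its two counters is already a CSV line, so writing the rows out with the `csv` module is the only step left before the data can be compared across traces.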

Wireshark offers a Conversations feature under the Statistics menu as another way to learn more about a trace from the "bigger picture" perspective. Wireshark will provide summaries for the traffic at whatever level it can recognize. For example, the following screenshot shows that Wireshark has detected Ethernet, IPv4, TCP and UDP traffic in the loaded trace. I'm showing the Ethernet conversations, ordered by the Rel Start column.

Figure 5. Wireshark Conversations Showing Ethernet

Looking at the TCP Conversations list, you can see a variety of Web traffic.

Figure 6. Wireshark Conversations Showing TCP

Compared with a session-only program like Argus, Wireshark's session summarization is somewhat limited. TCP flags are not displayed. No state of the connection is listed. The time is depicted as "Rel Start" instead of a real date and time stamp.

It's important to remember that most people use Wireshark to focus on the details of specific packets. In this respect, Wireshark is incredibly powerful, with an amazing number of protocol dissectors ready to tear through almost any protocol found on today's networks. As the product continues to mature, I expect to see more attention paid to larger issues, such as the nature of a trace or even the network from which it was collected.

For more information on Wireshark features, I recommend reading the Wireshark online users guide and Wireshark Wiki.

About the author:
Richard Bejtlich is the director of incident response for General Electric. Richard is also the founder of TaoSecurity, author of several books on network security monitoring (including Extrusion Detection: Security Monitoring for Internal Intrusions), and operator of the TaoSecurity blog.
