10 Cool Things You Should Know How To Do with Wireshark
Skills to Master

1. Perform Local/Remote Capture Like a Pro
   – Locate most active interface
   – Test your interfaces (see video at wiresharkbook.com)
   – Use rpcapd.exe for remote capture
2. WLAN Graphing (Get a Wi-Spy Adapter now… Just do it!)
   – Graphing 802.11 retries (wlan.fc.retry == 1)
3. VoIP Playback
   – Look for jitter, packet loss and errors

SHARKFEST '09 | Stanford University | June 15–18, 2009
Skills to Master

4. Create Sexy Hot Profiles
   – Free profiles online at wiresharkbook.com
   – Video on copying in profile info at wiresharkbook.com
5. Recognize Malicious Traffic Patterns
   – Have a baseline ready
   – Know scanning/discovery signs
   – Colorize questionable traffic
6. Analyze an Application
   – What is the process?
Skills to Master

9. Add Columns Fast!
   – Available with version 1.4.0rc1
   – Right click on any field and select Apply as Column
   – Right click column headings to align, rename and more (yes – you can left-align the No. column!)
Let's Go Play with Wireshark

• Profile Stuff
• Application Analysis Stuff
• Advanced IO Graphing Stuff
• Whatever else comes to mind…
Remote Capture
Graphing WLAN Retries

(wlan.fc.retry==1) && (wlan.sa==00:24:b2:1f:27:f9)
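To show what that display filter actually tests, here is an added example (not from the slides or from Wireshark's own code) that decodes the 802.11 frame-control Retry flag and resolves the source address the way wlan.sa is resolved (the ToDS/FromDS bits decide which address field carries the SA), then buckets matching frames per second, which is the series an IO Graph of the filter plots. The station MAC is the one on the slide; the AP address, timestamps and frames are constructed.

```python
"""Evaluate (wlan.fc.retry==1) && (wlan.sa==<mac>) over raw 802.11 MAC headers.

Frame-control layout (little-endian, first two bytes of the header):
  byte 0: protocol version (2 bits) | type (2 bits) | subtype (4 bits)
  byte 1: flags, with Retry = 0x08, ToDS = 0x01, FromDS = 0x02
Address fields follow the 2-byte duration: addr1 @4, addr2 @10, addr3 @16,
sequence control @22, addr4 @24 (only when ToDS and FromDS are both set).
"""
from collections import defaultdict

RETRY, TO_DS, FROM_DS = 0x08, 0x01, 0x02
TYPE_CONTROL = 1  # management = 0, control = 1, data = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_80211(frame: bytes) -> dict:
    """Return the Retry flag and the source address (what Wireshark calls wlan.sa)."""
    if len(frame) < 10:
        raise ValueError("truncated 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    flags = frame[1]
    retry = bool(flags & RETRY)
    if ftype == TYPE_CONTROL:
        # ACK/CTS/RTS carry receiver/transmitter addresses only; treat as no SA.
        return {"type": ftype, "retry": retry, "sa": None}
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    addr2, addr3 = frame[10:16], frame[16:22]
    if to_ds and from_ds:          # WDS/4-address frame: SA is addr4
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        sa = frame[24:30]
    elif from_ds:                  # AP -> station: SA is addr3
        sa = addr3
    else:                          # station -> AP, or ad hoc: SA is addr2
        sa = addr2
    return {"type": ftype, "retry": retry, "sa": mac_str(sa)}


def matches(frame: bytes, sa: str) -> bool:
    """The slide's filter: retry bit set AND source address equals sa."""
    info = parse_80211(frame)
    return info["retry"] and info["sa"] == sa.lower()


def retry_series(capture, sa: str, interval: float = 1.0) -> list:
    """Count filter matches per time bucket, like an IO Graph with that filter."""
    if not capture:
        return []
    buckets = [0] * (int(capture[-1][0] // interval) + 1)
    for ts, frame in capture:
        if matches(frame, sa):
            buckets[int(ts // interval)] += 1
    return buckets


def retry_stats(capture) -> dict:
    """Per source address: (frames seen, frames with Retry set)."""
    stats = defaultdict(lambda: (0, 0))
    for _, frame in capture:
        info = parse_80211(frame)
        if info["sa"] is None:
            continue
        total, retries = stats[info["sa"]]
        stats[info["sa"]] = (total + 1, retries + int(info["retry"]))
    return dict(stats)


def build_data_frame(sa, da, bssid, retry=False, to_ds=False, from_ds=False) -> bytes:
    """Constructed 3-address data frame header (type=2, subtype=0 -> FC byte 0 = 0x08)."""
    flags = (RETRY if retry else 0) | (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0)
    if to_ds:
        a1, a2, a3 = bssid, sa, da
    elif from_ds:
        a1, a2, a3 = da, bssid, sa
    else:
        a1, a2, a3 = da, sa, bssid
    return bytes([0x08, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"


STA_MAC = "00:24:b2:1f:27:f9"            # station address from the slide
AP_MAC = "00:11:22:33:44:55"             # constructed AP/BSSID address
STA, AP = mac_bytes(STA_MAC), mac_bytes(AP_MAC)
ACK_FROM_AP = bytes([0xD4, 0x00, 0, 0]) + STA   # control frame, subtype ACK

# Constructed capture: (timestamp, frame). Only the station's retries should count.
CAPTURE = [
    (0.1, build_data_frame(STA, AP, AP, to_ds=True)),
    (0.3, build_data_frame(STA, AP, AP, retry=True, to_ds=True)),
    (0.5, build_data_frame(AP, STA, AP, retry=True, from_ds=True)),  # AP retry: SA != station
    (1.2, build_data_frame(STA, AP, AP, retry=True, to_ds=True)),
    (1.4, build_data_frame(STA, AP, AP, retry=True, to_ds=True)),
    (2.1, ACK_FROM_AP),
    (2.6, build_data_frame(STA, AP, AP, to_ds=True)),
]

if __name__ == "__main__":
    print("retries per second for", STA_MAC, "->", retry_series(CAPTURE, STA_MAC))
    for mac, (frames, retries) in retry_stats(CAPTURE).items():
        print(f"{mac}: {retries}/{frames} frames retried")
```

A rising retry count for one station while the rest of the cell stays flat is the pattern the Wi-Spy slide is hinting at: look for interference or a weak link on that client rather than a problem with the AP.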
Try Application Analysis Yourself!

• Launch First Instance of Wireshark
• Clear DNS and browsing cache (ipconfig /flushdns)
  – Start capture
  – http://sharepoint.microsoft.com/?wax=off
  – Stop capture
• Launch Second Instance of Wireshark
• Clear DNS and browsing cache (ipconfig /flushdns)
  – Start capture
  – http://sharepoint.microsoft.com/?wax=on
  – Stop capture

Capture on your local host while running Wireshark and connecting to the site.
Compare Conversations (Time Values)
VoIP Analysis and Playback

• Telephony | VoIP Calls | [select call] | Player | Decode [Check conversation(s)] | Play
Tshark Command-Line Statistics

• From Wireshark Network Analysis
Tshark Command-Line

• tshark -i 3 -qz conv,eth -z conv,ip -z conv,tcp

  -i 3          Capture on the 3rd interface listed by tshark -D
  -qz conv,eth  Don't show packets (-q), but capture Ethernet conversation statistics
  -z conv,ip    Only use -q once. Capture IP conversation statistics
  -z conv,tcp   Only use -q once. Capture TCP conversation statistics
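The conversation tables that command prints are simple to reproduce, and doing so makes clear what the Application Analysis and Compare Conversations slides are comparing between the two captures. The following is an added example (not from the slides, the book, or tshark itself): it builds the argument list from the slide with `-q` given once and one `-z` per statistic, and computes TCP conversation statistics (frames and bytes per direction, totals, relative start and duration) from constructed packet records in the shape of the `conv,tcp` table. The addresses, ports, sizes and timestamps are constructed.

```python
"""Conversation statistics in the shape of `tshark -q -z conv,tcp`, from constructed packets."""
from dataclasses import dataclass


def tshark_conv_args(interface, kinds=("eth", "ip", "tcp")) -> list:
    """argv for the slide's command: -i <n>, -q exactly once, then one -z conv,<kind> each."""
    args = ["tshark", "-i", str(interface), "-q"]
    for kind in kinds:
        args += ["-z", f"conv,{kind}"]
    return args


@dataclass
class Packet:
    ts: float      # seconds since capture start
    src: str       # "ip:port"
    dst: str       # "ip:port"
    length: int    # frame bytes on the wire


def conv_key(a: str, b: str) -> tuple:
    """Unordered endpoint pair, so both directions land in one conversation."""
    return (a, b) if a <= b else (b, a)


def tcp_conversations(packets) -> dict:
    """Map (endpoint A, endpoint B) -> per-direction counts, totals, start and duration."""
    table = {}
    for p in packets:
        key = conv_key(p.src, p.dst)
        c = table.setdefault(key, {
            "a_to_b_frames": 0, "a_to_b_bytes": 0,
            "b_to_a_frames": 0, "b_to_a_bytes": 0,
            "start": p.ts, "end": p.ts,
        })
        side = "a_to_b" if p.src == key[0] else "b_to_a"
        c[f"{side}_frames"] += 1
        c[f"{side}_bytes"] += p.length
        c["start"] = min(c["start"], p.ts)
        c["end"] = max(c["end"], p.ts)
    for c in table.values():
        c["frames"] = c["a_to_b_frames"] + c["b_to_a_frames"]
        c["bytes"] = c["a_to_b_bytes"] + c["b_to_a_bytes"]
        c["duration"] = c["end"] - c["start"]
    return table


def top_conversations(table: dict, n: int = 5) -> list:
    """Busiest conversations first, by total bytes; the ones worth looking at first."""
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def compare_captures(first, second) -> dict:
    """Side-by-side summary for two runs of the same task (e.g. wax=off vs wax=on)."""
    summaries = []
    for packets in (first, second):
        table = tcp_conversations(packets)
        summaries.append({
            "conversations": len(table),
            "frames": sum(c["frames"] for c in table.values()),
            "bytes": sum(c["bytes"] for c in table.values()),
            "elapsed": max((p.ts for p in packets), default=0.0),
        })
    return {k: (summaries[0][k], summaries[1][k]) for k in summaries[0]}


# Constructed capture: one HTTP fetch and the start of a TLS session.
PACKETS = [
    Packet(0.000, "10.0.0.5:50000", "203.0.113.10:80", 74),
    Packet(0.050, "203.0.113.10:80", "10.0.0.5:50000", 74),
    Packet(0.051, "10.0.0.5:50000", "203.0.113.10:80", 66),
    Packet(0.052, "10.0.0.5:50000", "203.0.113.10:80", 500),
    Packet(0.120, "203.0.113.10:80", "10.0.0.5:50000", 1514),
    Packet(0.121, "203.0.113.10:80", "10.0.0.5:50000", 800),
    Packet(0.300, "10.0.0.5:50001", "203.0.113.20:443", 74),
    Packet(0.350, "203.0.113.20:443", "10.0.0.5:50001", 74),
    Packet(0.351, "10.0.0.5:50001", "203.0.113.20:443", 66),
]

if __name__ == "__main__":
    print(" ".join(tshark_conv_args(3)))
    for (a, b), c in top_conversations(tcp_conversations(PACKETS)):
        print(f"{a} <-> {b}  {c['a_to_b_frames']}/{c['a_to_b_bytes']}  "
              f"{c['b_to_a_frames']}/{c['b_to_a_bytes']}  total {c['frames']}/{c['bytes']}  "
              f"start {c['start']:.3f}  dur {c['duration']:.3f}")
```

For the Application Analysis exercise, run `compare_captures` on the packets from the wax=off and wax=on sessions: a jump in conversation count or elapsed time between the two runs is the kind of difference the Compare Conversations slide asks you to spot.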
Keep Up with Me

• Twitter - www.twitter.com/laurachappell
• Newsletter (chappellU.com)
• Wireshark Weekly Tips (wiresharktraining.com)
• Free Wireshark Webinars (chappellU.com)
• Microsoft Project - http://facebook.com/MVPpress - Search for post "Laura Needs Your Help" and reply with your ideas and suggestions