Wireshark Tips

The document discusses using Wireshark to capture and analyze network traffic. It covers capture methods like using an Ethernet hub or switched Ethernet, and how to set capture filters. It also discusses analyzing captures using tools in Wireshark like the protocol hierarchy, conversations, and exporting data to text, CSV or JSON files. Additional tools mentioned are Capinfos, Dumpcap, Editcap, Mergecap and Tshark for tasks like capturing packets, filtering PCAP files and exporting fields for further processing. The document encourages practicing these skills using the EVE network simulator.

Uploaded by

An Tran
The Art of Using Wireshark

Presenter: Hoàng Trường Nguyên


Presenter: Trương Công Định
Co-founder: ccie4career.com (C4C). Co-founder: C4C-Telecoms. Co-founder: eve-nglab.com.
Telecommunications engineer at Mobifone. CCIE #56102.
Lecturer at Vnpro.
Contents
01 Capture

02 Capture Analysis

03 Other tools
Capture
Capture method
Capture filters

Capture tip
Capture method
Ethernet hub
Capture method
Switched Ethernet
Capture method
Switched Ethernet
Advantage: easy to use if such a switch is available.
Disadvantage: a more expensive switch is needed (though not as expensive as they once were); packets can be lost from the capture at high traffic rates.
Capture method
Switched Ethernet
Advantage: every packet of the traffic can be captured, and the Ethernet traffic itself is not affected.
Disadvantage: costly and uncomfortable to work with.
Capture filters
Capture filters
Byte offset
- Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T' and ' ' (hex values 47, 45, 54 and 20) immediately after the TCP header.

Ref:
https://www.packetlevel.ch/html/tcpdumpf.html
https://wiki.wireshark.org/CaptureFilters
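The byte-offset filter above works because the TCP data-offset nibble tells the filter engine where the TCP header ends, so the "GET " check lands on the first four payload bytes whatever TCP options are present. The following is an added example, not code from the slides: it re-implements that arithmetic in Python over constructed Ethernet/IPv4/TCP frames so the offset calculation can be checked step by step. The filter string quoted in the comment is the one published on the Wireshark CaptureFilters wiki page referenced above; the frame builder, addresses and ports are constructed for the example.

```python
import struct

# Capture filter from the referenced Wireshark wiki page, for comparison:
#   port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
# tcp[12:1] & 0xf0 keeps the data-offset nibble (TCP header length in 32-bit words,
# stored in the high 4 bits of byte 12); >> 2 converts it to bytes (>> 4 to get words,
# then * 4), i.e. the offset of the first payload byte relative to the TCP header.
HTTP_GET_FILTER = "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"
GET_MAGIC = 0x47455420  # 'G' 'E' 'T' ' '

ETH_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6


def parse_tcp(frame: bytes) -> dict:
    """Locate the TCP header and payload in an Ethernet/IPv4/TCP frame.

    Honours both IP options (IHL field) and TCP options (data offset), which is
    exactly why the capture filter cannot use a fixed offset such as tcp[20:4].
    """
    if len(frame) < ETH_LEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[ETH_LEN + 9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp_start = ETH_LEN + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_offset = (frame[tcp_start + 12] & 0xF0) >> 2   # same arithmetic as the filter
    return {"sport": sport, "dport": dport, "payload_offset": tcp_start + data_offset}


def is_http_get(frame: bytes) -> bool:
    """Python equivalent of the byte-offset capture filter."""
    try:
        tcp = parse_tcp(frame)
    except ValueError:
        return False
    if 80 not in (tcp["sport"], tcp["dport"]):
        return False
    off = tcp["payload_offset"]
    if len(frame) < off + 4:
        return False
    return struct.unpack("!I", frame[off:off + 4])[0] == GET_MAGIC


def build_frame(payload: bytes, dport: int = 80, tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the example (no checksums, fake MACs/IPs)."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32-bit words"
    eth = bytes.fromhex("aabbccddeeff001122334455") + ETHERTYPE_IPV4
    tcp_len = 20 + len(tcp_options)
    total_len = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1,
                      (tcp_len // 4) << 4,   # data offset nibble in the high bits
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


# Constructed inputs: a GET with 12 bytes of TCP options (NOP, NOP, timestamp), a GET
# without options, a POST, and a GET to a non-80 port.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
GET_WITH_OPTIONS = build_frame(b"GET / HTTP/1.1\r\n", tcp_options=TS_OPTIONS)
GET_PLAIN = build_frame(b"GET /index.html HTTP/1.1\r\n")
POST_PLAIN = build_frame(b"POST / HTTP/1.1\r\n")
GET_OTHER_PORT = build_frame(b"GET / HTTP/1.1\r\n", dport=8080)

if __name__ == "__main__":
    for name, frame in [("GET+options", GET_WITH_OPTIONS), ("GET", GET_PLAIN),
                        ("POST", POST_PLAIN), ("GET:8080", GET_OTHER_PORT)]:
        print(name, parse_tcp(frame)["payload_offset"], is_http_get(frame))
```

With TCP options present the payload starts at byte 66 of the frame (14 + 20 + 32) rather than 54, which is the case a fixed-offset filter would miss.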
Capture tip
1. Set up the capture system
- At each signaling measurement point, install the following software:

No.  Software        Function
1    Telnet server   remote control of the probes
2    FTP server      storage and management of measurement files
3    Wireshark       measuring, processing and analysing signaling

- At the central site, install a telnet client:
+ create signaling probe sessions so that measurements can be taken quickly
+ automate signaling measurement on request
+ automatically retrieve signaling files into central storage
Capture tip
2. Capture filter syntax

Ref:
https://wiki.wireshark.org/Performance
Capture Analysis
Pre analysis
Protocol analysis

Extended analysis
Graph
Pre analysis
Protocol Hierarchy
Pre analysis
Conversations
Protocol analysis
Extended analysis
Export to text file
- Custom processing by writing a program (Python, Perl, C#, ...)
- Troubleshoot by comparing messages
Extended analysis
Export to CSV file
- Import into Excel and use Excel functions to build reports: statistics, charts, ...
- Import into an SQL database
Extended analysis
Export to JSON file
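The Conversations and Protocol Hierarchy views shown earlier, and the CSV/JSON exports above, can be reproduced outside Wireshark once the capture is exported. The following is an added example, not code from the slides: it reads a JSON export in the layout produced by `tshark -T json` (a JSON array with each packet's dissected layers under `_source` -> `layers`), builds a Wireshark-style protocol hierarchy and IPv4 conversation table from it, and renders the table as CSV for Excel or SQL import. The packet records are constructed for the example; on a real export only the field names used here (`frame.len`, `frame.protocols`, `ip.src`, `ip.dst`) are assumed.

```python
import csv
import io
import json
from collections import Counter, defaultdict


def _pkt(num, length, protocols, src, dst):
    """Constructed packet record in the layout of `tshark -T json` output."""
    return {"_source": {"layers": {
        "frame": {"frame.number": str(num), "frame.len": str(length),
                  "frame.protocols": protocols},
        "ip": {"ip.src": src, "ip.dst": dst}}}}


# Constructed sample export: a short HTTP exchange plus one DNS query.
SAMPLE_JSON = json.dumps([
    _pkt(1, 74, "eth:ethertype:ip:tcp", "10.0.0.1", "10.0.0.2"),
    _pkt(2, 200, "eth:ethertype:ip:tcp:http", "10.0.0.1", "10.0.0.2"),
    _pkt(3, 1500, "eth:ethertype:ip:tcp:http", "10.0.0.2", "10.0.0.1"),
    _pkt(4, 60, "eth:ethertype:ip:tcp", "10.0.0.1", "10.0.0.2"),
    _pkt(5, 90, "eth:ethertype:ip:udp:dns", "10.0.0.1", "10.0.0.9"),
])


def load_layers(text: str) -> list:
    """Return the 'layers' dict of every packet in a tshark JSON export."""
    return [rec["_source"]["layers"] for rec in json.loads(text)]


def protocol_hierarchy(layers: list) -> Counter:
    """Packets per protocol, as in Statistics > Protocol Hierarchy: a packet counts
    once for every protocol named in its frame.protocols chain."""
    counts = Counter()
    for lay in layers:
        for proto in set(lay["frame"]["frame.protocols"].split(":")):
            counts[proto] += 1
    return counts


def conversations(layers: list) -> dict:
    """IPv4 conversations: per unordered address pair, packets and bytes, and the
    packet count in each direction (as in Statistics > Conversations > IPv4)."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for lay in layers:
        if "ip" not in lay:
            continue  # non-IP frames (ARP, ...) have no IPv4 conversation
        src, dst = lay["ip"]["ip.src"], lay["ip"]["ip.dst"]
        a, b = sorted((src, dst))
        row = conv[(a, b)]
        row["packets"] += 1
        row["bytes"] += int(lay["frame"]["frame.len"])
        row["a_to_b" if src == a else "b_to_a"] += 1
    return dict(conv)


def conversations_csv(layers: list) -> str:
    """Render the conversation table as CSV text, largest by bytes first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["addr_a", "addr_b", "packets", "bytes",
                     "packets_a_to_b", "packets_b_to_a"])
    table = conversations(layers)
    for (a, b), r in sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        writer.writerow([a, b, r["packets"], r["bytes"], r["a_to_b"], r["b_to_a"]])
    return buf.getvalue()


if __name__ == "__main__":
    layers = load_layers(SAMPLE_JSON)
    print(protocol_hierarchy(layers))
    print(conversations_csv(layers), end="")
```

The same CSV can be produced directly by tshark with `-T fields -e ip.src -e ip.dst -E header=y -E separator=,`; the JSON route is useful when the post-processing needs fields from several layers at once.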
Graph
Other tools
Capinfos
Dumpcap

Editcap
Mergecap
Tshark
Capinfos
Capinfos is a program that reads one or more capture files and returns some or all available statistics (infos) of each <infile> in one of two output formats: long or table.

Ref:
file:///C:/Program%20Files/Wireshark/capinfos.html
Dumpcap
Dumpcap is used as the capture engine for Tshark. Dumpcap uses fewer resources than Tshark, so it gives better capture performance.

Ref:
file:///C:/Program%20Files/Wireshark/dumpcap.html

Editcap
Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).

Ref:
file:///C:/Program%20Files/Wireshark/editcap.html

Editcap
Split a large pcap into smaller ones
Editcap
Remove duplicate packets
Editcap
Edit packet timestamps
Mergecap
Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument.

Ref:
file:///C:/Program%20Files/Wireshark/mergecap.html
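To make the Capinfos, Editcap and Mergecap operations above concrete, here is an added example, not code from the slides or from the Wireshark project: a small reader/writer for the classic libpcap file format that performs the same operations in Python on a constructed in-memory capture: a capinfos-style summary, `editcap -c` (split by packet count), `editcap -d` (drop a frame whose bytes match one of the previous four), `editcap -t` (shift timestamps) and a mergecap-style chronological merge. Only little-endian microsecond pcap (magic 0xa1b2c3d4) is handled; pcapng and nanosecond variants are out of scope. The frames, MAC addresses and timestamps are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
RECORD_HDR = struct.Struct("<IIII")
US = 1_000_000


def read_pcap(data: bytes) -> list:
    """Parse pcap bytes into a list of (timestamp_in_microseconds, frame_bytes)."""
    magic = GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap variant (only LE microsecond pcap handled)")
    packets, off = [], GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        sec, usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        packets.append((sec * US + usec, data[off:off + incl_len]))
        off += incl_len
    return packets


def write_pcap(packets: list) -> bytes:
    """Serialise (timestamp_us, frame) pairs back into pcap bytes."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_us, frame in packets:
        sec, usec = divmod(ts_us, US)
        out.append(RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def capinfo(packets: list) -> dict:
    """capinfos-style summary: packet count, total bytes, capture duration."""
    if not packets:
        return {"packets": 0, "bytes": 0, "duration_us": 0}
    return {"packets": len(packets),
            "bytes": sum(len(f) for _, f in packets),
            "duration_us": packets[-1][0] - packets[0][0]}


def split(packets: list, per_file: int) -> list:
    """editcap -c <n>: cut the capture into chunks of n packets."""
    return [packets[i:i + per_file] for i in range(0, len(packets), per_file)]


def dedup(packets: list, window: int = 4) -> list:
    """editcap -d: drop a frame identical to one of the previous <window> kept frames."""
    kept, recent = [], []
    for ts_us, frame in packets:
        if frame in recent:
            continue
        kept.append((ts_us, frame))
        recent = (recent + [frame])[-window:]
    return kept


def shift(packets: list, delta_us: int) -> list:
    """editcap -t <seconds>: move every timestamp by a constant offset."""
    return [(ts_us + delta_us, frame) for ts_us, frame in packets]


def merge(*captures: list) -> list:
    """mergecap default behaviour: combine captures in chronological order."""
    return sorted((p for cap in captures for p in cap), key=lambda p: p[0])


def _frame(n: int) -> bytes:
    """Constructed Ethernet frame: dst MAC, src MAC, EtherType IPv4, short fake payload."""
    return bytes.fromhex("aabbccddeeff" "001122334455" "0800") + b"payload-%d" % n


# Constructed capture: six frames 0.5 s apart, the second a duplicate of the first.
BASE_US = 1_700_000_000 * US
SAMPLE_PACKETS = [(BASE_US + i * 500_000, _frame(f)) for i, f in enumerate([0, 0, 1, 2, 3, 4])]
SAMPLE_PCAP = write_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    print(capinfo(pkts))
    print("split sizes:", [len(part) for part in split(pkts, 4)])
    print("after dedup:", len(dedup(pkts)))
    print("first ts after +1s shift:", shift(pkts, US)[0][0])
```

Duplicate removal compares whole frames, so two frames that differ only in their timestamp (the usual result of capturing the same traffic on two SPAN sessions) are still treated as duplicates, which is the behaviour wanted when merging overlapping captures.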
Tshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

Ref:
file:///C:/Program%20Files/Wireshark/tshark.html

Tshark
Capture packets
Tshark
Filter pcap files
Tshark
Export fields for further processing
Hands-on practice in EVE
Thank you
Q&A