
04 Wireshark

The document describes Wireshark, a network protocol analyzer tool. It can capture and analyze traffic from wired and wireless network interfaces. Wireshark can decode protocols like IP, TCP, UDP and DICOM. It can filter traffic by IP address, MAC address, protocol and other fields. The document provides examples of using Wireshark to analyze DICOM imaging transfers and troubleshoot communication issues.

Network Protocol Analyzer

Wireshark
Network Protocol Analyzer

URL: http://www.wireshark.org

Training: http://www.wiresharktraining.com
Computer with single wired Network Interface Card

Computer with wired Network Interface Card and Wireless Interface

In Web Browser (Internet Explorer) the hitachimed.com URL was entered

In the DOS emulator window (DOS Prompt Window) a ping was executed to 4.2.2.2

In the DOS emulator window (DOS Prompt Window) a ping was executed to 10.2.4.154


Computer A
I.P. Address = 10.2.4.153
MAC Address: D4-BE-D9-18-3C-EA

Wireshark will display:
Source I.P. Address = 10.2.4.153
Source MAC Address: D4-BE-D9-18-3C-EA
Destination I.P. Address = 10.2.4.154
Destination MAC Address: 00-0F-1F-D6-9B-4F

Computer B
I.P. Address = 10.2.4.154
MAC Address: 00-0F-1F-D6-9B-4F

Wireshark will display:
Source I.P. Address = 10.2.4.154
Source MAC Address: 00-0F-1F-D6-9B-4F
Destination I.P. Address = 10.2.4.153
Destination MAC Address: D4-BE-D9-18-3C-EA

Computer A
I.P. Address = 172.22.16.2
MAC Address: D4-BE-D9-18-3C-EA

Firewall LAN (Computer A side)
I.P. Address = 172.22.16.1
MAC Address: 00-17-C5-3E-10-24

Firewall WAN (Computer A side)
I.P. Address = 10.2.4.153
MAC Address: 00-17-C5-3E-10-25

Firewall WAN (Computer B side)
I.P. Address = 10.2.4.154
MAC Address: 00-17-C5-80-FD-E7

Firewall LAN (Computer B side)
I.P. Address = 172.22.16.1
MAC Address: 00-17-C5-80-FD-E6

Computer B
I.P. Address = 172.22.16.2
MAC Address: 00-0F-1F-D6-9B-4F

Wireshark will display (Computer A):
Source I.P. Address = 172.22.16.2
Source MAC Address: D4-BE-D9-18-3C-EA
Destination I.P. Address = 10.2.4.154
Destination MAC Address: 00-17-C5-3E-10-24

Wireshark will display (Computer B):
Source I.P. Address = 172.22.16.2
Source MAC Address: 00-0F-1F-D6-9B-4F
Destination I.P. Address = 10.2.4.153
Destination MAC Address: 00-17-C5-80-FD-E6

Firewall WAN
I.P. Address = 10.2.4.153
MAC Address: 00-17-C5-3E-10-25

Firewall WAN
I.P. Address = 10.2.4.154
MAC Address: 00-17-C5-80-FD-E7

Wireshark will display:
Source I.P. Address = 10.2.4.153 or 10.2.4.154
Source MAC Address: 00-17-C5-80-FD-E7 or 00-17-C5-3E-10-25
Destination I.P. Address = 10.2.4.153 or 10.2.4.154
Destination MAC Address: 00-17-C5-80-FD-E7 or 00-17-C5-3E-10-25
DICOM ping to a DICOM Server on I.P. 10.2.4.154 listening on port 5000

DICOM ping to a DICOM Server on I.P. 10.2.4.154 NOT listening on port 5000
The Client tries to connect on TCP level first, but receives a Reset (RST) from the Server

DICOM ping to a DICOM Server on I.P. 10.2.4.154 / Port 5000 – Firewall blocks the port on the Server.
The Client tries to connect on TCP level first, but receives a Reset (RST) from the Server

DICOM ping to a DICOM Server on I.P. 10.2.4.154 / Port 5000 – Firewall blocks the port on the Client.
The Client tries to connect on TCP level first, but receives a Reset (RST) from the Server


Wireshark has many commands/filters that can be executed from the GUI or via the executable files in the Wireshark folder.
Wireshark is strict about filter formatting and about upper/lower case.

Some examples are:

ip.addr==10.2.4.154
    This filter will only display traffic to and from I.P. Address 10.2.4.154

ip.addr==10.2.4.154 && ip.addr==10.2.4.153
    This filter will only display traffic between I.P. Addresses 10.2.4.154 and 10.2.4.153

!ip.addr==10.2.4.154
    This filter will display everything except traffic to and from I.P. Address 10.2.4.154

dicom
    This filter will only display traffic using the DICOM protocol

!dicom
    This filter will display all traffic except the DICOM protocol

ip.addr==10.2.4.154 && dicom
    This filter will display traffic to and from I.P. Address 10.2.4.154 using the DICOM protocol

tcp
    This filter will only display TCP traffic

DICOM Single Ultrasound Image Storage by client 172.22.16.2 to PACS Server 10.2.4.154.
For this session, 376 packets are needed.

DICOM Single Ultrasound Image Storage by client 172.22.16.2 to PACS Server 10.2.4.154.
For this session, a total of 376 packets are used.

DICOM Single Ultrasound Image Storage by client 172.22.16.2 to PACS Server 10.2.4.154.
Packet #355 shows the DICOM header information.

DICOM Single Ultrasound Image Storage by client 172.22.16.2 to PACS Server 10.2.4.154.
Packet #366 shows the actual successful storage of the Ultrasound Image (i.e. DICOM Object).


The following situation will demonstrate a problem with the DICOM Abstract Syntax.

The PACS Server has I.P. Address 172.22.16.2 and the Ultrasound System 10.2.4.154.
The problem is that in the Presentation Context, the SOP Class UID Ultrasound Image Storage (Abstract Syntax) is not accepted by the Server, which will reject the DICOM association.

In other words, the PACS server accepts all kinds of formats, but no Ultrasound Images.

Ultrasound System
I.P. Address = 10.2.4.154
AET: CLIENT
Sends: Ultrasound Image Store Request

PACS Server
I.P. Address = 172.22.16.2
AET: SERVER
Stores all kinds of images except Ultrasound Images
Frame Number 8 shows the A-Associate Request from the Client to the Server.
In the Packet Details field you can see the Abstract Syntax Ultrasound Image Storage in the Presentation Context.

Frame Number 16 shows the A-Associate Accept by the Server.
The Packet Details field shows the rejection of the Abstract Syntax in the Presentation Context. Result: Syntax not supported.


Frame Number 120 shows the Abort from the Client and the DICOM session ends.


The following situation will demonstrate a problem with the DICOM Transfer Syntax.

The PACS Server has I.P. Address 172.22.16.2 and the Ultrasound System 10.2.4.154.
The problem is that in the Presentation Context, the Implicit VR Little Endian and Explicit Little Endian (Transfer Syntaxes) are offered by the Client, but neither is supported by the Server, which will reject the DICOM association. This is a very unusual situation, as every DICOM Modality MUST at least support the Implicit VR Little Endian.

In our example, the Transfer Syntax will be displayed in the session as being the fallback Syntax that is not supported.

Ultrasound System
I.P. Address = 10.2.4.154
AET: CLIENT
Sends: Two Transfer Syntax methods

PACS Server
I.P. Address = 172.22.16.2
AET: SERVER
Rejects both and tells that it also does not support the fallback VR Little Endian Implicit Transfer Syntax
Frame Number 6 shows the A-Associate Request by the Client.
The Packet Details field shows the two Transfer Syntaxes in the Presentation Context which the Client supports.

Frame Number 12 shows the A-Associate Reject by the Server.
The Packet Details field shows the rejection of the Transfer Syntax in the Presentation Context. Result: Transfer Syntax not supported.


The following situation will demonstrate a problem with DICOM Transfers.

It seems the image is going to the PACS Server, but it fails and the session “hangs”.

It may be that the Client displays a DICOM timeout error, but this may also be the case on the Server end.
After rebooting the Modality, the session starts over again and the problem remains.
After rebooting the Server, the problem is fixed, but it recurs after a while.

Ultrasound System
I.P. Address = 10.2.4.154
AET: CLIENT
All DICOM Syntaxes are OK

PACS Server
I.P. Address = 172.22.16.2
AET: SERVER
This is a PACS Server that performs multi-tasking and is implemented in a very busy environment for multiple locations

Find the culprit



The next scenario demonstrates a problem with the DICOM Application Entity Title (AET).

The Client tries to send to the Server by using a wrong name (SERVOR instead of SERVER).

The Server immediately responds with a Called AET not recognized and rejects the Client.

Ultrasound System
I.P. Address = 10.2.4.154
AET: CLIENT
Tries to communicate with SERVOR

PACS Server
I.P. Address = 172.22.16.2
AET: SERVER
The Server responds: Called AET is not recognized and rejects the Association.

Association rejected by the Server because the calling AET CLIENT used the wrong called AET.


The next scenario demonstrates a problem with an unknown device trying to connect.

The Client tries to perform a DICOM Ping with the Server, which has no record of the device and rejects the Association.

Client AET: CLIENTT

Server AET: SERVER

Ultrasound System
I.P. Address = 10.2.4.154
AET: CLIENTT
Tries to communicate with SERVER

PACS Server
I.P. Address = 172.22.16.2
AET: SERVER
"Who is that guy?"
The Server does not know this device and aborts the session

Association reject by the Server due to wrong calling AET (unknown).
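
Added example (not part of the original slides): the association failures in the scenarios above (Abstract Syntax, Transfer Syntax, called AET, calling AET) travel as numeric codes in the Server's A-ASSOCIATE-AC or A-ASSOCIATE-RJ PDU, which Wireshark decodes in the Packet Details field. The Python code below decodes the same codes from raw PDU bytes using the DICOM PS3.8 code tables; the function names and the sample PDUs are constructed for illustration.

```python
import struct

# Result/reason code tables from the DICOM Upper Layer protocol (PS3.8).
PC_RESULT = {0: "acceptance", 1: "user-rejection", 2: "no-reason (provider rejection)",
             3: "abstract-syntax-not-supported", 4: "transfer-syntaxes-not-supported"}
RJ_RESULT = {1: "rejected-permanent", 2: "rejected-transient"}
RJ_SOURCE = {1: "service-user", 2: "provider (ACSE)", 3: "provider (presentation)"}
RJ_USER_REASON = {1: "no-reason-given", 2: "application-context-name-not-supported",
                  3: "calling-AE-title-not-recognized", 7: "called-AE-title-not-recognized"}

def parse_association_response(data: bytes) -> dict:
    """Decode the outcome carried by one A-ASSOCIATE-AC or A-ASSOCIATE-RJ PDU."""
    if len(data) < 6 or len(data) - 6 != struct.unpack(">I", data[2:6])[0]:
        raise ValueError("PDU length field does not match the captured bytes")
    pdu_type, body = data[0], data[6:]
    if pdu_type == 0x03 and len(body) == 4:            # A-ASSOCIATE-RJ
        _, result, source, reason = body               # reserved, result, source, reason
        reasons = RJ_USER_REASON if source == 1 else {}  # table covers source 1 only
        return {"pdu": "A-ASSOCIATE-RJ", "result": RJ_RESULT.get(result, result),
                "source": RJ_SOURCE.get(source, source),
                "reason": reasons.get(reason, f"code {reason}")}
    if pdu_type == 0x02 and len(body) >= 68:           # A-ASSOCIATE-AC
        contexts, pos = {}, 68    # skip version, reserved, both AE titles, reserved
        while pos + 4 <= len(body):
            item_type, item_len = body[pos], struct.unpack(">H", body[pos + 2:pos + 4])[0]
            if pos + 4 + item_len > len(body):
                raise ValueError("item overruns the PDU")
            if item_type == 0x21 and item_len >= 4:    # presentation context (AC form)
                code = body[pos + 6]                   # result/reason byte
                contexts[body[pos + 4]] = PC_RESULT.get(code, f"code {code}")
            pos += 4 + item_len
        return {"pdu": "A-ASSOCIATE-AC", "contexts": contexts}
    raise ValueError(f"not a well-formed association response (type 0x{pdu_type:02x})")

def sample_ac(result: int) -> bytes:  # constructed AC PDU, one presentation context (ID 1)
    item = lambda t, v: bytes([t, 0]) + struct.pack(">H", len(v)) + v
    app = item(0x10, b"1.2.840.10008.3.1.1.1")         # application context item
    pc = item(0x21, bytes([1, 0, result, 0]) + item(0x40, b"1.2.840.10008.1.2"))
    body = (struct.pack(">HH", 1, 0) + b"SERVER".ljust(16) + b"CLIENT".ljust(16)
            + bytes(32) + app + pc)
    return bytes([0x02, 0]) + struct.pack(">I", len(body)) + body

def sample_rj(reason: int) -> bytes:  # constructed RJ PDU: permanent, source service-user
    return bytes([0x03, 0]) + struct.pack(">I", 4) + bytes([0, 1, 1, reason])

if __name__ == "__main__":
    for pdu in (sample_ac(3), sample_ac(4), sample_rj(7), sample_rj(3)):
        print(parse_association_response(pdu))
```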
