From the course: CompTIA Network+ (N10-009) Cert Prep

Wireshark protocol analyzer

- There are certain tools that really define whether you're a network person or not a network person. And one of those tools is Wireshark. Wireshark is a protocol analyzer. It is completely free. And if you are a network person and you're not familiar with this tool, I would be very, very suspicious. It's certainly on the exam as it should be. And in this episode I want to give you a quick introduction to Wireshark so you can see how powerful this really is. Now before we get started, I want you to make sure you understand what Wireshark is. Wireshark is a protocol analyzer. We're going to have a separate tool that comes with Wireshark, that is some kind of capture tool, and this capture tool will be monitoring my network cards, all of them, or I could pick what network cards I want, and it will start grabbing frames, just grabbing them. Anything that this system sends out, it will also grab those and it will create a capture file. And after we do the capture, we'll then use Wireshark to actually analyze the different protocols, all kinds of fun stuff. So the best way to do this is let me just show you Wireshark. I've got Wireshark up and started right here. So this is what it looks like when you first open up Wireshark. So what we're going to do is we're going to tell Wireshark to light up its capture tool and go ahead and start grabbing data off of the wire. In this case it's just ethernet. So I'm going to click on start. Now I can click on options here and if I had different network cards and such, I could select them here. In this case, since I only have one, it's easy. So let's go ahead and start this. Now what you're seeing is a capture going on even as we speak and it's grabbing all kinds of frames coming in and out of the network. And I'm going to let this run for a minute and just see if there's anything interesting that pops along. Okay, so I'm going to go ahead and stop it. 
So what I now have is a few, I don't know, a few hundred frames that have been going in and out of this particular Ethernet card on this system. So the first thing I want us to do is be comfortable with the interface. So we look up at the top and each one of these, and you can see it's actually numbered on the left. These are individual frames that are being picked up by the capture tool itself. So they do all kinds of different stuff, lots of ARPs in there. Looks like this might be a webpage coming in. See that TLS, that might be a secure webpage. Here's some DNS information. Here's some DHCP. The bottom line is that we've got all of this data. So what I'm going to do right now is I'm going to just grab arbitrarily on this line, we'll click on this one. The moment I click on this, this second window comes into play. The second window is really important, especially if you understand your protocol data units, because what Wireshark is going to do is it will show you the Ethernet part, then it'll show you the IP part, then it'll show you the TCP/UDP part. It'll even show you application information. So it almost kind of strips the frame apart for us. Let's march through that process. So here on this particular frame, you'll see how the first part is the Ethernet frame itself. You'll see I've got a MAC address to and a MAC address from. So it tells me exactly where it's going to and from. It also tells me what kind of data type, which is IPv4. This is where it's kind of important for us to be able to read an Ethernet frame and an IP packet in detail. As a network person, being able to understand all these different pieces is absolutely critical. Not only really for the exam, but in the real world I've had lots of people I'll go up to and I go, well, do you know TCP/IP? And they'll go, yeah, I know TCP/IP, and maybe they're good at IP addressing, but they don't really understand the meat of this. 
I will tell you that the exam does not push you very hard in terms of what part of the IP packet does this. But I will tell you in the real world, this is just expected knowledge. Let's just keep marching down. So once we get to here, you'll notice that we have stripped off the Ethernet frame and now we're just looking at the IP packet. So we click on here and you can see my source and destination IP addresses. There's other information in here. Here's the protocol right here. So I know this is going to be a short one, it's just UDP. So now we can then go here, we can close these back up and now we can click on UDP. And now we've stripped off the Ethernet and the IP part and here's our port information. And then at the very last is whatever's working in here. The cool part about Wireshark and what it really does for us is that it allows us to dismantle everything that's going on in our system. Well, one more thing, let's look at the bottom here real quick. This is just showing the same information in the raw hexadecimal. So that's the other thing that Wireshark does really well. Not only does it actually grab the data, but it also segments it and organizes it for us so we don't have to look at raw data like we see at the very bottom there. To be honest with you, this bottom part, I almost never even need it. Now what I want to do is let's go ahead and do another capture, but this time we're going to do it a little bit different. So we're going to start. Now, it says, do you want to throw all this away? And the answer is yes. All right, so we started this. Now watch what I'm going to do. I'm going to do this really, really, really, really quick. All right, so www.totalsem.com. Just try to go someplace. Okay, so I've gone to this particular webpage, let's go ahead and close it. I'm going to stop the capture. 
What I've got now is I started the capture and I went out and I went to a website, got the whole website, and I stopped it and then I stopped the capture. So with a little luck, we should be able to find that entire website. And what I'm doing is I'm looking for... That looks like it could very well be it. Now watch this, this is pretty cool. What I'm going to do right now is I'm going to right-click and I'm going to click on Follow TCP Stream. Now be careful, what we're looking at here is an encrypted webpage. It was HTTPS, so it's going to be a lot of gobbledygook, but you'll see some information in there too. So what you're looking at right here is the actual webpage in its raw format as it comes down to the system. When we follow a TCP stream, what Wireshark just did is said, ah, this one particular packet that you're looking at was part of a webpage. I'll go ahead and find all the other ones, put it together for you, and hand it to you in a nice pretty package. So we can get a lot of information in terms of what's going on. That was fun. Let's do it again. Okay, so I've got a capture started. Now watch what I'm going to do. I'm going to release my IP address and then I'm going to renew it. So those of you who have covered DHCP understand what I'm doing here. Okay, so I released and renewed, and what I'm going to do now is I'm going to stop the capture. And this time I want to actually see what happened as I released and renewed. And that's a DHCP feature. Now the downside is that Wireshark looks at this type of information as BOOTP, which is an alternative name for DHCP. You get really good on this. What we're doing is I'm filtering out anything but that DHCP release, renew, watch this. So what you're looking at right here is me filtering out everything else and what we're actually seeing here. There's my release and then here's my request as I come back in, and it actually allows me to watch that process. 
If I was having trouble with DHCP, this would be a perfect tool for me to use to be able to zero in on what might potentially be the problem. So Wireshark is an incredible tool. And by the way, folks, I might add, there are books this thick on Wireshark and they're interesting reading. Well, if you're a nerd like me, they are. In terms of its power as a diagnostic tool, there is probably no better protocol analyzer out there than Wireshark. Wireshark can work with wireless networks, it can work with Bluetooth. It is incredible, telephone, voice over IP. It is a wildly powerful tool and it is something that you need to know. It's not even really a question mark. So all I'm trying to do with this quick little episode is get you excited about the idea of what Wireshark is. There is one thing I would like to add, and that is a lot of people aren't big fans of the capture tool that comes with Wireshark. The capture tool that comes with Wireshark is a little bit notorious for being a bit slow sometimes. Sometimes it misses packets and that bothers people. So what a lot of people do is use alternative capture tools. For example, what I've done now is I've jumped over into Linux and one of them I want to show you is called tcpdump. Whoop, how about if we do that properly? Now just watch this for a minute. And what you're actually watching right now is pretty much the exact same type of capture that we saw with Wireshark using its built-in capture tool. Now keep in mind, Wireshark works great in Linux. It works great on Mac tools. Pretty much every operating system has a copy of Wireshark. So what we're going to be doing here is we're going to be running this particular tool, and then we're going to save it in a file, and then we'll open up Wireshark and go, don't just do a capture, just grab this file, and allow us to do that analysis. tcpdump has a lot of features that you don't see with the built-in Wireshark. 
For example, I can preprogram tcpdump to run between two and three in the morning. I can preprogram tcpdump to only look for this particular IP address. There's a lot of features like that that make tcpdump very attractive as an alternative to just using the built-in capture tool that comes with Windows. Well, I hope you're a little bit excited about Wireshark. It's such an amazing tool. Make sure you understand that it's a protocol analyzer, and also make sure that there's a capture tool that comes along with it that actually grabs the packets.
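The layer-by-layer stripping the episode walks through (Ethernet, then IP, then UDP, then payload) can be reproduced by hand to see exactly which bytes Wireshark's detail pane is reading. The following is an added example, not code from the course or from Wireshark; the frame it dissects is constructed in the script itself as a DHCP-style broadcast (UDP 68 to 67), so it runs offline.

```python
import struct

# Constructed sample frame (not captured from the video): Ethernet II / IPv4 / UDP
# carrying the first 4 bytes of a BOOTP/DHCP header (op=1 request, htype=1, hlen=6, hops=0).
def build_sample_frame() -> bytes:
    payload = b"\x01\x01\x06\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0)          # UDP checksum 0 = not computed
    ip_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_len, 0x1234, 0, 64, 17, 0,  # ver/IHL, TOS, len, id, flags, TTL, proto=UDP, csum
                     bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255]))
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    return eth + ip + udp + payload

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def dissect(frame: bytes) -> dict:
    """Peel the frame apart the way Wireshark's middle pane shows it: Ethernet -> IP -> UDP -> data."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:
        return layers                      # ARP (0x0806), IPv6 (0x86dd) etc. are left undissected here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # header length in bytes; options make it larger than 20
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    layers["ip"] = {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]), "proto": proto, "ihl": ihl}
    if proto != 17:
        return layers                      # TCP (6) etc. not handled in this example
    udp = ip[ihl:total_len]                # slice to total_len so Ethernet padding is not read as data
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    layers["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    layers["payload"] = udp[8:ulen]
    # Ports 67/68 are what Wireshark labels as bootp/dhcp in its protocol column
    layers["dhcp"] = sport in (67, 68) or dport in (67, 68)
    return layers

if __name__ == "__main__":
    for name, fields in dissect(build_sample_frame()).items():
        print(name, fields)
```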
