Practical techniques for working in Wireshark

Julia Evans, the author of the article we are publishing in translation today, decided to write about one of her favourite network tools, Wireshark. It is a powerful and complex program with a graphical interface, designed for analysing traffic on computer networks. Julia says that in practice she uses only a handful of Wireshark's features, but those few turn out to be very useful. Here she shares the ways of working with the program that she finds most useful, and hopes they will help not only her but everyone who has to solve network problems.

Install Wireshark


Wireshark builds for various operating systems are available from the project's download page; to install the program, download and run the appropriate package. On Debian-based Linux distributions you can instead run sudo apt install wireshark. If you want the latest version, use the wireshark-dev personal package archive (PPA).

This is what the program interface looks like.


[Figure: the Wireshark interface]

At first glance it can all look too complicated: a long list of packets, a mysterious field for entering some kind of query... How do you actually work with Wireshark?

Parsing pcap files


I usually use Wireshark to find the causes of network problems. My sequence of actions when solving such a problem is as follows:

  1. Capture packets with tcpdump (usually with a command like sudo tcpdump port 443 -w output.pcap).
  2. Copy the pcap file to my laptop (scp host:~/output.pcap .).
  3. Open the pcap file in Wireshark (wireshark output.pcap).

As you can see, it is all very simple. But once the pcap file is open in the program, the obvious question is what to do with all of it. Let's talk about that.

TCP connection analysis


Often, when I am looking at a situation in Wireshark, I need to examine one specific TCP connection that is, for some reason, misbehaving. Wireshark lets you follow the entire life cycle of a single TCP connection and find out why the system is behaving incorrectly.

To do this, right-click the packet you are interested in and choose Conversation filter > TCP from the context menu.


[Figure: starting a TCP connection analysis]

After that, Wireshark shows only the packets that belong to the same TCP connection as the packet you clicked. The figure below shows an example of a successful SSL connection: the client hello, server hello, certificate and server key exchange packets used to establish an SSL connection are all there.


[Figure: TCP connection analysis]

I had to use exactly this TCP conversation analysis at work on the day I was writing this. Some connections were being reset, and I noticed that after sending the client hello packet, the client sent a FIN ACK packet that ended the TLS connection. That was useful to know, because it made clear that the client, not the server, was terminating the connections. So I learned right away that the problem was on the client side and that is where I needed to look.

This is a very typical pattern of working with Wireshark. A connection usually involves a client and a server, and something goes wrong on one side or the other: a crash, say, or a configuration error. Wireshark gives me invaluable help in identifying the culprit, that is, in finding out whether the client or the server is at fault.

The Decode As command


To work out what kind of packet it is looking at, Wireshark relies on port numbers, and this usually works. For example, if the program sees traffic on port 80, it assumes it is HTTP traffic, and it usually is.

However, HTTP connections sometimes use unusual ports, and then Wireshark needs a hint in order to recognise them. You can give it one by opening the packet's context menu and choosing Decode As. There you tell Wireshark which protocol is carried over a particular port. Such hints make the analysis much simpler.

Viewing packet contents


Wireshark has a simply delightful packet details view that lets you understand the contents of any packet. Take, for example, the client hello packet from the previous example. It is the first packet of the SSL connection; the client is saying: “Hello! Here I am!”

Wireshark gives the network administrator two incredibly useful ways of examining packet contents. The first is a tree view in which you can expand each of the packet's headers (the Ethernet header, the IP header, the TCP header, and so on) and look at their fields.


[Figure: packet header analysis]

The second view is a real miracle. It shows the raw packet data as a sequence of bytes and, what is especially nice, if you hover the mouse over any byte (in the figure below the pointer is on a byte of tiles.services.mozilla.com), the status bar tells you which field that byte belongs to (here, the Server Name field) and the name Wireshark uses for that field (here, ssl.handshake.extensions_server_name).


[Figure: analysis of raw packet data]

Searching for packets


Wireshark supports a powerful query language, which makes it much easier to find specific packets in the list. When working with the program I usually use very simple queries. Here are some examples:


Wireshark's query language is far more capable than tcpdump's (and, in addition, it supports auto-completion with the TAB key). So I often use the following sequence: capture a large number of packets with tcpdump (say, all packets on port 443), then examine them carefully in Wireshark.

Viewing the duration of TCP connections


Sometimes I need to look closely at slow TCP connections. How do you do that when the file contains thousands of packets? How do you find the slow connections?

If you choose Statistics in the program's main menu and then Conversations, Wireshark shows a wonderful table of statistics.


[Figure: statistical information]

In particular, the Duration column shows how long each TCP connection lasted, so you can pick out the longest ones and study them carefully. This is a very useful feature.
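As an added example (not code from the original article or from the Wireshark project), the script below reproduces in plain Python three of the things the text does in Wireshark: grouping packets into TCP conversations (Conversation filter > TCP), pulling the Server Name out of a client hello (the ssl.handshake.extensions_server_name field seen in the bytes view), and listing each conversation's duration together with which side closed it (the Duration column of Statistics > Conversations, plus the "who sent the FIN" question from the reset-connections story). It builds a small constructed pcap in memory so it runs offline: the documentation addresses 192.0.2.10 and 198.51.100.5, the example.com hello and the 2.5-second connection are all made up here, as are the frame builder, the ClientHello encoder and the summary format.

```python
import struct
from collections import defaultdict

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed RFC 5737 documentation addresses

def _ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame for the sample capture; checksums stay zero (it is never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _client_hello(server_name):
    """Bare TLS 1.2 ClientHello whose only extension is server_name (the SNI)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server name list: type 0 = host name
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_sample_pcap():
    """Constructed capture: a connection the client closes right away and one the server closes late."""
    c2s = lambda port, flags, payload=b"": _ipv4_tcp_frame(CLIENT, SERVER, port, 443, flags, payload)
    s2c = lambda port, flags: _ipv4_tcp_frame(SERVER, CLIENT, 443, port, flags)
    frames = [
        (0.00, c2s(50000, SYN)), (0.01, s2c(50000, SYN | ACK)), (0.02, c2s(50000, ACK)),
        (0.03, c2s(50000, PSH | ACK, _client_hello("tiles.services.mozilla.com"))),
        (0.05, c2s(50000, FIN | ACK)),                      # client hangs up right after its hello
        (1.00, c2s(50001, SYN)), (1.01, s2c(50001, SYN | ACK)), (1.02, c2s(50001, ACK)),
        (1.03, c2s(50001, PSH | ACK, _client_hello("example.com"))),
        (3.50, s2c(50001, FIN | ACK)),                      # server closes after 2.5 s
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, link type Ethernet
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a classic little-endian Ethernet pcap into dicts holding the fields Wireshark displays."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, pos)
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:       # keep only IPv4 + TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]   # IHL .. total length
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        packets.append({"ts": sec + usec / 1e6, "sport": sport, "dport": dport,
                        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                        "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]})
    return packets

def tls_sni(payload):
    """Server name from a TLS ClientHello, i.e. Wireshark's ssl.handshake.extensions_server_name."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                         # record hdr, handshake hdr, version, random
    pos += 1 + payload[pos]                                  # session id
    pos += 2 + struct.unpack_from("!H", payload, pos)[0]     # cipher suites
    pos += 1 + payload[pos]                                  # compression methods
    end, pos = pos + 2 + struct.unpack_from("!H", payload, pos)[0], pos + 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", payload, pos)
        if etype == 0:                                       # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack_from("!H", payload, pos + 7)[0]
            return payload[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + elen
    return None

def conversations(packets):
    """Group packets as 'Conversation filter > TCP' does: by unordered (address, port) pair."""
    convs = defaultdict(list)
    for p in packets:
        convs[tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))].append(p)
    return convs

def summarize(packets):
    """One row per conversation, like Statistics > Conversations, plus which side sent the first FIN."""
    rows = []
    for key, pkts in conversations(packets).items():
        pkts.sort(key=lambda p: p["ts"])
        syn = next((p for p in pkts if p["flags"] & SYN and not p["flags"] & ACK), None)
        client = (syn["src"], syn["sport"]) if syn else key[0]   # the SYN sender is the client
        fin = next((p for p in pkts if p["flags"] & FIN), None)
        rows.append({"client": "%s:%d" % client, "packets": len(pkts),
                     "server": "%s:%d" % (key[1] if key[0] == client else key[0]),
                     "duration": round(pkts[-1]["ts"] - pkts[0]["ts"], 6),
                     "sni": next((s for s in (tls_sni(p["payload"]) for p in pkts) if s), None),
                     "closed_by": None if fin is None else
                     ("client" if (fin["src"], fin["sport"]) == client else "server")})
    return sorted(rows, key=lambda r: r["duration"], reverse=True)   # longest first, as the Duration column
```

Calling summarize(read_pcap(build_sample_pcap())) returns the two conversations longest-first: the 2.5-second one closed by the server, then the 0.05-second one that the client closed immediately after its hello for tiles.services.mozilla.com, which is the same "who hung up?" answer the article reads off the FIN ACK packet. Swapping build_sample_pcap() for the bytes of a real output.pcap written by tcpdump works as long as it is a classic Ethernet pcap; pcapng and other link types are deliberately outside this example.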

Updating Wireshark


If you haven't updated Wireshark in a long time, it is worth doing. For example, I was recently examining HTTP/2 packets on my work laptop. I was having a hard time and decided to consult the documentation, and it turned out I had an old version of the program. The update I installed had much better HTTP/2 support, which was exactly what I needed at the time.

Using Wireshark to learn network protocols


This article uses a number of terms from the jargon of network specialists: frame, TCP port, DNS response, source IP address, the client hello packet of an SSL connection. One reason is that Wireshark makes no attempt to shield the user from the internal details of network technologies. To a beginner this can at first suggest that Wireshark is not for them, but only for experienced network specialists.

Wireshark's focus on low-level network mechanisms has a serious plus, however: by working with the program you learn new things about network protocols. For example, I do not know much about the internals of TLS/SSL. But by looking at traffic in Wireshark I noticed that the first two packets of an SSL connection are client hello and server hello. A protocol that seems mysterious and impenetrable as long as you do not look at the details starts to take a more comprehensible shape and becomes something you can understand and analyse.

Summary


Wireshark has a great many features, and here we have covered only a few of them. But according to the author, the methods described here cover about 95% of the situations in which Wireshark is needed. So we hope that even the little you have learned today will be useful to you.

Dear readers! Do you use Wireshark?

Source: https://habr.com/ru/post/416537/