Part 5: A practical guide to using Wireshark and tcpdump on local networks. (Additional features of Wireshark)

16 September 2023 38 minutes

Network traffic analysis: Using the advanced functions of Wireshark and tcpdump

Wireshark is a powerful network traffic analysis tool used by network security professionals, network administrators, and software developers. In addition to the basic functions of capturing and viewing packets, Wireshark also has additional capabilities that allow for deeper and more detailed network analysis. These additional features include: Filtering and Sorting: Wireshark provides a wide set of filters that allow you to select and analyze only specific traffic based on various criteria, such as IP addresses, ports, protocols, and more. Sorting data also helps you find and highlight important information.

Statistical analysis: Wireshark automatically generates a variety of statistical reports and graphs that allow you to gain insight into the performance of your network. You can analyze timing characteristics, protocol distribution, packet diagram and much more. Deep Packet Analysis: Wireshark allows you to view the contents of each individual packet, allowing you to understand exactly what is being transmitted over your network. You can uncover the packet and data headers of various protocols, and monitor changes in content. Development and Debugging: Wireshark can be used to develop and debug network applications and services. You can create your own packages for testing and interacting with your applications. Multi-Protocol Support: Wireshark supports hundreds of different network and transport protocols, allowing you to analyze traffic at different levels of the OSI model. These additional capabilities make Wireshark an indispensable tool for investigating, monitoring, and securing networks. Exploring these features gives you more insight and control over your network. Now that you’ve mastered the basics of Wireshark, you can move on to exploring its advanced packet sniffing and graphing capabilities. This section covers some of these features and tools, including endpoint and conversation windows, the more complex details of the name resolution process, protocol exploration, stream interpretation, graphical I/O, and more. These features of Wireshark as a graphical packet sniffer will prove useful at various stages of the process. So try to at least try out all of Wireshark’s advanced features discussed here before moving on, as we’ll come back to them more than once when looking at practical packet analysis examples in the rest of this book.

Endpoints and network conversations

In order for data to be transferred via s.e’gi, it must be streamed between at least two devices. Each y(:triple that transmits or receives data on the network is preceded by what is called an endpoint in the Wireshark application. And the transfer of data between endpoints is called a dialog. Endpoints and dialogs are described in Wireshark based on the properties of the data transfer and, in particular, the use concepts such as addresses used in various network protocols.

Endpoints are identified by multiple addresses that are assigned to them at different layers of the OSI model. For example, at the data link layer, an endpoint receives a MAC address, which is a unique address built into a network device, although it can be changed and then potentially become useless. And at the network level, the end point receives a 1P-address, which can be changed at any time. How to use both of these types of addresses will be discussed in the following sections.

Figure 5.1 shows two examples of how addresses can be used to identify endpoints in network conversations. In particular, dialog A consists of two endpoints exchanging data at the data link level (MAC addresses). Endpoint A has MAC address 00 0b:de while endpoint B has MAC address 00 : ff: ac : e0 : dc : 0f. Dialog B is defined by two devices,  data transmission at the network level (by IP addresses). Endpoint A has the address 1P 192 .168. 1 .25 while endpoint B has the address 1P 192 .168. 1. 30. Let’s learn how Wireshark can provide information about network traffic based on endpoints or conversations.

View endpoint statistics

Capture file: lotsofweb.pcapng

Intercept File Analyzing network traffic can detect a problem in the 10tsofweb .rsarpd network down to a specific endpoint. As an example, first open the lotsofweb intercept file. rsarpd and then the Endpoints window by selecting Statistics4Endpoints from the main menu. This window displays a number of useful statistics for each endpoint, including the address, number of packets sent and received, and bytes, as shown in Fig. 5.2.

The tabs (TCP, Ethernet, lPv4, lPv6, and UDP) at the top of this window display the number of endpoints organized by a particular network protocol. To display endpoints for a specific protocol only, click the appropriate tab. To add additional tabs to filter endpoints by individual protocols, click the Endpoint Types button in the lower right corner of the screen and select the network protocol you want to add. Also, if you need name resolution to view endpoint addresses (see the Name Resolution section below), select the Name Resolution check box at the bottom of the screen. And if you need to analyze a large intercept and want to filter the endpoints that are displayed, you can apply a display filter in the main Wireshark window and check the Limit display of the filter in the endpoints window. If this check box is selected, this window will display only endpoints that match the criteria specified in the display filter.

The Endpoints window provides another handy option to filter individual packets for display in the Packet List panel. This is a quick way to Deeply sniff packets on a single endpoint. To do this, right-click on the endpoint to select the available filtering options. In the dialog that opens, you will be prompted to show or hide the packages associated with the selected endpoint. You can also select the Colorize option to export the endpoint address directly to a colorization rule (see Section H, “Introduction to Wireshark” for colorization rules). This way, you can quickly isolate packages associated with individual endpoints so you can quickly find them during analysis.

View online conversations

Capture file: lotsofweb.pcapng

Interception Phages If the lotsofweb .rsarpd interception file is still open, lotsofweb. Open the Conversations window by selecting the Statistics4Conversations command from the main menu to display all the conversations in the hook file, as shown in Fig. 5.3. The Conversations window is similar to the Endpoints window, but it displays two addresses per line to represent the network conversation and the packets and bytes transmitted and received by each device. The “Address A” column specifies the sender’s endpoint of the packets, and the “Address B” column specifies the recipient’s endpoint.

The conversation window is arranged according to separate protocols. To view network conversations for a specific protocol, click the appropriate tab at the top of this window, or enter other network protocol types by clicking the Conversation Types button at the bottom right. As with the Endpoints window, you can use name translation, limit the display of network dialogs with a display filter, and right-click on an individual dialog to create filters based on specific dialogs. Filters based on network dialogs are useful for in-depth analysis of network communication sequences of particular interest.

Identifying the most active network nodes using endpoints and conversations

Capture file: lotsofweb.pcapng

The Endpoints and Conversations Windows hook file is easy to use with a large number of web pages. RSARPD network diagnostics and especially when trying to find the source of a significant amount of network traffic. Let’s refer again to the lotsofweb.pcapng capture file for an example. As the name of this file suggests, it contains network traffic generated by the HTTP protocol by many clients browsing the Internet. In fig. Figure 5.4 shows a list of endpoints from this file, sorted by number of bytes.

Note the endpoint located at 172 .16 .16.128 and causing the heaviest (in bytes) network traffic. The address of this endpoint is the internal network address, as explained in Chapter 7, “Network Layer Protocols,” and the device that caused the most intense communication in the intercepted traffic is called the upstream node.

The second most intensive point of network traffic is located at the address 74 .125.103.163, which is an external (internet) address. If you come across an external address, you can refer to the WI IOIS database to find out the registered owner. In this case, from ARIN, the US registry of Internet addresses; https: //, it turns out that the 1P address considered here belongs to Google (Fig. 5.5).

Given this information, we can assume one of two things: the endpoints located at and are exchanging large amounts of data over the network with many other devices or with each other. In fact, endpoints tend to communicate with each other, which is very common for the most active endpoint pairs on the network. To verify this, open the Conversations window, select the Pv4 plug-in, and sort the list by the number of bytes. As a result, you should see that the two endpoints discussed here produce the dialog with the most bytes transferred. The very nature of data transfer implies a heavy load, since the number of bytes transferred from the endpoint with the external address A (74 .125 .103.163) is much greater than the number of bytes transferred from the endpoint with the external address B (172 .16 .16 .128), as shown in fig. 5.6.

This network dialog can be explored separately by applying the following display filter:

ip.addr == && ip.addr ==

Scrolling through the list of packages, you can find several  in the youtube domain. cells in the Info column of the Package List panel. This is consistent with the previously presented findings that the owner of the 1P address is Google, as it owns the company WoitYe. How to use endpoint and conversation windows in specific packet sniffing scenarios will be covered in other sections of this book.

Network protocol hierarchy statistics

Capture File When dealing with unfamiliar .rsarpd lotsofweb capture files, it is sometimes necessary to find out the distribution of network traffic by individual protocols, i.e. the percentage of TCP, IP, DHCP, etc. in the captured traffic. Instead of manually counting packets and summarizing the results, this information can be obtained automatically in Wireshark by opening the Protocol Hierarchy Statistics window.

For example, if the lotsofweb .rsardd intercept file is still open and any previously applied filters have been removed, open the Protocol Hierarchy Statistics window (see Figure 5.7) by selecting the Statistics4ProtocoI Hierarchy command from the main menu.

The Protocol Hierarchy Statistics window provides a snapshot of network activity. As can be seen from fig. 5.7, 100% is Ethernet network traffic, 99.7% is IPv4 traffic, 98% is TCP traffic, and HTTP traffic is used to browse web pages on the Internet. This information is useful for estimating network load, especially if you have a clear idea of what traffic typically looks like on a given network. So, if it is known in advance that the ARP protocol usually accounts for 10% of network traffic, then it follows from a recent interception that this share is 5()%, which means that something may be wrong with the network. Sometimes the presence of packets of a certain protocol in network traffic can be of interest. For example, if devices configured to use Spanning Tree Protocol (STP) are disconnected from the network, its appearance in the network protocol hierarchy may indicate that the devices in question are configured incorrectly.

Over time, you’ll find that the Protocol Hierarchy Statistics window allows you to profile users and devices on your network simply by looking at the distribution of protocols in use. For example, a large amount of HTTP network traffic may indicate heavy web browsing on the Internet. In addition, you will be able to identify individual devices on the network simply by looking at the traffic from the network segment belonging to a specific department of the organization. For example, the IT department may use additional administrative protocols such as ICMP or SNMP, the customer service department may experience a large volume of SMTP mail traffic, and a mischievous young professional may calmly flood the network with traffic while quietly enjoying the multiplayer role-playing game Warld 0fWarcraft in his corner!

Name resolution

Data is transmitted across the network between endpoints using various alphanumeric addressing systems, which are often too long and difficult to remember, for example MAC address 00 IPv4 address 192 .168 . 47 .122 or IPv6 address 2001 :d b8 :aOb: : : 1. To make it easier to remember these addresses, they are given convenient and memorable names, and the process of looking up an address by name is called name resolution. For example, remember the address of dood1e. Honeycombs are much lighter than addresses 216. 58 .217 . 238. By associating human-readable names with unreadable addresses, they are easier to remember and recognize.

Activation of the name recognition process

When displaying data from packets in Wireshark, you can use name resolution to facilitate analysis. To use Wireshark name resolution, select Edit4Preferences4Name Resolution from the main menu. As a result, a window will open (Fig. 5.8), in which the main settings of the name resolution process in Wireshark described below are available.

  • Recognition of MAC addresses. In this mode, ARP is used to attempt to translate second-level MAC addresses (eg 00:09:5b:01:02:03) to third-level addresses (eg If these attempts fail, Wireshark will select an ethers file from its directory to retry address translation. And in extreme cases, Wireshark will resort to converting the first three bytes of the MAC address into the name of the device, designated by the manufacturer according to the IEEE standard (for example, Netgear 01: 02: 03).

  • Recognition of transport names. In this mode, an attempt is made to translate the port number to its associated protocol name, for example to display port 80 as http. This is useful when an unknown port is encountered during analysis and it is not clear what service it is usually associated with.

  • Recognition of network (lP) addresses. In this mode, an attempt is made to translate a third-level address (for example, 192 .168 .1.50) into a human-readable DNS name, for example, MarketingPC1 .domain, cell. This is useful for finding out the purpose or owner of a system if it has a descriptive name.

  • Use captured DNS packet data to resolve the address. In this mode, data from intercepted DNS packets is analyzed to translate 1P addresses into DNS names.

  • Use the External Network Path Resolver. In this mode, requests to DNS-cepBepy are allowed to be generated by the machine where the packet analysis is performed to convert 1P addresses into DNS names. This is useful if you want to use DNS for name resolution, but the captured traffic being analyzed does not contain matching DNS packets.

  • The maximum number of simultaneous requests. This mode sets a limit on the number of simultaneous concurrent requests waiting to be processed. This mode is set when too much DNS-3anpocoB is generated in intercepted traffic, which can negatively affect network throughput or DNS-cepBeta performance.

  • 0nly use the “hosts” fle. In this mode, the DNS system is limited to only the hosts file associated with the active Wireshark profile. How to use this file will be discussed in the next section.

Changes made in the Preferences window persist after closing and reopening Wireshark. To quickly make changes to the name resolution process without saving them, adjust the name resolution options by selecting the View4Name Resolution command from the main menu. You have the option to enable or disable name translation for physical, transport, and network addresses.

To make file capture more readable, save a lot of time in certain cases, use a variety of name resolvers. For example, DNS name resolution helps you immediately find out the name of the computer that you are trying to identify as the sender of a particular packet.

Potential disadvantages of name translation

Given the advantages of name conversion, its use is considered quite obvious, but it also has a number of potential disadvantages. First of all, network name resolution can fail if there is no appropriate DNS-cepBep to provide the names associated with the 1P address. Name translation information is not stored in the intercept file, so the name translation process must occur each time the file is opened. If you capture packets on one network and then open the packet capture file on another network, your system will not be able to access DNS-cepBepaM from the source network and therefore name resolution will fail.

In addition, name translation incurs additional processing overhead. If you have to deal with a very large intercept file, you may not want to translate the names to save system resources. If you try to open a large capture file and the system cannot cope with the load, or the Wireshark application crashes completely, then canceling the name conversion can help.

Another problem arises when the DNS service is used to resolve network names. In this case, additional packets can be generated that can clog the intercept file with network traffic sent by DNS-cepBepaM for address translation. The matter is further complicated by the fact that if the analyzed intercept file contains malicious IP addresses, attempts to convert them into names can lead to requests to the infrastructure controlled by the attacker and can alert him that his malicious intentions to target this system are known . To reduce the risk of packet sniffing or accidental communication with an attacker, clear the Use external network path resotver check box in the Name Resolution section of the Preferences window.

Using a special hosts

Monitoring traffic from many network sites in large capture files can be quite a chore, especially when name resolution is not available. In this case, manual marking of systems based on their 1P addresses using a special hosts file created for network nodes (or hosts) in Wireshark can help. This is a text file that contains a list of 1P addresses and their corresponding names. The hosts file can be used to assign appropriate names in Wireshark to addresses for quick reference. These names will be displayed in the Package List panel.

To use the hosts file, do the following:

  1. Select the command Edit4Preferences4Name Resolution in the main menu and put a checkmark opposite the item 0nly use the “hosts” profile Those

  2. Create a new file using Notepad in a Windows file or similar text editor. This file should contain one entry per line with the address of 1P and the name to which it is converted (Figure 5.9). The name selected on the right side of each line will appear in the packet list whenever Wireshark encounters the 1P address on the left.

  3. Save the generated file as a plain text file named hosts in the appropriate directory as shown below. Note that the hosts file has no extension!

Open the intercept file and then any 1P addresses from the hosts file should be labeled with the appropriate names as shown in Fig. 5.10. Instead of 1P addresses, more descriptive names will appear in the Source and Destination columns of the Packet List panel.

This use of special hosts files can greatly improve your ability to identify specific network nodes (or hosts) when sniffing packets. If you work as part of a group of network analysts, we recommend that you share a hosts file that contains known resources with colleagues. This will help your team quickly recognize systems with static addresses, including stackers and routers.

Manually initiated name recognition

The Wireshark app also has the ability to temporarily enable name translation on demand. To do this, right-click on a package in the “Package List” panel and select “Edit allowed name” from the context menu. In the window, you can specify a name corresponding to a specific address as a shortcut. Such a conversion will be deferred once the intercept file is closed, although it is a short way to mark the address without making any permanent changes that will have to be reverted later. I use this method a lot because it’s a bit easier than manually editing the hosts file when analyzing each captured packet file.

Deciphering network protocols

One of Wireshark’s greatest strengths is its support for analyzing thousands of network protocols. And this possibility is explained by the fact that Wireshark is an open source application, and therefore serves as a basis for creating protocol decryptors. They provide the ability to recognize and decode various network protocol fields in Wireshark to display the network protocol in the user interface. Wireshark uses multiple decoders to interpret each packet. For example, the ICMP network protocol decoder allows Wireshark to recognize that a 1P packet contains 1CMP data, extract the ICMP protocol type and code, and format its fields for display in the Info column of the Packet List panel.

The decoder can be thought of as an interpreter of the raw data in the Wireshark application. In order for the network protocol to be supported in Wireshark, there must be a separate decoder for it in this application, otherwise you will have to write your own network protocol decoder.

Changing the decoder

Capture file: vrongdissector.pcapng

File interceptors are used in Wireshark in order to do illegal dissecting. RSARPD to detect individual protocols and figure out how to display network information. Unfortunately, Wireshark does not always make the correct choice of decryptor to apply to packets. This is especially true when the network protocol uses a non-standard configuration, including a non-standard port, which is often configured by network administrators for security reasons or by organizational staff trying to bypass access controls.

If the decoders are not correctly applied in Wireshark, their selection may be changed. For example, open a bad sector trace file. RSARPD, which contains a lot of information about communication between two computers using the SSL (Secure Socket Layer) network protocol, which is used for encrypted data exchange between hosts. Under normal circumstances, viewing SSL network traffic in Wireshark will not provide much useful information due to the fact that it is encrypted. But something is definitely wrong here. If you look at the contents of several such packets by clicking on them and examining the contents of the Packet Bytes panel, you can detect network traffic represented by plain text. So, if you analyze package 4, you can find a mention of the FileZilla application for working with the FTF server. And in a number of the following packages, the request and response of both the username and password are clearly shown.

If it were SSL network traffic, you wouldn’t be able to read any of the data contained in the files, and you’d be unlikely to see all the usernames and passwords transmitted in clear text (Figure 5.11). Based on the information provided here, it is safe to assume that this is FTP traffic and not SSL. This traffic, rather in(:its), will be interpreted by Wireshark as referring to SSL, since it uses port 443, as indicated in the Details column. But this is the standard port used in the HTTPS network protocol (ie HTTP over SSL).

To resolve this issue, you can force Wireshark to use the FTP decryptor for analyzed packets by doing the following:

  1. Right-click on your favorite SSL packet (for example, packet 30) in the Protocol column and select Decode As from the context menu to open a new dialog box.

  2. Instruct Wireshark to decode all TCP traffic passing through port 443 as FTP by selecting the TCP port from the list in the Field column, entering the port number 443 in the Value column, and selecting RTR from the list in the Current column, as shown in Figure 1. 5.12.

  3. Click OK to see the changes made to the capture file immediately.

The data will be decoded in the form of FTP traffic, which will make it possible to analyze them on the Packet List panel, especially without going into individual bytes (Fig. 5.13).

The force decryption function can be used multiple times in a single capture file. Force decryptions set in Decode as. will be automatically traced in Wireshark. In this window, you can view and change all forced decryptions created so far.

By default, forced decryptions are not saved when the intercept file is closed. But this situation can be corrected by clicking the button Save in Decode as…. As a result, the budug protocol decoding rules are stored in the current Wireshark user’s profile. They will be used from this profile when opening any intercept file. Saved decryption rules can be deleted by clicking on the minus sign (-) button in this window.

Saved decryption rules can be easily forgotten, which can lead to a lot of confusion for the unprepared, so handle decryption rules with care. To protect yourself from such an error, it is not recommended to save forced decryptions in the main Wireshark user profile.

Viewing the source code of decryptors

The beauty of working in an open source application is that if there are any misunderstandings, you can always look at the source code and find out the reason. And this is especially useful when trying to find out the reasons why a particular protocol is interpreted incorrectly. After all, it is enough to analyze the source code of the corresponding decoder.

You can view and analyze the source code of the network protocol decoders directly from the Wireshark website by clicking the DeveIop link and then the View Code link. This link will take you to the Wireshark source code repository, where you can view the release code for the latest Wireshark versions. In particular, the source files for network protocol dissectors are located in the epan/dissectors directory, where each dissector’s source file is identified by the protocol name> . c.

These moput source files are quite complex, but they all follow a general pattern and are provided with fairly detailed comments. It is not necessary to have C programming experience to understand how each decoder works. If you want to thoroughly understand what is displayed in Wireshark, it is recommended to start viewing and analyzing with decoders of the simplest network protocols.

Flow tracking

Capture file: http_google.pcapng

Eliminates the need to review data sent from the client to the server in small chunks when switching from one packet to another. With current tracking, the data is sorted for easy viewing.

The following are the types of streams that can be monitored:

A TCP stream. This stream collects data from protocols that use TCP, such as the HTTP and FTP network protocols.

UDP stream. This stream collects data from those protocols that use the UDP protocol, such as the DNS network protocol.

SSL thread. This stream collects data from protocols where it is encrypted. To decrypt network traffic, you must provide the appropriate passwords.

HTTP stream. This thread collects data from the HTTP protocol. This is useful for tracing HTTP data through a TCP stream without fully decoding the payload from the HTTP protocol.

As an example, consider a simple transaction using the NTGR protocol in the http hook file dood1e .rsardpd. To do this, first click on any of the TCP or HTTP packets in this file, then right-click on the selected packet and select FolIow4TCP Stream from the context menu. As a result, a single TCP stream will be obtained and the extract from the dialog box will be opened in a separate window, as shown in Fig. 5.14.

The text displayed in the TCP Stream Follow window is highlighted in two colors: red (a lighter shade of s.erogo in Fig. 5.14) – text indicating the passage of network traffic from the sender to the recipient, and blue (in a darker shade of gray in Fig. 5.14) – text indicating network traffic passing in the reverse direction: from the recipient to the sender. The color is associated with the party that initiated the data exchange. In this example, the client initiated the establishment of a network connection to the web server, due to which its traffic is highlighted in red.

Data exchange in the GSR flow begins with the initial request using the GET method of the root directory (7) on the web server and continues with the server’s response in the form of NTTR/1.1 200 OK about the successful processing of the request. The same scheme is used to exchange data in other streams of intercepted packets, as the client requests individual files and the server sends them back. In this example, you can see that the user is viewing the start page of the Google website. But instead of looking at the packages one by one, you can easily scroll through the package statement. In essence, you see the same as the end user, but only from the inside.

In addition to viewing the output data, this window allows you to search for text, save it to a file, print it, or select ASCII, EBCDIC, hexadecimal, or C-array representation.

SSL Flow Tracing

Tracking TCP and UDP streams requires just a couple of clicks, but viewing SSL streams in a human-readable format requires a number of additional steps. SSL network traffic is encrypted, so you must provide the secret key associated with the server responsible for the encrypted traffic. The method of obtaining such a key depends on the specific server technology, and therefore is beyond the scope of this book. But once you get the secret key, upload it to Wireshark.

By following the steps below.

  1. Access Wireshark’s global preferences by selecting the Edit4Preferences command from the main menu.

  2. Expand the Protocols section in the window, and click on the SSL protocol header, as shown in Fig. 5.15. Click the Edit button next to the RSA keylist label.

  3. Click the plus (+) button.

  4. Provide the required information. These include the 1P address of the server responsible for encryption, the port number, the network protocol, the location of the key file, and the password for this file, if used.

  5. Restart Wireshark.

As a result, you will be able to intercept encrypted network traffic passing between the client and the server. Right-click the HTTPS packet and select Followc>SSL Stream to see an extract of the decrypted packet.

The ability to view packet extracts is one of the most common features of Wireshark’s packet analysis, and you’ll need to use it often to quickly learn what network protocols are being used. In the following chapters of the book, we will look at a number of other scenarios based on viewing excerpts from packages.

Package length

Capture file: download-slow.pcapnq

Capture file The size of a single packet or group of packets can be 10 W. RSARPD has a lot to say about the current state of the web. Under normal circumstances, the maximum frame size on an Ethernet network is 1518 bytes. If you subtract the Ethernet, IP, and TCP headers from this number, you’re left with 1,460 bytes dedicated to carrying the Layer 7 protocol header or data. If you know the minimum packet transmission requirements, you can start by analyzing the distribution of packet lengths in the intercepted traffic to make an educated guess about the composition of the traffic. This is very helpful when trying to understand the composition of large intercept files. To view the distribution of packets by length, Wireshark provides a Packet Lengths dialog box.

Let’s turn to a specific example from the download-slow capture file. pcapng. After opening it, select the Statistics Packet Lengths command from the main menu. As a result, the Packet Lengths dialog box shown in Fig. 5.16.

Pay particular attention to the s.taticess.kimi data line for packets between 1280 and 2559 bytes long. Such large packets usually indicate data transmission, while smaller packets indicate protocol control sequences. At the same time, a considerable share of large packages (66.43%) is observed. Even without looking at the packets in the capture file, it is reasonable to assume that the intercepted traffic contains one or more data transmissions, which may take the form of an NTT P download, an FTP upload, any other network operation that transmits data between hosts.

Most of the remaining packets (33.44%) are between 40 and 79 bytes long. This category usually includes TCP control packets that do not carry useful information. Let’s look at the typical size of protocol headers. For example, an Ethernet header is 14 bytes (plus 4 bytes per cyclic redundancy code CRC), an IP header is at least 20 bytes, and a TCP packet without data or parameters is the same 20 bytes. This means that the length of standard TCP control packets (for example, SYN, ASC, RS’L’ and FIN packets) will be about 54 bytes and is within the limits considered here. Of course, this length will increase if you add IP or TCP settings. The R&D and TCP network protocols are discussed in more detail in Chapters 7 “Network Layer Protocols” and 8 “Transport Layer Protocols” respectively.

Packet length analysis gives a general idea of the large amount of traffic that was intercepted. If there are many large packets in it, it can be safely assumed that a large amount of data is being transmitted over the network. If the length of most packets is short, this means that little data is being transmitted, and it can be assumed that the intercepted traffic consists of network protocol control commands. But these are not rules that should be considered immutable, but only assumptions that help begin a deeper analysis.


Graphs serve as the basis for batch analysis and are one of the best ways to get a definitive view of a data set. Wireshark includes several charting tools to help you better understand the captured data. And above all, these are the possibilities of graphical representation of input-output.

View I/O graphs

Capture files: download-fast.pcapng Download-slov.pcapng, http_espn.pcapng

Such graphs allow you to quickly detect spikes and drops in the communication channel, detect delays in the operation of individual protocols, and compare parallel data streams.

As an example of constructing an input-output graph when downloading a file to a computer from the Internet, let’s turn to the download-fast interception file. pcapng. Open the file, click on any TCP packet to select it, and select Plot Statistics410 from the main menu.

In window 10 Graph, you will see a graphical representation of the flow of data over time. As follows from the example shown in fig. 5.17, in this file download graph, about 500 packets per second are transferred. And this indicator remains constant almost until the end of the graph, where it sharply decreases.

Now let’s look at an example of slower file downloads for comparison. With the current capture file open, open the download-slow.pcapng capture file in another instance of Wireshark. If you plot the I/O for this file download example as described above, you will see a very different picture as shown in Fig. 5.18.

The download considered here occurs at a rate of 15 to 100 packets per second, and this rate is far from constant, and sometimes Duke drops to zero packets per second. This discrepancy can be better seen by placing the I/O graphs of both files side by side, as shown in Fig. 5.19. When comparing the two graphs, pay special attention to the values plotted along the X and Y axes to compare relative values. The scale in both cases is automatically adjusted depending on the number of packets and/or the amount of data transferred, which is the main difference between the compared graphs. For example, slow file downloads range from 0 to 100 packets per second, while fast downloads range from 0 to 700 packets per second.

The options configured at the bottom of the Chart 10 window allow you to apply a number of custom filters that use the same syntax as the display filters, and to choose the colors to display the data from those filters. For example, you can create filters for specific IP addresses and assign them specific colors to see the difference in bandwidth between each device.

Test this feature by opening the http espn .rsardd intercept file that was obtained when visiting the home page of the US cable sports channel ESPN from the device under analysis. In the Conversations window, you will see that the network node with the external IP address 205 .234.218 .129 is the most active. From this it can be concluded that this network site is most likely the main provider of the content that you get when you visit the web page on espn . Hundred. But network nodes at other 1P addresses also participate in the dialogue, most likely because additional content is downloaded from external providers and advertisers. The differences between direct and third-party content delivery can be illustrated using the I/O graph shown in Fig. 5.2.

Both filters applied in this graph are represented by separate lines at the bottom of the graph window 10. In particular, the Tor Talker (Most Active Network Node) filter shows I/O only to the IP address 205 .234 .218 .129 of the main content provider in this case. The magnitude of this I/O is displayed on the graph in black, filling the top of the histogram. And the Everything Else filter shows I/O for all other IP addresses in the capture file except 205 .234 .218 .129. Therefore, it includes all third-party content providers.

The amount of this I/O is displayed on the graph in red (light gray in Figure 5.20), which fills the lower part of the histogram. Note that the units on the Y-axis of this graph have been changed to bytes per second. With these changes, it’s very easy to see the difference in traffic between major and third-party content providers, and to see how much content is coming from a third-party source. You’ll probably find it interesting to repeat this exercise on websites you visit frequently and use this useful strategy to compare I/O levels across different hosts.

Round-trip packet timing

Capture file: download-fast.pcapng

Capture File The Wireshark app also has the ability to quickly downgrade 10ad. RSARPD compiles and reviews round-trip packet times from a given capture file. Round trip time (RTT) is the time required to receive confirmation that a packet has been delivered to its destination. Basically, it is the time required for the packet to reach the recipient and the confirmation of receipt sent back to the sender of the packet. Round-trip time analysis is often performed to identify slowdowns or bottlenecks in data transmission, and any associated delays.

To try this feature on a concrete example, open the down10ad-fast .rsarpd hook file. To view a timeline of packets from this file, first select any TCP packet and then the Statistics c>TCP Stream Graphs4Round Trip Time Graph command from the main menu.

As a result, the graph shown in fig. 5.21

Each point on this graph represents the transmission and acknowledgment time of a packet. By default, these values are sorted by packet sequence numbers. To jump to a package in the Package List panel, simply click on the corresponding point in the diagram.

And only at some points they are in the range from 0.10 to 0.25 s. And despite a considerable number of large values, they mostly indicate a perfectly acceptable time to download a file for transmission and confirmation of reception. Analyzing the round-trip timeline in terms of network bandwidth should reveal large latency values, marked by a set of large-valued points plotted on the Y-axis.

Flow planning

Intercept file: dns _ recursivequery_ server. pcapng

DNS interception recursion — the ability to graph autoquery server flows. RSARPD is useful for visualizing network connections and data flows over time. Such information makes it easier to understand the nature of data exchange between devices on the network. A block diagram consists of bars that indicate communication between hosts, visually representing network traffic for ease of interpretation.

To create a block graph, open the dns recursivequery .rsarpd intercept file and from the main menu select Statistics c>Flow Graph. The resulting graph is shown in fig. 5.22.

This flow diagram illustrates a recursion received by one host and forwarded to another host (for more on the DNS protocol, see Chapter 9, “General High-Level Protocols”). Each vertical line in this graph represents a different host. The block diagram allows you to visualize two-way data exchange between two devices on the network, and in this example, the ratio of data exchange between several devices. Such a graph is also useful for understanding the normal flow of data transmitted over network protocols that are less familiar in your experience.

Information about experts

Capture file: Download-slov.pcapng

Capture file In the decoders of each protocol in Wireshark download-slow.pcapng, expert information is defined that warns about specific states in the packets of this protocol.

These states are divided into the following categories:

  1. Chat. Understanding communication.

  2. Note. Unusual packets that may be part of a normal data exchange.

  3. Warning. Unusual packets that are most likely not part of normal communication.

  4. Error. There is an error in the package or the decoder that interprets it.

As an example, open the slow capture file .rsarpd and select Analyze c>Expert lnformation from the main menu to open the lnformation Exper1 window. In this window, set the Group by summary check box to organize the output of expert information by the degree of its importance (Fig. 5.23).

This window has sections for each category of expert information. In this case, errors are rejected, warnings 3,19 messages and dialogs with text 3 appear.

Most of the messages in this intercept file refer to the TCP network protocol simply because this protocol is traditionally used by an expert information system. At the same time, this window displays 29 messages with expert information configured for the TCP protocol, which can be useful for diagnosing intercept files. These messages flag individual packages if they meet certain criteria as outlined below. (This means that such messages will become more understandable when you study the TCP network protocol in Chapter 8, “Transport Layer Protocols,” and diagnosing slow networks in Chapter 1, “Measures to Combat a Slow Network.”)

  • Text dialog message. A “Window Update” message sent by the receiver to notify the sender of a change in the receive window size in the TSR protocol.

  • Message with messages. TSR Retransmission message sent due to packet loss. It appears when a duplicate acknowledgment of receipt of a packet has been received or a packet retransmission timer has been triggered. The message “Duplicate АСК” (Duplicate confirmation), which is sent if the host does not receive a packet with the expected next sequence number and forms a duplicate confirmation of the last received data. A “Zero Window Probe” message sent as part of the ongoing monitoring of the receive window status in the TSR protocol after a zero-window packet has been transmitted, as explained in Section 11, “Measures to Combat Slow Networks”. The message “Keier Ali ve АСК” (Confirmation of connection activity), which is sent in response to support packets for an active connection. “Zero Window Probe АСК” message (Confirmation of Zero Window Probe), which is sent in response to packets with a zero window probe. The “Window Is Full” message is sent to notify the receiving side that the receive window is full in the TSR protocol.

  • Warning messages. The “Previous Segment Lost” message is sent if a packet with the expected sequence number in the data stream is missed. The message “ACKed Lost Packet” (Acknowledgment of the loss of the packet), which is sent in the event that a lek acknowledgment packet is detected, but not the packet that it acknowledges. “Keep Alive” message sent when a keep-alive packet is detected. A “Zero Window” message is sent when the TCP receive window size has been reached and a zero window message has been sent, asking the sender to stop data transmission. The message “Out-of-Order” (Violation of routing order), which is sent in the event that, based on the sequence numbers, it is found that packets are not sent according to the order of routing of their numbers. The “Fast Retransmission” message is sent if the retransmission of the packet occurs within 20 ms after receiving the duplicate confirmation.

  • Error messages. The message “No Error Messages” (There are no error messages).

At first glance, some of the Wireshark features discussed in this section may seem like they are only suitable for special, obscure situations, but in reality, you will find yourself using them more often than you might expect. It is very important to familiarize yourself with the functions and windows that are available here, because you will have to refer to them more than once in a number of subsequent chapters.

We used materials from the book “PRACTICAL RACKET ANALYSIS” written by Chris Sanders.

Found an error?
If you find an error, take a screenshot and send it to the bot.