Network Packet Analysis with Wireshark
DESCRIPTION
Presented at the ISA Safety & Security Symposium 2012, Anaheim, CA, April 2012.

Wireshark is the de facto network packet analysis tool used in industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It is not just for IT-based protocols either: packet decoders (dissectors) for many industrial protocols have been contributed to Wireshark. This tutorial will provide the user with:
* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some more advanced features available in Wireshark
TRANSCRIPT
Network Packet Analysis with Wireshark
Jim Gilsinn, National Institute of Standards & Technology
Engineering Laboratory
Jim Gilsinn - Bio
• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
– Co-Chair and General Editor, ISA99 Committee
– Co-Chair, ISA99 WG2, Security Program
– Co-Chair, ISA99 WG7, Safety & Security
• Factory Equipment Network Testing Framework
– Co-Investigator & Main Developer, FENT software
– Extension of previous IENetP project
• Education
– MSEE in Controls from Johns Hopkins University
– BSEE in Controls from Drexel University
What is Wireshark?
• The De Facto Network Protocol Analyzer
– Open-source (GNU General Public License)
– Multi-platform
– Easily extensible
– Large development group
• Allows Users to…
– Capture network traffic
– Interactively browse that traffic
– Decode packet protocols using dissectors
• Previously Named “Ethereal”
What is Wireshark?
• Development Version (as of last night @ 11:30pm)
– 1,300+ Protocols
– 112,600+ Protocol Header Fields
• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
– BACnet
– EtherNet/IP & CIP, CIP Safety, CIP Motion
– DNP 3.0
– EtherCAT
– Foundation Fieldbus
– IEC 61850 & GOOSE
– Modbus & Modbus/TCP
– openSAFETY
– Profinet
– SERCOS III
– TTEthernet
– Zigbee
Network Layering
• Network Protocols Generally Have Some Header
– Who sent the information
– Who needs the information
– Information about the payload
– Other protocol-specific information
• Headers Can Be a Significant Part of a Packet
– Ethernet + IP + UDP: minimum 42 bytes of header (14 + 20 + 8)
– Minimum Ethernet frame is 64 bytes (including the 4-byte FCS), so on a minimum-size frame the headers are about 65% of the bytes on the wire
– Many industrial Ethernet protocols only transmit a few bytes of data in real time

Layering diagram (reconstructed from the slide), outermost layer first:
– Ethernet Header (14 bytes) + Ethernet Payload
– Ethernet Payload = IP Header (20 bytes, no options) + IP Payload
– IP Payload = UDP/TCP Header (8 bytes UDP / 20+ bytes TCP) + TCP/UDP Payload
– TCP/UDP Payload = Protocol Header (?? bytes) + Data
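The header arithmetic above, worked on real bytes: this is an added example for this page, not code from the talk or from Wireshark. It builds a minimum-size Ethernet/IPv4/UDP frame around a 4-byte payload, parses it back one layer at a time the way dissectors hand off to each other (EtherType selects IPv4, IP protocol selects UDP), verifies the IPv4 header checksum, reports how much of the wire is header, and writes a pcap file you can open in Wireshark to see the same layers in the packet decoder window. The MAC addresses, IP addresses, ports and payload are constructed for the example.

```python
"""Minimum-size Ethernet/IPv4/UDP frame: build it, parse it layer by layer, save it as pcap.

Added example for this page, not code from the talk or from Wireshark.
All addresses, ports and the 4-byte payload are made up.
"""
import os
import struct
import tempfile

ETH_HDR_LEN = 14       # dst MAC, src MAC, EtherType
IP_HDR_LEN = 20        # IPv4 header without options
UDP_HDR_LEN = 8
MIN_FRAME_NO_FCS = 60  # 64-byte Ethernet minimum minus the 4-byte FCS the NIC strips
FCS_LEN = 4


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header whose checksum field is
    already correct this returns 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(payload: bytes, src_ip: str = "192.0.2.10", dst_ip: str = "192.0.2.20",
                sport: int = 40000, dport: int = 2222) -> bytes:
    """Wrap `payload` in UDP, IPv4 and Ethernet II headers, padding to the Ethernet minimum."""
    dst_mac = bytes.fromhex("020000000002")   # locally administered addresses, made up
    src_mac = bytes.fromhex("020000000001")
    udp_len = UDP_HDR_LEN + len(payload)
    # UDP checksum 0 means "not computed", which is legal over IPv4
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR_LEN + udp_len,   # version 4, IHL 5, DSCP/ECN, total length
                     0x1234, 0x4000,                  # identification, DF flag, fragment offset 0
                     64, 17, 0,                       # TTL, protocol 17 = UDP, checksum placeholder
                     _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp
    return frame.ljust(MIN_FRAME_NO_FCS, b"\x00")   # short frames are padded on the wire


def parse_frame(frame: bytes) -> dict:
    """Walk the layers: each header identifies the next (EtherType -> IPv4, IP protocol -> UDP)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IP_HDR_LEN:
        raise ValueError("bad IPv4 version/IHL")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 17:
        raise ValueError("not UDP: IP protocol %d" % proto)
    udp = ip[ihl:total_len]           # total_len excludes the Ethernet padding
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:UDP_HDR_LEN])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport,
        "payload": udp[UDP_HDR_LEN:udp_len],
        "header_bytes": ETH_HDR_LEN + ihl + UDP_HDR_LEN,
        "wire_bytes": len(frame) + FCS_LEN,
    }


def header_overhead(info: dict) -> float:
    """Fraction of the bytes on the wire that are Ethernet/IP/UDP header."""
    return info["header_bytes"] / info["wire_bytes"]


def write_pcap(path: str, frames) -> None:
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1), then one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_000_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    frame = build_frame(b"\x01\x02\x03\x04")            # a 4-byte "real-time" payload
    info = parse_frame(frame)
    print("%d header bytes of %d on the wire = %.0f%%"
          % (info["header_bytes"], info["wire_bytes"], 100 * header_overhead(info)))
    path = os.path.join(tempfile.gettempdir(), "layering_demo.pcap")
    write_pcap(path, [frame])
    print("wrote", path, "- open it in Wireshark")
```

Open the written file in Wireshark and compare the "Frame" length (60 bytes captured) with the IP total length (32): the difference is the padding the Ethernet layer added, which is exactly why Wireshark trims the payload using the IP header's length field rather than the frame length.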
Wireshark Welcome Screen (screenshot slide)
Wireshark Packet Analysis Window (screenshot slide)
Wireshark Packet Analysis Demo
• Packet Decoder Window
• Layering
• Bytes on Wire
• Protocol Filters
– Capture Filters
– Display Filters
Wireshark Capture & Exporting Demo
• Capturing Live Traffic
• Saving Packet Capture Files
• Exporting Packet Capture Files
• Marking Sections of Captures
Advanced Features of Wireshark GUI
• Statistics
– Conversations
– Endpoints
– IO Graphs
– Flow Graphs
• Firewall ACL Rules
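What the Conversations and Endpoints statistics actually tabulate, and how a firewall rule falls out of one row of them: an added example for this page, not code from the talk and not Wireshark's own implementation. It runs over a constructed packet list (two Modbus/TCP polls with replies, a DNS lookup, and two unanswered SYNs to SSH from outside the cell), builds the direction-insensitive conversation table and the per-address endpoint table, flags conversations that only ever flow one way, and emits a Netfilter (iptables) rule in the spirit of Tools > Firewall ACL Rules. All addresses, ports and frame lengths are made up, and the rule text is this example's own format.

```python
"""Conversation and endpoint statistics, and a firewall rule derived from one conversation.

Added example for this page; not the talk's code and not Wireshark's
implementation. Addresses, ports and lengths are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    length: int   # bytes on the wire


# Constructed sample: two Modbus/TCP polls with replies, one DNS lookup,
# and two unanswered SYNs to SSH from an address outside the cell.
PACKETS: List[Packet] = [
    Packet("192.0.2.10", "192.0.2.20", "tcp", 50000, 502, 66),
    Packet("192.0.2.20", "192.0.2.10", "tcp", 502, 50000, 66),
    Packet("192.0.2.10", "192.0.2.20", "tcp", 50000, 502, 66),
    Packet("192.0.2.20", "192.0.2.10", "tcp", 502, 50000, 71),
    Packet("192.0.2.10", "192.0.2.1", "udp", 53001, 53, 74),
    Packet("192.0.2.1", "192.0.2.10", "udp", 53, 53001, 90),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 41234, 22, 74),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 41234, 22, 74),
]

Endpoint = Tuple[str, int]                    # (address, port)
ConvKey = Tuple[str, Endpoint, Endpoint]      # (proto, A, B) with A < B


def conversations(packets: List[Packet]) -> Dict[ConvKey, dict]:
    """One row per (proto, address:port pair), both directions merged, like the Conversations tab."""
    rows: Dict[ConvKey, dict] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for p in packets:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        a, b = min(a, b), max(a, b)           # canonical order so both directions share a row
        row = rows[(p.proto, a, b)]
        row["packets"] += 1
        row["bytes"] += p.length
        row["a_to_b" if (p.src, p.sport) == a else "b_to_a"] += 1
    return dict(rows)


def endpoints(packets: List[Packet]) -> Dict[str, dict]:
    """Per-address transmit/receive totals, like the IPv4 view of the Endpoints tab."""
    rows: Dict[str, dict] = defaultdict(
        lambda: {"tx_packets": 0, "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for p in packets:
        rows[p.src]["tx_packets"] += 1
        rows[p.src]["tx_bytes"] += p.length
        rows[p.dst]["rx_packets"] += 1
        rows[p.dst]["rx_bytes"] += p.length
    return dict(rows)


def one_way(convs: Dict[ConvKey, dict]) -> List[ConvKey]:
    """Conversations with no reply at all: a scan, a probe, or a dead device, all worth a look."""
    return [k for k, r in convs.items() if r["a_to_b"] == 0 or r["b_to_a"] == 0]


def netfilter_rule(proto: str, src_ip: str, dst_port: int, action: str = "DROP") -> str:
    """Block one source address to one destination port (hypothetical rule format)."""
    return f"iptables -I INPUT -p {proto} -s {src_ip}/32 --dport {dst_port} -j {action}"


def rules_for_one_way(packets: List[Packet]) -> List[str]:
    """For each unanswered conversation, block the side that sent the packets."""
    convs = conversations(packets)
    out = []
    for proto, a, b in one_way(convs):
        sender, target = (a, b) if convs[(proto, a, b)]["a_to_b"] else (b, a)
        out.append(netfilter_rule(proto, sender[0], target[1]))
    return out


if __name__ == "__main__":
    for key, row in conversations(PACKETS).items():
        print(key, row)
    for addr, row in endpoints(PACKETS).items():
        print(addr, row)
    print("\n".join(rules_for_one_way(PACKETS)))
```

The one-way check is the point of looking at the Conversations tab on a control network: a polling cycle shows traffic in both directions with roughly equal packet counts, while a scan or a misconfigured client shows up as a row whose reply column stays at zero.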
Using & Interfacing With Wireshark
• Wireshark Is Licensed Strictly Under the GNU General Public License
– Any derived work that incorporates Wireshark code and is distributed SHALL be released under the GPL (open source)
• You Can Use Wireshark Hands-Off, Though
– Network socket interface: rudimentary control
– TShark (tshark.exe on Windows): most features available through the command-line interface
Developing Your Own Protocol Dissectors
• Not Every Protocol Exists in Wireshark
– When you need a protocol that doesn't exist, you can relatively easily build your own dissector
• Not Every Protocol Dissector Has Full Coverage
– Open-source software allows anyone to modify the code
– Protocols generally change over time
– The original dissector developer may no longer be around to maintain it
• Bugs Can Exist in Dissectors
– Code almost always has bugs
For More Information…
• Wireshark Website
– http://www.wireshark.org
• Wireshark Documentation
– http://www.wireshark.org/docs/
• Wireshark Wiki
– http://wiki.wireshark.org