Wireshark & SPAN lab
Tom Cordemans
VIVES University College (Cisco Networking Academy)
tom.cordemans@vives.be
Source: honim.typepad.com/files/tom-cordemans-biasc-lab-day-.pdf
• Introduction to Wireshark
• SPAN overview
Introduction to Wireshark
What is Wireshark?
Wireshark is a free and open source packet sniffer and protocol analyzer.
Wireshark is like an X‐ray machine. It gives you a look at what's going on inside (the network), but you need to develop the skills to interpret what you see and know what to look for.
Anders Broman, Wireshark Core Developer and System Tester, Ericsson
Wireshark dissectors
Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.
Important settings!
- Disable IP, UDP and TCP checksum validation (preference keys ip.check_checksum, udp.check_checksum, tcp.check_checksum). With checksum offload the frames sent by the capturing host reach the capture driver before the NIC has filled in the checksum, so every outgoing packet is flagged as "bad checksum", and Wireshark will not reassemble TCP segments whose checksum is bad.
- Enable TCP "Calculate conversation timestamps" (tcp.calculate_timestamps): adds per-stream timing fields such as tcp.time_delta.
- Enable TCP "Track number of bytes in flight" (tcp.track_bytes_in_flight): needed to follow window and bytes-in-flight behaviour of a connection.
- Disable TCP "Allow subdissector to reassemble TCP streams" (tcp.desegment_tcp_streams): every segment is then shown as it was seen on the wire instead of being folded into one reassembled PDU, which is what you want when hunting retransmissions and latency; turn it back on when you need the application-layer payload reassembled.
Where to capture?
Always as close as possible to the problem or the complainer.
How to capture?
Method 1: (diagram only in the original slides)
Method 2: (diagram only in the original slides)
Method 3: (diagram only in the original slides)
Method 4: (diagram only in the original slides)
How to capture without being found? (diagram only in the original slides)
Capture filters versus display filters
Capture filters are applied to incoming traffic before it reaches the capture buffer. They use BPF syntax (for example "host 10.0.0.5 and tcp port 443"); packets they reject are never written to the trace, so they reduce load and file size but cannot be undone afterwards.
Display filters are applied to the traffic already in the trace buffer, using Wireshark's own field syntax (for example ip.addr == 10.0.0.5 && tcp.port == 443), so you can view specific types of packets as a subset of the buffer without losing the rest.
Capture a trunk link. (three diagram slides in the original)
Capture a trunk link. Reason? Microsoft! Many Windows NIC drivers strip the 802.1Q tag (or drop tagged frames entirely) before the capture driver sees the frame, so a trunk capture on a Windows host shows untagged traffic and the VLAN membership is lost unless the driver is told to keep the tag. The driver settings are documented at:
https://wiki.wireshark.org/CaptureSetup/VLAN
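The dissector hand-off described under "Wireshark dissectors" and the stripped-VLAN-tag problem above, as an added Python example written for this page (not code from the slides or from Wireshark): each dissector decodes only its own header and then looks up the next dissector by the ethertype, IP protocol number or TCP port it just found, the way Wireshark chains Ethernet to 802.1Q to IPv4 to TCP to HTTP. strip_vlan_tag() plays the role of a NIC driver that discards the 802.1Q tag before the capture driver sees the frame; the dissection then shows no VLAN layer at all, which is what a trunk capture on such a host looks like. The frame, its MAC and IP addresses and the dissector registries are constructed for the example.

```python
"""Dissector chain in the style of Wireshark: each dissector decodes its own header
and hands the rest to the next one by protocol number. Added example, not Wireshark code."""
import struct

ETHERTYPE_DISSECTORS = {}   # ethertype -> dissector
IP_PROTO_DISSECTORS = {}    # IP protocol number -> dissector
TCP_PORT_DISSECTORS = {}    # TCP port -> dissector


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; a header with a correct checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hand_off(registry, key, rest, layers):
    """The hand-off step: pick the next dissector by key, or leave the rest as data."""
    nxt = registry.get(key)
    if nxt is None:
        layers.append({"proto": "data", "len": len(rest)})
    else:
        nxt(rest, layers)


def dissect_ethernet(frame, layers=None):
    layers = [] if layers is None else layers
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers.append({"proto": "eth", "dst": mac(dst), "src": mac(src), "type": ethertype})
    hand_off(ETHERTYPE_DISSECTORS, ethertype, frame[14:], layers)
    return layers


def dissect_vlan(data, layers):
    tci, ethertype = struct.unpack("!HH", data[:4])
    layers.append({"proto": "vlan", "pcp": tci >> 13, "vid": tci & 0x0FFF, "type": ethertype})
    hand_off(ETHERTYPE_DISSECTORS, ethertype, data[4:], layers)   # back into the same table


def dissect_ipv4(data, layers):
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    layers.append({"proto": "ipv4",
                   "src": ".".join(map(str, data[12:16])),
                   "dst": ".".join(map(str, data[16:20])),
                   "checksum_ok": ip_checksum(data[:ihl]) == 0})
    hand_off(IP_PROTO_DISSECTORS, data[9], data[ihl:total_len], layers)


def dissect_tcp(data, layers):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    doff = (off_flags >> 12) * 4
    layers.append({"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                   "flags": off_flags & 0x1FF})
    # Port-based selection, the default heuristic Wireshark also uses.
    port = dport if dport in TCP_PORT_DISSECTORS else sport
    hand_off(TCP_PORT_DISSECTORS, port, data[doff:], layers)


def dissect_http(payload, layers):
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    layers.append({"proto": "http", "request_line": line})


ETHERTYPE_DISSECTORS.update({0x8100: dissect_vlan, 0x0800: dissect_ipv4})
IP_PROTO_DISSECTORS[6] = dissect_tcp
TCP_PORT_DISSECTORS[80] = dissect_http


def build_sample_frame(vlan_id=10):
    """Constructed 802.1Q-tagged HTTP request (addresses made up), not a real capture."""
    payload = b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 51514, 80, 1, 1, (5 << 12) | 0x018, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HHH", 0x8100, vlan_id & 0x0FFF, 0x0800)
    return eth + tag + ip + tcp + payload


def strip_vlan_tag(frame):
    """What a NIC driver that discards 802.1Q tags does to the frame before the
    capture driver sees it: the VLAN layer disappears from the dissection."""
    if struct.unpack("!H", frame[12:14])[0] == 0x8100:
        return frame[:12] + frame[16:]
    return frame


if __name__ == "__main__":
    for layer in dissect_ethernet(build_sample_frame()):
        print(layer)
    stripped = dissect_ethernet(strip_vlan_tag(build_sample_frame()))
    print("after tag stripping:", [l["proto"] for l in stripped])
```

Running the block prints the five layers of the tagged frame and then the four that survive tag stripping. The checksum_ok field is computed but not acted on; a capture taken on the sending host with checksum offload enabled would show it as False for every outgoing packet, which is the reason the settings slide says to turn checksum validation off.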
SPAN Overview
SPAN = Switch Port Analyzer: the switch copies the traffic of one or more source ports (or VLANs) to a destination port where the capturing host is attached.
SPAN terminology (diagram only in the original slides)
There are three important things to consider when configuring SPAN:
1) The destination port cannot be a source port, and the source port cannot be a destination port.
2) The number of destination ports is platform-dependent. Some platforms allow for more than one destination port.
3) The destination port is no longer a normal switch port. Only the mirrored traffic is sent out of it, and by default the switch does not accept ingress traffic on it, so the capturing host cannot use that port for its own network access.
RSPAN = Remote SPAN: the mirrored traffic is carried in a dedicated RSPAN VLAN across trunk links, so the destination port can sit on a different switch than the source.
RSPAN terminology (diagram only in the original slides)
Basic configuration of SPAN (diagram only in the original slides)
Attention!
The port speed of the destination should be at least twice the port speed of the source. Why? Both the ingress and the egress traffic of the source are copied into the single transmit direction of the destination, so a busy full-duplex 1 Gbit/s source produces up to 2 Gbit/s of mirrored traffic; whatever exceeds the destination's line rate is dropped, and the missing packets then look like loss in Wireshark.
Capturing a trunk port? Add encapsulation replicate, otherwise the destination sends the mirrored frames untagged and the VLAN IDs are lost:
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/2 encapsulation replicate
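The three SPAN rules and the oversubscription warning above, as an added Python audit script written for this page (not from the slides or from Cisco): it parses the monitor session lines of a running-config and flags a port that is both source and destination, more destinations than the platform allows, a destination slower than the mirrored traffic it has to carry, and a trunk source mirrored without encapsulation replicate. The config excerpt, the port speed table and the trunk port list are constructed; run over a real config, the same check also surfaces SPAN sessions nobody configured on purpose, which is worth knowing because a SPAN session is also how an intruder with switch access sniffs a segment.

```python
"""Audit Cisco IOS 'monitor session' lines against the SPAN rules from the slides.
Added example; the config, port speeds and trunk list are constructed."""
import re

# Constructed per-switch facts (assumption: taken from 'show interfaces').
PORT_SPEED_MBPS = {"Gi0/1": 1000, "Gi0/2": 1000, "Gi0/3": 1000, "Te0/1": 10000}
TRUNK_PORTS = {"Gi0/1"}

# Constructed running-config excerpt: session 1 is sane, session 2 breaks the rules.
SAMPLE_CONFIG = """\
!
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Te0/1 encapsulation replicate
monitor session 2 source interface Gi0/1
monitor session 2 source interface Gi0/3 rx
monitor session 2 destination interface Gi0/3
!
"""

# Single-interface form only; ranges such as 'Gi0/1 - 4' are not parsed here.
MONITOR_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<role>source|destination) interface "
    r"(?P<iface>\S+)(?: (?P<dir>both|rx|tx))?(?P<rest>.*)$"
)


def parse_sessions(config_text):
    """Map session id -> {'sources': {iface: direction}, 'destinations': [iface],
    'replicate': bool}. Lines that are not monitor session lines are ignored."""
    sessions = {}
    for line in config_text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(int(m["id"]),
                                {"sources": {}, "destinations": [], "replicate": False})
        if m["role"] == "source":
            s["sources"][m["iface"]] = m["dir"] or "both"   # IOS default is both
        else:
            s["destinations"].append(m["iface"])
            if "encapsulation replicate" in m["rest"]:
                s["replicate"] = True
    return sessions


def check_session(sid, s, max_destinations=1, speeds=PORT_SPEED_MBPS, trunks=TRUNK_PORTS):
    """Return the findings for one session (empty list = nothing wrong)."""
    findings = []
    # Rule 1: a port is either a source or a destination, never both.
    overlap = sorted(set(s["sources"]) & set(s["destinations"]))
    if overlap:
        findings.append(f"session {sid}: {overlap} used as both source and destination")
    # Rule 2: the destination count is platform-dependent; 1 is the conservative default.
    if len(s["destinations"]) > max_destinations:
        findings.append(f"session {sid}: {len(s['destinations'])} destinations, "
                        f"platform allows {max_destinations}")
    if not s["destinations"]:
        findings.append(f"session {sid}: no destination port, nothing is mirrored")
    # Oversubscription: rx and tx of every source land on the single tx side of the
    # destination, so a full-duplex source needs twice its own speed there.
    required = sum(speeds.get(i, 0) * (2 if d == "both" else 1)
                   for i, d in s["sources"].items())
    for dst in s["destinations"]:
        if dst in speeds and speeds[dst] < required:
            findings.append(f"session {sid}: destination {dst} ({speeds[dst]} Mbit/s) "
                            f"cannot carry {required} Mbit/s of mirrored traffic; expect drops")
    # Trunk source without 'encapsulation replicate': the 802.1Q tags are not preserved.
    if any(i in trunks for i in s["sources"]) and not s["replicate"]:
        findings.append(f"session {sid}: trunk source mirrored without encapsulation "
                        "replicate, VLAN tags will be missing in the capture")
    return findings


def audit(config_text, **kwargs):
    """Session id -> findings for every monitor session in the config."""
    return {sid: check_session(sid, s, **kwargs)
            for sid, s in parse_sessions(config_text).items()}


if __name__ == "__main__":
    for sid, findings in audit(SAMPLE_CONFIG).items():
        print(f"session {sid}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

max_destinations is a parameter because rule 2 depends on the platform; pass the limit for the switch model you are auditing instead of the default of one.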
Labs delivered by Cisco NetAcad
4.8.2.2 Lab - Implement Local SPAN
4.8.3.2 Lab - Troubleshoot LAN Traffic Using SPAN
Today's lab