Analyse Linux networks through the ethereal world of Wireshark
by David M Williams
Monday, 29 October 2007
Wireshark’s GUI is dead simple, with a three-pane window similar to most all products of its ilk. The upper pane displays summary details giving a quick handle on what’s going on; this includes the time and source and destination addresses of packets as well as the name of the highest-layer protocol encoded within it. The bottom pane displays raw packet data in hexadecimal and ASCII formats.

The middle pane provides far more details on the protocol of any specific packet selected. Each layer in the network hierarchy is shown, in a tree-like structure. Clicking on parts of this protocol tree highlights the corresponding bytes in the bottom window; this can aid with understanding the structure of data packets.

One of Wireshark’s most outstanding features is its facility to reassemble all the packets that make up a network “conversation” and display the data in an easily-digested format. This is where Wireshark comes into its own over an ordinary network sniffer. Using this feature, the software finds every packet that belongs to the conversation you’re tracking, which makes it an absolute doddle to reconstruct an entire SMTP session, a web browsing session, or any other session of a specific protocol or application by a specific user.

Similarly, Wireshark allows you to filter packets to reduce the amount of on-screen data. You may filter by any combination of a suite of fields, including the source or destination IP address, the protocol type, or even low-level items such as the TCP/IP flag settings in a packet, whether the packet carries an error condition, and many other such things. Once a criterion has been set, Wireshark hides the packets which don’t meet it.
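To make the conversation reassembly and field filtering described above concrete, here is an added example (not code from the article or from the Wireshark project) that decodes constructed Ethernet/IPv4/TCP frames into Wireshark-style field names, applies a display filter to them, and reassembles one direction of a TCP stream by sequence number; the frames, addresses and SMTP text are all made up for the example, and checksums are left zero.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, seq, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Decode the layers Wireshark's middle pane shows: Ethernet -> IPv4 -> TCP."""
    if frame[12:14] != b"\x08\x00":
        return None                                       # not IPv4; ignore
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"ip.src": ".".join(map(str, frame[26:30])),
           "ip.dst": ".".join(map(str, frame[30:34])), "ip.proto": frame[23]}
    if pkt["ip.proto"] != 6:
        return pkt                                        # not TCP: stop at the IP layer
    t = 14 + ihl
    sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                "tcp.flags.syn": bool(flags & 0x02), "tcp.payload": frame[t + (off >> 4) * 4:]})
    return pkt

def display_filter(packets, **criteria):
    """Keep packets matching every criterion, e.g. ip.src=... or tcp.flags.syn=True."""
    return [p for p in packets if all(p.get(k) == v for k, v in criteria.items())]

def follow_stream(packets, src, dst, sport, dport):
    """Reassemble one direction of a conversation in sequence order (Follow TCP Stream)."""
    segs = display_filter(packets, **{"ip.src": src, "ip.dst": dst,
                                      "tcp.srcport": sport, "tcp.dstport": dport})
    return b"".join(p["tcp.payload"] for p in sorted(segs, key=lambda p: p["tcp.seq"]))

# Constructed capture: an SMTP client (10.0.0.5) talking to 10.0.0.25, with its data
# segments captured out of order, plus an unrelated HTTP packet from another host.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.25", 40000, 25, 100, 0x02, b""),                 # SYN
    build_frame("10.0.0.5", "10.0.0.25", 40000, 25, 127, 0x18, b"MAIL FROM:<a@example.test>\r\n"),
    build_frame("10.0.0.5", "10.0.0.25", 40000, 25, 101, 0x18, b"EHLO client.example.test\r\n"),
    build_frame("10.0.0.9", "10.0.0.80", 40001, 80, 500, 0x18, b"GET / HTTP/1.0\r\n"),
]
PACKETS = [p for p in map(parse_frame, CAPTURE) if p]

if __name__ == "__main__":
    hits = display_filter(PACKETS, **{"ip.src": "10.0.0.5", "tcp.dstport": 25})
    print(len(hits), "packets match ip.src == 10.0.0.5 && tcp.dstport == 25")
    print(follow_stream(PACKETS, "10.0.0.5", "10.0.0.25", 40000, 25).decode())
```

Real captures come from libpcap as described below rather than from hand-built frames, and Wireshark's own reassembly also handles retransmissions, gaps and both directions of the stream.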

To install Wireshark, you will first require a packet capture driver. This is a software component that gives straight, unfettered access to the raw network data itself, without any interference from the protocol stacks which turn this raw data into the more meaningful sockets and higher-level data structures ordinarily used by application programs when they perform network communication. Additionally, a packet capture driver can capture all data on a network segment, irrespective of the intended receiver. It is thanks to this component that software like Wireshark – or tcpdump or snort or nmap or anything else – can passively monitor a network.

For Linux systems, the best-known and most widely used packet capture driver is libpcap, which is maintained as part of the tcpdump project. Fortunately, libpcap is almost certain to be installed as part of any distro. Even if it is not, a package manager like yum will install libpcap as a necessary dependency when installing Wireshark.