WireShark: The Packet Analyzer Formally Known as Ethereal

WireShark: The Packet Analyzer Formally Known as Ethereal

**This blog was originally published on October 13th, 2007. It was published on TypePad and can be found here.

6a00d8341c815953ef00e550085ed78834-250si.jpeg **


I have had a lot of luck introducing WireShark (formally known as Ethereal) when introducing the transport layer of the TCP/IP network stack.

I have all my students download WireShark, install it and start up a capture. I have them do a DNS lookup by hand. nslookup google.com

I have the students surf to Google using the Google IP that they found, and then stop their capturing.

I then ask them to filter out just their google.com traffic with a host 72.14.207.99

The students are able to see the entire TCP/IP + HTTP exchange with the Google web servers. The first time I saw this I thought that this was incredibly cool, but this semester they didn't seem too impressed.

I ask them to investigate the protocol exchange, and then I call their attention to:

The TCP three-way handshake. SYN packet from their computer (source IP address is their computer) SYN + ACK packet from google (source IP address not their computer, but destination IP is) ACK packet from their computer (source is one again their IP) The initial HTTP get message GET / HTTP/1.1 The HTTP packets and their payloads. I show them the HTML coming into their computers as packets of text. I point this out in WireShark's bottom hex window. To reinforce this concept I then have them startup Ethereal...I mean WireShark again, and I then have them telnet into google's web server and interact with the web server by hand. I have my students:

Open up telnet by Pressing windows button + r to open up the run window Typing in cmd then return Once in the dos prompt they type telnet 72.14.207.99 80 Once connected to google, I have them type in GET / This results in google sending back an HTTP 400 message. A URL format not supported message. I use this as an example of a bad HTTP request. I then have the students filter on the google IP address, and look at the packet results of this second telnet based HTTP interchange. To elaborate on this point, I talk about the FTP protocol. I tell them that it is a very old protocol, and was often used for transferring files to and from a remote server. Hence the File Transfer Protocol name. I startup Ethereal...I mean WireShark on my laptop, which is hooked up to the classroom projector, and I initiate a connection with the Bentley Web server web.bentley.edu via FTP. I supply my login username and password. I cd to my remote directory on the server and GET and PUT a couple of files.

I disconnect, and then tell them about how insecure FTP is. I tell them that the username and password I supplied are sent in "clear text". I tell them that my user name and password, are the same user name and password that I use to check my e-mail at Bentley, administrate my classes and grade my students. I tell them that most of the students and teachers connect to the Bentley network via Wireless, and if someone were to "sniff" (just like how we had been doing with wireshark) the wireless network, they would be able to get teacher's, dean's even the president's network password. They reacted very strongly to this. They thought it was very interesting and cool. I find that my networking students are very interested in "hacking" and react quite strongly to security issues. I have found that "hacking" at least as a concept is a very good way to catch their interest.

I then repeated my steps, but I startup another WireShark session and I filter the packet flow with:

host web.bentley.edu and ftp

I call my student's attention to FTP's use of the TCP three-way handshake. And I then demonstrate the FTP protocol's USER and PASS syntax and the resulting "clear text" user name and password.

The final thing I do is telnet into an e-mail server and send an e-mail via issuing commands on the telnet command line. The commands are as follows:

Open up a telnet session with the ben.bfit.edu email server telnet ben.bfit.edu 25 Issue the SMTP Hello Message HELO ben.bfit.edu Specify the mail from address MAIL FROM: Specify the mail to address RCPT TO: I then start the mail message by issuing DATA I specify a subject title with SUBJECT: This is a Title I then provide the actual message This is the actual Message You then stop the message creation by issuing a "." on a line of its own

.

And then of course the QUIT message to quit the SMTP connection with the server QUIT Then to finish up, I filter the previous SMTP telnet exchange with:

host ben.bfit.edu and port 25

I finish the class by going over the TCP/IP SMTP messaging in WireShark.

An excellent resource for WireShark filtering is wiki.wireshark.org/CaptureFilters. The WireShark wiki contains several excellent filter examples. I have found that I often need to rewrite and tailor some of the filters to insure that my students understand the filters as applicable to their computers and their filtering. The times that I have let my students play around with the filter examples, they didn't realize that they for example need to change the IP address in the example to the corresponding IPs that they were using.