491 lines
17 KiB
Plaintext
491 lines
17 KiB
Plaintext
++++++++++++++++++++++++++++++++++++++
|
||
<!-- WSUG Chapter Introduction -->
|
||
++++++++++++++++++++++++++++++++++++++
|
||
|
||
[[ChapterIntroduction]]
|
||
|
||
== Introduction
|
||
|
||
[[ChIntroWhatIs]]
|
||
|
||
=== What is Wireshark?
|
||
|
||
Wireshark is a network packet analyzer. A network packet analyzer will try to
|
||
capture network packets and tries to display that packet data as detailed as
|
||
possible.
|
||
|
||
You could think of a network packet analyzer as a measuring device used to
|
||
examine what’s going on inside a network cable, just like a voltmeter is used by
|
||
an electrician to examine what’s going on inside an electric cable (but at a
|
||
higher level, of course).
|
||
|
||
In the past, such tools were either very expensive, proprietary, or both.
|
||
However, with the advent of Wireshark, all that has changed.
|
||
|
||
Wireshark is perhaps one of the best open source packet analyzers available
|
||
today.
|
||
|
||
[[ChIntroPurposes]]
|
||
|
||
==== Some intended purposes
|
||
|
||
Here are some examples people use Wireshark for:
|
||
|
||
* Network administrators use it to _troubleshoot network problems_
|
||
|
||
* Network security engineers use it to _examine security problems_
|
||
|
||
* Developers use it to _debug protocol implementations_
|
||
|
||
* People use it to _learn network protocol_ internals
|
||
|
||
Beside these examples Wireshark can be helpful in many other situations too.
|
||
|
||
[[ChIntroFeatures]]
|
||
|
||
==== Features
|
||
|
||
The following are some of the many features Wireshark provides:
|
||
|
||
* Available for _UNIX_ and _Windows_.
|
||
|
||
* _Capture_ live packet data from a network interface.
|
||
|
||
* _Open_ files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
|
||
|
||
* _Import_ packets from text files containing hex dumps of packet data.
|
||
|
||
* Display packets with _very detailed protocol information_.
|
||
|
||
* _Save_ packet data captured.
|
||
|
||
* _Export_ some or all packets in a number of capture file formats.
|
||
|
||
* _Filter packets_ on many criteria.
|
||
|
||
* _Search_ for packets on many criteria.
|
||
|
||
* _Colorize_ packet display based on filters.
|
||
|
||
* Create various _statistics_.
|
||
|
||
* ...and _a lot more!_
|
||
|
||
However, to really appreciate its power you have to start using it.
|
||
|
||
<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you
|
||
to examine them.
|
||
|
||
[[ChIntroFig1]]
|
||
.Wireshark captures packets and lets you examine their contents.
|
||
image::wsug_graphics/ws-main.png[{screenshot-attrs}]
|
||
|
||
==== Live capture from many different network media
|
||
|
||
Wireshark can capture traffic from many different network media types -
|
||
and despite its name - including wireless LAN as well. Which media types
|
||
are supported, depends on many things like the operating system you are
|
||
using. An overview of the supported media types can be found at
|
||
link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[].
|
||
|
||
==== Import files from many other capture programs
|
||
|
||
Wireshark can open packets captured from a large number of other capture
|
||
programs. For a list of input formats see <<ChIOInputFormatsSection>>.
|
||
|
||
==== Export files for many other capture programs
|
||
|
||
Wireshark can save packets captured in a large number of formats of other
|
||
capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>.
|
||
|
||
==== Many protocol dissectors
|
||
|
||
There are protocol dissectors (or decoders, as they are known in other products)
|
||
for a great many protocols: see <<AppProtocols>>.
|
||
|
||
==== Open Source Software
|
||
|
||
Wireshark is an open source software project, and is released under the
|
||
{gplv2-url}[GNU General Public License] (GPL). You can freely use
|
||
Wireshark on any number of computers you like, without worrying about license
|
||
keys or fees or such. In addition, all source code is freely available under the
|
||
GPL. Because of that, it is very easy for people to add new protocols to
|
||
Wireshark, either as plugins, or built into the source, and they often do!
|
||
|
||
[[ChIntroNoFeatures]]
|
||
|
||
==== What Wireshark is not
|
||
|
||
Here are some things Wireshark does not provide:
|
||
|
||
* Wireshark isn't an intrusion detection system. It will not warn you when
|
||
someone does strange things on your network that he/she isn't allowed to do.
|
||
However, if strange things happen, Wireshark might help you figure out what is
|
||
really going on.
|
||
|
||
* Wireshark will not manipulate things on the network, it will only "measure"
|
||
things from it. Wireshark doesn't send packets on the network or do other
|
||
active things (except for name resolutions, but even that can be disabled).
|
||
|
||
[[ChIntroPlatforms]]
|
||
|
||
=== System Requirements
|
||
|
||
The amount of resources Wireshark needs depends on your environment and on the
|
||
size of the capture file you are analyzing. The values below should be fine for
|
||
small to medium-sized capture files no more than a few hundred MB. Larger
|
||
capture files will require more memory and disk space.
|
||
|
||
[NOTE]
|
||
.Busy networks mean large captures
|
||
====
|
||
Working with a busy network can easily produce huge capture files. Capturing on
|
||
a gigabit or even 100 megabit network can produce hundreds of megabytes of
|
||
capture data in a short time. A fast processor, lots of memory and disk
|
||
space is always a good idea.
|
||
====
|
||
|
||
If Wireshark runs out of memory it will crash. See
|
||
{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds.
|
||
|
||
Although Wireshark captures packets using a separate process the main interface
|
||
is single-threaded and won't benefit much from multi-core systems.
|
||
|
||
==== Microsoft Windows
|
||
|
||
* The current version of Wireshark should support any version of Windows that is
|
||
still within its http://windows.microsoft.com/en-us/windows/lifecycle[extended
|
||
support lifetime]. At the time of writing this includes Windows 10, 8, 7, Vista,
|
||
Server 2016, Server 2012 R2, Server 2012, Server 2008 R2, and Server 2008.
|
||
|
||
* Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.
|
||
|
||
* 400 MB available RAM. Larger capture files require more RAM.
|
||
|
||
* 300 MB available disk space. Capture files require additional disk space.
|
||
|
||
* 1024 {multiplication} 768 (1280 {multiplication} 1024 or higher
|
||
recommended) resolution with at least 16-bit color. 8-bit color should
|
||
work but user experience will be degraded. Power users will find
|
||
multiple monitors useful.
|
||
|
||
* A supported network card for capturing
|
||
|
||
- Ethernet. Any card supported by Windows should work. See the wiki pages on
|
||
link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and
|
||
link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that
|
||
may affect your environment.
|
||
|
||
- 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark
|
||
wiki page]. Capturing raw 802.11 information may be difficult without
|
||
special equipment.
|
||
|
||
- Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[].
|
||
|
||
Older versions of Windows which are outside Microsoft’s extended lifecycle
|
||
support window are no longer supported. It is often difficult or impossible to
|
||
support these systems due to circumstances beyond our control, such as third
|
||
party libraries on which we depend or due to necessary features that are only
|
||
present in newer versions of Windows (such as hardened security or memory
|
||
management).
|
||
|
||
Wireshark 1.12 was the last release branch to support Windows Server
|
||
2003. Wireshark 1.10 was the last branch to officially support Windows
|
||
XP. See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark
|
||
release lifecycle] page for more details.
|
||
|
||
==== UNIX / Linux
|
||
|
||
Wireshark runs on most UNIX and UNIX-like platforms including macOS and
|
||
Linux. The system requirements should be comparable to the Windows
|
||
values listed above.
|
||
|
||
Binary packages are available for most Unices and Linux distributions
|
||
including the following platforms:
|
||
|
||
* Apple macOS
|
||
|
||
* Debian GNU/Linux
|
||
|
||
* FreeBSD
|
||
|
||
* Gentoo Linux
|
||
|
||
* HP-UX
|
||
|
||
* Mandriva Linux
|
||
|
||
* NetBSD
|
||
|
||
* OpenPKG
|
||
|
||
* Red Hat Enterprise/Fedora Linux
|
||
|
||
* Sun Solaris/i386
|
||
|
||
* Sun Solaris/SPARC
|
||
|
||
* Canonical Ubuntu
|
||
|
||
If a binary package is not available for your platform you can download
|
||
the source and try to build it. Please report your experiences to
|
||
mailto:{wireshark-dev-list-email}[].
|
||
|
||
[[ChIntroDownload]]
|
||
|
||
=== Where to get Wireshark
|
||
|
||
You can get the latest copy of the program from the Wireshark website at
|
||
{wireshark-download-url}. The download page should automatically
|
||
highlight the appropriate download for your platform and direct you to
|
||
the nearest mirror. Official Windows and macOS installers are signed by
|
||
the *Wireshark Foundation*.
|
||
|
||
A new Wireshark version typically becomes available each month or two.
|
||
|
||
If you want to be notified about new Wireshark releases you should subscribe to
|
||
the wireshark-announce mailing list. You will find more details in
|
||
<<ChIntroMailingLists>>.
|
||
|
||
[[ChIntroHistory]]
|
||
|
||
|
||
=== A brief history of Wireshark
|
||
|
||
In late 1997 Gerald Combs needed a tool for tracking down network problems
|
||
and wanted to learn more about networking so he started writing Ethereal (the
|
||
original name of the Wireshark project) as a way to solve both problems.
|
||
|
||
Ethereal was initially released after several pauses in development in July
|
||
1998 as version 0.2.0. Within days patches, bug reports, and words of
|
||
encouragement started arriving and Ethereal was on its way to success.
|
||
|
||
Not long after that Gilbert Ramirez saw its potential and contributed a
|
||
low-level dissector to it.
|
||
|
||
In October, 1998 Guy Harris was looking for something better than tcpview so he
|
||
started applying patches and contributing dissectors to Ethereal.
|
||
|
||
In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential
|
||
on such courses and started looking at it to see if it supported the protocols
|
||
he needed. While it didn't at that point new protocols could be easily added.
|
||
So he started contributing dissectors and contributing patches.
|
||
|
||
The list of people who have contributed to the project has become very long
|
||
since then, and almost all of them started with a protocol that they needed that
|
||
Wireshark or did not already handle. So they copied an existing dissector and
|
||
contributed the code back to the team.
|
||
|
||
In 2006 the project moved house and re-emerged under a new name: Wireshark.
|
||
|
||
In 2008, after ten years of development, Wireshark finally arrived at version
|
||
1.0. This release was the first deemed complete, with the minimum features
|
||
implemented. Its release coincided with the first Wireshark Developer and User
|
||
Conference, called Sharkfest.
|
||
|
||
In 2015 Wireshark 2.0 was released, which featured a new user interface.
|
||
|
||
[[ChIntroMaintenance]]
|
||
|
||
=== Development and maintenance of Wireshark
|
||
|
||
Wireshark was initially developed by Gerald Combs. Ongoing development and
|
||
maintenance of Wireshark is handled by the Wireshark team, a loose group of
|
||
individuals who fix bugs and provide new functionality.
|
||
|
||
There have also been a large number of people who have contributed
|
||
protocol dissectors to Wireshark, and it is expected that this will
|
||
continue. You can find a list of the people who have contributed code to
|
||
Wireshark by checking the about dialog box of Wireshark, or at the
|
||
link:{wireshark-authors-url}[authors] page on the Wireshark web site.
|
||
|
||
Wireshark is an open source software project, and is released under the
|
||
{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is
|
||
freely available under the GPL. You are welcome to modify Wireshark to suit your
|
||
own needs, and it would be appreciated if you contribute your improvements back
|
||
to the Wireshark team.
|
||
|
||
You gain three benefits by contributing your improvements back to the community:
|
||
|
||
. Other people who find your contributions useful will appreciate them, and you
|
||
will know that you have helped people in the same way that the developers of
|
||
Wireshark have helped people.
|
||
|
||
. The developers of Wireshark might improve your changes even more, as there’s
|
||
always room for improvement. Or they may implement some advanced things on top
|
||
of your code, which can be useful for yourself too.
|
||
|
||
. The maintainers and developers of Wireshark will maintain your code as well,
|
||
fixing it when API changes or other changes are made, and generally keeping it
|
||
in tune with what is happening with Wireshark. So if Wireshark is updated
|
||
(which is done often), you can get a new Wireshark version from the website
|
||
and your changes will already be included without any effort for you.
|
||
|
||
The Wireshark source code and binary kits for some platforms are all
|
||
available on the download page of the Wireshark website:
|
||
{wireshark-download-url}.
|
||
|
||
[[ChIntroHelp]]
|
||
|
||
=== Reporting problems and getting help
|
||
|
||
If you have problems or need help with Wireshark there are several places that
|
||
may be of interest to you (well, besides this guide of course).
|
||
|
||
[[ChIntroHomepage]]
|
||
|
||
==== Website
|
||
|
||
You will find lots of useful information on the Wireshark homepage at
|
||
{wireshark-main-url}.
|
||
|
||
[[ChIntroWiki]]
|
||
|
||
==== Wiki
|
||
|
||
The Wireshark Wiki at {wireshark-wiki-url} provides a
|
||
wide range of information related to Wireshark and packet capture in general.
|
||
You will find a lot of information not part of this user’s guide. For example,
|
||
there is an explanation how to capture on a switched network, an ongoing effort
|
||
to build a protocol reference and a lot more.
|
||
|
||
And best of all, if you would like to contribute your knowledge on a specific
|
||
topic (maybe a network protocol you know well) you can edit the wiki pages by
|
||
simply using your web browser.
|
||
|
||
[[ChIntroQA]]
|
||
|
||
==== Q&A Site
|
||
|
||
The Wireshark Q&A site at {wireshark-qa-url} offers a resource where
|
||
questions and answers come together. You have the option to search what
|
||
questions were asked before and what answers were given by people who
|
||
knew about the issue. Answers are graded, so you can pick out the best
|
||
ones easily. If your question hasn't been discussed before you can post
|
||
one yourself.
|
||
|
||
[[ChIntroFAQ]]
|
||
|
||
==== FAQ
|
||
|
||
The Frequently Asked Questions lists often asked questions and their
|
||
corresponding answers.
|
||
|
||
[NOTE]
|
||
.Read the FAQ
|
||
====
|
||
Before sending any mail to the mailing lists below, be sure to read the FAQ. It
|
||
will often answer any questions you might have. This will save yourself and
|
||
others a lot of time. Keep in mind that a lot of people are subscribed to the
|
||
mailing lists.
|
||
====
|
||
|
||
You will find the FAQ inside Wireshark by clicking the menu item Help/Contents
|
||
and selecting the FAQ page in the dialog shown.
|
||
|
||
An online version is available at the Wireshark website at
|
||
{wireshark-faq-url}. You might prefer this online version, as it’s
|
||
typically more up to date and the HTML format is easier to use.
|
||
|
||
[[ChIntroMailingLists]]
|
||
|
||
==== Mailing Lists
|
||
|
||
There are several mailing lists of specific Wireshark topics available:
|
||
|
||
_wireshark-announce_::
|
||
This mailing list will inform you about new program releases, which usually
|
||
appear about every 4-8 weeks.
|
||
|
||
_wireshark-users_::
|
||
This list is for users of Wireshark. People post questions about building
|
||
and using Wireshark, others (hopefully) provide answers.
|
||
|
||
_wireshark-dev_::
|
||
This list is for Wireshark developers. If you want to start
|
||
developing a protocol dissector, join this list.
|
||
|
||
You can subscribe to each of these lists from the Wireshark web site:
|
||
{wireshark-mailing-lists-url}. From there, you can choose which mailing
|
||
list you want to subscribe to by clicking on the
|
||
Subscribe/Unsubscribe/Options button under the title of the relevant
|
||
list. The links to the archives are included on that page as well.
|
||
|
||
[TIP]
|
||
.The lists are archived
|
||
====
|
||
You can search in the list archives to see if someone asked the same question
|
||
some time before and maybe already got an answer. That way you don't have to
|
||
wait until someone answers your question.
|
||
====
|
||
|
||
==== Reporting Problems
|
||
|
||
[NOTE]
|
||
====
|
||
Before reporting any problems, please make sure you have installed the latest
|
||
version of Wireshark.
|
||
====
|
||
|
||
|
||
When reporting problems with Wireshark please supply the following information:
|
||
|
||
. The version number of Wireshark and the dependent libraries linked with it,
|
||
such as Qt or GLib. You can obtain this from Wireshark’s about box or the
|
||
command _wireshark -v_.
|
||
|
||
. Information about the platform you run Wireshark on.
|
||
|
||
. A detailed description of your problem.
|
||
|
||
. If you get an error/warning message, copy the text of that message (and also a
|
||
few lines before and after it, if there are some) so others may find the
|
||
place where things go wrong. Please don't give something like: "I get a
|
||
warning while doing x" as this won't give a good idea where to look.
|
||
|
||
[NOTE]
|
||
.Don't send large files
|
||
====
|
||
Do not send large files (> 1 MB) to the mailing lists. Just place a note that
|
||
further data is available on request. Large files will only annoy a lot of
|
||
people on the list who are not interested in your specific problem. If required
|
||
you will be asked for further data by the persons who really can help you.
|
||
====
|
||
|
||
[WARNING]
|
||
.Don't send confidential information!
|
||
====
|
||
If you send capture files to the mailing lists be sure they don't contain any
|
||
sensitive or confidential information like passwords or personally identifiable
|
||
information (PII).
|
||
====
|
||
|
||
==== Reporting Crashes on UNIX/Linux platforms
|
||
|
||
When reporting crashes with Wireshark it is helpful if you supply the traceback
|
||
information along with the information mentioned in "Reporting Problems".
|
||
|
||
You can obtain this traceback information with the following commands on UNIX or
|
||
Linux (note the backticks):
|
||
|
||
----
|
||
$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt
|
||
backtrace
|
||
^D
|
||
----
|
||
|
||
If you do not have _gdb_ available, you will have to check out your operating system’s debugger.
|
||
|
||
Mail _backtrace.txt_ to mailto:{wireshark-dev-list-email}[].
|
||
|
||
==== Reporting Crashes on Windows platforms
|
||
|
||
The Windows distributions don't contain the symbol files (.pdb) because they are
|
||
very large. You can download them separately at
|
||
{wireshark-main-url}download/win32/all-versions/ and
|
||
{wireshark-main-url}download/win64/all-versions/ .
|
||
|
||
++++++++++++++++++++++++++++++++++++++
|
||
<!-- End of WSUG Chapter 1 -->
|
||
++++++++++++++++++++++++++++++++++++++
|