How to get started with Wireshark

This walk through constitutes a short Wireshark demo to show TCP and UDP in action.

Introduction

Using Packet Tracer’s simulation mode you can analyze packets to some extent, but not at the same level as Wireshark. Packet Tracer is a network simulator but Wireshark is a packet capture program that lets you analyze network traffic. Wireshark is useful for education and training and is also a very useful network analysis and troubleshooting tool.

Although there is a lot you can learn about Wireshark, it’s quite easy to get started using it.

Up here you can see the packets as they are sent or received by the network interface you are capturing traffic from:

If you click on a packet you can see more details.

Note that this kind of software is called packet capture software. Packet is just a general term we use, it does not mean it only captures the Layer 3 PDU.

As you can see here, the entire frame is indeed captured.

>Frame 1 here is not a L2 frame as we know it but rather the Physical Layer metadata

>Ethernet II is the Layer 2 frame

>Internet Protocol v4 is the Layer 3 network packet

>Transmission Control Protocol (TCP) is the Layer 4 segment

At the end of this demonstration you will be asked to do a few basic tasks to try out in Wireshark, so you will need to download Wireshark if you want to do them.

To download Wireshark, go to wireshark.org. It’s totally free.

Download Wireshark: https://www.wireshark.org/download.html

Wireshark demo

This is a walk through of an actual analysis of some of the traffic being sent and received by the network interface of a PC.

Open Wireshark and then head over to YouTube and play a video for a brief while (e.g., 45 seconds). We will look at how Wireshark captures the traffic being sent and received by the network interface of a PC.

When the capture starts you will see there is already a lot of network traffic going through the interface. When you start watching the video you will see some more traffic.

Wireshark analysis

In fact, a lot of traffic went passing by when the video was played. Let’s analyze some of it.

Note that in Wireshark you are able to filter output. There are many ways you can do so.

Wireshark are decent people. They will let you know when you enter the wrong syntax for a filter. For example, to filter by IP address use ip.addr == ip address in dotted decimal (i.e., use two equal signs, not only one - the red code signals that the syntax is wrong).

Here are some operators you can use to construct a filter. The top row and bottom row symbols are identical operators (they mean/do the same thing in a filter string):

This tutorial is not about how to master Wireshark. Here we focus on getting a basic understanding of how Wireshark works.

If you want to learn how to use Wireshark at an advanced/professional level, check out the training resources at the end of this demo.

Back to our Wireshark analysis discussion.

Again, there are many ways you can filter output. Just notice that we filtered by the TCP port number, using the display filter: tcp.port==62652.

In the first message under Protocol in the output, you can see that TCP is the Layer 4 protocol being used.

Under Info you can see the source and destination ports. From 62652 to 443 in the first message, and reversed in the second message, which is the reply.

62652 is the random source port our PC selected from the ephemeral port range.

443 is the TCP port used by HTTPS (Hypertext Transfer Protocol Secure) to access webpages.

Look here, do you recognize this series of messages? SYN, SYN-ACK, followed by ACK.

That’s the TCP 3-way handshake.

So, in these first three messages our PC and the remote server established a TCP connection.

You can also see the sequence number, acknowledgment number, and window length.

We learned in the previous lesson on TCP and UDP (Comparing TCP to UDP) that the initial sequence number is randomly selected. So you may be thinking it is a big coincidence that 0 was randomly selected as the sequence number.

In Wireshark it is displayed as 0 here to make it easier to look at and understand, but that’s not the actual sequence number.

When we look further at the details of the segment you will see the real sequence number.

So sequence number 0 is acknowledged with 1, there’s the forward acknowledgment. Then our PC sends sequence number 1. Once again, these are not the real sequence numbers, Wireshark just displays them like this to make it easier to look at and analyze the data exchange.

Then there is the actual exchange of data here. Notice that most of these display SSL in the protocol column.

SSL is what gives the security to HTTPS, Hypertext Transfer Protocol Secure. TCP is still being used, but Wireshark displays SSL in the column here.

Finally, you can see the exchange of FINs and ACKs to terminate the connection at the end.

You probably noticed that the flags are a little different than as introduced in the TCP and UDP lesson - there is an extra ACK in the first and third messages. There are some nuances to the connection termination process which you don’t need to worry about at the CCNA level. But remember the basic FIN, ACK, FIN, ACK sequence.

TCP SYN message

Now let’s briefly look inside one of those segments.

This is the very first SYN message at the beginning of the three-way handshake. First up, notice that the segment is of course encapsulated in an Ethernet frame and IP packet.

We’re just looking deeper than we did before, but don’t forget about Layers 2 and 3.

Notice the sequence number here.

Notice that 0 is the relative sequence number. Wireshark does this to make it easier to analyze the traffic. Below you can see the real sequence number. As you can probably imagine, it is much harder to analyze when using sequence and acknowledgment numbers like 1 billion 224 million 315 thousand 781.

Because this is a SYN message, under the flags section you can see that the SYN bit is set, it’s 1.

All of the other flags are not set, they are 0.

Finally, you can see the TCP window size down below, i.e., “Window size value: 64240”.

UDP message

Before wrapping up this brief demonstration let’s look at a UDP segment.

First up, notice under Protocol, DNS (Domain Name System). This is a DNS message from our PC to a DNS server.

So, what will the destination port be? As you can see, our PC selected a random source port from the ephemeral range, and used 53 as the destination port, because that’s the port number DNS uses.

Within the segment you can indeed see that a DNS message is encapsulated inside. This is a DNS query message. We will learn more about DNS later in the course.

Getting started with Wireshark exercise

Here is a practice exercise for you to get familiar with Wireshark. Look inside some packet captures and see some of the things we studied in the TCP and UDP lesson.

1) Download Wireshark from wireshark.org.

2) Use it to capture network traffic sent and received by your PC.

3) Visit some websites while Wireshark is running.

4) Stop the Wireshark capture.

5) Check out the packet captures, and find a TCP three-way handshake, a TCP connection establishment.

6) Then find a TCP four-way handshake, a TCP connection termination.

Last updated 1 month ago

Introduction

Wireshark demo

Wireshark analysis

TCP SYN message

UDP message

Getting started with Wireshark exercise

Resources for getting started with Wireshark/network troubleshooting

References

Other references/resources