Wireshark information

From Comp519


For both the software and hardware router projects, it is invaluable to look at the actual packet data entering and leaving the router. Two important tools serve this purpose: tcpdump and Wireshark. Both run on a variety of Unix-based systems and let you view either live network traffic or traffic that was previously captured to a file.

The software router can write a log of all the network traffic it sees to a file with the "-l <dumpfile>" option. This log can later be viewed using either tcpdump or Wireshark.

Both programs have many useful features. A few basic ones are described here to get you started.

tcpdump

tcpdump has many options that control how much information it displays about each packet and how it formats that information. One useful combination of options is:

nfsudo tcpdump -xxx -v

Here -xxx prints the raw bytes of each packet in hex (link-layer header included) and -v makes the decoded header summary more verbose. You can (and should) experiment with other command line options to find the format you find most useful; in particular, -i <interface> selects which of the router's interfaces to capture on, and -n suppresses DNS lookups so the output shows the raw addresses your router is actually handling. Note that if you are using tcpdump to capture live network traffic, you have to run it through nfsudo.

To use tcpdump to view a previously stored log (for instance one created with the router's "-l <dumpfile>" option), use the "-r" option:

tcpdump -r <dumpfile> -xxx -v

Note that since in this case you are only reading from a file, you do not need to run tcpdump through nfsudo.

Wireshark

tcpdump is a valuable command-line tool, but Wireshark offers a superset of tcpdump's functionality behind a graphical user interface. Wireshark decodes almost every header field and displays it in a clear, readable tree. Branches can be expanded or collapsed as desired, so you can focus on the fields you care about in a specific packet. Wireshark also shows all of the bytes of the selected packet, and highlights exactly which bytes each header field occupies. This is invaluable for debugging malformed packets generated by your router: a wrong length, checksum or address stands out immediately. You can accomplish the same thing with tcpdump, but you would have to work out the byte offset of each header field yourself.

Wireshark is invoked as follows:

nfsudo wireshark

To view live network traffic, use Capture->Interfaces... to set up Wireshark to capture on the interface you are interested in. To view previously stored traffic, use File->Open to open the <dumpfile>.

Much of Wireshark's operation is self-explanatory. Just click on the packet you are interested in, and then expand the protocol tree for the information you want to inspect.
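The following script is an added example, not part of this page or of the course router code. It does by hand what the Wireshark bytes pane does for you: it reads a dump file, and for each Ethernet/IPv4/ICMP header field prints the byte range the field occupies and its decoded value, then verifies the IPv4 header checksum (the kind of defect a buggy router produces). It assumes the dump file is in libpcap format, the format that tcpdump -r and File->Open read; the sample capture it falls back to when no file is given is constructed inline, not real router traffic, and the MAC and IP addresses in it are made up.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap file
LINKTYPE_ETHERNET = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (IPv4, ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap(corrupt_checksum: bool = False) -> bytes:
    """Constructed capture (not real traffic): one pcap record holding an
    ICMP echo request from 10.0.0.1 to 10.0.0.2 with made-up MAC addresses."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                     64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = inet_checksum(ip)
    if corrupt_checksum:
        csum ^= 0x00FF              # mimic a router that wrote a bad checksum
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + icmp
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # record header: ts_sec, ts_usec, captured length, original length
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def read_pcap(data: bytes) -> list:
    """Return the captured frames of a pcap file, whichever byte order it uses."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames


def dissect(frame: bytes):
    """Returns (fields, ip_checksum_ok): fields is a list of
    (offset, length, name, value); ip_checksum_ok is None without IPv4."""
    fields = []

    def add(off, ln, name, value):
        fields.append((off, ln, name, value))
        return value

    def u16(i):
        return struct.unpack("!H", frame[i:i + 2])[0]

    add(0, 6, "eth.dst", frame[0:6].hex(":"))
    add(6, 6, "eth.src", frame[6:12].hex(":"))
    if add(12, 2, "eth.type", "0x%04x" % u16(12)) != "0x0800":
        return fields, None
    o = 14                                 # IPv4 header follows the Ethernet header
    ihl = (frame[o] & 0x0F) * 4
    add(o, 1, "ip.version_ihl", "0x%02x" % frame[o])
    add(o + 1, 1, "ip.tos", frame[o + 1])
    add(o + 2, 2, "ip.len", u16(o + 2))
    add(o + 4, 2, "ip.id", "0x%04x" % u16(o + 4))
    add(o + 6, 2, "ip.flags_frag", "0x%04x" % u16(o + 6))
    add(o + 8, 1, "ip.ttl", frame[o + 8])
    proto = add(o + 9, 1, "ip.proto", frame[o + 9])
    add(o + 10, 2, "ip.checksum", "0x%04x" % u16(o + 10))
    add(o + 12, 4, "ip.src", ".".join(str(b) for b in frame[o + 12:o + 16]))
    add(o + 16, 4, "ip.dst", ".".join(str(b) for b in frame[o + 16:o + 20]))
    # A correct header (checksum field included) sums to 0xFFFF, so the
    # checksum computed over it is zero.
    ip_ok = inet_checksum(frame[o:o + ihl]) == 0
    if proto == 1:                         # ICMP
        p = o + ihl
        add(p, 1, "icmp.type", frame[p])
        add(p + 1, 1, "icmp.code", frame[p + 1])
        add(p + 2, 2, "icmp.checksum", "0x%04x" % u16(p + 2))
    return fields, ip_ok


def print_annotated(frame: bytes) -> None:
    """One line per field: byte range, raw bytes, field name, decoded value."""
    fields, ip_ok = dissect(frame)
    for off, ln, name, value in fields:
        print("%3d..%-3d %-18s %-16s %s" % (off, off + ln - 1, frame[off:off + ln].hex(" "), name, value))
    print("ipv4 header checksum:", {True: "ok", False: "BAD", None: "n/a"}[ip_ok])


if __name__ == "__main__":                 # usage: python pcapfields.py [<dumpfile>]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pcap(corrupt_checksum=True)
    for i, frame in enumerate(read_pcap(data)):
        print("frame %d, %d bytes" % (i, len(frame)))
        print_annotated(frame)
```

Run it with no arguments to see the constructed packet, whose IPv4 checksum is deliberately wrong, flagged as BAD; pass a dump file to annotate your own captures. The offsets it prints (eth.type at bytes 12..13, ip.ttl at 22, ip.src at 26..29) are the ones you would otherwise have to count out by hand in tcpdump -xxx output.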
