Wireshark.v20


SHARK@SHARE https://ibm.biz/SHARKat

wireshark Hands-On Lab


Thursday, March 5, 2015
01:45 PM – 02:45 PM
Sheraton Seattle, Redwood
Session 16752
Matthias Burkhard IBM Germany
Wireshark Lab Demo

• Starting wireshark: Start → Programs → wireshark


– Updating wireshark? No thanks, not now!

03/06/15 2
Wireshark Lab - Layout

• 3 areas in wireshark: Packet List, Packet Details, Hexview

Wireshark Lab - Statistics → Summary

• Overall Information about the trace file

Wireshark Lab - Display Filter

• Syntax check in filter: green, yellow, red


– Looking for unencrypted TN3270 traffic?
– Filtering on DO TN3270E command sent by server
– Always 3 bytes only: FFFD28

Wireshark Lab - Statistics → Endpoints

• Find out how many TCP ports the TN3270 Server is using
– Check the Limit to display filter
– 4 TCP ports are found sending DO TN3270E commands
– 23, 9923, 8923, 8723

Wireshark Lab - Filter multiple ports

• Filters can combine multiple checks


– Use the 'or' operator to filter on all telnet ports
– 4 TCP ports are found sending DO TN3270E commands
– Notice the number of packets that passed the filter at the
bottom of the screen

Wireshark Lab - Save filtered packets

• File → Export specified packets


– Creates a new trace file with a subset of packets
– Use a name from which you can recognize what the contents are

Wireshark Lab - Comment the trace file

• Allows passing 'meta information' along in the trace file


• Don't forget to save the comment: File → Save

Wireshark Lab - Statistics – Flow Graph

• Shows all packets over a vertical timeline


• Can use filters to draw different colored graphs

Wireshark Lab - Follow TCP Stream

• Right-click on any packet of the TCP session


• Follow TCP Stream opens a view of all data exchanged in the session
• Creates a filter on tcp.stream

Wireshark Lab - Decode AS

• If the protocol is not what wireshark thinks it is


• 160301 looks like a TLS Negotiation packet
– Right-click on any packet → Decode as “SSL”

Wireshark Lab - Decode AS

• Now all port 23 traffic is mapped to SSL Protocol


• Sessions terminate after an Encrypted Alert

Wireshark Lab - Conversation Filter – IP

• Following a single client's traffic


• Sessions terminate after an Encrypted Alert
• And restart after 2 seconds

Wireshark Lab - Profile TN3270

• Download the files to your Personal Configuration Folder


• Help → About wireshark → Folders

Wireshark Lab - TN3270 Negotiation fails
• Filter on TN3270 Negotiation

Wireshark Lab - Filter on LUName
• Filter on any ASCII string using the contains operator

Wireshark Lab - Filter on single Client
• Very short lived TCP connections
• Closing after TN3270E negotiation fails

Wireshark Lab Reference

• What the TCP payload looks like

Telnet Negotiation
  FFFD2E  DO TLS
  FFFC2E  WONT TLS
  FFFD28  DO TN3270E
  FFFB28  WILL TN3270E
  FFFA28  SB TN3270E
          00 Associate
          01 Connect
          02 Dev-Type
          03 Functions
          04 Is
          05 Reason
          06 Reject
          07 Request
          08 Send

Keepalive Probes
  FFFB06  WILL TIMEMARK
  FFFC06  WONT TIMEMARK
  FFFD06  DO TIMEMARK

SSL/TLS
  8055010301  SSLV2 ClientHello V31
  14 --- Change Cipher Spec ---
      1403vv 0001 01  ChangeCipherSpec
  15 --- Alert ---
      1603vv xxxx yy
      00 SSL3.0
  16 --- Handshake Protocol ---
      1603vv xxxx yy
      vv: 00 SSL3.0, 01 TLS1.0, 02 TLS1.1, 03 TLS1.2
      yy: 01 ClientHello, 02 ServerHello, 0B Certificate, 0E ServerHelloDone, 10 ClientKeyExchange
  17 --- Application Data ---
      1703vv xxxx yy  Encrypted ApplData
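Added example, not part of the lab deck: a small Python classifier that labels a raw TCP payload using the byte patterns from the reference above (Telnet option negotiation, TN3270E subnegotiation, SSLv2 ClientHello, SSL3/TLS record headers), the same check a reader makes by eye before deciding that port 23 traffic needs "Decode As SSL". The sample payloads are constructed, not bytes from the lab trace; the names TELNET_CMDS, TN3270E_SUBS, classify and friends are this example's own.

```python
# Added example, not from the lab deck: label TCP payload bytes per the reference slide
# (Telnet negotiation, TN3270E subnegotiation, SSLv2 ClientHello, SSL3/TLS records).
TELNET_CMDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT", 0xFA: "SB"}
TELNET_OPTS = {0x06: "TIMEMARK", 0x28: "TN3270E", 0x2E: "TLS"}
TN3270E_SUBS = {0: "Associate", 1: "Connect", 2: "Dev-Type", 3: "Functions", 4: "Is",
                5: "Reason", 6: "Reject", 7: "Request", 8: "Send"}
TLS_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VERS = {0x00: "SSL3.0", 0x01: "TLS1.0", 0x02: "TLS1.1", 0x03: "TLS1.2"}
HS_TYPES = {0x01: "ClientHello", 0x02: "ServerHello", 0x0B: "Certificate",
            0x0E: "ServerHelloDone", 0x10: "ClientKeyExchange"}

def classify(payload: bytes) -> list[str]:
    """Walk a TCP payload and return one label per recognised unit."""
    labels, i = [], 0
    while i < len(payload):
        b = payload[i]
        # Telnet: IAC (FF) + command + option, e.g. FF FD 28 = DO TN3270E
        if b == 0xFF and i + 2 < len(payload) and payload[i + 1] in TELNET_CMDS:
            cmd = TELNET_CMDS[payload[i + 1]]
            opt = TELNET_OPTS.get(payload[i + 2], f"opt{payload[i + 2]:02X}")
            if cmd != "SB":
                labels.append(f"{cmd} {opt}")
                i += 3
                continue
            se = payload.find(b"\xff\xf0", i)           # subnegotiation ends at IAC SE
            end = se + 2 if se >= 0 else len(payload)
            sub = TN3270E_SUBS.get(payload[i + 3], "?") if opt == "TN3270E" and i + 3 < end else "?"
            labels.append(f"SB {opt} {sub}")
            i = end
            continue
        # SSL3/TLS record: type, 03 vv, length xxxx, then handshake type yy (slide notation)
        if b in TLS_TYPES and i + 4 < len(payload) and payload[i + 1] == 0x03:
            ver = TLS_VERS.get(payload[i + 2], f"03{payload[i + 2]:02X}")
            length = int.from_bytes(payload[i + 3:i + 5], "big")
            hs = HS_TYPES.get(payload[i + 5], "") if b == 0x16 and i + 5 < len(payload) else ""
            labels.append(f"{TLS_TYPES[b]} {ver} len={length} {hs}".rstrip())
            i += 5 + length
            continue
        # SSLv2-style ClientHello: 2-byte length with high bit set, 01, then version 03 01
        if b & 0x80 and b != 0xFF and i + 4 < len(payload) and payload[i + 2] == 0x01:
            labels.append(f"SSLv2 ClientHello V{payload[i + 3]}.{payload[i + 4]}")
            i += 2 + (((b & 0x7F) << 8) | payload[i + 1])
            continue
        labels.append(f"unknown {b:02X}")
        i += 1
    return labels

if __name__ == "__main__":  # constructed sample payloads, not bytes from the lab trace
    for hexstr in ("fffd28", "fffc2efffd28", "fffa280207fff0", "8055010301", "1603010003010000"):
        print(hexstr, "->", classify(bytes.fromhex(hexstr)))
```

A payload starting with FF FD 28 on a port is the unencrypted TN3270E negotiation the lab filters on, while 16 03 01 ... is the TLS handshake that calls for Decode As SSL.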

