[Haifux] WireShark lecture - Some additional details.

Nir Abulaffio anir at research.haifa.ac.il
Tue Jun 17 18:42:39 MSD 2008


Thank you for listening to me again. I hope I didn't bore some people too
much.
I include, below, a list of very useful filters (display and capture).
Note 1: display filters can be changed "on the fly" even while capturing,
if your machine is fast enough (here "fast" depends greatly on WHAT is
being captured).
Capture filters cannot be changed without stopping and restarting the capture.
Note 2: in the capture panel there is an option "update packets in real
time". If capturing very fast traffic fails, this can be disabled.
I mentioned that real-time display is a great option, but if all else
fails, you can try without it.
Note 3: coloring rules can be saved. I strongly suggest using coloring and
saving the rules; it helps a lot with understanding (at the beginning).

Look at the links I supplied last time (see below) - it's worth it.

Last note, and thanks to those who sent me traces of their ADSL or cable
connections: thank you all. I am going to miluim (reserve duty) tomorrow, so
please understand my silence.
Nir.

---------- Forwarded message ----------
Date: Mon, 7 Apr 2008 18:03:22 +0300 (IDT)
From: Nir Abulaffio <anir at research.haifa.ac.il>
To: Haifux <haifux at haifux.org>
Cc: linux-il <linux-il at cs.huji.ac.il>
Subject: Re:How Ethernet works - Some more details

In my lecture, I mentioned that I cannot put in the lecture slides the
things I showed on screen. Some pages were from books that are in print.
I showed some pictures that, I think, explain very well certain aspects
of Ethernet communication.
However, I supply below links to some of the information I talked about,
even if these are less good (in my opinion),
and to some things I didn't have time to talk about :-)  ...
Nir.

Presentation of OSI layers and other matters:
http://ws.edu.isoc.org/workshops/2004/SANOG-IV/ip-services/presentations/ip-intro/ipbasics/sld021.htm

http://www.tcpipguide.com/free/t_OSIReferenceModelLayerSummary.htm

About Ethernet over twisted pair:
http://en.wikipedia.org/wiki/10BASE-T

History, layer description, examples, and much more: worth looking at;
** everybody will find something he didn't know.
http://en.wikipedia.org/wiki/OSI_model

TCP state machine:
http://diuf.unifr.ch/people/yoois/Janus/Verifier/NewTCPState.jpg

(the next link is very long!)
http://images.google.com/imgres?imgurl=http://diuf.unifr.ch/people/yoois/Janus/Verifier/NewTCPState.jpg&imgrefurl=http://diuf.unifr.ch/people/yoois/Janus/Verifier/index.htm&h=691&w=846&sz=97&tbnid=KrPohCO8MmvS4M:&tbnh=118&tnw=145&prev=/images%3Fq%3Dtcp%2Bstate%2Bmachine%26um%3D1&start=3&sa=X&oi=images&ct=image&cd=3

-- Wireshark filters --
Here are a few examples of display filters and capture filters.
In both cases logical expressions can do wonders.

DISPLAY filters:
eth.dst == 00:0d:22:23:62:3f  (filtering based on MAC address).
ip.src == 132.74.24.200
!(ip.src == 132.74.24.200) (negation this way works, using != doesn't always)
!(ip.addr == 132.74.24.200 or ip.addr==132.74.24.201)
tcp.port==80
!(tcp.srcport == 80)
!(tcp.port == 80)
udp.port==53
tcp
udp
arp   (worth trying)

CAPTURE filters: (spaces between keywords are important)
host 132.74.1.40
ether  host 00:0d:22:23:62:3f
net 132.74.1.0 mask 255.255.255.0  (note: non-network bits should be set to zero)
net 132.74.1.240 mask 255.255.255.252
tcp  port 8080
tcp
udp
arp
----
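The two points in the filter list that trip people up are the negation note in the display filters (why "!(ip.addr == X)" excludes a host but "ip.addr != X" does not) and the note on the "net A mask M" capture filter (non-network bits must be zero). The following is an added example, written for this page and not code from the post, Wireshark or libpcap: a small evaluator for the display-filter subset used above (field == value, field != value, bare protocol names, and/or/not, parentheses), run over a constructed four-packet capture, plus a checker for the "net A mask M" primitive. It models the rule Wireshark applied at the time of the post, that a comparison on a field occurring more than once in a packet (ip.addr, tcp.port, udp.port) is true if any occurrence satisfies it; the sample packets, field names and the claim that tcpdump rejects an address with host bits set are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample capture (not from the original post): each packet is a
# dict of Wireshark-style field names to values. Frames 1/2 are an HTTP
# request and reply between 132.74.24.200 and 132.74.1.40, frame 3 an ARP
# broadcast, frame 4 a DNS query from 132.74.24.201.
PACKETS = [
    {"frame": 1, "eth.dst": "00:0d:22:23:62:3f", "ip.src": "132.74.24.200",
     "ip.dst": "132.74.1.40", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"frame": 2, "eth.dst": "00:0d:22:23:62:3f", "ip.src": "132.74.1.40",
     "ip.dst": "132.74.24.200", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"frame": 3, "eth.dst": "ff:ff:ff:ff:ff:ff", "arp": True},
    {"frame": 4, "eth.dst": "00:0d:22:23:62:3f", "ip.src": "132.74.24.201",
     "ip.dst": "132.74.1.40", "udp.srcport": 33000, "udp.dstport": 53},
]

# Fields that occur more than once per packet: ip.addr is both ip.src and
# ip.dst, tcp.port/udp.port are both ends of the connection.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

TOKEN = re.compile(r"\s*(\(|\)|==|!=|&&|\|\||!|[\w.:]+)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad token near %r" % expr[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser for the subset: field == value, field != value,
    bare protocol names, and/&&, or/||, not/!, parentheses."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        if tok is None or tok in (")", "==", "!="):
            raise ValueError("expected a field or protocol name")
        if self.peek() in ("==", "!="):
            op, value = self.take(), self.take()
            if value is None:
                raise ValueError("missing value after %s" % op)
            return ("cmp", op, tok, value)
        return ("proto", tok)


def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "proto":   # bare "tcp", "udp", "arp": protocol present at all
        return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
    _, op, name, value = node
    # "Any occurrence" rule: the comparison is true if ANY occurrence of the
    # field satisfies it. Because ip.addr occurs twice, "ip.addr != X" is true
    # for a packet from X to Y (the dst occurrence differs) and so does NOT
    # exclude X's traffic; "!(ip.addr == X)" negates the whole match and does.
    values = [str(pkt[f]) for f in ALIASES.get(name, (name,)) if f in pkt]
    if op == "==":
        return any(v == value for v in values)
    return any(v != value for v in values)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers a display filter would leave visible."""
    node = Parser(expr).parse()
    return [p["frame"] for p in packets if evaluate(node, p)]


def capture_net_mask(primitive):
    """Turn a capture-filter primitive "net A mask M" into a predicate.
    Assumption (not libpcap code): like tcpdump, it rejects an address whose
    non-network bits are not zero, via ipaddress' strict network parsing."""
    m = re.fullmatch(r"net\s+(\S+)\s+mask\s+(\S+)", primitive.strip())
    if not m:
        raise ValueError("expected 'net A mask M'")
    network = ipaddress.ip_network("%s/%s" % m.groups())  # strict by default
    return lambda pkt: any(ipaddress.ip_address(pkt[f]) in network
                           for f in ("ip.src", "ip.dst") if f in pkt)


if __name__ == "__main__":
    for expr in ("ip.addr != 132.74.24.200", "!(ip.addr == 132.74.24.200)"):
        print("%-32s -> frames %s" % (expr, apply_filter(expr)))
    in_net = capture_net_mask("net 132.74.1.0 mask 255.255.255.0")
    print("net 132.74.1.0 mask 255.255.255.0 matches frames",
          [p["frame"] for p in PACKETS if in_net(p)])
```

Running it shows "ip.addr != 132.74.24.200" still passing frames 1 and 2 (both involve that host) while "!(ip.addr == 132.74.24.200)" drops them, and "net 132.74.1.40 mask 255.255.255.0" raising because the host bits are set. Newer Wireshark releases have changed what "!=" means for multi-occurrence fields, so check the version's documentation before relying on either spelling; the "!( ... )" form is unambiguous in all of them.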


