Wireshark Ebook


Kimberly Ballas
Aug 5, 2024, 12:52:03 AM
to catihete
DH key exchanges use a randomly created public/private keypair to encrypt the session key in the ClientKeyExchange handshake message. As Wireshark does not have the randomly created keypair, it cannot decrypt the session key and therefore cannot decrypt the application data.

An RSA key exchange uses the public key from the certificate to encrypt the session key in the ClientKeyExchange handshake message. So when Wireshark is pointed to the correct private key, it is able to decrypt the session key and then use the session key to decrypt the application data.


You are right, it is not a public/private key pair. However, both client and server generate a random value (not known to Wireshark) which allows them to generate a shared secret (the session key) instead of exchanging the shared secret by encrypting it with the public key from the certificate (which can be decrypted by using the matching private key).


So, is the next question "How do I configure Tomcat to use RSA instead of DH key exchanges" or what? I realize that we're getting into off-topic things here, but it would be good if the answer also answered "Okay, so what next?", rather than just diagnose the problem.


As you did not tell us how you configured your Tomcat installation, it is impossible to tell you what to change. It's either the web server (Apache, Lighttpd, nginx) or Tomcat itself that handles SSL/TLS. Obviously the required changes depend on the setup.


So, is it absolutely impossible to decrypt a DH key exchange using Wireshark? Is there any workaround for this? Maybe something like manually generating a session key and forcing both client and server to temporarily use the known session key.


Another alternative would be to expose the session key within the server or client (see openssl client). Unfortunately there is no "standard" way of doing that in the browser or the server. At least I don't know any. So again: google is your friend...


I am currently researching how Wiretap in Wireshark reads files (e.g. pcap). I have gone through the README and README.developer, but both of them yield no result. The Wireshark and Ethereal Network Protocol Analyzer Toolkit ebook does not explicitly show which function is called.


wtap_open_offline opens a file; wtap_read reads the next sequential packet from the file; wtap_seek_read, if you've opened the file for both sequential and random access, will seek to the packet at the specified offset (where the offset is a value supplied by wtap_read for the packet in question) and read its data. wtap_sequential_close closes the sequential side of a file opened for both sequential and random access; wtap_close closes the sequential side if it hasn't already been closed, and also closes the random-access side if the file was opened for both sequential and random access, and frees up the data structure returned by wtap_open_offline.


Hi Mr Guy Harris, thanks for replying to my questions. I have come across one of your mails, in which you stated that WinPcap/libpcap could also be used to read pcap files. May I know whether I can pass a file read by WinPcap/libpcap directly into Wireshark, or does it need to go through Wiretap? Thanks for your time.


If a file can be read by libpcap/WinPcap, it's a pcap file - or, in newer versions of libpcap/WinPcap, a pcap file or a pcap-ng file - and thus can also be read by Wiretap. Wiretap is the library that Wireshark uses to read capture files, so any file that is "read ... into Wireshark" goes through Wiretap.


May I know what your advice is if I wanted to use functions to read pcap files? Would you recommend using the libpcap library or the wiretap library? The wiretap library might be more suitable since I will be working on telecommunication protocols, but I couldn't find any tutorials out there. libpcap tutorials are relatively easier to find, but I remember you stated somewhere that libpcap is more suitable for TCP/IP. Thanks for your help.


If you're only going to read pcap files - or, with newer versions of libpcap, pcap-ng files that have only one link-layer type - libpcap will work just fine. If you need to read other file types, you'll need wiretap.


Thanks Eddie Choo & Guy Harris for your posts; I got much information about wiretap. Actually, I am trying to find the file that wiretap is using to read (which libpcap-format packet is finally dumped for wiretap), but I didn't find it. Can you guys help me get out of this?


Today's networks are complex, and many times, when faced with issues, the only way you can solve the problem is if you can see the problem. For that very reason, packet analysis, using tools such as Wireshark, has been around for many years. In addition to manually conducting packet analysis using Wireshark, today's devices incorporate the ability to pull data from the network and examine its contents. This function helps the network administrator to troubleshoot, test, baseline, and monitor the network for threats.


This chapter will help you to recognize the many benefits of using Wireshark for packet analysis. You'll learn about its history as an exceptional open source software product, which includes many rich features. You'll discover how various groups can benefit from using packet analysis, such as network administrators, students, and security analysts. In addition, we'll cover the many places in which to conduct packet analysis, including on a Local Area Network (LAN), on a host, or in the real world. Finally, you'll learn how Wireshark has the ability to decode hundreds of different protocols and is constantly being improved, making it the optimal tool for monitoring the network.


Packet analysis examines packets to understand the characteristics and structure of the traffic flow, either during a live capture or by using a previously captured file. The analyst can complete packet analysis by either studying one packet at a time or as a complete capture.


When monitoring the network for analysis, we capture traffic using specialized software such as Wireshark or tshark. Once the data is captured and saved, the software stores it in a file that is commonly called a packet capture, or PCAP, file.


We use packet analysis in many places, including on a LAN, on a host, or in the real world. Additionally, we use packet analysis when troubleshooting latency issues, testing Internet of Things (IoT) devices, and as a tool when baselining the network.


Today, packet analysis using Wireshark is a valuable skill. However, analyzing packets has been around in the networking world for many years. As early as the 1990s, various tools enabled analysts to carry out packet analysis on the network to troubleshoot errors and to monitor server behavior. In the next section, we'll examine some of the early tools used to monitor network activity.


Packet analysis has been around in some form for over 20 years, as a diagnostic tool, to observe data and other information traveling across the network. Packet analysis is also referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured traffic as it traveled across the network. In the 1990s, Novell, a software company, developed the Novell LANalyzer, which had a graphical UI and dashboard to examine network traffic. Concurrently, Microsoft introduced its Network Monitor.


Most packet analyzers work in a similar manner. They capture data and then decode the raw bits into field values according to the appropriate Request for Comments (RFC) or other specification. Once done, the data is presented in a meaningful fashion.


Packet analysis and traffic sniffing are used by many devices on the network, including routers, switches, and firewall appliances. As data flows across the network, the devices gather and interpret the packet's raw bits and examine the field values in each packet to decide on what action should be taken.


To decide whether to allow or deny a packet, the firewall must check each header as it passes through the device. It will determine variables such as IP addresses, Transmission Control Protocol (TCP) flags, and port numbers that are in use. If the packet does not match an ACL entry, the firewall will drop the packet. As shown in the following diagram, an inbound SYN packet with a destination port of 80 is blocked because it does not match the rule:


As you can see, packet sniffing and analysis have been influential for many years as elements of managing networks. However, the first step of analysis is to capture traffic, which we will explore next.


On today's networks, a Network Interface Card (NIC) will only monitor traffic that is addressed to that host. However, we can put the card into a state called promiscuous mode, which will allow the adapter to gather all the traffic that is on the network. Therefore, to capture and monitor all network traffic, the NIC must be in promiscuous mode.


We use packet analysis to understand the characteristics of the traffic flow. Although you can conduct packet analysis during a live capture, it's common to capture traffic and save it for further analysis. Common steps to capture packets for analysis include the following:


Wireshark allows us to capture, display, and filter data live from a single or multiple network interface(s). In addition, you can examine pre-captured packets, search with granular details, and follow the data stream. As a result, packet analysis is advantageous as it helps you to understand the nature of the network. The following section outlines the many different individuals who can benefit from using Wireshark for packet analysis.


Nearly everyone can benefit from using packet analysis, including developers, network administrators, students, and security analysts. Let's look at each group and explore the benefits that can be reaped through packet analysis. We'll start with developers, as they can see how their program responds to requests on the network in real time.

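The wiretap read model that Guy Harris describes in the post (wtap_open_offline, wtap_read handing back an offset for each packet, wtap_seek_read returning to that offset, wtap_close), as an added example that is not part of the original post or of Wireshark's own code: a small Python reader for the classic pcap format, which libpcap/WinPcap and Wiretap both read, run over a constructed sample file embedded inline.

```python
import struct
# Constructed sample pcap (not from the page): little-endian global header,
# link type 1 (Ethernet), then two records with short made-up payloads.
def _record(ts_sec, ts_usec, payload):
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _record(1700000000, 1000, b"\xaa" * 14 + b"E\x00")
    + _record(1700000001, 2000, b"\xbb" * 14 + b"E\x00\x00\x28")
)

class PcapFile:
    """Mirrors the wiretap model: open, sequential read reporting offsets, seek_read."""
    HDR, REC = 24, 16

    def __init__(self, data):  # wtap_open_offline analogue
        if len(data) < self.HDR:
            raise ValueError("truncated global header")
        magic = struct.unpack("<I", data[:4])[0]
        if magic == 0xA1B2C3D4:
            self.endian = "<"
        elif magic == 0xD4C3B2A1:  # file was written big-endian
            self.endian = ">"
        else:
            raise ValueError("not a pcap file (bad magic)")
        self.linktype = struct.unpack(self.endian + "IHHiIII", data[:self.HDR])[6]
        self.data, self.pos = data, self.HDR

    def read(self):  # wtap_read analogue: next packet plus the offset to seek back to
        if self.pos >= len(self.data):
            return None
        offset = self.pos
        rec = self.seek_read(offset)
        self.pos = offset + self.REC + rec["caplen"]
        return offset, rec

    def seek_read(self, offset):  # wtap_seek_read analogue: random access by offset
        hdr = self.data[offset:offset + self.REC]
        if len(hdr) < self.REC:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, origlen = struct.unpack(self.endian + "IIII", hdr)
        payload = self.data[offset + self.REC:offset + self.REC + caplen]
        if len(payload) < caplen:  # a capture cut off mid-packet
            raise ValueError("truncated record data")
        return {"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "len": origlen, "data": payload}

def read_all(data):  # a wtap_read loop over the whole file
    f, out = PcapFile(data), []
    while (pkt := f.read()) is not None:
        out.append(pkt)
    return out
```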
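The header decoding and ACL check described in the book excerpt above (decoding the raw bits per the RFCs, then matching IP addresses, TCP flags and ports against an ACL entry, with a SYN to port 80 dropped because no rule matches), as an added example not taken from the page or the book: the RULES set, the addresses and the packet builder are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10  # TCP flag bits (RFC 793)

def decode_ipv4_tcp(pkt):
    """Decode the IPv4 (RFC 791) and TCP (RFC 793) headers and return the
    field values a firewall inspects: addresses, ports and TCP flags."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]  # IHL is in 32-bit words, options included
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF}

def acl_decision(fields, rules):
    """First-match ACL with an implicit deny at the end: a packet that matches
    no entry is dropped. Each rule may constrain dst, dport and required flags."""
    for rule in rules:
        if rule.get("dst") not in (None, fields["dst"]):
            continue
        if rule.get("dport") not in (None, fields["dport"]):
            continue
        need = rule.get("flags_set", 0)
        if fields["flags"] & need != need:
            continue
        return rule["action"]
    return "deny"

# Constructed rule set (hypothetical): allow new HTTPS connections to one host,
# allow established (ACK) traffic, drop everything else, including SYN to port 80.
RULES = [
    {"action": "permit", "dst": "10.0.0.5", "dport": 443, "flags_set": SYN},
    {"action": "permit", "flags_set": ACK},
]

def build_tcp_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP packet for testing; checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp
```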