### :school: TEEP 2024_RT LAB_ORAN DPDK
#### :book: Technology Background

:::success
List the essential information of this chapter.
1. Wireshark and Tshark
:::

## 1. Wireshark and Tshark

### 1.1 Wireshark

![image](https://hackmd.io/_uploads/HySc3NIKp.png)

Wireshark functions as both a sniffer and a packet analyzer. A sniffer is a measurement tool: it lets us inspect the content flowing through a network cable, or through the airwaves in the case of a wireless network. Essentially, it reveals the data observed by our network card. Wireshark, however, goes beyond displaying the raw binary stream (ones and zeroes) that the network card sees. It is a full packet analyzer, presenting meaningful, decoded information about the frames it encounters. As an open-source and freely available tool, Wireshark is widely used for the examination of network traffic.

Wireshark is useful in many scenarios, such as troubleshooting network issues. For instance, if connectivity problems arise between two computers, Wireshark helps in understanding what is actually happening on the network. It is also valuable for programmers: when developing a chat program between two clients, for example, Wireshark can be used to inspect the transmitted data and gain insight into potential problems.

**Wireshark Features**

Some features that make Wireshark an important framework for network analysis:

1. **Packet Capture**: Wireshark captures packets as they traverse a network. It can capture live data from a network interface or read saved capture files.
2. **Protocol Support**: Wireshark supports a vast array of protocols, including but not limited to Ethernet, IP, TCP, UDP, HTTP, DNS, DHCP, SSL/TLS, and many more. This makes it versatile for analyzing different types of network traffic.
3. **User Interface**: Wireshark has a user-friendly graphical interface that allows users to view and analyze captured packets. The interface is divided into three main panes: the packet list pane, the packet details pane, and the packet bytes pane.
4. **Packet Filtering**: Wireshark allows you to apply filters to focus on specific types of packets. Filters can be based on protocols, source/destination addresses, ports, and more. This helps in narrowing down the analysis to the relevant packets.
5. **Colorizing and Marking Packets**: Wireshark uses colorization to highlight different types of packets, making it easier to identify patterns or anomalies. Users can also mark packets for reference.
6. **Packet Details**: Wireshark provides detailed information about each captured packet. You can drill down into each packet to view its header and payload, helping you understand the structure of the data.
7. **Statistics and Conversations**: Wireshark offers various statistical tools to analyze network traffic. You can view overall statistics as well as per-protocol statistics. Conversations and endpoints can also be analyzed to understand communication patterns.
8. **Exporting Data**: Wireshark allows you to export captured data in various formats, including plain text, CSV, XML, and more. This is useful for sharing or for further analysis with other tools.
9. **Display and Capture Filters**: Display filters select which packets are shown in the packet list, while capture filters determine which packets are captured in the first place. Both help in focusing on specific traffic during analysis.
10. **VoIP Analysis**: Wireshark includes features for analyzing Voice over IP (VoIP) traffic. It can decode and display SIP, RTP, and other VoIP protocols.
11. **Expert Information**: Wireshark provides expert information to highlight potential issues or anomalies in the captured traffic, helping users identify and troubleshoot problems.
12. **Scripting and Automation**: Wireshark supports scripting in Lua, allowing users to automate tasks and customize their analysis.
13. **Community Support**: Wireshark has an active community, and there are numerous online resources, forums, and documentation available for users seeking assistance or wanting to enhance their skills.

**How to Download and Install Wireshark?**

Start by downloading Wireshark from its official website: https://www.wireshark.org/#download

Follow the instructions in the installer and you should be good to go.

**Wireshark Layout**

![image](https://hackmd.io/_uploads/rk7v5VLYp.png)

* **Packet List**: This pane displays all packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. Selecting a line in this pane displays more detailed information in the Packet Details and Packet Bytes panes. While dissecting a packet, Wireshark extracts information from the various protocol dissectors and populates the corresponding columns. Wireshark lets users choose which columns are visible; the column options can be found in the preferences settings. By default, the packet list includes the columns No. (Packet Number), Time, Source, Destination, Protocol, Length, and Info. These default columns give the essential details about each packet: its sequence number, timestamp, source and destination addresses, protocol type, packet length, and additional informative details. Users can tailor the display to their needs by adjusting the column preferences in the Wireshark settings.
* **Packet Details**: The Packet Details pane offers a hierarchical, tree-like representation of the selected packet's protocol stack, allowing users to examine each layer's details systematically. Nodes can be expanded or collapsed for a more focused look at specific protocol layers. Additionally, the pane includes a hex dump of the packet data, providing a hexadecimal view of the raw information for thorough inspection and troubleshooting.
* **Packet Bytes**: The Packet Bytes pane displays the data of the currently selected packet in hexdump format. Each line includes the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes, giving a detailed view of the packet's raw content. This pane is instrumental for analyzing the binary representation of the packet data and is particularly useful for troubleshooting and understanding the exact contents of the transmitted information.

**How to Sniff Traffic with Wireshark**

Launch Wireshark, and start by sniffing some data. For that, you can hit `Ctrl+K` (PC) or `Cmd+K` (Mac) to get the `Capture Options` window. Notice that you can reach this window in other ways: you can go to `Capture -> Options`, or you can click the `Capture Options` icon. I encourage you to use keyboard shortcuts and get comfortable with them right from the start, as they'll allow you to save time and work more efficiently.

So, again, I've used `Ctrl+K` (or `Cmd+K`) and got this screen:

![image](https://hackmd.io/_uploads/S1YXFkBFa.png)

Here we can see a list of interfaces, and I happen to have quite a few. Which one is relevant? If you're not sure at this point, you can look at the Traffic column and see which interfaces currently have traffic. Here we can see that `Wi-Fi` has traffic going through it, as the line is high.

Select the relevant network interface, and then hit Enter or click the Start button. Let Wireshark sniff the network for a bit, and then stop the sniff using `Ctrl+E` / `Cmd+E`. Again, this can be achieved in other ways, such as going to `Capture -> Stop` or clicking the Stop icon.

Consider the different sections:

![image](https://hackmd.io/_uploads/HyPFqJHKp.png)

* The section marked in red is Wireshark's menu, with all kinds of interesting options.
* The main toolbar is marked in blue, providing quick access to some items from the menu.
* Next, marked in green, is the display filter.
* The packet list pane is marked in orange. It displays a short summary of each packet captured.

As you can see in the image above, we have a few columns here:

* **Number (No.)**: The number of the packet in the capture file. This number won't change, even if we use filters. It is just a sequential number: the first frame you sniffed gets the number 1, the second frame gets the number 2, and so on.
* **Time**: The timestamp of the packet. It shows how much time has passed from the very first packet we sniffed until the packet in question. Therefore, the time for packet number 1 is always 0.
* **Source**: The address this packet is coming from. Don't worry if you don't understand the format of the addresses just yet; we will cover the different address types in future tutorials.
* **Destination**: The address this packet is going to.
* **Protocol**: The protocol name in short form. This is the top protocol, that is, the protocol of the highest layer.
* **Length**: The length of each packet, in bytes.
* **Info**: Additional information about the packet content. This changes according to the protocol.

By clicking on packets in this pane, you control what is displayed in the other two panes, Packet Details and Packet Bytes, described above.

---

### 1.2 Tshark

Tshark is a command-line protocol analyzer used to capture and analyze network traffic from a live network. It can be used as a substitute for Wireshark if you enjoy working on a black screen. This guide is for beginners who want to start analyzing protocols and use some basic tshark commands. Here, I am listing some basic commands, with example usage, that help capture and analyze network traffic.

**Installation on Linux-based OS**

You can install tshark by typing the following command:

`sudo apt-get install tshark`

**Usage of the tshark command**

1. Show all tshark options available on your machine

   If you want to see the different options available with tshark, just type the command below. Remember to use sudo while using tshark.

   `sudo tshark -h`

   ![image](https://hackmd.io/_uploads/HkEgaJBFp.png)

2. Capture network traffic with tshark by providing an interface

   Give the interface name after the `-i` option to display the traffic of that specific interface. This option displays the clean output of a single interface.

   `sudo tshark -i <interface>`

   ![image](https://hackmd.io/_uploads/B1dfpyStp.png)

3. Capture network packets and save them to a file

   With the `-w` option, all captured packets are written to a single file in pcap format instead of being printed.

   `tshark -i <interface> -w <file-name>.pcap`

4. Read captured packets from an input pcap file

   With the `-r` option, tshark reads a saved pcap file instead of capturing live.

   `tshark -r <file-name>.pcap`

5. Capture packets into a .pcap file for a particular duration

   If you want to capture traffic from the live network for a specific period of time, use the `-a` option. The command below captures traffic for a particular duration.

   `tshark -i <interface> -a duration:<time>`

   Note: `<time>` is in seconds.

6. Check the version of tshark

   Check the version of the tshark tool with the `-v` option.

   `tshark -v`

7. Capture a specific number of packets

   tshark lets you stop after a specific number of captured packets with the `-c` option.

   `tshark -c <number> -i <interface>`

8. List all the interfaces available for capturing network traffic

   If you are unsure which interfaces are available, use the `-D` option.

   `tshark -D`

   ![image](https://hackmd.io/_uploads/ryYT21rt6.png)

9. Capture only packets of a specific protocol

   The example below shows how to filter for a specific protocol while capturing with tshark. The `-f` option takes a capture filter, in the same syntax as Wireshark's capture filters described in section 1.1.

   `tshark -i <interface> -f "<protocol>"`

   Note: `<protocol>` may be tcp, udp, dns etc.

   ![image](https://hackmd.io/_uploads/rklj3kStp.png)
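As an added example (not part of the original lab notes), the following Python script builds a small constructed pcap in memory and then reproduces two things from section 1.1: the default packet-list columns (No., Time relative to frame 1, Source, Destination, Protocol, Length, Info) and the Packet Bytes hexdump layout (offset, sixteen hex bytes, sixteen ASCII bytes). This is roughly what `tshark -r <file-name>.pcap` from section 1.2 does with a saved capture; the MAC addresses, IP addresses and ports are constructed sample values.

```python
import struct

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_sample_pcap():
    """Constructed pcap bytes (not a real capture): global header + two UDP frames."""
    def frame(src, dst, sport, dport, payload):
        eth = bytes.fromhex("aabbccddeeff112233445566") + b"\x08\x00"   # dst MAC, src MAC, IPv4
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return eth + ip + udp
    frames = [(1700000000, 0, frame("10.0.0.1", "10.0.0.2", 40000, 53, b"query")),
              (1700000000, 250000, frame("10.0.0.2", "10.0.0.1", 53, 40000, b"answer!"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # linktype 1 = Ethernet
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data  # per-record header
    return out

def packet_list(pcap):
    """Rows with Wireshark's default columns, read from pcap bytes like `tshark -r`."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"          # magic decides byte order
    rows, off, first = [], 24, None
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        data = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ts = sec + usec / 1e6
        first = ts if first is None else first              # Time is relative to frame 1
        src, dst, proto, info = "-", "-", "Ethernet", ""
        if data[12:14] == b"\x08\x00":                       # EtherType IPv4
            ihl = (data[14] & 0x0F) * 4
            src, dst = (".".join(map(str, data[i:i + 4])) for i in (26, 30))
            proto = PROTO.get(data[23], f"IP proto {data[23]}")  # highest decoded layer
            if data[23] in (6, 17):
                sport, dport = struct.unpack_from("!HH", data, 14 + ihl)
                info = f"{sport} -> {dport}"
        rows.append({"No.": len(rows) + 1, "Time": round(ts - first, 6), "Source": src,
                     "Destination": dst, "Protocol": proto, "Length": len(data), "Info": info})
    return rows

def hexdump(data):
    """Packet Bytes pane layout: offset, sixteen hex bytes, sixteen ASCII bytes per line."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<47}  {asc}")
    return lines
```

Calling `packet_list(build_sample_pcap())` yields two rows whose Time column reads 0.0 and 0.25, matching the rule that frame 1 is always at time 0; `hexdump()` on a frame gives the same offset/hex/ASCII layout as the Packet Bytes pane.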