Friday, November 21, 2008

Wireshark network protocol analyzer

This article shows how to use the Wireshark network protocol analyzer. It is an easy way in for someone who has started developing a system with a network interface such as Ethernet: Wireshark helps you debug and analyze what the system sends and receives. You can download Wireshark from http://www.wireshark.org/ or wireshark-setup-0.99.5.exe
After the installation completes, open Wireshark by clicking Start->All Programs->Wireshark->Wireshark; you will see the Wireshark main window shown in the figure below.


Wireshark main window.


Before capturing, set the capture options by selecting Capture->Options or pressing Ctrl+K to open the Capture Options dialog.

Capture->Options


Select the network interface card in the Interface field and click the Start button to start capturing.


Setup Capture options.


Packet capture is now running, and Wireshark shows the Capture status dialog.


Capture status dialog.


Now open a command line by clicking Start->Run and typing "cmd" in the Run dialog. In the command line window, type ping [ip address] -n 1, for example ping 10.1.1.1 -n 1, and press Enter. Return to the Capture status dialog and you can see the captured packets as in the figure below.


Captured packets.


Click the Stop button to stop the capture. The captured packets are shown in three panes:
"Packet List" pane: a one-line summary of each packet.
"Packet Details" pane: the decoded protocol fields of each packet.
"Packet Bytes" pane: the raw bytes (hexadecimal) of each packet.
For details of each pane please see the Wireshark help file.



First packet.


I will explain each captured packet. The first packet contains Ethernet II and ARP (Address Resolution Protocol). The Ethernet II header contains the source/destination MAC addresses and the protocol type (ARP = 0806H). Look at the destination MAC address: it is 0xff,0xff,0xff,0xff,0xff,0xff, and a destination MAC address of 0xff,0xff,0xff,0xff,0xff,0xff means this is a broadcast packet. For more detail about the ARP protocol please visit http://www.networksorcery.com/enp/protocol/arp.htm


Second packet.


The second packet is the ARP reply from the AVRnet Ethernet dev board; look at the ARP opcode (opcode=0x0002 is reply).


Third packet.


The third packet is the echo request from the computer to the AVRnet. It is ICMP (Internet Control Message Protocol); for more detail about the ICMP protocol please visit http://www.networksorcery.com/enp/protocol/icmp.htm


Fourth packet.


The fourth packet is the echo reply from the AVRnet. It is an ICMP echo reply; look at the ICMP type (type=0x00 is echo reply).
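As an added example (not code from the original article), the following Python script rebuilds the four frames of that ping exchange from the description above and dissects each one the way the Packet List pane does: Ethernet II header first, then the ARP opcode or the ICMP type underneath. The MAC addresses and the 10.1.1.2 address of the PC are constructed assumptions; checksums are left at zero because the sample is never sent on a wire.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses standing in for the PC and the AVRnet board (assumptions, not from the page).
PC_MAC, PC_IP = bytes.fromhex("001122334455"), bytes([10, 1, 1, 2])
AVR_MAC, AVR_IP = bytes.fromhex("00aabbccddee"), bytes([10, 1, 1, 1])
BCAST = b"\xff" * 6
ETHERTYPE_ARP, ETHERTYPE_IPV4, IPPROTO_ICMP = 0x0806, 0x0800, 1

def eth(dst, src, ethertype, payload):
    # Ethernet II header: destination MAC, source MAC, EtherType, then the payload.
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def arp(opcode, sha, spa, tha, tpa):
    """ARP for IPv4 over Ethernet: hw type 1, proto 0x0800, hw len 6, proto len 4."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)

def icmp_in_ip(icmp_type, src_ip, dst_ip):
    """Minimal IPv4 header + ICMP echo (checksums left zero; this is a constructed sample)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0, src_ip, dst_ip)
    return ip + icmp

def summarize(frame):
    """One Packet List style line: Ethernet II, then ARP or IPv4/ICMP underneath."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    if etype == ETHERTYPE_ARP:
        op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])[4:]
        if op == 1:  # request; the article's first packet, sent to ff:ff:ff:ff:ff:ff
            return f"ARP request: who has {IPv4Address(tpa)}? tell {IPv4Address(spa)} broadcast={dst == BCAST}"
        return f"ARP reply (opcode {op:#06x}): {IPv4Address(spa)} is at {sha.hex(':')}"
    if etype == ETHERTYPE_IPV4:
        ihl = (body[0] & 0x0F) * 4  # header length in bytes; ICMP starts right after it
        proto, s, d = body[9], IPv4Address(body[12:16]), IPv4Address(body[16:20])
        if proto == IPPROTO_ICMP:
            t = body[ihl]
            name = {8: "echo request", 0: "echo reply"}.get(t, "other")
            return f"ICMP type {t:#04x} ({name}): {s} -> {d}"
    return f"unhandled EtherType {etype:#06x}"

CAPTURE = [  # the four frames "ping 10.1.1.1 -n 1" produces, rebuilt from the article's description
    eth(BCAST, PC_MAC, ETHERTYPE_ARP, arp(1, PC_MAC, PC_IP, b"\0" * 6, AVR_IP)),
    eth(PC_MAC, AVR_MAC, ETHERTYPE_ARP, arp(2, AVR_MAC, AVR_IP, PC_MAC, PC_IP)),
    eth(AVR_MAC, PC_MAC, ETHERTYPE_IPV4, icmp_in_ip(8, PC_IP, AVR_IP)),
    eth(PC_MAC, AVR_MAC, ETHERTYPE_IPV4, icmp_in_ip(0, AVR_IP, PC_IP)),
]

def packet_list():
    return [summarize(f) for f in CAPTURE]
```

Calling packet_list() yields the same four summary lines you see in the Packet List pane, which makes it easy to check what Wireshark's dissectors are reading out of the Packet Bytes pane.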

If you need more detail about Wireshark, you can get help from the help file or http://wiki.wireshark.org/

Download : wireshark-setup-0.99.7.exe
