Inspecting Network Traffic

Objectives

  • Inspect network traffic to assist troubleshooting.

Inspecting Network Traffic with Wireshark

Wireshark, formerly Ethereal, is an open source, graphical application for capturing, filtering, and inspecting network packets. Wireshark can perform promiscuous packet sniffing when network interface controllers support it. Packets are colorized for easy identification.

Protocol    Color
HTTP        Light green
TCP         Gray
UDP         Light blue
ARP         Light yellow
ICMP        Pink
Errors      Black

Red Hat Enterprise Linux 8 includes the wireshark package. This package provides Wireshark functionality on a system where X Windows is installed.

[root@host ~]# yum install wireshark

When Wireshark is installed, start it by selecting Activities > Show Applications > Wireshark from the GNOME desktop. You can also start Wireshark from the command line.

[root@host ~]# wireshark

Capturing Packets with Wireshark

Wireshark can capture network packets. Wireshark requires privileged user access to capture packets, because direct access to the network interfaces requires root privilege. On the Capture top-level menu, you can start and stop packet captures. Administrators select the interfaces to capture packets on. The any interface matches and captures on all of the network interfaces.

Wireshark can write captured packets to a file for sharing or later analysis. Use the File > Save or File > Save as menu items to specify a file to save the packets to. Wireshark supports multiple file formats.

Wireshark can read from a previously saved file to analyze captured packets. Analyzing packets from existing capture files does not require root privilege. The File > Open menu item selects the file to open, or the user can specify the file as an option when starting wireshark from the command line.

[user@host ~]$ wireshark -r yesterday-eth0.pcapng &

Inspecting Packets with Wireshark

Use the Filter field to enter expressions to limit which packets Wireshark displays. Wireshark recognizes and parses numerous network protocols. Enter http to display only HTTP packets (carried over TCP). Enter ip or ipv6 to display only IPv4 or IPv6 packets.

Use the Expression button to open a window to create more robust filtering expressions. The ip.src == 192.168.10.23 expression filters the packets so that only packets that originate from the 192.168.10.23 IP address are displayed.

Use the panes in the Wireshark main display to inspect packet contents. The top pane displays the list of captured packet headers that are selected with the current filter. The highlighted packet is currently displayed in the middle and bottom panes. The bottom pane displays the whole packet, both headers and data, in hexadecimal and ASCII format.

The middle pane displays the packet as Wireshark parsed it. Each network layer header is displayed in a brief human-readable format. You can expand each header to inspect more detailed information about that network layer data. Each line starts with the header field name followed by its value. Wireshark translates recognized values to strings. For example, when 22 is the value of a TCP port address, it is displayed as ssh with the raw value of 22 in parentheses. As each field is selected, the corresponding raw data is highlighted in the bottom pane.

Wireshark can display related packets between a protocol client and server in a more readable format. To view this format, right-click a packet, and then select Follow > TCP Stream. Client messages are displayed in one color and server responses are displayed in a different color.

Capturing Packets with the CLI

The tcpdump command captures and displays packets in a nongraphical environment. It is in the tcpdump package and is installed by default on RHEL 8 systems that are purposed as servers.

When started without arguments, the tcpdump command captures and displays brief information about all of the departing and arriving packets on the primary network interface. Packet capture continues until the user interrupts the capture by typing Ctrl+C. Add the -c COUNT option to stop the capture after COUNT packets are captured. When the program exits, the packet capture summary for this session is displayed.

[root@host ~]# tcpdump -c 3
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:40:57.581470 IP workstation.lab.example.com.ssh > bastion.lab.example.com.52100: Flags [P.], seq 3763069044:3763069256, ack 272296579, win 316, options [nop,nop,TS val 3466052426 ecr 3699108528], length 212
22:40:57.581671 IP bastion.lab.example.com.52100 > workstation.lab.example.com.ssh: Flags [.], ack 212, win 1424, options [nop,nop,TS val 3699108558 ecr 3466052426], length 0
22:40:57.581766 IP workstation.lab.example.com.ssh > bastion.lab.example.com.52100: Flags [P.], seq 212:648, ack 1, win 316, options [nop,nop,TS val 3466052426 ecr 3699108558], length 436
3 packets captured
4 packets received by filter
0 packets dropped by kernel

The tcpdump command sends packet information to standard output, unless the -w FILE option is used. Use the -w option to write packet details to the specified file as raw data for later analysis. Recommended practice is to name packet capture files with a .pcap extension for human recognition, although the tcpdump command does not require it. Start the tcpdump command with the -r FILE option to read from a capture file, instead of listening to network interfaces. Using the tcpdump command to process existing capture files does not require root privileges.

[user@host ~]$ tcpdump -r http-test.pcap
reading from file http-test.pcap, link-type EN10MB (Ethernet)
11:52:54.699448 IP servera.lab.example.com.51091 > serverb.lab.example.com.http: Flags [S], seq 981393578, win 29200, options [mss 1460,sackOK,TS val 103035086 ecr 0,nop,wscale 7], length 0
11:52:54.699499 IP serverb.lab.example.com.http >
...output omitted...

The tcpdump command can filter captured packets based on an expression that is passed as the argument. The following example captures only packets to or from the ntpserver host.

[root@host ~]# tcpdump 'host ntpserver'

The following example captures ICMP packets to and from the host at the 192.168.32.7 IP address.

[root@host ~]# tcpdump 'icmp and host 192.168.32.7'

Logical operators support complex expressions. The following example filters all IP packets between the matrix host and any other host except server175.

[root@host ~]# tcpdump 'ip host matrix and not server175'

More syntax details and examples for tcpdump filter expressions can be found in the pcap-filter(7) man page.
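As an added example (not part of the course text), the following Python reads the libpcap format that tcpdump -w writes, decodes the Ethernet and IPv4 headers the way the Wireshark middle pane does, and applies the same test as the 'icmp and host 192.168.32.7' filter shown above. The frames, addresses and timestamps are constructed here for illustration.

```python
import struct
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_ICMP = 1

def ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame (no IP options, checksum left as 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def build_pcap(frames, t0=1700000000):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    records = b"".join(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records

def read_pcap(data):
    """Yield (ts_sec, frame) for each record; honour the magic number's byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts, data[offset:offset + caplen]
        offset += caplen

def parse_ipv4(frame):
    """Return (src, dst, proto) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), frame[23])

def match_icmp_host(frame, host):
    """Same test as tcpdump 'icmp and host HOST': IPv4, ICMP, HOST as src or dst."""
    parsed = parse_ipv4(frame)
    return parsed is not None and parsed[2] == PROTO_ICMP and host in parsed[:2]

def filter_pcap(data, host):
    """Timestamps of the records in DATA that 'icmp and host HOST' would keep."""
    return [ts for ts, frame in read_pcap(data) if match_icmp_host(frame, host)]

# Constructed capture: an ICMP echo exchange with 192.168.32.7 plus two TCP segments.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("192.168.32.7", "10.0.0.1", PROTO_ICMP, b"\x08\x00" + b"\x00" * 6),  # echo request
    ipv4_frame("10.0.0.1", "192.168.32.7", PROTO_ICMP, b"\x00\x00" + b"\x00" * 6),  # echo reply
    ipv4_frame("10.0.0.1", "192.168.32.9", 6, b"\x00" * 20),   # TCP, different host
    ipv4_frame("192.168.32.7", "10.0.0.1", 6, b"\x00" * 20),   # TCP, right host, not ICMP
])
```

Only the two ICMP records survive the filter, which is exactly what tcpdump prints for the same expression; the two TCP records fail on protocol or on address.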

The tcpdump command has options to control the information that it displays about each captured packet. Use the lowercase -x option to display all packet header and data as hexadecimal values. Use the uppercase -X option to display data as hexadecimal and ASCII values. The uppercase -X option is useful if the network protocol includes text commands.

For analysis, Wireshark can read and parse packet capture files that the tcpdump command created.

Note

Wireshark also has a text-based version, named tshark. This text version is included in the wireshark package.

References

pcap-filter(7), tcpdump(8), tcpslice(8), tshark(1), wireshark(1), and wireshark-filter(4) man pages

Revision: rh342-8.4-6dd89bd