Wireshark/Protocol Analysis
From charlesreid1
Protocols
Another way to analyze traffic in Wireshark is to look at statistics about the protocol layer.
You can open Statistics > Protocol Hierarchy to see information about what protocols are used in what amounts.
This can be useful if you are trying to determine "normal" behavior for a network, and then trying to determine if a particular day's traffic is an outlier and why.
By looking at a network's protocol statistics, you can learn a lot about that network. For example, an IT department's traffic will include administrative protocols such as ICMP or SNMP, an ordering department will generate a lot of SMTP, and the interns will be playing WoW.
Wireless Pcap
If you load a wireless pcap into Wireshark and click Statistics > Protocol Hierarchy, you will see a table like the one in the screenshot, with two percentage columns for each protocol.
The first percentage shows each protocol's share of the number of packets. However, packets vary widely in size, so the second column shows each protocol's share of the total bytes. Wireless data packets thus account for only 6 percent of the packets but nearly 50 percent of the total traffic, a lopsided ratio.
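The following Python is an added example, not code from the original page or from Wireshark: it recomputes the two Protocol Hierarchy columns (packet share and byte share) from a constructed list of dissected frames, flags layers with the lopsided ratio described above, and compares a capture against a baseline to spot the kind of outlier day the text mentions. The protocol labels and frame sizes are made up for illustration.

```python
from collections import Counter

# Constructed sample (not a real capture): each entry is (protocol stack as
# Wireshark would dissect it, frame length in bytes). Many small 802.11
# management/control frames plus a few full-size data frames, the mix that
# gives the lopsided packet-share vs byte-share ratio described above.
WIRELESS_SAMPLE = (
    [(("wlan", "wlan.mgt"), 100)] * 14                       # beacons, probes
    + [(("wlan", "wlan.ctl"), 28)] * 4                       # ACK, RTS, CTS
    + [(("wlan", "data", "llc", "ip", "tcp"), 1500)] * 2     # payload frames
)

def protocol_hierarchy(frames):
    """Per-layer packet and byte shares, as Statistics > Protocol Hierarchy
    reports them. A frame is counted once at every layer of its stack, so a
    parent's figures include its children and the top layer is 100 % / 100 %."""
    pkts, octets = Counter(), Counter()
    for stack, length in frames:
        for depth in range(1, len(stack) + 1):
            pkts[stack[:depth]] += 1
            octets[stack[:depth]] += length
    total_pkts, total_bytes = len(frames), sum(length for _, length in frames)
    return {path: {"packets": pkts[path], "bytes": octets[path],
                   "packet_pct": 100.0 * pkts[path] / total_pkts,
                   "byte_pct": 100.0 * octets[path] / total_bytes}
            for path in sorted(pkts)}

def lopsided_layers(hierarchy, factor=3.0):
    """Layers whose byte share exceeds their packet share by more than
    `factor`: a few frames carrying most of the traffic (bulk data)."""
    return [path for path, row in hierarchy.items()
            if row["packet_pct"] and row["byte_pct"] / row["packet_pct"] > factor]

def byte_share_drift(baseline, today, points=10.0):
    """Layers whose byte share moved more than `points` percentage points
    against a baseline capture: the 'is today an outlier' check from the text."""
    def share(h, p):
        return h[p]["byte_pct"] if p in h else 0.0
    return {p: (share(baseline, p), share(today, p))
            for p in set(baseline) | set(today)
            if abs(share(baseline, p) - share(today, p)) > points}

if __name__ == "__main__":
    hier = protocol_hierarchy(WIRELESS_SAMPLE)
    for path, row in hier.items():   # indented like the Wireshark tree
        print(f"{'  ' * (len(path) - 1)}{path[-1]:<9}"
              f"{row['packet_pct']:6.1f} % packets {row['byte_pct']:6.1f} % bytes")
    print("lopsided:", lopsided_layers(hier))
```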