Networks are used by computers to communicate. These networks could be connected to the internet or a local area network (LAN). Network sniffers are programs that capture the low-level packet data that is transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords.
In this tutorial, you will find out how Wireshark works. We’ll walk you through where to find and how to install the Wireshark application on your PC. You will learn how to launch a packet capture and what data you might anticipate receiving from it. The Wireshark lesson will also demonstrate how to utilize the data modification tools in the interface to their full potential. You will also discover how to obtain data analysis tools that are superior to Wireshark’s built-in tools.
What is Wireshark?
Wireshark is an open-source and free network traffic inspection tool. It captures and displays packets in real-time for offline analysis in a human-readable format with microscopic details. It requires some sound knowledge of basic networking and is considered an essential tool for system administrators and network security experts.
Wireshark, formerly known as Ethereal, shows information from hundreds of different protocols across all significant network types. Data packets can be analyzed offline or in real time. Numerous capture and trace file types, including CAP and ERF, are supported. Integrated decryption support for a number of popular protocols, such as WEP and WPA/WPA2, lets Wireshark display the decrypted contents of encrypted packets.
Wireshark is the de facto go-to tool for a range of network tasks: network troubleshooting, examining security issues, inspecting the network traffic of a suspicious application, debugging protocol implementations, and learning about network protocols.
The Wireshark project was initiated in 1998. Thanks to voluntary contributions from networking experts around the world, it continues to add support for new technologies and encryption standards. Hence, it is by far one of the best packet analyzer tools and is used as a standard commercial tool by various government agencies, educational institutes, and non-profit organizations.
History of Wireshark:
In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, was working for a small ISP (Internet Service Provider). The protocol analyzers available at that time did not meet his primary requirements, so he started writing Ethereal and released the first version around 1998. Network Integration Services owns the Ethereal trademark.
Combs still held the copyright on most of the Ethereal source code, and the rest of the source code was redistributed under the GNU GPL. He did not own the Ethereal trademark, so he changed the name to Wireshark, using the Ethereal code as its basis.
Wireshark has won several industry awards over the years, including from eWeek, InfoWorld, and PC Magazine, and has been rated a top packet sniffer. Combs continued the work and released new versions of the software. The Wireshark project website lists around 600 contributing authors.
The functionality of Wireshark:
Wireshark is similar to tcpdump. tcpdump is a common command-line packet analyzer that lets the user display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Wireshark adds a graphical front end and sorting and filtering functions. Wireshark users can see all the traffic passing through the network interface.
With promiscuous mode enabled, Wireshark can also monitor unicast traffic that is not addressed to the capturing interface's MAC address. But a switch does not forward all traffic to every port, so promiscuous mode alone is not sufficient to see all the traffic. Network taps or port mirroring are used to extend capture to any point in the network.
Port mirroring is a method to monitor network traffic. When it is enabled, the switch sends the copies of all the network packets present at one port to another port.
Uses of Wireshark:
Wireshark can be used in the following ways:
- It is used by network security engineers to examine security problems.
- It allows the users to see all the traffic being passed over the network.
- It is used by network engineers to troubleshoot network issues.
- It also helps to troubleshoot latency issues and malicious activities on your network.
- It can also analyze dropped packets.
- It helps us to know how all the devices like laptops, mobile phones, desktops, switches, routers, etc., communicate in a local network or the rest of the world.
Wireshark has a rich feature set that includes the following:
- Deep inspection of hundreds of protocols, with more being added all the time
- Live capture and offline analysis
- Standard three-pane packet browser
- Multi-platform: Runs on Windows, Linux, OS X, FreeBSD, NetBSD, and many others
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
- The most powerful display filters in the industry
- Rich VoIP analysis
- Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
- Capture files compressed with gzip can be decompressed on the fly
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Coloring rules can be applied to the packet list for quick, intuitive analysis
- Output can be exported to XML, PostScript®, CSV, or plain text
How to Download and Install Wireshark
The first thing you need to do is download and install it. You can download Wireshark for free from the company website. To have the smoothest running experience, it is advised that you download the latest version available on your platform from the “stable release” section.
Install on Windows
Once you’ve downloaded the program you can start the setup process. During installation, you may be prompted to install WinPcap. It’s important to install WinPcap as without it you will be unable to capture live network traffic. Without WinPcap you will only be able to open saved capture files. To install, simply check the Install WinPcap box.
Let’s look at this in more detail.
Select the installer for your Windows architecture (64-bit or 32-bit) and click on the link to download the package.
Once the installer is on your computer, follow these steps:
- Click on the downloaded file to run it. Click Yes in the User Account Control window.
- Click Next on the opening screen of the installer.
- In the License Agreement screen, click the Noted button.
- Leave all of the defaults in the Choose Components screen. Click the Next button.
- Leave all settings as they are in the Additional Tasks screen and click on Next.
- In Choose Install Location, just click on Next.
- In the Packet Capture screen, leave the consent box checked and click the Next button.
- In the USB Capture screen, check the Install USBPcap box and press the Install button.
- Let the installation progress. During the process, you will be presented with a consent screen for Npcap. Click on I Agree.
- In the Npcap Installation Options screen, check Restrict Npcap driver's access to Administrators only, Support raw 802.11 traffic (and monitor mode) for wireless adapters, and Install Npcap in WinPcap API-compatible Mode. Click on Install.
- When the Npcap setup has finished, click on Next and then Finish to dismiss that dialog window. The Wireshark installation will continue.
- In the Installation Complete screen, click on Next and then Finish in the next screen.
Look in your Start menu for the Wireshark icon. Click on it to run the utility.
Install on Mac
To install Wireshark on Mac, you first need XQuartz. Download and install it, then open the Terminal and input the following command:
Then wait for Wireshark to start.
Install on Unix
In order to run Wireshark on Unix, you need a couple of other tools installed on your system first. These are:
- GTK+ (the GIMP Toolkit) and GLib, which both come from the same source. You can get familiar with both tools at https://www.gtk.org/
- libpcap, which you get from http://www.tcpdump.org/.
After installing the above supporting software, and downloading the software for Wireshark, you need to extract it from the tar file.
gzip -d wireshark-1.2-tar.gz
tar xvf wireshark-1.2-tar
Change to the Wireshark directory and then issue the following commands:
./configure
make
make install
You can now run the Wireshark program on your Unix computer.
How to Capture Data Packets
Capturing data packets is one of the main uses of Wireshark as a network investigation tool. For thorough network analysis, it is crucial to learn how to configure Wireshark to collect packets. It’s vital to remember that while using Wireshark for the first time, it can be challenging to capture packets. There are three steps you must do before beginning to capture packets:
- Make sure that you have the administrative privileges to start a live capture on your device
- Choose the correct network interface to capture packet data from
- Capture packet data from the correct location in your network
You are now prepared to begin the capture procedure after completing these three steps. When you use Wireshark to capture packets, they are shown to the user in a format that is easy to read. If you want to examine more detailed information, you may also segment packets using filters and color coding.
When you first open up Wireshark, you’ll be met by the following launch screen:
The first thing you need to do is look at the available interfaces to capture. To do this, select Capture > Options. The “Capture Interfaces” dialog box will then open as shown below:
To begin, select the box next to the interface you wish to record, then click the Start button. If you wish to collect data from several sources at once, you can choose different interfaces.
On Unix or Linux, the dialog box is shown in a similar style like this:
You can also start Wireshark by using the following command line:
wireshark -i eth0 -k
You can also use the shark fin button on the toolbar as a shortcut to initiate packet capturing. Once you click this button, Wireshark will start the live capture process.
If you want to stop capturing, click the red stop button next to the shark fin.
You must switch on “promiscuous mode” if you wish to generate an overhead view of your network packet transfers. In promiscuous mode, Wireshark examines each packet it encounters as it passes across the interface. When this mode is turned off, your network is less transparent, and you only get a restricted snapshot of it (this makes it more difficult to conduct any analysis).
To activate the promiscuous mode, click on the Capture Options dialog box and click promiscuous mode. In theory, this should show you all the traffic active on your network. The promiscuous mode box is shown below:
But this frequently isn’t the case. You must visit the Wireshark website to find information about your particular hardware because many network interfaces are resistant to promiscuous mode.
On Windows, it’s useful to open Device Manager and check whether you have your settings configured to reject promiscuous mode. For example:
(Simply click on network and then make sure that your promiscuous mode setting is set to Allow All).
Promiscuous mode will be rejected if your settings are set to "reject," which will reduce the number of packets Wireshark can collect. Check your Device Manager to make sure that your interface isn't preventing any data from passing through, even if promiscuous mode is active in Wireshark. By taking the time to look through your network architecture, you can make sure Wireshark gets all the data packets it needs.
How to Analyze Captured Packets
Once you’ve captured your network data, you’ll want to look at your captured packets. In the screenshot below you’ll see three panes, the packet list pane, the packet bytes pane, and the packet details pane.
The packet list pane is shown at the top of the screenshot. Each packet is listed with a number, time, source, destination, protocol, and summary information.
The middle pane is the packet details pane, which displays the chosen packet's protocols. Each segment can be expanded by clicking the arrow next to its row. By right-clicking an item, you can easily add filters based on it.
The bottom of the window is the packet bytes pane, which shows the raw data of the selected packet. When you select and highlight a portion of the data here, the packet details pane highlights the corresponding field. By default, all data is displayed in hexadecimal; right-click the pane and choose the bits option from the context menu to switch to bit format.
Basic concepts of the Network Traffic
An IP address is used on both a local network and the Internet so that devices can connect with one another. It identifies a host or network interface and gives the host's location within the network, which makes it possible to construct a path to that host. The Internet Protocol is the set of predetermined rules under which this communication takes place. IPv4 and IPv6 are the two types of IP addresses.
- IPv4 is a 32-bit address written as four groups, each representing 8 bits with a value from 0 to 255.
- IPv6 is a 128-bit address.
IP addresses: IP addresses are assigned to the host either dynamically or statically. Most private users have dynamic IP addresses, while business users or servers have static IP addresses. Dynamic IP changes whenever the device is connected to the Internet.
Computer Ports: The computer ports work in combination with the IP address directing all outgoing and incoming packets to their proper places. There are well-known ports to work with like FTP (File Transfer Protocol), which has port no. 21, etc. All the ports have the purpose of directing all packets in the predefined direction.
Protocol: The Protocol is a set of predefined rules. They are considered the standardized form of communication. One of the most used protocols is TCP/IP. It stands for Transmission Control Protocol/Internet Protocol.
OSI model: OSI stands for Open Systems Interconnection. The OSI model has seven layers, namely the Application layer, Presentation layer, Session layer, Transport layer, Network layer, Data Link layer, and Physical layer. The OSI model gives a detailed representation and explanation of the transmission and reception of data through the layers. It supports both connectionless and connection-oriented communication modes over the network layer. The OSI model was developed by ISO (the International Organization for Standardization).
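The packet details pane does exactly this kind of decoding: it turns the raw bytes in the bytes pane into the addresses, protocol, and ports the concepts above describe. The following Python dissector is added here as an example and is not part of the original tutorial or of Wireshark. It decodes a constructed Ethernet/IPv4/TCP frame (the frame bytes, MAC addresses, IP addresses, and ports are made up) and produces a one-line summary in the style of the packet list pane. It checks header lengths at every layer, which is the check a real dissector needs when a capture contains truncated or malformed packets.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample frame (not from a real capture): Ethernet II + IPv4 + TCP SYN
# from 192.168.1.10:51234 to 93.184.216.34:80. Checksums are left at zero; the
# dissector below, like Wireshark by default, does not validate them.
SAMPLE_FRAME = bytes.fromhex(
    "00 11 22 33 44 55"  # destination MAC
    "66 77 88 99 aa bb"  # source MAC
    "08 00"              # EtherType 0x0800 = IPv4
    "45 00 00 28"        # IPv4: version 4, IHL 5 (20 bytes), total length 40
    "00 01 00 00"        # identification, flags/fragment offset
    "40 06 00 00"        # TTL 64, protocol 6 (TCP), header checksum
    "c0 a8 01 0a"        # source 192.168.1.10
    "5d b8 d8 22"        # destination 93.184.216.34
    "c8 22 00 50"        # TCP source port 51234, destination port 80
    "00 00 00 01"        # sequence number 1
    "00 00 00 00"        # acknowledgment number 0
    "50 02 ff ff"        # data offset 5 (20 bytes), flags SYN, window 65535
    "00 00 00 00"        # checksum, urgent pointer
)

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


@dataclass
class PacketSummary:
    # The fields Wireshark's packet list and details panes derive from the raw bytes.
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: List[str] = field(default_factory=list)
    payload: bytes = b""


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def dissect(frame: bytes) -> PacketSummary:
    """Decode an Ethernet II / IPv4 / TCP-or-UDP frame, checking lengths as it goes."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_length = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ihl < 20 or total_length < ihl or len(ip) < total_length:
        raise ValueError("malformed IPv4 header or truncated packet")
    proto_num = ip[9]
    transport = ip[ihl:total_length]
    summary = PacketSummary(mac_to_str(src_mac), mac_to_str(dst_mac),
                            ipv4_to_str(ip[12:16]), ipv4_to_str(ip[16:20]),
                            PROTOCOL_NAMES.get(proto_num, f"proto-{proto_num}"))
    if proto_num == 6:  # TCP: ports, then data offset in byte 12 and flags in byte 13
        if len(transport) < 20:
            raise ValueError("truncated TCP header")
        summary.src_port, summary.dst_port = struct.unpack("!HH", transport[0:4])
        summary.tcp_flags = [name for name, bit in TCP_FLAG_BITS if transport[13] & bit]
        summary.payload = transport[(transport[12] >> 4) * 4:]
    elif proto_num == 17:  # UDP: fixed 8-byte header
        if len(transport) < 8:
            raise ValueError("truncated UDP header")
        summary.src_port, summary.dst_port = struct.unpack("!HH", transport[0:4])
        summary.payload = transport[8:]
    return summary


def packet_list_row(summary: PacketSummary) -> str:
    """One line in the style of Wireshark's packet list pane."""
    ports = f" {summary.src_port} -> {summary.dst_port}" if summary.src_port is not None else ""
    flags = f" [{', '.join(summary.tcp_flags)}]" if summary.tcp_flags else ""
    return f"{summary.src_ip} -> {summary.dst_ip} {summary.protocol}{ports}{flags}"


if __name__ == "__main__":
    print(packet_list_row(dissect(SAMPLE_FRAME)))
```

The length checks are what keep the dissector from reading past the end of a short frame; the same frame cut to 40 bytes is rejected rather than decoded into garbage.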
How to Use Wireshark Filters
Capture filters instruct Wireshark to record only packets that satisfy specific requirements. Filters can also be applied to a capture file so that only specific packets are displayed; these are called display filters.
Wireshark provides a large number of predefined filters by default. To use one of these existing filters, enter its name in the Apply a display filter entry field located below the Wireshark toolbar or in the Enter a capture filter field located in the center of the welcome screen.
For example, if you want to display only TCP packets, type tcp. Wireshark's autocomplete feature shows suggested names as you begin typing, making it easier to find the correct name for the filter you're seeking.
Another way to choose a filter is to select the bookmark on the left side of the entry field. Choose Manage Filter Expressions or Manage Display Filters to add, remove, or edit filters.
You can also access previously used filters by selecting the down arrow on the right side of the entry field to display a history drop-down list.
Capture filters are applied as soon as you begin recording network traffic. To apply a display filter, select the right arrow on the right side of the entry field.
Below is the list of filters used in Wireshark:
What is network sniffing?
Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent on a network, the recipient computer with the matching IP address responds with its MAC address.
Network sniffing is the process of intercepting data packets sent over a network. This can be done by a specialized software program or hardware equipment. Sniffing can be used to
- Capture sensitive data such as login credentials
- Eavesdrop on chat messages
- Capture files being transmitted over a network
The following are protocols that are vulnerable to sniffing
The above protocols are vulnerable if login details are sent in plain text
Before we look at passive and active sniffing, let's look at the two major devices used to network computers: hubs and switches.
A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. If the IP address matches, the broadcast message is responded to by the recipient computer. Therefore, while using a hub, the broadcast message is visible to every computer connected to the network. It functions at the OSI Model’s physical layer, or layer 1.
The diagram below illustrates how the hub works.
A switch works differently: it maps IP/MAC addresses to its physical ports. Messages are transmitted only to the physical port that corresponds to the receiving computer's IP/MAC address. This implies that only the receiving machine can see those messages. Switches function at the data link layer (layer 2) and the network layer (layer 3).
The diagram below illustrates how the switch works.
Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform, as the hub sends every message to all the computers on the network.
Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switched networks: ARP poisoning and MAC flooding.
In this practical scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol. For this example, we will sniff the network using Wireshark, then log in to a web application that does not use secure communication. We will log in to a web application on http://www.techpanda.org/
The login address is firstname.lastname@example.org, and the password is Password2010.
Note: For this demonstration, we log in to the web application ourselves. The same method can also be used to sniff data packets from other machines connected to the same network as the one you are using. The capture includes all HTTP and other protocol data packets, not just those to techpanda.org.
Sniffing the network using Wireshark
The illustration below shows the steps you will carry out to complete this exercise without confusion.
Download Wireshark from this link http://www.wireshark.org/download.html
- Open Wireshark
- You will get the following screen
- Select the network interface you want to sniff. Note for this demonstration, we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
- Click on the start button as shown above
- Open your web browser and type in http://www.techpanda.org/
- The login email is email@example.com and the password is Password2010
- Click on the submit button
- A successful logon should give you the following dashboard
- Go back to Wireshark and stop the live capture
- Filter for HTTP protocol results only using the filter textbox
- Locate the Info column and look for entries with the HTTP verb POST and click on it
- Just below the log entries, there is a panel with a summary of captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded
- You should be able to view the plaintext values of all the POST variables submitted to the server via HTTP protocol.
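From a defender's side, the same observation is the basis for a useful check: a capture taken at a network tap or mirror port can be scanned for login forms and Basic authentication that still travel over cleartext HTTP, so those applications can be moved to HTTPS. The Python script below is an added example, not code from the original tutorial or from Wireshark; the request payloads, the host name www.example-app.test, and the credential values are all constructed. It records only which field names and which host received credentials, never the secret itself, so the report can be shared without spreading the password further.

```python
from typing import Dict, List
from urllib.parse import parse_qs

# Field names that usually carry a secret in a login form.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "passphrase"}

# Constructed sample payloads (not from a real capture): the reassembled TCP
# payload of four HTTP requests, as Wireshark shows them in the details pane.
# The Basic credential is base64 of the made-up "user:hunter2".
SAMPLE_REQUESTS = [
    "POST /index.php HTTP/1.1\r\nHost: www.example-app.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n\r\n"
    "email=user%40example.test&password=hunter2",
    "GET /dashboard HTTP/1.1\r\nHost: www.example-app.test\r\n\r\n",
    "POST /api/search HTTP/1.1\r\nHost: www.example-app.test\r\n"
    "Content-Type: application/json\r\n\r\n{\"q\": \"wireshark\"}",
    "GET /admin HTTP/1.1\r\nHost: www.example-app.test\r\n"
    "Authorization: Basic dXNlcjpodW50ZXIy\r\n\r\n",
]


def parse_http_request(payload: str):
    """Split a raw request into (method, path, headers, body); header names are lower-cased."""
    head, _, body = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("not an HTTP request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def find_cleartext_credentials(payloads: List[str]) -> List[dict]:
    """Flag requests that carry credentials over plain HTTP. Only the field names
    and the destination are recorded, never the secret itself."""
    findings = []
    for payload in payloads:
        method, path, headers, body = parse_http_request(payload)
        host = headers.get("host", "?")
        if headers.get("authorization", "").startswith("Basic "):
            findings.append({"kind": "basic-auth", "host": host, "path": path, "fields": []})
        if method != "POST":
            continue
        if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            continue  # JSON or multipart bodies would need their own parser
        fields = parse_qs(body, keep_blank_values=True)
        hits = sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)
        if hits:
            findings.append({"kind": "form-field", "host": host, "path": path, "fields": hits})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"{finding['kind']}: {finding['host']}{finding['path']} {finding['fields']}")
```

Run against the sample, it reports the form login on /index.php and the Basic authentication on /admin, and ignores the JSON request, which a real deployment would have to handle with a second parser.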
MAC flooding is a network sniffing technique that floods the switch MAC table with fake MAC addresses. This causes the switch memory to become overloaded and causes it to function as a hub. All computers connected to a network receive the broadcast messages once the switch has been compromised. This enables the sniffing of data packets as they travel across the network.
Counter Measures against MAC flooding
- Some switches have a port security feature. This feature can be used to limit the number of MAC addresses on the ports. It can also be used to maintain a secure MAC address table in addition to the one provided by the switch.
- Authentication, authorization, and accounting servers can be used to filter discovered MAC addresses.
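The port security feature above is easier to reason about once it is written down. The Python model below is an added example, not Wireshark code and not any vendor's implementation, of how a switch with a per-port MAC address limit reacts to a MAC flood: normal ports keep forwarding, while a port that tries to learn more addresses than allowed is either shut down or has the offending frames dropped and counted. The port names and MAC addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FrameEvent:
    time: float
    port: str      # switch port the frame arrived on
    src_mac: str   # source MAC address the switch would learn from the frame


class PortSecurityMonitor:
    """Model of the port-security countermeasure: each port may learn at most
    `max_addresses` source MACs; any further address is a violation."""

    def __init__(self, max_addresses: int = 2, violation: str = "shutdown"):
        if violation not in ("shutdown", "restrict"):
            raise ValueError("violation must be 'shutdown' or 'restrict'")
        self.max_addresses = max_addresses
        self.violation = violation
        self.learned = defaultdict(dict)   # port -> {mac: first_seen}
        self.shutdown_ports = set()
        self.alerts: List[FrameEvent] = []

    def observe(self, event: FrameEvent) -> bool:
        """Return True if the frame would be forwarded, False if it is dropped."""
        if event.port in self.shutdown_ports:
            return False
        table = self.learned[event.port]
        if event.src_mac in table:
            return True
        if len(table) < self.max_addresses:
            table[event.src_mac] = event.time
            return True
        # Over the limit: this is what a MAC flood looks like from the switch's side.
        self.alerts.append(event)
        if self.violation == "shutdown":
            self.shutdown_ports.add(event.port)
        return False


def sample_events() -> List[FrameEvent]:
    """Constructed traffic: a normal port with two hosts, then a flood of
    forged source MACs arriving on another port."""
    events = [
        FrameEvent(0.0, "port1", "00:aa:00:00:00:01"),
        FrameEvent(0.1, "port1", "00:aa:00:00:00:02"),
        FrameEvent(0.2, "port1", "00:aa:00:00:00:01"),
    ]
    for i in range(50):
        events.append(FrameEvent(1.0 + i * 0.001, "port7",
                                 f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    return events


def simulate(events: List[FrameEvent], max_addresses: int = 2, violation: str = "shutdown"):
    """Run the events through a monitor; return (frames forwarded, alerts, shut-down ports)."""
    monitor = PortSecurityMonitor(max_addresses, violation)
    forwarded = sum(1 for event in events if monitor.observe(event))
    return forwarded, len(monitor.alerts), sorted(monitor.shutdown_ports)


if __name__ == "__main__":
    print("shutdown:", simulate(sample_events()))
    print("restrict:", simulate(sample_events(), violation="restrict"))
```

In shutdown mode the flooded port is disabled after the first violation and produces a single alert; in restrict mode it stays up, but every forged address is dropped and counted, which is the counter an operator would watch for.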
Sniffing Counter Measures
- Restricting access to the network's physical media greatly reduces the chances of a network sniffer being installed.
- Encrypting messages as they are transmitted over the network greatly reduces their value to a sniffer, as they are difficult to decrypt.
- Changing the network to a Secure Shell (SSH) network also reduces the chances of the network being sniffed.
Wireshark Color Rules
While Wireshark's capture and display filters restrict which packets are captured or displayed, its colorization feature goes a step further by giving different packet types distinct colors. The row color in the packet list window lets you rapidly identify specific packets within a saved capture.
Wireshark comes with about 20 default coloring rules, each of which can be edited, disabled, or deleted. Select View > Coloring Rules for an overview of what each color means. You can also add your own color-based filters.
Select View > Colorize Packet List to toggle packet colorization on and off.
Wireshark provides a wide range of statistics. The table below lists them along with a description of each:
| Statistic | Description |
| --- | --- |
| Capture file properties | Includes the file, time, capture, interfaces (current interface in use), and statistics (measurements) sections. |
| Resolved addresses | Includes all the IP addresses and DNS names that were resolved in your packet capture. It gives an idea of the different resources accessed during the capture process. It is shown in fig (b). |
| Protocol hierarchy | A tree of all the protocols found during the capture process. The image is shown above in fig (c). |
| Conversations | Each row of the list gives the statistics of one particular conversation. |
| Endpoints | A logical endpoint of the separate protocol traffic at the specified protocol layer. For example, an IP address endpoint sends and receives all types of packets to and from that particular IP address. |
| Packet lengths | Displays the distribution of the different packet lengths seen in the capture. |
| I/O Graphs | Displays a graph of the captured packets over time. You can also apply filters while doing so. The process is explained below in detail. |
| Service Response Time | Available for many protocols; it is the time between a request and its response. The protocols for which it is available are AFP (Apple Filing Protocol), FC (Fiber Channel), GTP (GPRS Tunneling Protocol), LDAP (Lightweight Directory Access Protocol), MGCP (Media Gateway Control Protocol), NCP (NetWare Core Protocol), SMB (Server Message Block Protocol), and SMB2 (Server Message Block Protocol version 2). |
| DHCP (BOOTP) Statistics | Utilized as a BOOTP option. DHCP is a client/server protocol that assigns IP addresses to DHCP clients on the fly. When DHCP fails to assign an IP address, certain computer systems fall back on APIPA (Automatic Private IP Address). |
| ONC-RPC Programs | Stands for Open Network Computing Remote Procedure Call. It can use TCP or UDP as its transport protocol. ONC-RPC cannot be filtered on directly during capture, but you can filter on TCP or UDP instead. It is shown in fig (d). |
| 29West | ULLM (Ultra-Low Latency Messaging) technology. |
| ANCP | Stands for Access Node Control Protocol. It is a TCP-based L2CP (Layer 2 Control Protocol). It has its own adjacency layer, which decides the messages exchanged by the ANCP endpoints using 'Capabilities.' |
| BACnet | Created specifically to suit the communication requirements of building automation and control systems, such as lighting control and fire detection systems. Regardless of the specific building service it delivers, it offers the framework for information sharing. |
| Collectd | Used to monitor the traffic on a specific TCP port. |
| DNS | Stands for Domain Name Server; gives a detailed analysis of the DNS traffic. It provides the list of the codes returned in DNS, and you can also view the errors in the traffic. |
| Flow graph | A method to check the connections between a client and a server. It is an efficient way to verify the connections between two endpoints and also assists with troubleshooting. |
| HART-IP | Stands for Highway Addressable Remote Transducer over IP. It gives details for the request, response, publish, and error packets. |
| HPFEEDS | Determines the payload size per channel and the opcodes. |
| HTTP | Has four options: Packet Counter (request types and response codes); Requests (based on URL and host); Load Distribution (based on server address and host); Request Sequences (the sequences of captured HTTP requests as a tree). |
| HTTP2 | HTTP version 2. |
| Sametime | Used to analyze slow network traffic when the server and client have the same time. |
| TCP Stream Graphs | Explained below in detail. |
| UDP Multicast Streams | Stream parameters and burst parameters can be set here. It covers OSPF, IGMP, and video streams. |
| F5 | Includes the virtual server distribution and the tmm distribution. It specifies the tcpdump commands. |
|  | These options determine all addresses, destinations and ports, IP protocol types, and the source and destination address. |
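The Conversations and Endpoints statistics from the table are simple aggregations over the per-packet fields. The Python below is an added example, not Wireshark's own implementation, that computes both from a constructed list of packet records (the addresses, ports, and lengths are made up): conversations are keyed independently of direction, as in Wireshark's Conversations window, and endpoints get separate transmit and receive byte counts so that the top talkers can be listed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PacketRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int   # frame length in bytes


# Constructed sample records (not from a real capture): one short HTTP exchange
# and one DNS lookup from the same client.
SAMPLE_PACKETS = [
    PacketRecord("10.0.0.5", 51000, "10.0.0.9", 80, "tcp", 100),
    PacketRecord("10.0.0.9", 80, "10.0.0.5", 51000, "tcp", 1500),
    PacketRecord("10.0.0.5", 51000, "10.0.0.9", 80, "tcp", 60),
    PacketRecord("10.0.0.5", 53021, "10.0.0.1", 53, "udp", 70),
    PacketRecord("10.0.0.1", 53, "10.0.0.5", 53021, "udp", 150),
]

ConvKey = Tuple[str, str, int, str, int]   # proto, address A, port A, address B, port B


def conversations(packets: List[PacketRecord]) -> Dict[ConvKey, dict]:
    """Group packets into bidirectional conversations, like Statistics > Conversations.
    The lexically smaller (address, port) pair is always endpoint A, so both
    directions of a flow land on the same key."""
    stats: Dict[ConvKey, dict] = {}
    for p in packets:
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        a_to_b = a <= b
        key = (p.proto,) + (a + b if a_to_b else b + a)
        s = stats.setdefault(key, {"packets": 0, "bytes": 0, "packets_a_to_b": 0,
                                   "bytes_a_to_b": 0, "packets_b_to_a": 0, "bytes_b_to_a": 0})
        s["packets"] += 1
        s["bytes"] += p.length
        direction = "a_to_b" if a_to_b else "b_to_a"
        s["packets_" + direction] += 1
        s["bytes_" + direction] += p.length
    return stats


def endpoints(packets: List[PacketRecord]) -> Dict[str, dict]:
    """Per-address totals, like Statistics > Endpoints (IPv4 tab)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_bytes": 0, "rx_bytes": 0})
    for p in packets:
        for addr, counter in ((p.src_ip, "tx_bytes"), (p.dst_ip, "rx_bytes")):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += p.length
            stats[addr][counter] += p.length
    return dict(stats)


def top_talkers(packets: List[PacketRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Addresses ordered by total bytes, the usual first look at a busy capture."""
    ranked = sorted(endpoints(packets).items(), key=lambda item: item[1]["bytes"], reverse=True)
    return [(addr, s["bytes"]) for addr, s in ranked[:n]]


if __name__ == "__main__":
    for key, s in conversations(SAMPLE_PACKETS).items():
        print(key, s)
    print(top_talkers(SAMPLE_PACKETS))
```

The string ordering of addresses is only used to pick a stable endpoint A; it is not a numeric IP ordering, and it does not need to be.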
It shows a graph of the network traffic. The graph will look similar, but changes with the traffic involved. There is a table below the figure which holds the filters. Using the '+' sign you can add more filters, and using the '-' sign you can remove existing filters. You can also change the color: for every filter you can add a colored layer, which increases the visibility of the graph.
The tick option under the ‘Enabled,’ displays the layer according to your requirements.
For example, we have applied the filter ‘TCP errors’ and the changes can be viewed easily. The image is shown below:
If you click on a certain area of the graph, the corresponding network traffic packet will be shown on the screen. A filter can also be applied to a particular port.
Another category of the graph comes under the option ‘TCP Stream graphs.’
It gives the visualization of the TCP sequence number with time.
Below are the steps to understand the TCP Stream graphs:
- Open Wireshark. Click on the interface to watch the network traffic.
- Apply the filter 'tcp'.
- Click on 'Statistics' on the menu bar, select 'TCP Stream Graphs' and then 'Time Sequence (tcptrace)'. You can also choose other options in the 'TCP Stream Graphs' category depending on your requirements. Now the screen will look as follows:
You can now see the points on the graph in more detail because you have zoomed in. Lines represent the packets, and the length along the Y-axis shows the packet's size. The green line can be seen ascending before leveling out. This shows that the data was acknowledged, and its increase means more data is being sent.
Data is sent and then acknowledged; this is TCP working as intended. A flat line signifies that nothing is happening.
The green line above is called the receive window. The gap between the receive window line and the packet shows how much space remains in the receiver's buffer.
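To make the lines of the tcptrace graph concrete, the Python below is an added example, not Wireshark's own code, that computes them from a constructed TCP flow: the sequence line from the data segments, the acknowledgment line from the ACKs, the receive window line as acknowledgment number plus advertised window, the free receiver buffer as the gap between that line and the highest byte sent, and the flat intervals in which neither new data nor a new ACK appeared. The times, sequence numbers, and window sizes are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    time: float
    sender: bool      # True: data segment from the sender; False: ACK from the receiver
    seq: int = 0      # first sequence number of the data carried (sender side)
    length: int = 0   # bytes of data carried (sender side)
    ack: int = 0      # acknowledgment number (receiver side)
    window: int = 0   # advertised receive window in bytes (receiver side)


# Constructed sample flow (not from a real capture): the sender pushes 1000-byte
# segments; the receiver acknowledges them and advertises a shrinking window.
SAMPLE_FLOW = [
    Segment(0.00, True, seq=1, length=1000),
    Segment(0.01, True, seq=1001, length=1000),
    Segment(0.02, True, seq=2001, length=1000),
    Segment(0.10, False, ack=2001, window=4000),
    Segment(0.11, True, seq=3001, length=1000),
    Segment(0.12, True, seq=4001, length=1000),
    Segment(0.13, True, seq=5001, length=1000),
    Segment(0.20, False, ack=6001, window=1000),
    Segment(0.30, False, ack=6001, window=1000),   # repeated ACK, no new data: flat line
]

Series = List[Tuple[float, int]]


def tcptrace_series(flow: List[Segment]) -> Dict[str, Series]:
    """The values behind the tcptrace-style graph, keyed by line name."""
    seq_line: Series = []       # highest byte each data segment reaches
    ack_line: Series = []       # what the receiver has acknowledged
    window_line: Series = []    # ack + advertised window: the right edge the sender may reach
    free_buffer: Series = []    # gap between the window edge and the highest byte sent
    in_flight: Series = []      # bytes sent but not yet acknowledged
    highest_seq = 0
    for s in sorted(flow, key=lambda x: x.time):
        if s.sender:
            highest_seq = max(highest_seq, s.seq + s.length)
            seq_line.append((s.time, s.seq + s.length))
        else:
            edge = s.ack + s.window
            ack_line.append((s.time, s.ack))
            window_line.append((s.time, edge))
            free_buffer.append((s.time, edge - highest_seq))
            in_flight.append((s.time, highest_seq - s.ack))
    return {"sequence": seq_line, "ack": ack_line, "window": window_line,
            "free_buffer": free_buffer, "in_flight": in_flight}


def flat_intervals(flow: List[Segment]) -> List[Tuple[float, float]]:
    """Time spans between consecutive packets where neither the highest sequence
    number nor the acknowledgment number moved: the flat line in the graph."""
    intervals = []
    state = None
    prev_time = None
    highest_seq = last_ack = 0
    for s in sorted(flow, key=lambda x: x.time):
        if s.sender:
            highest_seq = max(highest_seq, s.seq + s.length)
        else:
            last_ack = max(last_ack, s.ack)
        new_state = (highest_seq, last_ack)
        if state is not None and new_state == state:
            intervals.append((prev_time, s.time))
        state, prev_time = new_state, s.time
    return intervals


if __name__ == "__main__":
    for name, points in tcptrace_series(SAMPLE_FLOW).items():
        print(name, points)
    print("flat:", flat_intervals(SAMPLE_FLOW))
```

In the sample, the first ACK leaves 1000 bytes in flight and 3000 bytes of free receiver buffer; after the second ACK everything is acknowledged but the window has shrunk to 1000 bytes, and the repeated ACK at 0.30 s produces the only flat interval.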
Want to learn more about Wireshark?
If you want to go a little deeper, check out the hour-long webinar "Using Wireshark: An Interactive Demonstration". It is available to watch on demand after registering.
The table below contains links to Wireshark resources, as well as actual packet captures that you can use to learn more. You can even download a quick "cheat sheet" in PDF form from packetlife.net.
- Network sniffing is intercepting packets as they are transmitted over the network
- Passive sniffing is done on a network that uses a hub. It is difficult to detect.
- Active sniffing is done on a network that uses a switch. It is easy to detect.
- MAC flooding works by flooding the switch's MAC address table with fake MAC addresses. This makes the switch operate like a hub.
- Security measures as outlined above can help protect the network against sniffing.