Wireshark is a FLOSS (Free/Libre Open Source Software)
package for network troubleshooting and analysis which runs on Linux, Windows,
macOS, BSD, Solaris and other Unix-like systems. With this tool home users,
governments and multinational corporations alike can view the minute
details of their network traffic.
You can obtain Wireshark for your operating system through
the normal channels or from your Linux distribution's repositories. While obtaining Wireshark is
quite simple, running it on a network such as the one at work is most assuredly
forbidden unless you have written permission. Ensure you protect yourself from prosecution
for running a packet sniffer on someone else's network and verify you have said document in hand before
proceeding. You have been warned!
Capturing Packets
Launching the program is quite simple and you can start
capturing packets provided your operating system account has the privileges to
do so. On most Linux distributions this means adding your user account to
the wireshark group, which grants access to the dumpcap capture helper without
running the whole GUI as root. Completing this task is relatively simple:
$ sudo gpasswd -a username wireshark
Log out and back in afterwards; the new group membership only applies to a fresh login session.
Once this task has been accomplished, you can capture
packets on any interface on your system, wired or wireless. Simply
double-click an interface listed on the front splash page to begin capturing.
By default Wireshark puts the interface into promiscuous mode so that it accepts
frames not addressed to your own MAC address; without it you only see traffic sent
to or from your own system plus broadcasts. Be aware that on a modern switched
network promiscuous mode alone does not show you other hosts' unicast traffic:
for that you need a mirror (SPAN) port, a network tap or a hub-like segment, and
on Wi-Fi you need the adapter in monitor mode, not just promiscuous mode.
Wireshark will colorize the captured packets to help you
visualize potential problems on your network. By default TCP is a light
purple, UDP a light blue, HTTP a light green, and errors and bad TCP traffic black. You
can customize the rules and colors using the View, Coloring Rules… menu
option.
Wireshark Filters
When you first start up Wireshark you'll notice (unless your
network is very quiet) plenty of traffic, quickly far more than any human can
analyze packet by packet. Fortunately Wireshark has
filters to let you search the packet capture and find exactly what you
want to review. Note that there are two different filter languages: capture filters
(BPF syntax such as port 3306, set before the capture starts, deciding what is
recorded at all) and display filters (the tcp.port==3306 syntax used throughout
this post, applied after the fact to what you have already captured). You can
access example display filters at https://wiki.wireshark.org/DisplayFilters
TIP: Turn off the automatic scrolling of the packet list, or stop the capture, to better view
packets (the dropdown arrow button on the toolbar).
Click the bookmark symbol at the left of the filter
toolbar above the packet list. You can choose from multiple saved filters such
as TCP only (tcp), UDP only (udp), HTTP (http), etc. This narrows the packet list to
the specifics you choose. You can also write your own filters and use the
examples Wireshark provides to learn and expand your knowledge of the filter language.
To build your own filter, simply type a protocol name such as tcp, udp, dns
or http into the filter toolbar and press Enter. You'll only see the
type of packets you specify in the packet list.
Wireshark has done an exceptional job of creating a user-friendly
method of filtering. Click Analyze, Display Filters… to choose
from the default filters. You can add your own custom filters to this list and
use them at any future date. You can review Wireshark's display filter
language on the user guide's Building Display Filter Expressions page.
Stepping through a conversation in stream mode is a top feature
of Wireshark. Simply right-click any packet and select Follow, TCP
Stream (or UDP Stream). You'll see the reassembled conversation between the server and the
client, or attacker and target. Often this content will be encrypted, but
some information can still be gleaned to help your analysis, such as the server
name in the TLS handshake and the volume and timing of the data exchanged.
Click any single packet to view its details in the pane below the packet list.
For example, search for HTTP packets by entering http in the filter toolbar
and pressing Enter (or clicking the Apply arrow).
This filtered traffic can be drilled down further
by IP address. In this example, assuming you have an IP network of
192.168.1.0/24 and you want to evaluate only HTTP traffic originating from host
192.168.1.5, enter:
ip.src==192.168.1.5&&http
You are presented with a nice view of just that traffic. When
you want to inspect the same kind of traffic, but to a destination address such as
one of Google's, enter the following:
ip.dst==74.125.197.100&&http
Assuming you have a MySQL server running on your
computer or network, you could review that traffic (MySQL listens on TCP port
3306 by default) together with a web application served on an alternate HTTP
port such as TCP 8080 with the following filter:
tcp.port==8080||tcp.port==3306
tcp.port matches either the source or the destination port, so both directions of
each connection are shown.
Another useful technique is to exclude packets you do not wish
to see. Continuing the example above, you may not want to see all MySQL traffic on your
network if you have multiple servers. In this case, assuming the server you
want to ignore is at 192.168.1.10, you would enter the following:
tcp.port==3306 && !(ip.addr==192.168.1.10)
Two details matter here. The exclusion must be joined to the port test with &&
(and), not || (or): !(ip.src==192.168.1.10)||tcp.port==3306 would match every
packet not sent by that host plus all MySQL traffic, including the traffic you
wanted to hide. And ip.addr, which matches either the source or the destination,
removes both directions of that server's conversations, whereas ip.src would
only drop the packets it sent, leaving the replies to it in the list.
Eventually you will realize you have far too much traffic on
your network to analyze and further filtering will be necessary. Given the
plethora of IoT devices, smartphones, smart light bulbs and computers everyone
has in their home, filtering out all
Internet-destined traffic can be a useful tool. Here is how to
create such a filter:
ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24
Comparing an address field to a CIDR block is a subnet test, so this shows only
traffic whose source and destination are both on the local network and
excludes all other traffic (and is interchangeable with &&). Be aware that
frames without an IPv4 header, such as ARP or IPv6, fail this filter as well
because they have no ip.src field to compare; append || arp || ipv6 if you still
want to see them.
Note: All filters can be combined with && (and), || (or) and ! (not), with
parentheses for grouping, to create the ideal filtering structure for analysis
of your traffic. The choices are yours to make with this powerful tool.
Following a TCP Stream:
Assuming you have been keeping up with the information
above, you can also trace the traffic between two hosts with the Follow TCP Stream
option. This allows investigation of the data exchanged rather than individual packets.
Simply right-click on a packet and pick Follow, TCP
Stream to view the reassembled conversation in a dialog window. All HTTP headers
will be present if viewing web traffic, along with any plain-text logins or passwords;
an Authorization: Basic header, for instance, is only base64-encoded and is decoded in
a second. A quite useful tool in the old days of unencrypted internet traffic, and still
relevant for legacy clear-text protocols such as FTP, Telnet and unencrypted SMTP on internal networks.
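The display filters above and the Follow TCP Stream feature can be reproduced in a few dozen lines, which makes their semantics concrete. The following Python script is an added example written for this post, not Wireshark's own code: it builds a small libpcap capture inline (seven constructed Ethernet/IPv4/TCP frames on the 192.168.1.0/24 network used in the examples, with checksums left at zero), parses it back, applies the display filters discussed, including the exclusion filter exactly as the post wrote it, !(ip.src==192.168.1.10)||tcp.port==3306, beside the form that actually drops that server, and reassembles the HTTP conversation the way Follow, TCP Stream does. The hosts, ports, the fake Authorization header and every function name are assumptions for illustration.

```python
"""Minimal libpcap reader emulating a few Wireshark display filters and Follow TCP Stream.
Added example for this post, not Wireshark code; the capture is constructed inline."""
import ipaddress
import struct

ETH_IPV4, PROTO_TCP = 0x0800, 6


def _frame(src, dst, sport, dport, seq=0, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (constructed test data, MACs and checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Return one dict per IPv4 frame holding the fields the filters below use."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond .pcap is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue  # ARP, IPv6, ... carry no ip.* fields, just as in Wireshark
        pkt = {"ip.src": str(ipaddress.IPv4Address(frame[26:30])),
               "ip.dst": str(ipaddress.IPv4Address(frame[30:34])), "ip.proto": frame[23]}
        if pkt["ip.proto"] == PROTO_TCP:
            t = 14 + (frame[14] & 0x0F) * 4  # TCP header starts after the IPv4 header
            pkt["tcp.srcport"], pkt["tcp.dstport"], pkt["tcp.seq"] = struct.unpack_from("!HHI", frame, t)
            pkt["tcp.payload"] = frame[t + (frame[t + 12] >> 4) * 4:]
        packets.append(pkt)
    return packets


# Wireshark semantics: tcp.port / ip.addr match either direction; address vs CIDR is a subnet test.
def tcp_port(p, port): return port in (p.get("tcp.srcport"), p.get("tcp.dstport"))
def ip_addr(p, host): return host in (p["ip.src"], p["ip.dst"])
def in_net(addr, net): return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


FILTERS = {
    # ip.src==192.168.1.5 && tcp.port==80
    "from_host_http": lambda p: p["ip.src"] == "192.168.1.5" and tcp_port(p, 80),
    # tcp.port==8080 || tcp.port==3306
    "alt_http_or_mysql": lambda p: tcp_port(p, 8080) or tcp_port(p, 3306),
    # !(ip.src==192.168.1.10) || tcp.port==3306   (exclusion as the post wrote it)
    "exclude_as_written": lambda p: p["ip.src"] != "192.168.1.10" or tcp_port(p, 3306),
    # tcp.port==3306 && !(ip.addr==192.168.1.10)  (exclusion that really drops .10)
    "exclude_fixed": lambda p: tcp_port(p, 3306) and not ip_addr(p, "192.168.1.10"),
    # ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24
    "local_only": lambda p: in_net(p["ip.src"], "192.168.1.0/24") and in_net(p["ip.dst"], "192.168.1.0/24"),
}


def apply_filter(packets, name):
    """Indices (0-based) of the packets a display filter keeps."""
    return [i for i, p in enumerate(packets) if FILTERS[name](p)]


def follow_tcp_stream(packets, index):
    """Emulate Follow -> TCP Stream: join each direction's payload in sequence order
    for the conversation the selected packet belongs to."""
    sel = packets[index]
    ends = {(sel["ip.src"], sel["tcp.srcport"]), (sel["ip.dst"], sel["tcp.dstport"])}
    conv = [p for p in packets if "tcp.seq" in p and
            {(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])} == ends]
    stream = {}
    for host, port in ends:
        segs = sorted((p for p in conv if (p["ip.src"], p["tcp.srcport"]) == (host, port)),
                      key=lambda p: p["tcp.seq"])
        stream[f"{host}:{port}"] = b"".join(p["tcp.payload"] for p in segs)
    return stream


# Constructed capture on the post's 192.168.1.0/24 network: a client fetching a page from
# Google with fake basic-auth credentials, two MySQL clients of a server at .20, HTTP on 8080, HTTPS out.
SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.5", "74.125.197.100", 50000, 80, 1,
           b"GET / HTTP/1.1\r\nHost: www.google.com\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),  # 0
    _frame("74.125.197.100", "192.168.1.5", 80, 50000, 1, b"HTTP/1.1 200 OK\r\n\r\n"),  # 1
    _frame("192.168.1.5", "192.168.1.20", 50001, 3306),   # 2  MySQL from .5
    _frame("192.168.1.10", "192.168.1.20", 50002, 3306),  # 3  MySQL from .10
    _frame("192.168.1.20", "192.168.1.10", 3306, 50002),  # 4  MySQL reply to .10
    _frame("192.168.1.7", "192.168.1.20", 50003, 8080),   # 5  HTTP on 8080
    _frame("192.168.1.7", "8.8.8.8", 50004, 443),         # 6  HTTPS to the Internet
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for name in FILTERS:
        print(f"{name:19} -> packets {apply_filter(pkts, name)}")
    for end, data in follow_tcp_stream(pkts, 0).items():
        print(f"--- {end}\n{data.decode()}")
```

Running it prints which packet indices each filter keeps: the exclusion filter as written keeps all seven packets because the || makes the negated clause match everything the other host did not send, the && form keeps only the MySQL packet from 192.168.1.5, and the local-only filter drops the two Google packets and the HTTPS flow. The followed stream prints the request and response in the clear, Authorization header included, which is exactly what the Follow TCP Stream dialog shows for unencrypted web traffic.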
Wireshark Packet Capture Files
Given the massive amount of data you can collect, it will be
necessary to save the packet capture for future evaluation. Fortunately
Wireshark can write, read and manipulate capture files. Choose File, Save As…
to save the whole capture (pcapng is the default format; pick pcap for tools that
do not understand pcapng), File, Export Specified Packets… to save only the
packets matching your current display filter, and File, Open to load a saved
capture later and view, filter and analyze it. File, Import from Hex Dump…
turns a text hex dump into a capture file.
Notes:
Wireshark is not designed to be an Intrusion Detection
System; it does not alert you to misbehavior on your network. That
said, you can use it to determine whether something amiss is going on within your
network.
Some concerns regarding data or traffic leaks: when network name resolution is
enabled, Wireshark performs reverse DNS lookups on the IP addresses it captures.
Those queries leave your machine, reveal which addresses you are examining and
could raise red flags within IDS software. Fortunately this feature is off by
default in current versions and can be controlled under View, Name Resolution
or Edit, Preferences, Name Resolution (Resolve network (IP) addresses); starting
Wireshark or tshark with -n disables all name resolution.