It doesn’t matter if you are a security engineer, a network administrator or even a cyber-criminal, the tools to monitor network traffic are the key to your success. By having a detailed view of the numerous packets traversing the network it is possible to ascertain a lot about the security condition of that network. It is also a great asset when you need to troubleshoot network load. One of the most common tools for all of that is Wireshark.
Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998. (wireshark.org)
The Wireshark interface is divided into three main areas: packet list, packet details and packet bits. Additionally, the user is provided with a display filter input to customize a more convenient packet list output for any preference. The details pane presents the protocols and protocol fields of the selected packet. By expanding the selection, the user can apply individual filters. By selecting a specific portion of the packet bits, the corresponding section will be highlighted in the packet details pane and vice versa. Any bytes that cannot be printed are instead represented by a period.
The packet list consists of a number of useful columns like the Time column which shows when the packet was captured, the Source column which shows from where the packet originated from (IP or other), the Destination column which shows where the packet was heading, the Protocol column which shows the protocol used, the Length column which shows the length of that packet and finally the Info column with any additional information about the packet itself.
Exporting Data and Files
A handy feature in Wireshark is Export Objects which can be accessed through File -> Export Objects. This allows you to extract several types of packet data, be it HTTP, SMB or any other type of object. When exporting a set of objects, you get a list of all the files that have moved around in the network. And going further, it is even possible to save those objects into a file later as well. Just to clarify - this means you can extract all the files that have been moving around in the network… Cool, I know!
Filtering packets in Wireshark is fairly easy and straightforward. Just combine a filter string to your liking and go for it! If you are not into writing your own filters, then there is an option of using premade filters. This can be accessed by clicking on the blue ribbon on the left side of the filter input field. But to get you started, here are a few filter examples:
http.request.method == GET # Filter out all GET http requests !(tcp.port == 22) # Don't show any port 22 (SSH) traffic tcp portrange 1234-3456 # Capture traffic within a range of ports src net 10.10.10.0/24 # Capture traffic from a range of IP addresses:
Wireshark is a handy tool to fiddle around with. It can be a fun toy for an enthusiast and a powerful tool for a professional. This blog post only scratched the surface of what Wireshark is actually capable of. To find more detailed stuff about this tool visit wireshark.org.