Wireshark – Packet Capturing and Analyzing
Prerequisite: Introduction to Wireshark
This article will introduce the methods of packet capturing and analyzing. It will also introduce some advanced tools that are used for increasing efficiency during capture and analysis.
Why sniff around?
If you have prior experience with securing systems, you already know that the importance of reconnaissance cannot be overstated; if you are new, just know that it is very important. Packet sniffing is an essential form of network reconnaissance as well as of monitoring, and it is equally useful for students and IT professionals.
Wireshark captures the data coming in or going out through the NICs of its own device by using an underlying packet capture library. By default it captures only the traffic addressed to or sent from its device, but in promiscuous mode the NIC also hands over frames addressed to other hosts, so Wireshark can capture almost all the data on its LAN. Currently, Wireshark uses the Nmap project's packet capture library (called npcap).
Getting Up and Running: After installation, launch Wireshark and approve the administrator or superuser privileges; you will be presented with a window that looks like this:
This window lists the interfaces on your device. To start sniffing, select one interface and click the blue shark-fin icon at the top left. The capture screen has three panes: the top pane shows real-time traffic, the middle one shows the decoded details of the selected packet, and the bottom pane shows the raw packet bytes. For each packet, the top pane shows the source address (IPv4 or IPv6), the destination address, the source and destination ports, the protocol the packet belongs to, and additional information about the packet.
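To make the relationship between the bottom pane (raw bytes) and the top pane (summary columns) concrete, here is an added example that is not from the article or from the Wireshark project: a small Python decoder that takes one Ethernet/IPv4/TCP frame and extracts exactly the columns described above. The frame is constructed inside the code with made-up addresses; the HTTP detection is a deliberately simple heuristic (a request method at the start of the TCP payload), and checksums are not verified, so it is an illustration of what a dissector does, not a replacement for one.

```python
"""Decode one raw Ethernet/IPv4 frame (what Wireshark's bottom pane shows as bytes)
into the summary columns its top pane shows: addresses, ports, protocol, info."""
import struct

ETHERTYPE_IPV4, IP_PROTO_TCP, IP_PROTO_UDP = 0x0800, 6, 17


def build_sample_frame():
    """Constructed sample: an HTTP GET from 192.168.1.10:51234 to 203.0.113.7:80 (addresses are made up)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"), ETHERTYPE_IPV4)
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # IPv4: ver/IHL=0x45, TOS, total length, id, flags/frag (DF), TTL, proto, checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, IP_PROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 7]))
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Return the top-pane summary fields for one frame; raises ValueError on truncated or malformed input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    summary = {"eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        summary["protocol"] = f"ethertype 0x{ethertype:04x}"  # ARP, IPv6, ... are not decoded here
        return summary
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    summary.update({"ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)), "ip.ttl": ttl})
    l4 = ip[ihl:total_len]  # honour the IP total length so Ethernet padding is not mistaken for data
    if proto == IP_PROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", l4[:20])
        doff = (off >> 4) * 4
        if doff < 20 or len(l4) < doff:
            raise ValueError("malformed TCP data offset")
        payload = l4[doff:]
        summary.update({"protocol": "TCP", "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags})
        first_line = payload.split(b"\r\n", 1)[0]
        if first_line.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
            summary["protocol"] = "HTTP"  # dissector-style heuristic: a request line opens the payload
            summary["info"] = first_line.decode("ascii", "replace")
    elif proto == IP_PROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", l4[:8])
        summary.update({"protocol": "UDP", "udp.srcport": sport, "udp.dstport": dport})
    else:
        summary["protocol"] = f"ip proto {proto}"
    return summary


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:12} {value}")
```

Running the block prints one summary row per field, the same information Wireshark lays out as columns. The length checks are the part worth copying: a decoder that trusts the IHL or data-offset nibble without bounding it against the bytes actually present is the classic way a packet parser crashes on hostile input.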
Since a lot of packets go in and out every second, looking at all of them or searching for one type of packet is tedious. This is why packet filters are provided. Packets can be filtered by many parameters, such as IP address, port number or protocol, either at capture level or at display level. Obviously, a display-level filter does not affect which packets are captured.
Some of the general capture filters are:
- host (capture the traffic to or from a single target host).
- net (capture the traffic to or from a network or sub-network). "net" can be prefixed with "src" or "dst" to select only the data coming from, or only the data going to, the target host(s).
- port (capture the traffic to or from a port). "port" can likewise be prefixed with "src" or "dst" to select only the data coming from, or only the data going to, the target port.
- "and", "not" and "or" logical connectives, used to combine multiple filters.
There are some more basic filters, and they can be combined very creatively. Another family of filters, display filters, is used to create abstractions over the captured data. These basic examples should give an idea of their syntax:
- tcp.port==80 shows the TCP traffic on port 80; in general, tcp.port==X or udp.port==X shows the TCP or UDP traffic on port X (in either direction, since the field matches the source or the destination port).
- http.request.uri matches "parameter=value$" shows packets that are HTTP requests at the application layer and whose URI ends with the given parameter and value.
- The logical connectives and, or and not work here too.
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 shows only traffic whose source and destination both lie in the 192.168.0.0/16 range, i.e. the traffic between workstations and servers on the local private network.
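The semantics behind these examples (a field such as tcp.port that occurs twice in a packet matches if either occurrence does, == against a CIDR value means subnet membership, matches is a regular expression, and "and" binds tighter than "or") are easier to trust once you have executed them. The following Python is an added example, not code from the article or from Wireshark itself: it parses a simplified subset of the display-filter grammar (==, matches, a bare field name for "present", and/or/not, parentheses) and evaluates it against three constructed packet records. Assumptions: Python's re module stands in for Wireshark's PCRE2 engine, matching is case-insensitive to mirror Wireshark's documented default for matches, and the field names follow Wireshark's but the records are hand-built rather than produced by a dissector. The capture filters listed earlier share the same and/or/not structure, but their host/net/port primitives are BPF expressions compiled by the capture library and are not modelled here.

```python
"""Evaluate Wireshark display-filter expressions against packet field records.
Grammar: FIELD (==|matches) VALUE | FIELD | not X | X and Y | X or Y | (X), with 'and'
binding tighter than 'or' as in Wireshark. Parsing is recursive descent (or -> and -> not
-> atom) over a token list that each function consumes from the front."""
import ipaddress
import re

_TOKEN = re.compile(r'\s*(?:(\(|\))|(==|&&|\|\||!)|"([^"]*)"|([A-Za-z_][\w.]*)|([0-9][0-9./]*))')
_WORD_OPS = {"and": "&&", "or": "||", "not": "!"}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        pos = m.end()
        paren, op, string, word, number = m.groups()
        if paren or op:
            tokens.append(("paren", paren) if paren else ("op", op))
        elif word:
            tokens.append(("op", _WORD_OPS[word]) if word in _WORD_OPS else ("field", word))
        else:
            tokens.append(("value", string if string is not None else number))
    return tokens + [("eof", "")]  # sentinel so the parser can always peek at toks[0]

def _chain(toks, tok, kind, operand):  # left-associative run of one connective
    node = operand(toks)
    while toks[0] == ("op", tok):
        toks.pop(0)
        node = (kind, node, operand(toks))
    return node

def _or(toks):
    return _chain(toks, "||", "or", lambda t: _chain(t, "&&", "and", _not))

def _not(toks):
    if toks[0] == ("op", "!"):
        toks.pop(0)
        return ("not", _not(toks))
    if toks[0] == ("paren", "("):
        toks.pop(0)
        node = _or(toks)
        if toks.pop(0) != ("paren", ")"):
            raise ValueError("missing ')'")
        return node
    return _atom(toks)

def _atom(toks):
    kind, field = toks.pop(0)
    if kind != "field":
        raise ValueError(f"expected a field name, got {field!r}")
    if toks[0][1] not in ("==", "matches"):
        return ("present", field)  # a bare name such as "dns" tests that the protocol or field is present
    op, (vkind, value) = toks.pop(0)[1], toks.pop(0)
    if vkind != "value":
        raise ValueError(f"expected a value after {op!r}")
    return ("cmp", field, op, value)

def _equal(value, rhs):
    try:  # an address compared with an address or a CIDR block: subnet membership
        return ipaddress.ip_address(str(value)) in ipaddress.ip_network(rhs, strict=False)
    except ValueError:  # otherwise numeric equality when both sides are numbers, else string equality
        return int(value) == int(rhs) if str(value).isdigit() and rhs.isdigit() else str(value) == rhs

def evaluate(node, packet):  # packet: field name -> list of every occurrence of that field
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], packet), evaluate(node[2], packet)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "present":
        return node[1] in packet
    _, field, op, rhs = node
    values = packet.get(field, [])  # a field with several occurrences (tcp.port has two) matches if ANY does
    if op == "==":
        return any(_equal(v, rhs) for v in values)
    return any(re.search(rhs, str(v), re.IGNORECASE) for v in values)  # matches: regex, case-insensitive by default

def make_packet(number, proto, src, dst, sport, dport, extra=None):
    # Constructed record carrying the two-occurrence fields (ip.addr, tcp.port) that Wireshark exposes
    pkt = {"frame.number": [number], "ip": [], proto: [], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
           f"{proto}.srcport": [sport], f"{proto}.dstport": [dport], f"{proto}.port": [sport, dport]}
    pkt.update(extra or {})
    return pkt

PACKETS = [  # constructed sample capture, not a real trace
    make_packet(1, "tcp", "192.168.1.10", "203.0.113.7", 51234, 80, {"http": [], "http.request.uri": ["/login?user=alice"]}),
    make_packet(2, "tcp", "192.168.1.20", "192.168.1.30", 52000, 443),
    make_packet(3, "udp", "10.0.0.5", "192.168.1.10", 40000, 53, {"dns": [], "dns.qry.name": ["example.com"]}),
]

def apply_filter(text, packets=PACKETS):
    # Frame numbers that pass the filter, i.e. what Wireshark's packet list would show after filtering
    toks = tokenize(text)
    tree = _or(toks)
    if toks[0][0] != "eof":
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return [p["frame.number"][0] for p in packets if evaluate(tree, p)]
```

Calling apply_filter("tcp.port == 80") returns [1], the article's subnet filter returns [2], and the precedence rule shows up in apply_filter("tcp.port == 80 or udp.port == 53 and ip.src == 10.0.0.5"), which keeps frames 1 and 3 because the "and" is grouped first; wrap the "or" in parentheses and only frame 3 survives. Malformed expressions (a dangling operator, an unclosed parenthesis) raise ValueError instead of silently matching nothing, which is the behaviour you want from anything that sits in front of a capture you are relying on.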
There is also the concept of coloring rules: each protocol, port or other element is given a distinct color so that it stands out during quick analysis. More details on coloring rules are available in the Wireshark documentation.
Plugins are extra pieces of code that can be embedded into native Wireshark. Plugins help in analysis by:
- Showing parameter-specific statistics and insights.
- Handling capture files and issues related to their formats.
- Integrating with other tools and frameworks to set up an all-in-one network monitoring solution.
With just the basic capability to see all the traffic going through your device or your LAN, plus the tools and plugins that help with analysis, you can do a great deal with your device, such as:
- Troubleshooting Internet connectivity problems on your device or WiFi.
- Monitoring your device for unwanted traffic that may indicate a malware infection.
- Testing applications of yours that involve networking.
- Simply learning how computer networks work.