Introduction to Wireshark:
This article is focused on a few things about the Wireshark tool which is used for packet capture in the networks.
Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It was originally named as etheral.
Wireshark puts your network card into promiscuous mode, which basically tells it to accept every packet it receives. It allows the user to see all traffic being passed over the network.
Wireshark uses pcap to capture packets. Basically, pcap is a library of information about various protocols, their packet structure, and different messages passed in those protocols. So it can only capture the packets on the networks supported by pcap.
When you install Wireshark you will receive a prompt to install the WinPcap component, which is nothing but the windows version of pcap. For unix like environments, another library by the name libcap is available.
When you open Wireshark, the first thing you need to do is to choose the interface on which you need to capture the packets. To do that you can either click on the Capture menu or click on the interface, or you can click on the NIC icon in the left hand top corner. Once you get the screen, you can decide which interface to choose. You can select it based on the IP address you can see, or the name of the interface.
- Once you click on start, then Wireshark starts to capture the packets on that interface.
- You can stop the capture using the Capture->Stop or pressing Ctrl+e on the keyboard.
Wireshark provides you with a very wide scope of configuration according to your needs. You can setup filters. These filters are of 2 types
1. Capture Filters
As the name indicates, capture filters are used to filter the packets when they are captured. When you are in a corporate network, there are a lot of packets that your NIC card receives. The benefit of having capture filters set is that the size of the output of the capture can be limited. And very precise information can be extracted from the live packet flow. This can be used when you know exactly what kind of traffic you are looking for. For example, if you are looking for a packet capture for the network communication between the SEP client and SEPM, you can use the capture filter:
host 172.18.5.4 where the IP address will be of the SEPM, if you are running wireshark at a client machine. Or, if you are running wireshark at a server, then you can provide the IP address of one the clients.
As the name indicates, its a capture filter so you will need to specify it before the capture begins. You can go to Capture->Interfaces->Options [in front of the desired interface], or you can use the NIC card icon in the lft hand top corner and click on the options in front of the desired interface.
2. Display Filters
Display filters can be useful, when you have a packet capture file with you and you want to extract specific information from you.
The number of packets that match a particular filter will be less than all the packets and is much more easier to analyze.
FOLLOW TCP STREAMS:
If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it.
Maybe you just need a display filter to show only the packets of that TCP stream. As you will see, when you right click on a TCP packet and select Follow TCP Stream, it builds its own display filter and shows you the data transmitted in that TCP Stream.
The expert info is a kind of log of the anomalies found by Wireshark in a capture file.
The general idea behind the following "Expert Info" is to have a better display of "uncommon" or just notable network behavior. This way, both novice and expert users will hopefully find probable network problems a lot faster, compared to scanning the packet list "manually”.
Click on Analyze->Expert Info Composite.
Click on Statistics->Flow Graph and click on OK in the next window. It will show you a detailed flow graph of every message used in that particular TCP stream. It also shows you the comments, that help in understanding the flow of messages. This particular utility can be very useful if you are understanding the working of a particular protocol, are investing a particular protocol.
Click on Statistics->Destinations and click on OK. It will give you detailed analysis on each IP address in the packet capture.It will show, how many packets were sent/received on a particular port. If you are investigating a port scan/ DOS attach these figures will indicate the pattern used for probing the hosts.
It can be accessed from the menu-: Statistics-> Summary :
Basic global statistics are available in the summary window such as:
- Capture file properties
- Capture time
- Capture filter information.
- Display filter information.
- How much data was transferred while this capture was going on
• Capture only traffic to or from IP address 172.18.5.4: host 172.18.5.4 [ Can be used for capturing the traffic between SEP and SEPM based on the IP addresses ]
• Capture only DNS (port 53) traffic: port 53 [ Can be used for capturing the SEP-SEPM traffic based on the port on which SEPM is installed ]
• Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0
• Capture traffic from a range of IP addresses: src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0
• Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0
• Capture traffic within a range of ports (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)
• Capture only Ethernet type EAPOL: ether proto 0x888e
Wireshark uses display filters for general packet filtering while viewing and for its ColoringRules. The basics and the syntax of the display filters are described in the User's Guide.
• HTTP : a filter that can be used to show only the HTTP traffic between SEP and SEPM based on the communication settings protocol
• Show only SMTP (port 25) and ICMP traffic:
tcp.port eq 25 or icmp
• Show only traffic to and from an IP address
ip.addr eq 127.0.0.1