29 Wireshark Packet Analyzer

Mr. Hardik Joshi

epgp books


Overview of Packet Analysis

The process of capturing and interpreting the data that flows across a network is known as packet analysis; it is also called packet sniffing or protocol analysis, and the tool that does it is known as a packet sniffer. Such tools help us understand the network and what is happening on it; they capture raw network data from wired or wireless transmissions. A packet sniffing/analysing tool can be used to

  • Get an overview of network characteristics
  • Learn protocols and networking
  • Determine who is on the network and what is being used
  • Detect possible malicious activities or attacks
  • Identify insecure applications (for example, ones that send credentials in clear text)
  • Identify whether the network is over-utilized or under-utilized

Tools like packet sniffers are important for the following professionals to meet their day-to-day demands:

  • Students – to learn network protocol internals
  • System Developers – to debug protocol implementations
  • Network administrators – to troubleshoot network problems
  • Application Developers – to debug applications
  • Network security engineers – to examine security problems

Introduction to Wireshark

Wireshark is an open-source packet analyzer released under the terms of the GNU General Public License. It is used for software and communications protocol development, in academia to teach networking and network security, and most of all for network troubleshooting and analysis. Wireshark is a GUI tool similar to tcpdump, which is found on most Unix and Linux operating systems. Wireshark was originally known as Ethereal. It understands many different protocols and displays their fields in an understandable manner.

Wireshark is free and can be downloaded from www.wireshark.org. It runs on Windows, Linux, macOS, Solaris, BSD and a few other Unix-like operating systems. Besides the GUI there is a non-GUI version called TShark that runs in a terminal. Wireshark captures and parses the packets travelling over the wire and displays the fields and their contents in an understandable manner. It uses the pcap library (libpcap, or Npcap on Windows) to capture packets, and it can also read captures saved by other tools such as tcpdump, snoop or Microsoft Network Monitor. Because the protocol dissectors parse untrusted input, the Wireshark project recommends granting capture privileges only to the separate dumpcap helper (for example through the wireshark group on Linux) and running the GUI itself as an unprivileged user.

A few important features of Wireshark are:

  • Wireshark can capture live data flowing over the wire, or import data from a file if it is in a format Wireshark understands.
  • Wireshark supports different types of network such as Ethernet, IEEE 802.11, PPP and loopback.
  • The captured data can be browsed in the GUI and searched for matching patterns in protocol headers; the same data can also be displayed by TShark.
  • With the editcap program, capture files can be edited (for example split, truncated or trimmed to a time range).
  • We can apply filters to restrict the display to data matching our selection criteria.
  • Plug-ins can be written to dissect new protocols.
  • Extensions of Wireshark can capture raw USB traffic.
  • Wireshark has built-in settings, timers and filters that can be used to filter the output of the captured traffic.
  • Various statistical analysis tools are available to generate summaries of network data.
  • The portable version of Wireshark does not require installation.

Capturing Packets with Wireshark

Now let us see how to capture packets with Wireshark. On starting Wireshark, it asks us to select the interface we want to capture on. In the following screen, a LAN interface (802.3) was selected to capture the live network data. The interface is shown in figure 1.

Figure 1: Interfaces to capture live network data

Once we have selected the interface, a window opens in which the packets being captured scroll past as they arrive, so we can observe the traffic live. This interface is shown in figure 2. The Wireshark window is divided into three panes: the top pane shows the packet list, the middle pane shows the packet details (the headers of each protocol), and the bottom pane shows the raw bytes of the packet.

Figure 2: Interface showing packets being captured

The tree in the middle pane is collapsible, so we can inspect the header of each protocol in the stack. As figure 2 shows, the DNS protocol uses the services of UDP, which in turn uses the services of IP, and so on. Since Wireshark generates a huge amount of data, we can apply a filter to display only selected packets. Filters can be based on port number, IP address, protocol and other network criteria.

Display Filters

As noted earlier, Wireshark can capture hundreds of packets and display them in the GUI. If a user wants to see only the packets from a particular source IP address, or only the packets on a particular port, display filters let them selectively show the desired packets. The following cases show how display filters can be applied:

Show only HTTP (TCP port 80) and ICMP traffic
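The following added example, which is not part of the original module and not Wireshark's own code, shows how a display-filter expression such as the one above is evaluated against the fields a dissector has extracted from each packet. It implements a small subset of the real syntax (presence tests such as dns or icmp, field == value, and !, && and || with parentheses) and runs it over a constructed four-packet capture; the field names follow Wireshark's (ip.addr, ip.src, tcp.port, udp.port, dns, icmp, http), while the packets, ports and addresses are invented.

```python
"""Evaluator for a small subset of Wireshark display-filter syntax (added example,
not Wireshark's own code).  Packets are dicts of dissected fields; multi-valued
fields such as ip.addr or tcp.port match when ANY of their values is equal."""
import re

_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||!|==|[A-Za-z0-9_.:]+)")
_OPERATORS = {"(", ")", "&&", "||", "!", "=="}

def tokenize(expr):
    """Split a filter string into operator and word tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent: expr := term ('||' term)* ; term := factor ('&&' factor)*."""

    def __init__(self, tokens, packet):
        self.toks, self.i, self.pkt = tokens, 0, packet

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        val = self.term()
        while self.peek() == "||":
            self.take()
            val = self.term() or val      # evaluate both sides so the parser stays in step
        return val

    def term(self):
        val = self.factor()
        while self.peek() == "&&":
            self.take()
            val = self.factor() and val
        return val

    def factor(self):
        if self.peek() == "!":
            self.take()
            return not self.factor()
        if self.peek() == "(":
            self.take()
            val = self.expr()
            self.take(")")
            return val
        name = self.take()
        if name in _OPERATORS:
            raise ValueError(f"expected a field name, got {name!r}")
        if self.peek() == "==":
            self.take()
            return self.take() in self.pkt.get(name, [])   # true if ANY value is equal
        return name in self.pkt                            # bare name: protocol/field present

def matches(expr, packet):
    """True when the packet satisfies the display filter; ValueError on bad syntax."""
    parser = _Parser(tokenize(expr), packet)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return bool(result)

def apply_filter(expr, packets):
    """Return the 1-based packet numbers (Wireshark's No. column) that pass the filter."""
    return [no for no, pkt in enumerate(packets, 1) if matches(expr, pkt)]

def make_packet(src, dst, transport, sport=None, dport=None, app=None):
    """Dissected-field view of one packet: field name -> list of values.  An empty list
    records protocol presence; ip.addr and <transport>.port hold both endpoints' values."""
    fields = {"eth": [], "ip": [], "ip.src": [src], "ip.dst": [dst],
              "ip.addr": [src, dst], transport: []}
    if sport is not None:
        fields[f"{transport}.srcport"] = [str(sport)]
        fields[f"{transport}.dstport"] = [str(dport)]
        fields[f"{transport}.port"] = [str(sport), str(dport)]
    if app:
        fields[app] = []
    return fields

# Constructed sample capture (not real traffic); list index + 1 is the packet No.
PACKETS = [
    make_packet("10.0.0.5", "10.0.0.1", "udp", 53412, 53, "dns"),        # 1: DNS query
    make_packet("10.0.0.5", "93.184.216.34", "tcp", 41000, 80, "http"),  # 2: HTTP request
    make_packet("10.0.0.1", "10.0.0.5", "icmp"),                          # 3: ping reply
    make_packet("10.0.0.7", "10.0.0.9", "tcp", 51000, 22, "ssh"),         # 4: SSH, other hosts
]
```

With this sample, apply_filter("tcp.port == 80 || icmp", PACKETS) returns [2, 3], which is the case described above. Because ip.addr and tcp.port carry two values per packet, ip.addr == 10.0.0.5 selects traffic in both directions, and !(ip.addr == 10.0.0.5) is the unambiguous way to exclude a host. In Wireshark the same expressions are typed into the display-filter bar, and TShark accepts them with its -Y option.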


Capture Filters

Capture filters (like tcp port 80) are different from display filters (like tcp.port == 80). Capture filters use the BPF syntax of libpcap/tcpdump, are much more limited, and their main purpose is to reduce the amount of data a capture generates: packets that do not match are never recorded, so they cannot be examined later. Display filters only hide packets from the packet list; the hidden packets remain in the capture file. Capture filters are set before the capture starts and are not dynamic (they cannot be modified at run time). Display filters do not have this limitation and can be changed while packets are being captured. In figure 1 the capture-filter box is shown in green, which means the expression in it is syntactically valid; no capture filter is applied in figure 1. A few capture filters are as follows:

Capture only traffic to or from IP address 172.16.5.4:

Packet Lists

The packet-list pane contains a few columns that are common to all packets. Figure 3 is a screenshot of one instance while capturing network packets. Each packet has its own row, with a value in each column. Let us understand the columns used to describe packets.

Figure 3: Packet list being captured in Wireshark

The columns of the packet-list pane and their significance are as follows:

  • No.: Each packet is identified by a unique, increasing number within the capture
  • Time: The timestamp of the packet. By default it is displayed as seconds since the first packet of the capture; other formats (absolute time, time since the previous packet) can be chosen from the View menu.
  • Source: Usually the IP address from which the packet originated (for frames without an IP layer, such as ARP, the MAC address is shown)
  • Destination: Usually the IP address of the destination
  • Protocol: The name of the highest-layer protocol Wireshark could dissect in the packet
  • Length: The length of the frame in bytes
  • Info: A one-line summary of the packet, such as the queried name for DNS or the flags for TCP

Below the packet-list pane is the packet-details pane. Wireshark separates the packet details according to the TCP/IP stack. As seen in figure 4, a DNS packet has been captured, and the header fields of DNS can be seen in this pane. Apart from DNS we can also see the headers of the lower-layer protocols, UDP, IP and Ethernet II, and the Frame entry with the capture metadata, following the TCP/IP stack.

Figure 4: Packet Details as seen in Wireshark
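To make the packet-list columns and the layered details concrete, here is an added example (not code from the module or from Wireshark) that builds a DNS query frame from constructed bytes, round-trips it through the pcap file format that Wireshark reads, and dissects it layer by layer (Frame, Ethernet II, IPv4, UDP, DNS) to produce the No., Time, Source, Destination, Protocol, Length and Info columns. The MAC and IP addresses, ports, transaction id and query names are invented, and only the Python standard library is used.

```python
"""Round-trip a constructed DNS query through the pcap format and dissect it layer
by layer, producing the columns of Wireshark's packet-list pane.  Added example,
standard library only; the frames, MAC and IP addresses are made up, not captured."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic libpcap magic (microsecond timestamps)
QTYPES = {1: "A", 28: "AAAA"}

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over an even-length header; 0 when valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_dns_query_frame(name="example.com", src="10.0.0.5", dst="10.0.0.1"):
    """Ethernet II / IPv4 / UDP / DNS standard query for an A record (constructed)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 53412, 53, 8 + len(dns), 0) + dns     # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xABCD, 0x4000, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]      # fill header checksum
    eth = bytes.fromhex("00155d0a0b0c") + bytes.fromhex("00155d010203") + b"\x08\x00"
    return eth + ip + udp

def pcap_bytes(frames, linktype=1):
    """Serialize (timestamp, frame) pairs as a pcap file: global header + records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) pairs; the magic number fixes the byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a microsecond-resolution pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def dissect_dns(payload):
    """Header plus the first question (no name compression: queries do not use it)."""
    txid, flags, _qdcount = struct.unpack("!HHH", payload[:6])
    labels, off = [], 12
    while payload[off]:
        labels.append(payload[off + 1:off + 1 + payload[off]].decode())
        off += 1 + payload[off]
    qtype = struct.unpack("!H", payload[off + 1:off + 3])[0]
    return {"id": hex(txid), "response": bool(flags & 0x8000), "qname": ".".join(labels), "qtype": qtype}

def dissect(frame):
    """Return {layer: {field: value}} in stack order, like the packet-details pane."""
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"Frame": {"length": len(frame)}, "Ethernet II": {
        "dst": mac(frame[:6]), "src": mac(frame[6:12]), "type": hex(ethertype)}}
    if ethertype != 0x0800:                       # not IPv4: stop at Ethernet
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    layers["IPv4"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                      "ttl": ip[8], "proto": ip[9], "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if ip[9] != 17:                               # only UDP is dissected further here
        return layers
    udp = ip[ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    layers["UDP"] = {"srcport": sport, "dstport": dport, "length": ulen}
    if 53 in (sport, dport):
        layers["DNS"] = dissect_dns(udp[8:ulen])
    return layers

def packet_list_row(no, ts, first_ts, frame):
    """One packet-list row; Time is seconds since the first packet of the capture."""
    layers = dissect(frame)
    top = list(layers)[-1]                         # highest dissected protocol
    net = layers.get("IPv4", layers["Ethernet II"])
    info = ""
    if top == "DNS":
        d = layers["DNS"]
        info = f"Standard query {d['id']} {QTYPES.get(d['qtype'], d['qtype'])} {d['qname']}"
    return {"No.": no, "Time": round(ts - first_ts, 6), "Source": net["src"],
            "Destination": net["dst"], "Protocol": top, "Length": len(frame), "Info": info}

def demo(save_as=None):
    data = pcap_bytes([(1700000000.0, build_dns_query_frame("example.com")),
                       (1700000000.25, build_dns_query_frame("wireshark.org"))])
    if save_as:                                    # e.g. demo("dns.pcap") -> open in Wireshark
        open(save_as, "wb").write(data)
    rows, first = [], None
    for no, (ts, frame) in enumerate(read_pcap(data), 1):
        first = ts if first is None else first
        rows.append(packet_list_row(no, ts, first, frame))
    return rows
```

demo("dns.pcap") writes the constructed capture to disk so it can be opened in Wireshark and the two rows compared with the three panes. The first row comes out as No. 1, Time 0.0, Source 10.0.0.5, Destination 10.0.0.1, Protocol DNS, Length 71 and Info "Standard query 0x1234 A example.com". A production dissector must also validate every length field, handle IP options and DNS name compression, and cope with malformed input, which is exactly the code that makes dissectors an attack surface and why capture and analysis should run with the least privilege possible.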

Wireshark provides many other options, such as saving the captured data in various formats, analyzing the data by applying display filters, following a stream (reassembling one TCP or UDP conversation's payload in order), generating statistics of network usage, etc. Graphs of network utilization showing the throughput or error rate can also be generated with Wireshark. Wireshark can be customized to capture only the packets matching our criteria. Wireshark has around 20 built-in default coloring rules, and we can customize these rules to highlight the packets we care about.

Let us summarize what we have studied in this module:

  • Packet sniffers/analyzers can be helpful to network administrators, developers and students
  • Wireshark is a widely used packet analyzer tool
  • Wireshark displays live packets and segregates their headers according to the TCP/IP stack
  • We can apply filters to capture or display packets as per our criteria
  • Wireshark provides tools to perform statistical analysis.
