Wireshark is a popular network protocol analyser tool that is widely used in the field of Computer Networking & Cybersecurity. It is an open-source tool that allows users to capture and analyse network traffic. Now what’s the point of this tool? Well, every single time we communicate over the internet we are sending data. Data is encapsulated (contained) within something called a packet. Using a packet analyser such as Wireshark is used to analyse these data packets. In this blog, we will discuss all the reasons why Wireshark is such an important tool and why you should invest your precious time learning about it.

What is Wireshark?

We covered it briefly but what exactly is Wireshark? Wireshark is a powerful tool that provides deep insights into what’s happening in a network at a microscopic level. It is a network protocol analyser, often referred to as a “packet sniffer”, that captures network packets in real time and displays them in a format that network professionals (and beyond) can use for diagnostic and problem-solving purposes. Let’s delve deeper into its key aspects:

  • Packet Analysis: Wireshark can dissect hundreds of protocols and it can parse and display the packet contents for these protocols. This makes it an invaluable tool for understanding the particulars of network protocols and for diagnosing and troubleshooting network problems.
  • Network Forensics: Given Wireshark’s ability to capture and analyse network packets, it is widely used in the field of Network Forensics. This involves capturing, recording, and analysing network events to discover the source of security attacks or other problem incidents. For example, If a network or security attack ever occurs, Wireshark will likely be one tool used to figure out the IP, attack vector and the methods that are being employed by the bad actor, all in real time.
  • Real-Time Data Capture and Offline Analysis: As mentioned, Wireshark can capture live packet data from a network interface, or it can read from an existing capture file. By ‘Network Interface’ we are referring to the Ethernet NIC card or the Wireless NIC card that is within the machine. Let’s say there is a compromised machine, Wireshark would be able to capture the live capture provides a real-time view of the network traffic. Once the data is captured, it can be analysed offline.
  • Filtering: One very significant feature of Wireshark is that it allows finetuning of results. It provides a highly flexible and powerful filtering mechanism to filter the network traffic for detailed inspection. This allows focusing on the traffic of interest. For example, if there is an issue with network connections to the internet you can use Wireshark to dive deep into some HTTP/S or TCP protocols or more that underline connection to the web.

By providing these capabilities, Wireshark has become a standard tool in industries that require network analysis, cybersecurity, and diagnostics.

How to download Wireshark Network protocol Analyser:

Installing Wireshark is an easy process, follow these simple steps:

  1. Open up Chrome (or whichever browser you prefer) and navigate to Wireshark.
  2. Click on the big ‘Get Started’ button and it will scroll down to the ‘Packages’ section.
  3. The latest stable release as of writing is ‘4.0.7’ – Select the platform that you are on.
  4. Open the package & follow Wireshark’s setup wizard.
  5. Open Wireshark and you’ll be greeted with its graphical user interface.

These are the steps as of writing. Wireshark regularly update their website so the steps may be a little different when you try. The basic premise is the same however. 

The Wireshark User Interface (UI) is a feature-rich environment designed to make network analysis more intuitive and manageable. Here are some key aspects:

  • Capture Options: The UI allows you to select from a list of available network interfaces for data capture. You can also specify filters at this stage to narrow down the data that’s being captured.
  • Packet List Pane: Once the capture begins, packets start populating in this pane in real time. It gives a high-level view of each captured packet including, its timestamp, source, destination, protocol, length, and info.
  • Packet Details Pane: By selecting a packet in the Packet List Pane, you can get detailed information in this pane. It shows the selected packet’s data at each layer of the network protocol stack. (Each section can be expanded for more details)
  • Packet Bytes Pane: This pane displays the raw data of the selected packet in both hexadecimal and ASCII formats.
  • Filter Bar: The Filter Bar above the Packet List Pane allows you to apply filters to the captured data, enabling you to focus on specific packets or network activities.Below I’ve set the filter to only show TCP traffic. In the Packet List Plane all TCP traffic will be shown.
  • Menu Bar: The Menu Bar at the top provides access to several functions and tools including file operations, edit functions, view options, capture settings, analysis tools, and help resources.

Through its well-structured interface, Wireshark allows users to dig deep into network traffic, making it an invaluable tool for network analysis and troubleshooting.

How to analyse data packets:

To capture and analyse packets with Wireshark, follow these simple steps:

  1. Open Wireshark and select the network interface you wish to capture data from in the ‘Capture’ option on the top menu. This could be an Ethernet, Wi-Fi, or other network interface.
  2. Click ‘Start’ to initiate the data capture. Packets will start to flow in real time in the packet-listing window.
  3. To halt the packet capture, click ‘Stop’.
  4. You can now analyse the captured data. Each row represents a packet and displays information like time, source, destination, protocol, length, and info about the packet.
  5. Clicking on a packet will open detailed information in the packet details pane. This structure represents the different protocol layers of the packet.
  6. Filtering can be applied to focus on specific packets. Use the filter bar at the top of the window, input your filter (e.g., ‘ip.addr==192.168.0.1’ to filter by IP address), and click ‘Apply’. Only packets meeting your filter criteria will be displayed.

By following these steps, you will be able to capture and analyse packets using Wireshark effectively. Remember to respect ethical and legal guidelines when capturing and analysing network data.

10 Tips on using WireShark Effectively:

  1. Understand the Protocols: To get the most out of using Wireshark, it is essential to understand the protocols that are being used on a network. Knowing how different protocols interact will allow you to diagnose and troubleshoot potential issues more efficiently. For example, if you don’t understand what TCP or UDP is, or the different attributes there are within packets or frames or other PDUs (protocol data units) you may have a hard time. Luckily for you, I will be covering these topics in depth in a different blog.
  2. Utilize Colour Coding: Wireshark supports colour coding of packets to help you differentiate between different types of traffic. This is a pretty neat feature that allows you to customize the colour coding of different packets by right-clicking on the packet and selecting ‘Apply as Colouring Rule’ option. For example, you might want to colour code error codes in red. E.g. frames/packets that have failed the CRC check, or the ARP or TCP processes in green. Whatever colour scheme helps you analyse critical information quicker.
  3. Use Statistics: Wireshark also includes powerful statistical tools that allow you to review network behavior over time, including average throughput and packet sizes. To access this feature, click on the ‘Statistics’ menu.
  4. Utilize Command Line Tools: Wireshark also comes with a set of command line tools that allow you to capture and analyse packets from the terminal. The available commands are tshark, dumpcap, and editcap.

    Tshark is useful for automating packet analysis, Dumpcap is mainly used when you want to capture packets without using the UI and Editcap is used for managing and preprocessing capture files. (Preprocessing refers to performing operations on capture files before a thourough in-depth analysis.)
  5. Write Custom Filters: Using custom filters can help you quickly focus in on specific packets. This can be done by writing a filter expression with the Filter bar at the top of the window (e.g., ‘ip.addr==192.168.0.1’ to filter by IP address).
  6. Save and Share: You can also save Wireshark captures to a file for later or share with other people. To do this, click on the ‘File’ menu and select either ‘Save As…’ or ‘Export Specified Packets’, respectively.
  7. Take Advantage of Documentation: Wireshark has a lot of features that can be intimidating to understand at first glance. Fortunately, the official Wireshark documentation is very comprehensive and can provide detailed information about specific topics.
  8. Use 3rd-Party Tools: There are several third-party tools that can help you analyse Wireshark captures more effectively. These include tools such as NetworkMiner and Xplico, both of which have powerful features for extracting data from captured packets.

    NetworkMiner is a tool mainly used for forensic analysis. It can capture, analyse and extract information from the network traffic gathered. For example, it can extract files, images, emails and more from the data gathered.

    Xplico is similar to NetworkMiner, being a forensic tool that also can reconstruct and organize the data in a meaningful way. Making it easier to analyse and understand network activity.
  9. Automate Workflows: Wireshark can be used as part of automated workflows with various scripting languages, allowing you to create programs that can capture and analyse packets.
  10. Take Advantage of Plugins: Additional plugins are available for Wireshark that enable further functionality. These include features such as wireless network sniffing and VoIP call decoding. You can find these in the ‘Plugins’ menu.

Wireshark is a powerful tool for network analysis and troubleshooting. With its range of features, you can quickly capture packets and extract valuable information from them. To get the most out of Wireshark, it’s important to understand the basic operations as well as how to use custom filters, save captures, take advantage of documentation

Why monitoring Network Traffic is important:

Monitoring network traffic is crucial for several reasons. First and foremost, it provides visibility into what is happening within your network. This visibility can help you detect unauthorized or suspicious activity, such as a cyber attack or data breach before it causes significant damage. Not only can these attacks cause reputational damage, but the financial damage can be crippling. To the point where a business can well..go out of business. There are all sorts of rules & regulations a business has to follow from GDPR (General Data Protection Act) to HIPPA (Health Insurance Portability and Accountability Act) to PCIDSS (Payment Card Industry Data Security Standard) and more. These are all legal requirements to protect data.

For Network Security engineers in particular, network traffic monitoring is an indispensable tool. It allows them to keep a vigilant eye on possible threats and vulnerabilities, thus enabling proactive protection of the network infrastructure. With real-time network monitoring, Network & Cybersecurity professionals can swiftly identify and neutralize threats, thereby minimizing potential damage. Furthermore, data obtained from network monitoring aids in conducting thorough post-incident analyses, which are crucial for improving future security measures and strategies. Therefore, Network Security Engineers use Wireshark not just as a reactive measure but also serves as a proactive tool for ensuring optimal network security.

Real Life cases:

Troubleshooting Scenario: DNS Resolution Issue

Let’s consider a situation where users on a network are experiencing intermittent issues with web page accessibility, though their network connection seems to be stable. Network Security Engineers can use Wireshark to diagnose this issue.

They can start a Wireshark capture and instruct a user to attempt accessing the problematic web page. The engineers would then stop the capture, and use Wireshark’s powerful filtering capabilities to zero in on DNS traffic by applying the filter `dns`. This would isolate only the packets that are relevant to DNS operations, thereby simplifying the analysis.

Upon close inspection, they might find frequent DNS Query Requests followed by no corresponding DNS Response, an indication of a DNS resolution problem. This could mean the DNS server isn’t responding in time or there are network delays causing the DNS server’s response to arrive too late. Armed with this information, network engineers can then focus their troubleshooting efforts on the DNS server or network latency issues, guiding them towards a timely resolution of the problem.

Troubleshooting Scenario: Identifying Network Latency Issues

Imagine a scenario where a company is experiencing sluggish application performance across its network. Users report that certain hosted applications are slow, affecting productivity. A Network Security Engineer can employ Wireshark to identify the root cause of this latency.

The engineer would start a Wireshark packet capture while the slow application is in use. After the capture, they can utilize Wireshark’s “Statistics” feature to get an overview of the conversation between the client and the server, focusing on TCP streams.

By studying the TCP stream, they might notice a high number of TCP retransmissions. This indicates that the network is congested, causing packets to be dropped and retransmitted, leading to the slow performance. Additional inspection may reveal a spike in traffic from a specific IP or MAC address, possibly pinpointing a single device or application that’s consuming excessive bandwidth.

With this analysis, the engineer can take targeted steps to mitigate network congestion, such as addressing the bandwidth-hogging device or reviewing QoS settings, efficiently resolving the latency issues and restoring application performance to optimal levels.

Troubleshooting Scenario: Resolving DHCP Issues

Consider a situation where a company’s employees are unable to establish a connection to the network. The employees report that they are not receiving valid IP addresses when they attempt to connect their devices to the network. A possible cause could be an issue with the Dynamic Host Configuration Protocol (DHCP) server, which is responsible for assigning IP addresses to devices.

To troubleshoot this problem, the Network Security Engineer can use Wireshark to capture packets on the network. By filtering for DHCP packets, the engineer can verify whether or not devices are sending DHCP request packets and whether the DHCP server is responding appropriately. If the server is not responding, or if the responses are not reaching the client, the issue is likely with the DHCP server or the path between the server and clients.

Upon identifying the DHCP server issue, the engineer can take necessary actions such as rebooting the server, checking for correct configuration, or ensuring that no other device is conflicting with the server’s operation. By doing so, the network connectivity issue can be resolved, restoring normal operation and allowing employees to connect their devices to the network.

Wireshark Plugins and Their Utility

Wireshark, being an open-source packet analyser, enables developers to extend its functionality by adding plugins. These plugins serve as valuable tools to extract and visualize data, performing specific tasks that fulfill user requirements.

One of the most popular plugins is the `SSL/TLS Decryption` plugin. In an era where encrypted traffic is the norm, this plugin serves as an invaluable tool for troubleshooting, as it allows network engineers to decrypt and inspect SSL/TLS traffic, given they have access to the necessary keys.

Another worthwhile mention is the `GeoIP` plugin. This plugin provides the geographic location of IP addresses captured in the packet data, offering valuable context and insights about the geographical origin and destination of the traffic.

Yet another notable plugin is `Follow TCP Stream`, which reassembles and displays all the packets in a TCP session. This plugin is particularly useful when you need to see the entire conversation between two nodes.

Lastly, the `HTTP Analysis` plugin is also quite useful. It provides a breakdown of HTTP traffic, showing the HTTP methods used, the response codes, and even the size of the data being transferred. This can be particularly useful when troubleshooting web-based applications.

Is WireShark the best Packet Sniffer?

Wireshark is certainly an excellent packet sniffer, renowned for its detailed data analytics capabilities and comprehensive range of features. Its ability to provide granular insights into network traffic, coupled with its wide array of custom filters, makes it a go-to tool for many Network Security Engineers. However, it’s worth noting that there are several other packet sniffers available, each with its own strengths and unique features.

For instance, SolarWinds offers a packet sniffing tool that features a user-friendly GUI and advanced network performance metrics. EtherApe, on the other hand, is recognized for its unique graphical network display. Another notable packet sniffer is Kismet, which specializes in 802.11 wireless networks and includes features like intrusion detection and network discovery.

While Wireshark may be an optimal choice for some, the ‘best’ packet sniffer ultimately depends on specific user requirements and preferences. I will be covering these and other packet sniffers in more detail in future blogs, providing comprehensive insights to help you select the right tool for your network monitoring needs.

Bottom Line:

Wireshark is a powerful network analyser that provides users with a range of benefits, including troubleshooting networking issues, identifying security risks, and optimizing network performance. While utilizing Wireshark effectively requires some technical knowledge, it is a vital tool for IT professionals in the networking industry. By following these tips and leveraging the available resources, users can deepen their understanding of network traffic and enhance their overall productivity and efficiency. Whether you’re an IT professional, a network administrator, or a security analyst, Wireshark is an indispensable asset in your toolbox.

References:

Data Analysis Image: Image by rawpixel.com on Freepik


Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *