Wireshark

Wireshark is an application that lets you capture and analyze network traffic. Wireshark is useful for learning about networking and troubleshooting network problems.

Learning Objectives

You should be able to:

• Describe the purpose of Wireshark
• Capture packets using Wireshark
• Analyze Wireshark packet captures

Video Walkthrough

Use this video to follow along with the steps in this lab.

Install Wireshark

Wireshark is an open-source application that captures network packets. It is available for free on Windows, Mac, and Linux.

It is best to do this lab in a virtual machine because Windows and Mac operating systems have a lot of background tasks constantly connecting to the network. Running Wireshark in a virtual machine helps you capture the data that you want and nothing more.

• Connect to your Windows Server virtual machine.
• Go to the Wireshark download page from within your virtual machine.
• Download the latest Windows x64 Installer.
• Run the installation, accepting all defaults.
• Note that at one point, Wireshark will launch a separate installation for a tool that captures the packets. Follow the prompts to install this tool as well.

Proceed with the next section when the Wireshark install finishes.

Running Wireshark

• Open your web browser.
  • Reduce the size of the Firefox window.
  • You will use this browser to generate traffic that Wireshark will capture.
• Launch Wireshark.
• Wireshark needs to know which network interface to use for capturing packets.
• Double-click on Ethernet 2 to choose the ethernet connection and start capturing packets.
• Open your web browser and go to cnn.com.
  
• Once the web page loads, return to Wireshark and stop the capture. It can be stopped in two ways.
  • Click the red square icon.
  • Click Capture > Stop.

• You should see a lot of data in Wireshark. The network traffic has been captured. You can scroll down the list of packets to see how many packets were captured. In my short capture, over 6,000 individual packets were sent or received.

Capturing packets in Wireshark is the easy part.

Analyzing Packet Captures

• Close your browser to get it out of the way.
• Maximize the Wireshark interface.
• Wireshark's display filters let you filter packets. Display filters can help you find packets using a specific protocol, for example.
• In the display filter, type dns and press enter to apply the filter.
  • The filter background color should be green to indicate that you have applied a valid filter.

• At this point, many packets are hidden. You can see that the packet numbers in the first column will not be continuous, but they will still be ordered.

• The following screenshot shows DNS packets that are likely similar to what you see.

• The No. column is the packet number. Every packet is numbered sequentially in the order in which it is received. The number is attached to the packet, so even if you sorted the data differently, the first packet captured will retain the number 1.
• The Time column displays the time the packet was captured after the capture was started. Wireshark counts time 0 when the first packet is captured.
• The Source column shows who sent the packet. Sometimes, the source will be your computer. Sometimes, the source will be the computer sending you the data. If you were capturing data for an entire network segment, you would have many different users as sources.
• The Destination column is the packet recipient.
• The Protocol displays the network protocol used. These protocols could be DNS, HTTP, TCP, UDP, and many other ingredients of the acronymn soup that is computer networking.
• The Length is the number of bytes in the packet.
• The Info column tries to display a relevant summary of the packet.
• The sample packet in the screenshot shows a DNS request and response.
  • The first packet was a request to DNS for an A record (IPv4) for cnn.com.
  • The third packet came 0.02 seconds later with a response from the DNS server.
  • So your computer formulated the request, sent it to your router, and the internet moved the packet across the internet to a DNS server, and the DNS server looked up cnn.com's IPv4 address, sent it back across the internet, and your computer decoded the response. And that entire process took 0.02 seconds. Honestly, that's amazing.
• Select the first DNS packet by clicking anywhere on the first row in the list of captured packets.
• There are 3 main parts of the Wireshark interface for analyzing a packet.

• The list of packets lets you select different packets. This list can be filtered and sorted. You can select individual packets.
• The packet details section shows information about the currently selected packet. The information is segmented by protocol. As shown in the screenshot, there is information about ethernet, internet protocol, user datagram protocol, and the domain name system. All of these protocols worked together to perform the DNS request. Each of these protocols can be evaluated by expanding the arrows.
• The packet bytes pane shows the raw data in hexadecimal format. If you select a part of the packet in the packet details, that portion of the packet will be highlighted in the packet bytes. For example, the following screenshot shows the Source Address highlighted in the packet details. The packet details show 4 sets of hexadecimal numbers which represent the IP address. The right side of the packet bytes pane will attempt to render the hexadecimal characters but will show a period if the characters cannot be rendered as regular text characters.

So What?

Wireshark lets you peek under the covers of your network traffic to discover what is really going on. Most people will never have to look at or understand this traffic because engineers and administrators effectively hide this complexity. But occasionally, network administrators need to look at packets in this level of detail for troubleshooting or threat hunting.

In this sample capture, you only captured packets that originated or were destined for your computer. But, network administrators can put packet capture software are network choke points to capture everybody's traffic. This traffic is used to determine if somebody's computer has malware and might be trying to exfiltrate data to a foreign adversary. The data could be used to find an employee gambling on company time using company equipment. For a massive data collection and analysis, you would not use Wireshark, but the programs you would use capture packets in the same way. The software, like Snort, captures the packets and then applies rules to determine the packets that might be suspicious. Alerts might be raised, and employees working in a security operations center (SOC) might triage the alert to determine if action needs to be taken. Continuous network traffic monitoring is increasingly becoming an industry standard. Threat hunting is the process of manually looking for malicious traffic that the automated tools might miss. Threat hunters use a variety of tools and techniques to periodically inspect network traffic. Wireshark could be one of the tools that threat hunters use on a subset of a large amount of data.

Back to the Packets

Clearing display filters and applying new filters is critical. This trips up a lot of new Wireshark users.

• Click the X icon in the filter bar to clear the current filter.
• All of the captured packets will now be displayed in the packet list.
• Enter tcp as the display filter.
  • Look for the TCP handshake. TCP is a connection-oriented protocol. A connection must be established before any application data is transmitted with TCP. The TCP handshake is a 3 step process with a synchronization (SYN) packet sent to the recipient, the synchronization packet along with an acknowledgement (ACK) is sent back to the originator, and the originator responds with an acknowledgment. The following screenshot shows the TCP handshake.

Capture Unencrypted Web Traffic

• In Wireshark, choose File > Close. Choose to continue without saving.
• Clear any display filters.
• Select Ethernet 2 from the list.
• Enter tcp port http as a capture filter.
• Double-click Ethernet 2 to start capturing packets.

• In your web browser, open http://neverssl.com. Be sure to type http:// to force your browser to use http instead of the encrypted https.
• Once the page loads, stop the capture in Wireshark.
• In Wireshark, pick an HTTP protocol row, right-click, and choose Follow > HTTP Stream.

• You may have to change streams to find the web page's content. Eventually, you should see the source code of the website.

The purpose of capturing NeverSSL.com is to show the importance of encrypting traffic. CNN's content was encrypted, so Wireshark could not display the text. NeverSSL's content was not encrypted, and therefore the page content could be read in Wireshark.

Challenge

• Spend some time in Wireshark evaluating packet data.
• Sort by the Protocol column by clicking on it. What protocols were used?
• How many DNS queries were run when loading cnn.com? Why so many if you just browsed one site?
• Apply the tcp filter. Right-click on one of the packets and choose Follow > TCP Stream. This will find all of the related TCP packets and assemble them.

• Change streams using the up and down arrows in the bottom-right corner of the window.

• Some of the streams will be in cleartext, but some of them may be encrypted. Note that your web browser had the key to decrypt all of this data, but Wireshark does not. Without the key, packet capture software cannot decrypt encrypted data.

Reflection

• What could hackers do with Wireshark if they could capture your packets?
• How do you feel about network administrators tracking your network usage?

Key Terms

• Packet: A unit of data transmitted over a network. Packets contain both the data being sent and control information, such as source and destination addresses, necessary for routing the data to its intended recipient.
• Packet Capture: The process of intercepting and logging traffic that passes over a computer network. Packet capture tools collect data packets for analysis, helping network administrators and security professionals diagnose issues and monitor network activity.
• Wireshark: A popular open-source network protocol analyzer used for network troubleshooting, analysis, and education. It captures and displays data packets in real-time, allowing users to inspect the details of network traffic.
• Wireshark Capture Filter: A set of criteria used to specify which packets should be captured by Wireshark during a packet capture session. Capture filters are applied before the data is collected, allowing users to focus on specific types of traffic and reduce the amount of data captured.
• Wireshark Display Filter: A set of criteria used to specify which packets should be displayed in Wireshark after the data has been captured. Display filters allow users to focus on specific packets of interest within a larger capture file, making it easier to analyze and troubleshoot network issues.
• Wireshark TCP Stream: A feature in Wireshark that allows users to follow and analyze the sequence of packets that make up a single TCP connection. It reconstructs the data flow between two endpoints, providing a clear view of the communication within that TCP session.
• TCP Handshake: The process used to establish a TCP connection between two devices on a network. It involves a three-step exchange of packets: SYN, SYN-ACK, and ACK.