Wireshark: Packet & Protocol Analyzer
Wireshark is a tool that anyone interested in security or networking more or less has to know. It is a program that captures and analyses packets on any interface that supports capturing, and it is built on top of the pcap API (libpcap). It can be thought of as a graphical counterpart of tcpdump, though its traffic-analysis options and multi-OS portability make it the uncontested must-know tool for anyone sniffing and analysing packets.
Packet capture programs work roughly as follows. When a frame reaches the network card, it carries a destination MAC address (the data link layer address). Every network interface is assigned a unique burned-in MAC address that acts as the fingerprint of the device and is used for identification (later we look at how this can be spoofed). When the network card receives a frame, it compares the destination MAC address against its own to see whether the frame is meant for it; if the MAC address does not match, the card drops the frame. To capture every frame the card sees, the pcap API puts the card into what is known as promiscuous mode, which instructs the card to pass up every frame it receives, regardless of whether the frame was actually addressed to our device.
The image below shows the general capture interface.
There is more than enough material online to walk people of any skill level through the basics of Wireshark, one such example being The Complete Wireshark Tutorial.
We will look at only a few interesting features of this multi-faceted tool, since tools are best learnt through hands-on practice.
If we want to capture only certain packets, such as those from a specific endpoint or of a specific protocol, we use filters. There is a huge variety of filters, but fundamentally a filter is applied either before the packets are captured (a Capture Filter) or after (a Display Filter). With a capture filter, Wireshark keeps only the packets that satisfy the criteria and drops the rest. The screenshot below shows a capture filter being applied on the start window of Wireshark.
The image below shows the filter bar (the bar with the green highlighted text) on the capture window of Wireshark, where the expression for a display filter is entered.
Capture filters offer fewer options than display filters, because many fields only become available after a packet has been captured and dissected by the various protocol layers. Both have their uses: capture filters keep the capture file small and focused, while display filters let us concentrate on certain aspects while retaining all other packets for further analysis.
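To make the difference concrete, here is an added example (not code from the original post or from Wireshark) that simulates, in plain Python, the NIC's MAC check with and without promiscuous mode and then the two filtering stages: a capture filter that discards frames before they reach the file, and a display filter that only hides them. The MACs, IP addresses and frames are constructed sample data, and the filter callables stand in for BPF and display-filter expressions.

```python
import struct

OUR_MAC = bytes.fromhex("020000000001")   # assumed MAC of the capturing NIC (constructed)
BROADCAST = b"\xff" * 6

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet II / IPv4 / TCP SYN frame (20-byte IP and TCP headers, no payload)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Decode just the fields a filter expression would reference: MACs, IPs, protocol and TCP ports."""
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"dst_mac": frame[:6], "src_mac": frame[6:12], "proto": frame[23],
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport}

def nic_accepts(frame, promiscuous):
    """The NIC's address check: normally only frames for our MAC or broadcast; promiscuous mode accepts all."""
    return promiscuous or frame[:6] in (OUR_MAC, BROADCAST)

def capture(frames, promiscuous, capture_filter):
    """Capture stage: frames failing the NIC check or the capture filter are dropped and never reach the file."""
    return [f for f in frames if nic_accepts(f, promiscuous) and capture_filter(parse_frame(f))]

def display(capture_file, display_filter):
    """Display stage: a filtered view of the file; the file itself is retained and can be re-filtered."""
    return [f for f in capture_file if display_filter(parse_frame(f))]

# Constructed sample traffic (not a real capture); 192.0.2.0/24 and 02:xx MACs are documentation values.
GATEWAY, OTHER_MAC = bytes.fromhex("020000000003"), bytes.fromhex("020000000002")
SAMPLE = [
    build_frame(OUR_MAC, GATEWAY, "192.0.2.10", "192.0.2.5", 443, 50000),     # HTTPS reply to us
    build_frame(OTHER_MAC, GATEWAY, "192.0.2.9", "192.0.2.7", 50001, 22),     # SSH to another host
    build_frame(BROADCAST, OTHER_MAC, "192.0.2.7", "192.0.2.255", 4000, 4000), # broadcast
    build_frame(OTHER_MAC, GATEWAY, "192.0.2.9", "192.0.2.7", 50002, 443),    # HTTPS to another host
]

def demo():
    # Normal mode: only the frame addressed to us and the broadcast are handed up.
    normal = capture(SAMPLE, False, lambda p: True)
    # Promiscuous mode with a capture filter equivalent to "tcp port 443": SSH and broadcast are lost for good.
    focused = capture(SAMPLE, True, lambda p: 443 in (p["sport"], p["dport"]))
    # Promiscuous mode, no capture filter, then a display filter equivalent to "tcp.dstport == 22".
    full = capture(SAMPLE, True, lambda p: True)
    view = display(full, lambda p: p["dport"] == 22)
    return len(normal), len(focused), len(full), len(view)   # → (2, 2, 4, 1)
```

Note that `focused` can never be re-filtered to show the SSH frame, whereas `full` can: that is the practical cost of a tight capture filter during an investigation.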
Analysing and Statistics
The Analyze menu contains options for analysing the traffic. One of the more interesting ones lets us view conversations (the exchanges between two specific endpoints). The Statistics menu has options to resolve all the IP addresses in the capture file, list all the endpoints in the capture, map port numbers to service names using a built-in table, and so on. (Note: not all ports are used for their standard service, so Wireshark may label a port with its default service even though its actual use in a given capture is different.)
Wireshark is a must-know tool about which volumes have been written. This article is aimed only at putting the tool on the record of important and useful tools that I hope to list in this blog (although the blog is primarily aimed at covering concepts and ideas in security, knowledge of a good set of tools is invaluable). The tutorial linked in this post (The Complete Wireshark Tutorial) does far better justice to the nuances and usage of this tool.