What Is Wireshark? – Wireshark, as discussed earlier, is the most widely used open source packet analyzer, and there is a reason behind its huge following. It offers a large feature set, dissectors for a long list of common and uncommon protocols, an easy-to-navigate GUI, and installs and runs on Windows, Linux, and Mac OS X at no cost at all.
Wireshark can be downloaded and installed from the official website ( http://www.wireshark.org ). The installation is straightforward, and within a few clicks you will be up and running with Wireshark on a Windows machine. On Linux, capture privileges are normally granted to the dumpcap helper (for example, by adding your user to the wireshark group) rather than by running the GUI as root.
The Purpose Of Sniffing
Packet sniffing is performed in order to understand what actually flows through our networks. Just as poison in the bloodstream can kill an individual, malicious traffic traversing a network can have a severe and sometimes irreparable effect on network devices, performance, and business continuity.
Sniffing helps a network analyst verify that the network and its security devices, such as routers, switches, firewalls, IDS, or IPS, are implemented and behaving as expected, and it confirms whether data is actually traversing secure channels of communication rather than being assumed to.
Security analysts use sniffing to gather evidence after a security breach: the source of the attack, its time and duration, the protocols and port numbers involved, and the data transmitted in the course of the attack. A capture can also prove that an insecure protocol was used to transmit sensitive information, for example credentials sent over a cleartext protocol.
First Packet Capture
Let’s get started with our first packet capture using Wireshark by following these steps:
- Launch Wireshark
- Select the correct interface to capture traffic. This can be done by navigating to the Menu bar and clicking on Capture | Interfaces (As a shortcut, we may choose Ctrl + I). Once we have the Wireshark: Capture Interfaces window open, perform the following steps:
- Select the Internet-facing interface (for example, Wi-Fi in my case). A good indication of the active interface is the Packets and Packets/s column on the right-hand side of the window as shown in the following screenshot:
- After selecting the interface, click on the Options button, as highlighted in the screenshot, and the Wireshark: Capture Options window pops up as shown in the following screenshot. Leave the defaults for now and click on Start to begin capturing.
- The next step is to let Wireshark run in the background and open a browser of your choice (for example, Mozilla Firefox in my case) and browse example.com .
- Once example.com loads, navigate to Wireshark, and stop the packet capture, by clicking on the Stop button in the main toolbar. Once stopped, the capture appears as shown in the following screenshot:
In the preceding screenshot, we can see Wireshark’s menu bar, main toolbar and filter toolbar followed by three different panes and the Status bar. The three panes are as follows:
- Packet List pane: This pane lists the packets captured by Wireshark with some basic details about each (number, time, source, destination, protocol, length, and a one-line info summary). For example, the first packet in our capture is a SYN packet, the first step of the TCP three-way handshake from the client to the server.
- Packet Details pane: If we select any packet in the Packet List pane, its details are shown in this pane. For example, after selecting the first packet in our capture, we can look at it at a more granular level, that is, how it is encapsulated at each layer of the TCP/IP model (for example, the source and destination ports under Transmission Control Protocol (TCP), the Transport layer). The pane shows the protocols and their fields in an expandable tree and also displays links when the current packet has a relationship to another packet in the same capture (for example, a request and its response in a single conversation).
- Packet Bytes pane: This pane displays the raw bytes of the selected packet as a hex dump with an ASCII column, and highlights the bytes that belong to whatever field is selected in the Packet Details pane.
- The final step is to save the captured packets. We can do this by navigating to the menu bar, clicking on File | Save, and saving the file under an appropriate name in the directory of your choice. Current Wireshark versions save in the pcapng format by default; the Save dialog lets you pick the classic pcap format if another tool needs it.
Congratulations! With this, we have successfully captured and saved our first trace file.
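To make the three panes concrete, and to show the kind of evidence extraction described under The Purpose Of Sniffing, here is an added Python example that is not part of the original text and not Wireshark's own code. It reads a classic pcap file (the format `File | Save` produces when pcap is chosen, or `editcap -F pcap` converts to) and renders, for each Ethernet/IPv4/TCP packet, what Wireshark's Packet List, Packet Details and Packet Bytes panes show, then flags packets on well-known cleartext ports. The capture it processes is constructed inline (a SYN and SYN/ACK between two RFC 5737 documentation addresses, checksums left zero) so it runs offline; the port-to-protocol table is an assumption used only as a heuristic.

```python
import struct

LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
# Assumed port heuristic only: a real check inspects the payload, as Wireshark's dissectors do.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}

def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, src_mac, dst_mac):
    """Ethernet + IPv4 + TCP headers, no options, no payload (54 bytes). Checksums left zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip + tcp

def build_sample_pcap():
    """Constructed capture (not a real trace): 192.0.2.10 opens TCP/80 on 198.51.100.80."""
    cmac, smac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    cip, sip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80])
    syn = tcp_frame(cip, sip, 51000, 80, 1000, 0, 0x02, cmac, smac)
    synack = tcp_frame(sip, cip, 80, 51000, 5000, 1001, 0x12, smac, cmac)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = lambda sec, usec, f: struct.pack("<IIII", sec, usec, len(f), len(f)) + f  # record header
    return header + rec(1700000000, 0, syn) + rec(1700000000, 12500, synack)

def read_pcap(data):
    """Return [(timestamp, frame), ...] from a classic pcap written in either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng needs a different reader)")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append((sec + usec / 1e6, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return frames

def dissect(frame):
    """Packet Details pane: a dict of fields per layer, Ethernet -> IPv4 -> TCP."""
    if len(frame) < 14:
        return {}
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers = {"Ethernet": {"src": mac(src), "dst": mac(dst), "type": f"0x{etype:04x}"}}
    if etype != 0x0800 or len(frame) < 34:
        return layers
    ver_ihl, _, tot_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    layers["IPv4"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
                      "ttl": ttl, "proto": proto, "length": tot_len}
    t = 14 + (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words, so IP options are skipped
    if proto != 6 or len(frame) < t + 20:
        return layers
    sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", frame[t:t + 20])
    layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                     "flags": [n for bit, n in TCP_FLAG_NAMES.items() if off_flags & bit]}
    return layers

def summary(no, t0, ts, layers, length):
    """Packet List pane: one line per packet, time relative to the first packet."""
    ip, tcp = layers.get("IPv4"), layers.get("TCP")
    if not tcp:
        return f"{no:>4} {ts - t0:10.6f} {layers['Ethernet']['src']} -> {layers['Ethernet']['dst']} {length:>4}"
    return (f"{no:>4} {ts - t0:10.6f} {ip['src']:>15} -> {ip['dst']:<15} TCP {length:>4} "
            f"{tcp['sport']} -> {tcp['dport']} [{','.join(tcp['flags'])}] "
            f"Seq={tcp['seq']} Ack={tcp['ack']} Win={tcp['window']}")

def hexdump(frame):
    """Packet Bytes pane: offset, 16 hex bytes and printable ASCII per line."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<47}  {text}")
    return lines

def cleartext_protocol(layers):
    """Name a well-known cleartext service if either TCP port matches, else None."""
    tcp = layers.get("TCP")
    return tcp and (CLEARTEXT_PORTS.get(tcp["dport"]) or CLEARTEXT_PORTS.get(tcp["sport"]))

def analyze(data):
    """Evidence summary: packet list plus a note under each packet on a cleartext port."""
    frames = read_pcap(data)
    t0 = frames[0][0] if frames else 0.0
    report = []
    for no, (ts, frame) in enumerate(frames, 1):
        layers = dissect(frame)
        report.append(summary(no, t0, ts, layers, len(frame)))
        proto = cleartext_protocol(layers)
        if proto:
            report.append(f"      note: {proto} is cleartext; inspect the payload for credentials")
    return report

if __name__ == "__main__":
    capture = build_sample_pcap()  # replace with open("first_capture.pcap", "rb").read()
    print("\n".join(analyze(capture)))
    first = read_pcap(capture)[0][1]
    print(*(f"{name}: {fields}" for name, fields in dissect(first).items()), sep="\n")
    print("\n".join(hexdump(first)))
```

Run it as-is to see the constructed handshake rendered the way the three panes would show it, then point `capture` at the trace file you saved above. The reader deliberately handles only classic pcap, Ethernet, IPv4 and TCP; anything else (pcapng, IPv6, UDP, VLAN tags) is where Wireshark's real dissectors earn their keep, and the cleartext flag is a port heuristic that a service on a non-standard port will evade.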