Network traffic using Wireshark

Network Traffic Analysis with Wireshark: A Beginner's Guide

Introduction

Wireshark is a powerful, free, and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. Essentially, it allows you to "see" the data flowing across your network. This article provides a comprehensive beginner's guide to understanding and utilizing Wireshark to capture and analyze network traffic. We'll cover the basics of packet capture, filtering, dissection, and interpretation, equipping you with the foundational knowledge to diagnose network issues and understand network communication. This is crucial for Network Security professionals and anyone interested in understanding how data travels.

What is Network Traffic and Why Analyze it?

Network traffic consists of small units of data called *packets*. These packets contain the information being sent between devices on a network, such as your computer, smartphone, server, or router. Each packet includes source and destination addresses, the data itself, and control information.

Analyzing network traffic is valuable for several reasons:

  • **Troubleshooting Network Issues:** Identifying slow connections, dropped packets, or network outages.
  • **Security Analysis:** Detecting malicious activity, such as unauthorized access attempts or data exfiltration. Understanding Malware Analysis often starts with network traffic inspection.
  • **Application Performance Monitoring:** Identifying bottlenecks in application performance and optimizing network usage.
  • **Protocol Analysis:** Understanding how different network protocols function.
  • **Debugging:** Diagnosing issues within network applications.
  • **Learning:** Gaining a deeper understanding of networking concepts. It complements Network Fundamentals.

Installing Wireshark

Wireshark can be downloaded from its official website: https://www.wireshark.org/download.html. Installation is straightforward on most operating systems (Windows, macOS, Linux).

  • **Windows:** The installer typically includes WinPcap or Npcap, which are packet capture drivers. Npcap is the recommended option as it provides better performance and supports loopback traffic capture. Ensure you install Npcap with administrator privileges.
  • **macOS:** Wireshark requires `ChmodBPF` to be installed to capture packets. The installer will usually prompt you to install this.
  • **Linux:** Installation is typically done through your distribution's package manager (e.g., `apt-get install wireshark` on Debian/Ubuntu, `yum install wireshark` on CentOS/RHEL). You may need to configure permissions to allow non-root users to capture packets. This often involves adding your user to the `wireshark` group.

The Wireshark Interface

Upon launching Wireshark, you'll be presented with a complex interface. Here’s a breakdown of the key components:

  • **Capture Options:** Allows you to select the network interface to capture traffic from.
  • **Packet List Pane (Top):** Displays a list of captured packets, showing information like packet number, time, source, destination, protocol, and a brief info summary.
  • **Packet Details Pane (Middle):** Displays the detailed information about the selected packet, broken down into protocol layers. This is where you examine the individual fields within each packet. This pane is vital for Packet Inspection.
  • **Packet Bytes Pane (Bottom):** Displays the raw hexadecimal and ASCII representation of the selected packet’s data.
  • **Filter Toolbar:** Allows you to filter the captured packets based on various criteria. This is arguably the most important feature of Wireshark.
  • **Main Menu:** Provides access to various functions, including file operations, capture options, analysis tools, and settings.

Capturing Network Traffic

  1. **Select an Interface:** In the main Wireshark window, choose the network interface you want to capture traffic from. This is usually your Ethernet adapter, Wi-Fi adapter, or a virtual interface. Double-clicking an interface will start capturing traffic immediately.
  2. **Start Capture:** Click the "Start Capture" button (the shark fin icon) to begin capturing packets.
  3. **Generate Traffic:** While capturing, generate some network traffic. This could involve browsing a website, sending an email, or running a network application.
  4. **Stop Capture:** Click the "Stop Capture" button (the red square icon) to stop capturing packets when you've collected enough data.

Understanding Packet List Columns

The Packet List Pane displays several columns by default. Here's a description of the most common ones:

  • **No.:** The sequential number of the packet.
  • **Time:** The time the packet was captured.
  • **Source:** The IP address or MAC address of the packet's sender.
  • **Destination:** The IP address or MAC address of the packet's recipient.
  • **Protocol:** The network protocol used (e.g., TCP, UDP, HTTP, DNS).
  • **Length:** The size of the packet in bytes.
  • **Info:** A brief summary of the packet's content.

You can customize these columns by right-clicking on the column headers and selecting "Column Preferences."

Filtering Packets

Filtering is essential for focusing on relevant traffic. Wireshark offers two types of filters:

  • **Capture Filters:** Applied *before* capturing traffic, reducing the amount of data captured. They are more efficient for capturing only specific types of traffic. Examples:
   *   `host 192.168.1.1`: Captures traffic to or from the IP address 192.168.1.1.
   *   `port 80`: Captures traffic on port 80 (typically HTTP).
   *   `tcp`: Captures only TCP traffic.
  • **Display Filters:** Applied *after* capturing traffic, filtering the displayed packets. They are more flexible and allow you to filter based on a wider range of criteria. Examples:
   *   `ip.addr == 192.168.1.1`:  Displays packets with either source or destination IP address 192.168.1.1.
   *   `tcp.port == 80`: Displays packets with either source or destination TCP port 80.
   *   `http.request.method == "GET"`: Displays HTTP GET requests.
   *   `dns`: Displays DNS traffic.
   *   `icmp`: Displays ICMP traffic (ping).

To apply a display filter, type it into the filter toolbar and press Enter. The packets that match the filter will be displayed. Learning to craft effective filters is a key skill in Network Forensics.

Dissecting Packets: The Packet Details Pane

The Packet Details Pane is where you examine the individual layers of a packet. Wireshark dissects packets according to the OSI model or TCP/IP model, displaying each layer's headers and data.

  • **Ethernet:** The lowest layer, containing MAC addresses.
  • **IP:** Contains source and destination IP addresses, TTL (Time To Live), and protocol information.
  • **TCP/UDP:** Transport layer protocols. TCP provides reliable, connection-oriented communication, while UDP provides unreliable, connectionless communication.
  • **Application Layer:** Contains the data specific to the application being used (e.g., HTTP, DNS, SMTP).

Expanding each layer reveals its individual fields. For example, in a TCP packet, you can see the source and destination ports, sequence numbers, acknowledgment numbers, and flags. Understanding these fields is crucial for Protocol Analysis.
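The following is an added example, not code from the original article or from the Wireshark project: it builds a constructed single-packet `.pcap` in memory, dissects the Ethernet, IP and TCP layers described above into Wireshark-style field names, and then evaluates display-filter tests such as `ip.addr == 192.168.1.1` and `tcp.port == 80` with the same either-direction semantics the Filtering section describes. The sample addresses and ports are constructed, and only little-endian microsecond pcap with Ethernet link type is handled.

```python
import struct
from ipaddress import IPv4Address

# Either-direction fields, as in Wireshark display filters: ip.addr matches
# ip.src or ip.dst, tcp.port matches tcp.srcport or tcp.dstport.
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10)]

def build_sample_pcap() -> bytes:
    """Constructed sample, not a real capture: one TCP SYN 192.168.1.10:51234 -> 192.168.1.1:80."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"                      # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address("192.168.1.10").packed, IPv4Address("192.168.1.1").packed)
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    rhdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))  # ts_sec, ts_usec, caplen, len
    return ghdr + rhdr + frame

def dissect_pcap(data: bytes) -> list:
    """Walk a little-endian pcap and dissect Ethernet / IPv4 / TCP headers into a dict per packet."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        pkt = {"frame.time": ts_sec + ts_usec / 1e6, "frame.len": caplen,
               "eth.type": struct.unpack_from("!H", frame, 12)[0]}
        if pkt["eth.type"] == 0x0800 and len(frame) >= 34:                # IPv4 header follows Ethernet
            ihl = (frame[14] & 0x0F) * 4
            pkt["ip.ttl"], pkt["ip.proto"] = frame[22], frame[23]
            pkt["ip.src"], pkt["ip.dst"] = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
            if pkt["ip.proto"] == 6 and len(frame) >= 14 + ihl + 20:      # TCP header follows IP
                sp, dp, seq, ack, _, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
                pkt.update({"tcp.srcport": sp, "tcp.dstport": dp, "tcp.seq": seq, "tcp.ack": ack,
                            "tcp.flags": [name for name, bit in TCP_FLAGS if flags & bit]})
        packets.append(pkt)
    return packets

def matches(pkt: dict, field: str, value) -> bool:
    """Evaluate one 'field == value' display-filter test, honouring either-direction fields."""
    return any(pkt.get(f) == value for f in EITHER.get(field, (field,)))

def apply_filter(packets: list, field: str, value) -> list:
    return [p for p in packets if matches(p, field, value)]
```

Note that `tcp.port == 80` matches the SYN because the destination port is 80, while `tcp.srcport == 80` does not; the same distinction applies in Wireshark's filter toolbar.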

Common Protocols and What to Look For

  • **HTTP (Port 80; HTTPS on 443):** Used for web browsing. Look for request methods (GET, POST), status codes (200 OK, 404 Not Found), and data transmitted in the request and response bodies. On port 443 the payload is TLS-encrypted, so Wireshark shows only the TLS handshake and connection metadata unless session keys are supplied. Analyzing HTTP traffic is beneficial for Web Application Security assessment.
  • **DNS (Port 53):** Used for resolving domain names to IP addresses. Look for DNS queries and responses. Suspicious DNS requests could indicate malware activity. Monitoring DNS traffic is part of Threat Intelligence.
  • **TCP (Ports vary):** The foundation of many applications. Look for connection establishment (SYN, SYN-ACK, ACK), data transfer, and connection termination (FIN, ACK). Analyzing TCP handshakes can reveal connection issues.
  • **UDP (Ports vary):** Used for streaming media, online gaming, and DNS. Less reliable than TCP, but faster.
  • **ICMP (no port; carried directly in IP):** Used for network diagnostics (ping). Look for echo requests and replies. Excessive ICMP traffic could indicate a denial-of-service attack. Examining ICMP responses is part of Network Troubleshooting.
  • **SMTP (Port 25):** Used for sending email. Analyzing SMTP traffic can reveal email communication patterns.
  • **SSH (Port 22):** Used for secure remote access. The session payload is encrypted, so Wireshark shows only the cleartext start of the connection (protocol banners, key exchange negotiation) and connection metadata; user credentials and executed commands would be visible only if the traffic were decrypted.

Following TCP Streams

Wireshark allows you to follow a TCP stream, which reconstructs the entire conversation between two devices. Right-click on a TCP packet and select "Follow" -> "TCP Stream." This will display all packets belonging to that stream in a new window, making it easier to understand the overall communication flow. This is extremely useful for debugging application-level protocols.
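The reassembly that "Follow TCP Stream" performs, as an added example that is not part of the original article or of Wireshark's code: it groups already-dissected segments by their canonical 4-tuple, orders each direction by sequence number, discards a retransmitted duplicate, and counts a jump in sequence numbers as a gap (what Wireshark flags as a previous segment not captured). The packets, addresses and HTTP payloads below are constructed.

```python
CLIENT, SERVER = ("192.168.1.10", 51234), ("192.168.1.1", 80)

def seg(src, dst, seq, payload):
    """One dissected TCP segment, shaped like the per-packet fields Wireshark displays."""
    return {"ip.src": src[0], "tcp.srcport": src[1], "ip.dst": dst[0], "tcp.dstport": dst[1],
            "tcp.seq": seq, "tcp.payload": payload}

# Constructed sample (not a real capture): an HTTP exchange captured out of order,
# with one client retransmission, one unrelated connection, and a lost server segment.
SAMPLE = [
    seg(CLIENT, SERVER, 1001, b"GET / HTTP/1.1\r\n"),
    seg(SERVER, CLIENT, 5001, b"HTTP/1.1 200 OK\r\n"),
    seg(("10.0.0.5", 40000), SERVER, 1, b"GET /other HTTP/1.1\r\n"),   # different stream
    seg(CLIENT, SERVER, 1036, b"\r\n"),                                 # arrives before its predecessor
    seg(CLIENT, SERVER, 1017, b"Host: example.com\r\n"),
    seg(CLIENT, SERVER, 1017, b"Host: example.com\r\n"),               # retransmission
    seg(SERVER, CLIENT, 5025, b"hello"),                               # bytes 5018..5024 never captured
]

def stream_key(p):
    """Canonical 4-tuple so both directions of one connection map to the same stream."""
    a, b = (p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])
    return (a, b) if a <= b else (b, a)

def follow_tcp_stream(packets, first):
    """Reassemble both directions of the stream containing `first`, ordered by tcp.seq.
    Duplicate or overlapping bytes are dropped; a forward jump in seq is counted as a gap."""
    key = stream_key(first)
    per_dir = {}                                   # (src ip, src port) -> {seq: payload}
    for p in packets:
        if stream_key(p) == key and p.get("tcp.payload"):
            d = (p["ip.src"], p["tcp.srcport"])
            per_dir.setdefault(d, {}).setdefault(p["tcp.seq"], p["tcp.payload"])  # keep first copy
    out = {}
    for d, segs in per_dir.items():
        data, expect, gaps = b"", None, 0
        for s in sorted(segs):
            chunk = segs[s]
            if expect is not None and s > expect:
                gaps += 1                          # missing bytes between expect and s
            elif expect is not None and s < expect:
                chunk = chunk[expect - s:]         # overlapping retransmission: keep only new bytes
            data += chunk
            expect = max(expect or 0, s + len(segs[s]))
        out[d] = {"data": data, "gaps": gaps}
    return out
```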

Saving and Exporting Captured Data

Wireshark allows you to save captured data to a `.pcap` or `.pcapng` file for later analysis. You can also export the captured data in various formats, such as CSV or text.

Advanced Features

  • **Statistics:** Wireshark provides various statistics tools, such as protocol hierarchy, conversation statistics, and endpoint statistics.
  • **Expert Info:** Displays warnings and errors detected during packet analysis.
  • **Coloring Rules:** Allows you to color-code packets based on specific criteria, making it easier to identify patterns.
  • **Lua Scripting:** Allows you to extend Wireshark's functionality with custom scripts. This is an advanced feature used for Custom Protocol Decoding.

Resources for Further Learning
