Some find the fine art of capturing and interpreting the packets that run through your network to be as arcane as reading The Matrix, but you don't need to be the new Neo to be able to parse the network flux. A powerful ally can help you in this mission: Wireshark, a powerful software tool to analyze your network traffic.
Wireshark is several tools in one application. You can use it to analyze the structure of your wireless network in search of potential configuration errors. It can identify many types of encapsulation and isolate and display all the fields that make up a network packet. It also works as a packet sniffer, similar to tcpdump.
With all of those powerful capabilities, you might think Wireshark would be hard to learn. In some respects it is, but you can easily learn how to use some of the filters that come with the software and let you zero in on specific clients and kinds of traffic. In this article I'll show you several ways to use Wireshark to focus your searches.
When I say "filters," I'm referring to Berkeley Packet Filters (BPF). BPF is actually a micro-programming language (complete with mnemonics in assembly!) that is compiled and executed at runtime against packets intercepted by tools such as tcpdump and Wireshark. Filters are essential when you're trying to isolate a very small subset of packets among the hundreds of thousands per second that pass over a 100Mbps network. Filters are compiled so that they run with the best possible performance, which is important when you're doing a capture in real time.
Using filters in Wireshark is simple. You need to know only the field names of each individual protocol, such as http, icmp, and ftp. For example, if you want to display only ICMP packets, you can just write icmp in the Wireshark filter's main window. If you want to highlight all the packets that are coming or going to a specific IP address, say 10.100.1.1, the filter would be ip.dst == 10.100.1.1 || ip.src == 10.100.1.1, which translated means display only those packets where the destination field (ip.dst) or (||) the source field (ip.src) of the IP protocol matches (==) 10.100.1.1.
ip.dst == 10.100.1.1 || ip.src == 10.100.1.1
Wireshark has two kind of filters. Capture filters, as the name says, are used to capture only some of the traffic, while display filters are applied to the captured traffic to show only some packets, according to the rules you use. In this article we'll talk about both kinds.
Let's start by installing Wireshark. The application is available as a binary package in all the main distributions, so you can use your favorite package manager: sudo apt-get install wireshark under Debian or Ubuntu, emerge wireshark under Gentoo, or yum install wireshark under Red Hat or CentOS.
sudo apt-get install wireshark
yum install wireshark
Let's start with a classic example that shows people why using the FTP protocol is a bad idea. Start Wireshark by typing at a terminal:
You can begin to capture traffic by going to the left panel of the Wireshark window and clicking on Capture/Interfaces. Choose the interface that goes "out" to the network (for example eth1) and click on Start, and Wireshark will start examining all the packets in transit on the network.
Now open a second terminal window and invoke a normal FTP session. Enter the login name and password, run some FTP commands, then close the session. Return to the main Wireshark window, and you should see that many packets have passed over the network since the moment you started capturing. Click Stop Capture (or press Ctrl+E); then you can examine the traffic you've got.
Figuring out something from what is probably a large amount of traffic is not simple, until you use a BPF filter. You want one that shows only packets that are part of an FTP connection, so in the Filter field type "ftp." Immediately the traffic of your session should be highlighted, and in a stunning display of poor security, you'll see clearly your username and password. It will look something like this:
356 101.676753 10.100.1.1 192.168.0.4 FTP 86 Response: 220 (vsFTPd 1.1.3)360 104.546659 192.168.0.4 10.100.1.1 FTP 77 Request: USER wazi362 104.594520 10.100.1.1 192.168.0.4 FTP 100 Response: 331 Please specify the password.366 106.530150 192.168.0.4 10.100.1.1 FTP 77 Request: PASS mytest371 108.922240 10.100.1.1 192.168.0.4 FTP 88 Response: 530 Login incorrect.
If this result doesn't convince your colleagues to quit using FTP and turn to OpenSSH, there's no hope for them.
Here's another classic example – an HTTP session. As before, start Wireshark and start capturing the traffic from the interface that goes out. Today, most HTTP traffic is compressed to speed up the exchange of information, so by default Wireshark decompresses the body part of HTTP packets. You can click on Edit -> Preferences -> Protocols -> HTTP and verify that "Uncompress entity bodies" is checked.
During the capture, set a filter to show only HTTP traffic by entering http. Each web page that any users on your network visits will generate this kind of traffic for you to catch – which may be a lot of information. Perhaps you are interested in following a particular kind of information, or a particular user. To do that, choose an http request in the main windows where you see all the packets, right-click on it, and choose the option "Follow TCP Stream." Wireshark will open a new window containing the reconstruction of that entire HTTP session in chronological order.
You can also isolate only requests toward a specific site – Facebook, for example – to see which IP addresses are requesting it, by placing the filter http.request.uri contains facebook in the Filter field.
http.request.uri contains facebook
Now suppose you want to see all the traffic coming in and out of one specific computers. You could filter for mac-address to be sure to pinpoint the right client. To get the mac-address of the target on the other end of the connection, first issue a ping command to the hostname or URL of the target computer to learn its IP address. Then run the arp command:
ping target.comarp -a
In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, "AA:BB:CC:DD:EE:FF" – type in the filter box:
eth.addr == AA:BB:CC:DD:EE:FF
Alternatively, you could filter by IP address, but on a network that uses DHCP to assign IP addresses, the target's IP address could change at any time:
ip.addr == 192.168.0.1
Click apply, and you will see only the traffic that is coming from, or going to, that IP or MAC address. With the option "ip" selected, all Internet Protocol traffic is shown, which is fine in the 99% of cases.
Instead of the ip.addr filter you can use the capture filter "Host" in this way:
By entering this setting as a capturing filter, Wireshark captures all traffic to and from 192.168.0.1, regardless of the type.
Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.
You can capture all such traffic that runs over your network with a specific address or from multiple clients:
ip.addr == 192.168.0 and (http or ftp or messenger or pop)
On top of all of the filters we've look at so far, here are a few more useful ones. For a complete list of possible filters, refer to the official Wireshark Capture and Display filters page.
BPF filter technology makes Wireshark powerful and versatile, but this is just a hint of all this tool can do. It would take a whole other article or two to cover things like how Wireshark can check for potential DDOS attacks on your network, or analyze the quality of the SIP protocol for your VOIP solution.
Allowed tags: <a> link, <b> bold, <i> italics