An introduction to Wireshark
What is Wireshark?
Answer: Everything in this world is analyzed, recorded, and stored. We humans infer results and come to conclusions based on this data. Confused? We use devices to measure certain things: stethoscopes to measure heartbeat, voltmeters to measure voltage, and packet sniffers to investigate what's going on inside a network. Aha, now you understand! Wireshark is a packet sniffer (don't get scared by its name).
Developed in 1998, Wireshark has become the de-facto standard for analyzing and inspecting network packets. In short, it's a packet-analyzing tool that lets you sniff the network and view the traffic going in and out of your network adapter (wired or wireless).
What do you get by reading this article?
I believe the next 10 minutes or so that you are about to invest in reading this article should be useful. There are certain learning objectives you will accomplish if you continue to read on:
- What is a packet sniffer?
- How to download the Wireshark packet sniffer
- How to use this tool
- What is inside a captured packet?
- What's next?
So, if you are thrilled to learn about the bullet points mentioned above, please read on.
What is a packet sniffer anyway?
~ two-minute answer: Before using any tool, we must ask why we need it in the first place. Packet sniffers can be very useful for anyone who wishes to troubleshoot network problems, debug protocols, and learn the basics of packet tracing. As a standard definition, a network packet sniffer is a tool that helps analyze network traffic that originates from your system or LAN. I capture packets coming in and out of my system's NIC and analyze the message format, the medium (Ethernet or wireless), and the protocols used to establish the communication (TCP, TLSv2, UDP, DNS, DHCP). I accomplish this by using some useful filters.
How to download Wireshark?
~ one-minute answer: Please visit the official webpage to download this free tool for your operating system.
How to use this tool?
~ two-minute answer: Right after you open this tool you can see a screen as shown below:
As you can see, Wireshark lists the available interfaces on which it can capture network packets. I'm using my wireless interface (a.k.a. Wi-Fi) to contact the outside world. Let's sniff the packets from my system and see how this tool does its magic.
What is inside a captured packet?
~ four-minute answer: Now, let's get into the core objective of this article. I'll capture some packets and walk you through the details from the log. Once you select the interface (in this case, wireless), click the shark tail icon to start capturing packets.
Once we have captured some packets, we can analyze the results. Let's get into the information we captured. The capture can be very large, but display filters let you narrow it down to the useful information.
Some of the most widely-used filters that I like are:
- ip.addr == x.x.x.x - Use this when you only want to see the packets to or from a particular IP address, for example to find out what is being requested from your system.
- http, dns or dhcp - In this case, I issued a request to Youtube.com. Using the filter I can see this information:
Note: I'm using a VPN so my source IP information won't help you much.
As you can see, this filter shows what OS I'm using, the HTTP/1.1 protocol, and also the browser and its version that I used to issue the request to the Youtube server. This is very useful information that anyone on the path can read to discover if my browser is out of date, my OS is old, etc.
- arp or icmp - This filter shows you the MAC address of your NIC (which I'll not be sharing); if you want to know which NIC issued a request, you can do the same. Combined with your DNS/DHCP server's records, you can discover exactly who in your LAN issued a request to a particular domain.
This is useful to see the TCP port used for communication.
As you can see, there are literally hundreds of filters, and depending on your requirements, you can set different ones and read through the messages.
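To make the behaviour of the filters above concrete, here is an added example (not from the original post, and not Wireshark's own code): a tiny Python evaluator for a subset of the display-filter syntax, run over a handful of constructed packet summaries. It supports protocol names, "field == value", "and", "or" and "not"; the packets, addresses and ports are made up for the demo.

```python
# Added example: a minimal subset of Wireshark's display-filter language,
# evaluated over constructed packet summaries (not a real capture).
from dataclasses import dataclass, field
import re

@dataclass
class Packet:
    protocols: set                              # every layer present, e.g. {"eth", "ip", "tcp", "http"}
    fields: dict = field(default_factory=dict)  # e.g. {"ip.src": "...", "tcp.port": {80, 51234}}

def _term(pkt, tok):
    """Evaluate one atom: a bare protocol name or 'field == value'."""
    m = re.fullmatch(r"(\S+)\s*==\s*(\S+)", tok)
    if not m:
        return tok in pkt.protocols
    name, value = m.groups()
    if name == "ip.addr":                       # ip.addr matches either endpoint, like Wireshark
        return value in (pkt.fields.get("ip.src"), pkt.fields.get("ip.dst"))
    got = pkt.fields.get(name)
    if isinstance(got, set):                    # tcp.port/udp.port cover both source and destination port
        return value in {str(v) for v in got}
    return got is not None and str(got) == value

def matches(pkt, expr):
    """'or' binds weaker than 'and'; 'not' prefixes a single atom. No parentheses."""
    for disj in expr.split(" or "):
        ok = True
        for conj in disj.split(" and "):
            conj = conj.strip()
            neg = conj.startswith("not ")
            val = _term(pkt, conj[4:].strip() if neg else conj)
            ok = ok and (val != neg)
        if ok:
            return True
    return False

# Constructed sample capture: ARP, a DNS lookup, an HTTP request, the TLS reply, and a ping.
CAPTURE = [
    Packet({"eth", "arp"}, {"arp.src.hw_mac": "aa:bb:cc:dd:ee:01"}),
    Packet({"eth", "ip", "udp", "dns"}, {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.1", "udp.port": {53, 50000}}),
    Packet({"eth", "ip", "tcp", "http"}, {"ip.src": "192.168.1.20", "ip.dst": "203.0.113.10", "tcp.port": {80, 51234}}),
    Packet({"eth", "ip", "tcp", "tls"}, {"ip.src": "203.0.113.10", "ip.dst": "192.168.1.20", "tcp.port": {443, 51235}}),
    Packet({"eth", "ip", "icmp"}, {"ip.src": "192.168.1.1", "ip.dst": "192.168.1.20"}),
]

def apply_filter(expr, capture=CAPTURE):
    """Return the indices of packets that the display filter selects."""
    return [i for i, p in enumerate(capture) if matches(p, expr)]
```

Note how "ip.addr == 192.168.1.20" selects packets in both directions, while "ip.src == 192.168.1.20" selects only the ones my host sent.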
What's next?
~ one-minute answer: I hope now you know what Wireshark is, how to capture network packets, and how to do a basic analysis of them. If you are interested in additional information, please check out the official website. The purpose of this blog post is to tease your curiosity and give you a start into the world of network security.