Tip

Wireshark: Taking a bite out of packet analysis

Whether you need to get inside of a packet, either to diagnose a problem or to root out suspicious behavior, this month's tool is for you. Wireshark, formerly known as Ethereal, offers a polished interface and industrial strength capabilities, plus it's as good

    Requires Free Membership to View

as any packet sniffer that costs thousands of dollars.

Packet capture provides information about network data packets, such as the transmit time, source, destination, protocol type (TCP, IGMP or HTTP) and "header" data such as sequence and acknowledgements. Wireshark will typically display information in three panels: the transmission overview, packet details and a pane showing raw hex.

If you need to see what is inside the packets, you're going to have to plug a host into the network somewhere along the path traversed by the packets. And while most network cards ignore packets not addressed to them, Wireshark places the interface it's capturing in promiscuous mode.

For more information on packet sniffers

Wireshark can help you interpret firewall alert messages. Ed Skoudis explains.

Use a packet sniffer to determine whether an email message is encrypted or not.

Learn how to sniff network traffic in this Wireshark tutorial

On a side note, Windows users will need to install a driver called WinPcap that has administrator privileges in order to provide packet capture capabilities not built into the OS.

Wireshark can read hundreds of protocols, which can provide a deluge of data. Viewing the raw information has its benefits, but users can opt to filter and parse the captured data using a mouse click interface to create Boolean filters. Users can also create and save filters for later use. Wireshark supports built-in searches to hone in on specific data or conditions, and will even build I/O graphs to show usage by packet type.

Its output can be exported for use by a variety of popular network analysis products, including: WildPackets Inc.'s EtherPeek and AiroPeek products, Cisco Systems Inc.'s Secure Intrusion Detection System, Microsoft's Network Monitor, Network General Corp.'s Sniffer, Novell Inc.'s LANalyzer, and various other tools using tcpdump's capture format including snoop and libpcap.

Wireshark is currently available for Windows and Linux, and has been ported to Mac OS X and Sun Solaris. It is licensed under the GNU General Public License and therefore can be used both privately and in a business environment. But this goes without saying: remember to get your company's or client's permission first!

About the author:
Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin. 


 

This was first published in March 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.