Wireshark tutorial: How to sniff network traffic

One of today's most popular network security analysis tools is Wireshark. The freely available analyzer can inspect traffic, identify denial-of-service attacks and troubleshoot devices and firewalls. In this new tutorial, Wireshark whiz Mike Chapple explains how to use the tool to capture network traffic and how to learn if your enterprise's network security is lacking.

In this Wireshark tutorial, Mike Chapple explains how to sniff network traffic and how to learn if your enterprise's network security is lacking. 

Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues. It's also priced right: it's free!

How to sniff network traffic and why sniff the network?

The phrase "sniff the network" may conjure Orwellian visions of a Big Brother network administrator reading people's private email messages. Before anyone uses Wireshark, an organization should ensure that it has a clearly defined privacy policy that spells out the rights of individuals using its network, grants permission to sniff traffic for security and troubleshooting issues, and states the organization's policy requirements for obtaining, analyzing and retaining network traffic dumps. Anyone who uses a tool like Wireshark without first obtaining the necessary permissions may quickly find themselves in hot water legally.

However, as a security professional, there are two important reasons to sniff network traffic. First, peering into the details of packets can prove invaluable when dissecting a network attack and designing countermeasures. For example, if a denial of service occurs, Wireshark can be used to identify the specific type of attack. The tool can then craft upstream firewall rules that block the unwanted traffic. The second major use of Wireshark is to troubleshoot security devices. Specifically, I regularly use it to troubleshoot firewall rules. If systems running Wireshark are connected to either side of a firewall, it's easy to see which packets successfully traverse the device and identify whether the firewall is the cause of connectivity problems.

That being said, it's important to remember that Wireshark can be used for good or for evil, as is the case with many security analyzers. In the hands of a network or security administrator it's a valuable troubleshooting tool. In the hands of someone with questionable ethics, however, it's a powerful eavesdropping tool that enables someone to view every packet that traverses the network.

Wireshark how-to: Installing Wireshark

Installing Wireshark is a piece of cake. Binary versions can be downloaded for Windows or Macintosh OS X. Wireshark is also available through the standard software distribution systems for most flavors of Unix/Linux, and the source code is also available for installation on other operating systems.

The Wireshark development team built the Windows version on top of the WinPcap packet capture library. Those running Windows must install WinPcap if they haven't already. One word of caution: If you're running an outdated version of WinPcap, remove it manually through the "Add/Remove Programs" control panel before running the Wireshark installer.

The installation process uses a familiar wizard-based sequence that only asks two significant questions: whether you want to install WinPcap and whether you want to start the WinPcap Netgroup Packet Filter (NPF) service at startup. Selecting the latter option allows users without administrator privileges to capture packets. If you don't start this service, only administrators will be able to run Wireshark.

Running a simple packet capture

Once Wireshark is installed, start it up and you'll be presented with the blank screen shown below:



See larger image

To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the one below:


See larger image

If you'd like to configure advanced options -- like capturing a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture -- click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid name-resolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:


See larger image

Interpreting the results with Wireshark color codes

Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network. The default display shows the time of the packet (relative to the initiation of the capture), the source and destination IP addresses, the protocol used and some information about the packet. You can drill down and obtain more information by clicking on a row. This causes the bottom two window panes to fill with information.

The middle pane contains drill-down details on the packet selected in the top frame. The "+" icons reveal varying levels of detail about each layer of information contained within the packet. In the example above, I've selected a DNS response packet. I've expanded the DNS response (application layer) section of the packet to show that the original was requesting a DNS resolution for www.cnn.com, and this response is informing us that the available IP addresses include 64.236.91.21. The bottom window pane shows the contents of the packet in both hexadecimal and ASCII representations.

Wireshark color codes

Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:


See larger image

That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become an expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network. In future tips I'll look at advanced Wireshark techniques, including writing traffic filters to simplify packet analysis and exporting data for use in other applications.

More from this Wireshark tutorial

About the author of this Wireshark tutorial:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

This was first published in October 2008

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close