Wireshark: Taking a bite out of packet analysis

If you need to sniff out problem packets, you don't have to spend thousands of dollars on network data analysis. Scott sidel recommends a free tool that's right under your nose: Wireshark.

Whether you need to get inside of a packet, either to diagnose a problem or to root out suspicious behavior, this month's tool is for you. Wireshark, formerly known as Ethereal, offers a polished interface and industrial strength capabilities, plus it's as good as any packet sniffer that costs thousands of dollars.

Packet capture provides information about network data packets, such as the transmit time, source, destination, protocol type (TCP, IGMP or HTTP) and "header" data such as sequence and acknowledgements. Wireshark will typically display information in three panels: the transmission overview, packet details and a pane showing raw hex.

If you need to see what is inside the packets, you're going to have to plug a host into the network somewhere along the path traversed by the packets. And while most network cards ignore packets not addressed to them, Wireshark places the interface it's capturing in promiscuous mode.

On a side note, Windows users will need to install a driver called WinPcap that has administrator privileges in order to provide packet capture capabilities not built into the OS.

Wireshark can read hundreds of protocols, which can provide a deluge of data. Viewing the raw information has its benefits, but users can opt to filter and parse the captured data using a mouse click interface to create Boolean filters. Users can also create and save filters for later use. Wireshark supports built-in searches to hone in on specific data or conditions, and will even build I/O graphs to show usage by packet type.

Its output can be exported for use by a variety of popular network analysis products, including: WildPackets Inc.'s EtherPeek and AiroPeek products, Cisco Systems Inc.'s Secure Intrusion Detection System, Microsoft's Network Monitor, Network General Corp.'s Sniffer, Novell Inc.'s LANalyzer, and various other tools using tcpdump's capture format including snoop and libpcap.

Wireshark is currently available for Windows and Linux, and has been ported to Mac OS X and Sun Solaris. It is licensed under the GNU General Public License and therefore can be used both privately and in a business environment. But this goes without saying: remember to get your company's or client's permission first!

About the author:
Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin. 


Next Steps

Wireshark can help you interpret firewall alert messages. Ed Skoudis explains

Use a packet sniffer to determine whether an email message is encrypted or not

Learn how to sniff network traffic in this Wireshark tutorial

This was last published in March 2007

Dig Deeper on Open source security tools and software