Wireshark tutorial: How to sniff network traffic

For more on Wireshark In an on-screen presentation, Peter Giannoulis demonstrates how to use Wireshark to catch network traffic.

Why sniff the network?
The phrase "sniff the network" may conjure Orwellian visions of a Big Brother network administrator reading people's private email messages. Before anyone uses Wireshark, an organization should ensure that it has a clearly defined privacy policy that spells out the rights of individuals using its network, grants permission to sniff traffic for security and troubleshooting issues, and states the organization's policy requirements for obtaining, analyzing and retaining network traffic dumps. Anyone who uses a tool like Wireshark without first obtaining the necessary permissions may quickly find themselves in hot water legally.

However, as a security professional, there are two important reasons to sniff network traffic. First, peering into the details of packets can prove invaluable when dissecting a network attack and designing countermeasures. For example, if a denial of service occurs, Wireshark can be used to identify the specific type of attack. The tool can then craft upstream firewall rules that block the unwanted traffic. The second major use of Wireshark is to troubleshoot security devices. Specifically, I regularly use it to troubleshoot firewall rules. If systems running Wireshark are connected to either side of a firewall, it's easy to see which packets successfully traverse the device and identify whether the firewall is the cause of connectivity problems.

That being said, it's important to remember that Wireshark can be used for good or for evil, as is the case with many security analyzers. In the hands of a network or security administrator it's a valuable troubleshooting tool. In the hands of someone with questionable ethics, however, it's a powerful eavesdropping tool that enables someone to view every packet that traverses the network.

Installing Wireshark
Installing Wireshark is a piece of cake. Binary versions can be downloaded for Windows or Macintosh OS X. Wireshark is also available through the standard software distribution systems for most flavors of Unix/Linux, and the source code is also available for installation on other operating systems.

The Wireshark development team built the Windows version on top of the WinPcap packet capture library. Those running Windows must install WinPcap if they haven't already. One word of caution: If you're running an outdated version of WinPcap, remove it manually through the "Add/Remove Programs" control panel before running the Wireshark installer.

The installation process uses a familiar wizard-based sequence that only asks two significant questions: whether you want to install WinPcap and whether you want to start the WinPcap Netgroup Packet Filter (NPF) service at startup. Selecting the latter option allows users without administrator privileges to capture packets. If you don't start this service, only administrators will be able to run Wireshark.

Running a simple packet capture
Once Wireshark is installed, start it up and you'll be presented with the blank screen shown below:

See larger image

To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the one below:

See larger image

If you'd like to configure advanced options -- like capturing a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture -- click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid name-resolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:

See larger image

Interpreting the results
Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network. The default display shows the time of the packet (relative to the initiation of the capture), the source and destination IP addresses, the protocol used and some information about the packet. You can drill down and obtain more information by clicking on a row. This causes the bottom two window panes to fill with information.

The middle pane contains drill-down details on the packet selected in the top frame. The "+" icons reveal varying levels of detail about each layer of information contained within the packet. In the example above, I've selected a DNS response packet. I've expanded the DNS response (application layer) section of the packet to show that the original was requesting a DNS resolution for www.cnn.com, and this response is informing us that the available IP addresses include 64.236.91.21. The bottom window pane shows the contents of the packet in both hexadecimal and ASCII representations.

Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:

See larger image

That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become an expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network. In future tips I'll look at advanced Wireshark techniques, including writing traffic filters to simplify packet analysis and exporting data for use in other applications.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Cracks in WPA? How to continue protecting Wi-Fi networks Screencast: How to gather host-level data with Network Miner How to secure desktops as suites expand, network perimeters shrink Writing Wireshark network traffic filters Screencast: Collecting metadata with Metagoofil Video: Setting up a secure wireless network How to implement and enforce a social networking security policy New blacklists: Highly predictive or hardly worth it? Smartphone security: The growing threat of mobile malware Screencast: How Tor improves Web surfing privacy and security audits Monitoring Network Traffic and Network Forensics Screencast: How to gather host-level data with Network Miner Writing Wireshark network traffic filters Ixia network security tool exposes problems Windows registry forensics: Investigating system-wide settings Product Review: Altor Networks' Virtual Network Security Analyzer (VNSA) 1.0 Screencast: Catching network traffic with Wireshark Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Is security improved when the number of Internet gateways is reduced? Screencast: Using Nessus to scan for vulnerabilities Open Source Security Tools Open source security concerns can trump cost savings Writing Wireshark network traffic filters TrueCrypt an open source laptop encryption choice for SMBs Free security tool helps track down bots Screencasts: On-screen demonstrations of today's IT tools FISMA compliance made easier with OpenFISMA Screencast: How to use Nipper to create network security reports Sun launches open source OpenSSO for identity management What reporting tools are available for an enterprise IDS? Positive changes coming to ModSecurity RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network forensics  (SearchSecurity.com) port scan  (SearchSecurity.com) probe  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.