In this tutorial I am going to be showing you how you can tap into the network card of your machine and see each individual frame as it is sent in and out of your machine. This is an invaluable tool in not only learning network communication but also in the troubleshooting process as some faults may only be resolved after looking at the raw data that is being sent on the wire.
First I want you to imagine the iconic scene of some government entity tapping into your phone line with some crocodile clips and then listening into your phone conversation as and when. Well Wireshark is essentially that tool but for computer networks and without the need to physically piece network cabling to reach the data as it flows. This obviously makes it a powerful tool and like anything with power it could be abused therefore this tutorial is for educational purposes only and must be used only on networks that are under your authoritative control. I and Sysnative condemn the use of Wireshark in a way that would threaten the confidentiality or integrity of someones data through the use of Wireshark.
INSTALLATION
The first step in getting this software is to download and install it. Fortunately, Wireshark is an open source application and therefore can be downloaded from their website for free. As of posting Wireshark supports all major operating systems and supports the analysis of most protocols ranging from TCP/IP to CLNS (OSI).
To download and install the application first navigate to their website at - Wireshark · Go Deep.
The install wizard itself is explanatory and mostly contains preferential information which is up to you in terms of options however I wish to highlight one step in the wizard that should be completed.
When/If given the option make sure you install WinPcap as it is the driver used to capture live traffic on your network card. Ensure that the install box is checked and then proceed with the install.
How To Use
Now that it is installed you can now launch the application and begin "sniffing" your network. To launch Wireshark the default location is Start > All Programs > Wireshark. The image below should help you in finding where it is:
Once you launch the application it will take a couple of seconds for it to compile all the protocols. Once it is launched you will be brought to the home screen where you can then open a saved capture or start a new live capture. In this example I am going to be starting a new capture. To complete this, in the left hand pane is a list of applicable interfaces that can be listened on for network communication. Simply highlight the interface you want to capture traffic on and then click on the start button to initiate the capture.
After starting the capture the packets will then be automatically captured and shown in a colour format in the table above. Depending on what you are doing for example, streaming a video or browsing the web you may find that there is a lot of information flowing by. This is normal and filters can be used to better manage this. I will be showing some simple filters later on.
When you have enough traffic to analyse make sure you stop the capture by pressing the stop button otherwise it can make handling and interpreting the data more difficult as more traffic is appended. You may use filters on live traffic however when actually interpreting the data it is best to stop the capture. To do so click on the button as indicated below:
Now that the capture is stopped we can get into the "nitty gritty" of it and see each packet one by one and what information is attached to it. For this example capture I am going to be filtering out the output to only show packets that used ARP (Address Resolution Protocol - Used for mapping MAC addresses to IP addresses). To complete this simply input the protocol you wish to only see and then click apply.
Once the filter is applied only the packets/frames that match the filter will be shown. From here we can highlight a particular frame and then from the detailed tree information shown below you can further see the data within it.
For example, looking at a particular ARP frame we can see that a source and destination MAC address has been attached and then the ARP data included.
Note
From this frame we can see that it came from a source MAC address of D4:BE
9:84:8E:07 and going to a destination MAC address of FF:FF:FF:FF:FF:FF. Another note, this destination MAC address is used to flood the frame out to all connected devices since the sender does not yet know the MAC address of the destination IP address all it can do is broadcast out. This is why we are receiving this frame even though this device (where the capture is) is not 192.168.0.17.
Looking further down into the actual contents of the frame we can see that this frame came from a source IP address of 192.168.0.14 and a MAC address of D4:BE9:84:8E:07 (As reflected in the source and destination MAC part). We can then see that this message is directed to the IP address of 192.168.0.17 and that because the target MAC address is zeroed out we can assume that this device wishes to know what MAC address is associated with that IP address. If you look at the information part in the table above we can see that this is also reflected "Who has 192.168.0.17? Tell 192.168.0.14".
That is your first analysis! But wait... what about the response to that frame? Why can we not see 192.168.0.17 responding to the request via ARP. Well in actual fact it did however this reply back was sent directly to the device and not broadcasted out. Remember where the capture was placed, we can only see traffic flowing to and from our network card and since the reply traffic doesn't involve us, we cannot see the reply.
This is another important part of Wireshark which is that placement of the capture can be just as important as what is captured. Some skilled engineers can pull off a man in the middle attack which allows us to see traffic flowing to and from two hosts as we sniff the information between them. That being said, it is a more advanced topic and wouldn't be appropriate to cover here.
Now to conclude, just like any other document you can now save and send this capture file to anyone you like and then they can open it up and analyse it. For example, I have attached the capture file that I had made in this example should you wish to look further into the analysis of traffic.
Hope This Helps and if you have any questions please post them below and I'll do my best to answer them
Josh
First I want you to imagine the iconic scene of some government entity tapping into your phone line with some crocodile clips and then listening into your phone conversation as and when. Well Wireshark is essentially that tool but for computer networks and without the need to physically piece network cabling to reach the data as it flows. This obviously makes it a powerful tool and like anything with power it could be abused therefore this tutorial is for educational purposes only and must be used only on networks that are under your authoritative control. I and Sysnative condemn the use of Wireshark in a way that would threaten the confidentiality or integrity of someones data through the use of Wireshark.
INSTALLATION
The first step in getting this software is to download and install it. Fortunately, Wireshark is an open source application and therefore can be downloaded from their website for free. As of posting Wireshark supports all major operating systems and supports the analysis of most protocols ranging from TCP/IP to CLNS (OSI).
To download and install the application first navigate to their website at - Wireshark · Go Deep.
The install wizard itself is explanatory and mostly contains preferential information which is up to you in terms of options however I wish to highlight one step in the wizard that should be completed.
When/If given the option make sure you install WinPcap as it is the driver used to capture live traffic on your network card. Ensure that the install box is checked and then proceed with the install.
How To Use
Now that it is installed you can now launch the application and begin "sniffing" your network. To launch Wireshark the default location is Start > All Programs > Wireshark. The image below should help you in finding where it is:
Once you launch the application it will take a couple of seconds for it to compile all the protocols. Once it is launched you will be brought to the home screen where you can then open a saved capture or start a new live capture. In this example I am going to be starting a new capture. To complete this, in the left hand pane is a list of applicable interfaces that can be listened on for network communication. Simply highlight the interface you want to capture traffic on and then click on the start button to initiate the capture.
After starting the capture the packets will then be automatically captured and shown in a colour format in the table above. Depending on what you are doing for example, streaming a video or browsing the web you may find that there is a lot of information flowing by. This is normal and filters can be used to better manage this. I will be showing some simple filters later on.
When you have enough traffic to analyse make sure you stop the capture by pressing the stop button otherwise it can make handling and interpreting the data more difficult as more traffic is appended. You may use filters on live traffic however when actually interpreting the data it is best to stop the capture. To do so click on the button as indicated below:
Now that the capture is stopped we can get into the "nitty gritty" of it and see each packet one by one and what information is attached to it. For this example capture I am going to be filtering out the output to only show packets that used ARP (Address Resolution Protocol - Used for mapping MAC addresses to IP addresses). To complete this simply input the protocol you wish to only see and then click apply.
Once the filter is applied only the packets/frames that match the filter will be shown. From here we can highlight a particular frame and then from the detailed tree information shown below you can further see the data within it.
For example, looking at a particular ARP frame we can see that a source and destination MAC address has been attached and then the ARP data included.
Note
As a side note, ARP is known as a layer 2 protocol and therefore no IP addresses are used in its communication. When looking at other protocols you will also be able to see the source and destination IP address
From this frame we can see that it came from a source MAC address of D4:BE
9:84:8E:07 and going to a destination MAC address of FF:FF:FF:FF:FF:FF. Another note, this destination MAC address is used to flood the frame out to all connected devices since the sender does not yet know the MAC address of the destination IP address all it can do is broadcast out. This is why we are receiving this frame even though this device (where the capture is) is not 192.168.0.17.Looking further down into the actual contents of the frame we can see that this frame came from a source IP address of 192.168.0.14 and a MAC address of D4:BE
9:84:8E:07 (As reflected in the source and destination MAC part). We can then see that this message is directed to the IP address of 192.168.0.17 and that because the target MAC address is zeroed out we can assume that this device wishes to know what MAC address is associated with that IP address. If you look at the information part in the table above we can see that this is also reflected "Who has 192.168.0.17? Tell 192.168.0.14".That is your first analysis! But wait... what about the response to that frame? Why can we not see 192.168.0.17 responding to the request via ARP. Well in actual fact it did however this reply back was sent directly to the device and not broadcasted out. Remember where the capture was placed, we can only see traffic flowing to and from our network card and since the reply traffic doesn't involve us, we cannot see the reply.
This is another important part of Wireshark which is that placement of the capture can be just as important as what is captured. Some skilled engineers can pull off a man in the middle attack which allows us to see traffic flowing to and from two hosts as we sniff the information between them. That being said, it is a more advanced topic and wouldn't be appropriate to cover here.
Now to conclude, just like any other document you can now save and send this capture file to anyone you like and then they can open it up and analyse it. For example, I have attached the capture file that I had made in this example should you wish to look further into the analysis of traffic.
Hope This Helps and if you have any questions please post them below and I'll do my best to answer them
Josh
Last edited by a moderator:
