You are about to discover the full potential of Wireshark. In short, Wireshark is a network protocol analyzer: it captures packets in real time from a network interface (or reads them from a capture file) and lets the operator filter, inspect and decode them down to the individual protocol field.
Wireshark has matured over the years into a full-featured yet approachable analysis tool. The interface is straightforward, advanced options are available when you need them, and the packets in the packet list are colored by protocol, which makes it easy to spot the ones you are looking for.
In this guide we will look at how to use Wireshark to capture, filter and inspect packets within minutes.
Downloading and installing Wireshark
First of all, I want to make it very clear: download your software from legitimate and official sources only. If you do not have Wireshark installed, download it from the official site, wireshark.org. The project publishes checksums and PGP signatures for every release; verify the installer against them before running it, since a trojaned packet analyzer is the last thing you want on a security workstation.
If you are using Ubuntu, Wireshark is available in the standard package repositories. Search for 'Wireshark' in Ubuntu Software (or install the wireshark package with apt), click install and follow the instructions. During installation Debian-based systems ask whether non-superusers should be allowed to capture packets; answer yes, add your own account to the wireshark group and log out and back in. That way you can capture as a normal user and never have to run the Wireshark GUI as root.
Wireshark captures traffic on interfaces, i.e. the network adapters it has detected on the system; the start screen lists them, each with a small graph of its current traffic.
In order to capture the LAN traffic generated by my machine, I need to start capturing on the 'Ethernet' network interface.
Double-click the interface you want to capture on; in my case that is 'Ethernet'. If everything is functioning as it should, packets start appearing in the packet list immediately. Keep in mind that Wireshark enables promiscuous mode by default: on a hub or a mirror/SPAN port you will also see other hosts' traffic, while on an ordinary switched port you mostly see your own unicast traffic plus broadcasts and multicasts.
Rows are colored by Wireshark's coloring rules (View > Coloring Rules). The defaults include, among others:

| Traffic | Color |
|---|---|
| TCP packets with issues | Black |
| UDP traffic | Light blue |
| DNS traffic | Dark blue |

The rules are editable and differ slightly between versions, so check the list on your own installation if a color does not match.
To fully understand the capabilities of Wireshark, you need network data to inspect. The Wireshark wiki hosts a collection of sample capture files in .pcap format; Wireshark can both read and write them (note that recent versions save in the newer pcapng format by default, which Wireshark reads fine but some older tools do not). If you want to take a real dive into network analysis, you can also try the free capture files provided by malware-traffic-analysis.net. These contain traffic from real infections. Treat them accordingly: the captures carry actual malicious artifacts (downloaded payloads, command-and-control traffic), so analyze them in an isolated VM and do not extract and run objects from them on your workstation. The archives are password-protected for exactly this reason; the password is listed on the site.
In this example, we are going to use a .pcap file from the malware-traffic-analysis site. We have chosen a sample that contains exploit kit activity.
Download the archive from the site, extract it, and double-click the .pcap file (or use File > Open in Wireshark). If everything worked correctly, the packet list fills with the contents of the capture.
The exercise challenges us to answer the following questions:
- What is the host name of the Windows computer that gets infected?
  - Hint: use the NBNS protocol. Apply the display filter nbns; a Windows host announces its own name in NBNS name registration requests, so the name shows up directly in the Info column.
- What is the IP address of the Windows computer that gets infected?
  - Hint: once you have found the host name, the IP is in the Source column of those same NBNS packets. Filter on ip.src == <that address> to confirm it is the host sending the exploit kit traffic.
- What is the MAC address of the Windows computer that gets infected?
  - Hint: select one of the packets sent by the infected host and expand Ethernet II in the packet details pane; the Source field holds the MAC address (the eth.src field if you want to filter on it).
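To see what Wireshark is doing under the hood for both the .pcap format above and the three exercise questions, here is an added example (written for this guide, not code from the original article, from Wireshark or from malware-traffic-analysis.net). It builds a small constructed capture with a DNS query that should be ignored and an NBNS name registration, writes it in the classic libpcap layout, and then parses it back to recover host name, IP and MAC exactly as the hints describe. All names and addresses (WIN7-PC, 192.168.1.50, 00:0c:29:aa:bb:cc) are assumptions for the demo, not values from the real exercise file.

```python
"""Added example: build a constructed two-frame pcap and parse it back to recover
the NBNS host name, IP and MAC. Stdlib only; every address and name is made up."""
import socket
import struct

# constructed sample values (assumptions for the demo, not the real capture)
HOST_MAC = bytes.fromhex("000c29aabbcc")     # assumed MAC of the Windows host
HOST_IP = "192.168.1.50"                     # assumed IP of the Windows host
HOST_NAME = "WIN7-PC"                        # assumed NetBIOS host name
BCAST_MAC = b"\xff" * 6
BCAST_IP = "192.168.1.255"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nbns_encode_name(name: str, suffix: int = 0x00) -> bytes:
    """NetBIOS first-level encoding: pad the name to 15 bytes, append the suffix
    byte, then emit each nibble as a letter 'A'..'P' (32 bytes in total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def nbns_decode_name(encoded: bytes) -> tuple:
    """Inverse of nbns_encode_name: 32 encoded bytes -> (host name, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_registration(name: str, ip: str) -> bytes:
    """NBNS NAME REGISTRATION REQUEST (RFC 1002 4.2.2) for a unique workstation name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x2910, 1, 0, 0, 1)  # opcode 5, RD and B set
    question = b"\x20" + nbns_encode_name(name, 0x00) + b"\x00" + struct.pack("!HH", 0x20, 1)
    # additional RR: pointer to the question name, type NB, TTL, NB_FLAGS + owner IP
    rr = struct.pack("!HHHIH", 0xC00C, 0x20, 1, 300000, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return header + question + rr


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload) -> bytes:
    """Ethernet II / IPv4 / UDP encapsulation (UDP checksum left 0, allowed on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1A2B, 0, 128, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + udp


def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def find_nbns_registrations(pcap: bytes) -> list:
    """Walk every record; for NBNS registration requests (UDP/137, opcode 5) return
    host name, suffix, source IP and source MAC: the three exercise answers."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:        # IPv4 carrying UDP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if struct.unpack("!H", udp[2:4])[0] != 137:               # NBNS destination port
            continue
        nbns = udp[8:]
        if (struct.unpack("!H", nbns[2:4])[0] >> 11) & 0xF != 5:  # opcode 5 = registration
            continue
        name, suffix = nbns_decode_name(nbns[13:45])
        hits.append({"name": name, "suffix": suffix,
                     "ip": socket.inet_ntoa(frame[26:30]), "mac": frame[6:12].hex(":")})
    return hits


def sample_pcap() -> bytes:
    """Constructed capture: DNS noise that must be ignored, then the NBNS registration."""
    noise = build_frame(HOST_MAC, bytes.fromhex("001122334455"), HOST_IP, "192.168.1.1",
                        51000, 53, b"\x00" * 12)
    reg = build_frame(HOST_MAC, BCAST_MAC, HOST_IP, BCAST_IP, 137, 137,
                      build_nbns_registration(HOST_NAME, HOST_IP))
    return build_pcap([noise, reg])


def demo() -> list:
    return find_nbns_registrations(sample_pcap())


if __name__ == "__main__":
    with open("sample_nbns.pcap", "wb") as fh:   # open this in Wireshark and filter: nbns
        fh.write(sample_pcap())
    for hit in demo():
        print(hit)
```

Run it, then open the written sample_nbns.pcap in Wireshark with the display filter nbns: the registration frame decodes to the same name, Source IP and Ethernet II source address the script prints, which is the same workflow as the exercise, just on a capture you built yourself.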
Malware-Traffic-Analysis.net – The perfect website for a deep dive into malware traffic analysis with Wireshark or any other network analysis tool that can read .pcap files.
Wireshark.org – The official Wireshark site hosts a wiki where you can find answers, tips and guides.
HowToGeek – The HowToGeek tutorial is from 2014, but it still contains useful information.
If you still have questions left, feel free to leave a comment or use the Cyberwarzone forum.