Network security

How to use Wireshark for protocol analysis: Video walkthrough

August 22, 2021 by Jeff Peters

Capturing and analyzing network traffic is a foundational skill for many cybersecurity positions. Learn how to use popular tools like the free protocol analyzer Wireshark and sniffing tool tcpdump in this walkthrough from Infosec Skills author Mike Meyers.

How to use Wireshark to analyze network traffic

In this episode of Cyber Work Applied, Mike explains what a protocol analyzer is and how cybersecurity professionals use them to filter network traffic for red flags that need further investigation.

Watch the full breakdown below of how the attack works:

How to use Wireshark for protocol analysis | Free Cyber Work Applied series

New episodes of Cyber Work Applied are released every other week. Check out the full collection of free Cyber Work Applied training videos.

More Free Training Videos

Wireshark demo and walkthrough

The edited transcript of the network traffic analysis walkthrough is provided below, separated into each step Mike covers in the video.

What is a protocol analyzer?

(0:00–0:55) Protocol analyzers are tools that we use to analyze the network traffic coming in and out of a specific host computer. Usually, although not necessarily required, the one we’re sitting on at any given moment.

I never really liked the word protocol analyzer. To me, they’re more like network analyzers or network traffic analyzers, and these are critical tools that any good IT security person should know extremely well.

The one I’m going to concentrate on today is the very, very famous Wireshark. Now, Wireshark has been around for 20 years and has been a powerful go-to tool for that entire time. Wireshark is also completely free.  So if we’re talking about protocol analyzers, we need to know about Wireshark.

How does a protocol analyzer work?

(0:56–1:58) Now, before I start opening one up and letting you look at it, you need to understand that there are two very separate pieces to any protocol analyzer.

The first piece is what I’m going to call the sniffer. The sniffer is some type of software, and it usually has a name like Pcap (packet capture), WinPcap, Npcap or Win10Pcap. And these are tools that are actually grabbing all the data that’s going in and out of a particular interface. And when I say grabbing all the data, I mean all of the data. So all the ethernet information, all the IP information, all the application information — it’s all there and these tools grab it.

So a sniffer grabs all this information, and then the sniffer’s going to do one of two things. It’s either going to save it into a file or it’s going to make a live feed directly into the protocol analyzer.

The protocol analyzer really just reads pcap data and then — here’s where the term comes from — analyzes it in a way that we can look at it. The best way to see this is to see it in action.

How to capture data using Wireshark

(1:59–3:47) Let’s fire up Wireshark. I’ve just started Wireshark up for us, and you’ll see that on this particular system, it’s these three different interfaces. I want to keep it simple and just go to my ethernet interface. So I’m going to click on that, and then I click on capture and let’s start her up.

Now let’s take a look at this. So what’s happening is in real-time is we are grabbing lots and lots of packets. What I’d like to do is arbitrarily pick something. So I’m going to pick one of these. What you’re seeing right here is the 146th packet that it’s picked up in this capture so far.

When I click on this, what we’re looking at here at the bottom is the raw, binary values in hex. People don’t use that very often so I’m going to scroll down. It’s this middle part is where things are the most interesting. You’ll notice what I’ve clicked on is some kind of command, let’s go down one more because that’s an ARP (Address Resolution Protocol). I know what that is.

What you can do here is click and get information. This is Wireshark information. When was this picked up? How big is it? Stuff like that.

The next one down is where things get interesting. You’ll notice it says ethernet two, so this is all layer two information. You’ll see the destination and source MAC addresses. You’ll see what type of data it is — in this case, it’s a simple ARP. And then we go in a little bit deeper and then we see the information that’s being carried by an ARP.

What is an ARP?

(3:48–4:15) ARP is designed so that if somebody asks what an IP address is, whatever device with that IP address responds back with its MAC address. So ARP resolves IP addresses to MAC addresses.

Knowing that, if we take a look in Wireshark, we can see what it’s saying is: here’s my IP address, here’s the MAC, here’s my IP address and then here’s the MAC. This is a perfect example of an ARP taking place without us having to do much.

How to filter data in Wireshark

(4:16–7:12) The downside to all this is that you get tremendous amounts of information. So what I’m gonna do is start another capture, and I’m going to sit here and let it capture for a while. The challenge we’re going to run into is trying to find what data is what. You can see I’m up to 7,000 different packets.

A really powerful feature of Wireshark is the ability to filter data. What I want to do is go through and let’s look for some certain things. For example, one of the things I’d like to find is has there been any DHCP traffic going on? What I’m going to do is, way up here in the left-hand corner, I’m gonna type in — DHCP uses the term BOOTP. I’m going to say filter out everything out of this capture with the exception of DHCP traffic.

Now that I filtered all this out, you can see that I’ve got two different DHCPs in there. I’ve got one DHCP that released itself and then another DHCP that came in and re-established itself. I did that myself, but I want you to be able to understand that the real power of Wireshark — and this is absolutely amazing — is the way Wireshark can filter information.

Let’s do this again. Except this time what I want to do is just look at HTTP traffic. In this case you’ll see, I’ve just got HTTP information. Just looking at HTTP doesn’t do me much good, but what I can do — and this is another great feature. I could have four or five web browsers open right now, so I’m just gonna arbitrarily click on any one of these and I’m going to go down to follow TCP stream.

What you’re looking at now is actually the entire webpage for that one particular HTTP session that came in. Now, I don’t necessarily know exactly what this is. If I look a little bit, it looks like a JPEG image was brought down. So if I was really interested, I could probably just grab all this. I can look at the EXIF data for that JPEG.

There are a lot of scenarios where I can do some real research in terms of what’s taking place on any particular session using Wireshark.

Other uses for Wireshark analysis

(7:13–8:52) That’s all I want to do on Wireshark. What I need to stress to you more than anything else is that Wireshark is an incredibly, incredibly powerful tool.

For example, what if I was looking for a rogue DHCP server? In that particular case, I could just look for BOOTP information and suddenly I’ve got another MAC address for something that isn’t my DHCP server. Wireshark would be an instant way to know that you’ve got a rogue DHCP server.

What if I had ARP poisoning going on? Instead of just a few ARP commands, what if I was getting zillions of them and doing strange ARP commands like router redirects and stuff like that, which is pretty non-standard. I can just do a quick filter on ARP, I can see all those, and I can very quickly ascertain the fact that I’ve probably got an ARP poisoner out on my network someplace.

The last place where Wireshark is really handy is stuff, for example, like a broadcast storm. What if one person’s NIC (network interface controller) in the network just breaks and it starts sending out all kinds of arbitrary, garbage traffic? Well, again, with a tool like Wireshark, I could just filter on a particular IP address or even the MAC address of the suspect NIC and get all of this ugly information. Yeah, I wouldn’t be able to read it, but I would certainly know that particular system with that particular IP address in that particular MAC is sending out bad information. At the very least, I could zero in on that system and do some diagnosis.

There are tons of places where this really comes into play. If you want to learn about Wireshark, there are books out there that are this thick and they’re actually interesting reading in terms of the power of what Wireshark can actually provide. Hopefully, I’ve got you a little bit interested and you’ll take it deeper.

tcpdump demo and walkthrough

(8:53–9:27) The one downside to Wireshark is that it sometimes misses a lot of incoming and outgoing packets. For casual users like me, it’s not that big of a deal, but for some people, it’s incredibly irritating. Instead of using the sniffers that come with Wireshark, they’re going to use other tools, and probably one of the most famous is tcpdump, which runs only on Linux. Let me show that to you.

Here I am in my Ubuntu system, and I’m going to do a quick run of tcpdump. So I’m just going to do a sudo tcpdump, and I want you to watch this. This looks very similar to what we were seeing earlier with Wireshark. Tcpdump is not really a protocol analyzer, although it has some basic tools. What tcpdump does much better than the Wireshark is sniff. It’s really slim, it works really well and it is very rare that this particular tool will miss even a single packet coming in or out of a particular host.

So when it comes to looking for very specific scenarios on your network, things like rogue DHCP servers, ARP poisoning, being able to read incoming and outgoing HTTP or SSH or anything type packets, your go-to tool is going to be a protocol analyzer and my go-to tool is Wireshark.

More free training videos

If you want more free training from Mike and other Infosec instructors, check out the Cyber Work Applied training series, where you’ll learn:

More Free Training Videos

Posted: August 22, 2021
Articles Author
Jeff Peters
View Profile

Jeff Peters is a communications professional with eight years of experience creating cybersecurity-related content. As the Director of Content Marketing at Infosec, he focuses on developing materials to help cybersecurity professionals improve their skills and advance their careers. He oversees the Infosec Resources website, the Cyber Work series (Cyber Work Podcast, Cyber Work Applied and Cyber Work Live) and a variety of other Infosec content.

Leave a Reply

Your email address will not be published. Required fields are marked *