PCAP analysis basics with Wireshark [updated 2021]
Wireshark is a very useful tool for information security professionals and is thought of by many as the de facto standard in network packet and protocol analysis. It is a freeware tool that, once mastered, can provide valuable insight into your environment, allowing you to see what’s happening on your network.
What follows is a basic walkthrough of some of the steps you might follow when undertaking a preliminary investigation of a specific target on your network, and how it might benefit you depending on the objective in mind. This is not an exhaustive or all-encompassing tutorial, but hopefully will help to shed light on the steps that most people might take when trying to pinpoint details about a particular application or packet stream on the network.
Our example will show you how to reveal a plain-text password being transmitted over your network via Telnet, which will be intercepted by Wireshark. We can then open the capture results and see how we would go about capturing such information, as well as where we can find it in our results.
What is Wireshark used for?
- Capturing data packets
- Identifying and analyzing protocols
- Isolating and identifying source and destination traffic
- Inspecting the contents of data packets
Wireshark in action
Let’s look at an example using Telnet to log onto a Cisco Switch. By using Wireshark, we will see what data we can find on the network relating to any network communications.
The very first step for us is to open Wireshark and tell it which interface to start monitoring. In our case this will be Ethernet, as we’re currently plugged into the network via an Ethernet cable.
Next, let’s fire up PuTTY, as it will let us connect to our Cisco 1751 router via Telnet over the local network. Because Wireshark is monitoring all traffic on the Ethernet interface, it will capture everything on that connection and save it into the PCAP that we will be analyzing. This won’t be a problem, as we will apply a filter to our results and highlight only the packets that we’re after.
In this instance, we know that the IP address of the Cisco is 192.168.30.1, so we enter it into PuTTY like so:
Your Telnet session then opens like this. Let’s log in and get to the prompt by entering our password:
We have now successfully logged in.
Now we need to look at Wireshark and see what we’ve managed to capture.
Our PCAP file looks like this:
We can see a lot of Telnet data, but it doesn’t seem to tell us much. If we start looking through these packets we come across something very interesting in unencrypted, plain text.
See the part that says “User Access Verification Password:”? That’s the plain text from the login prompt in our earlier step that we saw in Telnet. Let’s investigate further.
We right-click on the entry, then go to “Follow -> TCP Stream”.
We can see the password as “aPPTEXT” circled below.
This is a pretty good example of what you can find when passwords are being transmitted in plain text, which is why Telnet is no longer as popular as it used to be. It is best practice to use methods that encrypt traffic between you and the appliance that you are administering whenever possible.
The same applies to any other connection that you use to reach any service, whether on your LAN or across the WAN. You never know who might be listening.
The same steps above will apply to standard HTTP traffic for websites and device administration, meaning that the warnings that you have always been told about are indeed valid: always seek out an HTTPS address before trusting your credentials to the network.
Analyzing a packet capture (PCAP) file is a matter of thinking about the problem logically, reasoning about what information you are looking for, and then constructing search filters to suit your requirements. Our Telnet example was very basic as it did not require any conversions or decryption, but again, the same principles apply.
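To make the two steps above concrete (the display filter that narrows the capture to the router’s Telnet traffic, and the “Follow -> TCP Stream” reassembly that turns individual segments back into the login prompt and the typed password), here is an added example in pure standard-library Python. It is not code from the article or from the Wireshark project; it reads the classic libpcap file format directly. The capture bytes are constructed inside the script so that it runs offline: the router address 192.168.30.1 and the password “aPPTEXT” come from the article, while the client address 192.168.30.50, the port numbers, the MAC addresses and the out-of-order arrival of the keystroke segments are assumptions made for the example.

```python
"""Reproduce Wireshark's display filter and Follow -> TCP Stream on a PCAP.

Added example, not the article's or Wireshark's own code. Uses only the
standard library and a CONSTRUCTED capture so it runs offline.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def build_frame(src_ip, sport, dst_ip, dport, seq, ack, payload, flags=0x18):
    """Construct one Ethernet/IPv4/TCP frame (checksums left zero; parsing ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # assumed MACs
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian libpcap file (Ethernet link type)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (src_ip, sport, dst_ip, dport, seq, payload) for every TCP packet in the file."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, seq, tcp[doff:]


def display_filter(pkt, host, port):
    """Same effect as the Wireshark filter:  ip.addr == host && tcp.port == port"""
    src, sport, dst, dport, _, _ = pkt
    return host in (src, dst) and port in (sport, dport)


def follow_tcp_stream(pcap, host, port):
    """Reassemble each direction of the matching conversation, ordered by sequence number.
    Returns {(src, sport, dst, dport): bytes}, one entry per direction."""
    segments = defaultdict(list)
    for pkt in iter_packets(pcap):
        if display_filter(pkt, host, port):
            src, sport, dst, dport, seq, payload = pkt
            if payload:
                segments[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segments.items()}


def extract_telnet_password(pcap, host, port=23):
    """Return what the client typed after the router's 'Password:' prompt.
    Assumes the client types nothing before that prompt, as in the article's session."""
    streams = follow_tcp_stream(pcap, host, port)
    for (src, sport, dst, dport), data in streams.items():
        if src == host and b"Password:" in data:          # router -> client direction
            typed = streams.get((dst, dport, src, sport), b"")
            return typed.split(b"\r\n")[0].decode()
    return None


def constructed_capture():
    """A small CONSTRUCTED capture: the router's prompt, the password sent one
    keystroke per segment (recorded out of order), and one unrelated HTTP frame."""
    client, router = "192.168.30.50", "192.168.30.1"      # client address is an assumption
    prompt = b"\r\nUser Access Verification\r\n\r\nPassword: "
    frames = [build_frame(router, 23, client, 50000, 1000, 2000, prompt)]
    keystrokes = [build_frame(client, 50000, router, 23, 2000 + i, 1000 + len(prompt), bytes([c]))
                  for i, c in enumerate(b"aPPTEXT\r\n")]
    frames += keystrokes[::-1]                            # out of order on purpose
    frames.append(build_frame("192.168.30.77", 80, client, 50001, 1, 1, b"HTTP/1.1 200 OK\r\n"))
    return build_pcap(frames)


if __name__ == "__main__":
    cap = constructed_capture()
    for direction, data in follow_tcp_stream(cap, "192.168.30.1", 23).items():
        print(direction, data)
    print("password:", extract_telnet_password(cap, "192.168.30.1"))
```

The point of reversing the keystroke segments is that Telnet clients typically send one character per segment, so a readable password only appears once the segments are put back in sequence-number order, which is exactly what Wireshark does for you when you follow the stream. To run this against a real file instead of the constructed one, read the bytes of a `.pcap` saved by Wireshark (not the newer `.pcapng` format, which this parser does not handle) and pass them to `follow_tcp_stream`.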
There is a lot that can be done with Wireshark, and it’s definitely a tool that you should at least be familiar with installing and running, even if you are not using it every day. It can help with an investigation into a fault and is a brilliant starting point: the PCAP results that you get on your network can tell you a lot about what is happening around you, especially if you have reasons to be suspicious about any strange activity.
If you don’t have much meaningful traffic on your network or test lab, then be sure to check out Wireshark’s Sample Captures page. It is a great way to learn how to create your own filters, and will give you a lot of insight into how different applications communicate over the network.
Be sure to download Wireshark and get scanning!