PCAP analysis basics with Wireshark [updated 2021]
Wireshark is a very useful tool for information security professionals and is thought of by many as the de facto standard in network packet and protocol analysis. It is a freeware tool that, once mastered, can provide valuable insight into your environment, allowing you to see what’s happening on your network.
What follows is a basic walkthrough of some of the steps you might follow when undertaking a preliminary investigation of a specific target on your network, and how it might benefit you depending on the objective in mind. This is not an exhaustive or all-encompassing tutorial, but hopefully will help to shed light on the steps that most people might take when trying to pinpoint details about a particular application or packet stream on the network.
Our example will show you how to reveal a plain-text password being transmitted over your network via Telnet, which will be intercepted by Wireshark. We can then open the capture results and see how we would go about capturing such information, as well as where we can find it in our results.
Learn Network Security Fundamentals
What is Wireshark used for?
- Capturing data packets
- Identifying and analyzing protocols
- Isolating and identifying source and destination traffic
- Inspecting the contents of data packets
Wireshark in action
Let’s look at an example using Telnet to log onto a Cisco Switch. By using Wireshark, we will see what data we can find on the network relating to any network communications.
The very first step for us is to open Wireshark and tell it which interface to start monitoring. In our case this will be Ethernet, as we’re currently plugged into the network via an Ethernet cab.
Next, let’s fire up Putty, as it will let us connect to our Cisco 1751 router via Telnet over the local network. Because Wireshark is monitoring all traffic over Ethernet, it will detect all traffic on the connection and save it into the PCAP that we will be analyzing. This won’t be a problem, as we will apply a filter to our results and highlight only the results that we’re after.
In this instance, we know that the IP address of the Cisco is 192.168.30.1, so we enter it into Putty like so:
Your Telnet session then opens like this. Let’s log in and get to the prompt by entering our password:
We have now successfully logged in.
Now we need to look at Wireshark and see what we’ve managed to capture.
Our PCAP file looks like this:
We can see a lot of Telnet data, but it doesn’t seem to tell us much. If we start looking through these packets we come across something very interesting in unencrypted, plain text.
See the part that says “User Access Verification Password:”? That’s the plain text from the login prompt in our earlier step that we saw in Telnet. Let’s investigate further.
We right click on the entry, and then go to “Follow -> TCP Stream”
We can see the password as “aPPTEXT” circled below.
This is a pretty good example of what you can find when passwords are being transmitted in plain text, which is why Telnet is no longer as popular as it used to be. It is best practice to use methods that encrypt traffic between you and the appliance that you are administering whenever possible.
The same applies to any other connection that you are using to connect to any service, whether it be on your LAN, over the LAN, or across the WAN. You never know who might be listening.
The same steps above will apply to standard HTTP traffic for websites and device administration, meaning that the warnings that you have always been told about are indeed valid: always seek out an HTTPS address before trusting your credentials to the network.
Learn Network Security Fundamentals
Conclusion
Analyzing a packet capture file PCAP is a matter of thinking about the problem logically, reasoning what information you are looking for, and then constructing search filters to suit your requirements. Our Telnet example was very basic as it did not require any conversions or decryption, but again, the same principles would apply.
There is a lot that can be done with Wireshark, and it’s definitely a tool that you should at least be familiar with installing and running, even if you are not using it every day. It can help with an investigation into a fault and is a brilliant starting point: the PCAP results that you get on your network can tell you a lot about what is happening around you, especially if you have reasons to be suspicious about any strange activity.
If you don’t have too much happening on your network or test lab by means of meaningful traffic, then be sure to check out Sample Captures. It is a great way to teach you how to create your own filters, and will give you much insight into how different applications communicate over the network.
Be sure to download Wireshark and get scanning!
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- PCAP analysis basics with Wireshark [updated 2021]
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
