Wireshark: An Open-Source Forensic Tool
“Today we are at a defining moment in the evolution and growth of the Internet. Large-scale data breaches, uncertainties about the use of our data, cybercrime, surveillance and other online threats are eroding users’ trust…”
As networks have become more complex, hackers across the globe are launching attacks such as identity/information theft, and machine hijacking. These threats not only affect the users of the systems but the administrators and the forensic investigators themselves.
To prevent these network-related attacks, it is necessary to know their origination point. Packets traversing across networks, when seized, unveil their true signature This enables system administrators to take ownership and restore systems from damages caused by attackers.
Network attacks can be identified explicitly by analyzing the incoming and outgoing traffic because unusual behavior comes from suspicious patterns of packets.2 A network troubleshooting software and protocol analyzer would help us to identify any such anomalies.
This article reviews Wireshark, which is a free and open source packet analyzer used to capture, analyze and filter packets. This allows a systems administrator to unveil any potential attacks.
The Wireshark Tool
Wireshark, formerly known as “ethereal” can be downloaded from https://www.wireshark.org/#download
To start capturing data, the application is launched, and an interface is selected as shown below:
Figure 1 – Selecting an Interface for Capture
Immediately after the “start capturing” button (as circled in red above) is selected, the packets are displayed in real time. This is demonstrated in the illustration below:
Figure 2 – Starting a Capture
The promiscuous mode, which is enabled by default, allows all other packets on the same network to be displayed.
Verifying that the Promiscuous mode has been selected:
The promiscuous mode can be verified as follows:
- Select Capture
- Select Options
- Select Input tab
- Enable the checkbox as circled in red below:
Figure 3 – Enabling Promiscuous mode
The red stop button (as circled in blue below) may be selected at any time when the capturing needs to be stopped:
Figure 4 – Stopping a Capture
The Capture Window
Figure 5 – The Capture Window Pane
The capture window is shown above in figure 6. It consists of 3 different panes, which are as follows:
A: The packet list pane – This displays all the packets in the current capture file.
B: The packet detail panel – This shows the current packet which is selected in the “Packet List” pane, with more details.
C: The packet bytes panel – This shows the data of the current packet which is selected in the “Packet List” pane. It is displayed in a hexadecimal file format.
Analyzing Packet Contents
Figure 6 – Analyzing Captured Packets Contents
In this stage, a new capture is started, and the web traffic is generated towards amazon.co.uk. After this, the capture is then stopped.
In Figure 5 above, the trace number (119) shows the first synchronization (SYN) packet that has been sent. It has an IP of 126.96.36.199, and the Amazon server has an IP of 188.8.131.52.
The first synchronization determines the start of a TCP 3-way handshake between a client and a server.
Color Codes in the “Captured Packets” Pane – What They Mean
One useful feature in Wireshark is its packet colorization scheme. Wireshark can be set up to highlight (in color) specific packets. This allows for the easy identification of packets at first glance. This is illustrated in the screenshots below:
Light Purple – TCP Traffic
Figure 7 – TCP Traffic
Light Blue – UDP Traffic
Figure 8 – UDP Traffic
Black – Packet with Errors
Figure 9 – Packets with Errors
The specific meaning behind each color can be viewed by selecting the “View” menu item and then selecting “Coloring rules” as shown below. Any further enhancements or modification of the coloring rules can be done from this menu option.
Figure 10 – Coloring Rules
The Wireshark tool can also be used to filter for the following:
- Specific mac addresses;
- IP addresses;
- IP addresses with conditional TCP ports.
There are 17 pre-defined filters in Wireshark that can be located in the “Analyze” menu, and from there, selecting the “Display Filters” as illustrated below:
Figure 11 – Filtering Packets
Additional filters can be created by selecting the “+” sign (as circled in red below):
The features of capturing, analyzing and filtering packets as reviewed in this article reveal how crucial that Wireshark is to network forensics. The need for packet analysis is raised by the fact that current methods used by most systems administrators only detect network attacks.
It must be noted that Wireshark is not a network intrusion detection system. Its primary purpose is to unveil a broad range of security threats through packet analysis.