Packet Analysis: Sample Case Study - Administration
In the first part of this two-part series, you learned the network communication concepts you need to know to understand the operation and data provided by Wireshark. I also covered the installation steps and some very basic configuration. This part will delve more deeply into using Wireshark for analyzing your network.
Now that you've learned the basic features of Wireshark, let's look at an example of packet analysis. Say you are tasked with retrieving a password from captured packets. The password was entered in a log-in form that was submitted over an unencrypted connection. To find sensitive data such as passwords that are sent in clear text (not encrypted), follow the procedure below:
Step 1. Most password submissions originate from the client machine at the application layer, and an unencrypted login form is submitted over plain HTTP, so HTTP is the protocol to look for. Sort the capture by protocol by clicking the “Protocol” column header and look for the “HTTP” entries (screenshot details below).
Step 2. A password sent to the web server over HTTP travels in either a POST or a GET request. POST is more common, since it keeps the password out of the URL and the browser address bar. So look for a POST entry in the “Info” column.
If you know the login page URL (for example, wp-login.php in WordPress), you can find the right request faster.
Step 3. Once you have found the request, double-click that packet and a new window opens. Maximize that window and navigate to “Line-based text data.” Expand it, and you can see the password in that entry (the actual password is shown in bold in the screenshot):
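The same inspection can be automated from the defender's side. The following added example (not code from the original article) takes a raw HTTP request as Wireshark shows it under “Line-based text data,” parses the request line, headers and body, and reports any password-like form field that travelled in clear text, whether in a POST body or in a GET query string. The reported value is redacted, so the finding can be filed as evidence that a login form is unencrypted without copying the secret itself. The field names, host names and request bytes below are constructed for the example; the WordPress field names `log` and `pwd` match the wp-login.php form mentioned above.

```python
"""Flag clear-text credential submissions in captured HTTP requests.

Added example, not part of the original article. It scans raw HTTP/1.x
requests (as displayed by Wireshark under "Line-based text data") for
password-like fields sent unencrypted and reports them with the value
redacted. Sample requests and field names are constructed.
"""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Form field names that commonly carry a password (assumed list).
SECRET_FIELDS = {"pwd", "pass", "password", "passwd"}


def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "headers": headers, "body": body.decode("latin-1")}


def redact(value: str) -> str:
    """Replace a secret with asterisks, keeping only its length."""
    return "*" * len(value)


def find_cleartext_credentials(raw: bytes) -> List[Dict[str, str]]:
    """Return one finding per password-like field sent in this request."""
    req = parse_http_request(raw)
    headers = req["headers"]
    parts = urlsplit(req["target"])
    # Form fields may arrive in the URL (GET) or in the body (POST).
    sources = [("query", parts.query)]
    ctype = headers.get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        sources.append(("body", req["body"]))
    findings = []
    for location, encoded in sources:
        for name, value in parse_qsl(encoded, keep_blank_values=True):
            if name.lower() in SECRET_FIELDS:
                findings.append({
                    "method": req["method"],
                    "host": headers.get("host", ""),
                    "path": parts.path,
                    "location": location,
                    "field": name,
                    "redacted": redact(value),
                })
    return findings


def summarize(findings: List[Dict[str, str]]) -> List[str]:
    """Human-readable lines for a report; no secret values are included."""
    return ["{method} {host}{path}: field '{field}' sent in clear text in the "
            "{location} (value {redacted})".format(**f) for f in findings]


# Constructed sample: a WordPress-style login POST (fields log / pwd).
SAMPLE_POST = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"log=editor&pwd=correct+horse&wp-submit=Log+In"
)

# Constructed sample: a login done with GET, password in the query string.
SAMPLE_GET = (
    b"GET /login?user=bob&password=hunter2 HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"\r\n"
)

# Constructed sample: a POST with no credential field at all.
SAMPLE_SEARCH = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"q=hello"
)

if __name__ == "__main__":
    for sample in (SAMPLE_POST, SAMPLE_GET, SAMPLE_SEARCH):
        for line in summarize(find_cleartext_credentials(sample)):
            print(line)
```

Only `application/x-www-form-urlencoded` bodies are decoded; multipart and JSON logins would need their own parsers. The detector deliberately never returns the secret, which is the property you want in any tooling that is run over production captures.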
So far, the packets you have been studying in the section above travel between your own machine and the outside world. In a realistic setting, such as administering many computers on a local area network, you need to capture packets sent by other computers as well.
Because of this, you need to set up Wireshark on a network interface card that can see all packets on the network segment, not just those addressed to one computer (commonly called “promiscuous mode”). There are several ways to achieve this, which are described in detail in the official Wireshark documentation.
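Before starting a capture that is supposed to see other hosts' traffic, it is worth confirming that the capture interface really is in promiscuous mode; run periodically, the same check also reveals an interface that was put into promiscuous mode unexpectedly. The following added example (not from the original article, and Linux-specific) reads each interface's flag word from sysfs and decodes the promiscuous bit. It assumes the standard Linux flag values (IFF_UP is 0x1, IFF_PROMISC is 0x100) and the `/sys/class/net/<iface>/flags` layout; the interface names and flag values used in the comments are constructed.

```python
"""List network interfaces that are in promiscuous mode (Linux, sysfs).

Added example, not part of the original article. Reads
/sys/class/net/<iface>/flags, which holds the interface flag word as a
hex string such as "0x1103", and decodes the IFF_UP and IFF_PROMISC bits.
"""
import os
from typing import Dict, List

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface receives all frames on the segment


def parse_flags(text: str) -> int:
    """Parse the contents of a sysfs 'flags' file, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def describe_interface(name: str, flags: int) -> Dict[str, object]:
    """Decode the bits we care about from an interface flag word."""
    return {
        "name": name,
        "up": bool(flags & IFF_UP),
        "promiscuous": bool(flags & IFF_PROMISC),
    }


def list_interfaces(sysfs_root: str = "/sys/class/net") -> List[Dict[str, object]]:
    """Describe every interface that exposes a readable flags file."""
    results = []
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path, encoding="ascii") as fh:
                flags = parse_flags(fh.read())
        except OSError:
            continue  # virtual entries without a flags file, or no permission
        results.append(describe_interface(name, flags))
    return results


def promiscuous_interfaces(interfaces: List[Dict[str, object]]) -> List[str]:
    """Names of the interfaces whose IFF_PROMISC bit is set."""
    return [str(i["name"]) for i in interfaces if i["promiscuous"]]


if __name__ == "__main__":
    # Constructed illustration: eth0 with flags 0x1103 is up and promiscuous,
    # lo with flags 0x9 (UP | LOOPBACK) is not.
    for iface in list_interfaces():
        state = "PROMISCUOUS" if iface["promiscuous"] else "normal"
        print(f"{iface['name']}: up={iface['up']} mode={state}")
```

If the interface you chose for the capture does not show up as promiscuous here, Wireshark's own “Capture packets in promiscuous mode” option has not taken effect, and packets addressed to other hosts will be missing from the capture even on a segment where they are visible.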
Future tutorials will focus on more advanced applications of Wireshark, such as capturing packets on a wireless network and an in-depth application of Wireshark in network administration.