Do you need to capture and inspect network communications on a LAN, a WAN or any other network configuration? Or have you found yourself in a difficult situation troubleshooting network-related problems inside or outside your own network? Then you need a network analyzer to examine the packets going into and out of a network interface. Wireshark can help. Keep reading to find out how.
This article is for readers who are entirely new to Wireshark and network packet analysis. Because of the broad nature of this tutorial, it is divided into two parts. The first part discusses important network communication concepts and terminology and gets you started with Wireshark. The second part will discuss data interpretation and packet analysis and show real-world and advanced applications of Wireshark.
What is a Network Analyzer?
A network analyzer captures and decodes ALL of the information that passes into and out of a network interface (NIC). This reveals the details of every communication that crosses that interface. The information comes in the form of "packets" (I'll define this word in the next section). By capturing packets with Wireshark and analyzing them, a network administrator can see exactly what passes through the interface. One caveat a beginner should know from the start: on a switched network, a NIC normally only sees traffic addressed to it plus broadcast and multicast traffic. To see traffic between other hosts you need to capture on one of those hosts, use a mirror (SPAN) port on the switch, or insert a network tap; Wireshark's "promiscuous mode" only tells the NIC not to discard frames addressed to other machines, it does not make the switch deliver them.
The screenshot below shows how the data produced by an application on the user's machine is broken into packets, and which protocols govern each layer of the communication:
Wireshark captures whole frames at the link layer (for example Ethernet) using a capture driver (libpcap on Linux/macOS, Npcap on Windows) and then decodes every layer it finds inside them. The layers you will look at most often are the Internet layer, governed by IP, and the transport layer, governed by TCP or UDP; together these protocols are commonly called "TCP/IP" or the "Internet protocol suite." Because this is a packet-switched network (a network that moves data as individual packets rather than over a dedicated circuit), each packet is delivered to the correct receiving machine based on the addresses in its headers: the IP header carries the destination host address, and the TCP or UDP header carries the destination port that identifies the application. More detailed information about "packets" will be discussed later.
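To make the layering concrete, here is an added example (not code from the original article and not part of Wireshark) that decodes a single Ethernet frame the way Wireshark's dissectors do: each header says which protocol handles the bytes that follow it. The frame bytes are constructed by hand for this example (a TCP SYN from 192.168.1.10:40000 to 93.184.216.34:80 with the checksums left at zero); the field offsets follow the Ethernet, IPv4 (RFC 791) and TCP (RFC 793) header layouts.

```python
"""Decode the link, Internet and transport headers of one raw Ethernet frame.

Added example, not part of the original article or of Wireshark itself.
SAMPLE_FRAME is constructed by hand: a TCP SYN, no IP/TCP options, no payload,
checksums left at zero (Wireshark does not validate them by default either).
"""
import struct

SAMPLE_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"                    # Ethernet: dst MAC, src MAC, EtherType 0x0800 = IPv4
    "4500 0028 0001 4000 4006 0000 c0a8010a 5db8d822"    # IPv4: ver 4/IHL 5, total len 40, DF, TTL 64, proto 6 = TCP
    "9c40 0050 00000001 00000000 5002 ffff 0000 0000"    # TCP: 40000 -> 80, seq 1, data offset 5, flags SYN
)


def parse_ethernet(frame: bytes) -> dict:
    """Link layer: 6-byte destination, 6-byte source, 2-byte EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def parse_ipv4(data: bytes) -> dict:
    """Internet layer: the IHL field gives the header length, total_len the datagram length."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20]
    )
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "payload": data[ihl:total_len],
    }


TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))


def parse_tcp(data: bytes) -> dict:
    """Transport layer: ports identify the application; data offset gives the header length."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": flags, "payload": data[data_offset:]}


def dissect(frame: bytes) -> dict:
    """Walk the layers: EtherType 0x0800 hands the payload to IPv4, IP protocol 6 hands it to TCP."""
    eth = parse_ethernet(frame)
    layers = {"eth": eth}
    if eth["ethertype"] == 0x0800:
        ip = parse_ipv4(eth["payload"])
        layers["ip"] = ip
        if ip["protocol"] == 6:
            layers["tcp"] = parse_tcp(ip["payload"])
    return layers


if __name__ == "__main__":
    for name, fields in dissect(SAMPLE_FRAME).items():
        summary = {k: v for k, v in fields.items() if k != "payload"}
        print(f"{name}: {summary}")
```

Running the script prints one line per layer, which is the same information Wireshark shows in its packet-details pane; the point to notice is that nothing at the Ethernet layer knows about ports, and nothing at the TCP layer knows about MAC addresses, each header only describes its own layer and names the next.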
This matters a great deal if you are the network administrator responsible for examining and protecting the information that leaves your infrastructure. For example, if the computers you are responsible for handle highly classified information, you can use Wireshark to double-check that the packets sent out of those machines are encrypted. Seeing unreadable payloads confirms that the encryption protocol is in use (or warns you that it isn't); to confirm that it is the right protocol, look at the handshake Wireshark decodes for you, such as the TLS version and cipher suite, rather than relying on the payload merely looking like noise.
Another example: if sensitive information such as a password is sent unencrypted, it shows up in clear text during packet analysis with Wireshark. This is bad news for the machine's users, because anyone else positioned to capture the same traffic sees the same password, and it means that saved captures containing such traffic must be protected as carefully as the credentials themselves. For the administrator it is useful evidence: a capture that shows credentials in the clear pinpoints exactly which application or protocol (Telnet, FTP, HTTP Basic authentication and the like) needs to be replaced with an encrypted alternative. Another good application is double-checking that sensitive communication really is encrypted, for instance confirming an SSH (Secure Shell) connection: the version banner at the start of an SSH session is sent in clear text, but everything after the key exchange should be opaque.
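The two checks just described, spotting credentials sent in the clear and telling plaintext from encrypted-looking traffic, can be automated over the payloads you extract from a capture. The following is an added example, not code from the original article or from Wireshark. All payloads are constructed for the example (the base64 in the HTTP sample decodes to "alice:hunter2", and the "ciphertext" is deterministic SHA-256 output standing in for a TLS record body); the entropy threshold of 6.0 bits per byte is a heuristic chosen here, not a Wireshark setting.

```python
"""Find cleartext credentials in payloads and separate plaintext from encrypted-looking data.

Added example, not part of the original article or of Wireshark itself.
The sample payloads are constructed; the entropy threshold is an assumption.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# FTP sends USER/PASS as plain lines; HTTP Basic auth is only base64-encoded, not encrypted.
FTP_LOGIN = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.MULTILINE)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.MULTILINE | re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_cleartext_credentials(payload: bytes) -> list:
    """Return human-readable descriptions of every credential visible in the payload."""
    found = []
    for cmd, arg in FTP_LOGIN.findall(payload):
        found.append(f"FTP {cmd.decode()}={arg.decode(errors='replace')}")
    for token in HTTP_BASIC.findall(payload):
        try:
            creds = base64.b64decode(token, validate=True).decode(errors="replace")
        except ValueError:
            continue  # malformed base64: not decodable, so nothing to report
        found.append(f"HTTP Basic {creds}")
    return found


def classify_payload(payload: bytes, threshold: float = 6.0) -> dict:
    """Credentials win over entropy: readable secrets are the finding, whatever the score."""
    creds = find_cleartext_credentials(payload)
    entropy = shannon_entropy(payload)
    if creds:
        verdict = "cleartext credentials"
    elif entropy >= threshold:
        verdict = "looks encrypted or compressed"
    else:
        verdict = "plaintext"
    return {"verdict": verdict, "entropy": round(entropy, 2), "credentials": creds}


def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for encrypted data."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads, one per situation discussed in the text.
SAMPLES = {
    "ftp_login": b"USER alice\r\nPASS hunter2\r\n",
    "http_basic": (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # TLS application-data record header (0x17, version 3.3, length 0x0400) followed by opaque bytes.
    "tls_record": b"\x17\x03\x03\x04\x00" + fake_ciphertext(1024),
}


def audit(samples=SAMPLES) -> dict:
    return {name: classify_payload(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:11} {result['verdict']:30} entropy={result['entropy']:.2f} {result['credentials']}")
```

The entropy score is only a hint: compressed data scores as high as ciphertext, and a short encrypted message can score low, which is why the credential patterns are checked first and why the protocol handshake, not the score, is what confirms that encryption is in use.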