Capturing Packets with the Wireshark Network Analyzer

In the first part of this two-part series, you learned the network communication concepts you need to know to understand the operation and data provided by Wireshark. I also covered the installation steps and some very basic configuration. This part will delve more deeply into using Wireshark for analyzing your network.

Specifically, in this part, you will learn details about Wireshark, its operation, features, capturing packets and getting text data, as well as interpretation of packet information. You will also learn how to optimize the configuration of Wireshark so that you can capture not only packets from your computer, but from other computers connected in the network as well.

Capturing Packets and Basic Interpretation

In the first part of the article series you learned how to determine which network interfaces are capturing packets (these are called “active interfaces”). To start capturing packets, the easiest method is to click the active network interface under “Interface List.” In the screenshot below, the interface “Realtek RTL8139 Family Fast Ethernet Adapter” (inside the bold red box) is active, so it is clicked.

When clicked, Wireshark will start capturing the packets passing through that network interface. If you have significant network activity (such as from browsing the Internet), Wireshark will monitor a lot of packets. In the screenshot below:

Packets are captured serially on the network interface and shown by Wireshark. In the above screenshot I opened the Firefox browser, and then Firefox opened the default home page with the address:

http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

The Firefox browsing event has been captured accurately by Wireshark. The first packet transmission event originates from my computer (local / LAN IP address: 192.168.2.100) and is sent to 217.73.224.2, which is an ISP DNS server. The local computer queries the DNS server for www.google.com, which is the default home page I use for the Firefox browser.

Once the DNS has been resolved (not shown in the above packets), the browser will then fetch information. In the above screenshot, you can see six columns in the Wireshark Packet capturing window. The first column is the “No.” which is the packet number. The time (second column) is the number of seconds since the start of capture. It shows that at t=0, the local machine initiated a DNS query (shown in the above screenshot).

The third column is the source IP address (it shows the local IP address, not the WAN IP address). The fourth column is the destination IP address (where the packet will be sent). The fifth column is the protocol of the packet (for example, DNS for a domain name query, TCP for the Transmission Control Protocol, and HTTP for web browsing).

Finally, the last column (INFO) shows a snippet/description of the packet being monitored. It explains a bit of what the protocol is doing.

Stop Capturing and Exporting Data

Note that Wireshark will not stop capturing packets unless it has been told to stop. To stop capturing packets, go to Capture and click “Stop.”

Wireshark provides several ways to export captured packet information to another file type suitable for processing. Exporting the live capture packets (such as those you saw in the previous screenshot) containing the data for the six basic columns to MS Excel is a bit challenging, because there is no direct export to MS Excel. There is, however, a .CSV export which we can use. But opening the .CSV export directly in MS Excel gives a distorted output, since the file contains comma-separated values.

Working with captured packets in a spreadsheet is very useful for an administrator monitoring traffic in the network, since you can easily filter, sort and analyze the information. The best approach that I found is to use Open Office Calc (a program with features similar to MS Excel’s). This is an open source spreadsheet application that can be easily downloaded.

Below are the detailed steps:

Step 1. Go to your Wireshark application, and then go to File -> Export -> File.

Step 2. Enter the file name.

Step 3. Under “Save as type,” select CSV.

Step 4. You can choose to export all packets or a selected range of packets under “Packet Range.” The default setting exports all packets.

Step 5. You can also customize the exported packet details under “Packet format.”

“As displayed” exports to spreadsheet those packets as displayed in Wireshark.

“All collapsed” exports each packet with all detail sections collapsed (no further details given).

“All expanded” exports all possible details of the packet, including the header and information.

Saving Exported Packet Information

Step 6. When everything has been set, click “Save.” See screenshot below:

Step 7. Now go to My Documents (or any path in your computer where you save the .csv file).

Step 8. Right click on the file, and then click “Open.”

Step 9. The “Open With” dialog box will then appear. In the programs, select “scalc,” which is the Open Office Calc application, and then press OK.

Step 10. The next thing you will see is the Text Import window in Calc. Now look for “Separator Options.” Under that, confirm that “Separated by” is checked. If not, check it; then uncheck “Tab” and check “Comma.” After that click OK; this should format the spreadsheet with the correct settings.

Step 11. Now to save it as an Excel file, go to File -> Save As -> and then, under "save as type," select Microsoft Excel 97/2000/XP (.xls). If there is a warning after clicking save, just click “Keep current format.”

Step 12. You can now close the Calc spreadsheet and open the exported Excel file. You can start analyzing and working with your captured packets in the MS Excel environment.
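As an added example (not part of the original article), the following Python script does in code what the spreadsheet steps above do by hand: it reads the six-column CSV export described earlier (No., Time, Source, Destination, Protocol, Info) and summarizes it by protocol, endpoint pair, HTTP request line and capture duration. The export text is constructed inline to match the article's columns; the client and DNS server addresses are the ones the article mentions, while 203.0.113.10 is a documentation-range placeholder for the web server, not a real host.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Wireshark CSV export with the six columns the article
# describes. 192.168.2.100 and 217.73.224.2 are the client and DNS server from
# the article; 203.0.113.10 is a documentation-range placeholder for the web server.
SAMPLE_EXPORT = '''"No.","Time","Source","Destination","Protocol","Info"
"1","0.000000","192.168.2.100","217.73.224.2","DNS","Standard query A www.google.com"
"2","0.031224","217.73.224.2","192.168.2.100","DNS","Standard query response A 203.0.113.10"
"3","0.032010","192.168.2.100","203.0.113.10","TCP","1423 > http [SYN] Seq=0 Win=65535 Len=0"
"4","0.061877","203.0.113.10","192.168.2.100","TCP","http > 1423 [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0"
"5","0.062031","192.168.2.100","203.0.113.10","HTTP","GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official HTTP/1.1"
"6","0.101433","203.0.113.10","192.168.2.100","HTTP","HTTP/1.1 200 OK  (text/html)"
'''

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD"}


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by the column headers.

    csv.DictReader honours the quoting Wireshark writes, so a comma inside
    the Info field (e.g. "[SYN, ACK]") does not split the column the way a
    naive split(',') would, which is the distortion the article warns about.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["No."] = int(row["No."])
        row["Time"] = float(row["Time"])  # seconds since start of capture
    return rows


def protocol_counts(rows):
    """How many packets were seen per protocol (the fifth column)."""
    return Counter(row["Protocol"] for row in rows)


def conversations(rows):
    """Distinct endpoint pairs, ignoring packet direction."""
    pairs = {frozenset((row["Source"], row["Destination"])) for row in rows}
    return sorted(tuple(sorted(pair)) for pair in pairs)


def http_requests(rows):
    """(packet number, method, path) for every HTTP request line in Info."""
    found = []
    for row in rows:
        if row["Protocol"] != "HTTP":
            continue
        parts = row["Info"].split()
        if len(parts) >= 3 and parts[0] in HTTP_METHODS:
            found.append((row["No."], parts[0], parts[1]))
    return found


def capture_duration(rows):
    """Span in seconds between the first and last packet in the export."""
    times = [row["Time"] for row in rows]
    return max(times) - min(times) if times else 0.0


if __name__ == "__main__":
    packets = parse_export(SAMPLE_EXPORT)
    print("protocols:", dict(protocol_counts(packets)))
    print("conversations:", conversations(packets))
    print("HTTP requests:", http_requests(packets))
    print("duration (s):", capture_duration(packets))
```

To run this on your own export, replace SAMPLE_EXPORT with the contents of the .csv file saved in Step 6; the same functions apply because the column headers are what Wireshark writes.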

Packet Analysis: Sample Case Study

Now that you’ve learned the basic features of Wireshark, let’s look at an example of packet analysis. Say you are tasked to retrieve a password from the packets. The password is entered in a log-in form (unencrypted). To grab sensitive data such as passwords that are sent in clear text form (not encrypted), follow the procedure below:

Step 1. Since password submissions originate from the client machine at the application layer, an unencrypted login uses plain HTTP. Sort the results by protocol by clicking the “Protocol” column header and look for the HTTP entries (screenshot details below).

Step 2. Sending passwords to the web server over HTTP involves either POST or GET. POST is more common, since it keeps the password out of the URL/browser address bar. So find a POST entry under the “Info” column.

If you know the login page URL (for example: wp-login.php) in WordPress, you can find it faster.

Step 3. Once you see the results, double click that packet, and a new window will open. Maximize that window and navigate to “Line-based text data.” Expand it, and you can see the password in that entry (actual password in bold):

log=admin&pwd=xtyunbghgrtfderwdfh&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.php-developer.org%2Fwp-admin%2F&testcookie=1

The actual password is xtyunbghgrtfderwdfh.
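The case study above shows why a login form submitted over plain HTTP is a problem: the form body in “Line-based text data” is readable to anyone who can capture the packet. As an added example (not part of the original article), the following Python script is the defender's side of the same observation: it takes one HTTP request as Wireshark would show it, decodes the URL-encoded form body, and reports which fields carry credentials in the clear without logging their values, so the finding can be written to a ticket or alert safely. The request text is constructed inline (www.example.com, a placeholder password), and the list of credential field names is an assumption to extend for the applications on your own network.

```python
from urllib.parse import parse_qsl, urlencode

# Form field names that commonly carry credentials in HTML login forms.
# Assumption: a starting list; extend it for the applications you administer.
CREDENTIAL_FIELDS = {"pwd", "pass", "passwd", "password", "secret", "token"}

# Constructed sample: a WordPress-style login POST as it appears in a capture,
# with a placeholder password. Not captured traffic.
SAMPLE_BODY = ("log=admin&pwd=example-password&wp-submit=Log+In"
               "&redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&testcookie=1")
SAMPLE_POST = ("POST /wp-login.php HTTP/1.1\r\n"
               "Host: www.example.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(SAMPLE_BODY)}\r\n"
               "\r\n" + SAMPLE_BODY)


def split_request(raw):
    """Split a raw HTTP request into (method, path, headers, body).

    The blank line (CRLF CRLF) separates the headers from the body, which is
    the part Wireshark labels "Line-based text data" for form submissions.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw):
    """Report credential fields sent in a plain-HTTP form POST.

    Returns one finding per credential field with the value's length only,
    never the value itself, so the report is safe to log or forward.
    """
    method, path, headers, body = split_request(raw)
    if method != "POST":
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    # parse_qsl undoes the form encoding ("Log+In" -> "Log In", %2F -> "/")
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.lower() in CREDENTIAL_FIELDS:
            findings.append({"path": path, "field": name, "value_length": len(value)})
    return findings


def redact_form_body(body):
    """Return the form body with credential values replaced, for safe evidence."""
    pairs = [(name, "REDACTED" if name.lower() in CREDENTIAL_FIELDS else value)
             for name, value in parse_qsl(body, keep_blank_values=True)]
    return urlencode(pairs)


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_POST):
        print("cleartext credential:", finding)
    print("redacted body:", redact_form_body(SAMPLE_BODY))
```

The remedy for what the script flags is the same in every case: serve the login page over HTTPS so the form body is encrypted before it reaches the wire.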

Getting Packets from Other Networked Computers

So far the packets you have been studying in the above section are traveling between your machine and the outside world. In a realistic application, such as administering a lot of computers in the local area network, you need to capture packets from other computers.

Because of this, you need to set up Wireshark on a network interface card that can see all packets in the network (a setting commonly called “promiscuous mode”), not just those of one computer. Note that on a switched network, promiscuous mode alone is not enough, since the switch only delivers other hosts’ traffic to their own ports; you also need a mirror (SPAN) port or a hub. Different methods can achieve this, which you can learn about in detail in the official Wireshark documentation.

Future tutorials will focus on more advanced applications of Wireshark, such as capturing packets on a wireless network and an in-depth application of Wireshark in network administration.
