PenTest Edition: Wireshark

Wireshark is a GUI, cross-platform, open-source protocol and packet analyzer available for Microsoft Windows, Linux, Mac OS, BSD, Solaris, and some other Unix-like operating systems. As a packet analyzer, Wireshark’s functionality includes network troubleshooting, packet capture analysis, real-time network traffic observation, examining security problems, protocol implementation debugging, and reconnaissance. If you’re already familiar with tcpdump or Tshark, then Wireshark will be simple to understand. Before understanding how Wireshark works, it definitely helps to understand the OSI model, so be sure to familiarize yourself with how computers communicate with each other.

You can download Wireshark here.

How Does Wireshark Capture Traffic?

Wireshark uses a pcap (packet capture) API to capture packets. UNIX/Linux systems come with “libpcap,” which stands for “Promiscuous Library Capture.” This API is used to grab packets right off the network interface card. Windows systems, on the other hand, don’t come with libpcap and must therefore download and install “WinPcap,” which stands for “Windows Packet Capture.”

Promiscuous Mode and Monitor Mode

Whether we’re using wireless or wired network interfaces cards, our system only process the unicast, multicast, and broadcast traffic destined to our system. Other systems’ unicast traffic, if received by our network interface card, is not processed because the traffic is not specifically addressed to our system. This makes sense in the world of networking and it’s also favorable from a security perspective.

Promiscuous Mode

In “Promiscuous Mode,” Wireshark captures all the traffic on the network that we are currently associated with. If you are on a wired network, there’s a high chance you’re connected directly to a switch located on a small subnet or broadcast domain. In Promiscuous Mode, you can the see the traffic destined to and from your system, including other systems’ multicast and broadcast traffic; however, you cannot view any of the unicast traffic from the other systems connected to the switch. This is because switches forward unicast traffic only to their intended destinations. This is very different from hubs and wireless networks. On a hub, you can see other systems’ unicast traffic as long as the interface you are connected to operates at the same speed as the other interfaces. The only way to see another system’s unicast traffic on the switch would be to enable port mirroring by configuring the mirror and destination port (requires administrative access), installing a network tap device (like a hub) inline with the traffic you wish to examine, or using ARP poisoning techniques to initiate a MitM attack.

On a wireless network, Promiscuous Mode allows you to capture traffic on the wireless network you are associated with. In theory, promiscuous mode is possible on wireless network interface cards, but you will likely only see the unicast, multicast, and broadcast traffic intended for your system. Though you might receive other system’s wireless traffic, it will not be processed. This can be easily bypassed by ARP poisoning and MitM attacks.

The annoying thing regarding Promiscuous Mode on wireless networks is that the wireless network interface card will process the full 802.11 frame, but won’t pass them along “intact.” Instead, the wireless layer 2 information will be replaced with “fake” Ethernet headers, which is troublesome for packet analysis. To solve this problem, we can put the wireless network interface card into another mode.

Monitor Mode

“Monitor Mode” is one of the six modes for our wireless interface cards reserved specifically for wireless networks. By default, they are set to Managed Mode, but they can also be set to Ad Hoc, Mesh, Repeater, and Master. Unlike Promiscuous Mode, you don’t have to associate (authenticate) with an AP or wireless network to capture traffic. When set to Monitor Mode, the wireless network interface card ceases sending any information in order to fully dedicate itself to a passive “monitoring” of all the wireless traffic it can receive within range.

Specifically, the wireless network interface card is not associated with any particular service set, but captures other 802.11 frames. While in Monitor Mode, you cannot use the network unless you have an additional network interface card set up. Monitor mode will display wireless packets, full 802.11 frame headers, access points, wireless nodes, signal strength, and the channel being monitored.

Not all wireless network interface cards support Monitor Mode. WinPcap also doesn’t support Monitor Mode. If you have a Windows machine, I suggest investing in an Alfa AWUS036NHA, a USB wireless b/g/n network adapter by Alfa Network, Inc. This adapter is capable of monitor mode and packet injection.

Protocol Display Filters

Wireshark will display a ton of protocols…too many for me to mention, but I can mention the more important ones. You’ll want to be familiar with more of the TCP/IP protocols and applications. Think ftp, ssh, scp, sftp, telnet, icmp, udp, smtp, pop3, imap, TACACS+, RADIUS, Kerberos, dns, tftp, http, https, ldap, l2tp, pptp, rdp, and so forth. This also means you’re going to want to memorize each protocol’s corresponding port number as well (e.g., ftp = 20 and 21; ssh = 22; telnet = 23; smtp = 25).

I think the best approach is to just use Wireshark, and when you come across a protocol that you’ve never heard of before or cannot remember what the protocol is used for, refer to this page here. This contains a LARGE list of every protocol Wireshark is able to capture. Click on the protocol that you wish to learn more about. If not enough information is provided, just research the protocol.

The User Interface

In Windows, you can start Wireshark by pressing the “Windows” button + r and then typing “Wireshark” and ENTER. In UNIX/Linux, you can simply open a terminal and type “Wireshark” and ENTER. Here’s what the user interface looks like after capturing network traffic.

Wireshark pcap.png

I’ve highlighted in red three boxes, or “panes,” we’ll discuss in detail here. We’ll start with the first pane.

The Packet List Pane

The packet list pane displays all the packets in the current capture file. From right to left you have:

  • No.: The number of the packet
  • Time: The timestamp of the packet in seconds since the packet capture started
  • Source: The source IP address of the packet
  • Destination: The destination IP address of the packet
  • Protocol: The protocol name
  • Length: The length of each packet in bytes
  • Info: Additional useful information about the packet, such as missing flags, HTTP POST requests, errors, or encryption.

wireshark packet list pane.png

In the Packet List pane, you’ll also see symbols that appear to the left of the No. column. These are particularly useful if you are following a sequence of data.

Wireshark symbols.png

The Packet Details Pane

As the name suggests, the Packet Details pane gives us a little more information about a selected packet and displays it in a listed OSI model format. Think of it as a dissection of the packet. If not encrypted this pane is where you would find useful payload information, usernames, passwords, and sensitive information.

wireshark packet details pane.png

The Packet Bytes Pane

This pane displays the data of the selected packet in a hexadecimal format style.

wireshark packet bytes pane.png

Menus and Toolbars

Wireshark’s menu was displayed in the previous images located at the top of the main window. Here is a close up.

wireshark menu.png

Clicking each one of these menus brings down a drop-down box where users can select one of several different items. I really appreciate how Wireshark’s User’s Guide summarizes each one of these menu items. Since, I don’t want to overload the reader with too much information, I’ll be grabbing these summaries straight from the user’s guide.

  • File: This menu contains items to open and merge capture files, save, print, or export capture files in whole or in part, and to quit the Wireshark application
  • Edit: This menu contain items to find a packet, time reference, or mark on or more packets, handle configuration profiles, and set your preferences
  • View: This menu controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in packet details, etc. There is a “name resolution” item here that will try to convert some of the numerical address values into a human readable format. For example you can resolve an Ethernet MAC address ( e.g., 00:09:5b:01:02:03) to something more human readable.
  • Go: This menu contains items to go to a specific packet. Simply press next for the next packet or go back. Or you can get more specific and choose the next corresponding packet currently selected for that protocol field. Or you can go to the next packet in the conversation.
  • Capture: This menus allows you to start and stop captures and to edit capture filters. Choose the interface you would like to capture from. Also under this menu, you can create and save filters so you do not have to constantly re-type them. Ex: enter a filter string (e.g., ip.addr == 255.255.255.255). This string filters only traffic coming from this subnet mask. You can then add a filter name for it, such as “ip broadcast.”
  • Analyze: This menu contains items to manipulate display filters, enable or disable the dissection of protocols, configure user specified decodes and follow a TCP stream. This is where you can bring up your saved filters, apply them, and even prepare a filter. You can also use the “Find Packet” item to easily find packets you have captured using a filter. You can also enable/disable protocols here. You can also follow specific TCP, UDP, and SSL streams, that is, it displays all the segments that are on the same connection.
  • Statistics: The menu items to display various statistic windows, including summary or the packets that have been captured, display protocl hierarchy stats, and much more. It allows you to also display a list of captured conversations, HTTP request/response stats, IP addresses, IP destinations, protocol types, WLAN traffic, etc.
  • Telephony: This menu contains items to display various telephony related statistic windows, including media analysis, flow diagrams, display protocol hierarchy stats, and much more. Ex: you can display LTE traffic if possible.
  • Wireless: The items in this menu show Bluetooth and IEEE 802.11 statistics.
  • Tools: his menu contains various tools available in Wireshark, such as creating Firewall ACL rules.
  • Help: Brings up the Wireshark user’s guide manual.

As you might’ve noticed earlier, Wireshark also has a bunch of toolbar options under the menu. Most of these are already self-explanatory based on their icon picture, but if you’re unsure, you can scroll over the icon for its name or refer to the table below.

This slideshow requires JavaScript.

Capturing Network Traffic

Capturing your own network traffic will be the easiest thing you can do regardless of the type of network you are on. Open Wireshark to open the main window. You’ll see a list of network interfaces to choose from (e.g., Ethernet, Npcap Loopback adapter, VMware Network Adapter, Wi-Fi, etc.). You’ll see which interface has more activity by a line graph displayed to the right of the interface. For me, that would be my wireless network interface card (Wi-Fi).

Wireshark capture 1.pngIf you want a broader overview of the interfaces, you can navigate to Capture > Options. Here, you can enable Promiscuous Mode or Monitor Mode (if available). You can also specify an output capture file to save the contents of your packet capture in once you are finished. This is located under the “Output” tab. You can save files in pcap-ng or pcap format. Under the “Options” tab, you can enable or disable certain display and name resolution options.

This slideshow requires JavaScript.

After you’re finished, close the “Capture Interfaces” box and start the packet capture by double-clicking on the interface you wish to capture traffic on or click the Wireshark capture icon on the toolbar.

Working With Captured Traffic

After you’ve captured network traffic, you can right click any column in the Packet List or Packet Details pane to bring up a pop-up menu. Here, you can display the list of packets in ascending or descending order, set their alignment, change the column preferences, rename the column, hide the column, and so on.

This slideshow requires JavaScript.

If you do the same thing for the Packet Details pane, you can see additional information. For instance, you can mark the packet if you find it interesting or suspicious, throw the packet out (ignore), resolve any names, apply a filter, prepare a filter, follow the TCP stream, and more.

This slideshow requires JavaScript.

Applying Filters

You can apply filters in real-time during the packet capture in order to filter out the particular traffic you are interested in, for example, maybe DNS or DHCP. Or, after the packet capture is finished, you can apply display filters to locate the specific information you are searching for. For example, if you’re only interested in finding tcp traffic, simply type “tcp” in the Filter: field.

wireshark tcp fiter.png

It’s not all that easy though. For example, if you wanted to filter out the packet capture to display the IP address of the particular system you are interested in, you wouldn’t type just the IP address. Instead, you’d have to use a specific operator, which in this case, is ip.addr ==. Therefore, the full string in the Filter bar would be ip.addr == [the IP address you’re interested in].

The filtering options get trickier the more specific you get. For instance, the filter ip.proto == 6 && tcp.flags == 2 is a filter to locate SYN Stealth scans on your network. The ip.proto == 6 means TCP because TCP’s assigned protocol number is 6. The && just means “and.” There are many tcp flags (e.g., SYN, ACK, FIN, RST, etc.). In this case, we put a “2” to represent the decimal value of a SYN flag. This filter therefore looks for TCP streams where only a SYN packet was sent and nothing else, indicative of a SYN stealth scan.

I don’t think there’s anyone out there who knows how to fluently write any filter on-the-fly. Once you regularly apply filters, they stick in your head. If you have trouble, the operators and expressions below can help you.

This slideshow requires JavaScript.

Extra Topics

Wireshark allows the user to use more advanced features. For example, if you want to make sense of a data stream, you could select a tcp packet in the packet list pane and then select Follow TCP Stream. This would open a new window with the entire TCP stream laid out. The image below shows a TCP stream, which is just a normal web exchange from source to destination. But, you could use it to find additional information, like cookies or passwords.

Wireshark web exchange.png

You also might be wondering what all the colors mean. Wireshark will display specific colors for specific forms of traffic. For example, http is green and udp is a light blue. You can change these colors if you wish, but the default color coding scheme is displayed below.

Wireshark colors

You can see what your coloring scheme is by going to View > Coloring Rules.

Conclusion

This is what I believe to be the most basic information beginners need to get started using Wireshark. As always, I think the best way to understand tools like these is to simply open them up and play around on your own network. When you find something you don’t understand, simply refer to the user’s guide. There are also plenty of other resources online, such as more advanced tutorials should you feel you want a more in-depth experience.

 

References

https://www.wireshark.org/docs/wsug_html_chunked/

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: