A Guide to Analyzing Network Traffic with Wireshark
1. What is Wireshark?
Program logo
Wireshark is a popular tool for capturing and analyzing network traffic, used both for teaching and for troubleshooting computer and network problems. Wireshark supports virtually all OSI protocols, has a user-friendly interface, and a convenient data filtering system. Furthermore, the program is cross-platform and supports the following operating systems: Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and OpenBSD.
In this guide, we'll explore the basic functionality of Wireshark, relate it to the OSI model, learn how to analyze network traffic, and secure your online presence.
2. How to install Wireshark?
First, we need to download and install Wireshark. Since the program is distributed under the GNU GPL v2 license (meaning it can be freely redistributed), any released version is easy to find. In this guide, we'll use an earlier version (1.12.3), because it has the SSL protocol dissector used in Chapter 6 built in, which simplifies setup. The installer can be found on the official website. The rest of the installation is simple: click "Next" - "Next" - "Next".
Installing the program
After successful installation, a Wireshark shortcut will appear on your desktop. Let's begin exploring its functionality!
Program shortcut on the desktop
3. How to use Wireshark?
One of the program's key capabilities is network traffic capture. Therefore, to begin, you need to learn how to capture your network traffic. Let's launch the program! We're immediately greeted by the start menu, which displays the computer interfaces available for capture, developer guides, and many other interesting features.
Start menu
From all of this, we need to pay attention to this area of the program.
Network interface traffic capture area
Here you need to select the network interface through which you are connected to the Internet.
A network interface is software that interacts with the network driver and the IP layer. It provides the IP layer with access to all available network adapters, whose traffic we'll be capturing. The most common network interfaces found in Wireshark are wireless (Wi-Fi) and cable (Ethernet).
The guide uses Wi-Fi, so we'll capture "Wireless Network" and then click "Start."
If you have selected the correct interface, you will be able to see the following.
Overview of the start of traffic capture
Let's take a closer look at this window, taking into account the points listed on it:
1. The filter panel lets you find the information you need. More information is available in Chapter 5 of the guide.
2. The name panel, which divides the information from point 3 into columns: the packet number, the time since the start of the capture, the source and destination, the protocol used, the packet size and brief information about the network packet.
3. The real-time packet panel. Here, packet information is divided into the columns defined in the name panel.
4. The layers panel describes the OSI model layers of the selected network packet.
5. The metadata panel presents the packet's bytes in hexadecimal and as characters.
Now you can start analyzing network traffic.
4. How to find hidden information?
Before beginning traffic analysis, it's essential to have a basic understanding of the OSI network model protocols. A simple Wikipedia article is sufficient. Many programs use the HTTP protocol to transfer information, allowing them to retrieve various resources from the internet and send data back. Let's look at one of the packets transmitted via HTTP.
HTTP Packet Overview
The HTTP protocol uses GET (designed to receive data) and POST (designed to send data) requests to transfer data.
In the figure, field 1 shows the recipient's IP address (in this case, my computer's address). Field 2 shows that the antivirus server sent a GET request to request some information about my computer. This is necessary for the program to update correctly. And field 3 shows what this request looks like as a URL (Internet link).
A little homework!
To reinforce the material, try to analyze any HTTP protocol packet on your computer and try to explain why it was sent.
5. How to find the necessary packets among all the packets?
While completing your homework, you might have encountered problems finding the packet you needed. Wireshark has a solution for this: filtering! You can enter the necessary commands or use the prompts in the dedicated "Filter" field.
Filter Field Overview
The most commonly used filtering methods are IP addresses, port numbers, and protocols. Let's look at how this works.
IP address filtering allows us to view all packets coming from or going to someone. For example, let's filter all packets coming from IP address 10.1.30.46 by entering "ip.src == xxxx" in the filter.
Overview of the "ip.src" command
You can also filter network traffic by the packets' destination IP address using the "ip.dst == xxxx" command.
Overview of the "ip.dst" command
Additionally, you can see packets regardless of traffic direction using "ip.addr == xxxx".
Overview of the "ip.addr" command
To filter by port number, use ".port == x" after the protocol name. For example, to view TCP port 80, used for unencrypted HTTP traffic, use the command "tcp.port == 80".
Overview of the "tcp.port" command
And finally, to filter traffic by the protocols used by the packets, you simply need to enter the protocol name.
Please note that filters can be combined using the logical operators AND ("and" or "&&"), OR ("or" or "||") and NOT ("not" or "!").
Overview of logical operators
Homework again!
To practice finding the information you need, try looking at the number of packets for a particular protocol and think about why there are so many of them.
6. How to intercept data transmitted over secure communication channels?
Now that we've covered the basic functionality of Wireshark, we can move on to more complex and useful features. Data transmission over the internet is unsafe, especially if it's not protected. Modern browsers use the SSL/TLS protocol, which encrypts information and ensures secure transmission.
Sometimes a user or system administrator needs to check traffic for suspicious activity or to ensure a program is operating correctly. This necessitates decrypting intercepted secure traffic.
First, let's understand how the SSL/TLS protocol works. Before encrypted data can be exchanged, a connection establishment process, also known as a handshake, takes place.
During the handshake phase, the client and server undergo authentication, exchange information about their capabilities, and only then begin to negotiate a shared session key.
There are many key exchange algorithms for performing the handshake over an unsecured communication channel. The choice is made from the list of algorithms the client advertises during the initial stage of the handshake.
The most common session key exchange algorithm is RSA. Let's look at an infographic describing how this algorithm works.
RSA session key exchange algorithm
During the handshake, the client generates a random number, called the pre-master secret, and sends it encrypted with the server's public key. Both parties then convert the pre-master secret into a master secret and derive from it the session keys used for the rest of the exchange.
Now let's try intercepting secure information in Wireshark. We'll perform some preparatory steps, namely, checking the algorithm used to negotiate session keys and configuring the browser. First, we'll find the handshake using the filter by entering "ssl.handshake" and inspect the server message.
Overview of the "ssl.handshake" command
In the "Cipher Suite" field, we see a suite whose name begins with "TLS_RSA". This means the RSA key exchange is in use and we can proceed with the next steps.
Configuring your browser in Windows is quite simple. Open "Computer Properties," then "Advanced System Settings," and select "Environment Variables...".
Configuring your browser in Windows 10
We add a new user variable "SSLKEYLOGFILE" and specify the path to the file where we want the browser to save the session secrets.
Consider the client's response message: it contains the encrypted value of the current session's pre-master secret.
Client response message
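The following Python code is an added example, not part of the original guide, that carries the RSA exchange described above through to what Wireshark actually needs. With the TLS_RSA key exchange, the master secret is derived from the pre-master secret and the two Hello randoms with the TLS 1.2 PRF (RFC 5246, sections 5 and 8.1); the file named by SSLKEYLOGFILE records exactly that master secret, keyed by the ClientHello random, as one CLIENT_RANDOM line per session. The parser shows how a decrypting tool matches the ClientHello random it captured to its line in the log. All key and random values here are constructed for the example.

```python
import hmac
import hashlib

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256 over label || seed (SHA-256 suites)."""
    return p_sha256(secret, label + seed, length)

def derive_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret from the RSA-encrypted pre-master secret."""
    if len(pre_master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("pre-master secret must be 48 bytes, each random 32 bytes")
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def keylog_entry(client_random: bytes, master_secret: bytes) -> str:
    """One line in the NSS key log format that browsers write to SSLKEYLOGFILE."""
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"

def parse_keylog(text: str) -> dict:
    """Map ClientHello.random -> master secret; comments, blank and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            try:
                table[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
            except ValueError:
                continue  # not valid hex; ignore the line
    return table

def lookup_master_secret(keylog_text: str, client_random: bytes):
    """What a decrypting tool does per session: find the secret for the ClientHello.random it saw."""
    return parse_keylog(keylog_text).get(client_random)

# Constructed sample values (not taken from a real capture).
SAMPLE_PRE_MASTER = b"\x03\x03" + bytes(range(46))   # client version (TLS 1.2) + 46 random bytes
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
SAMPLE_MASTER = derive_master_secret(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
SAMPLE_KEYLOG = ("# SSL/TLS secrets log file, generated by a browser\n"
                 + keylog_entry(SAMPLE_CLIENT_RANDOM, SAMPLE_MASTER) + "\n")

if __name__ == "__main__":
    print(SAMPLE_KEYLOG)
    print("decryptable:", lookup_master_secret(SAMPLE_KEYLOG, SAMPLE_CLIENT_RANDOM) is not None)
```

Because the log stores the master secret rather than the server's private key, decryption works for any key exchange the browser negotiates, not only TLS_RSA, and it only covers sessions of the browser that wrote the file.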
Next, let's configure Wireshark. Press Ctrl+Shift+P to open the "Preferences" menu, then expand the "Protocols" branch and select "SSL."
Setting up Wireshark
Verify that the required fields shown in the image are set correctly and click the "Edit" button next to the RSA keys list. In the window that appears, click the "New" button and fill in the following fields: IP Address (the IP address of the SSL server), Port (the port of the SSL server), Protocol (the protocol carried inside SSL; if unknown, use "data"), Key File (the path to the key file; in this guide, the file whose path we specified in Environment Variables), and Password (if the key file is password-protected). Note that the RSA keys list is meant for the server's own private key; the file written by the browser via SSLKEYLOGFILE belongs in the "(Pre)-Master-Secret log filename" field on the same SSL preferences page, which lets Wireshark decrypt the session without the server's private key.
Setting up SSL in Wireshark
Now you can confirm the settings and begin viewing the decrypted traffic. Don't forget to use the filter!
Consolidation of the material covered!
Try connecting to a website's server yourself and see what packets your computer is exchanging with it.
7. What opportunities does capturing secure traffic provide?
Capturing secure traffic offers many possibilities. One of them is intercepting HTTPS requests from users connected to the network. Let's look at how to do this and the results. To begin, repeat the steps from the previous chapter, but specify the address of the desired website as the SSL server's IP address. The HTTP data transfer protocol is often used to transmit passwords. We already discussed its request methods in Chapter 4. To filter HTTP traffic by method, you can use the command "http.request.method == "method name"". Since we want to intercept data sent by the client to the server, we will be examining POST requests. For this, we will apply the filter "http.request.method == "POST"".
Capturing secure traffic
By following these simple steps, we obtained another user's important data. Therefore, it's important to remember that public networks are unsafe and pose a threat even to secure traffic.
A little practice!
Try capturing secure email server traffic and log in using your username and password. Find the POST request and see what's inside. Most likely, the important data will be encrypted. This is how the email service protects your data, but the risk of hacking remains.
8. How can the OSI model be related to the Wireshark program?
Having reviewed all of Wireshark's functionality, we can relate it to the OSI network model. But first, let's review what this model actually is. The OSI model is a layered reference model describing how network protocols and devices communicate with each other. The model defines seven layers of system interaction. Let's look at the OSI model layer table.
| Layer | Data unit | Functions | Examples |
|---|---|---|---|
| 7. Application | Data | Access to network services | HTTP, FTP |
| 6. Presentation | Data | Data presentation and encryption | ASCII, JPEG |
| 5. Session | Data | Communication session management | RPC, PAP |
| 4. Transport | Segments | Direct connection between end points and reliability | TCP, UDP |
| 3. Network | Packets | Route determination and logical addressing | IPv4, IPv6, ICMP |
| 2. Data link | Frames | Physical addressing | Ethernet, ARP |
| 1. Physical | Bits | Working with transmission media, signals and binary data | USB, RJ |
The HTTP protocol in Wireshark has 4 layers according to the OSI model, namely application (Hypertext Transfer Protocol), transport (TCP), network (IPv4) and data link (Ethernet II).
HTTP Protocol Overview
The TCP protocol has 3 layers according to the OSI model, which include transport (TCP), network (IPv4) and data link (Ethernet II).
TCP Protocol Overview
The ICMP protocol generally has only 2 layers according to the OSI model: network (IPv4) and data link (Ethernet II).
ICMP Protocol Overview
Wireshark identifies only five layers of the OSI model: application, transport, network, data link, and physical. Depending on the protocol, different layers may be visible.
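As an added example (not part of the original guide), the following Python script shows what the filters of Chapter 5 and Chapter 7 and the layer view of this chapter do to the bytes on the wire. It builds a small constructed pcap file, dissects each frame into the same layers Wireshark displays (Frame, Ethernet II, IPv4, TCP or ICMP, HTTP), evaluates ip.src, ip.dst, ip.addr, tcp.port, protocol-name and http.request.method filters together with the and/or/not operators as predicate functions, and finally maps each packet's layers onto the OSI names from the table above. The MAC addresses, payloads and the server address 192.0.2.10 (a documentation address) are constructed sample values; 10.1.30.46 is the client address used in the guide.

```python
import struct
import ipaddress

# Constructed sample capture (not a real trace).
def build_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header + an already built layer-4 segment/message."""
    eth = bytes.fromhex("112233445566") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    # Header checksum is left 0: this dissector does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, src, dst)
    return eth + ip + l4

def tcp_segment(sport: int, dport: int, payload: bytes, flags: int = 0x18) -> bytes:
    # Sequence/ack numbers and the TCP checksum are not needed for this dissection.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def build_pcap(frames) -> bytes:
    """Classic pcap: global header (link type 1 = Ethernet) and one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

CLIENT, SERVER = "10.1.30.46", "192.0.2.10"  # client address from the guide; documentation address
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 6, tcp_segment(51234, 80, b"GET /update HTTP/1.1\r\nHost: x\r\n\r\n")),
    build_frame(CLIENT, SERVER, 6, tcp_segment(51235, 80, b"POST /login HTTP/1.1\r\nHost: x\r\n\r\nq=1")),
    build_frame(CLIENT, SERVER, 1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),       # ICMP echo request
    build_frame(SERVER, CLIENT, 6, tcp_segment(443, 51236, b"", flags=0x12)),  # SYN/ACK, no data
])

# Dissection: one dict per packet, one key per protocol layer.
def dissect(frame: bytes) -> dict:
    pkt = {"frame": {"len": len(frame)}}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt["eth"] = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != 0x0800:
        return pkt
    ihl, proto = (frame[14] & 0x0F) * 4, frame[14 + 9]
    pkt["ip"] = {"src": str(ipaddress.IPv4Address(frame[26:30])),
                 "dst": str(ipaddress.IPv4Address(frame[30:34])), "proto": proto}
    l4 = frame[14 + ihl:]
    if proto == 1:
        pkt["icmp"] = {"type": l4[0], "code": l4[1]}
    elif proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt["tcp"] = {"srcport": sport, "dstport": dport, "flags": l4[13]}
        payload = l4[(l4[12] >> 4) * 4:]
        # Like Wireshark, decode port 80 payload as HTTP (request line only here).
        if payload and 80 in (sport, dport):
            words = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
            if len(words) == 3 and words[0] in ("GET", "POST", "HEAD", "PUT", "DELETE"):
                pkt["http"] = {"request.method": words[0], "request.uri": words[1]}
    return pkt

def parse_pcap(data: bytes) -> list:
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        packets.append(dissect(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return packets

PACKETS = parse_pcap(SAMPLE_PCAP)

# Display-filter style predicates (Chapters 5 and 7).
def ip_src(addr):   return lambda p: "ip" in p and p["ip"]["src"] == addr
def ip_dst(addr):   return lambda p: "ip" in p and p["ip"]["dst"] == addr
def ip_addr(addr):  return lambda p: ip_src(addr)(p) or ip_dst(addr)(p)
def tcp_port(port): return lambda p: "tcp" in p and port in (p["tcp"]["srcport"], p["tcp"]["dstport"])
def protocol(name): return lambda p: name in p                 # e.g. "http", "icmp"
def http_method(m): return lambda p: "http" in p and p["http"]["request.method"] == m
def both(a, b):     return lambda p: a(p) and b(p)             # "and" / "&&"
def either(a, b):   return lambda p: a(p) or b(p)              # "or" / "||"
def negate(a):      return lambda p: not a(p)                  # "not" / "!"

def select(packets, predicate) -> list:
    """Packet numbers (1-based, like Wireshark's No. column) that match the filter."""
    return [i + 1 for i, p in enumerate(packets) if predicate(p)]

# Mapping dissected layers onto the OSI model (Chapter 8).
OSI_NAMES = {"frame": "physical", "eth": "data link", "ip": "network",
             "tcp": "transport", "http": "application"}

def osi_layers(pkt: dict) -> list:
    return [OSI_NAMES[k] for k in OSI_NAMES if k in pkt]

if __name__ == "__main__":
    print("ip.src == 10.1.30.46 ->", select(PACKETS, ip_src(CLIENT)))
    print('tcp.port == 80 && http.request.method == "POST" ->',
          select(PACKETS, both(tcp_port(80), http_method("POST"))))
    for n, p in enumerate(PACKETS, 1):
        print(n, osi_layers(p))
```

Running the script lists packets 1-3 for the ip.src filter, packet 2 for the combined POST filter, and five OSI layers for the HTTP packets, four for the bare TCP segment and three for ICMP, matching the layer counts described in this chapter once the Frame line is counted as the physical layer.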