Today's networks are complex, and many times, when faced with issues, the only way you can solve the problem is if you can see the problem. For that very reason, packet analysis, using tools such as Wireshark, has been around for many years. In addition to manually conducting packet analysis using Wireshark, today's devices incorporate the ability to pull data from the network and examine its contents. This function helps the network administrator to troubleshoot, test, baseline, and monitor the network for threats.
This chapter will help you to recognize the many benefits of using Wireshark for packet analysis. You'll learn about its history as an exceptional open source software product, which includes many rich features. You'll discover how various groups can benefit from using packet analysis, such as network administrators, students, and security analysts. In addition, we'll cover the many places in which to conduct packet analysis, including on a Local Area Network (LAN), on a host, or in the real world. Finally, you'll learn how Wireshark has the ability to decode hundreds of different protocols and is constantly being improved, making it the optimal tool for monitoring the network.
In this chapter, we will address all of this by covering the following topics:
- Reviewing packet analysis
- Recognizing who benefits from using packet analysis
- Identifying where to use packet analysis
- Outlining when to use packet analysis
- Getting to know Wireshark
Reviewing packet analysis
Packet analysis examines packets to understand the characteristics and structure of the traffic flow, either during a live capture or by using a previously captured file. The analyst can complete packet analysis by either studying one packet at a time or as a complete capture.
When monitoring the network for analysis, we capture traffic using specialized software such as Wireshark or tshark. Once the data is captured and saved, the software stores it in a file that is commonly called a packet capture or PCAP file.
- Network administrators: Use packet analysis to gain information about current network conditions.
- Security analysts: Use packet analysis to determine whether there is anything unusual or suspicious about the traffic when carrying out a forensic investigation.
- Students: Use packet analysis as a learning tool to better understand the workings of different protocols.
- Hackers: Use packet analysis to sniff network traffic while conducting footprinting and reconnaissance in order to gain valuable information about the network.
We use packet analysis in many places, including on a LAN, on a host, or in the real world. Additionally, we use packet analysis when troubleshooting latency issues, testing Internet of Things (IoT) devices, and as a tool when baselining the network.
Today, packet analysis using Wireshark is a valuable skill. However, analyzing packets has been around in the networking world for many years. As early as the 1990s, various tools enabled analysts to carry out packet analysis on the network to troubleshoot errors and to monitor server behavior. In the next section, we'll examine some of the early tools used to monitor network activity.
Exploring early packet sniffers
Packet analysis has been around in some form for over 20 years, as a diagnostic tool, to observe data and other information traveling across the network. Packet analysis is also referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured traffic as it traveled across the network. In the 1990s, Novell, a software company, developed the Novell LANalyzer, which had a graphical UI and dashboard to examine network traffic. Concurrently, Microsoft introduced its Network Monitor.
Most packet analyzers work in a similar manner. They capture data and then decode the raw bits in the field values according to the appropriate Request for Comment (RFC) or other specifications. Once done, the data is presented in a meaningful fashion.
Packet analysis tools range in appearance and functionality, as follows:
- They provide simple text-based analysis, such as terminal-based Wireshark (tshark).
- They deliver a rich graphical UI with advanced artificial intelligence (AI)-based expert systems that guide the analyst through a more targeted evaluation.
In the next section, we'll take a look at the various devices that use packet analysis today.
Evaluating devices that use packet analysis
Packet analysis and traffic sniffing are used by many devices on the network, including routers, switches, and firewall appliances. As data flows across the network, the devices gather and interpret the packet's raw bits and examine the field values in each packet to decide on what action should be taken.
Devices examine network traffic in the following manner:
- A router captures the traffic and examines the IP header to determine where to send the traffic, as part of the routing process.
- An IDS examines the traffic and alerts the network administrator if there is any unusual or suspicious behavior.
- A firewall monitors all traffic and will drop any packets that are not in line with the Access Control List (ACL).
For example, when data passes through a firewall, the device examines the traffic and determines whether to allow or deny the packets according to the ACL.
Using an ACL
- Allow outbound SYN packets. The destination port is
- Allow inbound SYN-ACK packets. The source port is
To decide whether to allow or deny a packet, the firewall must check each header as it passes through the device. It will determine variables such as IP addresses, Transmission Control Protocol (TCP) flags, and port numbers that are in use. If the packet does not meet an ACL entry, the firewall will drop the packet. As shown in the following diagram, an inbound SYN packet with a destination port of 80 is blocked because it does not match the rule:
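The following is an added example, not code from the book, that models the two-entry ACL described above as a stateless rule walk: each entry is checked against the packet's direction, TCP flags, and ports, the first match decides, and anything left over is dropped. The rule port 80 is an assumption taken from the diagram's blocked inbound SYN, and the sample addresses are constructed RFC 5737 documentation addresses.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless firewall inspects before deciding."""
    direction: str          # "in" (toward the LAN) or "out" (leaving the LAN)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str]   # TCP flags that are set, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None for a port means 'any port'."""
    direction: str
    flags: FrozenSet[str]
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.direction == self.direction
            and pkt.flags == self.flags   # the exact flag combination must match
            and (self.src_port is None or pkt.src_port == self.src_port)
            and (self.dst_port is None or pkt.dst_port == self.dst_port)
        )


# The two-entry ACL from the text. Port 80 is an assumption taken from the
# page's diagram (the blocked inbound SYN has destination port 80).
ACL: List[Rule] = [
    Rule(direction="out", flags=frozenset({"SYN"}), dst_port=80),        # client opens to web server
    Rule(direction="in", flags=frozenset({"SYN", "ACK"}), src_port=80),  # server's handshake reply
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching entry decides.

    A packet that matches no entry is dropped (implicit deny), which is
    why an unsolicited inbound SYN never gets through this list.
    """
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    Packet("out", "192.0.2.10", "198.51.100.7", 51000, 80, frozenset({"SYN"})),         # allowed by entry 0
    Packet("in", "198.51.100.7", "192.0.2.10", 80, 51000, frozenset({"SYN", "ACK"})),   # allowed by entry 1
    Packet("in", "203.0.113.9", "192.0.2.10", 40000, 80, frozenset({"SYN"})),           # inbound SYN: dropped
    Packet("in", "198.51.100.7", "192.0.2.10", 443, 51000, frozenset({"SYN", "ACK"})),  # wrong source port: dropped
]


def demo() -> List[Tuple[str, Optional[int]]]:
    """Decision and matching entry index for every sample packet."""
    return [evaluate(ACL, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE_PACKETS, demo()):
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"{'+'.join(sorted(pkt.flags))}: {action} ({where})")
```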
As you can see, packet sniffing and analysis have been influential for many years as elements of managing networks. However, the first step of analysis is to capture traffic, which we will explore next.
Capturing network traffic
On today's networks, a Network Interface Card (NIC) will only monitor traffic that is addressed to that host. However, we can put the card into a state called promiscuous mode, which will allow the adapter to gather all the traffic that is on the network. Therefore, to capture and monitor all network traffic, the NIC must be in promiscuous mode.
On a Windows machine, you can check to see whether the interface card is in promiscuous mode by running the following command in PowerShell:
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Admin> Get-NetAdapter | Format-List -Property PromiscuousMode

PromiscuousMode : False
We use packet analysis to understand the characteristics of the traffic flow. Although you can conduct packet analysis during a live capture, it's common to capture traffic and save it for further analysis. Common steps to capture packets for analysis include the following:
- Install Wireshark and the appropriate packet capture engine.
- Launch Wireshark and select the capture options.
- Start the capture and run until you capture 2,000–3,000 packets.
- Stop the capture and save the trace file in the appropriate format.
- Analyze the capture by studying one packet at a time, or as a complete capture.
In some cases, you might need to send a packet capture to the corporate or security analyst for further analysis.
Wireshark allows us to capture, display, and filter data live from a single or multiple network interface(s). In addition, you can examine pre-captured packets, search with granular details, and follow the data stream. As a result, packet analysis is advantageous as it helps you to understand the nature of the network. The following section outlines the many different individuals who can benefit from using Wireshark for packet analysis.
Recognizing who benefits from using packet analysis
Nearly everyone can benefit from using packet analysis, including developers, network administrators, students, and security analysts. Let's look at each group and explore the benefits that can be reaped through packet analysis. We'll start with developers, as they can see how their program responds to requests on the network in real time.
Application performance issues can affect the bottom line, especially in a mission-critical situation. Developers diligently strive to produce elegant and efficient software. Prior to releasing an application, developers run functional and regression tests, along with stressing the server to ensure an optimized application.
Typically, developers test applications in a perfect environment, with high bandwidth and low latency. However, once the application moves from the local (or test) environment to the production network, clients may complain about the slow response times. The programmers will carefully check the application; however, on many occasions, they are unable to find anything unusual.
The developer must determine the reasons for the slow response times. Once further testing determines that it is not the application that is causing the issue, a packet analysis tool such as Wireshark can assist the developer.
By using packet analysis, the developer can uncover common problems in transmissions and help determine the root cause of the delayed response times. Problems such as delayed round-trip time and signs of congestion within an organization can occur in a network and impact response time.
Simply optimizing an application is not enough. All development life cycles should include checking what is happening on the network, as issues can affect overall performance.
In addition to developers, network administrators commonly use Wireshark to troubleshoot the network, as we will see next.
Helping network administrators monitor the network
Network administrators use packet analysis to gain information about current network conditions. Wireshark can help identify errors and/or problems on the network that might require device tuning and/or replacement to improve overall performance.
A powerful feature in Wireshark is the ability to quickly detect issues in the capture. The network administrator can use both the expert system and the intelligent scroll bar, which color codes potential problems and helps with analysis, as we'll see in the next section.
Expert system and intelligent scroll bar
Wireshark allows us to visualize issues while performing an analysis. The expert system categorizes various traffic conditions. It has a color code for each level that allows for easy identification of the general workflow and possible critical events:
- Chat color (blue): It provides information about typical workflows, such as a TCP window update or connection finish.
- Note color (cyan): It indicates items of interest, such as duplicate acknowledgments and TCP keepalive segments.
- Warn color (yellow): It indicates a warning, such as a TCP zero window or connection reset.
- Error color (red): It is the highest level as there might be a serious problem, such as a retransmission or a malformed packet.
Wireshark also has an intelligent scroll bar, which provides a visual to detect issues. In the preceding screenshot, we can see a distinct coloring pattern on the right-hand side based on the coloring rules set in the application.
With the intelligent scroll bar, the administrator can easily click on a color band to zero in on a possible problem. Bear in mind that the intelligent scroll bar is only visible if the coloring rules are active; however, coloring rules are on by default.
Once any problems have been identified, you can subset traffic, add comments, save, and export the packet captures.
Subsetting traffic, commenting, saving, and exporting
There are times when the network administrator might only want to share a small subset of traffic with other members of the team. Wireshark can subset large captures so that you can focus on the problem areas.
For example, in addition to data, a large packet capture will most likely have several different types of traffic, such as management and 802.11 control frames. You can easily apply a filter using the ...and not selected option to exclude packets that are not relevant to the analysis.
Once you have created a smaller file, you can export the specified packets and save them in a wide variety of formats. Formats include the default PCAPNG, along with PCAP, Sun Snoop, DMP, and more.
- Select the comments icon that looks like a pad and pencil in the lower-left corner to add a comment for a single packet.
- Navigate to the Edit | Packet comment menu choice to add a comment for a single packet.
- Navigate to the Statistics | Capture file properties menu choice and include comments for an entire packet capture in the comment area at the bottom of the window.
If you do add comments, then you must save the file in PCAPNG format, as not all file formats support the use of comments.
In addition to network administrators, students will gain valuable insight into what is actually happening on the network by using Wireshark to examine the headers and field values of the protocols.
Educating students on protocols
Students can use packet analysis as a learning tool to better understand protocols. For example, when reviewing the Dynamic Host Configuration Protocol (DHCP), a textbook will display the four stages of the process: Discover, Offer, Request, and Acknowledge (DORA). Take a look at the following diagram:
While the preceding diagram displays each part of the four-part transaction, it does not show the details of each packet in the exchange.
In the following screenshot, we can see an actual DHCP transaction in Wireshark. In addition to this, the student can see the specifics of each exchange, including the transport protocol, the IP, the Media Access Control (MAC) addresses, and the DHCP header flags:
By learning the normal behavior and purposes of common protocols, students will be able to troubleshoot any problems that might occur in the future.
As you can see, packet analysis has many benefits for many people. Because of the ability to really examine what is happening on the network, another key group that uses packet analysis is security analysts.
Alerting security analysts to threats
- Determine whether there is anything unusual or suspicious about the traffic.
- Discover what transpired on the network when completing a forensic investigation.
Wireshark can help the security analyst better understand specific types of attacks so that they can craft firewall rules. To hone security analysis skills, the analyst can discover and download many PCAPs on various repositories. The Honeynet project, which is located at https://www.honeynet.org, is a great place to start. Navigate to the section on CHALLENGES, which offers many examples of forensic exercises to review and learn about many common threats found on today's networks.
Once you are on the CHALLENGES page, search for Challenge 12 - Hiding in Plain Sight, and read the details regarding the challenge. Then, to strengthen your analysis skills, download the files found at the bottom of the page and work through the questions. The answers can also be found at the bottom of the page, along with other files of interest.
Security analysts feel that Wireshark is a valuable tool as it provides insight into what is happening on the network. Because it offers so much insight into what is happening on the network, Wireshark is also used by hackers for reconnaissance in order to gather and analyze traffic. This often happens prior to an attack or during an active attack, which we will discuss next.
Arming hackers with information
When used as a precursor to an attack, hackers gather information during reconnaissance, which is also called footprinting. Let's take a look at a couple of ways in which hackers use Wireshark as part of a passive attack.
Outlining passive attacks
- Footprinting and reconnaissance: As a precursor to an active attack, malicious actors capture traffic to gather as much information about the target as possible. In addition to this, Wireshark can be used to gather additional information such as IP and MAC addresses, open ports and services, and possible defense methods that are in place.
- Sniffing plain text: Another use of packet sniffing is looking for passwords that are sent in plain text. In addition, protocols such as SNMP, HTTP, FTP, Telnet, and VoIP that are sent in plain text are susceptible to packet sniffers. Once captured, the protocol can expose information about the network and/or system(s).
An organization can defend against unauthorized packet sniffing in a couple of ways. There is anti-sniffer software that can detect sniffers on the network. However, one of the best ways to prevent data exposure is to use encryption. If someone captures the traffic, then the encrypted data will appear meaningless.
Understanding active attacks
Malicious actors launch many different types of attacks on the network, such as Denial of Service (DoS), phishing, or Structured Query Language (SQL) injection attacks. Next, let's take a look at another type of attack: an ARP cache poison attack.
Poisoning the cache
ARP cache poisoning, also known as ARP spoofing, is used in a Man-in-the-Middle (MitM) attack. In order to understand why this is an effective attack, let's walk through the normal use of ARP on a LAN.
On a LAN, hosts are identified by their MAC (or physical) addresses. In order to communicate with the correct host, each device keeps track of all LAN hosts' MAC addresses in an ARP or MAC address table, also known as an ARP cache table.
Entries in the ARP or MAC address table will time out after a while. Under normal circumstances, when a device needs to communicate with another device on the network, it needs that device's MAC address. First, the device will check the ARP cache and, if there is no entry in the table, the device will send an ARP request broadcast out to all hosts on the network.
The ARP reply is a response that holds information on the host's IP address and the requested MAC address. Once received, the ARP cache is updated to reflect the MAC address.
In an ARP spoofing attack, a malicious actor will do the following:
- Send an unsolicited ARP reply message that contains a spoofed MAC address for the attacker's machine to all hosts on the LAN.
- After the ARP reply is received, all devices on the LAN will update their ARP (or MAC address) tables with the incorrect MAC address. This effectively poisons the cache on the end devices.
- Once the ARP tables are poisoned, this will allow an intruder to impersonate another host to gain access to sensitive information.
In the following diagram, a bogus ARP reply was sent by the malicious actor, which then poisoned the cache in all of the network devices. All hosts on the network now think that 10.40.10.103 is at 46:89:FF:4C:57:BB, instead of 00:80:68:B4:87:EF, and will go to the attacker with the spoofed MAC address:
The malicious actor will then use active sniffing to gather the misdirected traffic in an attempt to obtain sensitive information. In most cases, the traffic sent to the malicious actor is forwarded to the victim, who has no idea that anything is amiss.
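The following is an added example, not code from the book, showing how a defender can spot the poisoning described above from the wire: it decodes ARP replies out of raw Ethernet frames, trusts the first IP-to-MAC binding it sees, and flags the symptoms of the attack, namely a reply pushed to the broadcast address, an IP whose MAC changes, and one MAC claiming several IPs. The victim and attacker values are those from the diagram; the gateway address and MAC are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpReply:
    eth_dst: str      # Ethernet destination of the frame carrying the reply
    sender_ip: str    # "sender_ip is at sender_mac" is the binding receivers cache
    sender_mac: str
    target_ip: str
    target_mac: str


def build_arp_reply(eth_dst: str, sender_ip: str, sender_mac: str,
                    target_ip: str, target_mac: str) -> bytes:
    """Construct an Ethernet II frame carrying an IPv4 ARP reply (sample data only)."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)  # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Decode the Ethernet and ARP headers; None for anything that is not an IPv4 ARP reply."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    header = struct.unpack("!HHBBH", frame[14:22])  # htype, ptype, hlen, plen, oper
    if header != (1, 0x0800, 6, 4, ARP_OP_REPLY):
        return None
    return ArpReply(
        eth_dst=bytes_to_mac(frame[0:6]),
        sender_mac=bytes_to_mac(frame[22:28]), sender_ip=bytes_to_ip(frame[28:32]),
        target_mac=bytes_to_mac(frame[32:38]), target_ip=bytes_to_ip(frame[38:42]),
    )


class ArpWatcher:
    """Passive monitor: trusts the first IP-to-MAC binding seen and flags later changes."""

    def __init__(self) -> None:
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = {}

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        reply = parse_arp_reply(frame)
        if reply is None:
            return alerts
        # A reply normally goes unicast to the host that asked; one pushed to every host is unsolicited.
        if reply.eth_dst == BROADCAST_MAC:
            alerts.append(f"unsolicited: broadcast ARP reply claims {reply.sender_ip} is at {reply.sender_mac}")
        known = self.ip_to_mac.setdefault(reply.sender_ip, reply.sender_mac)
        if known != reply.sender_mac:
            alerts.append(f"conflict: {reply.sender_ip} was {known}, reply now says {reply.sender_mac}")
        claimed = self.mac_to_ips.setdefault(reply.sender_mac, set())
        claimed.add(reply.sender_ip)
        if len(claimed) > 1:
            alerts.append(f"suspicious: {reply.sender_mac} claims several IPs {sorted(claimed)}")
        return alerts


# Constructed frames reproducing the page's scenario. Victim and attacker values come
# from the diagram; the gateway IP and MAC are assumed for the example.
VICTIM_IP, VICTIM_MAC = "10.40.10.103", "00:80:68:B4:87:EF"
GATEWAY_IP, GATEWAY_MAC = "10.40.10.1", "00:1A:2B:3C:4D:5E"
ATTACKER_MAC = "46:89:FF:4C:57:BB"

FRAMES = [
    build_arp_reply(VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC),   # normal: gateway answers victim
    build_arp_reply(GATEWAY_MAC, VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC),  # normal: victim answers gateway
    build_arp_reply(BROADCAST_MAC, VICTIM_IP, ATTACKER_MAC, "0.0.0.0", "00:00:00:00:00:00"),  # poison, to all
    build_arp_reply(VICTIM_MAC, GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),  # poison: gateway IP at attacker
    b"\x00" * 14 + b"\x45",  # non-ARP frame, ignored by the watcher
]


def run_detection(frames: List[bytes]) -> List[List[str]]:
    """Feed frames through one watcher and return the alerts raised per frame."""
    watcher = ArpWatcher()
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_detection(FRAMES)):
        print(f"frame {i}: {alerts or 'ok'}")
```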
Now we have seen the many individuals who can benefit from using packet analysis. In the next section, we will examine where packet analysis is most effective.
Identifying where to use packet analysis
To conduct an effective packet analysis, the first step is to get a good capture. There are many places in which to conduct packet analysis, including on a LAN, on a host, or in the real world. Let's start with using packet analysis on a LAN.
Analyzing traffic on a LAN
Most LANs are heterogeneous, with various operating systems such as Windows, Linux, and macOS, along with a mixture of devices such as softphones, tablets, laptops, and mobile devices. Depending on the business requirements, the network might include wide area network connectivity along with telephony.
To effectively use packet analysis, placement is the key. Not all traffic is created equally. Depending on placement, you might only capture a portion of the total network traffic. If the packet sniffer is on a host or end device, then it will be able to see the traffic on the segment's collision domain. If the sniffer is mirroring all traffic on a backbone, then it will be able to see all the traffic.
In certain instances, you might need to perform packet analysis on an individual host, such as a PC, to only monitor traffic destined to that host. In other cases, you might need to gather traffic on a switch to see the traffic as it passes through the switch ports.
Sniffing network traffic
- If the protocol analyzer is installed on a client device attached to a switch, then the view of network traffic is limited. While sniffing traffic on a single switch port, you will only see broadcasts, multicasts, and your own unicast traffic.
- To see all the traffic on a switch, the network administrator can use port monitoring or Switched Port Analyzer (SPAN). In some cases, you may be able to monitor within the switch, as Wireshark is built into the Cisco Nexus 7000 series and many other devices.
- Another option is to use a full-duplex tap in line with traffic. The tap makes a copy or mirror of the traffic, which is pulled into the device for analysis. If this option is used, then you might require a special adapter.
In addition to using packet analysis on a LAN or a host, packet analysis can be used in the real world to monitor traffic for threats.
Using packet analysis in the real world
Packet analysis is used in the real world in many forms. One example is the Department of Homeland Security (DHS) EINSTEIN system, which has an active role in federal government cybersecurity. The United States government is constantly at risk of many types of attacks, including DoS attacks, malware, unauthorized access, and active scanning and probing.
The EINSTEIN system actively monitors the traffic for threats. Its two main functions are as follows:
- To observe and report possible cyber threats
- To detect and block attacks from compromising federal agencies
The EINSTEIN system provides the situational awareness that is necessary to take a proactive approach against an active attack. The intelligence gathered helps agencies to defend against ongoing threats.
As illustrated, packet analysis is effective in many locations. The following section provides guidance on the circumstances under which packet analysis reaps the most benefit.
Outlining when to use packet analysis
We use packet analysis in many ways. We can troubleshoot latency issues, test IoT devices, monitor for threats, and baseline the network. Let's evaluate some of this activity, starting with troubleshooting, which is a common use of packet analysis.
Troubleshooting latency issues
Wireshark can be a valuable asset when troubleshooting issues on the network. There are many built-in tools designed to gather and report network statistics. We can analyze network problems and monitor bandwidth usage per application and process. The information gathered can help identify choke points and maintain efficient network data transmission.
Protocol analysis enables the network administrator to monitor the traffic on the network, unearthing problems that determine where performance can be fine-tuned. For example, if you suspect latency, you can obtain a capture in the area where you suspect trouble, and then run a Stevens graph, as shown in the following screenshot:
Once the graph is complete, you can examine details that can highlight errors in the communication stream. For example, along the top of the graph, we see a straight line that continues for approximately four (4) seconds. The line represents a gap in transmission and may warrant further investigation.
In addition to troubleshooting the network, many are discovering how Wireshark can be a valuable asset in testing IoT devices prior to their implementation in an organization.
Testing IoT devices
The IoT is a ubiquitous transformation of intelligent devices embedded in everyday objects that connect to the internet, enabling them to send and receive data. The IoT has several components: people, infrastructure, things, processes, and data. IoT has become a billion-dollar industry as consumers, along with industries, are seeing the benefits.
Even with all of the benefits, prior to connecting an IoT device to the network, it's best to run some tests. Using Wireshark can help you see what happens when you plug the device into the network. The following is a list of questions that Wireshark can help determine:
- How do the devices communicate once they are active? Do they phone home without being prompted?
- What information do they communicate? Are the username and password sent in plain text?
The only way you can understand the behavior of these devices is by plugging one in, capturing the data exchange, and analyzing the packet capture. The information obtained can provide valuable insights into the vulnerabilities of IoT devices.
Along with troubleshooting and testing, Wireshark can be instrumental in proactive threat assessment.
Monitoring for threats
- Proactive: Monitoring your systems and preventing threats by using a device such as an IDS.
- Active: Actively seeking threats by conducting packet analysis and monitoring log files.
- Reactive: A system has fallen victim to an attack and the incident response team manages the attack, followed by a forensic exercise.
Wireshark can help the security analyst take an active role in monitoring for threats. While Wireshark does not provide any alerts, it can be used in conjunction with an IDS to investigate possible malicious network activity.
For example, while using snort (an open source IDS), the sensor produced the following alert, which could be an indication of malicious activity on the protected network:
DELETED WEB-MISC text/html content-type without HTML – possible malware C&C (Detection of a non-standard protocol or event) 
This alert indicates that an infected host might be communicating with an external entity and sending information gathered on the network to a botmaster. The security analyst should take immediate action by running a capture in different segments of the network to identify and mitigate the threat.
Industries also see the value in using Wireshark for threat monitoring. For example, in the Cisco Certified CyberOps Associate certification prep course, students learn how to observe and monitor for unusual traffic patterns using Wireshark, as they hone their skills in preparing to work alongside cybersecurity analysts within a Security Operations Center (SOC).
In order to determine what traffic is unusual, or to properly troubleshoot the network, you must be able to determine what constitutes normal network activity. This is achieved by conducting a baseline, as outlined in the following section.
Baselining the network
A network baseline is a set of parameters that define normal activity. The baseline provides a snapshot of network traffic during a window of time using Wireshark or tshark. Key characteristics for a baseline can include utilization, network protocols, effective throughput, forwarding rates, and network latency. The network team can use the baseline for forecasting and planning, along with optimization, tuning, and troubleshooting.
The baseline process goes through several stages: plan, capture, save, and analyze. Once the baseline is complete, the network analyst can review the captured data in order to assess general performance for end-to-end communications. Baselining the network helps to gain valuable information regarding the health of the network, and possibly identify current network problems. In addition to this, subsequent baselining exercises can help predict future problems.
Whenever the installation of new equipment is planned, it's best to do a baseline prior to the change. After implementation, do another capture so you can identify possible issues in the traffic flow and then fine-tune the configuration.
As you can see, there are many ways we can use packet analysis to monitor, test, baseline, and troubleshoot. However, because of the ability to obtain sensitive information or as a precursor to an attack, packet analysis should only be done in the following circumstances:
- The network is your own, or you have received explicit permission to conduct packet analysis for security scans.
- It is completed during troubleshooting network connectivity issues.
In addition, consideration should be given to maintain the privacy of the data collected, and have a proper method to obtain, analyze, and retain any packet captures.
As outlined, we now know the many reasons to use packet analysis. Let's summarize by embracing Wireshark, which is one of the most powerful packet analysis tools available today.
Getting to know Wireshark
In the late 1990s, Gerald Combs needed a tool to analyze network problems. Portable sniffers were available at the time, but they were costly. Gerald developed Ethereal with the help of some friends, and this later became Wireshark. It has been around for over 20 years and continues to evolve and improve over time.
Dissectors provide information on how to break down the protocols into the proper format according to the appropriate RFC, or other specifications.
Wireshark can decode hundreds of different protocols. New dissectors are periodically added to the library. In addition, you can decode proprietary and specialty protocols by developing your own dissector.
- Merge packet captures.
- Provide a detailed analysis of VoIP traffic.
- Create basic and advanced I/O graphs.
After using Wireshark for any length of time, you can observe how it can help network administrators to understand traffic flows, troubleshoot performance problems, or conduct a network baseline.
With the variety and amount of data that travels on today's networks, it's easy to understand why packet analysis using Wireshark should be in everyone's skill set. In this chapter, we took a brief look at how packet analysis began in the 1990s with the use of hardware sniffers. Fast forward to today, and we can see that packet analysis is used by nearly every device on the network to gather traffic, examine the contents, and then decide what action to take.
We learned how developers, network administrators, students, and security analysts can all benefit from using packet analysis. We examined the many places where we conduct packet analysis: on a LAN, on a host, and in the real world. In addition to this, we discovered how packet analysis has a variety of uses within today's networks, including troubleshooting, testing IoT devices, monitoring threats, and baselining. We can now appreciate how Wireshark is an exceptional open source software product that includes rich features and a variety of tools available to easily solve problems and analyze network traffic.
In the next chapter, we'll examine the Wireshark interface and review the phases of packet analysis. We'll also review the built-in Command-Line Interface (CLI) tools, such as editcap. Additionally, because Wireshark can be resource-intensive, we will learn how tshark (or terminal-based Wireshark) can provide a lightweight alternative to Wireshark.
Now it's time to check your knowledge. Select the best response and then check your answers, which can be found in the Assessments appendix:
- Packet analysis has been around in some form since the _____ as a diagnostic tool to observe data and other information traveling across the network.
- Packet analysis is used in the real world in many forms. One is the DHS _____ system, which monitors for threats.
- In the expert system, _____ provides information about typical workflows such as TCP window updates or connection finishes.
- A ____ provides a snapshot of network traffic during a window of time using Wireshark or tshark. Characteristics can include utilization, network protocols, effective throughput, and forwarding rates.
- Monitoring for threats occurs in one of three ways. _____ is when a system has fallen victim to an attack and the incident response team manages the attack, followed by a forensic exercise.
- When testing _____ using Wireshark, you will be able to determine how they communicate once active and see whether they phone home without being prompted.
- Expert systems
- IoT devices
- When obtaining an IP address, DHCP will go through a four-part transaction called the _____.
- Round Robin
- DORA process