Today's networks are complex, and if there are issues, then, on many occasions, the only way you can solve the problem is if you can see the problem. Packet sniffers such as Wireshark have been around for that very reason for many years. In addition to manually conducting packet analysis using Wireshark, today's devices incorporate the ability to pull data from the network and examine the contents to determine whether the data should be allowed on the network.
This chapter will help you recognize the many benefits of using Wireshark for packet analysis. You'll learn about Wireshark and its history as an exceptional open source software product that includes many rich features. You'll see how everyone can benefit from using packet analysis, including network administrators, students, and security analysts. You'll be able to identify the many places to conduct packet analysis, including on a LAN, on a host, or in the real world. Finally, you will gain a better understanding of the many ways in which Wireshark can provide a key role in troubleshooting, testing, baselining, and monitoring for threats.
This chapter will address all of this by covering the following:
- Reviewing packet analysis
- Recognizing who benefits from using packet analysis
- Identifying where to use packet analysis
- Outlining when to use packet analysis
- Getting to know Wireshark
Packet analysis is the process of examining packets to understand the characteristics and structure of the traffic flow.
The analyst can complete packet analysis by either studying one packet at a time or as a complete capture. Packet analysis can be done during a live capture or by using a previously captured packet.
Network administrators use packet analysis to gain information about current network conditions. Security analysts use packet analysis to determine whether there is anything unusual or suspicious about the traffic when carrying out a forensic investigation. Students use packet analysis as a learning tool, to better understand the protocols. In addition, packet analysis is also used by hackers to sniff network traffic in order to gain valuable information about the network while conducting footprinting and reconnaissance.
We use packet analysis in many places, including on a LAN, on a host, or in the real world. We also use packet analysis when troubleshooting latency issues, testing Internet of Things (IoT) devices, and as a tool to baseline the network.
Today, packet analysis using Wireshark is a valuable skill. However, analyzing packets has been around in the networking world for many years. As early as the 1990s, there were various tools that enabled analysts to carry out packet analysis on the network to troubleshoot errors and to monitor server and network behavior. In the next section, we'll examine some of the early tools used to monitor network activity.
Packet analysis has been around in some form for over 20 years as a diagnostic tool, to observe data and other information traveling across the network. Packet analysis is also referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured traffic as it traveled across the network. In the 1990s, Novell, a software company, developed the Novell LANalyzer, which had a graphical UI and a dashboard feature, as shown in the following diagram:
At the same time, Microsoft introduced its network monitor. Over the last 20 years, there have been many other packet analyzers and tools to sniff traffic that include the following:
- Cain and Abel: Can gather passwords and can record VoIP conversations
- Formerly Carnivore, can monitor all internet traffic
- Passively monitors a network for interesting traffic
- Eavesdrops to capture passwords, emails, and files
- Protocol analyzer that runs from the command line
- Open source tool that combines packet capture with an Intrusion Detection System (IDS)
- Packet sniffer used to analyze network traffic
Most packet analyzers have similar features. They capture the data, decode the raw bits in the headers to field values according to the appropriate Request for Comment (RFC) or other specifications, and present the data in a meaningful fashion.
Packet analysis tools range from very simple text-based analyzers, such as terminal-based Wireshark (tshark), as shown in the following screenshot, to tools with a rich graphical UI and advanced AI-based expert systems that guide the analyst through a more targeted evaluation:
In the next section, we'll take a look at the various devices in use today that use packet analysis.
Packet analysis and packet sniffing are used by many devices on the network, including routers, switches, and firewall appliances. As data flows across the network, it passes through various network devices, which interpret the packet's raw bits and examine the field values in each packet to decide on what action should be taken.
A router captures the traffic and examines the IP header to determine where to send the traffic, as a part of the routing process. An IDS will capture the traffic and examine the contents and alert the network administrator if there is any unusual or suspicious behavior.
A firewall monitors all traffic and will drop any packets that are not in line with the Access Control List (ACL). For example, when data passes through a firewall, the device examines the traffic and determines whether to allow or deny the packets according to the ACL. For example, this ACL has the following entries:
- Allow outbound SYN packets. The destination port is 80.
- Allow inbound SYN-ACK packets. The source port is 80.
As shown in the following diagram of a firewall with an ACL, in order to decide whether to allow or deny a packet, the firewall must evaluate the packet header and check which TCP flags are set and which port numbers are in use. If the packet does not match an ACL entry, then the firewall will drop the packet:
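The decoding step described earlier (turning raw header bits into field values according to the RFC) and the two-entry ACL above can be shown together in code. The following Python script is an added example and is not code from the book or from Wireshark. It constructs minimal IPv4/TCP headers as sample input (the addresses 10.0.0.5 and 203.0.113.10 and the client port 51000 are made-up values), decodes the fields a firewall needs (addresses, ports, TCP flags), and applies the two ACL entries with an implicit deny at the end:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits, carried in byte 13 of the TCP header (RFC 793)
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def decode(raw: bytes) -> TcpPacket:
    """Decode the fields a firewall needs from raw IPv4 (RFC 791) + TCP (RFC 793) headers."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    if raw[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = tcp[13] & 0x3F             # FIN, SYN, RST, PSH, ACK, URG
    return TcpPacket(src_ip, dst_ip, src_port, dst_port, flags)


@dataclass
class AclEntry:
    direction: str            # "outbound" or "inbound"
    flags: int                # exact TCP flag combination required
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]


# The two entries from the text: outbound SYN to port 80, inbound SYN-ACK from port 80
ACL: List[AclEntry] = [
    AclEntry("outbound", TCP_SYN, None, 80),
    AclEntry("inbound", TCP_SYN | TCP_ACK, 80, None),
]


def evaluate(pkt: TcpPacket, direction: str, acl: List[AclEntry] = ACL) -> str:
    """Return 'allow' on the first matching entry, otherwise 'deny' (implicit deny)."""
    for entry in acl:
        if entry.direction != direction or pkt.flags != entry.flags:
            continue
        if entry.src_port is not None and pkt.src_port != entry.src_port:
            continue
        if entry.dst_port is not None and pkt.dst_port != entry.dst_port:
            continue
        return "allow"
    return "deny"


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP header pair as sample input (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample traffic: 10.0.0.5 is the inside client, 203.0.113.10 the web server
    sample = [
        ("outbound", build_packet("10.0.0.5", "203.0.113.10", 51000, 80, TCP_SYN)),
        ("inbound", build_packet("203.0.113.10", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK)),
        ("inbound", build_packet("203.0.113.10", "10.0.0.5", 80, 51000, TCP_SYN)),  # SYN, not SYN-ACK
    ]
    for direction, raw in sample:
        pkt = decode(raw)
        print(f"{direction:8} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"flags=0x{pkt.flags:02x} -> {evaluate(pkt, direction)}")
```

The third sample packet is an inbound segment from port 80 with only SYN set; it fails the flag check on the inbound entry and falls through to the implicit deny, which is exactly the comparison of flags and ports that the diagram describes.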
It's important to note that a packet sniffer sniffs traffic but doesn't modify the contents in any way. It simply gathers the traffic for analysis as it travels across the network.
As we can see, packet sniffing and analysis have been influential for many years as elements of managing networks. The first step in analysis is capturing traffic, which we will explore in the next section.
On today's networks, a Network Interface Card (NIC) will only monitor traffic that is addressed to that host. We can, however, put the card into a state called promiscuous mode. Promiscuous mode is when the network adapter gathers not only traffic that is destined to that host, but all the traffic that is on the network, and is commonly used to monitor network activity. Therefore, to capture all network traffic, the NIC must be in promiscuous mode.
On a Windows machine, you can check to see whether the interface card is in promiscuous mode by running the following command in PowerShell:
```powershell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Admin> Get-NetAdapter | Format-List -Property PromiscuousMode

PromiscuousMode : False
```
We use packet analysis to understand the characteristics of the traffic flow. Although you can conduct packet analysis during a live capture, it's common to capture traffic and save it for further analysis. Common steps to capture packets for analysis are as follows:
- Install Wireshark and the appropriate packet capture engine.
- Launch Wireshark and select the appropriate capture options.
- Start the capture and run until you capture 1,000 – 2,000 packets.
- Stop the capture and save the trace file in the appropriate format.
- Analyze the capture by studying one packet at a time, or as a complete capture.
In some cases, you may need to send a packet capture to the corporate or security analyst for further analysis.
Wireshark allows us to capture, display, and filter data live from a single network interface or from multiple interfaces. In addition, you can examine pre-captured packets, search with granular detail, and follow a data stream. As a result, packet analysis is advantageous because it helps us understand the nature of the network. The following section outlines the many different individuals who can benefit from using Wireshark for packet analysis.
Everyone can benefit from using packet analysis, including developers, network administrators, students, and security analysts. Let's look at each and explore the benefits that can be reaped through packet analysis. We'll start with developers, who can see how their program responds to requests on the network in real time.
Application performance issues can affect the bottom line, especially in a mission-critical situation. Developers diligently strive to produce elegant and efficient software. Prior to releasing an application, developers run functional and regression tests, along with stressing the server to ensure an optimized application.
Developers typically test applications in a perfect environment, with high bandwidth and low latency. However, once the application moves from the local (or test) environment to the production network, clients may complain about slow response times. The programmers carefully check the application but are unable to find anything unusual.
The developer must determine the reasons for the slow response times. Once further testing determines that it is not the application that is causing the issue, a packet analysis tool such as Wireshark can assist the developer in determining the root cause of the delayed response times.
By using Wireshark, the developer can uncover common problems in transmissions, such as round-trip time and signs of congestion within an organization, which can occur in a network and impact response time.
Developers will understand that simply optimizing an application is not enough, and all development life cycles should include seeing what is happening on the network, as issues can affect overall performance.
In addition to developers, network administrators commonly use Wireshark to troubleshoot the network, as we will see next.
Network administrators use packet analysis to gain information about current network conditions. Wireshark can help identify errors and/or problems on the network that might require device tuning and/or replacement to improve overall performance.
A powerful feature in Wireshark is the ability to quickly see issues in the capture. The network administrator can use both the expert system and the intelligent scrollbar, which color codes potential problems and helps with analysis, as we'll see in the next section.
Wireshark allows us to visualize issues while performing an analysis. The expert system categorizes various traffic conditions. It has a color code for each level that allows for easy identification of general workflow and possible critical events:
- Chat color: Gray provides information about typical workflows, such as a TCP window update or connection finish
- Note color: Cyan indicates items of interest, such as duplicate acknowledgments and TCP keep-alive segments
- Warn color: Yellow indicates a warning, such as a TCP zero window or connection reset
- Error color: Red is the highest level as there may be a serious problem, such as a retransmission or a malformed packet
The visual for the expert system is in the lower left-hand corner, as shown in the following screenshot:
Wireshark also has an intelligent scrollbar, which provides another visual cue for detecting issues. In the preceding screenshot, we see a distinct coloring pattern on the right-hand side based on the coloring rules set in the application.
With the intelligent scrollbar, the administrator can easily click on a color band to zero in on a possible problem. Bear in mind that the intelligent scrollbar is only visible if the coloring rules are active; however, coloring rules are on by default.
Once problems are identified, you can then subset traffic, add comments, save, and export the packet captures.
At times, the network administrator may want to share the packet capture with other members of the team. Wireshark can subset traffic to break apart large packet captures and focus on the problem areas.
For example, a large packet capture will most likely contain several different types of traffic in addition to data, such as management traffic and 802.11 control frames. You can easily apply a display filter using the and not operators to exclude traffic that you don't want to see.
Within the subset, you can include comments. You can find comments either by selecting the comments icon in the lower left-hand corner that looks like a pad and pencil, or go to Statistics | Capture file properties and include your comments in the space below marked comments. If you do add comments, then you must save the file in the PCAPNG format as not all file formats will support the use of comments.
Once you have created a smaller file and added any (optional) comments, you can export the specified packets and save in a wide variety of formats. Formats include the default PCAPNG, along with PCAP, Sun Snoop, DMP, and many others.
In addition to network administrators, students will gain valuable insight into what is actually happening on the network by using Wireshark to examine headers and field values of the protocols.
Let's learn about how students can use packet analysis as a learning tool to better understand protocols. For example, when reviewing the DHCP process, the student might see the DORA process, as shown in the following diagram. While the diagram displays each of the four-part transaction, it does not show the details of each part of the four-packet exchange:
In the following screenshot, we can see an actual DHCP transaction. The student can easily identify each of the four stages of the DORA process: Discover, Offer, Request, and Acknowledge. In addition, the student can see the specifics of each exchange, including the transport protocol, the IP and MAC addresses, and the DHCP header flags:
By learning the normal behavior and purposes of common protocols, students will be able to troubleshoot problems that may occur in the future.
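To make the four-packet exchange concrete, the following Python script is an added example, not code from the book or from Wireshark. It decodes the DHCP fixed header and TLV options as laid out in RFC 2131, constructs a sample Discover/Offer/Request/Ack exchange (the transaction ID 0x1A2B3C4D, the client MAC 00:11:22:33:44:55, the server 192.168.0.1 and the leased address 192.168.0.10 are all made-up values), and groups the messages by transaction ID to check that a complete DORA sequence occurred:

```python
import struct
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 magic cookie that precedes the options
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s"         # op, htype, hlen, hops, xid, secs, flags, 4 addresses, chaddr


def parse_dhcp(payload: bytes) -> dict:
    """Decode the DHCP fixed header (44 bytes, then sname/file) and the TLV options."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(FIXED_HEADER, payload[:44])
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                # pad option, no length byte
            i += 1
            continue
        if code == 255:              # end of options
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b"\x00")[0]          # option 53 = DHCP message type
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "message_type": MESSAGE_TYPES.get(mtype, f"type {mtype}"),
        "options": options,
    }


def build_dhcp(op: int, xid: int, mtype: int, client_mac: str,
               yiaddr: str = "0.0.0.0", extra: Optional[Dict[int, bytes]] = None) -> bytes:
    """Construct a sample DHCP message (used only to fabricate the capture below)."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    head = struct.pack(FIXED_HEADER, op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, bytes(int(o) for o in yiaddr.split(".")),
                       b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"))
    body = head + b"\0" * (64 + 128) + DHCP_MAGIC + bytes([53, 1, mtype])
    for code, value in (extra or {}).items():
        body += bytes([code, len(value)]) + value
    return body + b"\xff"


def dora_sequence(packets: List[bytes]) -> Dict[int, List[str]]:
    """Group message types by transaction ID, in capture order."""
    seq: Dict[int, List[str]] = {}
    for p in packets:
        d = parse_dhcp(p)
        seq.setdefault(d["xid"], []).append(d["message_type"])
    return seq


def is_complete_dora(types: List[str]) -> bool:
    return types == ["Discover", "Offer", "Request", "Ack"]


# Constructed four-packet exchange: client 00:11:22:33:44:55, server 192.168.0.1, lease 192.168.0.10
XID = 0x1A2B3C4D
CLIENT_MAC = "00:11:22:33:44:55"
SERVER = bytes([192, 168, 0, 1])
LEASE = struct.pack("!I", 86400)
SAMPLE_CAPTURE = [
    build_dhcp(1, XID, 1, CLIENT_MAC),
    build_dhcp(2, XID, 2, CLIENT_MAC, "192.168.0.10", {54: SERVER, 51: LEASE}),
    build_dhcp(1, XID, 3, CLIENT_MAC, extra={50: bytes([192, 168, 0, 10]), 54: SERVER}),
    build_dhcp(2, XID, 5, CLIENT_MAC, "192.168.0.10", {54: SERVER, 51: LEASE}),
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        d = parse_dhcp(p)
        print(f"xid=0x{d['xid']:08x} {d['op']:11} {d['message_type']:8} "
              f"mac={d['client_mac']} yiaddr={d['yiaddr']} broadcast={d['broadcast']}")
    for xid, types in dora_sequence(SAMPLE_CAPTURE).items():
        print(f"0x{xid:08x}: {' -> '.join(types)} complete={is_complete_dora(types)}")
```

The transaction ID is what ties the four packets together in a real capture too, so grouping by xid is the same thing the student does by eye when matching the Offer and Ack back to the Discover in Wireshark's packet list.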
As you can see, packet analysis has many benefits for many people. Because of the ability to really examine what is happening on the network, another key group that uses packet analysis are security analysts.
Security analysts use packet analysis to determine whether there is anything unusual or suspicious about the traffic or discover what transpired on the network by completing a forensic investigation. To effectively discover potential problems, the security analyst must be an expert at packet analysis.
Wireshark can help the security analyst to better understand specific types of attacks so they can craft firewall rules. To hone security analysis skills, the analyst can discover and download many PCAPs on various repositories. The Honeynet project, which is found at https://www.honeynet.org, is a great place to start. Navigate to the section on challenges, which offers many examples of forensic exercises to review and learn about many common threats found on today's networks.
For example, if you go to https://www.honeynet.org/node/906, then you will see a completed challenge entitled Forensic Challenge 12 – Hiding in Plain Sight. Read the details on the challenge, which are outlined so you have a better understanding of the challenge. To strengthen your analysis skills, download the files found at the bottom of the page and work through the questions. The answers can also be found at the bottom of the page, along with other files of interest.
Security analysts feel that Wireshark is a valuable tool, as it provides valuable insight into what is happening on the network. Because of the ability to have so much insight on what is happening on the network, Wireshark is also used by hackers for reconnaissance to gather and analyze traffic—many times prior to an attack, or during an active attack, which we will discuss next.
Hackers use packet analysis to sniff network traffic in order to gain valuable information about the network as a precursor to an attack. Sometimes called a passive attack, a hacker can use Wireshark to sniff network traffic with the goal of obtaining sensitive information. In addition, hackers can use the information gathered to launch an active attack.
As a precursor to an attack, hackers gather information during reconnaissance, which is also called footprinting. The goal of reconnaissance is to gather as much information about the target as possible. Let's take a look at a couple of ways in which hackers use Wireshark as part of a passive attack.
Using Wireshark, a hacker will try to obtain confidential information, such as usernames and passwords exchanged, while traveling through the network. Using packet analysis to sniff network traffic can achieve the following goals:
- Footprinting and reconnaissance: As a precursor to an active attack, hackers use Wireshark to capture unencrypted traffic in order to gather as much information about the target as possible. In addition, Wireshark can also be used to gather additional information such as IP and MAC address, open ports and services, and possible defense methods in place.
- Sniffing plain text passwords: Another use of packet sniffing by hackers is looking for passwords that are sent in plain text. Common protocols that are susceptible to packet sniffers are the protocols that are in plain text, such as SNMP, HTTP, FTP, Telnet, and VoIP.
An organization can defend against unauthorized packet sniffing in a couple of ways. There is anti-sniffer software that can detect sniffers on the network. However, one of the best ways to prevent data exposure is to use encryption. If someone captures the traffic, then the encrypted data will appear meaningless.
Next, we'll take a look at how hackers can also use Wireshark by actively sniffing and monitoring traffic as part of an Address Resolution Protocol (ARP) spoofing attack.
Hackers can launch many different types of attacks on the network, such as Denial of Service (DoS) attacks, phishing attacks, or Structured Query Language (SQL) injection attacks. Hackers can also use Wireshark to passively gather information so they can launch a more effective attack. One example is an ARP spoofing attack.
To conduct an effective packet analysis, the first step is to get a good capture. There are many places to conduct packet analysis, including on a LAN, on a host, or in the real world. Let's start with using packet analysis on a LAN.
Today's networks are complex, as the following diagram shows. An enterprise network provides connectivity, data applications, and services to the clients on the network:
Most LANs are heterogeneous, with various operating systems such as Windows, Linux, and macOS, along with a mixture of devices, such as softphones, tablets, laptops, and mobile devices. Depending on business requirements, the network may include wide area network connectivity along with telephony.
To effectively use packet analysis, placement is key. Not all traffic is created equal. Depending on placement, you may only capture a portion of the total network traffic. If the packet sniffer is on a host or end device, then it will only be able to see the traffic on that segment's collision domain. If the sniffer is mirroring all traffic on a backbone, then it will be able to see all the traffic.
In certain instances, you may need to perform packet analysis on an individual host, such as a PC, to only monitor traffic destined to that host, or on a switch to see the traffic as it passes through the switchports.
We use packet analysis to troubleshoot latency issues, test IoT devices, monitor for threats, and baseline the network. Let's start with troubleshooting, which is a common use of packet analysis.
Wireshark can be a valuable tool for troubleshooting issues on the network. There are many built-in tools designed to gather and report network statistics. We can analyze network problems and monitor bandwidth usage per application and process. The information gathered can help identify choke points and maintain efficient network data transmission.
Protocol analysis enables the network administrator to monitor the traffic on the network, unearthing problems and showing where performance can be fine-tuned. For example, if you suspect latency, then you can obtain a capture in the area where you suspect trouble and then run a Stevens graph (a TCP time-sequence graph), as shown in the following screenshot:
In addition to troubleshooting the network, many are discovering how Wireshark can be a valuable asset in testing IoT devices prior to their implementation in an organization.
The IoT is a ubiquitous transformation of intelligent devices embedded in everyday objects that connect to the internet, enabling them to send and receive data. The IoT has several components: people, infrastructure, things, processes, and data. The IoT has become a billion-dollar industry as consumers, along with industries, are seeing the benefits of the IoT.
Even with all of the benefits, prior to connecting an IoT device to the network, it's best to test the device. Using Wireshark can help you see what happens when you plug the device into the network. The following are some of the questions Wireshark can help determine:
- How do the devices communicate once they are active? Do they phone home without being prompted?
- What information do they communicate? Are the username and password sent in plain text?
The only way you can understand the behavior of these devices is by plugging one in, capturing the data exchange, and analyzing the packet capture. The information obtained can provide valuable insights into the vulnerabilities of IoT devices.
Along with troubleshooting and testing, Wireshark can be instrumental in proactive threat assessment.
Monitoring for threats occurs in one of three ways:
- Proactive: Monitoring your systems and preventing threats by using a device such as an IDS
- Reactive: A system has fallen victim to an attack and the incident response team manages the attack, followed by a forensic exercise
- Active: Proactively seeking threats by conducting packet analysis and monitoring log files
Wireshark can help the security analyst take an active role in monitoring for threats. While Wireshark does not provide any alerts, it can be used in conjunction with an IDS to investigate possible malicious network activity.
For example, while using snort (an open source IDS), the sensor produced the following alert, which may be an indication of malicious activity on the protected network:
DELETED WEB-MISC text/html content-type without HTML – possible malware C&C (Detection of a non-standard protocol or event) 
This alert indicates that an infected host may be communicating with an external entity and sending information gathered on the network to a botmaster. The security analyst should take immediate action by running a capture in different segments of the network to identify and mitigate the threat.
Industries see the value in using Wireshark for threat monitoring as well. For example, in Cisco's CCNA Cyber Ops certification prep course, students learn how to observe and monitor for unusual traffic patterns using Wireshark, as they hone their skills in preparing to work alongside cybersecurity analysts within a Security Operations Center (SOC).
In order to determine what traffic is unusual, or to properly troubleshoot the network, you must be able to determine what is normal network activity. This is achieved by conducting a baseline, as outlined in the following section.
A network baseline is a set of parameters that define normal activity. The baseline provides a snapshot of network traffic during a window of time using Wireshark or Tshark. Characteristics to baseline can include utilization, network protocols, effective throughput forwarding rates, and network latency. The network team can use the baseline for forecasting and planning, along with optimization, tuning, and troubleshooting.
The baseline process goes through several stages: plan, capture, save, and analyze. Once the baseline is complete, the network analyst can review the captured data in order to assess general performance for end-to-end communications. Baselining the network helps to gain valuable information on the health of the network, and possibly identify current network problems. In addition, subsequent baselining exercises can help predict future problems.
Whenever the installation of new equipment is planned, it's best to do a baseline prior to the change. After implementation, do another capture to identify possible issues in the trace and to fine-tune the configuration.
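The baseline characteristics listed above (utilization, protocol mix, throughput) can be computed from a capture and compared against a later window. The following Python script is an added example, not code from the book or from Wireshark; it works on per-packet records of the kind you would export from Wireshark or tshark (timestamp, frame length, protocol), and the two capture windows it uses are constructed in the script, not real traffic. It builds a baseline from the first window and then reports where the second window departs from it: throughput outside a tolerance band, protocols that did not appear in the baseline, and protocols whose share of bytes has shifted:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PacketRecord:
    ts: float       # seconds from capture start
    length: int     # bytes on the wire
    protocol: str   # highest-layer protocol, as Wireshark's Protocol column would show


@dataclass
class Baseline:
    window_s: float
    packets_per_s: float
    throughput_bps: float
    protocol_mix: Dict[str, float]   # share of bytes per protocol, 0..1


def build_baseline(records: List[PacketRecord], window_s: float) -> Baseline:
    """Summarize one capture window: packet rate, throughput and protocol mix."""
    if not records or window_s <= 0:
        raise ValueError("need a non-empty capture and a positive window length")
    total_bytes = sum(r.length for r in records)
    by_proto: Dict[str, int] = defaultdict(int)
    for r in records:
        by_proto[r.protocol] += r.length
    return Baseline(
        window_s=window_s,
        packets_per_s=len(records) / window_s,
        throughput_bps=total_bytes * 8 / window_s,
        protocol_mix={p: b / total_bytes for p, b in by_proto.items()},
    )


def compare(baseline: Baseline, current: Baseline,
            bw_tolerance: float = 0.5, mix_tolerance: float = 0.2) -> List[Tuple[str, str]]:
    """Flag where a later window departs from the baseline, as (kind, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    ratio = current.throughput_bps / baseline.throughput_bps
    if ratio > 1 + bw_tolerance or ratio < 1 - bw_tolerance:
        findings.append(("throughput", f"{ratio:.2f}x baseline ({current.throughput_bps:.0f} bps)"))
    for proto in current.protocol_mix:
        if proto not in baseline.protocol_mix:
            findings.append(("new_protocol", proto))
    for proto, share in baseline.protocol_mix.items():
        now = current.protocol_mix.get(proto, 0.0)
        if abs(now - share) > mix_tolerance:
            findings.append(("mix_shift", f"{proto} {share:.0%} -> {now:.0%}"))
    return findings


def synth_window(window_s: float, spec: List[Tuple[str, int, int]]) -> List[PacketRecord]:
    """Constructed sample records from (protocol, packet count, bytes per packet), spread over the window."""
    records: List[PacketRecord] = []
    for proto, count, length in spec:
        records += [PacketRecord(window_s * i / count, length, proto) for i in range(count)]
    return sorted(records, key=lambda r: r.ts)


# Constructed data: a quiet 10-second baseline, then a window with a new SMB burst on top of it
BASELINE_WINDOW = synth_window(10.0, [("TLS", 100, 1000), ("HTTP", 50, 500), ("DNS", 50, 100)])
LATER_WINDOW = synth_window(10.0, [("TLS", 100, 1000), ("HTTP", 50, 500), ("DNS", 50, 100),
                                   ("SMB", 200, 1200)])

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW, 10.0)
    later = build_baseline(LATER_WINDOW, 10.0)
    print(f"baseline: {base.throughput_bps:.0f} bps, {base.packets_per_s:.0f} pps, mix={base.protocol_mix}")
    for kind, detail in compare(base, later):
        print(f"{kind}: {detail}")
```

The tolerances are parameters rather than fixed numbers because what counts as a deviation depends on the segment: a 50% throughput swing may be routine on a backup VLAN and alarming on a management network. Running the comparison before and after a change, as the text recommends, is the same call with the pre-change window as the baseline.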
As you can see, there are many ways we can use packet analysis to monitor, test, baseline, and troubleshoot. However, you should also be aware of when you shouldn't use packet analysis.
As you can see, we can use packet analysis in many ways. However, because it can expose sensitive information or serve as a precursor to an attack, packet analysis should only be done on a network you own or where you have explicit permission to conduct packet analysis for security scans or to troubleshoot network connectivity issues. In addition, consideration should be given to maintaining the privacy of the data collected during capture and to having a proper method to obtain, analyze, and retain the packet captures.
As shown in the chapter, we have now learned about the many reasons to use packet analysis. Let's summarize by embracing Wireshark, which is one of the most powerful packet analysis tools available today.
In the late 1990s, Gerald Combs needed a tool to analyze network problems. Portable sniffers were available at the time, but they were costly. Gerald developed Ethereal with the help of some friends, and this later became Wireshark. It has been around for over 20 years and continues to evolve and improve over time.
Wireshark's strength is the ability to decode the captured bits into a readable form by using decoders or dissectors.
Dissectors provide information on how to break down the protocols into the proper format according to the appropriate RFC, or other specifications.
Wireshark can decode hundreds of different protocols. New dissectors are periodically added to the library. In addition, you can decode priority and specialty protocols by developing your own dissector.
Wireshark is compatible with many other sniffers and has a wide range of file formats for import and export. Some of the other features include the following:
- Merge packet captures.
- Provide a detailed analysis of VoIP traffic.
- Create basic and advanced I/O graphs.
Wireshark can be installed on most OSes, including Windows, Solaris, Linux, and macOS. In the following graphic, we can see the simple and streamlined Wireshark welcome screen on a Windows OS:
After using Wireshark for any length of time, you can see how it can help network administrators to understand traffic flows, troubleshoot performance problems, or conduct a network baseline.
With the variety and amount of data that travels on today's networks, it's easy to see why packet analysis using Wireshark should be in everyone's skill set. In this chapter, we took a brief look at how packet analysis began in the 1990s with the use of hardware sniffers. Fast forwarding to today, we can see that packet analysis is used by nearly every device on the network to gather traffic, examine the contents, and then decide what action to take.
We learned about how developers, network administrators, students, and security analysts can all benefit from using packet analysis. We saw the many places where we conduct packet analysis: on a LAN, on a host, and in the real world. In addition, we have learned about how packet analysis has a variety of uses on today's networks, including troubleshooting, testing IoT devices, monitoring threats, and baselining. We have learned about how Wireshark is an exceptional open source software product that includes many rich features, has many tools available to easily solve visual problems, and provides one of the best ways to analyze network traffic.
In the next chapter, we will learn about Wireshark's predecessor, Ethereal, and how it evolved to become Wireshark. We will then compare and contrast Wireshark Legacy with Wireshark Next Generation, and learn about the many improvements to the software. Because Wireshark can be resource intensive, we will learn about how Tshark can provide a lightweight alternative to Wireshark. At the end of the chapter, you will embrace the benefits of Wireshark Next Generation.
Now it's time to check your knowledge. Select the best response, and then check your answers, which can be found in the Assessment:
- Packet analysis has been around in some form since the _____ as a diagnostic tool to observe data and other information traveling across the network.
- Packet analysis is used in the real world in many forms. One is the DHS _____ system, which monitors for threats.
- In the expert system, _____ provides information about typical workflows such as TCP window updates or connection finishes.
- A ____ provides a snapshot of network traffic during a window of time using Wireshark or Tshark. Characteristics can include utilization, network protocols, and effective throughput forwarding rates.
- Round Robin
- DORA process
- Monitoring for threats occurs in one of three ways. _____ is when a system has fallen victim to an attack and the incident response team manages the attack, followed by a forensic exercise.