This chapter provides you with an introduction to the basics of the TCP/IP model and a step-by-step walkthrough of how to install Wireshark on your favorite operating system. You will be introduced to the following topics:
- What is Wireshark?
- A brief overview of the TCP/IP model
- Installing and running Wireshark on different platforms
- Troubleshooting common installation errors
Wireshark is an advanced network and protocol analyser, it lets you visualize network's activity in graphical form, and assists professionals in debugging network-level issues. Wireshark enhances the ability of network and security professionals by providing detailed insight into the network traffic. However, Wireshark is also used by malicious users to sniff network traffic in order to obtain sensitive data in the form of plain text.
Many people, including myself, are obsessed with the simplicity of the packet-capturing features that Wireshark provides us with. Let's quickly go through a few of the reasons why most professionals prefer Wireshark to other packet sniffers:
- User friendly: The interface of Wireshark is easy to use and understand, tools & features are very well organized and represented.
- Robustness: Wireshark is capable of handling enormous volumes of network traffic with ease.
- Platform independent: Wireshark is available for different flavors of operating system, whether Windows, Linux, and Macintosh.
- Filters: There are two kinds of filtering options available in Wireshark:
- You choose what to capture (capture filters)
- You choose what to display after you've captured (display filters)
- Cost: Wireshark is a free and open source packet analyzer that is developed and maintained by a dedicated community of professionals. Wireshark also offers a few paid professional applications as well. For more details, refer to Wireshark's official website https://www.wireshark.org/.
- Support: Wireshark is being continuously developed by a group of contributors that are scattered around the globe. We can sign up to Wireshark's mailing list or we can get help from the online documentation, which can be accessed through the GUI itself. Various other online forums are also available for you to get the most effective help; go to Google Paid Wireshark Support to learn more about the available support.
- The recipes and examples in this book will be for use on a Macintosh and Windows PC; for other operating systems, the installation is the same. Some OSes, such as Kali Linux, come with a preinstalled version of Wireshark.
- Once you have located the correct version of Wireshark for your platform (Wireshark 2.6.1 Intel 64.dmg), install Wireshark by following the wizard.
- Restart the computer after completion of the installation process to commit the changes that were made.
- Double-click the Wireshark icon on your desktop to the run the application:
The Wireshark screen
- You have downloaded Wireshark from known and trusted source only
- You have administrative privileges to run Wireshark
- The installation of Wireshark and the Winpcap driver has been completed successfully without any exceptions
- You are connected to the network that you want to capture network traffic from
- If you are trying to sniff using a virtual machine, ensure that you have set your network adapter to bridged mode
- Restart your machine to ensure the changes have been applied after successful installation of Wireshark
- Your NIC card supports promiscuous mode sniffing (when needed)
- You can see all of the interfaces (wired, wireless, and logical) on the home screen of Wireshark
- The line graph followed by the interface name shows activity on the Homescreen
- Also, you have legal permissions to capture network traffic
The world of network communication is governed by a set of protocols (rules and regulations) in order to function as intended. Protocols govern the transmission of network packets/segments/frames over a communication channel between endpoints. In order to understand how network packets stick together, forming a stream of traffic, we need to understand the basics of the networking that is the TCP/IP model. The TCP/IP model was originally known as the DoD model, a project that was regulated by the United States Department of Defense. All of the communication that we witness over the internet and other networks happens only through TCP/IP.
The TCP/IP model takes care of every part of packet's life cycle, namely, how a packet comes to life, how a packet is generated, how information pertaining to packet gets attached data payload (PDU), how it is routed through intermediary nodes, linking with other packets and so on.
It is strongly recommended to do some self-study on TCP/IP and how it functions, before you proceed ahead, as this book requires decent amount of familiarity with protocols.
The TCP/IP model comprises four layers, as shown in the following diagram. Each layer has a specific purpose to fulfill and utilizes a set of protocols to facilitate communications. Every protocol in every layer has a specific purpose:
The first layer is the Application Layer, which directly interacts with users and subsequent layers and protocols; it is primarily concerned with the representation of the data in a understandable format to the user. The application layer also keeps track of user sessions, monitoring who is connected; it uses a set of protocols that helps to interface with users and other layers in the TCP/IP model. Some popular protocols in the Application Layer are as follows:
- Hypertext Transfer Protocol (HTTP)
- File Transfer Protocol (FTP)
- Simple Network Management Protocol (SNMP)
- Simple Mail Transfer Protocol (SMTP)
The second layer is the Transport Layer. The purpose of this layer is to create sockets (a combination of the port and IP address) in order to let two endpoints communicate. Sockets facilitate the creation of multiple distinct connections between two or more devices (more than one tab can be opened in Chrome).
An IP address is required for communication between devices in different networks/segments (such as is used between two router interfaces or communication over the internet). It can also be used in local area network (LAN) communication, and is established over physical addresses (MAC). Apart from the restricted range of port numbers, operating systems and applications can choose a random port (other than ports
1013) for communication.
The transport layer also serves as a backbone for the communication. The two most critical protocols that work in this layer are the TCP and UDP:
- The TCP is a connection-oriented protocol, also called a reliable protocol. Firstly, a dedicated communication channel is established between the endpoints, which is then followed by data transmission. Equally partitioned chunks are transmitted from the source, and the receiving end sends an acknowledgement for every packet received. The side that is sending the data resends the packet if an acknowledgement is not received within a stated time frame.
- The UDP is a connectionless protocol and is often called an unreliable communication form. In the UDP, no dedicated channel is established, which also makes it a simpler and faster way of communication. There are also no acknowledgement packets sent by the endpoints. For example, if you are playing an online game, the loss of a few packets over the communication channel is not going to hamper your gaming experience because the number of packets coming through is huge, and a few missing packets will not make much difference to the overall quality of the network stream.
The third layer is the Internet Layer, which is primarily concerned with routing and movement of data between networks. The primary protocol that works in this layer is the IP (Internet Protocol). The IP provides the network packets with the routing capability that they need in order to reach their destination. Other protocols included in this layer are the ICMP and IGMP.
The fourth andfinallayer is the Link Layer(often called the network interface layer). It interfaces with the physical network hardware. There are no protocols specified in this layer by the TCP/IP; however, several protocols are implemented, such as the Address Resolution Protocol(ARP) and thePoint to Point Protocol(PPP). This layer is concerned with how information travels inside the communication channel (wired or wireless). The link layer is responsible for establishing and terminating the connection, as well as converting the signals from analog to digital and vice versa. Devices such as bridges and switches operate in this layer.
As data progresses from the application layer to the link layer, several bits of information are attached to the data in the form of headers or footers, which allow different layers of the TCP/IP to communicate with each other. The process of adding these extra bits is called data encapsulation, and in this process, a protocol data unit (PDU) is created at the end of the networking process (passing through the application to the link layer).
PDU consists of the data along with network addressing and protocol information that gets attached as part of the header or footer. By the time PDU reaches the bottom-most layer, it is embedded with all the required information necessary for transmission. Once the PDU reaches the destination, the attached header and footer PDU elements are ripped off one by one as it passes through each layer of the TCP/IP model and progresses upward in the model.
The following diagram depicts the process of encapsulation:
In this chapter, we looked at the basic networking concepts that you need to know, along with an introduction to Wireshark. Wireshark is a protocol analyzer that is used worldwide by technology professionals to capture and analyze network-level packets.
We also learned about the TCP/IP model. The TCP/IP model has four layers: the application layer, transport layer, network layer, and the link layer. Data is encapsulated as it passes from one layer to another; the resulting packet at the bottom is called a complete PDU.
The TCP is a reliable protocol because acknowledgements are sent as part of its process, whereas the UDP is an unreliable protocol because no acknowledgements are sent.
To install Wireshark, you just need to visit http://www.wireshark.org and then download the appropriate version for your operating system.
Troubleshooting your Wireshark can be done by ensuring that the network is working fine, that you have the full rights required to install and run the application, and that the installation had completed without any exceptions.
In the next chapter we will run our first Wireshark capture and get to feel the protocol analysis experience.