Networking

Learn how to use Wireshark to capture and analyze network traffic

Wireshark is the most popular and widely used packet analyzer in the world. Thanks to this program, we will be able to capture and analyze in detail all the network traffic that enters and leaves our PC, in addition, we must remember that it is multiplatform, this means that it is available for Windows, Linux, macOS, Solaris, FreeBSD operating systems, NetBSD and others. Today in RedesZone we are going to teach you in a basic way, how to perform a traffic capture, and how to analyze network traffic to see if there is any type of anomaly.

Wireshark main features

This program, which is completely free, allows us to carry out deep inspection of hundreds of protocols, since it supports physical layer protocols, link protocols, network protocols, transport layer and also application layer. It will allow us to make a capture in real time, and when we have finished capturing all the packets that enter and leave our wired or wireless network card, we can perform an in-depth analysis offline, that is, on another computer (or on the same) and at any time.

Wireshark allows you to see all the traffic captured via GUI with the program itself, however, we can also see all the information captured with the TShark program, a tool that works through the console and will allow us to read everything through the CLI command line , to see everything via SSH, for example. A fundamental characteristic of any packet analyzer are the filters, so that it only shows us what we want it to show us, and no more information that would generate extra work for us.

Wireshark is capable of reading and writing in different capture formats, such as tcpdump (libpcap), pcap ng, and many other extensions, to perfectly adapt to different programs for later analysis. Another important aspect is that the captured capture can be compressed with GZIP on the fly, and, of course, decompressed on the fly also in case we are reading the capture. Of course, it is capable of reading data from different network technologies such as Ethernet, IEEE 802.11, PPP / HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others. Today we have many protocols with encrypted data, with the appropriate private key, Wireshark is able to decrypt the traffic of different protocols such as IPsec, ISAKMP, Kerberos, SNMPv3, SSL / TLS, WEP, and WPA / WPA2.

Once we have seen the main features, we are going to download and install it.

Download and install

This program is completely free, we can directly access the official Wireshark website where you can find the links to download it. The installation of this program is very simple, we simply have to follow the installation wizard step by step, and restart the computer at the end. Wireshark is a program that is constantly updated, so it is highly recommended to always have the latest version installed on your computer to enjoy the latest news.

If you have a Linux-based operating system, it is very likely that in your package manager you have Wireshark, and you simply have to execute a command like this:

sudo apt install wireshark

Once we have seen how to download and install Wireshark, we are going to use it to perform a data capture.

Perform a traffic capture with Wireshark in Windows 10

We have used the Windows 10 operating system to capture traffic, but on Linux or macOS systems it is exactly the same, since we have exactly the same graphical user interface. The first thing we will see when starting this program are all the network cards and network interfaces of our computer, in our case we have a total of three wired network cards (ASUS XG-C100C, Realtek 2.5G and Intel 1G), a card Wi-Fi network (WiFi 2), in addition, we have different virtual network interfaces that correspond to the interfaces of VMware and Virtual Box.

Wireshark allows us to capture the traffic of any network card, whether physical or virtual, we simply have to be clear about which is our network card that is currently in use, and from which we want to capture network traffic. In our case it is the ASUS XG-C100C, so we simply double click on this card.

By double clicking, it will automatically start capturing all network traffic, both incoming and outgoing. Some recommendations BEFORE performing a traffic capture, are the following:

  • Close all programs that generate network traffic, which we do not want to capture
  • Make sure that the firewall is disabled, since it could block certain traffic and it will not appear in Wireshark, or only part of the generated traffic will appear.
  • If we want to capture some data traffic generated by an application, it is advisable to wait 1 second before starting it and to capture network traffic from the computer, then we execute that application, and finally, we close the application and wait 1 second before stop capturing traffic.

With these recommendations, we are sure that your traffic capture will be a success.

In this traffic capture, you can see traffic from different protocols, both network Spanning-Tree Protocol traffic, as well as TCP traffic and TLSv1.2 traffic from different applications that we have open.

With each data entry, we will be able to display and see in detail the entire data package, both at the application level, transport, at the network level, link and also at the physical level, that is, Wireshark will provide us with the information by layers, to more easily find the information we need to know.

Of course, it will also tell us what the source and destination ports are if we use TCP or UDP, and we can even see the sequence numbers in an advanced way, and if there has been an RST in the connection or a segment has had to be forwarded due to a problem.

In the following screenshot, you can see the result of executing the command “nslookup www.redeszone.net” through the console, make the DNS request to our DNS server, and it will automatically reply with the DNS resolution made from the previous domain. Of course, this traffic is “mixed” with other traffic that we have on our computer from different applications, for this reason it is so important to close all applications that use Internet connectivity before starting to capture traffic.

Here you can see the response of the DNS server to the previous DNS request:

If we do the typical ping, using the ICMP protocol, it will also show us perfectly, it will show us both the “Echo request” as well as the “Echo reply”.

As you have seen, it is very easy to capture data with Wireshark to analyze all network traffic. If we want to save this capture, we simply have to click on the red “Stop” button to stop the data capture, and then click on “File / Save” to save it.

We can save this capture on our computer or on an external support for later analysis, or send it to an expert who is capable of detecting the problem, although you must bear in mind that they will have access to all the captured traffic, so you must send this capture someone you trust. If we have captured traffic with TLS or IPsec, you will need the corresponding decryption key, so that you will not be able to “read” it without this information, the same happens with WPA / WPA2 traffic, without the key, you will not be able to read the internal traffic .

There are some operating systems for routers and firewalls that incorporate a packet capturer, this built-in packet capturer will allow us to catch all the network traffic from one or more physical or logical interfaces, and we can even define that we only want to capture the traffic from or to a certain IP / port, in this way, the capture that we make will not be so extensive that it occupies many MB or GB of information. These operating systems will always allow us to export the capture in pcap format, therefore, later we can open this capture with Wireshark and examine it in detail. For example, pfSense incorporates a fairly complete packet capture to limit the data capture per interface, and we will have a button that will allow us to download this capture for later analysis. Thanks to the use of Wireshark, we will be able to load this newly created capture externally, and apply all the Wireshark filters to only see what interests us and not all the capture made by pfSense. The same happens with some router firmwares such as AVM, which has an internal packet analyzer to detect bad configurations or problems at the network level.

We hope that this tutorial will help you to capture data traffic with this great program, and you will be able to detect problems in the network, in addition, you should not forget that it also allows us to open captures of pcap traffic and in other formats, to perform a in-depth analysis of captures made externally with other programs or applications.

Leave a Reply

Your email address will not be published.

Back to top button