Wireshark packet analysis. Wireshark (network packet interceptor). Video instructions for using Acrylic WiFi with Wireshark on Windows

Wireshark is an excellent assistant for users who need to analyse network packets, that is, the traffic of a computer network, in detail. The sniffer handles common protocols such as netbios, fddi, nntp, icq, x25, dns, irc, nfs, http, tcp, ipv6 and many others. During analysis it breaks a network packet down into its components according to the protocol in question and displays the decoded fields on screen in readable, numeric form.

It supports a huge number of formats for captured data and can open files produced by other utilities. The principle of operation is that the network card is switched into promiscuous mode and starts intercepting every packet within its reach. It can also work as a program for intercepting Wi-Fi packets.

How to use Wireshark

The program examines the contents of the packets that pass through the network. Launching it and reading its results does not require any special knowledge: open it from the Start menu or click the desktop icon (it launches like any other Windows program). The utility captures packets, decodes their contents in detail and returns them to the user for analysis.

After launching Wireshark you will see the program's main menu at the top of the window; it controls the utility. The File tab is used to load files containing packets caught in previous sessions and to save the packets caught in a new session.

To start capturing packets, click Capture and then the menu item Interfaces, which opens a separate Wireshark Capture Interfaces window listing all available network interfaces through which packets can be captured. If the sniffer detects only one suitable interface, it shows all the important information about that interface.

The results demonstrate that, even when users are not transferring any data themselves at a given moment, the exchange of information on the network does not stop. To keep a local network operational, each of its elements (computers, switches and other devices) continuously exchanges service information with the others, and such network tools are designed to intercept exactly those packets.

There is also a version for Linux systems.

It should be noted that the sniffer is extremely useful for network administrators and computer security services, because it allows potentially unprotected network nodes, the likely targets of an attacker, to be identified.

Beyond its intended purpose, Wireshark can also serve as a tool for monitoring and analysing network traffic in order to organize an attack on unprotected parts of the network, since intercepted traffic can be used for various ends.

Or Elcomsoft Wireless Security Auditor for Windows.

WinPcap and Wi-Fi traffic restrictions in Wireshark

The limitations on capturing Wi-Fi packets under Windows come from the WinPcap library, not from Wireshark itself. Wireshark does support specialized and rather expensive Wi-Fi adapters whose Windows drivers allow network traffic to be monitored, which is usually called promiscuous capture of Wi-Fi traffic.

Video instructions for using Acrylic WiFi with Wireshark on Windows

We have prepared a video demonstrating the process; it will help if you still have questions or want to see how wireless traffic is captured with any Wi-Fi card in Wireshark for Windows.

Download it, including many additional functions for capturing traffic and processing the received data. You can try the program for free or purchase it to support further development (we introduce new features every week). The free version also supports Wireshark integration. Check out the list

Each member of the ][ team has their own preferences regarding software and utilities for pen testing. After comparing notes, we found that the choices vary so much that a real gentleman's set of proven programs can be put together. So we decided to do just that. To avoid a hodgepodge, we split the whole list into topics, and this time we cover utilities for sniffing and manipulating packets. Use them in good health.

Wireshark

Netcat

When it comes to data interception, Network Miner extracts from live traffic (or from a pre-prepared PCAP dump) files, certificates, images and other media, as well as passwords and other authorization information. A useful feature is searching for those sections of data that contain keywords (for example, a user login).

Scapy

Website:
www.secdev.org/projects/scapy

A must-have for any hacker, this is a powerful tool for interactive packet manipulation. Receive and decode packets of the most varied protocols, respond to a request, inject a modified packet or one you built yourself: all of it is easy. It lets you perform a whole range of classic tasks such as scanning, traceroute, attacks and network infrastructure discovery. In one package we get a replacement for popular utilities like hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f and others. At the same time Scapy lets you perform any task, even the most specific one that no other developer's ready-made tool can handle. Instead of writing a mountain of C to, say, generate a malformed packet and fuzz some daemon, a couple of lines of Scapy code are enough. The program has no graphical interface; interactivity comes from the Python interpreter. Once you get the hang of it, creating malformed packets, injecting the necessary 802.11 frames, combining different approaches in attacks (say, ARP cache poisoning and VLAN hopping) and so on costs you nothing. The developers themselves encourage using Scapy's capabilities in other projects. Imported as a module, it makes it easy to build a utility for various kinds of LAN research, vulnerability searching, Wi-Fi injection, automation of specific tasks and so on.

packeth

Website:
Platform: *nix, there is a port for Windows

An interesting development that allows you, on the one hand, to generate any Ethernet packet and, on the other, to send sequences of packets in order to check bandwidth. Unlike other similar tools, packeth has a graphical interface, which makes building packets as simple as possible. And there is more: the creation and sending of packet sequences is especially well thought out. You can set delays between sends, send packets at maximum speed to test the throughput of a network segment (yep, this is where things start to fall over) and, more interesting still, change packet parameters (for example, the IP or MAC address) dynamically.

Hello World! Today we will tell you about a useful method for troubleshooting and finding problems on MikroTik routers. The essence of the method is to catch ("sniff") packets passing through particular interfaces of our router and analyse them immediately in Wireshark.

Prerequisites

So, to use this method we need:

  • A MikroTik router (in our case an RB951Ui-2HnD with RouterOS firmware version 6.40.2)
  • The Wireshark program (in our case version 2.4.1)
  • A computer or server on the same network as the router, running Wireshark

Settings

First of all, open Wireshark, select the interface on which we want to "sniff" (in our case Ethernet, that is, the interface through which the computer connects to the router) and set the following capture filter: udp port 37008. As shown in the screenshot:

Clearly, if we started the capture without this filter, all the traffic passing through this interface would simply pour out at us, which is not what we want.

What is this filter and what is port 37008? The point is that MikroTik sends the intercepted traffic as UDP datagrams to this port on a streaming server, and, as you may have guessed, that streaming server is our computer running Wireshark. The packets are encapsulated in TZSP (TaZmen Sniffer Protocol), a protocol designed to carry other protocols inside it.

So we start capturing on the chosen interface with the filter udp port 37008 and see that nothing happens: there are no packets.


And now the most interesting part: we connect to the MikroTik via WinBox, go to Tools > Packet Sniffer and see the following settings window:


On the General tab we can leave everything at the defaults and go to the Streaming tab:


Tick Streaming Enabled, enter the IP address of our computer running Wireshark in the Server field, and tick Filter Stream to activate the filter that we will configure on the next tab, Filter.

On this tab we filter the traffic that interests us. For example, our network has an Asterisk IP PBX and we want to see what packets it receives and sends through the MikroTik router; for instance, we can track the communication between the IP PBX and the VoIP service provider's server.

So we select the interfaces on which we want to catch packets (in our case bridge), then filter the traffic by a specific address in the IP Address field (our IP PBX), specify protocol 17 (udp) and port 5060 (sip). We set the direction to any and Filter Operation to or, that is, the filter's conditions are combined with OR logic. If you want to catch only packets that match a strictly defined filter, set the logic to and, which requires all filter conditions to match.


Great, now we go to Wireshark and see that it has already caught the necessary packets in accordance with the filter rules.


In our case this is the exchange between the Asterisk IP PBX and the VoIP provider's server: a registration request and its confirmation from the other side. Note that the encapsulation type is TZSP, yet Wireshark was able to decapsulate these packets correctly and show us the SIP packets.
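As an added example (not part of this article, and not MikroTik's or Wireshark's own code), here is a decoder for the TZSP datagrams described above: it strips the TZSP header and tag list that MikroTik wraps around each sniffed frame and then, as Wireshark does, walks Ethernet/IPv4/UDP to reach the SIP start line. The sample datagram, its addresses and the 0x28 tag value are constructed for the demonstration.

```python
"""Decode TZSP (TaZmen Sniffer Protocol) datagrams, the format MikroTik's
Packet Sniffer streams to UDP port 37008, down to the SIP start line."""
import socket
import struct

TZSP_PORT = 37008
TZSP_ENCAP_ETHERNET = 1            # encapsulation value for raw Ethernet frames
TAG_PADDING, TAG_END = 0x00, 0x01  # the only tags that carry no length byte


def tzsp_unwrap(datagram):
    """Return (encapsulation, inner_frame) from one TZSP datagram."""
    # header: version(1) type(1) encapsulation(2, big-endian), then tagged
    # fields until TAG_END; the sniffed frame follows the end tag
    if len(datagram) < 5:
        raise ValueError("too short for a TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    pos = 4
    try:
        while (tag := datagram[pos]) != TAG_END:
            # other tags: one length byte followed by that many value bytes
            pos += 1 if tag == TAG_PADDING else 2 + datagram[pos + 1]
    except IndexError:
        raise ValueError("TZSP tag list never terminated") from None
    return encap, datagram[pos + 1:]


def sip_start_line(frame):
    """Return the SIP request/status line if frame is IPv4/UDP on port 5060."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:            # protocol 17 = UDP, as in the MikroTik filter
        return None
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if 5060 not in (sport, dport):
        return None
    return udp[8:ulen].split(b"\r\n", 1)[0].decode("ascii", "replace")


def build_sample_datagram():
    """Constructed sample (not a real capture): TZSP around a SIP REGISTER."""
    sip = b"REGISTER sip:voip.example.net SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    eth = bytes.fromhex("020000000001" "020000000002" "0800") + ip + udp
    # header, a padding tag, one length-prefixed tag (type 0x28 with 4 opaque
    # bytes, chosen for the demo), then the end tag
    tzsp = struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET)
    return tzsp + bytes([TAG_PADDING, 0x28, 4, 0, 0, 0, 1, TAG_END]) + eth


def decode_stream_datagram(datagram):
    """What Wireshark does for us on port 37008: unwrap TZSP, then parse SIP."""
    encap, frame = tzsp_unwrap(datagram)
    if encap != TZSP_ENCAP_ETHERNET:
        return None
    return sip_start_line(frame)
```

Feeding real datagrams to decode_stream_datagram only needs a UDP socket bound to TZSP_PORT on the machine named in the Server field.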


Original: Weekend Project: Analyze Your Network with Wireshark
Author: Nathan Willis
Date published: October 29, 2010
Translation: V. Semenenko
Translation date: July 2011

Introduction

Wireshark is an open-source network packet sniffer. Without any special equipment or reconfiguration, it can intercept incoming and outgoing data on any network interface of a computer: Ethernet, WiFi, PPP, loopback and even USB. Wireshark is usually used to identify network problems such as congestion, excessive latency or protocol errors. But there is no need to wait for something to break in order to study Wireshark. Let's get started with the review of this program.

Wireshark is written with the GTK+ libraries and has a graphical interface (GUI). In addition to the GUI there is a console implementation called TShark with the same functionality as the graphical version. Since the program is very popular as an administrative tool for network analysis, it is available in the repositories of almost every Linux distribution; there are also versions for Windows and Mac OS X. If for some reason you cannot find it in your Linux repositories, you can always download ready-made builds for various distributions from the official website, or download the source, compile and install it.

It should be noted right away that Wireshark must be run as root, because to intercept traffic the program needs superuser privileges to put the interface into so-called promiscuous mode. The core of Wireshark is the libpcap library, which is used to capture data. The program has built-in support for a large number of network devices; you can check whether your network card works with it on the Wireshark project's wiki page. Almost all modern Ethernet and Wi-Fi cards have no compatibility problems with this program.

Traffic interception

A new capture session is started from the Capture menu in the program window. To see the whole list of network interfaces that Wireshark was able to detect, go to Capture > Interfaces. A dialog box appears listing, in addition to the physical devices, a pseudo-device called "any", which captures data from all the other devices in the list.
Before starting, you can set some options for the capture. Under Capture > Options you can select:

- filters for selective traffic analysis (for example, by a specific protocol or address range);
- automatic stopping of the capture when the configured time is reached;
- sorting of the received data by a given size or date.

The first thing you see after starting a new session is the log window, which shows basic information about each packet the program processes: source, destination, protocol, time and so on. All of it is organized in a table with headings. For readability, Wireshark colour-highlights text fragments, changes background colours and marks the most "interesting" packets with flags.

The duration of the interception depends on what information you would like to receive as a result. For example, it will take several hours to analyze and solve difficult-to-define problems related to the operation of Internet services. But to get acquainted with the main features of the program, only a few minutes will be enough.

To analyse a received packet, simply select it in the log window, although it is advisable to do this after stopping the capture. The details of the packet of interest are presented in a separate tree-like pane in which all its components are sorted by network layer. For example, if you have problems with Ethernet you need to analyse the Ethernet frames; if it is an HTTP problem, you need to "dive" into the HTTP protocol layer.

You can always save the captured data for later analysis. Wireshark saves the received data to a file with the extension .pcap.
Be careful, though: this file can be quite large. So if you are only interested in a certain part of the network traffic, you can use Wireshark's filters to reduce the size of the file. The filter system lives in the same window as the general table of captured data. Use these filters to reduce the size of a file before saving it to disk.

Data analysis

The filter system is the main way to convert the received data into the form you need. To choose the required filter, click the Filter button in the program window. A window appears with options to choose from: TCP only; UDP only; all IP addresses except local ones; everything except DNS and ARP; and many others. When you select a filter from the list, Wireshark's syntax window shows the complete command representing the filter in its "expanded" form, which is useful for learning Wireshark's syntax when writing your own filters.

For example, the filter "Do not receive data via HTTP and SMTP from the address 192.168.0.1" looks like this:
not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1
Click Apply and Wireshark filters the data it captured in the main window. Of course, you can write and then save your own filter by clicking "Expression"; Wireshark lets you manually select logical operators and well-known fields with which to build your own filters.
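An added example, not from the original article, showing what the .pcap file Wireshark writes looks like on disk and how to apply the ip.addr == 192.168.0.1 part of the filter above before saving, as the article advises. The three frames, timestamps and file name are constructed; the tcp.port conditions are left out to keep the block short.

```python
"""Write a libpcap (.pcap) file Wireshark can open, filtering by ip.addr first."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps; written little-endian here
LINKTYPE_ETHERNET = 1

def ipv4_addrs(frame):
    """(src, dst) of an Ethernet/IPv4 frame as dotted quads, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def matches_ip_addr(frame, address):
    """Same meaning as the Wireshark display filter  ip.addr == address."""
    addrs = ipv4_addrs(frame)
    return addrs is not None and address in addrs

def write_pcap(path, records):
    """records: iterable of (seconds, microseconds, frame_bytes)."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                            LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Return (linktype, [(sec, usec, frame), ...]) from a file written above."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    linktype = struct.unpack("<I", data[20:24])[0]
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        records.append((sec, usec, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return linktype, records

def eth_ipv4(src, dst):
    """Constructed minimal Ethernet/IPv4 frame (protocol TCP, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip

SAMPLE_CAPTURE = [  # constructed records, not a real capture
    (1288310400, 0, eth_ipv4("192.168.0.1", "198.51.100.10")),
    (1288310400, 500, eth_ipv4("192.168.0.7", "192.168.0.1")),
    (1288310401, 0, eth_ipv4("192.168.0.7", "203.0.113.5")),
]

def save_filtered(address="192.168.0.1", path=None):
    """Filter first, then write, as the article advises; return what was saved."""
    path = path or os.path.join(tempfile.gettempdir(), "wireshark_filtered.pcap")
    write_pcap(path, [r for r in SAMPLE_CAPTURE if matches_ip_addr(r[2], address)])
    return read_pcap(path)
```

The file save_filtered() produces opens in Wireshark directly (File > Open), with only the two frames involving 192.168.0.1.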

The Analyze menu contains a set of more complex preset filtering options.

1. "Enable Protocols" lets you enable or disable protocols;
2. "Specified Decodes" allows you to decode certain protocols, which can be useful when diagnosing a specific application;
3. "Follow TCP Stream" helps you select an individual TCP connection and track its state from beginning to end; similar options are available for UDP and SSL connections;
4. "Expert Information" retrieves error messages and warning flags (such as lost or out-of-order segments) so you can spot a problem quickly.

The Statistics menu gives a more general overview of the whole set of captured data. It contains preset functions for analysing general network parameters and presents them in a convenient tabular form. If you are exploring the traffic of your network for the first time, this tool helps you understand the basic principles of its operation. Here you can analyse data such as response times, the sizes of the fragments into which packets are divided, and traffic at the link and application layers.

Wireshark can also display the received information graphically, which makes it easier to take in. By going to the Graphs tool in the Statistics menu you can select five filters to compare side by side using different colours.

Start of analysis

As mentioned at the beginning of this article, Wireshark's main use for traffic analysis is as a tool for finding out why a piece of equipment behaves strangely and where that behaviour originates. Unfortunately, getting to the root of problems such as excessive latency or low throughput is not that easy with this method.

Of course, if there is a zombie machine on your network infected with a Trojan, you can easily detect it, for example as a spam bot, if you see thousands of SMTP connections within one hour. Detecting viruses and malware is an important analysis task. But determining why one of your file servers runs a little slower than the others may require you to dig deeper.

The training materials on the Wireshark project website are an indispensable help. The wiki has several pages dedicated to major network problems, as well as links to other sources with similar information. It also covers other network analysis and security tools such as Nagios, Nmap and tcpdump. Most network research requires an understanding of the TCP/IP protocol stack, so a good book or two on the subject is a must.

Wireshark includes many capabilities for analysing your network as you probe it for the source of problems. For example, you can run a statistical comparison between two saved capture files: capture while you are first learning about a problem, then capture again later and compare the two.
In other words, you can collect and compare capture files from different machines, for example in different network segments or with different configurations. This is all the more useful because Wireshark builds exist for proprietary operating systems: when troubleshooting performance problems you may need to gather information from a variety of sources.

Extra features: visualization, alternative interceptions

Although the analysis and filtering tools included in Wireshark's graphical interface already offer great possibilities for working with captured traffic, the GUI's capabilities are not limited to that.

There are many examples of how graphical reporting presents information in ways that tables never could, and many tools exist to extend Wireshark's capabilities in the form of visualizations written for it. But all (or almost all) of them are paid. I want to reassure you, though: you will not need them.

Wireshark can export captured data to a CSV file, which you can then open in any other application, for example an ordinary spreadsheet such as Gnumeric or OpenOffice, or a statistical package such as gnuplot. Good analysis applications can be found at forensicswiki.org; the list changes constantly. For example, the popular analysis engine Freebase Gridworks has become the Google Refine project, which can visualize network traffic in a much more user-friendly way.

And last but not least: although Wireshark is almost always positioned as a network analysis tool, the truth is that it can analyse other things too, such as USB traffic and even Unix sockets between applications.

To sum up: after reading this article you have the knowledge needed to start experimenting with Wireshark.