Wireshark — The Best Packet Analyzer

Introduction.

Wireshark is an open-source network protocol analyzer: a packet sniffer and analysis tool. It captures traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), Token Ring and Frame Relay interfaces, among others, and stores it in capture files (pcap or pcapng) for offline analysis. Traffic can be filtered at two points: a capture filter decides what is recorded before the capture starts, and a display filter narrows what is shown during analysis, so the analyst can zero in on the relevant part of the trace. For example, a display filter can show only the TCP traffic between two IP addresses, or only the packets sent by one host. Wireshark is also used to trace connections, inspect the contents of suspect network transactions and spot bursts of traffic.

Installation.

On Windows, Wireshark is installed with administrator rights by running the installer for the platform (for example the 64-bit installer on Windows 10); the installer also sets up Npcap, the driver Wireshark needs to capture on Windows. On Linux, Wireshark is installed from the distribution's package manager:

Once installed, Wireshark can capture traffic provided the user is allowed to open the interface. On Linux this means either running as root, which is discouraged, or being a member of the wireshark group, which lets the unprivileged GUI drive the privileged capture helper dumpcap (on Debian-based systems the group is set up by answering yes to the dpkg-reconfigure wireshark-common prompt). Select a network interface and click Start: packets appear in the packet list as they are captured and can be analyzed immediately. On Kali Linux, Wireshark is part of the default tool set and is already installed.

Wireshark also has a Docker image, which avoids a platform-specific installation; the container is started with a single command:

What Wireshark does.

Packet Capture.

Wireshark listens on a network interface in real time and records entire streams of traffic, easily tens of thousands of packets at a time.

Filtering.

Wireshark can slice and dice all this live data using filters. By applying a filter, it is possible to obtain just the information needed.

Visualization.

Wireshark lets you dive into the middle of an individual packet, and it can also visualize entire conversations and network streams.

Advantages of Wireshark.

Supported protocols.

Wireshark excels in the number of protocols it supports. These range from everyday ones such as IP and DHCP to less common ones such as AppleTalk and BitTorrent, and new dissectors are added with every release.

User-friendliness.

The Wireshark interface is one of the easiest to understand of any packet-sniffing application. It is GUI-based, with clearly written context menus and a straightforward layout. It also provides several features designed to enhance usability, such as protocol-based coloring rules and graphical views of the captured data.

Cost.

Since it is open source, Wireshark's price can't be beat: it is released as free software under the GNU General Public License. You can download and use Wireshark for any purpose, personal or commercial.

Disadvantages.

Wireshark cannot break encryption. It can decrypt protected traffic only when it is given the keys, for example TLS session secrets logged by a browser through SSLKEYLOGFILE or a WPA2 pre-shared key; without key material, encrypted payloads remain opaque bytes. Under normal circumstances it also cannot see traffic between other systems: on a switched network a host only receives the frames addressed to it plus broadcast and multicast, so Wireshark sees the traffic between the local computer and the remote systems it talks to, and capturing the rest requires a mirror (SPAN) port, a network TAP or a hub. Wireshark is not an intrusion detection system (IDS): it flags malformed packets and applies coloring rules and expert information, but it raises no alerts and takes no action on traffic. It is also strictly passive; it can neither send, alter nor generate packets. Finally, under heavy traffic the capture engine can fall behind and drop packets (the capture statistics report the drop count); long captures of busy links are better done with the command-line tools dumpcap or tshark, a capture filter and a ring buffer of files, with the saved files analyzed in the GUI afterwards. That split is also good security practice: dissectors parse attacker-controlled bytes and have had memory-safety bugs in the past, so only the capture step should run with elevated privileges and the parsing should happen in an unprivileged process.

Methodology.

Wireshark has two kinds of filters. Capture filters (written in BPF syntax) are set before the capture starts and decide which packets are recorded at all; display filters are applied to an existing capture and only change which packets are shown. Display filters can be applied in two ways: by typing an expression into the display filter bar at the top of the window, or by highlighting a packet (or a field within a packet) and right-clicking it to choose Apply as Filter or Prepare as Filter.

Wireshark shows three panes for inspecting packet data. The Packet List, the top pane, lists every packet in the capture with its number, timestamp, addresses, protocol and a one-line summary. When a packet is selected, the other two panes change to show it: the Packet Details pane displays the dissected protocol layers as an expandable tree, and the Packet Bytes pane shows the raw bytes in hex and ASCII. From any of these panes, the right-click menu's Conversation Filter and Follow options pull out the other packets that belong to the same conversation.

Use Cases of Wireshark.

Identifying the cause of a slow internet connection.

The http.time field (the time between an HTTP request and its response) is used to quickly identify slow application response times from web servers; sorting or graphing it shows which requests the server took longest to answer. Packet loss, by contrast, shows up in the TCP layer: the receiver sends duplicate ACKs for the segment it is missing, after which the sender fast-retransmits that segment if only a single one was lost (and, when both sides support selective acknowledgement, can repair several holes the same way); otherwise the retransmission timer expires and the sender falls back to a slower timeout-based retransmission.
The filters that can be utilized are:

  • tcp.analysis.lost_segment: This filter flags a gap in sequence numbers in the capture (Wireshark labels it "previous segment not captured"). A gap means either that the segment was lost on the path, which leads to duplicate ACKs and retransmissions, or that the capture point simply missed it.
  • tcp.analysis.retransmission: This filter displays all retransmissions in the capture. A few retransmissions are normal; excessive retransmissions are bad and show up to the user as slow application performance and/or packet loss. The related filters tcp.analysis.duplicate_ack and tcp.analysis.fast_retransmission isolate the two sides of the recovery described above.
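
As an added example (not part of the original article and not Wireshark's own code), the following Python reproduces a simplified version of the TCP expert heuristics behind these filters over a constructed, not captured, exchange: a client sending 100-byte segments, one of which the capture point never sees, and the server's acknowledgements. It also computes the per-ACK round-trip samples that Wireshark plots in its Round Trip Time graph, which goes slightly beyond the filters discussed here. Wireshark's real rules are more involved (out-of-order versus retransmission is decided partly by timing, and a duplicate ACK also requires an unchanged window and sequence number), so treat this as the idea, not the implementation.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Segment:
    t_ms: int                  # capture timestamp in milliseconds
    src: str                   # "C" (client) or "S" (server)
    seq: int = 0               # relative sequence number of the first payload byte
    length: int = 0            # payload bytes; 0 for a pure ACK
    ack: Optional[int] = None  # acknowledgement number carried, if any

def analyze(segments: List[Segment]):
    """Simplified TCP expert analysis: returns (notes, rtts).

    notes: (t_ms, src, tag) where tag is the suffix of the matching
           tcp.analysis.* display filter; rtts: (t_ms of the ACK, rtt_ms)."""
    next_seq = {}   # per sender: highest seq + length seen so far
    last_ack = {}   # per sender: last acknowledgement number it sent
    unacked = {}    # per sender: [(end_seq, t_ms)] data segments not yet ACKed
    notes, rtts = [], []
    for s in sorted(segments, key=lambda x: x.t_ms):
        if s.length > 0:
            expected = next_seq.get(s.src)
            if expected is not None and s.seq > expected:
                notes.append((s.t_ms, s.src, "lost_segment"))    # gap before this segment
            elif expected is not None and s.seq + s.length <= expected:
                notes.append((s.t_ms, s.src, "retransmission"))  # these bytes were already seen
            next_seq[s.src] = max(expected or 0, s.seq + s.length)
            unacked.setdefault(s.src, []).append((s.seq + s.length, s.t_ms))
        if s.ack is not None:
            peer = "S" if s.src == "C" else "C"
            if s.length == 0 and last_ack.get(s.src) == s.ack:
                notes.append((s.t_ms, s.src, "duplicate_ack"))   # same ACK number again, no data
            last_ack[s.src] = s.ack
            covered = [u for u in unacked.get(peer, []) if u[0] <= s.ack]
            if covered:
                # RTT sample: time since the most recently sent segment this ACK covers
                rtts.append((s.t_ms, s.t_ms - max(t for _, t in covered)))
                unacked[peer] = [u for u in unacked[peer] if u[0] > s.ack]
    return notes, rtts

def matching(notes, display_filter: str):
    """Timestamps of the notes a tcp.analysis.<tag> display filter would select."""
    tag = display_filter.split("tcp.analysis.", 1)[1]
    return [t for t, _, note in notes if note == tag]

# Constructed sample exchange (not a real capture): the segment at seq 200 is
# missing from the capture and is retransmitted by the client at t=60 ms.
SAMPLE = [
    Segment(0, "C", seq=0, length=100),
    Segment(1, "C", seq=100, length=100),
    Segment(2, "C", seq=300, length=100),    # seq 200..299 never captured -> lost_segment
    Segment(50, "S", ack=200),               # ACKs everything up to the hole
    Segment(51, "S", ack=200),               # duplicate ACK
    Segment(52, "S", ack=200),               # duplicate ACK
    Segment(60, "C", seq=200, length=100),   # retransmission of the missing segment
    Segment(110, "S", ack=400),              # hole filled, everything acknowledged
]

if __name__ == "__main__":
    notes, rtts = analyze(SAMPLE)
    for note in notes:
        print("%4d ms %s tcp.analysis.%s" % note)
    print("retransmissions at", matching(notes, "tcp.analysis.retransmission"), "ms")
    print("RTT samples (ack time, rtt):", rtts)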

Packet Capture with Wireshark.

  • Finding Packets: To find packets that match particular criteria, open the Find Packet bar by pressing CTRL-F. This bar offers four ways of searching:
    - The Display filter option allows you to enter an expression-based filter that will find only those packets that satisfy that expression.
    - The Hex value option searches for packets with a hexadecimal (with bytes separated by colons) value you specify.
    - The String option searches for packets with a text string you specify.
    - The Regular Expression option searches for packets with a regex you specify.
  • Marking Packets: After you have found the packets that match your criteria, you can mark those of particular interest. For example, you may want to mark packets to be able to save those packets separately or to find them quickly based on the coloration. Marked packets stand out with a black background and white text.
    To mark a packet, right-click it in the Packet List pane and choose Mark Packet from the pop-up or click a packet in the Packet List pane and press CTRL-M. To unmark a packet, toggle this setting off using CTRL-M again.

Protocol Hierarchy Statistics.

When dealing with extremely large capture files, you sometimes need to determine the distribution of protocols in the file, that is, what percentage of a capture is TCP, IP, DHCP, and so on. Rather than counting each packet and totaling the results, you can use Wireshark's Protocol Hierarchy Statistics window (Statistics > Protocol Hierarchy), which is also a good way to baseline your network. For instance, if you know that 10 percent of your network traffic is usually ARP, and one day you take a capture that is 50 percent ARP, then you know something might be wrong.

Protocol Dissection.

A protocol dissector allows Wireshark to break a protocol down into its fields so that it can be analyzed. For example, the ICMP dissector takes the raw bytes off the wire and formats them as an ICMP packet. You can think of a dissector as the translator between the raw data flowing across the wire and the Wireshark program. For a protocol to be supported by Wireshark, it must have a dissector built in (or you can write your own, in C or, for quick prototyping, in Lua). Because a dissector parses bytes an attacker may control, dissector bugs have been a recurring source of Wireshark security fixes; keep Wireshark updated and do not open untrusted captures in a privileged session.
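
The two ideas above, a dissector chain that turns raw bytes into a protocol stack and the Protocol Hierarchy Statistics computed from it, are small enough to show in code. The following Python is an added example, not Wireshark's implementation (Wireshark's dissectors are written in C or Lua and registered in dissector tables keyed by ethertype, IP protocol number and port, which is what the dictionaries below imitate). It writes a five-frame libpcap file from constructed packets, parses it back, dissects each frame down to the application layer and reports the per-protocol frame percentages. Port-based identification (TCP port 80 is HTTP) mirrors Wireshark's default behaviour and is a heuristic, not proof of the protocol; checksums in the constructed packets are left at zero and not validated.

```python
import struct
from collections import Counter
from typing import List

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def parse_pcap(data: bytes):
    """Yield (timestamp_s, frame_bytes) records from a classic libpcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet frames is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

# --- dissectors: each takes its layer's bytes and returns (next_layer, payload) ---
PORT_TABLE = {("tcp", 80): "http", ("tcp", 443): "tls", ("tcp", 53): "dns", ("udp", 53): "dns"}

def by_port(transport, sport, dport):
    return PORT_TABLE.get((transport, dport)) or PORT_TABLE.get((transport, sport)) or "data"

def dissect_eth(frame):
    ethertype, = struct.unpack("!H", frame[12:14])
    return {0x0800: "ip", 0x0806: "arp", 0x86DD: "ipv6"}.get(ethertype, "data"), frame[14:]

def dissect_ip(pkt):
    ihl = (pkt[0] & 0x0F) * 4                        # header length in bytes
    return {1: "icmp", 6: "tcp", 17: "udp"}.get(pkt[9], "data"), pkt[ihl:]

def dissect_tcp(pkt):
    sport, dport = struct.unpack("!HH", pkt[:4])
    payload = pkt[(pkt[12] >> 4) * 4:]               # data offset is in 32-bit words
    return (by_port("tcp", sport, dport), payload) if payload else (None, b"")

def dissect_udp(pkt):
    sport, dport = struct.unpack("!HH", pkt[:4])
    return by_port("udp", sport, dport), pkt[8:]

DISSECTORS = {"eth": dissect_eth, "ip": dissect_ip, "tcp": dissect_tcp, "udp": dissect_udp}

def dissect(frame: bytes) -> List[str]:
    """Protocol stack of one frame, e.g. ['eth', 'ip', 'tcp', 'http']; a protocol
    without a dissector here (arp, icmp, http, dns, ...) ends the chain."""
    stack, layer, payload = [], "eth", frame
    while layer is not None:
        stack.append(layer)
        handler = DISSECTORS.get(layer)
        if handler is None or not payload:
            break
        layer, payload = handler(payload)
    return stack

def protocol_hierarchy(pcap: bytes):
    """Frames per protocol and their share of all frames, like Statistics >
    Protocol Hierarchy (frame percentages only; Wireshark also reports bytes)."""
    frames = [f for _, f in parse_pcap(pcap)]
    counts = Counter(p for f in frames for p in dissect(f))
    total = len(frames) or 1
    return {p: (n, round(100.0 * n / total, 1)) for p, n in counts.items()}

# --- constructed five-frame capture (not real traffic); checksums left at zero ---
def eth(payload, ethertype):
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload

def ipv4(payload, proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def tcp(payload, sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def udp(payload, sport, dport):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

FRAMES = [
    eth(struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20), 0x0806),                  # ARP request
    eth(ipv4(tcp(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 40000, 80), 6), 0x0800),  # HTTP request
    eth(ipv4(tcp(b"", 80, 40000), 6), 0x0800),                                             # pure TCP ACK
    eth(ipv4(udp(struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0), 5353, 53), 17), 0x0800),  # DNS header
    eth(ipv4(struct.pack("!BBHHH", 8, 0, 0, 1, 1), 1), 0x0800),                            # ICMP echo request
]

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap(FRAMES)

if __name__ == "__main__":
    for proto, (n, pct) in sorted(protocol_hierarchy(SAMPLE_PCAP).items(), key=lambda kv: -kv[1][0]):
        print("%-5s %2d frames %5.1f%%" % (proto, n, pct))
```

The same SAMPLE_PCAP bytes can be written to a file and opened in Wireshark, whose Protocol Hierarchy window will show the same five-frame breakdown (with byte counts added).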

Following TCP Streams.

One of Wireshark's best analysis features is its ability to reassemble TCP streams into an easily readable format. Rather than viewing the data sent from client to server as a series of small segments, the Follow TCP Stream feature puts the segments back in sequence order and shows each direction's payload as continuous text. This comes in handy when viewing plaintext application-layer protocols such as HTTP, FTP, SMTP and so on.
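
As an added example (not from the article and not Wireshark's code), the following Python performs the reassembly that Follow TCP Stream does. The segments for each direction, constructed here rather than captured, are placed by sequence number, so out-of-order arrival, a retransmission and an overlapping segment all collapse into one clean byte stream, and a segment missing from the capture is reported as a gap instead of silently corrupting the text. Sequence numbers are relative, with the first payload byte at 1, as in Wireshark's relative-sequence display; the gap marker text is this example's own, not Wireshark's exact wording.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Segment:
    src: str        # "C" (client) or "S" (server)
    seq: int        # relative sequence number of the first payload byte
    payload: bytes

def reassemble(segments: List[Segment], isn: Dict[str, int]):
    """Rebuild each direction's byte stream from its segments.

    Segments are placed by sequence number, so out-of-order capture is fixed;
    bytes already reassembled (retransmissions, overlaps) are dropped; a hole is
    recorded in `gaps` and marked in the stream, as Wireshark's Follow view
    reports bytes missing from the capture. Returns (streams, gaps)."""
    streams, gaps = {}, {}
    for src in sorted({s.src for s in segments}):
        buf, next_seq = bytearray(), isn[src]
        for s in sorted((s for s in segments if s.src == src), key=lambda s: s.seq):
            end = s.seq + len(s.payload)
            if end <= next_seq:
                continue                          # nothing new: retransmission or exact duplicate
            if s.seq > next_seq:                  # hole: the capture missed a segment
                gaps.setdefault(src, []).append((next_seq, s.seq))
                buf += b"[%d bytes missing]" % (s.seq - next_seq)
                next_seq = s.seq
            buf += s.payload[next_seq - s.seq:]   # skip any overlap with bytes already placed
            next_seq = end
        streams[src] = bytes(buf)
    return streams, gaps

def render(streams: Dict[str, bytes]) -> str:
    """Plain-text view of both directions, in the spirit of the Follow TCP Stream window."""
    return "\n".join("%s -> %s" % (src, data.decode("ascii", "replace"))
                     for src, data in streams.items())

# Constructed conversation (not real traffic). Capture order deliberately
# scrambled: the client's Host: header arrives before the request line and is
# then retransmitted; the server's second segment overlaps its first by 8 bytes.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
ISN = {"C": 1, "S": 1}    # relative ISNs: first payload byte is seq 1 after the SYN
SEGMENTS = [
    Segment("C", 27, REQUEST[26:46]),   # Host: header, captured first (out of order)
    Segment("C", 1, REQUEST[:26]),      # request line
    Segment("C", 27, REQUEST[26:46]),   # retransmission of the Host: header
    Segment("C", 47, REQUEST[46:]),     # final CRLF
    Segment("S", 1, RESPONSE[:17]),     # status line
    Segment("S", 10, RESPONSE[9:]),     # rest of the response, overlapping seq 10..17
]

if __name__ == "__main__":
    streams, gaps = reassemble(SEGMENTS, ISN)
    print(render(streams))
    print("gaps:", gaps)
```

Dropping the client's first segment from SEGMENTS before calling reassemble shows the failure mode: the client stream then begins with the gap marker and gaps reports the missing byte range (1, 27), which is exactly the situation tcp.analysis.lost_segment flags in the packet list.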

Graphing.

Viewing I/O Graphs.

Wireshark’s IO Graphs window allows you to graph the throughput of data on a network. You can use such graphs to find spikes and lulls in data throughput, discover performance lags in individual protocols, and to compare simultaneous data streams.

Round-Trip Time Graphing.

Another graphing feature of Wireshark is the ability to plot the round-trip times for a given capture file (Statistics > TCP Stream Graphs > Round Trip Time). The round-trip time (RTT) is the time between a data segment being sent and the acknowledgment for it being received; effectively, the time it took your segment to reach its destination and for the acknowledgment to come back. RTT analysis is used to find slow points or bottlenecks in a conversation and to quantify latency.

Flow Graphing.

The flow graphing feature is very useful for visualizing connections and showing the flow of data over time. Basically, a flow graph contains a column-based view of a connection between hosts and organizes the traffic so you can interpret it visually.

Advanced Use Cases of Wireshark.

  • Investigating lost data packets.
  • Troubleshooting latency issues.
  • Detecting malicious network activity.
  • Identifying unauthorized data exfiltration.
  • Analyzing bandwidth usage.
  • Tracing Voice over IP (VoIP) calls on the network.
  • Detecting man-in-the-middle (MITM) attacks, for example ARP spoofing, which Wireshark reports as a duplicate IP address in its expert information.
