Ever wanted to understand how someone can look at your traffic when you connect to a rogue wifi spot? 🧐
Wireshark is an open-source network packet analyzer that allows live traffic analysis and network forensics, with support for several network protocols. Black-hat and white-hat hackers use this tool to understand and analyze network traffic packets. Let’s take a look at how this works, starting with how the network stack works, including the OSI model, data encapsulation, switches, routers, and packets.
The OSI Model
The Open Systems Interconnection (OSI) model was published in 1983 and is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers.
Protocols are separated according to their function, and the hierarchy makes it easier to understand network communication:
Layer 1: Physical Layer
Represents the physical and electrical medium through which the network data is transferred. It comprises all hardware: hubs, network adapters, cables, etc.
Layer 2: Data Link Layer
It provides the means of transporting data across a physical network. Bridges and switches are the physical devices in this layer. This layer is responsible for providing an addressing scheme that can be used to identify physical devices: the MAC address.
Layer 3: Network Layer
Responsible for routing data between physical networks, assigning the logical addressing of network hosts. It also handles packet fragmentation and error detection.
Layer 4: Transport Layer
It provides the flow control of data between two hosts. Many firewalls and proxy servers operate at this layer.
Layer 5: Session Layer
Responsible for the session between two computers, managing operations such as gracefully terminating connections. This layer can also establish whether a connection is duplex or half-duplex.
Layer 6: Presentation Layer
Transforms the received data into a format that can be read by the application layer, such as encoding/decoding and several forms of encryption/decryption for securing the data.
Layer 7: Application Layer
Provides the details for end-users to access network resources.
The way the protocols on different layers of the OSI model communicate is through data encapsulation, where each layer in the stack adds a header or footer to the packet.
The encapsulation protocol creates a protocol data unit (PDU), including the data with all header and footer information added to it. What we call the packet is the complete PDU.
For instance, in Wireshark, we can track the sequence number where a higher layer PDU starts and stops. This allows us to measure how long it took to transfer a PDU (the display filter is tcp.pdu.time).
Switches and Routers
There are four primary ways to capture traffic from a target device on a switched network: using a hub, using a tap, by port mirroring, or by ARP spoofing/cache poisoning. The first two obviously require a hub or a tap. Port mirroring requires forwarding capability from the switch.
All of the techniques for a switched network are available on routed networks as well. However, for routers, the sniffer placement becomes more relevant since a device’s broadcast domain extends only until it reaches a router.
Types of Traffic Packets
There are three types of traffic packets within a network:
- Broadcast packet: sent to all ports on the network segment. The broadcast MAC address is ff:ff:ff:ff:ff:ff (layer 2) or the highest possible IP address (layer 3).
- Multicast packet: sent from a single source to multiple destinations, to simplify the process using as little bandwidth as possible.
- Unicast packet: transmitted from one computer to another.
Common Protocols by Layer
The Address Resolution Protocol (Layer 2)
Both logical and physical addresses are used for communication on a network. Logical addresses allow communication between multiple networks (indirectly connected devices). Physical addresses allow communication on a single network (devices that are connected to each other with a switch, for example).
ARP is the protocol used to determine which MAC address (physical address such as 00:09:5B:01:02:03 and belonging to layer 2) corresponds to a particular IP address (logical addresses such as 10.100.20.1, belonging to layer 3).
The ARP resolution process uses two packets (ARP request and ARP response) to find the matching MAC address, sending a broadcast packet to every device in the domain, and waiting for the response of the correct client. This works because a switch uses a MAC table to know through which port to send the traffic.
In Wireshark, ARP is easily spotted with sentences such as “Who has 192.168.11/ Tell 192.168.1.1”. Additionally, you can see the ARP table in your device with:
> arp -a
The Internet Protocol (Layer 3)
Every interface on the Internet must have a unique Internet address.
IP has the task of delivering packets between hosts based on the IP addresses in the packet headers.
IPv4 addresses are 32-bit addresses used to identify devices connected in a network uniquely. They are represented by the dotted-quad notation with four sets of 8 bits, represented by decimal numbers between 0 and 255.
In addition, an IP address consists of two parts: a network address and a host address. The network address identifies the local area network (LAN), and the host address identifies the device on that network.
The determination of these two parts is given by another set of addressing information, the network mask (netmask or subnet mask), which is also 32 bits long. In the netmask, every bit set to 1 identifies the portion of the IP address that belongs to the network address. Remaining bits set to 0 identify the host address:
Additionally, the IP packet header contains information such as:
- Version: the version of IP used.
- Header Length: length of the IP header.
- Type of Service: flag used by routers to prioritize traffic.
- Total length: length of the IP header and the data in the packet.
- Identification: identification of a packet or sequence of fragmented packets.
- Fragment offset: identification of whether a packet is a fragment.
- Time to Live: definition of the lifetime of the packet, measured in hops/seconds through routers. A TTL is defined when a packet is created and generally is decremented by one every time the packet is forwarded by a router.
- Protocol: identification of the type of packet coming next in the sequence.
- Header checksum: error-detection mechanism.
- Source IP Address.
- Destination IP address.
- Options: for routing and timestamps.
The Internet Control Message Protocol (Layer 3)
ICMP is the utility protocol of TCP/IP responsible for providing information about the availability of devices, services, or routes on a network.
An example of a service that uses ICMP is ping:
> ping www.google.com
PING www.google.com (18.104.22.168) 56(84) bytes of data.
64 bytes from iad23s23-in-f18.1e100.net (22.214.171.124): icmp_seq=1 ttl=53 time=21.5 ms
64 bytes from iad23s23-in-f18.1e100.net (126.96.36.199): icmp_seq=2 ttl=53 time=22.5 ms
64 bytes from iad23s23-in-f18.1e100.net (188.8.131.52): icmp_seq=3 ttl=53 time=21.4 ms
and traceroute (Windows sends ICMP packets, Linux sends UDP):
> traceroute www.google.com
traceroute to www.google.com (184.108.40.206), 30 hops max, 60 byte packets
1 * * *
2 220.127.116.11 (18.104.22.168) 30.078 ms 30.452 ms 30.766 ms
3 22.214.171.124 (126.96.36.199) 33.889 ms 188.8.131.52 (184.108.40.206) 33.426 ms 220.127.116.11 (18.104.22.168) 34.007 ms
4 rtr101.wan.hcvlny.cv.net (22.214.171.124) 34.004 ms 451be075.cst.lightpath.net (126.96.36.199) 32.743 ms rtr102.wan.hcvlny.cv.net (188.8.131.52) 33.951 ms
5 184.108.40.206 (220.127.116.11) 34.972 ms 18.104.22.168 (22.214.171.124) 35.187 ms 35.120 ms
6 * 126.96.36.199 (188.8.131.52) 29.225 ms 29.646 ms
7 184.108.40.206 (220.127.116.11) 29.361 ms 18.104.22.168 (22.214.171.124) 39.780 ms 42.108 ms
8 126.96.36.199 (188.8.131.52) 33.220 ms 184.108.40.206 (220.127.116.11) 33.500 ms 33.786 ms
9 18.104.22.168 (22.214.171.124) 53.231 ms 57.314 ms 126.96.36.199 (188.8.131.52) 52.140 ms
10 184.108.40.206 (220.127.116.11) 52.022 ms 18.104.22.168 (22.214.171.124) 48.517 ms 48.075 ms
11 126.96.36.199 (188.8.131.52) 56.220 ms 45.359 ms 44.934 ms
12 ord08s11-in-f20.1e100.net (184.108.40.206) 43.184 ms 39.770 ms 45.095 ms
The way traceroute works is by sending an echo request that has a particular feature in the IP header: the TTL is 1. This means that the packet will be dropped at the first hop. The second packet goes through the first hop and then is dropped in the second hop (TTL is 2), and so on.
To make this work, the router replies with a double-headed packet, containing a copy of the IP header and the data that was sent in the original echo request.
PS: Check out this post from Julia Evans on how to create a simple Traceroute in 15 lines of code using Python’s Scapy.
The Transmission Control Protocol (Layer 4)
It provides a reliable flow of data between two hosts with a three-way handshake. The purpose of this protocol is to allow the transmitting host to ensure that the destination host is up and let the transmitting host check the availability of the port as well.
This handshake works as follows:
- Host A sends an initial packet with no data but with the synchronize (SYN) flag and the initial sequence number and maximum segment size (MSS) for the communication process.
- Host B responds with a synchronized and acknowledged (SYN + ACK) flag, with its initial sequence number.
- Host A sends an acknowledge (ACK) packet.
When the communication is done, a TCP teardown process is used to end a connection between two devices gracefully. The process involves four packets:
- Host A sends a packet with FIN and ACK flags.
- Host B sends an ACK packet and then a FIN/ACK packet.
- Host A sends an ACK packet.
Sometimes, however, connections can end abruptly (for example, due to a potential attacker issuing a port scan). In these cases, TCP reset packets with the RST flag set are used. This indicates that a connection was closed abruptly, or a connection attempt was refused.
Furthermore, when communicating with TCP, 65,535 ports are available. We typically divide them into two groups:
- standard port group: from 1 to 1023, used by specific services.
- ephemeral port group: from 1024 through 65535, randomly chosen by services.
Finally, the TCP header contains information such as:
- Source Port.
- Destination Port.
- Sequence number: identifies a TCP segment.
- Acknowledgment Number: sequence number to be expected in the next packet from the other device.
- Flags: URG, ACK, PSH, RST, SYN, FIN flags for identifying the type of TCP packet being transmitted.
- Window size: the size of the TCP receiver buffer in bytes.
- Checksum: verifies the integrity of the TCP header contents.
- Urgent Pointer: examined for additional instructions where the CPU should be reading the data within the packet.
- Options: optional fields.
The User Datagram Protocol (Layer 4)
While TCP is designed for reliable data delivery, UDP focuses on speed. UDP sends packets of data called datagrams from one host to another, with no guarantee that they reach the other end.
Unlike TCP, UDP does not formally establish and terminate a connection between hosts. For this reason, protocols that run over UDP (for example, DNS and DHCP) usually rely on their own built-in reliability services.
The UDP header has fewer fields than TCP:
- Source Port.
- Destination Port.
- Packet Length.
The Dynamic Host Configuration Protocol (Layer 7)
At the beginning of the Internet, when a device needed to communicate over a network, it would be assigned an address by hand.
As the Internet has grown, the Bootstrap Protocol (BOOTP) was created, automatically assigning addresses to devices. Later, BOOTP was replaced by DHCP.
The Hypertext Transfer Protocol (Layer 7)
HTTP is the mechanism that allows browsers to connect to web servers to view web pages. HTTP packets are built on top of TCP, and they are identified by one of the eight different request methods.
Analyzing Packets in Wireshark
In Wireshark, the process of network sniffing can be divided into three steps:
- Collection: transferring the selected network interface into promiscuous mode so it can capture raw binary data.
- Conversion: chunks of collected binary are converted into readable form.
- Analysis: processing of the protocol type, communication channel, port number, protocol headers, etc.
Network traffic sniffing is only possible if the network interface (NIC) is put into promiscuous mode. This passes all received traffic to the CPU (instead of only the frames that the interface was intended to receive).
If the NIC is not set to promiscuous mode, packets that are not destined to that controller are discarded.
Wireshark’s main GUI
Wireshark’s main GUI is composed of four parts:
- Capture’s options.
- Packet List: list all packets in the capture file. It can be edited to display packet number, relative time, source, destination, protocol, etc.
- Packet details: the hierarchical display of information about a single packet.
- Packet Bytes: a packet in its raw, unprocessed form.
To start capturing packets, all you need to do is to choose the network interface. You may also edit a capture filter prior to the packet collection.
The packet list panel displays several types of traffic by (configurable) colors. For instance:
- green is TCP (and consequently HTTP),
- dark blue is DNS,
- light blue is UDP,
- light yellow is for ARP,
- black identifies TCP packets with problems.
Packet Visualization and Statistics
Wireshark has several tools to learn about packets and networks:
- Statistics -> IO Graphs: Graphs the throughput of data. For instance, you can use graphs to find peaks in the data, discover performance bottlenecks in individual protocols, and compare data streams. Filtering is available in this interface (for example, to show ARP and DHCP traffic).
- Statistics -> TCP -> Stream Graph -> Round Trip Time Graph: Plots round-trip times (RTT) for a given capture file. This is the time it takes for an acknowledgment to be received from a sent packet.
- Statistics -> Flow Graph: Timeline-based representation of communication statistics (based on time intervals). It allows the visualization of connections and the flow of data over time. A flow graph contains a column-based view of a connection between hosts and organizes the traffic. This analysis can show slow points or bottlenecks and determine if there is any latency.
- Statistics -> Summary: Returns a report about the entire process by features such as interface, capture duration, capture number, and size of packets.
- Statistics -> Protocol Hierarchy: Shows statistical information of different protocols in a nodal form. It arranges the protocols according to their layers, presenting them in percentage form. For example, if you know that your network usually gets 15% ARP traffic and you see a value such as 50%, you know something is wrong.
- Statistics -> Conversations: Shows the address of the endpoints involved in the conversation.
- Statistics -> Endpoints: Similar to conversations, reflecting the statistics of traffic to and from an IP address. For example, for TCP, it can look like SYN, SYN/ACK, SYN.
- Edit -> Find Packet or CTRL-F: Finds packets that match some criteria. There are three options:
  - Display filter: expression-based filter (for example not ip, ip.addr==192.168.0.10, or arp).
  - Hex value: packets with a hexadecimal value (for example 00:ff, ff:ff).
  - String: packets with a text string (for example, admin or workstation).
- Right-click -> Follow TCP Stream: Reassembles TCP streams into a readable format (instead of having the data in small chunks). Text displayed in red signifies traffic from the source to the destination, and text in blue identifies traffic in the opposite direction. If you know the stream number (value to be followed to get various data packets), you can also use the following filter for the same purpose:
tcp.stream eq <number>
- Right-click -> Mark Packet or CTRL+M: Helps organize relevant packets.
The Berkeley Packet Filter Syntax
Wireshark’s filtering is a very powerful feature. It uses the Berkeley Packet Filter (BPF) syntax. The syntax corresponds to an expression which is made of one or more primitives. These primitives can have one or more qualifiers, which are defined below:
- Type: ID name or number (for example, host, net, port).
- Dir: transfer direction to or from the ID name or number (for example src and dst).
- Proto: restricts the match to a particular protocol (for example ether, ip, tcp, udp, or http)
An example of primitive is:
dst host 192.168.0.10
where dst host is the qualifier, and the IP address is the ID.
Types of Filters
Packets can be filtered in two ways:
- Capture filters: specified when packets are being captured. This method is good for the performance of large captures.
- Display filters: applied to an existing set of collected packets. This method gives more versatility since you have the entire data available.
In the following sections, I show several examples of capture and display filters.
Capture Filters by Host Address and Name
- Traffic associated with a host’s IPv4 address (also works for an IPv6 network).
- Traffic to or from a range of IP addresses:
- Device’s hostname with the host qualifier:
- If you are concerned that the IP address for a host changed, you can filter based on MAC address:
ether host ff-ff-ff-ff-ff-aa
- Only traffic coming from a particular host (host is an optional qualifier):
src host 172.16.16.150
- All the traffic leaving a host:
dst host 172.16.16.150
- Only traffic to or from IP address 220.127.116.11
- Traffic from a range of IP addresses:
src net 192.168.0.0/24
Capture Filters by Ports
- Gets traffic only on port 8000:
- All traffic except on port 443:
- Traffic going to a host listening on 80:
dst port 80
- Traffic within a range of port:
tcp portrange 1501-1549
- Both inbound and outbound traffic on port 80 and 21:
port 80 || port 21
- Only non-HTTP and non-SMTP traffic (equivalent):
host www.example.com and not (port 80 or port 25)
Capture Filters by Protocols
- Capture only unicast traffic (useful to get rid of the noise on the network):
not broadcast and not multicast
- ICMP traffic only:
- Drop ARP packets:
- Drop IPv6 traffic:
- DNS traffic:
- Clear text email traffic:
smtp || pop || imap
Capture Filters by Packet’s Properties
- TCP packets with SYN flag set:
- ICMP packets with destination unreachable (type 3):
- HTTP GET requests (bytes ‘G’,’E’,’T’ are hex values 47, 45, 54):
port 80 and tcp[((tcp[12:1] & 0xf0 ) >> 2 ):4 ] = 0x47455420
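How the byte-offset arithmetic in the HTTP GET capture filter works, as an added example that is not part of the original post. The segments, port numbers and option bytes are constructed sample input; the fixed-offset `naive_match` is included only to show why the filter computes the header length instead of assuming 20 bytes.

```python
import struct

HTTP_GET = 0x47455420  # bytes 'G', 'E', 'T', ' '


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment: 20-byte fixed header + options + payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4      # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        49152, 80,            # source port, destination port (constructed)
        1000, 2000,           # sequence and acknowledgment numbers
        data_offset << 4,     # byte 12: data offset in the upper nibble
        0x18,                 # flags: PSH + ACK
        65535, 0, 0,          # window size, checksum (unset), urgent pointer
    )
    return header + options + payload


def tcp_header_length(segment: bytes) -> int:
    """Equivalent of (tcp[12:1] & 0xf0) >> 2: header length in bytes."""
    # & 0xf0 keeps the data-offset nibble; >> 4 would give 32-bit words,
    # and words * 4 = bytes, so the filter folds both steps into >> 2.
    return (segment[12] & 0xF0) >> 2


def matches_http_get(segment: bytes) -> bool:
    """Equivalent of tcp[<header length>:4] = 0x47455420."""
    start = tcp_header_length(segment)
    if len(segment) < start + 4:
        return False          # too short to hold four payload bytes
    return int.from_bytes(segment[start:start + 4], "big") == HTTP_GET


def naive_match(segment: bytes) -> bool:
    """Fixed-offset check that assumes a 20-byte header (no TCP options)."""
    return segment[20:24] == b"GET "


if __name__ == "__main__":
    # NOP, NOP, timestamp option (kind 8, length 10): 12 bytes of options
    timestamps = bytes.fromhex("0101080a0000000100000002")
    samples = [
        ("GET, no options", build_tcp_segment(b"GET / HTTP/1.1\r\n")),
        ("GET, 12 B options", build_tcp_segment(b"GET / HTTP/1.1\r\n", timestamps)),
        ("POST", build_tcp_segment(b"POST /login HTTP/1.1\r\n")),
    ]
    for name, seg in samples:
        print(name, tcp_header_length(seg), matches_http_get(seg), naive_match(seg))
```
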
Display Filters by Host Address and Name
- Filter by IP address:
ip.addr == 10.0.0.1
- IP source address field:
ip.src == 192.168.1.114
- IP address src/dst for a network range:
Display Filters by Ports
- Any TCP packet with 4000 as a source or destination port:
tcp.port == 4000
- Source port:
tcp.srcport == 31337
Display Filters by Protocols
- Drops arp, icmp, dns, or whatever other protocols may be background noise:
!(arp or icmp or dns)
- Displays all re-transmissions in the trace (helps when tracking down slow application performance and packet loss):
- ICMP Type field to find all PING packets:
Display Filters by Packet’s Properties
- Displays all HTTP GET requests:
- Display all POST requests:
http.request.method == "POST"
- Filter for the HEX values:
udp contains 33:27:58
- The sequence number field in a TCP header:
tcp.seq == 52703261
- Packets that are less than 128 bytes in length:
frame.len <= 128
- TCP packets with SYN flag set:
tcp.flags.syn == 1
- TCP packets with RST flag set:
tcp.flags.rst == 1
- Displays all TCP resets:
tcp.flags.reset == 1
- IP flags where fragment bit is not set (see if someone is trying ping):
ip.flags.df == 0
Wireshark for Simple Security Tasks
Network Scan with SYN
A TCP SYN scan is a fast and reliable method to scan ports and services in a network. It is also less noisy than other scanning techniques.
Basically, it relies on the three-way handshake process to determine which ports are open on a target host:
- The attacker sends a TCP SYN packet to a range of ports on the victim.
- Once this packet is received by the victim, the following response will be observed:
- Open ports: replies with a TCP SYN/ACK packet (three times). Then the attacker knows that port is open, and a service is listening on it.
- Closed ports, not filtered: the attacker receives an RST response.
- Filtered ports (by a firewall, for example): the attacker does not receive any response.
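The three response patterns listed above can be turned into detection logic. The following is an added example, not code from the original post: it runs over a constructed list of packet records (addresses, ports and the `min_ports` threshold are assumptions) and flags a host that probes several ports without ever completing a handshake.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

# Constructed capture: (src IP, dst IP, src port, dst port, TCP flags)
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", 40001, 22, SYN),
    ("10.0.0.9", "10.0.0.5", 22, 40001, SYN | ACK),
    ("10.0.0.9", "10.0.0.5", 22, 40001, SYN | ACK),    # retransmitted SYN/ACK
    ("10.0.0.5", "10.0.0.9", 40002, 23, SYN),
    ("10.0.0.9", "10.0.0.5", 23, 40002, RST | ACK),
    ("10.0.0.5", "10.0.0.9", 40003, 80, SYN),
    ("10.0.0.9", "10.0.0.5", 80, 40003, SYN | ACK),
    ("10.0.0.5", "10.0.0.9", 40004, 443, SYN),         # never answered
    ("10.0.0.5", "10.0.0.9", 40005, 8080, SYN),
    ("10.0.0.9", "10.0.0.5", 8080, 40005, RST | ACK),
    # An ordinary client that completes the three-way handshake
    ("10.0.0.7", "10.0.0.9", 51000, 80, SYN),
    ("10.0.0.9", "10.0.0.7", 80, 51000, SYN | ACK),
    ("10.0.0.7", "10.0.0.9", 51000, 80, ACK),
]


def classify_probes(packets):
    """Map (initiator, target) -> {port: state} from the reply each SYN got."""
    probes = defaultdict(dict)
    for src, dst, sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            # Initial SYN: the port stays "filtered" unless the target answers.
            probes[(src, dst)].setdefault(dport, "filtered")
        elif flags & SYN:
            # SYN/ACK from the target: the probed port (sport here) is open.
            seen = probes.get((dst, src), {})
            if seen.get(sport) == "filtered":
                seen[sport] = "open"
        elif flags & RST:
            # RST from the target: the probed port is closed and not filtered.
            seen = probes.get((dst, src), {})
            if seen.get(sport) == "filtered":
                seen[sport] = "closed"
        elif flags & ACK:
            # Bare ACK from the initiator completes the handshake.
            seen = probes.get((src, dst), {})
            if seen.get(dport) == "open":
                seen[dport] = "established"
    return {pair: dict(ports) for pair, ports in probes.items()}


def find_scanners(packets, min_ports=3):
    """Flag initiators with >= min_ports probed ports and no finished handshake."""
    alerts = []
    for (src, dst), ports in classify_probes(packets).items():
        unfinished = sorted(p for p, s in ports.items() if s != "established")
        if len(unfinished) >= min_ports:
            alerts.append((src, dst, unfinished))
    return alerts


if __name__ == "__main__":
    for pair, ports in classify_probes(SAMPLE).items():
        print(pair, ports)
    print("scanners:", find_scanners(SAMPLE))
```
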
Operating System Fingerprint
Fingerprinting is a technique to determine the operating system on a system without having access to it.
In Passive Fingerprinting, an attacker can use certain fields within packets sent from the target to craft a stealthy fingerprint.
This is possible due to the lack of specificity in the protocols’ RFCs: although the various fields contained in the TCP, UDP, and IP headers are very specific, no default values are defined for these fields.
p0f is a nice tool for operating system fingerprinting.
For instance, the following header values can help one to distinguish between several operating systems:
IP, Initial Time to Live:
- 64 for Linux, Mac OS
- 128 for Windows
- 255 for Cisco IOS
IP, Don’t Fragment Flag:
- Set for Linux, Mac OS, Windows
- Not set for Cisco IOS
TCP, Max Segment Size:
- 1440 for Windows
- 1460 for Mac OS 10, Linux
TCP, Window Size:
- 2920–5840 for Linux
- 4128 for Cisco IOS
- 65535 for Mac OS 10
- variable for Windows
- Set for Linux, Windows
- Not set for Cisco IOS, Mac OS 10
In Active Fingerprinting, the attacker actively sends crafted packets to the victim whose replies reveal the OS. This can be done with Nmap.
Look at different DNS queries that are made while the user was online. A possible filter is:
This will give a view of any malicious DNS request done without the knowledge of the user. An example is a case where a visited website has a hidden iframe with some malicious script inside.
HTTP GET Headers
You can also look at different GET requests with:
tcp contains "GET"
Checking for DNS Leaks with VMs
In a virtual machine look at statistics → Endpoints. There should be only one public IP address: the VPN server that the virtual machine is connected to.
In networks with very high demand, when you reroute traffic, everything transmitted and received by the target system must first go through your analyzer system. This makes your analyzer the bottleneck in the communication process and can cause a denial of service (DoS).
You might be able to avoid all the traffic going through your analyzer system by using a feature called asymmetric routing.
Checking for ARP Cache Poisoning
ARP cache poisoning allows tapping into the wire with Wireshark. This can be used for good or for evil.
The way it works is the following: all devices on a network communicate with each other on layer 3 using IP addresses. Because switches operate on layer 2 they only see MAC addresses, which are usually cached.
When a MAC address is not in the cache list, ARP broadcasts a packet asking which MAC address owns some IP address. The destination machine replies to the packet with its MAC address via an ARP reply (as we have learned above). So, at this point, the transmitting computer has the data link layer addressing information it needs to communicate with the remote computer. This information is then stored in the ARP cache.
An attacker can spoof this process by sending ARP messages to an Ethernet switch or router with fake MAC addresses in order to intercept the traffic of another computer.
In Linux, ARP spoofing can be done with arpspoof or Ettercap. For instance, if your wlan0 is at 192.168.0.10 and the router is at 192.168.0.1, you can run:
$ arpspoof -i wlan0 -t 192.168.0.10 192.168.0.1
If you are a Windows user, ARP cache poisoning can be crafted using Cain & Abel.
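To check a capture for this, you can parse the ARP payloads and watch for an IP address whose MAC binding changes, or a single MAC that claims several IP addresses. The following is an added example, not code from the original post: the ARP payloads are constructed in memory, the victim and attacker MAC addresses are made up, and trusting the first binding seen for each IP is an assumption of this sketch.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # 28-byte ARP payload for Ethernet/IPv4
REQUEST, REPLY = 1, 2


def make_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP payload (used only to create sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), socket.inet_aton(sender_ip),
                       mac(target_mac), socket.inet_aton(target_ip))


def parse_arp(raw):
    """Return (operation, sender MAC, sender IP) from a raw ARP payload."""
    if len(raw) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return oper, sha.hex(":"), socket.inet_ntoa(spa)


def detect_poisoning(arp_payloads):
    """Report IPs whose MAC binding changes and MACs claiming several IPs."""
    first_seen = {}          # IP -> first MAC observed (trust on first use)
    claimed = {}             # MAC -> set of IPs it has claimed
    changed = []             # (IP, first MAC, conflicting MAC)
    for raw in arp_payloads:
        _oper, mac, ip = parse_arp(raw)      # requests carry a binding too
        claimed.setdefault(mac, set()).add(ip)
        known = first_seen.setdefault(ip, mac)
        if known != mac and (ip, known, mac) not in changed:
            changed.append((ip, known, mac))
    shared = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return changed, shared


# Constructed sample: router MAC is the example address used earlier in the
# post; the victim and attacker MACs are made up.
ROUTER, VICTIM, ATTACKER = ("00:09:5b:01:02:03", "02:00:00:00:00:10",
                            "02:00:00:00:00:66")
UNKNOWN = "00:00:00:00:00:00"
SAMPLE = [
    make_arp(REQUEST, VICTIM, "192.168.0.10", UNKNOWN, "192.168.0.1"),
    make_arp(REPLY, ROUTER, "192.168.0.1", VICTIM, "192.168.0.10"),
    make_arp(REPLY, ATTACKER, "192.168.0.1", VICTIM, "192.168.0.10"),   # forged
    make_arp(REPLY, ATTACKER, "192.168.0.10", ROUTER, "192.168.0.1"),   # forged
    make_arp(REPLY, ATTACKER, "192.168.0.1", VICTIM, "192.168.0.10"),   # repeat
]

if __name__ == "__main__":
    changed, shared = detect_poisoning(SAMPLE)
    for ip, old, new in changed:
        print(f"{ip}: was {old}, now claimed by {new}")
    print("MACs claiming several IPs:", shared)
```

In Wireshark itself, the same symptom shows up as the same IP address answering from two different MAC addresses in the ARP traffic.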
The 802.11 Spectrum
The unique difference when capturing traffic from a wireless local area network (WLAN) is that the wireless spectrum is a shared medium (unlike wired networks, where each client has its own cable to the switch).
A single WLAN occupies a portion of the 802.11 spectrum, allowing multiple systems to operate in the same physical medium. In the US, 11 channels are available, and a WLAN can operate on only one channel at a time (and so can the sniffing).
However, a technique called channel hopping allows quick change between channels to collect data. A tool to perform this is kismet, which can hop up to 10 channels/second.
Wireless NIC modes
Wireless network cards can have four modes:
- Managed: when the wireless client connects directly to a wireless access point (WAP).
- ad hoc mode: devices connect directly to each other, sharing the responsibility of a WAP.
- Master mode: the NIC works with specialized software to allow the computer to act as a WAP for other devices.
- Monitor: used to stop transmitting and receiving data, and start listening to the packets flying in the air.
To access the wireless extensions in Linux you can type:
To change the interface (for example eth1) to monitor mode, you type:
> iwconfig eth1 mode monitor
> ifconfig eth1 up
To change the channel of the interface:
> iwconfig eth1 channel 4
Thank you for reading!
I hope this post sheds a bit of light on how Network traffic analysis works in Wireshark, empowering hackers and developers to experiment and innovate more!
Resources and source codes related to this tutorial are available here.