Wireshark provides the ability to capture and analyze network traffic. It is used by network administrators and security analysts in a wide variety of industries, governments, and non-profit organizations. Prior to analysis, you'll need to tap into the data stream and capture packets from the network. Once captured, you can analyze the packets to understand the traffic flow. In this chapter, we'll review the different network architectures, along with the various types of media that can be found on today's networks. Once outlined, this will help you get a better understanding of the complex nature of today's networked environment.
So that you can confidently begin capturing traffic, we'll look at the various options, including capture, input, and output. We'll then review what happens when you tap into a network so that you can identify what types of traffic you'll see. We'll also compare and contrast conversations and endpoints. Finally, so you can better identify abnormal behavior, this chapter ends with a discussion of the importance of baselining network traffic.
This chapter will address all of this by covering the following topics:
We live in an exciting yet challenging period in history. Today, our internet-based ecosystem demands that business networks are available nearly 100 percent of the time. Enterprise networks must be able to adjust to changing traffic demands and maintain constant response times. In addition, they have to be agile enough to respond to unexpected security incidents.
Effective packet analysis begins with understanding the network architecture. In order to determine where to tap in to identify trouble spots, it's important to recognize the way that different media and devices influence network traffic. In this section, we will compare the different types of networks in use today, along with the various types of media used to transport data.
Let's begin our discussion by outlining the diverse types of networks in use today.
Today's networked environments are complex and can include data from mobile phones, cloud computing, virtualization, social media, and the Internet of Things (IoT). The network specialist deals with many different types of networks, which include Personal Area Networks (PANs), Local Area Networks (LANs), Campus Area Networks (CANs), and Wide Area Networks (WANs). All of these different types of networks influence how data is transmitted.
To begin, we will review the smallest network, a PAN, which you may encounter in your analysis.
A PAN is a network that shares data between devices that are close, normally within a range of 30 feet. Devices can connect to the internet or other networks. Because devices in a PAN generally communicate using low-powered wireless technology, a PAN is also referred to as a Wireless Personal Area Network (WPAN).
A WPAN is a short-range network that connects personal devices to exchange information using the IEEE 802.15 standard and includes technologies such as Bluetooth, Zigbee, and ultra-wideband.
Conducting packet analysis on a PAN may be done to troubleshoot or test IoT devices that connect to the internet, enabling them to send and receive data. Using Wireshark, you can study protocols such as Message Queuing Telemetry Transport (MQTT), a lightweight messaging protocol used for machine-to-machine communication.
One of the most common types of networks where you will capture traffic is a LAN. The following section provides an overview of the characteristics of a LAN.
A LAN is a private network in a localized area that an organization or individual owns, controls, and manages. A LAN is generally within a restricted geographic area, such as a corporate office, manufacturing plant, or healthcare facility, and provides the ability for hosts to share resources.
A LAN provides high-speed bandwidth using Ethernet technology, connecting network devices and enabling them to communicate and exchange data on a common channel.
Within a LAN, there might be a data center, which is a large group of servers that provide storage, processing, and distribution of critical company data for network clients. The data center is at the heart of any enterprise network and is located in a central location, generally in a secure computer or server room.
In today's large, multifaceted companies, there may be a larger network than a LAN that requires remote locations to serve all of the clients. The following section takes a look at the concept of a CAN.
A CAN is a large, private LAN in a common entity, such as a college, hospital, corporate campus, or military base, that has two or more interconnected LANs.
A CAN has a main campus where the central elements of the network reside, such as the data center and telephony, and provides connectivity, data, applications, and services to clients. In addition, a CAN might include remote locations that are away from the main campus.
Because a CAN, at times, is spread across a larger geographic area such as a city, remote locations will need to communicate over a WAN using an internet connection. Let's now discover the qualities of a WAN.
A WAN is a geographically dispersed collection of LANs that span a large distance. The internet is the largest WAN, spanning the globe, and is a network of globally connected networks that bring people, processes, data, and things together.
A WAN is different from a LAN in several ways. In most cases, no single entity owns a WAN; rather, WANs exist with shared or distributed ownership and management. WANs use common technologies such as Multiprotocol Label Switching (MPLS), a data transport method for high-performance telecommunication networks. WANs can carry a signal using a variety of methods, including the Plain Old Telephone Service (POTS), fiber-optic cables, wireless transmissions, and satellites.
As you can see, there are many different types of networks. In the next section, we'll explore each of the different types of media used to carry the signals.
Devices on a network share access to a common medium that provides a channel for traffic to travel. Media can be either of the following forms:
The following is a diagram that represents various types of network media:
For enterprise networks, it's common for multiple types of media to make up the networking environment. Each media type will influence the data flow and can include copper and fiber-optic cables, along with wireless transmissions.
Network administrators use Wireshark for troubleshooting network connectivity issues. Because of this, it's important to recognize some of the problems that may occur because of the physical layer (layer one) of the Open Systems Interconnection (OSI) model. In this section, we'll take a look at the different types of media that can transmit data. Let's begin by reviewing copper, which is subdivided into two categories, coaxial and twisted pair.
Copper is a commonly used media type in today's networks for data communications. The two types of media that use copper are coaxial and twisted pair.
Coaxial, also called coax, consists of a single copper wire encased by a layer of insulation and then by a grounded shield of braided wire. Coax is able to support high bandwidth and was originally the primary way to transmit data on a LAN.
Coax is no longer used by LANs to transmit data. However, you will still see coax, as it is used by cable television companies to transmit signals to clients in homes and businesses.
Although such captures are rare, Wireshark includes a Data Over Cable Service Interface Specification (DOCSIS) dissector, so frames from the cable segment between a cable modem and the provider's cable modem termination system (CMTS) can be decoded if you have equipment that captures them.
This type of cable consists of twisted pairs of copper wire that use pulses of electricity to carry a signal. The twists provide a shielding effect that minimizes crosstalk.
Twisted pair cabling has eight wires with four pairs of twists and comes in two forms:
Today, LANs use twisted-pair cables to transmit data. Twisted-pair cabling is so popular because it is reasonably priced, easy to install, and in most cases, provides high bandwidth for carrying both data and multimedia traffic.
In addition to copper, many companies employ fiber within their organization as a higher-speed, higher-bandwidth alternative to copper. The following section outlines the characteristics of fiber, which is subdivided into two categories, multimode and single mode.
A fiber-optic cable uses pulses of light to carry network traffic over longer distances. Fiber offers high throughput and, because it carries light rather than electricity, is immune to electromagnetic interference (EMI). The signals are sent via a laser or a Light-Emitting Diode (LED) through a core of glass or plastic. Fiber is often used as the backbone of a LAN and comes in two forms:
Fiber optic has many benefits, but it is more expensive than twisted pair and requires special equipment to manage. As a result, LANs use fiber primarily for backbone traffic and use twisted pair for work areas.
Today, it is common to see wireless network communication, which uses radio waves to transmit signals. The following section outlines the various ways you may work with Wireshark to analyze a wireless connection.
Wireless networks use unbound media, which allows users to roam freely while still being connected to the network. Over time, wireless networks have improved in speed and bandwidth, and as a result, you will most likely capture wireless traffic during a troubleshooting exercise.
Wireless technology can provide connectivity for a LAN using Wi-Fi, or for a PAN using Bluetooth. Here, we will compare the two:
As you can see, there are many variables that you may deal with while capturing and analyzing traffic using Wireshark. The type of network and the media will influence how you capture traffic and what you might see once it has been captured. In most cases, however, packet capture using Wireshark is done on a LAN.
In the next section, we will explore how to properly set up a capture and examine each of the capture option tabs – Input, Output, and Options.
When capturing traffic with Wireshark, most of us are familiar with the welcome screen, where the lower part of the window lists the available interfaces along with sparklines that show which ones are carrying traffic. From there, you can select an active interface and begin capturing. You can also enter a capture filter first and then begin capturing traffic.
In addition to the welcome screen, you can go to the Capture drop-down menu and then select Options to do advanced configuration before capturing traffic. Across the top, you will see three tabs, Input, Output, and Options, as shown in the following screenshot:
Let's start with a discussion on how to set up a capture by selecting an input interface.
In the Capture Options dialog box, the Input tab will show a list of available interfaces on your device. Across the top, you will see various column headers, which include Interfaces, Traffic, Link-layer Header, and Capture Filter.
In the lower-left corner, there is a checkbox labeled Enable promiscuous mode on all interfaces. If you uncheck it, promiscuous mode is turned off for every interface. You can then enable it only on the interface you want by checking the box in that interface's row.
Across the bottom, you can create a capture filter for the selected interface.
In the lower right, you can select Manage Interfaces..., which will allow you to hide interfaces that you do not want to be visible on the Input tab. For example, we can see five unchecked USBPcap interfaces in the following screenshot:
Once you have selected what you would like for input, you may want to save your file in a specific way. The next section outlines the Output tab.
The Output tab directs where and how you want to save your file. Within this tab, there are several options.
The first option is Capture to a permanent file. In most cases, this box is left blank. When you begin capturing traffic, Wireshark will save the capture to a temporary file until you save it as something else.
Output format defaults to pcapng (short for PCAP Next Generation); however, you can force Wireshark to save the file as pcap. Most of the time, pcapng is the best choice, as it allows you to add comments to the capture and to individual packets, which classic pcap cannot store.
Whichever format you select, the next option is Create a new file automatically…, which includes the following choices:
The following screenshot shows the Output tab of the Capture Options dialog:
Wireshark also provides the ability to compress files using GNU zip (gzip).
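The reason pcapng can carry comments while pcap cannot is visible in the file formats themselves. The following script is an added example for this chapter, not code from the book or from Wireshark: it writes a minimal pcapng file with a capture comment and a per-packet comment and reads both back. The single frame and the comment strings are constructed here. Classic pcap has only a fixed 24-byte file header and a 16-byte record header per packet, with no option fields, so there is nowhere for such a comment to go.

```python
"""Write a minimal pcapng file that carries a capture comment and a per-packet comment,
then read both back. Added example for this chapter, not code from the book or from
Wireshark; the frame and the comment strings are constructed here."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block types
OPT_ENDOFOPT, OPT_COMMENT = 0, 1                      # option codes
LINKTYPE_ETHERNET = 1


def _options(comments):
    """Encode opt_comment entries padded to 32 bits, closed by opt_endofopt.
    The whole field is omitted when there are no options, as the format requires."""
    if not comments:
        return b""
    out = b""
    for text in comments:
        value = text.encode("utf-8")
        out += struct.pack("<HH", OPT_COMMENT, len(value)) + value + b"\x00" * (-len(value) % 4)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0)


def _block(block_type, body):
    """Frame a block: type, total length, body, and the trailing total length."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def write_pcapng(frames, capture_comment, packet_comments=None):
    """Section Header Block (carrying the capture comment), one Interface Description
    Block, then one Enhanced Packet Block per frame (timestamps zeroed for brevity)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _options([capture_comment]))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    out = shb + idb
    for index, frame in enumerate(frames):
        body = struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame))
        body += frame + b"\x00" * (-len(frame) % 4)
        out += _block(EPB, body + _options((packet_comments or {}).get(index, [])))
    return out


def _parse_comments(opts):
    found, off = [], 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from("<HH", opts, off)
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_COMMENT:
            found.append(opts[off + 4:off + 4 + length].decode("utf-8"))
        off += 4 + length + (-length % 4)
    return found


def read_comments(data):
    """Walk the blocks and return (section comments, {packet index: comments}).
    The SHB fixed part is 16 bytes; the EPB fixed part is 20 bytes, caplen at offset 12."""
    off, section, packets, pkt_no = 0, [], {}, 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + total - 4]
        if block_type == SHB:
            section += _parse_comments(body[16:])
        elif block_type == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            opts = body[20 + caplen + (-caplen % 4):]
            if opts:
                packets[pkt_no] = _parse_comments(opts)
            pkt_no += 1
        off += total
    return section, packets


# Constructed sample: one broadcast ARP-shaped frame, zero-padded to a minimal length.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + b"\x00" * 28
CAPTURE_COMMENT = "Baseline AV-78-10.112, captured 09:00 from the access switch SPAN port"


def demo():
    data = write_pcapng([SAMPLE_FRAME], CAPTURE_COMMENT, {0: ["first frame after link-up"]})
    return read_comments(data)


if __name__ == "__main__":
    section, packets = demo()
    print("capture comment:", section)
    print("packet comments:", packets)
```

Comments travel with the file, so anything you write into a capture (analyst names, internal hostnames, case numbers) is handed over whenever the file is shared; keep that in mind before sending a commented pcapng outside the team. Wireshark opens gzip-compressed pcap and pcapng files directly, so the output of this script can be compressed with the standard library's gzip module without changing how it is read.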
Although you may be tempted to launch Wireshark and let it run while monitoring traffic for a long period of time, that isn't the best option. Wireshark keeps state in memory for every packet it has dissected, so memory use grows for as long as the capture runs, while the packets themselves accumulate in a temporary file until you stop the capture and save it to a permanent file. On a busy link, a long-running capture will eventually exhaust memory.
The next selection outlines how you can use a ring buffer to monitor traffic.
A ring buffer is handy if you want to run a capture to watch for a specific protocol or signature on your network. To use a ring buffer, you create multiple files and set a parameter to create a file automatically after either a specific file size is reached, such as after 1 megabyte, or after a period of time has passed, such as 10 seconds.
If you do want to create multiple files, you must specify a filename and location for the files; otherwise, Wireshark will display an error, as shown here:
When you are ready, select Use a ring buffer with at the bottom of the dialog box and enter how many files to keep; once that many exist, the oldest file is overwritten.
In addition to providing ways to select input and output options, Wireshark provides some custom options that you can modify. Let's take a look.
When looking at the Options tab, you will see across the top Display Options, which can be set as follows:
In addition, you'll also find the Name Resolution choices, which include the following:
In most cases, it's okay to resolve MAC addresses and transport names, as these are changed into a human-readable format using static text files found in the local Wireshark folder. The files include the following:
However, if you select Resolve network names, Wireshark asks the host Operating System (OS) to perform a reverse Domain Name System (DNS) lookup for each IP address it displays. On a busy capture, this means many extra queries, which will most likely slow Wireshark down and generate additional traffic on the network. It also tells your DNS server, and anyone who can observe its traffic, which addresses you are investigating, so leave it disabled when analyzing a capture from a suspected incident.
The last selection on the Options tab is Stop capture automatically after…, which stops the capture once the limit you choose is reached. There are four choices:
This option is useful when baselining. For example, you can set the capture to stop after 1,000 packets and then start capturing; Wireshark will capture 1,000 packets and then stop automatically, giving you captures of consistent size to compare.
All options are shown in the following screenshot:
After you understand the network architecture and topology and have selected your capture options, you're ready to tap into the network. This next section will review the different types of packets you will see, along with how to look at the conversations and endpoints that are gathered while capturing traffic.
While tapping into a LAN with the Network Interface Card (NIC) in promiscuous mode, the adapter passes every frame it sees to the capture engine (dumpcap, built on libpcap or, on Windows, Npcap), which hands the packets to EPAN (the Ethereal Packet ANalyzer, Wireshark's dissection library) for dissection and decoding, and then on to the Wireshark interface.
You'll then see the packets filling the screen. If you are on an end device and communicating with another host, you will most likely see three types of packets – namely, broadcast, multicast, and unicast:
In a normal conversation with another host, the OS creates a socket at each end of the connection. A socket address consists of an IP address and a port, so a TCP or UDP connection is identified by the source address and port, the destination address and port, and the protocol. During a capture, Wireshark keeps track of all of these connections, or streams, and you can examine each one.
This next section explains how you can take a look at the conversations and endpoints in a capture.
Whenever you are actively connecting with other hosts on the network, the OS keeps track of all the connections. To see all of your active connections on a Windows machine, open a command line and run netstat with the -an parameters (-a lists all connections and listening ports, -n shows addresses and ports numerically instead of resolving names), as shown in the following screenshot:
In Wireshark, a conversation consists of two endpoints that are in a connection together. An endpoint is one side of the conversation. To view all of the conversations in a capture, go to Statistics and then Conversations. Once the window opens, there are tabs along the top that allow you to view a specific type of conversation.
Each tab provides details of the type of conversation you selected, and each row represents one conversation. For example, the Ethernet tab shows conversations listing the MAC addresses of the endpoints, as shown in the following screenshot:
You can always add or remove tabs by selecting Conversation Types in the lower right-hand corner, as shown here:
Wireshark has advanced options within this window. Right-click any of the conversations and you will see the following options:
The following screenshot shows the search toolbar that is launched when you select Find:
All of these options allow you to further refine your selection. Right-click and select one of several options that include A to B, B to A, and A to Any.
At the bottom of the window, there are additional choices with which you can refine and customize your view:
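To make the broadcast/multicast/unicast split and the Conversations table concrete, the following script rebuilds both from a capture file. It is an added example for this chapter, not code from the book or from Wireshark, and it is a deliberate simplification (Ethernet, IPv4, TCP and UDP only; Wireshark also handles IPv6, VLAN tags and many other layers). The pcap it reads is constructed in-line so the script runs offline; checksums in the sample frames are left zero, which Wireshark would flag but which does not matter here.

```python
"""Rebuild two things Wireshark shows when you tap a LAN: the broadcast/multicast/
unicast split of the frames, and the Conversations table (Ethernet > IPv4 > TCP/UDP).
Added example for this chapter; not code from the book or from Wireshark.
The capture it reads is constructed below (classic pcap, Ethernet link type)."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PCAP_MAGIC_LE = 0xA1B2C3D4


def read_pcap(data):
    """Yield raw frames from little-endian classic pcap bytes: a 24-byte file header,
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_dst(frame):
    """ff:ff:ff:ff:ff:ff is broadcast; any other destination with the I/G bit
    (low bit of the first octet) set is a group address, i.e. multicast."""
    dst = frame[:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def decode(frame):
    """Return (proto, src_ip, sport, dst_ip, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < l4 + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return ("TCP" if proto == IPPROTO_TCP else "UDP", src, sport, dst, dport)


def conversations(frames):
    """Aggregate frames into A <-> B rows like the Conversations window: the key
    ignores direction so both halves of a flow share one row, while per-direction
    packet counts are kept (Packets A->B / B->A)."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for frame in frames:
        parsed = decode(frame)
        if parsed is None:
            continue
        proto, src, sport, dst, dport = parsed
        a, b = sorted([(src, sport), (dst, dport)])
        row = table[(proto, a, b)]
        row["packets"] += 1
        row["bytes"] += len(frame)
        row["a_to_b" if (src, sport) == a else "b_to_a"] += 1
    return dict(table)


# --- constructed sample capture (not real traffic) ---------------------------------
def build_frame(dst_mac, src_mac, src_ip, sport, dst_ip, dport, proto, payload=b""):
    """Ethernet II + IPv4 + minimal TCP (20 B) or UDP (8 B) header; checksums zero."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == IPPROTO_TCP else 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


HOST_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
BCAST_MAC, MDNS_MAC = b"\xff" * 6, bytes.fromhex("01005e0000fb")  # 224.0.0.251 -> 01:00:5e:00:00:fb
SAMPLE_PCAP = build_pcap([
    build_frame(GW_MAC, HOST_MAC, "192.168.1.10", 51000, "203.0.113.5", 443, IPPROTO_TCP),
    build_frame(HOST_MAC, GW_MAC, "203.0.113.5", 443, "192.168.1.10", 51000, IPPROTO_TCP, b"\x16\x03\x03"),
    build_frame(GW_MAC, HOST_MAC, "192.168.1.10", 51000, "203.0.113.5", 443, IPPROTO_TCP),
    build_frame(BCAST_MAC, HOST_MAC, "192.168.1.10", 68, "255.255.255.255", 67, IPPROTO_UDP),
    build_frame(MDNS_MAC, HOST_MAC, "192.168.1.10", 5353, "224.0.0.251", 5353, IPPROTO_UDP),
])


def traffic_types(pcap_bytes):
    return dict(Counter(classify_dst(f) for f in read_pcap(pcap_bytes)))


def conversation_table(pcap_bytes):
    return conversations(read_pcap(pcap_bytes))


if __name__ == "__main__":
    print(traffic_types(SAMPLE_PCAP))
    for (proto, a, b), row in conversation_table(SAMPLE_PCAP).items():
        print(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {row}")
```

The direction-independent key is the point to take away: a conversation row in Wireshark groups both directions of a flow, which is why the window reports Packets A to B and B to A separately, and why the A to B, B to A and A to Any filter choices exist.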
As you become more experienced with using Wireshark, you will be able to navigate around the interface with ease. Until then, experiment with some of the menu choices and options.
In order to troubleshoot a network more effectively, it is important to start with a packet capture so that you can compare possible changes. One way to achieve this is by creating a baseline, which we will cover in this next section.
Every network is like a snowflake in that no two are alike. Each network has its own signature that includes characteristics such as utilization, network protocols, and latency issues.
A baseline is a packet capture on a subnetwork that is obtained using Wireshark or tshark during normal working conditions. If the network is experiencing problems, the network administrator can then use the baseline to identify any changes. Once you learn what normal network behavior is, you can better identify abnormal network behavior.
In addition to troubleshooting, a network baseline can be used for optimizing, forecasting, planning, and tuning a network. The baseline process goes through several stages – plan, capture, analyze, and save.
We will begin with planning, which provides steps for the best way to go through the process.
To plan the baseline, create a network map and list all of the subnetworks and Virtual Local Area Networks (VLANs). You should have a strategy on how you are going to go about the process. Some things to consider include the following:
Once planning is complete, we can then move on to the next step, which is where we actually capture network traffic.
When it's time to capture the traffic, limit each packet capture to a consistent size so that the baselines can be compared with one another. Determine what an appropriate capture size is for your network so that each capture is a snapshot of the network at a slice in time.
The process should be documented – for example, document where the capture was obtained, the time of day, and what equipment was used during the capture.
The key is to be as consistent as possible with your captures so that you compare apples to apples. If you select Statistics and then Capture File Properties, you can add a comment to provide additional information about the capture, as shown in the following screenshot:
After we complete the capture phase, we then move to the analyzing phase, where we will take a closer look at the capture.
Once you have obtained the packet capture, take a moment, and review the capture to see whether anything stands out as unusual or suspicious. Within Wireshark, you can go to Statistics and then Protocol Hierarchy to spot-check what protocols appear on the subnetwork, as shown here:
For example, after examining the capture, you might see a large amount of Spotify (a streaming music service) traffic, which is prohibited on your network. At that point, you would investigate the source of the traffic.
In addition, you can go to Statistics and then Conversations to identify what ports are in use. After all of the captures are complete, we will move on to the final phase where we save the captures for later comparison.
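The comparison that this analysis phase describes, services and ports seen now versus those seen in the baseline, can be scripted once the baseline is recorded. The following is an added example for this chapter, not code from the book or from Wireshark. The two lists are constructed to resemble rows of Statistics > Conversations (protocol, address A, port A, address B, port B, bytes); in practice you would export those rows from the baseline and from the new capture. Treating the lower-numbered port as the service side is an assumption of this script, chosen because client ports change from capture to capture.

```python
"""Check a later capture against a baseline and report what changed.
Added example for this chapter, not code from the book or from Wireshark. The two
lists below are constructed to resemble rows of Statistics > Conversations
(protocol, address A, port A, address B, port B, bytes)."""
from collections import defaultdict

BASELINE = [
    ("TCP", "192.168.10.20", 52100, "192.168.10.5", 443, 410_000),
    ("TCP", "192.168.10.21", 52344, "192.168.10.5", 443, 388_000),
    ("UDP", "192.168.10.20", 53211, "192.168.10.2", 53, 6_200),
    ("UDP", "192.168.10.21", 53388, "192.168.10.2", 53, 5_900),
    ("TCP", "192.168.10.22", 49155, "192.168.10.5", 445, 120_000),
]
NEW_CAPTURE = [
    ("TCP", "192.168.10.20", 52900, "192.168.10.5", 443, 395_000),
    ("TCP", "192.168.10.21", 53010, "192.168.10.5", 443, 401_000),
    ("UDP", "192.168.10.20", 53999, "192.168.10.2", 53, 5_800),
    ("UDP", "192.168.10.21", 54012, "192.168.10.2", 53, 61_000),    # DNS volume jumped
    ("TCP", "192.168.10.22", 49160, "192.168.10.5", 445, 118_000),
    ("TCP", "192.168.10.23", 49200, "203.0.113.77", 4444, 90_000),  # not in the baseline
]


def service_profile(rows):
    """Collapse conversations to (protocol, server address, server port) -> bytes.
    Ephemeral client ports change between captures, so the side with the lower
    port number is taken as the service (an assumption of this example)."""
    profile = defaultdict(int)
    for proto, addr_a, port_a, addr_b, port_b, nbytes in rows:
        service = (addr_b, port_b) if port_b < port_a else (addr_a, port_a)
        profile[(proto, *service)] += nbytes
    return dict(profile)


def compare_to_baseline(baseline_rows, current_rows, ratio=3.0):
    """Findings: services absent from the baseline, known services whose byte
    volume moved by more than `ratio` in either direction, and services present
    in the baseline that have gone quiet."""
    base, cur = service_profile(baseline_rows), service_profile(current_rows)
    findings = []
    for key, nbytes in sorted(cur.items()):
        if key not in base:
            findings.append(("new_service", key, nbytes))
        elif nbytes > base[key] * ratio or nbytes * ratio < base[key]:
            findings.append(("volume_shift", key, nbytes, base[key]))
    for key in sorted(set(base) - set(cur)):
        findings.append(("missing_service", key, base[key]))
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, NEW_CAPTURE):
        print(*finding)
```

Because each baseline is a snapshot at one time of day, compare a new capture against a baseline taken under similar conditions (same subnetwork, same time window); otherwise normal daily variation will show up as volume shifts and hide the changes you actually care about.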
Once you have completed and analyzed the capture, and made any appropriate comments, it's time to preserve the baseline. Whether you work on your own or within a team, you should have a standard format and procedure to document the findings.
The suggested guidelines for documentation include the following:
Although much of the information in the preceding list can be recorded within the capture in the form of comments, it's best to document it separately as well, so the information is preserved even if the capture file is lost or converted to a format without comments.
When naming the capture files, have your team agree on a standard format. This is so you can easily search through the captures later. One format or standard might be to use the building name and room or even the subnetwork IP address.
For example, you might use this format – building-room-subnet (or BLD-RM-SN). Then, if you have a capture from aviation building – room 78 – subnetwork 192.168.10.112, you can save the file as AV-78-10.112.pcap.
The format for saving the information can be a shared spreadsheet that the team can update and use to record their findings.
By now, you understand the many different types of networks that can influence how data travels. In addition to the various network types, we saw how we must also contend with the media that transmits the data. So that you can effectively capture traffic, we took a closer look at various capture selections that include display options, using multiple files, and name resolution.
We then moved into a discussion of the different types of traffic you will see when tapping into a switched network and compared the difference between conversations and endpoints. We then looked at the many options for analysis within the Conversations window. Finally, we summarized the importance of baselining the network and provided some steps on how to move through this process.
In the next chapter, we will discover the many ways to personalize the Wireshark interface. You will learn ways to adjust the appearance and basic layout. I'll show you ways to add, modify, and personalize the configuration profiles. Then, we will evaluate how to add comments to a single packet or an entire capture. Finally, we'll take a look at creating a complex filter expression and a button for your toolbar to simplify your analysis.
Now, it's time to check your knowledge. Select the best response, and then check your answers with those found in the Assessments appendix: