{"id":11683,"date":"2019-03-15T22:10:54","date_gmt":"2019-03-15T22:10:54","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11683"},"modified":"2019-03-15T22:10:54","modified_gmt":"2019-03-15T22:10:54","slug":"10-tips-on-how-to-use-wireshark-to-analyze-packets-in-your-network","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/15\/10-tips-on-how-to-use-wireshark-to-analyze-packets-in-your-network\/","title":{"rendered":"10 Tips On How to Use Wireshark to Analyze Packets in Your Network"},"content":{"rendered":"

In any packet-switched network, packets represent units of data that are transmitted between computers. It is the responsibility of network engineers and system administrators alike to\u00a0monitor and inspect the packets for security<\/a>\u00a0and troubleshooting purposes.<\/p>\n

To do this, they rely on software programs called\u00a0network packet analyzers<\/a>, with\u00a0Wireshark<\/strong>\u00a0perhaps being the most popular and used due to its versatility and easiness of use. On top of this, Wireshark allows you to not only\u00a0monitor traffic in real-time<\/a>, but also to save it to a file for later inspection.<\/p>\n

In this article we will share 10 tips on how to use\u00a0Wireshark<\/strong>\u00a0to analyze packets in your network, and hope that when you reach the Summary section you will feel inclined to add it to your bookmarks.<\/p>\n

Installing Wireshark in Linux<\/h3>\n

To install\u00a0Wireshark<\/strong>, select the right installer for your operating system \/ architecture from\u00a0https:\/\/www.wireshark.org\/download.html<\/a>.<\/p>\n

Particularly, if you are using Linux, Wireshark must be available directly from your distribution\u2019s repositories for an easier install at your convenience. Although versions may differ, the options and menus should be similar \u2013 if not identical in each one.<\/p>\n

------------ On Debian\/Ubuntu based Distros ------------<\/strong> \r\n$ sudo apt-get install wireshark\r\n\r\n------------ On CentOS\/RHEL based Distros ------------<\/strong>\r\n$ sudo yum install wireshark\r\n\r\n------------ On Fedora 22+ Releases ------------<\/strong>\r\n$ sudo dnf install wireshark\r\n<\/pre>\n
There is a known bug in\u00a0Debian<\/strong>\u00a0and derivatives that may prevent listing the network interfaces unless you\u00a0use sudo<\/a>\u00a0to launch Wireshark. To fix this, follow the accepted answer in\u00a0this post<\/a>.<\/p>\n
Once\u00a0Wireshark<\/strong>\u00a0is running, you can select the network interface that you want to monitor under\u00a0Capture<\/strong>:<\/p>\n
\n
\"Wireshark<\/a><\/p>\n
Wireshark Network Analyzer<\/p>\n<\/div>\n
In this article we will use\u00a0eth0<\/code>, but you can choose another one if you wish. Don\u2019t click on the interface yet \u2013 we will do so later once we have reviewed a few capture options.<\/p>\n
Setting Capture Options<\/h4>\n
The most useful capture options we will consider are:<\/p>\n
    \n
  1. Network interface<\/strong>\u00a0\u2013 As we explained before, we will only analyze packets coming through\u00a0eth0<\/strong>, either incoming or outcoming.<\/li>\n
  2. Capture filter<\/strong>\u00a0\u2013 This option allows us to indicate what kind of traffic we want to monitor by port, protocol, or type.<\/li>\n<\/ol>\n
    Before we proceed with the tips, it is important to note that some organizations forbid the use of\u00a0Wireshark<\/strong>\u00a0in their networks. That said, if you are not utilizing Wireshark for personal purposes make sure your organization allows its use.<\/p>\n
    For the time being, just select\u00a0eth0<\/code>\u00a0from the dropdown list and click\u00a0Start<\/strong>\u00a0at the button. You will start seeing all traffic passing through that interface. Not really useful for monitoring purposes due to the high amount of packets inspected, but it\u2019s a start.<\/p>\n
    \n
    \"Monitor<\/a><\/p>\n
    Monitor Network Interface Traffic<\/p>\n<\/div>\n
    In the above image we can also see the\u00a0icons<\/strong>\u00a0to list the available interfaces, to\u00a0stop<\/strong>\u00a0the current capture, and to\u00a0restart<\/strong>\u00a0it (red box on the\u00a0left<\/strong>) and to configure and edit a filter (red box on the\u00a0right<\/strong>). When you hover over one of these icons, a tooltip will be displayed to indicate what it does.<\/p>\n
    We will begin by illustrating capture options, whereas tips\u00a0#7<\/strong>\u00a0through\u00a0#10<\/strong>\u00a0will discuss how to do actually do something useful with a capture.<\/p>\n
    TIP #1 \u2013 Inspect HTTP Traffic<\/h3>\n
    Type\u00a0http<\/code>\u00a0in the filter box and click\u00a0Apply<\/strong>. Launch your browser and go to any site you wish:<\/p>\n
    \n
    \"Inspect<\/a><\/p>\n
    Inspect HTTP Network Traffic<\/p>\n<\/div>\n
    To begin every subsequent tip, stop the live capture and edit the capture filter.<\/p>\n
    TIP #2 \u2013 Inspect HTTP Traffic from a Given IP Address<\/h3>\n
    In this particular tip, we will prepend\u00a0ip==192.168.0.10&&<\/code>\u00a0to the filter stanza to monitor HTTP traffic between the local computer and\u00a0192.168.0.10<\/strong>:<\/p>\n
    \n
    \"Inspect<\/a><\/p>\n
    Inspect HTTP Traffic on IP Address<\/p>\n<\/div>\n
    TIP #3 \u2013 Inspect HTTP Traffic to a Given IP Address<\/h3>\n
    Closely related with\u00a0#2<\/strong>, in this case we will use\u00a0ip.dst<\/code>\u00a0as part of the capture filter as follows:<\/p>\n
    ip.dst==192.168.0.10&&http\r\n<\/pre>\n
    \n
    \"Monitor<\/a><\/p>\n
    Monitor HTTP Network Traffic to IP Address<\/p>\n<\/div>\n
    To combine tips\u00a0#2<\/strong>\u00a0and\u00a0#3<\/strong>, you can use\u00a0ip.addr<\/code>\u00a0in the filter rule instead of\u00a0ip.src<\/code>\u00a0or\u00a0ip.dst<\/code>.<\/p>\n
    TIP #4 \u2013 Monitor Apache and MySQL Network Traffic<\/h3>\n
    Sometimes you will be interested in inspecting traffic that matches either (or both) conditions whatsoever. For example, to monitor traffic on TCP ports\u00a080<\/strong>\u00a0(web server) and\u00a03306<\/strong>\u00a0(MySQL \/ MariaDB database server), you can use an\u00a0OR<\/code>\u00a0condition in the capture filter:<\/p>\n
    tcp.port==80||tcp.port==3306\r\n<\/pre>\n
    \n
    \"Monitor<\/a><\/p>\n
    Monitor Apache and MySQL Traffic<\/p>\n<\/div>\n
    In tips\u00a0#2<\/strong>\u00a0and\u00a0#3<\/strong>,\u00a0||<\/code>\u00a0and the word\u00a0or<\/strong>\u00a0produce the same results. Same with\u00a0&&<\/code>\u00a0and the word\u00a0and<\/strong>.<\/p>\n
    TIP #5 \u2013 Reject Packets to Given IP Address<\/h3>\n
    To exclude packets not matching the filter rule, use\u00a0!<\/code>\u00a0and enclose the rule within parentheses. For example, to exclude packages originating from or being directed to a given IP address, you can use:<\/p>\n
    !(ip.addr == 192.168.0.10)\r\n<\/pre>\n
    TIP #6 \u2013 Monitor Local Network Traffic (192.168.0.0\/24)<\/h3>\n
    The following filter rule will display only local traffic and exclude packets going to and coming from the Internet:<\/p>\n
    ip.src==192.168.0.0\/24 and ip.dst==192.168.0.0\/24\r\n<\/pre>\n
    \n
    \"Monitor<\/a><\/p>\n
    Monitor Local Network Traffic<\/p>\n<\/div>\n
    TIP #7 \u2013 Monitor the Contents of a TCP Conversation<\/h3>\n
    To inspect the contents of a\u00a0TCP<\/strong>\u00a0conversation (data exchange), right click on a given packet and choose Follow\u00a0TCP<\/strong>\u00a0stream. A window will pop-up with the content of the conversation.<\/p>\n
    This will include\u00a0HTTP<\/strong>\u00a0headers if we are inspecting web traffic, and also any plain text credentials transmitted during the process, if any.<\/p>\n
    \n
    \"Monitor<\/a><\/p>\n
    Monitor TCP Conversation<\/p>\n<\/div>\n
    TIP #8 \u2013 Edit Coloring Rules<\/h3>\n
    By now I am sure you already noticed that each row in the capture window is colored. By default,\u00a0HTTP<\/strong>\u00a0traffic appears in\u00a0green<\/strong>\u00a0background with black text, whereas\u00a0checksum<\/strong>\u00a0errors are shown in\u00a0red<\/strong>\u00a0text with black background.<\/p>\n
    If you wish to change these settings, click the\u00a0Edit<\/strong>\u00a0coloring rules icon, choose a given filter and click\u00a0Edit<\/strong>.<\/p>\n
    \n
    \"Customize<\/a><\/p>\n
    Customize Wireshark Output in Colors<\/p>\n<\/div>\n
    TIP #9 \u2013 Save the Capture to a File<\/h3>\n
    Saving the contents of a capture will allow us to be able to inspect it with greater detail. To do this, go to\u00a0File \u2192 Export<\/strong>\u00a0and choose an export format from the list:<\/p>\n
    \n
    \"Save<\/a><\/p>\n
    Save Wireshark Capture to File<\/p>\n<\/div>\n
    TIP #10 \u2013 Practice with Capture Samples<\/h3>\n
    If you think your network is \u201cboring<\/strong>\u201d, Wireshark provides a series of sample capture files that you can use to practice and learn. You can download these\u00a0SampleCaptures<\/a>\u00a0and import them via the\u00a0File \u2192 Import<\/strong>\u00a0menu.<\/p>\n
    Summary<\/h5>\n
    Wireshark<\/strong>\u00a0is free and open source software, as you can see in the\u00a0FAQs section<\/a>\u00a0of the official website. You can configure a capture filter either before or after starting an inspection.<\/p>\n
    In case you didn\u2019t notice, the filter has an autocomplete feature that allows you to easily search for the most used options that you can customize later. With that, the sky is the limit!<\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    In any packet-switched network, packets represent units of data that are transmitted between computers. It is the responsibility of network engineers and system administrators alike to\u00a0monitor and inspect the packets for security\u00a0and troubleshooting purposes. To do this, they rely on software programs called\u00a0network packet analyzers, with\u00a0Wireshark\u00a0perhaps being the most popular and used due to its … <\/p>\n
    Continue reading “10 Tips On How to Use Wireshark to Analyze Packets in Your Network”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11683","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11683"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11683\/revisions"}],"predecessor-version":[{"id":11684,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11683\/revisions\/11684"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}