Wireshark

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

Wireshark is one of the most famous network protocol analyzers. It is a powerful multi platform open source tool, that can analyze network traffic on all possible network interfaces, like Ethernet, Wi-Fi, Bluetooth, local Loopback and VMware Adapters and even USB. The Wireshark project was founded 1998 by Gerald Combs, under the name of 'Ethernal' and gets continuously further developed by volunteers, network professionals and enthusiasts around the globe. Version 1.0 was released in 2008. Before, only expensive and proprietary solutions were available. Today Wireshark provides a wide set of features including:

  • Capturing network traffic
  • Filter and visualise the traffic
  • Safe and open captured traffic in files
  • Import and export other capture file formats

Therefore Wireshark is used to troubleshoot network problems, examine network security, test network applications and for educational purposes.

The application is free to download from the Wireshark website and is published under the GNU General Public License. A wizard leads trough the installation process. Npcap has to be installed to capture network traffic, additionally USBpcap can be installed, to capture USB traffic. Npcap is a packet sniffing driver copyrighted by the Nmap Project.

Functionality

Start screen

After starting the Wireshark application, it automatically scans for all available interfaces. In Figure 'Start screen' you can see the listed interfaces with a preview of the network traffic.

By clicking on 'Aufzeichnen' or 'Capture' above the interface list, the interface menu opens. The first tab shows the interfaces including their MAC Addresses, which helps identifying the right one. Also Pipes and remote interfaces can be configured. The second tab shows the output options. Here you can save the captures automatically in files, according to different rules. The third tab offers additional options for display and name resolution.

Capture and Display Filter

The capture process starts by double clicking a interface or select one and click on the blue fin icon in the menu bar.

Capture Filter

The Capture Filter is set before starting a packet capture and cannot be modified during the capture. It is more limited than the display filter and used to reduce the size of raw capture data. The filter can be entered in the text-field above the interfaces before the capturing is started. The Capture Filter has an own syntax described below. It only supports combinations of the listed primitives. An example is shown in figure 'Capture Filter'. The filter captures only packets which source IP address is 192.168.0.1 and the TCP port 23

Protocol selection  [tcp|udp] 
IP address          [src|dst] [host] 
Port number         [port]
Operations          [and|or] [less|greater] [not]
Display Filter
Packet List
Packet Details
Full Screen

The Display Filter only filters the output on the screen. But can be modified during the capture process and also when analysing a saved capturing. So it's more flexible and can be adjusted to current needs. It's entered during a capturing in the above text field as shown in figure 'Display Filter'.

The Display Filter has a different syntax than the Capture Filter. Probably, because Wireshark is developed by many different developers, who add single features. The filter displays only packets which source IP address is 192.168.8.109 and the TCP port 443. As shown below, the Display Filter offers more possibilities to filter packets.

MAC address         [eth]
L3 Protocol         [ip|ipv6]
L4 Protocol         [tcp|udp] 
IP address          [src|dst] [host] 
Port number         [port]
Operations          [and|or|xor] []not|in]
Comparison Operator [==|!=|<|<=|>=|>]
Slices              [x:y]
Function            [upper|lower|len|count|string]

A more detailed list with possible filter expressions can be found in the Wireshark User Guide.


Analyze

During the capture, a list of all incoming packets is displayed, as seen in figure 'Packet List'. The columns are described as follows:

  • No. stands for the packet number, which Wireshark starts at zero, to make it more readable.
  • Time shows the seconds since the capture started.
  • Source is the packet source IP- or MAC-address.
  • Destination is the packet destination IP- or MAC-address.
  • Protocol stands for the used transport protocol.
  • Length is the packet length in Bytes.
  • Info shows the packet information, which Wireshark extracts automatically.


In the packet details, shown in figure 'Packet Details', you can see all headers from the different OSI Layers. In this example the TLS Application Data is encrypted and unreadable. From the TCP header you can read the source and destination port, sequence and ACK numbers, set flags, the size and the checksum. From the IP header you can read the version, length, flags, the TTL, the encapsulated protocol (TCP), checksum and source and destination IP address. From the Ethernet Header you can read the source and destination MAC address, the frame number and lengtha and the encapsualted protocols.

Below the packet details, is the packet shown in Bytes. Mostly not very human friendly to read. To change that, the configuration and other tips are shown in the next paragraph.


Not so well known Features

Here are some configurations listed to make Wireshark easier and clearer to read.

  • Wide Screen - The default view of Wireshark is not adjusted for wide screen. To make a better use of the whole screen change the following. In the menu Edit/Preferences/Appearance/Layout use the fourth Pane order. For the third pane choose Packet Diagram, instead of Packet Bytes. The result is shown in figure 'Full Screen'. In the Packet Diagram, you can click on any field and the corresponding value is shown in the Packet Details.
  • Time - By default the Time in the Packet List is set to seconds since the capture started. To make it easier to find specific packages, under View/Display Time Format, you can change it to Time of Day.
  • Name Resolution - Also by default, DNS is not activated. Under View/Name Resoultion you can activate name resolution for phyiscal, network and transport addresses. The name resolution is the only active action, which is performed by Wireshark in an observed network.
  • Open Connections - In the Statistics menu, under Conversations, you can see all open connections at once. Separated in the different Layers: Data Link (Ethernet), Network (IP) and Transport (TCP/UDP).
  • ACL Rule Creation - In the Tools menu, under Firewall ACL Rules, you can create different ACL Rules. Dependent of the selected packet in the Packet List, it shows a combination of outbound/inbound allow/deny rules. And also for different systems like Cisco IOS, IP Filter, IP Tables and Windows Firewall.
  • Credentials - Also in the Tools menu, under Credentials, Wireshark shows all credentials, which could be read automatically, and in which packet they were sent. This only works with unencrypted traffic, like Open Authentication.

Limits

Even tough, Wireshark is a powerful network analyzer, it also has its limits, which are listed below.

  • No Attack Software - Wireshark can capture and analyze the traffic of specific interfaces. But it cannot manipulate any packets or send own packets to temper with legit connections. So it's no tool for Man-In-The-Middle or any other attacks. As already stated, the only actions taken by Wireshark is name resolution (DNS).
  • No IDS - Wireshark only runs if you start it and shows the incoming and outgoing traffic in the user interface. But the analysis is left to the user. Wireshark has no built in scan engine or alert system. So it cannot be seen as Intrusion Detection System.
  • No Decryption - Wireshark can not decrypt any captured traffic. Encrypted traffic like TLS is shown as unreadable characters. Also if you hold any public or private keys, they can not be applied in the Wireshark application to decrypt the traffic. So Wireshark can analyse unencrypted traffic only.


Comparison to Tcpdump

Beside Wireshark with its graphical user interface, Tcpdump is a well known command line tool for netowrk traffic analyis. In this chapter, Tcpdump will be presented and compared to Wireshark, based on its performance and features. The focus of this list are the differences of these two tools. The similarities in traffic capturing are well known.

Tcpdump is a lightweight network traffic capturing tool working on the command line. It's available for free on most UNIX and Windows systems under the BSD license. It also uses the libcap library to capture packets and creates dumps with the raw packet data. The analysis is left to the user. To control the output and help analyzing it, Tcpdump provides a wide set of parameters. A full list is available at the Tcpdump manual.

It offers a command line interface, which makes it more lightweight. An important feature is, that Tcpdump can decrypt IPsec packets, if the needed secrets are provided. Wireshark can't decrypt any traffic. Tcpdump shows packets directly in the terminal window, without buffering them and by default. Wireshark always buffers packets, which can show them delayed. In terms of needed resources is Tcpdump much more undemanding. Wireshark needs ten times more memory and also much more energy than Tcpdump.

Wireshark offers a graphical user interface and colouring of different protocols. Which is clearly absent in Tcpdump. It's also very easy to apply different filters to captured traffic. Wireshark can save dumps in different files, like ring buffer, while Tcpdump can write one file only. As stated before, it can show current traffic statistics, which Tcpdump can't. Also Wireshark is 2-3% faster at capturing traffic. This can make a difference at high data rates. The biggest advantage of Wireshark is the flexibility in terms on analyzing and saving dumps. This can be changed in Wireshark after the capturing, while in Tcpdump everything has to be specified before you start capturing and can't be changed afterwards.


This comparison shows that both tools have advantages and disadvantages. Wireshark is the more flexible and clearer tool. The GUI makes it easier to understand and very suitable for academic purposes. Tcpdump is more suitable for professional usage, as the dump needs to be clearly specified and it needs less resources. By the features it cannot be said, which tool is the better one. It depends on the use case and the environment to analyze. And also of the knowledge of the user, since Wireshark is more user friendly for academic purposes.

References