Wireshark Introduction

Wireshark is a network protocol analyzer (also called a packet sniffer). It allows the live capture of network traffic and includes many powerful tools to examine, analyze, filter and otherwise manipulate the data. Supporting hundreds of protocols across many network types, Wireshark is a valuable tool for any network administrator and is frequently used for troubleshooting network issues, the detection of malicious or otherwise unwanted traffic and as a means of monitoring the health and performance of a network. It will run on a variety of platforms, including Windows, Linux, BSD, Mac and Solaris. This article will take the reader through a typical installation on the Windows platform and demonstrate simple usage, complete with screenshots and explanations. At the end, links will be provided to further information for those who wish to learn the more advanced features. As mentioned, this tutorial will look at installation of the latest stable version (at the time of writing this is 1.4.2) on a Windows system connected to an Ethernet network. It's important to note that Wireshark isn't restricted to Ethernet networks and supports various other types such as PPP, Token Ring and even IEEE 802.11. More information on the supported feature set can be found at http://wiki.wireshark.org/CaptureSetup/NetworkMedia. As we go through, we talk more about the features Wireshark provides and how they can be used.

Getting Started
Let's start with the initial installation. We're going to install the latest stable version (1.4.2) onto a 32-bit Windows machine. Browse to the Wireshark website, locate the download page and download the appropriate version. Version 1.4.2 weighs in at around 18.3MB.

Installation
During installation a list of components is presented and you're able to uncheck the features you do not wish to install. Unless you know specifically that you won't be using certain components, I recommend you leave them all checked. As you explore Wireshark and what it can do, you may stumble across certain functionality that you may want to use - if they've been uninstalled, you'll be stuck. Besides, playing with the various provided features can be a great way to learn.

WinPcap
Carrying on through the installation, accepting the default values, you'll eventually be asked if you want to install WinPcap. This is the packet capturing API that Wireshark uses to (as the name implies) capture packets. On Unix-like operating system, this is known as libpcap. We need it, so make sure the box is checked and hit the install button.

Success
A WinPcap installer will now appear and it's simply a case of going through, clicking next and agreeing to the terms and conditions. When asked if you want to automatically start the WinPcap driver at boot time, make sure the box is checked and carry on. If all has completed successfully, you now have a fully working copy of Wireshark installed. Let's fire it up and have a look.

Starting Wireshark
This is what you should see when you open it up. The menus along the top provide a whole host of options and a huge amount of functionality. You can see an option in the center of the screen allowing you to open a previously captured file. If you've performed a packet capture previously and want to save it to analyze later, you can do just that: export it to a file and then import it again when it suits you. This is just one of Wireshark's extremely useful features.

Select an Interface
To do this, we first need to define a network interface upon which Wireshark can listen. Click on the Capture menu at the top and select Options.

The following dialog box will appear.

Capture Options
There are a few particular things here worthy of note. Firstly, at the top, you can see the interface. If you have more than one network card, you should be able to select the arrow at the side and choose between them. If you see no interface listed, you may need to update your network card drivers. To the left, we can see our IP address - in this example it's 10.0.2.15. Lower down, we can see the Capture Filter. This is something we are going to come back to, as it will give us a great deal of flexibility when analyzing our captured packets. Towards to the lower right, there are the Display Options. By default, they should all be ticked. If not, do that now. They should be fairly self-explanatory. We want to be able to see the list of captured packets updated in real time, we want the screen to scroll when the number increases and we want to hide a dialog box while that's all happening. That's all we really need to make sure of now, so press Start. If you're connected to the internet, you may see the odd packet captured. But we want to see lots of them. Here, I've opened up my browser and browsed to Google.

You can see immediately that lots of packets have scrolled up the screen and that Wireshark provides a lot of very useful information, including the packet number, the source IP address, destination IP address and the protocol, which in this case is TCP. You can stop the capture by clicking the small icon at the top, fourth from the left with the little red cross on it. Now, how do we make sense of all this? Well, you might be surprised at how simple it really is. Each line is a separate packet and by selecting one, we'll be able to inspect it much more closely. Here, I've selected packet 180. For convenience, I've resized the window so the values below it are easier to see.

In the above screenshot, you can see a list of 4 items in the lower window. The lower 3 correspond to the different "sections" that make up the packet. The bottom one is the TCP header that specifies (amongst other things) to which destination port the packet should be sent. This line also includes the application data. Above it is the IP header that contains the destination IP address and encapsulates the TCP header and application data. Above that is the ethernet frame. If I wasn't using an ethernet network, this would not be present. The top item is simply information supplied by Wireshark and isn't really of any value here. The bottom window displays the raw data, but we're not going to bother with that now. Wireshark has extracted information from that packet and gives it to us in a much more friendly format in the window above.

To view information contained within the TCP header, click the expanding cross next to the relevant list item.

You can see the various fields of the TCP header presented in a readily accessible format. Immediately obvious is the source port, in this case 80. This of course makes sense, as we connected to Google using HTTP which (by default) uses port 80. The destination port is 1106 (though it may be different for you), a randomly selected port by our local machine to send and receive packets on. By checking the source and destination of the packet, I can see that this packet originated from Google's webserver (141.30.3.84) on port 80 and arrived on my local machine (10.0.2.15) on port 1106.

IP Header
Previously, we looked at the TCP header. Now let's turn our attention to the IP header and what it contains.

A few more interesting values are shown here. Besides the source and destination IP address being visible, we can see that the version of IP used is 4 and that the header length is 20 bytes. In addition, there's even a field that defines which protocol the IP header is encapsulating - in our case, TCP. All useful information that could potentially be used for constructing filters. Now that we've gone over a basic capture and how to view all the information contained within individual

packets, let's look at how we can filter the packets. We'll stick with our Google capture for the time being. Say we only want to view the packets that originate from Google and NOT the ones that originate from our local machine. How can we do that? Simple.

As you can see, I've entered a capture filter in the box above where the packets are listed:
ip.src == 141.30.3.84

It's fairly self-explanatory and effectively just tells Wireshark to display all packets that have a source IP address of 141.30.3.84. After pressing Enter, the list of captured packets instantly changes to show only the packets we want to see. Clearly, the use of filters could be extremely useful. If you're running Wireshark on a big corporate network and are seeing thousands of packets fly past each second, you can't possibly pick out the ones you want - particularly not in a live capture. But by using a filter, it's easy. You can filter based on a huge number of things: source, destination, protocol, port, subnet, flags and much, much more. http://wiki.wireshark.org/CaptureFilters provides more information on how to construct these filters. Clicking the Expression button next to the filter box can also help you construct them, although it won't be discussed in this particular article.

The TCP Handshake

This section was deemed appropriate as it could prove useful for people new to Wireshark. All users of Wireshark should be able to identify a TCP handshake. In the past, I've needed to determine whether a TCP handshake is taking place or whether something - be it suspicious routing, a misconfigured firewall or a faulty network card - is preventing it. So how can we check? Take a look at the next screenshot. I've begun a new live capture and established a new connection to Google. Since a TCP handshake takes place at the very beginning of any TCP connection, we want to concentrate on the first few packets.

Let's have a look at those first few packets, one by one. 1. Clearly a DNS query, my computer (10.0.2.15) asking the DNS server (208.67.222.222) to resolve www.google.co.uk. 2. The reply from the DNS server, complete with the IP address for Google (173.194.37.104). 3. The first packet making up the TCP handshake. The SYN packet my computer sends to Google. 4. Google sends back a SYN ACK packet (that is, a packet with the SYN and ACK flags set - expand the TCP header as we did before to examine it in greater detail) 5. Finally, my computer completes the handshake by sending back an ACK. My computer and Google's server are satisfied that the connection is established and the transfer of data commences. So there we have it, a good example of a 3-way handshake. If you're not already familiar with the workings of TCP, its flags and so on, a bit of practice identifying them and working out what the packet does will soon become a lot easier. As with all things, practice is the key!

What's Next?
So what's next? Well, that's for you to decide. In this tutorial, we barely even scratched the surface of what Wireshark can do. It has been to give you an idea of how Wireshark operates and what it's capable of. The best way of learning something new is to strike out on your own, experiment and read all you can about it. Here are a few ideas to take things further, however: * Fire up Wireshark while sending email using a client such as Microsoft Outlook or Thunderbird. What can you see? Which protocols are they using? Are you able to read any of the messages? * What can you see when making an encrypted connection? What happens when you use SSH? * Run Wireshark and ping something. Ping doesn't use TCP or UDP, so what do you see? * If you come across any strange packets (and believe me, there are lots of strange packets flying around out there), investigate them. What are they? What protocol are they using? What kind of device may have sent it?