Wireshark: Capture, Filter & Inspect packets within seconds (2016 version)
Wireshark network interfaces

You are about to discover the full potential of Wireshark. In short, Wireshark is a network analysis tool that captures packets in real time, allowing the operator to filter and inspect the captured packets.

Over the last years the Wireshark tool has evolved into a fully functioning and easy to use network analysis tool. It provides a straightforward interface with various advanced options, and the network packets shown in the GUI are color-coded, making it very easy to identify the packets you are looking for.

In this guide, we will take a look on how to use Wireshark to capture, filter and inspect packets within seconds.

Downloading and installing Wireshark

First of all, download your software from legitimate and official sources only. If you do not have Wireshark installed, you will need to download and install the Wireshark application from the official source.

If you are using Ubuntu, you will find the Wireshark network analysis tool in the package repositories. Simply navigate to the Ubuntu Software Center, search for ‘Wireshark’, click Install and follow the instructions.

Interfaces

The network analysis tool uses interfaces to capture traffic; the interfaces are the network adapters that have been detected by the tool.

In order to capture the LAN traffic that is being generated by my machine, I will need to start capturing the ‘Ethernet’ network interface.

Figure: Network interfaces

Double click on the network interface that you want to capture, in my situation, I have to select the ‘Ethernet’ network interface to start capturing my LAN network traffic. If everything is functioning as it should, you should start seeing LAN network traffic in your GUI. It should look something like this.

Figure: LAN network traffic

Colors

Colors explained:

  • TCP traffic: green
  • TCP packets with issues: black
  • UDP traffic: light blue
  • DNS traffic: dark blue

Start sniffing

To fully understand the capabilities of Wireshark, it is important to have network data that you want to inspect. On the official Wireshark website, you will find .pcap files that hold clean network traffic. These capture files use the .pcap format, and Wireshark is capable of both generating and reading .pcap files. If you want to take a real dive into network analysis, you can also try the free .pcap files provided by malware-traffic-analysis. The Malware Traffic Analysis site holds .pcap files of traffic that has shown malicious behaviour.


In this example, we are going to use a .pcap file from the malware-traffic-analysis site. We have chosen a sample that shows exploit kit behavior.

Download the .pcap file from the official site, and double click on the downloaded .pcap file. If everything worked correctly, you should see this screen.

Figure: Malicious traffic example

The exercise challenges us to answer the following questions:

  • What is the host name of the Windows computer that gets infected?
    • Use the NBNS protocol to find the answer.
  • What is the IP address of the Windows computer that gets infected?
    • Once you have found the host name, you will be able to find the IP in the Source tab.
  • What is the MAC address of the Windows computer that gets infected?
    • Click on a packet sent by the infected host, and look for the Src: MAC address.
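As an added example (not code from the original post or from Wireshark), the Python below does the same three lookups the exercise asks for, but programmatically: it builds a constructed NBNS name-registration frame, wraps it in a pcap file, and then parses that pcap to recover the host name, source IP and source MAC. The host name, addresses and pcap are all constructed here and are not values from the malware-traffic-analysis sample.

```python
import struct

# NetBIOS first-level name encoding (RFC 1001): name padded to 15 chars plus a
# one-byte suffix; each byte becomes two letters, one per nibble, offset by 'A'.
def nb_encode(name, suffix=0x00):
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41))

def nb_decode(label):
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_nbns_registration(host, src_mac, src_ip):
    """Constructed NBNS name-registration broadcast (Ethernet / IPv4 / UDP 137)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x2910, 1, 0, 0, 0)  # flags: registration, broadcast
    nbns = hdr + b"\x20" + nb_encode(host) + b"\x00" + struct.pack("!HH", 0x20, 1)
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4) + udp  # checksum left 0
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap container (link type 1 = Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return data

def nbns_hosts(pcap):
    """Return {host name: (source IPv4, source MAC)} for every NBNS packet sent to UDP/137."""
    hosts, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0xF) * 4
        udp = frame[14 + ihl:]
        if frame[23] != 17 or len(udp) < 53:                   # not UDP, or too short
            continue
        if struct.unpack_from("!H", udp, 2)[0] != 137 or udp[20] != 0x20:
            continue                                           # not NBNS, or no 32-byte name
        hosts[nb_decode(udp[21:53])] = (".".join(map(str, frame[26:30])),
                                        ":".join(f"{b:02x}" for b in frame[6:12]))
    return hosts
if __name__ == "__main__":
    cap = build_pcap([build_nbns_registration("lab-pc-01", "00:1a:2b:3c:4d:5e", "10.0.0.25")])
    print(nbns_hosts(cap))  # {'LAB-PC-01': ('10.0.0.25', '00:1a:2b:3c:4d:5e')}
```

Pointing `nbns_hosts()` at a real capture read with `open(path, "rb").read()` gives the same host name, IP and MAC that the `nbns` display filter and the Ethernet II Src: field show in the GUI.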

Useful resources

Malware-Traffic-Analysis.net – The perfect website to deep dive into malware traffic analysis with Wireshark or any other network analysis tool that is capable of reading .pcap files.

Wireshark.org – The official Wireshark site holds a wiki, where you can find answers, tips and guides.

HowToGeek – The HowToGeek tutorial is from 2014, but it still contains useful information.

If you still have questions left, feel free to leave a comment or use the Cyberwarzone forum.
