Select the network interface that you want to use for packet capture (eth0, for example), the Link-layer header type (Ethernet), promiscuous mode, a capture filter, a capture file, display options and name resolution options. There’s a lot of information on this screen, so let’s take a minute to examine the options.
If you don’t select “promiscuous” mode, your capture sees only packets addressed to your system, plus broadcast and multicast packets; you won’t see the bulk of the network traffic as it passes by your system. Promiscuous mode is the default behavior for wire sniffing. Specify a file to collect your captured data for offline viewing and analysis. The display options are a matter of personal preference, and you’ll have to find which options suit you. The name resolution options, when checked, instruct Wireshark to attempt name resolution from MAC addresses and from IP addresses. Name resolution makes reading captures easier for those not accustomed to looking at hex codes and dot-notation IP addresses.
Begin your capture by clicking the Start button at the bottom of the Capture Options page. Future captures will use these settings until you return to this page and make changes. Refer to Figure 3 for a sample capture in progress.
Figure 3: Capturing Packets in Wireshark
Stop the packet capture by clicking the Stop Capture menu icon or by selecting Capture->Stop from the menu. This halts the packet capture and saves the information to the file specified on the Capture Options page. You can’t read this file in word processing or text processing programs as is. You also can’t read it at the command line with cat, more, or less. To read your data in other programs, export the captured data to another format (Plain text, CSV, PostScript, XML).
Simple Wireshark Cases
Perhaps you installed Wireshark to figure out where security breach attempts originate or to find network bottlenecks that affect your systems. Let’s take the first situation, attempts on your system, as an example.
During the packet capture, you noticed some dark red entries flash by on the Wireshark screen. Scroll down in the list until you see the red entries. These red entries tell you that there is a serious condition or an error in the capture that you need to investigate. Refer to Figure 4.
Figure 4: Wireshark Displaying Red (Error) Entries in a Packet Capture
As the packet info shows, there was an attempt made on the local system running Wireshark (192.168.1.77) from xenalive (192.168.1.72) in the form of a telnet connection. This is likely someone looking for an easy way into a system that has telnet enabled. You have enough information (system name, MAC address, IP address) to find the culprit and ask him what his purpose is in attempting a connection to your system.
What does a normal connection attempt look like in Wireshark? To answer that question, you have to capture data while such an attempt is in progress. See Figure 5 for an SSH attempt.
Figure 5: Investigating SSH Packets in a Wireshark Capture
You see that the xenalive system made an SSH connection to the local system. SSH is an allowed protocol and you’ll see hundreds of these in a log where you have users connecting to a system.
What about failed attempts on a legitimate protocol? Does Wireshark capture those? Yes and no. Yes, it captures the connection attempts but doesn’t alert or mark them in any special way other than what you saw in Figure 5. Wireshark is not an intrusion detection system. You’ll need to check your system logs for those entries.
# grep Failed auth.log
Oct 28 21:03:25 filer sshd: Failed none for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:28 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:30 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:33 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:36 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:39 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:42 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
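The Python below is an added example, not part of the original article: it turns the grep output above into a per-source summary and flags any source that produces a burst of failed logins. The threshold, the time window, the placeholder year and the extra 192.168.1.80 line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the seven lines above plus one made-up "sshd[pid]:" line.
SAMPLE_LOG = """\
Oct 28 21:03:25 filer sshd: Failed none for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:28 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:30 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:33 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:36 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:39 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:03:42 filer sshd: Failed password for invalid user fred from 192.168.1.72 port 14066 ssh2
Oct 28 21:10:02 filer sshd[2211]: Failed password for alice from 192.168.1.80 port 50122 ssh2
"""

# Accepts "sshd:" and "sshd[pid]:", with or without "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd(?:\[\d+\])?: Failed \S+ for "
    r"(invalid user )?(\S+) from (\S+) port \d+")

def failed_logins(text, year=2000):
    """Yield (time, ip, user, invalid_user) for each failed sshd login."""
    for m in filter(None, map(FAILED.match, text.splitlines())):
        # syslog lines carry no year; `year` is a placeholder (assumption).
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        yield ts, m[4], m[3], bool(m[2])

def flag_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Summarise sources with >= threshold failures inside one window."""
    by_ip = {}
    for event in failed_logins(text):
        by_ip.setdefault(event[1], []).append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = burst = 0
        for end, event in enumerate(events):
            # Slide the window start forward until it spans <= `window`.
            while event[0] - events[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = {"failures": len(events), "burst": burst,
                           "users": sorted({e[2] for e in events}),
                           "invalid_user": any(e[3] for e in events)}
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

On the sample input only 192.168.1.72 is flagged; the single failure from the constructed second host stays below the threshold.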
A Word on Filtering
If you don’t enjoy seeing a lot of ARP traffic in your captures, you can filter it out by adding !arp in the Filter field. You don’t want to delete this information, but it tends to clutter your view.
Wireshark isn’t the perfect network protocol capture and analysis tool but it comes close. And, you can’t beat the price. Next week, come back for more Wireshark, when we look at some advanced features and actual analysis.