Managing and keeping tabs of network traffic on Linux
Traffic inspection with Wireshark
As always, we’re leaving the best for the last. Wireshark is different from all the tools you’ve seen so far. It’s much harder to use, basically because it requires intimate knowledge of TCP/IP and many network concepts. It’s also harder to use because there’s no simple “overview” that you can derive from using Wireshark: it’s down-to-the-wire details all the way.
Which makes it brutally useful to diagnose problems where identifying network chatter is essential to figuring out what is going wrong. Check this screenshot out to see what I mean:

Network chatter, as I was saying, is what Wireshark’s all about:
1) Each row in the first pane displays an overview of one packet that Wireshark has captured.
2) The second pane provides a dissection of whatever packet is selected in the first pane, down to the individual bits and what each one means.
3) The third pane shows the actual packet contents in hexadecimal and textual views.
There’s another view that warrants further attention. For most packets, you can right-click on any packet listed on the first pane, and choose an option titled Follow TCP stream:

Sorry about the blur you see on this screenshot, but I had to black out certain areas lest I be hacked like a steak. The point of the screenshot is to show you one of the essential features of Wireshark: network chat in real-time. In this shot, text colored in red was sent by the initiating host, while text colored in blue was sent by the responding host.
In short, Wireshark will capture network traffic from any host and to any host that crosses your Ethernet (or wireless) connections. It’s one of those tools that “remove the magic factor” from computers, because it lets you see, in real-time, what the hell your computer (and others) is doing with your network connection.
As of now, I’m not sure if you perceive the looming danger with Wireshark. It’s practically the reason all secure network protocols use encryption (OK, technically it’s malicious Wireshark users sitting on network routers). Encrypted protocols appear mostly as gibberish to Wireshark. Unencrypted protocols, like HTTP and Telnet, do not. That’s why I had to blur my screenshot.
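To make the three panes and the "Follow TCP stream" view concrete, here is an added example (my own code, not anything from the post or from the Wireshark project) that does in miniature what Wireshark does: it builds a few constructed Ethernet/IPv4/TCP frames, dissects the headers the way the middle pane does, groups the segments into a conversation, orders each direction by sequence number so out-of-order capture does not scramble the transcript, and labels each chunk by the host that sent the first packet (the red/blue split in the screenshot). A small printable-byte heuristic shows why a plaintext HTTP exchange is readable while a TLS-like byte stream is not. The addresses, ports, MACs and HTTP text are all constructed sample values; checksums are left at zero because nothing here sends the frames.

```python
"""Miniature packet dissector and TCP stream follower over constructed frames."""
import struct
from collections import defaultdict

# Constructed endpoints for the sample capture (not real hosts).
CLIENT, SERVER = ("10.0.0.2", 40000), ("10.0.0.1", 80)
REQ1 = b"GET / HTTP/1.1\r\n"
REQ2 = b"Host: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def ip_bytes(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, seq, payload):
    """Construct an Ethernet II / IPv4 / TCP frame carrying payload.
    MACs are placeholders and checksums are zero: this is sample data, not a capture."""
    src_ip, sport = src
    dst_ip, dport = dst
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)              # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    # data offset 5 words, flags PSH|ACK (0x018), window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x018, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame):
    """Pull apart one frame like Wireshark's middle pane (IPv4 over Ethernet, TCP only)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    if frame[ip_off + 9] != 6:
        raise ValueError("only TCP is handled in this example")
    src_ip = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    dst_ip = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[tcp_off:tcp_off + 14])
    data_off = (off_flags >> 12) * 4
    payload = frame[tcp_off + data_off:ip_off + total_len]
    return {"src": (src_ip, sport), "dst": (dst_ip, dport), "seq": seq,
            "flags": off_flags & 0x1FF, "payload": payload}


def follow_tcp_stream(frames):
    """Group data-bearing segments by connection and return, per connection, a list of
    (who, payload) in capture order, with each direction re-sorted by sequence number.
    'client' is whichever endpoint sent the first packet seen for that connection."""
    streams = defaultdict(list)
    for f in frames:
        p = dissect(f)
        if p["payload"]:                                 # skip pure ACKs
            streams[tuple(sorted([p["src"], p["dst"]]))].append(p)
    result = {}
    for key, pkts in streams.items():
        client = pkts[0]["src"]
        labels, by_dir = [], {"client": [], "server": []}
        for p in pkts:
            who = "client" if p["src"] == client else "server"
            labels.append(who)
            by_dir[who].append(p)
        queues = {who: iter(sorted(ps, key=lambda p: p["seq"])) for who, ps in by_dir.items()}
        result[key] = [(who, next(queues[who])["payload"]) for who in labels]
    return result


def looks_plaintext(data, threshold=0.9):
    """True when nearly every byte is printable ASCII or whitespace (what you get
    from HTTP or Telnet); encrypted payloads fail this test."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and printable / len(data) >= threshold


def sample_capture():
    """Constructed capture: the second request segment arrives before the first."""
    return [
        build_frame(CLIENT, SERVER, 1000 + len(REQ1), REQ2),
        build_frame(CLIENT, SERVER, 1000, REQ1),
        build_frame(SERVER, CLIENT, 5000, RESP),
    ]


if __name__ == "__main__":
    for key, convo in follow_tcp_stream(sample_capture()).items():
        print("stream", key)
        for who, chunk in convo:
            marker = "C>" if who == "client" else "<S"   # stand-in for red/blue
            print(marker, chunk.decode("ascii", "replace").rstrip())
    print("HTTP readable:", looks_plaintext(RESP))
    print("random bytes readable:", looks_plaintext(bytes(range(256))))
```

Running it prints the request and response in conversation order even though the capture has the request's two segments swapped, which is the part of "Follow TCP stream" that makes it usable on real traffic. Real captures also need handling of retransmissions, overlapping segments and the three-way handshake, none of which this toy attempts.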
However bad you think it is that tools like this are widely available, you cannot deny their usefulness. Without it, I’d be out of a job — keep in mind that my job does not include network penetration testing, yet I still find myriad uses for Wireshark.
I’m getting too political now. Just grab it and use it. If you don’t, you’ll never know what you were missing. If you do, you might learn a thing or two about network security you didn’t know were there.
The wrap-up
OK, that’s about everything you must know if you want to diagnose a network problem. I’m not going to show you the evil tools now (hey, Wireshark is borderline evil and outright illegal in Germany), but rest assured at some point I will show you how to use them as well.
In the meantime, back to my evil deed… I mean, day job.
August 23rd, 2007 at 10:28
[...] Read more here [...]
August 27th, 2007 at 7:39
[...] and keeping tabs of network traffic on Linux Rudd-O’s got a great article about the above, complete with strangely large font choices, but good [...]