Wireshark: Beginner Tips & Tutorial

Introduction

For those unfamiliar with Wireshark: it is an open-source application used to capture the packets travelling across a network and analyze them. What sets Wireshark apart is the ability it gives its users to sort through thousands of packets to find specific network activity, which is why it is so widely used in the IT industry. Typical uses are network troubleshooting, monitoring, securing networks and, not least, learning how networks actually work.

A common misconception about Wireshark is that it will alert users to malicious activity. It does not: Wireshark only captures packets and decodes them, and filters are then applied to make the capture understandable. That does not mean users can't use it to identify such activity. With the right filters and customizations, users can work out what is going on in the network, but the judgement about what is suspicious stays with the analyst.

My goal for this first Wireshark blog is that you, as a reader, will understand more about what Wireshark can do and how it can be customized to suit your needs.


Setup/Install

The installation of Wireshark is fairly straightforward. The installer can be found on the Wireshark website (https://www.wireshark.org/#download); stick to that page rather than third-party mirrors, since a capture tool runs with a lot of access to your machine. The page also offers installers for the different operating systems and older releases of the application.

After downloading, all you need to do is follow the wizard. One important thing to check during installation is that Npcap is installed. Npcap is the packet capture driver Wireshark uses on Windows (on Linux and macOS the equivalent is libpcap, which is already part of the system). Without Npcap, Wireshark will not be able to see any of the network interfaces on your system, and the interface list ends up looking something like this:




If you have installed Npcap with Wireshark and still cannot find any interfaces to capture from, it is most likely that you do not have the necessary permissions. Running Wireshark as an administrator will get around that. The usual cause is that the Npcap installer's option to restrict driver access to administrators was selected; reinstalling Npcap with that option unchecked lets a normal user account capture too. Bear in mind that only the capture driver needs the elevated rights: Wireshark's own guidance is to avoid running the analysis GUI with more privilege than necessary, because its protocol dissectors parse untrusted data straight off the wire.


Customizations

Now that Wireshark is installed and running properly, we can capture some packets on the network.

All it takes to start a capture is to select the interface you want and click the blue shark fin in the upper left corner. Once the capture starts, packets come pouring in and it is hard to keep up with what is going on. Packets belonging to one connection between two systems are not grouped together; each packet is listed at the moment Wireshark sees it on the wire, interleaved with everything else. So looking for a specific packet for a certain protocol or system can feel like finding a needle in a haystack.

This is where Wireshark becomes such a great tool. It lets you customize how packets are presented, which makes life much easier when reading a capture. The customizations I will show you here will make your experience with Wireshark easier and more enjoyable.

The first thing I recommend doing is creating a configuration profile (Edit > Configuration Profiles). A profile saves your preferences, so you won't need to go back into the settings every time you start the application. You can create profiles for a specific user, and you can also create profiles tailored to particular situations, such as one for TCP troubleshooting and another for looking at DNS.



Now that we have a profile set, we can dive into some preferences that will make starting with Wireshark much easier. One of my favorites is the ability to change the layout of the capture window (Edit > Preferences > Appearance > Layout). This lets you choose where each pane sits and what each pane shows. As a beginner to Wireshark, I have a hard time understanding some of the details Wireshark lays out. For instance, in the image below the bottom right pane is the packet bytes pane, a hex and ASCII dump of the raw frame, and honestly I have no idea what any of it means yet.



So in my preferences I have changed that pane to display the packet diagram. Now you can see a breakdown of the packet, which is what makes Wireshark such a great learning tool. A user can look at the diagram and see details about the size, protocol, addressing and much more, and all of that helps to develop a greater understanding of networking.



The next customization I recommend is to change the colors of packets to something easily distinguished. For example, if you wanted to see connections being established on your network, you could change the color of every packet with the SYN flag set to blue. Coloring rules are written with the same syntax as display filters, so anything you can filter on you can also colorize.



As you can see from the screenshot, all the SYN packets have changed color. Another advantage of setting up colors is what it does to the scroll bar. On the right side of the capture you can see a scroll bar with a band of different colors: it is a minimap of the whole capture, showing where each color-coded packet sits. So instead of scrolling through thousands of packets to find a certain SYN packet, you can simply click on the color in the scroll bar and it will jump you there. To change the colors, select View from the menu bar and click Coloring Rules.

Another good way to sort through your captures is to apply display filters to find the network activity you want. There are two ways to do this. One is to right-click on the field you are interested in (for example the Source column of a packet, or the source address in the packet details pane), go to Apply as Filter and click Selected. Wireshark builds the filter from that field, so clicking on a source address yields a filter such as ip.src == <that address> and the capture now only shows packets sent from it. Clicking Not Selected has the opposite effect: it hides every packet from that source IP, which helps narrow down what you are looking at.



The second method is to type the filters in yourself. The field names can be hard to figure out, so below is a table of some that will be useful when analyzing a capture.

Filter example                                Description

ip.addr == 10.0.0.5                           All packets to or from an address. ip.addr matches either the source or the destination field, so this includes packets being sent and received.

ip.src == 192.168.54.4                        Packets sent from an IP address.

ip.dst == 192.168.22.3                        Packets sent to an IP address.

tcp.port == 3006                              Packets using a TCP port as either the source or the destination port.

!(ip.src == 192.168.0.1)                      Exclude all packets sent from a specific IP address.

tcp.flags.syn == 1                            TCP packets with the SYN flag set. Note that this also matches the SYN/ACK reply of a handshake, not only the opening SYN.

tcp.flags.syn == 1 && tcp.flags.ack == 0      Only the opening SYN of a handshake (SYN set, ACK clear).

 

Wireshark allows combining filters. Type the first filter, add "&&" (and) and then the next one; "||" (or) works the same way when either condition is enough. You can also test one field against several values. For example:

tcp.flags.syn == 1 && ip.addr == 192.168.1.2

ip.src == 192.168.1.2 || ip.src == 10.0.0.54

The second one can also be written as ip.src in {192.168.1.2, 10.0.0.54} on Wireshark 4.x. Note that a bare address after && or || is not a valid filter; each side of the operator needs its own field name, otherwise the filter bar turns red and nothing is applied.
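The quickest way to learn what a filter really matches is to run it against a capture whose contents you already know. The script below is an added example, not code from the original post or from the Wireshark project: it builds a small constructed pcap (two made-up hosts, 10.0.0.5 and 192.168.54.4, completing a handshake on port 3006, plus one stray RST from 192.168.0.1) and then applies the same tests Wireshark applies for each display filter in the table, including the combined ones. The function and file names (matching_frames, constructed.pcap) are this example's own.

```python
"""Constructed pcap plus a mirror of the display-filter semantics used above.

Added example, not code from the original post.  The packets are made up:
10.0.0.5 and 192.168.54.4 complete a TCP handshake on port 3006, then
192.168.0.1 sends an unrelated RST.  Open the written pcap in Wireshark and
each filter from the table should select exactly the frames returned here.
"""
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a (checksum-zeroed) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet + IPv4 + TCP header, no payload.  MAC addresses are arbitrary."""
    eth = bytes.fromhex("0011223344550a0b0c0d0e0f") + b"\x08\x00"  # EtherType IPv4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags,
                      65535, 0, 0)  # data offset 5 words; TCP checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(path: str, frames: list) -> int:
    """Classic pcap: magic 0xa1b2c3d4, version 2.4, linktype 1 (Ethernet)."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for n, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_700_000_000 + n, 0, len(frame), len(frame)))
            fh.write(frame)
    return len(frames)


def dissect(frame: bytes) -> dict:
    """Pull out the fields the post's filters use, keyed by their Wireshark names."""
    ip, tcp = frame[14:34], frame[34:54]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
    return {
        "ip.src": src, "ip.dst": dst,
        "ip.addr": {src, dst},       # ip.addr matches *either* address field
        "tcp.port": {sport, dport},  # tcp.port likewise covers both ports
        "tcp.flags.syn": int(bool(flags & SYN)),
        "tcp.flags.ack": int(bool(flags & ACK)),
    }


# Constructed capture, numbered 1..4 the way Wireshark numbers frames.
CAPTURE = [
    tcp_frame("10.0.0.5", "192.168.54.4", 51000, 3006, SYN),        # 1: SYN
    tcp_frame("192.168.54.4", "10.0.0.5", 3006, 51000, SYN | ACK),  # 2: SYN/ACK
    tcp_frame("10.0.0.5", "192.168.54.4", 51000, 3006, ACK),        # 3: ACK
    tcp_frame("192.168.0.1", "10.0.0.5", 40000, 22, RST),           # 4: unrelated RST
]

# Each display filter from the text, paired with the per-packet test Wireshark applies.
FILTERS = {
    "ip.addr == 10.0.0.5":      lambda f: "10.0.0.5" in f["ip.addr"],
    "ip.src == 192.168.54.4":   lambda f: f["ip.src"] == "192.168.54.4",
    "ip.dst == 192.168.22.3":   lambda f: f["ip.dst"] == "192.168.22.3",
    "tcp.port == 3006":         lambda f: 3006 in f["tcp.port"],
    "!(ip.src == 192.168.0.1)": lambda f: not f["ip.src"] == "192.168.0.1",
    "tcp.flags.syn == 1":       lambda f: f["tcp.flags.syn"] == 1,
    # syn == 1 alone also matches the SYN/ACK; ack == 0 keeps only the opening SYN.
    "tcp.flags.syn == 1 && tcp.flags.ack == 0":
        lambda f: f["tcp.flags.syn"] == 1 and f["tcp.flags.ack"] == 0,
    "tcp.flags.syn == 1 && ip.addr == 10.0.0.5":
        lambda f: f["tcp.flags.syn"] == 1 and "10.0.0.5" in f["ip.addr"],
    "ip.src == 10.0.0.5 || ip.src == 192.168.0.1":
        lambda f: f["ip.src"] in ("10.0.0.5", "192.168.0.1"),
}


def matching_frames(display_filter: str, frames=CAPTURE) -> list:
    """Frame numbers (1-based) that the named display filter would show."""
    test = FILTERS[display_filter]
    return [n for n, frame in enumerate(frames, 1) if test(dissect(frame))]


if __name__ == "__main__":
    write_pcap("constructed.pcap", CAPTURE)
    for name in FILTERS:
        print(f"{name:45} -> frames {matching_frames(name)}")
```

Running the script writes constructed.pcap next to it; open that file in Wireshark, or run tshark -r constructed.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0', and only frame 1 should remain, while the bare tcp.flags.syn == 1 keeps frames 1 and 2. The TCP checksums in the generated frames are left at zero; Wireshark does not validate TCP checksums by default, so they show up cleanly unless you have turned that preference on.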

I hope some of these tricks will help you navigate your Wireshark captures. Below is a video of some of these tricks in action, with a couple extra things to help you on your adventure.



