Wireshark (formerly known as ethereal) offers a series of different display filters to transform each captured packet into a readable format. This allows users to identify the cause of network security issues and even discover potential cybercriminal activity.
When a packet sniffer is used in ‘promiscuous mode’ users can analyze network traffic regardless of its destination – like a fly on a wall watching office activity. While this empowers IT professionals to perform a quick and thorough diagnosis of network security, in the wrong hands, Wireshark could be used for cyberattack reconnaissance campaigns.
Because you can download Wireshark for free, cybercriminals have liberal access to it, so it’s best security practice to assume the software is currently being used with hostile intentions. Luckily, there are some security measures you can implement to protect against network sniffing.
What is Wireshark Used For?
Packet analysis software like Wireshark is used by entities that must remain informed about the state of security of their network, as such, the software is commonly used by governments, schools, and technology businesses.
Common Wireshark use cases include:
- Identify the cause of a slow internet connection
- Investigating lost data packets
- Troubleshooting latency issues
- Detecting malicious network activity
- Identify unauthorized data exfiltration
- Analyzing bandwidth usage
- Tracing voice over Internet (VoIP) calls over the network
- Intercepting Man-in-the-Middle (MITM) attacks
Wireshark makes all of the above use cases possible by rendering and translating traffic into readable formats – saving users the frustrations of having to translate binary information manually. All of this is done in real-time so that detected issues can be rapidly addressed before they develop into a service outage, or worse, a data breach.
How to Use Wireshark
Before following a Wireshark tutorial, it’s important to understand how networking systems work.
The OSI model (Open Systems Interconnection Model) is a framework that represents how network traffic is transferred and displayed to an end-user. It’s comprised of 7 layers
- Application (Layer 7) – Displays the graphical User Interface (UI) – what the end-user sees
- Presentation (Layer 6) – Formats data to achieve effective communication between networked applications
- Session Layer (Layer 5) – Ensures connections between end-points are continuous and uninterrupted.
- Transports Layer (Layer 4) – Proxy servers and firewalls reside on this layer. Ensures error-free data transfer between each endpoint by processing TCP and UDP protocols. At this layer, Wireshark can be used to analyze TCP traffic between two IP addresses
- Network Layer (Layer 3) – Ensures routing data for routers residing on this network are error-free.
- Data Link Layer (Layer 2) – Identifies physical servers through two sub-layers, Media Access Control (MAC), and Logical Link Control (LLC).
- Physical Layer (Layer 1) – Comprised of all the physical hardware that processes network activity
To use correctly use Wireshark, you must be aware of the different proctors being processed at each OSI layer. This will help you decide which layer should be analyzed for each specific diagnostic requirement.
Here’s a run-through of the protocols being processed at each OSI layer:
- Application (Layer 7) – SMTP, HTTP, FTP, POP3, SNMP
- Presentation (Layer 6) – MPEG, ASCH, SSL, TLS
- Session Layer (Layer 5) – NetBIOS, SAP
- Transports Layer (Layer 4) – TCP, UDP
- Network Layer (Layer 3) – IPV5, IPV6, ICMP, IPSEC, ARP, MPLS.
- Data Link Layer (Layer 2) – RAPA, PPP, Frame Relay, ATM, Fiber Cable, etc.
- Physical Layer (Layer 1) – RS232, 100BaseTX, ISDN, 11.
Each layer is stacked on top of the other and information flows between each layer during network activity.
Even with just a surface-level understanding of the different functions of each layer, you can perform a high-level assessment of networking issues.
For example, if you’re having issues browsing the internet, you can assume that there’s likely an error on the Network Layer (layer 3) since it processes router data.
Wireshark can then be used to further investigate such an assumption. It can confirm which layer is failing and the specific protocols that contain errors.
Now that you’ve established some foundational background knowledge, you will get the most value from the following Wireshark tutorial
If you’re struggling to understand any of the above concepts, you will need to develop some essential skills before using Wireshark.
A thorough understanding of each of the following concepts is a prerequisite to using Wireshark. Each item on the list links out to an article offering more information should you wish to fill any essential knowledge gaps.
- Networking basics
- Mechanics of network packets
- Three-way TCP handshakes
- TCP/IP stack
- TCP protocols
- UDP protocols
- DHCP protocols
- ICMP protocols
- How to read and interpret captured packet headers
- How routing works
- How port forwarding works
Additional Wireshark Eesources
Wireshark offers a wealth of free resources to help you master network analysis with its product.
They can be accessed from the Wireshark website.
How to Protect Against Network Sniffing
The probability of an organization suffering a data breach is rising, and from this, we can infer that network sniffing is also on the rise since they facilitate cyberattacks.