What is Wireshark and how to use it | Cyber ​​Security | CompTIA (2023)

Few tools are as useful to IT professionals as Wireshark, the network packet capture tool. Wireshark helps you capture network packets and display them at a granular level. Once these packages are broken down, you can use them for real-time or offline analysis. With this tool, you can take a close look at your network traffic and then filter and break it down, get away from the root cause of problems, support network analysis and ultimately network security. In this free Wireshark tutorial, you'll learn how to capture, interpret, filter, and examine data packets for effective troubleshooting.

What is Wireshark?

Wireshark is a network protocol analyzer or application that captures packets from a network connection, e.g. B. from your computer to your home office or the Internet. Packet is the name given to a discrete unit of data on a typical Ethernet network.

Wireshark is the world's most widely used packet sniffer. Like any other packet sniffer, Wireshark does three things:

1. Packet Capture:Wireshark eavesdrops on a network connection in real time and then captures entire streams of traffic, potentially tens of thousands of packets at a time.
2. Filtration:Wireshark can slice all this random data live using filters. Applying a filter gives you exactly the information you need to see.
3. Display:Wireshark, like any good packet sniffer, allows you to dive right into the middle of a network packet. It also allows you to visualize entire conversations and network flows.

Figure 1: Visualization of a packet capture in Wireshark

Packet sniffing can be compared to caving: going into a cave and wandering around. People who use Wireshark on a network are like people who use flashlights to see what interesting things they can find. Finally, when you use Wireshark over a network connection (or a flashlight in a cave), you are effectively using a tool to find tunnels and tubes to see what you can see.

What is Wireshark used for?

Wireshark has many uses, includingNetwork troubleshootingThey have performance issues. Cybersecurity professionals often use Wireshark to trace connections, view the content of suspicious network transactions, and identify bursts of network traffic. It's an important part of any IT professional's toolkit, and hopefully the IT professional has the knowledge to use it.

When to use Wireshark?

Wireshark is a secure tool used by government agencies, educational institutions, businesses, small businesses, and non-profit organizations to troubleshoot network problems. Also, Wireshark can be used as a learning tool.

Those new to information security can use Wireshark as a tool to analyze network traffic, understand how communication occurs when specific protocols are involved, and where it fails in specific problems.

Of course, Wireshark can't do everything.

First, it can't help a user who has poor understandingnetwork protocols.No tool, no matter how great, is a very good replacement for knowledge. In other words, to use Wireshark successfully, you must learn exactly how a network works. This means understanding things like the TCP three-way handshake and various protocols including TCP, UDP, DHCP, and ICMP.

Second, under normal circumstances, Wireshark cannot get traffic from every other system on the network. On modern networks that use what are known as switches, Wireshark (or any other standard packet capture tool) can only eavesdrop on the traffic between your local computer and the remote system you are communicating with.

Third, while Wireshark can display bad packets and apply color codes, it doesn't actually have any warnings; Wireshark is not an Intrusion Detection System (IDS).

Fourth, Wireshark cannot help decrypt encrypted traffic.

Finally, it is quite easy to spoof IPv4 packets. Wireshark can't really tell you if a specific IP address it finds in a captured packet is real or not. This requires a little more knowledge on the part of an IT professional, as well as additional software.

Common Use Cases for Wireshark

Here's a high-level example of how a Wireshark capture can help pinpoint a problem. The following figure shows a problem on a home network where the Internet connection was very slow.

As the figure shows, the router considered a common target unreachable. This was discovered by digging into IPv6 Internet Control Message Protocol (ICMP) traffic, which is highlighted in black. In Wireshark, any packet marked as black is considered a problem.

Figure 2 Drilling Down into a Packet to Identify a Network Problem with Wireshark

In this case, Wireshark helped determine that the router was malfunctioning and couldn't find YouTube very easily. Resetting the cable modem resolved the issue. Of course, while this particular issue didn't require the use of Wireshark, it's fine to close the issue with authority.

If you look back at the bottom of Figure 2, you'll see that a specific package is highlighted. This shows the ins and outs of a TCP packet that is part of a TLS (Transport Layer Security) conversation. This is a great example of digging into the captured packet.

Using Wireshark doesn't allow you to read the encrypted content of the packet, but it can identify the version of TLS that the browser and YouTube are using to encrypt things. Interestingly, the encryption has changed to TLS version 1.2 during the eavesdropping.

Wireshark is often used to identify more complex network problems. For example, if a network experiences too many retransmissions, congestion can occur. By using Wireshark, you can identify specific transmission problems as shown in Figure 3 below.

Figure 3: Viewing packet flow statistics using Wireshark to identify retransmissions

By confirming this kind of problem, you can reconfigure or change the router to speed up the traffic.

How to use Wireshark

You can download Wireshark for free atwww.wireshark.org. It is also freely available as an open source application on theGNU General Public Licenseversion 2.

How to install Wireshark on Windows

If you are a user of the Windows operating system, download the appropriate version for your particular version. For example, if you are using Windows 10, grab the Windows 64-bit installer and follow the wizard to install it. You need administrator rights for installation.

How to Install Wireshark on Linux

if you have oneSistema Linux, install Wireshark in the following order (note that you need root privileges):

$ sudo apt-get install Wireshark

$ sudo dpkg-reconfigure wireshark-common

$ sudo usermod -a -G Wireshark $USER

$ newgrp Wireshark

After completing the steps above, log out and back in, then start Wireshark:

$ Wireshark y

How to Capture Packets with Wireshark

Once you've installed Wireshark, you can start capturing network traffic. But remember: to capture packets, you must have the appropriate permissions on your computer to put Wireshark in promiscuous mode.

• On a Windows system, this usually means you have administrator access.
• On a Linux system, this usually means you have root access.

As long as you have the correct permissions, you have several options to actually start the ingestion. The best way is to select Capture >> Options in the main window. This will open the Capture Interfaces window as shown in Figure 4 below.



Figure 4: The Capture Interfaces dialog in Wireshark

This window lists all available interfaces. In this case, Wireshark offers several to choose from.

For this example, we choose the Ethernet 3 interface, which is the most active interface. Wireshark visualizes the traffic by showing a moving line that represents the packets on the network.

Once the network interface is selected, simply click the Start button to start capturing. At the beginning of the acquisition, it is possible to see the packets appearing on the screen as shown in Figure 5 below.



Figure 5: Wireshark Captures Packets

When you have entered all the packages you want, just click the red square button above. Now you need to examine a static packet capture.

What does color coding mean in Wireshark?

Now that you have some packages, it's time to figure out what they mean. Wireshark attempts to help you identify packet types by applying sensitive color coding. The following table describes the default colors for the main package types.

Color en Wireshark	package type
Pours purple	TCP
Light Blue	UDP
Negro	packets with errors
light green	http traffic
Light yellow	Windows-specific traffic, including Server Message Blocks (SMB) and NetBIOS
dark yellow	routing
dark gray	TCP SYN, FIN, and ACK traffic

The default color scheme is shown in Figure 6 below. You can see it by going to View >> Color Rules.



Figure 6: Default Color Rules

You can even change the default settings or apply a custom rule. If you don't want to color anything, go to View and then click Colorize Package List. It's a lever. So if you want to recolor, just go back and click Colorize Package List again. It is even possible to color specific conversations between computers.

In Figure 7 below, you can see standard UDP (light blue), TCP (light purple), TCP handshake (dark grey), and routing traffic (yellow).



Figure 7: Show Color Packets in Wireshark

However, you are not limited to interpreting based solely on color. It is possible to view the input/output (I/O) statistics of a complete packet capture.

Simply go to Statistics >> I/O Graph in Wireshark and you will see a graph similar to the one shown in Figure 8.

(Video) [Hindi] What is wireshark | Complete wireshark tutorial | Introduction



Figure 8: Ingress/Egress Traffic Graph Display in Wireshark

This particular graph shows the typical traffic generated by a home office. The spikes in the graph are bursts of traffic caused by the generation of aDistributed Denial of Service (DDoS)-Angriffwith some Linux systems.

In this case, three large bursts of traffic were generated. Cybersecurity professionals often use Wireshark as a quick and dirty way to identify traffic spikes during attacks.

It is also possible to capture the amount of traffic generated between one system and another. If you go to Statistics and then select Conversations, you will see a summary of the conversations between the endpoints as shown in Figure 9 below.



Figure 9 Display of Terminal Conversations in Wireshark

In the above case, Wireshark was used to see if an old device could be traced from MCI communications running on a customer's network.

It turned out that the client did not even know that this device was on the network. So it was removed to helpMake the network a little more secure.Also note that this network connection sees a lot of traffic to Amazon (then it manages a server on AWS) and Box.com (then Box for system backup).

In some cases, it is even possible to use Wireshark to identify the geographic location of source and destination traffic. If you click the Map button at the bottom of the screen (see Figure 9 above), Wireshark will show you a map (Figure 10) with the best estimate of the location of the IP addresses it has identified.



Figure 10: Viewing geographic estimates in Wireshark

Because IPv4 addresses are easily spoofed, you cannot completely trust this geographic information. But it can be quite accurate.

How to filter and inspect packets in Wireshark

You can apply Wireshark filters in two ways:

1. In the display filter window at the top of the screen
2. Highlighting a package (or part of a package) and right-clicking on the package

Wireshark filters use key phrases like the following:

You can also use the following values:

Valid filter rules are always colored green. If you make a mistake in a filter rule, the box will turn bright pink.

Let's start with some basic rules. Suppose you want to see packets that only contain the IP address 18.224.161.65 somewhere. I would create the following command line and paste it into the filter window:

ip.address == 18.224.161.65

Figure 11 shows the results of adding this filter:

Figure 11: Applying a filter to a capture in Wireshark

Alternatively, you can tag a packet's IP address and then create a filter for it. After selecting the IP address, right-click and then select the Apply as filter option.

You will then see a menu with additional options. One of them is called Selected. If you choose Selected, Wireshark will create a filter that only shows packets with that IP address.

You can also choose to filter a specific IP address using the following filter, also shown in Figure 12:

!IP address==18.224.161.65

Figure 12: Filtering a specific IP address in Wireshark

You are not limited to just IPv4 addresses. For example, if you want to see if a specific computer is up and using an IPv6 address on your network, you can open a copy of Wireshark and apply the following rule:

ipv6.dst == 2607:f8b0:400a:15::b

The same rule is shown in Figure 13.

Figure 13: Applying an IPv6 filter in Wireshark

This system is clearly alive and well and talking on the net. There are many possibilities.

Additional filters include:

As you can see, Wireshark is a powerful application.

Do you want to know more about Wireshark?

If you want to dig a little deeper, check out the hour-long webinar titled below.Using Wireshark: A Practical Demonstration. It's available on demand - all you have to do is sign up and you'll be able to watch the video.

And the following table provides links to Wireshark as well as actual packet captures that you can use to learn more. You can even download a quick "Cheat Sheet" in PDF format from Packetlife.net.

Red CompTIA+,CompTIA Security+y CompTIA-Cybersicherheitsanalyst (CySA+)They all cover Wireshark and network packet capture, as well as other computer networking and cybersecurity topics.Online training tools like CompTIA CertMasterto be able to help.Learny CompTIA Laboratoriesit can help you improve your skills before becoming certified.Download the exam objectivesto see for free which certification is right for you.

Read more about internet security.