Sunday, January 13, 2008

Wireshark and the path to network enlightenment

Most network and network security pros know about Wireshark, the protocol analyzer formerly known as Ethereal.

Their website says this about Wireshark:

"Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions."

That's not hubris on their part; Wireshark is an amazing tool. Actually, Wireshark is an amazing set of tools, and not just useful for packet capture and protocol analysis, but also invaluable for learning about networks at the packet level.

In addition to the full GUI version of Wireshark, the suite also includes TShark, the command-line version of Wireshark and:

  • dumpcap is a small program whose only purpose is to capture network traffic, while keeping advanced features like capturing to multiple files

  • capinfos is a program that reads a saved capture file and returns any or all of several statistics about that file

  • editcap edits and/or translates the format of capture files

  • mergecap merges multiple capture files into one

  • text2pcap generates a capture file from an ASCII hexdump of packets
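To make the capture-file side of that suite concrete, here is an added Python example (not Wireshark's own code) that does a toy version of what text2pcap and capinfos do: it parses a constructed text2pcap-style hexdump into frames, writes them as a classic libpcap file, and reads that file back to report packet count, byte total and duration. The sample frames, timestamps and function names are assumptions made for illustration.

```python
import struct

# Constructed sample input in the layout text2pcap reads: a hex offset followed by
# hex bytes; an offset of 000000 starts a new packet. Two Ethernet/IPv4/ICMP frames
# (echo request and reply) with the IPv4 header checksum left at zero (assumption).
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00
000010 00 1c 00 01 00 00 40 01 00 00 c0 a8 01 02 c0 a8
000020 01 01 08 00 f7 ff 00 00 00 00
000000 00 11 22 33 44 55 ff ff ff ff ff ff 08 00 45 00
000010 00 1c 00 02 00 00 40 01 00 00 c0 a8 01 01 c0 a8
000020 01 02 00 00 ff ff 00 00 00 00
"""

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def parse_hexdump(text):
    """Turn a text2pcap-style hexdump into a list of raw frames (bytes)."""
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset, hexbytes = int(fields[0], 16), fields[1:]
        if offset == 0:              # a zero offset begins a new packet
            packets.append(bytearray())
        packets[-1].extend(int(b, 16) for b in hexbytes)
    return [bytes(p) for p in packets]

def write_pcap(packets, first_ts=1200000000.0, gap=0.5):
    """Serialise frames as a classic libpcap file, spacing timestamps by `gap` seconds."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(packets):
        ts = first_ts + i * gap
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def capinfo(data):
    """Summarise a pcap blob the way capinfos does: packet count, bytes, duration."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    pos, count, total, first, last = 24, 0, 0, None, None
    while pos < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, pos)
        ts = sec + usec / 1_000_000
        first = ts if first is None else first
        last = ts
        count, total, pos = count + 1, total + incl, pos + 16 + incl
    return {"packets": count, "bytes": total, "duration": (last - first) if count else 0.0}
```

Writing the bytes returned by write_pcap to a .pcap file gives something Wireshark itself will open, which is a handy way to see how the tools relate to the on-disk format.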

There have been numerous tutorials written on how to use Wireshark/Ethereal and a few books, but I think the best thing to do is download the latest version of Wireshark, install it and start playing.

To perform your first capture, just launch Wireshark, then click Capture > Interfaces. You will see a list of available interfaces; click the Start button next to one showing packet activity. You should now be capturing traffic, so open a web browser and watch for packets to appear in Wireshark. No packets? Don't worry, your card/driver may not support promiscuous mode captures. Just stop the capture, go back to the list of interfaces and click Options instead of Start, then clear the checkbox next to "Capture packets in promiscuous mode" and click Start.

Once you have some web traffic, click Capture > Stop to end the current capture. Now, take a look in the top (Packet List) section, find a packet tagged as HTML in the protocol column, right-click it and select "Follow TCP Stream" and you'll get a text box showing the contents of your capture decoded in (maybe) readable form. Now, start playing with options until you are really confused or hopelessly stuck.

This is when you can dive into a tutorial or book and get a series of "Aha!" moments, and you'll be hooked.

There are a few more very good resources:

You can also check out the introduction to Wireshark presentation (2MB PDF) I delivered to the Boston Area Windows Server User Group.

Once you start poking around with packet captures you will see things you "kinda knew", like three-way handshakes, but displayed in plain text on your monitor, not abstractly wandering around your brain.

The path to network enlightenment awaits you...