This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This document explains how to use Wireshark and how it works, with a detailed evaluation and demonstration. The main objectives of this report are to show how to operate Wireshark and its powerful features, what its limitations and weaknesses are, what its main purpose is, and how it can be both beneficial and harmful in a network. Finally, what steps are required to safeguard a system using Wireshark?
Wireshark is a great piece of free, open source software for network monitoring and a fantastic packet sniffer. It was created by Gerald Combs, a computer science graduate, during his studies. In the late 1990s it was known as Ethereal, a tool to capture and analyse packets. However, in the summer of 2006 it was renamed Wireshark because of trademark and legal issues.
Wireshark interactively examines and investigates data from HTTP requests, cookies, forms, Ethernet, Token Ring, FDDI, a live network, or a captured file. It can decipher data easily and display it as clearly as possible. It contains some powerful features such as Follow TCP Stream, which shows a reconstructed view of a TCP session, and it can monitor UDP and SSL streams in the same way. Likewise it supports a large number of protocols and media types, and it uses plug-ins to add dissectors for new protocols. It is based on the libpcap library. Tethereal, a tcpdump-like console tool, is included with it. Wireshark is capable of live capture of network packets, offline network analysis and VoIP analysis. It is also a protocol analysis tool.
Wireshark is cross-platform and easy to download and install; it runs comfortably on UNIX (NetBSD, OpenBSD, Apple Mac OS X, etc.), Linux (Debian, Ubuntu, Slackware, etc.) and Windows (XP, Vista, 7, etc.). Wireshark is very similar to tcpdump but it has a GUI. It can also be run in a tty by using TShark, its command-line tool. Wireshark can read packets captured by other sniffers such as WildPackets, Visual Networks Visual UpTime, Snoop, Network General Sniffer, Microsoft Network Monitor, tcpdump, CA NetMaster and many more. Users can create personalised filter strings to reach a granular level of configuration. Wireshark is a top-rated packet sniffer. Its best and most powerful feature is tracking, detecting and decoding data using an enormous array of display filters, which lets the user extract exactly the traffic required. It has a standard built-in three-pane packet browser. Decryption is supported for various protocols such as Kerberos, WEP, IPsec and WPA. Coloring rules are one of the best features: they are applied to the packet list for quick and intuitive analysis. The captured packets can be saved to disk and exported to various formats such as plain text, XML or CSV.
In a network, Wireshark gives access to different Protocol Data Units. It is capable of this because it understands a large number of networking protocols. The basic component of the Wireshark software is the pcap library; on Windows operating systems it is known as WinPcap, and it is what allows Wireshark to capture on the system. Promiscuous mode is a main feature which allows capturing packets across the network; it is the Network Interface Card (NIC) that is put into promiscuous mode. The network administrator must put the correct precautions in place; if not, sniffers like Wireshark pose several security threats to traffic traversing a network. Because of those threats, a Virtual Local Area Network uses reliable protocols such as Secure Shell (SSH), Secure Socket Layer (SSL) and Transport Layer Security (TLS).
2. Mechanism of Wireshark:
Wireshark is preinstalled in many Linux distributions. In BackTrack it is preinstalled and can be used straight away from Start menu / All Applications / Internet / Wireshark. The main purpose of this network analyser is to capture data packets. Wireshark grabs data packets for every single request between the host and server. Nowadays technology is like a gun: it can be used for both good and evil. Wireshark has a number of advantages; for instance, network administrators use it for troubleshooting network problems. Security engineers use Wireshark for examining security problems in a network. Developers use it very often for debugging protocol implementations. Many people use it to learn network protocols. Wireshark can measure data accurately, but it cannot manipulate data.
The following illustration describes the Wireshark function blocks:
Wireshark function blocks.
GTK handles all the requests, i.e. input/output for the windows; its source code is in the gtk folder.
The main core glue code holds the other blocks together; its source code is in the root folder.
EPAN means Ethereal Packet Analyser; it is the packet analysing engine. It consists of the Protocol Tree, Dissectors, Plugins and a vast number of display filters. Source code for EPAN is in the epan folder. The Protocol Tree holds the protocol information of the captured packets. The Dissectors are the many protocol dissectors in the epan/dissectors directory. Some protocol dissectors can be built as plugins to support new protocols; their source code is in the plugins folder. The display filter engine can be found in epan/dfilter.
Wiretap is a library which is mainly used to read and write captured packets in libpcap and other file formats on the hard disk. Its source code is in the wiretap directory.
Capture is the engine that does the capturing. It holds the capture libraries together with platform-independent glue code, and this layering is what lets Wireshark offer both capture filters and display filters.
The Buildbot automatically rebuilds Wireshark for each change to the source code in the repository and reports problematic changes. It provides up-to-date binary packages. It is helpful for bug fixes, and its fuzz tests show problems which are very hard to find. The Buildbot can create binary packages and source packages, and it can also run regression tests.
3. Demonstration and Evaluation:
First, after starting Wireshark Network Analyzer, click on Capture and then select Interfaces as shown in Fig 1. Select the required interface to capture packets. Every interface is provided with Start and Options buttons, as in Fig 2. Start begins capturing data and Options allows configuring the capture options for the interface, as shown in Fig 3.
Capture packets in promiscuous mode:
This option lets the adapter capture packets that are not addressed to this system as well as those that are, so it sees traffic across the network; a network administrator can, however, detect that this is being done.
Limit each packet to:
This option limits the maximum number of bytes captured from each packet (the snapshot length). The size includes the link layer header and all subsequent headers, so leave this option unset to get full frames.
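The snapshot-length point above, and the libpcap file format that wiretap reads and writes, can be seen in the bytes themselves. The following added example (not from the essay or the Wireshark project) writes a constructed frame into a minimal libpcap file with and without a snapshot limit, reads it back, and reports records whose saved bytes are shorter than the frame was on the wire; the frame contents and the 65535 "unset" value are assumptions.

```python
import struct

# libpcap global header (little-endian): magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 65535  # assumed "option unset" value for this example

def write_pcap(frames, snaplen=DEFAULT_SNAPLEN):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into libpcap format.
    Each frame is cut to snaplen bytes, exactly what 'Limit each packet to' does."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        saved = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(frame))
        out += saved
    return bytes(out)

def read_pcap(data):
    """Parse libpcap bytes into (snaplen, [(incl_len, orig_len, payload), ...])."""
    magic, _major, _minor, _tz, _sig, snaplen, _link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records

def truncated_records(data):
    """Indices and lengths of records that lost bytes to the snapshot limit:
    a dissector sees only incl_len bytes, so higher-layer fields may be missing."""
    _, records = read_pcap(data)
    return [(i, incl, orig) for i, (incl, orig, _) in enumerate(records) if incl < orig]

# Constructed sample frame: 14-byte Ethernet header, 20-byte IPv4 header stub, 100 payload bytes.
SAMPLE_FRAME = bytes(14) + bytes([0x45]) + bytes(19) + b"A" * 100  # 134 bytes on the wire

if __name__ == "__main__":
    full = write_pcap([(0, 0, SAMPLE_FRAME)])
    short = write_pcap([(0, 0, SAMPLE_FRAME)], snaplen=64)
    print("full capture truncated records:", truncated_records(full))
    print("snaplen 64 truncated records:", truncated_records(short))
```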
Capture Filters and Capture File:
Capture Filters allow entering specific protocols or addresses so that the number of packets captured is reduced. Capture File lets a file on the system be chosen to save the captured traffic. By default Wireshark uses temporary files and memory to hold captured traffic.
The multiple-files option stores captured data in a number of files instead of a single one. When Wireshark needs to capture for a long time this option is useful. Each generated file name consists of an incrementing number together with the creation time of the captured data.
The stop-after option allows Wireshark to stop capturing once the given number of packets has been captured.
Update list of packets in real time shows captured packets immediately on the main screen, but it slows down the capture process and packet drops can appear. Automatic scrolling in live capture lets Wireshark scroll the packet list automatically to the latest captured data; this option only works when Update list of packets in real time is enabled. Hide capture info dialog hides the capture information while capturing. It is better to disable this option so that you can see how many packets of each protocol are being captured.
Enable MAC name resolution performs MAC layer name resolution while capturing; it is better to enable it. Enable network name resolution performs network layer name resolution; it is better to disable this because Wireshark issues DNS queries to resolve IP addresses. Enable transport name resolution makes Wireshark perform transport layer name resolution.
Data can be captured with (Fig 3) or without (Fig 2) configuring the options. Click the Start button to start capturing packets, but make sure the browser is ready before starting the capture. Now generate some traffic, and it will be captured by Wireshark.
Fig 4: the traffic generated at that instant.
Fig 5: the traffic captured; it contains many protocols such as TCP, HTTP and TLSv1.
As shown in Fig 6 and Fig 7 below, protocols can be filtered by using Filter or Expression. With Filter, traffic is sorted out directly after typing the required addresses. With Expression, the user must select the required fields from the field name list. Finally, click the Apply button on the main screen; only then is the list filtered.
Fig 8 and Fig 9 show the filtered HTTP addresses.
Wireshark grabs data for each and every request between the host and server. Traffic can also be sorted by clicking on Protocol, Time, Source or Destination, but I filtered it by using Expression. In Fig 9 above I selected the (774 http GET) entry, and Wireshark displayed Frame Number, Ethernet, Internet Protocol, Hypertext Transfer Protocol and a few more. Among these, Hypertext Transfer Protocol is very important because it consists of the following data.
User-Agent: Mozilla/…
It provides some more details such as Accept, Accept-Language and a few more, as shown in Fig 9. In Fig 10 the last column consists of a hard cipher; data such as user id, password and cookies will be embedded in that cipher. To view that data, simply click on Analyze and then click Follow TCP Stream, as shown in Fig 11.
The picture above shows all the details in the captured data. This data does not contain a user id and password because it was not a login page. If it had been a login page, the user id and password would be displayed right here. Wireshark has many options such as start capture, stop capture, restart live capture and save capture.
Fig 12 and Fig 13 show how to save the captured data. They also show the packets selected and how many were captured in total. Wireshark can reuse that data for further investigation.
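The reason a login page would show its user id and password in Follow TCP Stream is that plain HTTP carries them as readable text. The following added example (not from the essay or from Wireshark) takes a constructed, reassembled client request of the kind that view shows and reports which credential-bearing headers and form field names travelled in the clear, returning only the names so the audit does not re-expose the values; the host, cookie and form fields are made up for the example.

```python
from urllib.parse import parse_qs

# Headers that carry credentials or session tokens; readable by anyone on the path over plain HTTP.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}

def parse_http_request(stream):
    """Split one reassembled HTTP/1.x request (the client half of a Follow TCP
    Stream view) into request line, lower-cased headers and raw body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def cleartext_exposure(stream):
    """Report which credential-bearing headers and which form field names were
    sent in the clear. Values are never returned, only the names."""
    req = parse_http_request(stream)
    exposed_headers = sorted(h for h in req["headers"] if h in SENSITIVE_HEADERS)
    form_fields = []
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and req["body"]:
        form_fields = sorted(parse_qs(req["body"].decode("iso-8859-1")).keys())
    return {"method": req["method"], "target": req["target"],
            "headers": exposed_headers, "form_fields": form_fields}

# Constructed sample: a login form POSTed over plain HTTP with a session cookie
# attached, as a sniffer anywhere on the path would read it.
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=3f9a1c\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

if __name__ == "__main__":
    print(cleartext_exposure(SAMPLE_LOGIN))
```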