The Usage Of Wireshark Computer Science Essay

This document explains the usage of WIRESHARK, its mechanism, its detailed evaluation and demonstration. The main objective behind this report is to operate Wireshark with its powerful features, what are the limitations / Weaknesses. This document also describes the main purpose of Wireshark along with its benefits and disadvantages in a network. Finally the steps that are required to safeguard the system by using Wireshark are also dealt.

Table of Contents

Overview …….…………..………………………………………………………………………………………. 4

Mechanism of Wireshark ………………………………………………………………………………… 5

Demonstration and Evaluation .………………………………………………………………………. 6

Limitations / Weaknesses .………………………………………………………………………………. 15

Steps to Protect System …………………………………………………………………………………. 15

Literature Review …….…………………………………………………………………………………… 16

Conclusion ……………………………………………………………………………………………………. 17

References ……………………………………………………………………………………………………. 18

1. Overview:

Wireshark is a great piece of free open source software for network monitoring and it is a fantastic packet sniffer. It was created by Gerald Combs a computer science graduate during his education period. In late 1990’s it was known as Ethereal which was used to capture and analyse packets. However in 2006 summer due to some trademark and legal issues it was renamed to WIRESHARK.

Wireshark interactively examines and investigates data from http requests, Cookies, Forms, Ethernet, Token-Ring, FDDI, live network, or a captured file. It can easily decipher data and displays it as clear as possible. It does contain some powerful features like TCP Stream which allows viewing reconstructed stream of TCP session and it also has the capability to monitor UDP and SSL streams. In the same way it allows number of protocols and media types. Wireshark uses plug-ins to eliminate new protocols. It is based on libpcap tool. Tethereal is a tcpdump like console which is included in it. It is capable of performing live capture of network packets, offline network analysis and VoIP analysis. It is also used as protocol analysis tool.

Wireshark is cross platform, easy to download and install. It comfortably runs on UNIX (NetBSD, OpenBSD, Apple Mac OS X, etc.), LINUX (Dedian, Ubuntu, Slackware, etc.), Windows (Xp, Vista, 7, etc.). Wireshark is very similar to tcp dump and it can also work with GUI. It can be executed in tty mode by using Tshark as a command line tool. It can also access packets captured from other sniffers such as Wild Packets, Visual Networks Visual UpTime, Snoop, Network General Sniffer, Microsoft Network Monitor, tcp dump, CA NetMaster and many other. Users can create personalized filter strings to attain granular level of configuration. Wireshark is a top rated packet sniffer. The best powerful feature of Wireshark is tracking, detecting and decoding data by using enormous array of display filters, which allows user to extract the exact traffic required. It has a standard built in three-pane packet browser. Various protocols like Kerberos, WEP, IPsec and WPA are supported for decryption. Coloring rules is one of the best features that applied for quick and intuitive analysis of packet list. The captured data packets can be saved to disk and that can be exported to various formats such as plain text, xml, or CSV.

In a network Wireshark enables to access different Protocol Data Units as it understands number of networking protocols. The Basic part of Wireshark software is pcap tool, but when dealt withnwindows operating systems it is known as Wincap which allows Wireshark to run on the system. Promiscuous Mode is a main feature of Wireshark which allows capturing packets across the network. It works in promiscuous mode by Network Interface Card (NIC). The network administrator must either place the correct precautions or sniffers like Wireshark which poses several security threats that traverse across a network. Because of those threats Virtual Local Network uses some reliable protocols like Secure Shell (SSH), Secure Socket Layer (SSL), and Transport Layer (TLS).

2. Mechanism of Wireshark:

Wireshark is a preinstalled tool used in many Linux distributions. However in Backtrack it is a preinstalled and can be used directly from the start menu/ All Applications/ Internet / Wireshark. The main purpose of this network analyser is to capture data packets. Wireshark grabs data packets for every single request between the host and server. Now a day’s technology is like a Gun, much more sophisticated as it can use for both good and evil. Wireshark has number of advantages, for instance, network administrators use it for trouble shooting network problems. Security engineers use it for examining the security problems in a network. Developers use it very often for debugging protocol implementations. Most of the folks use it to learn network protocols. Wireshark can measure data in a perfect manner but it cannot manipulate data.

The following illustration describes the Wireshark function blocks:

Wireshark function blocks.

Source: http://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html

GTK 1/2:

GTK handles all the requests (i.e) input/output for windows and it does contain source code in gtk folder.

Core:

The main core glue code holds the extra blocks together in which the source code is available in root folder.

Epan:

Epan means Ethereal Packet Analyser, it is a data packets analysing engine. It consists of Protocol Tree, Dissectors, Plugins and vast number of display filters. Source code for EPAN is available in epan folder. Protocol Tree holds the protocol information of the captured packets. Dissectors consist of number of protocol dissectors in epan/dissectors directory. Some protocol dissectors can be executed as plugins to eliminate new protocols where as its source code is available in plugins. Display Filters can be found in epan/dfilter directory and these are also display filter engine.

Wiretap:

The wiretap is a library which is mainly used to read and write captured packets to libpcap and other file formats on harddisk. Source code is available in wiretap directory.

Capture:

Capture is an engine which has captured data. It holds captured libraries which are platform independent. As a result Wireshark has number of display and capture filters.

Builtbot:

The Buildbot automatically reconstructs Wireshark for the changes occurred in repositories source code and brings up some problematic changes. It provides up to date binary packages. It is helpful for bugfix and fuzz test and it also shows problems which are very hard to find. Buitbot can create binary package and source package. It can also run regression tests.

3. Demonstration and Evaluation:

Capturing Packets:

After logging in to Wireshark Network Analyses, click on Capture then select Interfaces as shown in Fig 1. Select the required interface to capture packets. Every interface will be provided with Start and Options as in Fig 2. Start allows capturing data and Options button allow configuring the options in the interface as shown in Fig 3.

Fig 1

C:UsersNarenDesktop1.png

Fig 2

C:UsersNarenDocumentsNarenStudy PlaceBack UpNarenWireshark1 (3).png

Fig 3

C:UsersNarenDesktop3.png

Capture packets in promiscuous mode:

This option lets the adaptor to capture packets not only within system but also across the network but network administrator can know about this.

Limit each packet to:

This option limits the maximum number of bytes to capture from each and every packet. The size includes the link layer header and other subsequent headers, so this option is generally left unset to get full frames.

Capture Filters and Capture File:

Capture Filters allow only specific type of protocols to enter so that it reduces amount of packets to capture. Capture File allows a file from the system to save the captured traffic. Wireshark by default uses temporary files and memory to capture traffic.

Multiple files:

This option stores captured data to number of files instead of a single file. When Wireshark needs to capture for a long time this option is useful. The generated file name consists of an incrementing number with the creation time captured data.

Stop Capture:

This option allows Wireshark to stop capturing after the given number of packets has been captured.

Display Options:

Update list of packets in real time option saves captured files immediately to the main screen but it slows down the capture process and packet drops can be appeared. Automatic scrolling in live capture automatically allows Wireshark to scroll the packet list (i.e.) the latest captured data. This option will work when update list of packets in real time is enable. Hide capture info dialog is to hide the information while capturing. It is better to disable this option to understand packets being captured from each protocol.

Name Resolution:

Enable MAC name resolution is to perform the mac layer name resolution by enabling it while capturing data. Enable network name resolution performs the network layer name resolution. It is better to disable this because Wireshark issues DNS quires to resolve IP protocols. Enable transport name resolution this attempts Wireshark to perform transport layer transport name resolution.

Data can be captured with (fig3) or without (fig2) configuration the options. Click in start button to start the capturing packets. But it is better to keep the browser ready before starting the capture. Now generate some traffic and that will be captured by Wireshark.

Fig 4 This was the traffic generated at that instance

C:UsersNarenDocumentsNarenStudy PlaceBack UpNarenWireshark1 (4).png

Fig 5 This was the traffic captured and it has many protocols like TCP, HTTP and TLSv1 etc.

C:UsersNarenDocumentsNarenStudy PlaceBack UpNarenWireshark1 (5).png

As shown in below fig 6, 7 protocols can be filtered by using Filter or Expression. Filters can directly sort out after typing the required addresses. But coming to Expression user must select the required addresses from the field name. Finally click Apply button on main screen, then only it will be filtered.

Fig 6

C:UsersNarenDocumentsNarenStudy PlaceBack UpNarenWireshark1 (6).PNG

Fig 7

The following Fig 8, Fig 9 shows the filtered HTTP addresses

Fig 8

Fig 9

Wireshark grabs data for each and every request between the host and server. Traffic can also be sorted by clicking on Protocol, Time, Source and Destination. But in above Fig 9 it was filtered by using Expression. In the above Fig 9 (774 http GET) address was selected and then Wireshark displayed Frame Number, Ethernet, Internet Protocol, Hypertext Transfer Protocol and few more. Among Hypertext Transfer Protocol is very important because it consists of the following data.

GET /webapps/SHU-pmt-bb…../bullets……

Host: shuspace.shu.ac.ukrn

User – Agent: Mozilla/…..

It provides some more details like Accept, Accept – Language and few more as shown in Fig 9. In Fig 10 there is column at last which consists of hard cipher. Data like user id, password and cookies etc. will be embedded in that cipher. To view that data simply click on Analyze and next click Follow TCP Stream as shown in Fig 11.

Fig 10

Fig 11

The above picture shows all the details in the captured data. The data in the Fig 11 doesn’t contain user id and password because it was not login page. If it is the login page means here itself the user id and password will be displayed. Wireshark can also grab data from forms and examine cookies. Wireshark has so many options like start capture, stop capture restart live capture and save capture etc. Fig 12 and 13 shows how the captured data can be saved. It also shows the number of packets selected and captured by it. Wireshark can reuse that data for further investigation. It allows adding a new capture type to libpcap. When Tap interface is added to Wireshark, it can produce protocol statistics.

Fig 12

Fig 13

4. Limitations / Weaknesses:

Some sniffers have the best feature, metrics of network traffic can be counted without storing captured packets because some host may have tremendous amount of traffic and required to monitor for a long time without causing conflicts like inbound or outbound traffic. Bounce diagrams are very helpful to view TCP traffic but in Wireshark TCP Tap listener must be included to draw bounce diagrams. If Wireshark allows pair of Ethernet interfaces then it will be easy to test network latency. When comparing captures manually it is better to include SHA1, CRC and MD5 on protocols so that packet corruption can be eliminated.

Wireshark required adding automatic update feature to Win32 for every month to update security features. Properties of the last used interface (MAC and IP etc.) must be made available so that it is easy to use variables. Wireshark must be able to capture an interface which is not in existence presently so that it can start capturing immediately after creating of that preferred interface and similarly to capture from USB and FireWire on platforms which are supported. It must also have a compressor to compress data while writing to harddisk. In recent times Wireshark was becoming popular in security bulletins because of several security related bugs.

Protecting the system:

Network administrators use Wireshark for troubleshooting the network problems. Protocol examination is a procedure used to notice in a real time. The raw data sent across the network interface is helpful for network arrangement and troubleshooting. Wireshark is used to monitoring distributed application and that monitored data can be used for detecting errors so performance will be improved. It is mainly used for examining the security problems and debugging protocol implementations. Easy to access and learn TCPIP protocols, MAC frame, IP datagram.

Dag cards are specialised network monitoring cards. Multi-threading allows the capturing and also speedup the application by reducing the response time. The captured data can be used in any way depends on the persons goal. Sniffers are designed to solve network problems but in same they are malicious. It is very hard to identify sniffer because of passiveness, alternatively there are some way to detect by ARP detection technique, RTT detection and some more like SNMP monitoring.

6. Literature Review:

7. Conclusion:

This report explains the operation of Wireshark – Network Analyser with clear demonstration. Initially report describes the overview and outstanding features of Wireshark like TCP Steam, Promiscous Mode, TethereaI, Plugins, Three-Pane, PDU, NIC and cross platform working etc. In mechanism illustrated the internal function blocks, Interfaces and Packages of Wireshark. Next in demonstration part capturing procedure steps, configuration options and filters are described with graphical representation. This report mainly focuses on how Wireshark grabs data packets from the network and why it is the best among all the sniffers. Lastly some of the limitations/weaknesses that are present in Wireshark.

The main objective of this assignment was to complete the Systems and Application Security module in ISS Masters and get idea of all the applications regarding to security stream. In particular, I would like to state that the assignment helped a lot to learn about all the options in Wireshark. Finally I thank Mr Neil for giving me this chance to explore my knowledge.