Trawl for Packets with Wireshark

Understanding what's flowing over your network is key to securing it. Wireshark provides you with the tools you need to see what's going on, and how it might be compromising your network's security.

By Paul Rubens | Posted Feb 28, 2008
Page 1 of 2

If you want to keep your network secure then you need to know what traffic is passing through it. To do that you'll be hard pressed to find a better tool than the excellent open source network protocol analyzer called Wireshark (previously known as Ethereal).

Wireshark runs on many platforms including Windows, OS X, Linux and Solaris, and once up and running on a machine attached to your network it presents a live window on much of the traffic flowing over it.

To get started, click on "Capture – Interfaces …" to select the network interface you want to use to monitor traffic, and then "Options" to set up the interface for traffic monitoring. The most important option to check is "Capture packets in promiscuous mode", which sets up your network interface (if the driver allows it) to capture every packet that reaches it, rather than just those addressed to your own NIC. Bear in mind that on a switched network a promiscuous interface still only sees broadcast traffic and traffic to or from its own switch port; to see the whole segment you need a hub, a mirror (SPAN) port on the switch, or a network tap.

Let's imagine you want to check your network to detect whether anyone is using the MSN instant messaging network in breach of your corporate security policy. MSN Messenger typically uses TCP port 1863, so in the "Capture Filter:" box type port 1863 (capture filters use the same BPF syntax as tcpdump) to capture only packets using that port, and click "Start" to run the capture. If anyone is using the MSN network, then pretty soon the top part of the Wireshark window will begin to fill with details of each packet on port 1863 that passed by. The middle section of Wireshark gives the decoded fields of the selected packet, while the bottom part shows the raw content of the selected packet in hex. More of that later.

To narrow this display down to show only the packets using the MSN Messenger Service (MSNMS) protocol, type

msnms

into the "Filter:" box and press "Apply". (This is a display filter, which uses Wireshark's own syntax rather than the BPF syntax of a capture filter: a bare protocol name such as msnms keeps only packets that Wireshark has dissected as that protocol, and an expression such as tcp.port == 1863 filters on a field. Display filters only hide packets from view; the capture itself is unaffected.) Now the list of packets displayed will be considerably shorter. Notice that as you type a filter in, the box turns red while the expression is incomplete or invalid, and green once it is a correctly formed filter.

By looking at the source IP addresses in the top part of the Window it should be very easy to identify which machines on your local network are the ones using MSN. In this case 192.168.1.150 is the guilty party.

Sniffing for POP Traffic

For a graphical illustration of why you should educate your users about the dangers of using laptops in public places (and why you should use secure authentication and transmission for e-mail), start a new capture session without the port 1863 capture filter (or with the capture filter port 110, the port used by cleartext POP3), and this time enter

pop

in the "Filter:" box so that the capture window displays only POP traffic.

As you can see in the illustration, anyone checking a standard (unencrypted) POP3 account immediately reveals the IP address of their POP server, their POP user name (in this case USER ethereal) and their e-mail password (in this case PASS Wireshark), because the POP3 USER and PASS commands are sent as plain text. In the illustration the username/password combination is incorrect (to protect my security), but any correct pair captured this way immediately compromises that individual's (and potentially the whole corporation's) e-mail security. The only real protection is to stop the credentials crossing the wire in the clear: POP3 over TLS (port 995) or STARTTLS encrypts the whole session, so Wireshark then shows nothing but TLS records. There's a further risk: since many users choose the same password for all sorts of applications, the breach is possibly far more serious than just an e-mail security breach.
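The two things the article has you do by hand in Wireshark, filtering on a port and reading off the source addresses (the MSN check above) and then pulling USER and PASS out of the POP traffic (this section), can be reproduced in a few dozen lines of Python. What follows is an added example written for this page, not code from the article or from the Wireshark project: it dissects raw Ethernet/IPv4/TCP frames, applies the equivalent of a port capture filter, lists the hosts talking to TCP port 1863, and pairs the POP3 USER and PASS commands per client/server flow. The frames, addresses and credentials are constructed sample data (the ethereal/Wireshark pair from the illustration is reused), and the function names are this example's own.

```python
"""Added example: a minimal Ethernet/IPv4/TCP dissector plus the port filter and
POP3 credential extraction that Wireshark performs for you.  Every frame below is
constructed sample data, not a real capture."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
MSN_PORT = 1863   # MSN Messenger (MSNP) control connection
POP3_PORT = 110   # cleartext POP3


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a raw Ethernet/IPv4/TCP frame as sample input (checksums left zero)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> Optional[Packet]:
    """Parse one frame; return None for anything that is not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes (options allowed)
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != PROTO_TCP or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]             # honour the IP total length, drop Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIB", tcp[:13])
    data_off = (off_flags >> 4) * 4     # TCP header length in bytes
    if data_off < 20 or data_off > len(tcp):
        return None
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, tcp[data_off:])


def parse_frames(frames: List[bytes]) -> List[Packet]:
    return [p for p in map(dissect, frames) if p is not None]


def port_filter(packets: List[Packet], port: int) -> List[Packet]:
    """Equivalent of the capture filter 'port N': either end of the connection matches."""
    return [p for p in packets if port in (p.src_port, p.dst_port)]


def hosts_using_port(packets: List[Packet], port: int) -> List[str]:
    """Source addresses that sent traffic to the given port (the MSN check)."""
    return sorted({p.src_ip for p in packets if p.dst_port == port})


def extract_pop_credentials(packets: List[Packet]) -> List[Tuple[str, str, str, str]]:
    """Pair USER and PASS commands per client/server flow, as read off the POP3 packets."""
    pending = {}   # (client_ip, server_ip) -> username seen, waiting for PASS
    found = []
    for p in port_filter(packets, POP3_PORT):
        if p.dst_port != POP3_PORT:
            continue   # only client-to-server traffic carries the commands
        key = (p.src_ip, p.dst_ip)
        for line in p.payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                pending[key] = arg.decode("ascii", "replace")
            elif cmd.upper() == b"PASS" and key in pending:
                found.append((p.src_ip, p.dst_ip, pending.pop(key), arg.decode("ascii", "replace")))
    return found


# Constructed sample traffic (private and documentation addresses only).
SAMPLE_FRAMES = [
    build_frame("192.168.1.150", "203.0.113.5", 49152, MSN_PORT, b"VER 1 MSNP15 CVR0\r\n"),
    build_frame("192.168.1.23", "192.168.1.5", 49200, POP3_PORT, b"USER ethereal\r\n"),
    build_frame("192.168.1.5", "192.168.1.23", POP3_PORT, 49200, b"+OK\r\n"),
    build_frame("192.168.1.23", "192.168.1.5", 49200, POP3_PORT, b"PASS Wireshark\r\n"),
    build_frame("192.168.1.23", "192.168.1.7", 49201, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS: opaque
]

if __name__ == "__main__":
    pkts = parse_frames(SAMPLE_FRAMES)
    print("hosts using MSN:", hosts_using_port(pkts, MSN_PORT))
    for client, server, user, password in extract_pop_credentials(pkts):
        print(f"POP3 login {user}/{password} from {client} to {server}")
```

The last sample frame is a TLS record on port 443: the dissector still parses its headers, but the payload is opaque to the credential extractor, which is exactly the difference between cleartext POP3 and POP3 over TLS as seen from the wire.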

You can experiment with many different protocol filters. For example, the display filter dns shows the host names your users are resolving, which gives you a good idea of which Web servers they are visiting, and http restricts the view to unencrypted Web requests. Click the "Expression…" button next to the "Filter:" box for a list of the available protocols and fields.
