Trawl for Packets with Wireshark

By Paul Rubens | Feb 28, 2008
http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3731111_2/Trawl-for-Packets-with-Wireshark.htm

If you want to keep your network secure then you need to know what traffic is passing through it. To do that you'll be hard pressed to find a better tool than the excellent open source network protocol analyzer called Wireshark (previously known as Ethereal).

Wireshark runs on many platforms including Windows, OS X, Linux and Solaris, and once up and running on a machine attached to your network it presents a live window on much of the traffic flowing over it.

To get started, click on "Capture – Interfaces …" to select the network interface you want to use to monitor traffic, and then "Options" to set up the interface for traffic monitoring. The most important option to check is "Capture packets in promiscuous mode", which sets up your network interface (if possible) to capture and sniff all packets that reach it on the network segment, rather than just those addressed to your own NIC. Bear in mind that promiscuous mode only helps with packets that actually arrive at the interface; what arrives depends on where the machine sits in the network, as discussed at the end of this article.

Let's imagine you want to check whether anyone is using the MSN instant messaging network in breach of your corporate security policy. MSN typically uses TCP port 1863, so in the "Capture Filter:" box type "port 1863" to capture only packets using that port, and click "Start" to run the capture. (Capture filters use the libpcap/BPF syntax, which is different from the display filter syntax used in the next step.) If anyone is using the MSN network, then pretty soon the top part of the Wireshark window will begin to fill with details about each packet using port 1863 that passed by. The middle section of Wireshark gives more detailed information about the individual packet, while the bottom part shows the content of the highlighted packet in hex. More on that later.

To narrow this display down to show only the packets using the MSN Messenger Service (MSNMS) protocol, type

msnms

into the Filter: box and press "Apply". A display filter consisting of just a protocol name matches every packet in which that protocol was dissected, so no field name or comparison is needed; note that these names are lower-case and case-sensitive. Now the list of packets displayed will be considerably shorter. (Notice that as you type this filter in, the box turns red, indicating that your filter syntax is incorrect or incomplete. Once you have completed the filter text, the box turns green, to tell you that you have entered a correctly formatted filter.)

By looking at the source IP addresses in the top part of the window it should be very easy to identify which machines on your local network are the ones using MSN. In this case 192.168.1.150 is the guilty party.

Sniffing for POP Traffic

For a graphical illustration of why you should educate your users about the dangers of using laptops in public places (and why you should use secure authentication and transmission for e-mail), start a new capture session without the port 1863 capture filter (or with the capture filter "port 110"), but this time enter

pop

in the Filter: box to make your capture window display only POP traffic.

As you can see in the illustration, anyone checking a standard POP account immediately reveals the IP address of their POP server, their POP user name (in this case USER ethereal) and their e-mail password (in this case PASS Wireshark), because POP3 sends these in cleartext unless the session is wrapped in TLS (POP3S on port 995, or STARTTLS via the STLS command on port 110). In the illustration the username/password combination is deliberately wrong (to protect my own account), but any correct pair found this way immediately compromises that individual's e-mail security, and potentially the whole corporation's. There's a further risk here: since many users choose the same password for all sorts of applications, the breach is likely to be far more serious than just an e-mail security breach.

You can experiment with many different protocol filters: for example, the display filter "dns" will show you which host names your users are resolving, and hence roughly which web sites they are visiting. Click the "Expression…" button next to the "Filter:" box for a list of the available protocols and fields.
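To make the POP example concrete, here is an added Python example (not code from the article) that writes a small pcap file containing a constructed POP3 login between two made-up hosts, then scans that capture for USER/PASS commands the way someone sniffing the wire would. The MAC addresses, IP addresses (the 192.168.1.150 client address from the text is reused; 203.0.113.7 is an assumed server address), port numbers above 110 and the credentials are all constructed; the TCP checksum is left at zero, which Wireshark tolerates because it does not validate TCP checksums by default. Open the written pop_sample.pcap in Wireshark and apply the display filter pop to see the same packets.

```python
"""Added example, not from the article: build a pcap holding a constructed POP3
login and scan it for cleartext credentials. All addresses and the USER/PASS
values are made up; nothing was captured from a real network."""
import struct

LINKTYPE_ETHERNET = 1
POP3_PORT = 110


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK) frame carrying payload.
    The TCP checksum is left at 0; Wireshark does not validate it by default."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def pcap_bytes(frames):
    """Serialise frames in classic libpcap format (24-byte global header, 16-byte record headers)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1204156800 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap_frames(data: bytes):
    """Yield each captured frame from pcap bytes written by pcap_bytes()."""
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame: bytes):
    """Return (src_ip, dst_ip, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    return src_ip, dst_ip, dport, frame[tcp + data_off:14 + total_len]


def find_pop_credentials(data: bytes):
    """Scan client->server POP3 traffic for USER/PASS pairs.
    Returns [(client_ip, server_ip, user, password)] once both halves were seen."""
    partial, found = {}, []
    for frame in iter_pcap_frames(data):
        fields = tcp_fields(frame)
        if fields is None or fields[2] != POP3_PORT:
            continue
        src, dst, _, payload = fields
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                partial[(src, dst)] = arg
            elif cmd.upper() == "PASS" and (src, dst) in partial:
                found.append((src, dst, partial.pop((src, dst)), arg))
    return found


def sample_pcap_bytes() -> bytes:
    """Constructed POP3 login between two made-up hosts (nothing here was captured)."""
    client_mac, server_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    client_ip, server_ip = bytes([192, 168, 1, 150]), bytes([203, 0, 113, 7])

    def c2s(seq, text):
        return build_tcp_frame(client_mac, server_mac, client_ip, server_ip, 49152, POP3_PORT, seq, text)

    def s2c(seq, text):
        return build_tcp_frame(server_mac, client_mac, server_ip, client_ip, POP3_PORT, 49152, seq, text)

    return pcap_bytes([
        s2c(1, b"+OK POP3 server ready\r\n"),
        c2s(1, b"USER ethereal\r\n"),
        s2c(24, b"+OK\r\n"),
        c2s(16, b"PASS Wireshark\r\n"),
        s2c(29, b"-ERR authentication failed\r\n"),
    ])


if __name__ == "__main__":
    with open("pop_sample.pcap", "wb") as fh:
        fh.write(sample_pcap_bytes())  # open in Wireshark, display filter: pop
    for client, server, user, password in find_pop_credentials(sample_pcap_bytes()):
        print(f"{client} -> {server}: USER {user} PASS {password}")
```

The scanner only looks at packets whose destination port is 110, so server replies are ignored and a PASS without a preceding USER in the same client/server pair is not reported; the same logic, pointed at a real capture, is what makes cleartext POP3 so easy to harvest.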

Dissecting ARP

I mentioned earlier that the bottom part of Wireshark shows a hexdump of any highlighted packet that the analyzer sniffs. This offers some interesting possibilities, especially for hackers. For example, let's imagine that a hacker sniffs an ARP reply, using the display filter:

arp

to find one easily.

If you look at figure 4, an ARP response has been highlighted in the top pane. In the middle pane, the additional information includes the sender MAC and IP address, and the target MAC and IP address. The bottom pane shows the actual ARP response packet as a hexdump – if you look you can identify the parts of the packet that contain these MAC and IP addresses.

By copying this hex data into a hex editor, a hacker could change the portion of the packet containing the sender MAC address to a different MAC address, his own for example. This modified ARP reply, if sent on to the network, would tell the recipient machine that henceforth any packets destined for the sender IP address (in this case 192.168.1.10) should be sent to the hacker's MAC address. In other words, a very basic man-in-the-middle attack would have been set up by capturing an ARP packet in Wireshark, saving it as a file, editing it manually in a hex editor, and finally sending the edited bytes on to the network as a raw Ethernet frame using an application such as the Linux utility file2cable. Note that this poisons only one direction: to actually sit in the middle, rather than simply cut the victim off from 192.168.1.10, the attacker must also poison the real owner of that address, forward packets between the two hosts, and keep re-sending the forged replies because ARP cache entries expire. (In fact, a hacker would be more likely to use a specialist tool such as Ettercap or Cain, which automate all of this, but the exercise illustrates how much Wireshark shows you about a packet.) Defensively, static ARP entries for critical hosts, or Dynamic ARP Inspection on managed switches, block forged replies of this kind.
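The following is an added Python example, not code from the article, that does in a few lines what the text describes doing by hand: it builds a constructed ARP reply, dissects it into the fields the middle pane shows, prints the hexdump the bottom pane shows, and then overwrites the sender MAC (and the Ethernet source MAC) at their byte offsets in the frame. The MAC addresses are made up; the IP addresses reuse 192.168.1.10 and 192.168.1.150 from the text. The code only manipulates bytes in memory and transmits nothing.

```python
"""Added example, not from the article: dissect a constructed ARP reply and apply
the sender-MAC rewrite described in the text. Addresses are made up; nothing is
sent on a network."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
# Byte offsets you would locate in the hexdump pane: Ethernet source MAC, ARP sender MAC.
ETH_SRC_OFFSET = 6
SENDER_MAC_OFFSET = ETH_HDR.size + 8


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply that says 'sender_ip is-at sender_mac'."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)
    return ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP) + arp


def dissect_arp(frame: bytes):
    """Decode the fields the middle pane shows; None if the frame is not ARP."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, opcode, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def hexdump(data: bytes, width: int = 16) -> str:
    """The bottom pane: offset plus hex bytes, one row per `width` bytes."""
    return "\n".join(f"{off:04x}  {data[off:off + width].hex(' ')}"
                     for off in range(0, len(data), width))


def poison(frame: bytes, attacker_mac: bytes) -> bytes:
    """The hex edit from the text: overwrite the ARP sender MAC, and the Ethernet
    source MAC so the frame looks like it left the attacker's NIC. Returns a new
    byte string; the captured frame is left untouched."""
    buf = bytearray(frame)
    buf[SENDER_MAC_OFFSET:SENDER_MAC_OFFSET + 6] = attacker_mac
    buf[ETH_SRC_OFFSET:ETH_SRC_OFFSET + 6] = attacker_mac
    return bytes(buf)


if __name__ == "__main__":
    # Made-up addresses: the host at 192.168.1.10 answers the victim at 192.168.1.150.
    gateway_mac = bytes.fromhex("001a2b3c4d5e")
    victim_mac = bytes.fromhex("00aabbccddee")
    attacker_mac = bytes.fromhex("deadbeef0001")
    reply = build_arp_reply(gateway_mac, bytes([192, 168, 1, 10]),
                            victim_mac, bytes([192, 168, 1, 150]))
    forged = poison(reply, attacker_mac)
    for label, frame in (("captured", reply), ("forged", forged)):
        d = dissect_arp(frame)
        print(f"{label}: {d['sender_ip']} is-at {d['sender_mac']} -> {d['target_ip']}")
        print(hexdump(frame))
```

Comparing the two hexdumps shows that only bytes 6 to 11 and 22 to 27 change, which is exactly the edit a hex editor would make; the dissection of the forged frame still reads "192.168.1.10 is-at" but now names the attacker's MAC, which is what the victim's ARP cache would record.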

There's far, far more that Wireshark can do than what's just been described, but this article should give you an idea of the basics.

When You Don't Get What You Expected

Before finishing it’s worth mentioning a common problem with Wireshark – failing to capture the packets you'd expect. Assuming the software is installed correctly, there are a couple of things to watch out for.

The first is simply that the network interface you have chosen cannot be placed in promiscuous mode, and is therefore only capturing packets travelling to and from the host running Wireshark. (Wireless interfaces are a common case: seeing other stations' traffic on Wi-Fi requires monitor mode, which not every driver supports.)

The other reason is to do with switched networks, and hubs that behave as switches. Since switches only forward packets to the port leading to the destination machine, if you plug your monitoring machine into an ordinary port then most unicast packets between other hosts won't reach your network interface card at all. (Many managed switches can be configured with a mirror or SPAN port that replicates traffic from other ports; plugging your monitoring machine into such a port does let you see all traffic through that switch.) And some devices sold as hubs (which should repeat traffic to all ports) are actually switched, so again you'll miss out on some traffic.

But if you take time to understand your network topology and your hardware, you should be able to work out the best place (or places) to connect Wireshark to the network to capture all the packets you are interested in. If all else fails, connecting it at the Internet gateway (assuming there is only one) will ensure that you capture all traffic to and from your network even if you miss some internal traffic.

Many people describe using Wireshark as a revelation – the difference between getting a feel for their network and turning on the lights and looking at it. If you want to get a clear view of what is traveling over yours, you'd be well advised to take it for a spin.