Trawl for Packets with Wireshark

If you want to keep your network secure then you need to know what traffic is passing through
it. To do that you’ll be hard pressed to find a better tool than the excellent open source
network protocol analyzer called Wireshark (previously known as Ethereal).

Wireshark runs on many platforms including Windows, OS X, Linux and Solaris, and once up and
running on a machine attached to your network it presents a live window on much of the traffic
flowing over it.

To get started, click on “Capture – Interfaces …” to select the network interface
you want to use to monitor traffic, and then “Options” to set up the interface for traffic
monitoring. The most important option to check is “Capture packets in promiscuous mode” which
sets up your network interface (if possible) to capture and sniff all packets on the network
segment, rather than just those relating to your own NIC.

Let’s imagine you want to check out your network to detect if anyone is using the MSN instant
messaging network in breach of your corporate security policy. MSN typically uses port 1863, so
in the “Capture Filter: ” box, type “port 1863” to capture only packets using that port, and
click “Start” to run the capture. If anyone is using the MSN network, then pretty soon the top
part of the Wireshark window will begin to fill with details about each packet using port 1863
that passed by. The middle section of Wireshark gives more detailed information about the
individual packet, while the bottom part shows the content of each highlighted packet in hex.
More of that later.

To narrow this display down to show only the packets using the MSN Messenger Service (MSNMS)
protocol, type

msnms

into the Filter: box and press “Apply”. Now the list of packets displayed will be
considerably shorter. (Notice that as you type this filter in, the box turns red, indicating
that your filter syntax is incorrect or incomplete. Once you have completed the filter text, the
box will turn green, to tell you that you have entered a correctly formatted filter.)

By looking at the source IP addresses in the top part of the window it
should be very easy to identify which machines on your local network are the ones using MSN. In
this case 192.168.1.150 is the guilty party.

Sniffing for POP Traffic

For a graphical illustration of why you should educate your users about the dangers of using
laptops in public places (and why you should use secure authentication and transmission for
e-mails) start a new capture session, but this time enter

pop

in the Filter: box to make your capture window display only POP traffic.

As you can see in the illustration, anyone checking a standard POP account will immediately
reveal the IP address of their POP server, their POP user name (in this case USER ethereal) and
their e-mail password (in this case PASS Wireshark). In the illustration, the username/password
combo is incorrect (to protect my security), but any correct pairs found immediately compromise
that individual’s (and potentially the whole corporation’s) e-mail security. There’s a further
security risk here: since many users will choose the same password for all sorts of
applications, the security breach is possibly far more serious than just an e-mail security
breach.
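The check a defender would want to automate here is exactly the one the illustration makes by eye: did a POP3 login cross the wire in clear text, or was the session protected first? The following Python script is an added example, not part of the original article or of Wireshark. It walks a reassembled POP3 stream (constructed inline as direction/payload records; the USER ethereal / PASS Wireshark pair mirrors the illustration), recognises USER/PASS, APOP and STLS, and reports the exposure without ever echoing the password itself.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One reassembled POP3 TCP stream as (direction, payload) records:
# "c2s" is the mail client talking to the server, "s2c" the server's replies.
Record = Tuple[str, bytes]


@dataclass
class PopFinding:
    user: Optional[str] = None        # account name sent with USER or APOP
    password_seen: bool = False       # a PASS command crossed the wire in clear text
    password_length: int = 0          # recorded instead of the secret itself
    stls_negotiated: bool = False     # client upgraded to TLS before logging in
    apop_used: bool = False           # APOP sends an MD5 digest, not the raw password


_USER = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE)
_PASS = re.compile(rb"^PASS\s+(.+?)\s*$", re.IGNORECASE)
_APOP = re.compile(rb"^APOP\s+(\S+)\s+[0-9a-f]{32}", re.IGNORECASE)


def analyze_pop_stream(records: Iterable[Record]) -> PopFinding:
    """Walk one POP3 conversation and note whether credentials were exposed."""
    finding = PopFinding()
    awaiting_stls_ok = False
    for direction, payload in records:
        for line in payload.split(b"\r\n"):
            if not line:
                continue
            if direction == "s2c":
                if awaiting_stls_ok and line.startswith(b"+OK"):
                    finding.stls_negotiated = True
                    return finding  # the rest of the stream is TLS; nothing to read
                awaiting_stls_ok = False
                continue
            if line.upper().startswith(b"STLS"):
                awaiting_stls_ok = True
                continue
            m = _USER.match(line)
            if m:
                finding.user = m.group(1).decode("ascii", "replace")
                continue
            m = _APOP.match(line)
            if m:
                finding.user = m.group(1).decode("ascii", "replace")
                finding.apop_used = True
                continue
            m = _PASS.match(line)
            if m:
                finding.password_seen = True
                finding.password_length = len(m.group(1))
    return finding


def report(finding: PopFinding) -> str:
    """Human-readable one-liner that never echoes the password."""
    if finding.stls_negotiated:
        return "POP3 session upgraded to TLS before authentication; credentials not visible"
    if finding.apop_used:
        return f"POP3 APOP login for user {finding.user!r}; raw password not on the wire"
    if finding.password_seen:
        return (f"CLEARTEXT POP3 credentials: user {finding.user!r}, "
                f"password of {finding.password_length} characters")
    return "no POP3 authentication observed"


# Constructed sample sessions (not real captures). The first mirrors the
# article's USER ethereal / PASS Wireshark exchange; the second uses STLS.
CLEARTEXT_SESSION: List[Record] = [
    ("s2c", b"+OK POP3 server ready\r\n"),
    ("c2s", b"USER ethereal\r\n"),
    ("s2c", b"+OK\r\n"),
    ("c2s", b"PASS Wireshark\r\n"),
    ("s2c", b"-ERR invalid password\r\n"),
]
STLS_SESSION: List[Record] = [
    ("s2c", b"+OK POP3 server ready\r\n"),
    ("c2s", b"STLS\r\n"),
    ("s2c", b"+OK Begin TLS negotiation\r\n"),
    ("c2s", b"\x16\x03\x01"),  # start of a TLS record; opaque from here on
]

if __name__ == "__main__":
    print(report(analyze_pop_stream(CLEARTEXT_SESSION)))
    print(report(analyze_pop_stream(STLS_SESSION)))
```

In Wireshark you would reach the same stream with "Follow TCP Stream" on any packet matched by the pop filter; the script is what you would run over many such streams to find the accounts that need a password change and a move to POP over TLS.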

You can experiment with many different protocol filters – for example dns
will give you an insight into the Web servers your users are visiting. Click the
“Expression…” button next to the “Filter:” box for a list of options.

Dissecting ARP

I mentioned earlier that the bottom part of Wireshark shows a hexdump of any given highlighted
packet that the analyzer sniffs. This offers some interesting possibilities, especially for
hackers. For example, let’s imagine that a hacker sniffs an ARP response, using the filter:

arp

to find one easily.

If you look at figure 4, an ARP response has been highlighted in the top pane. In the middle
pane, the additional information includes the sender MAC and IP address, and the target MAC and IP
address. The bottom pane shows the actual ARP response packet as a hexdump – if you look
you can identify the parts of the packet that contain these MAC and IP addresses.

By copying this hex data into a hex editor, a hacker could change the portion of the packet
containing the sender MAC address to a different MAC address – his own for example. This
modified ARP packet, if sent on to the network, would tell the recipient machine that henceforth
any packets destined for the source IP address (in this case 192.168.1.10) should be sent to the
hacker’s MAC address. In other words, a very basic man-in-the-middle attack would have been
performed by capturing an ARP packet in Wireshark, opening it as a file and editing it manually
in a hex editor, and finally sending the edited file as a raw Ethernet frame on to the network
using an application such as the Linux utility file2cable. (In fact, a hacker would be more
likely to use a more specialist tool such as Ettercap or Cain to do an ARP poisoning exploit
like this, but this does illustrate the power of Wireshark.)
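The defensive counterpart to reading an ARP reply off the hexdump pane is knowing where each field sits and noticing when an IP address suddenly starts being announced by a different MAC. The Python below is an added example, not code from the article or from Wireshark. It maps the byte offsets of an Ethernet II + ARP frame (labelled with Wireshark’s own field names such as arp.src.hw_mac, so you can match them to the middle pane), parses the frame, and keeps a table of IP-to-MAC bindings seen in replies, raising an alert when a binding changes. Both sample frames are constructed inline; the second simply announces 192.168.1.10 from a different MAC so the watcher has something to flag.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Byte layout of an Ethernet II frame carrying ARP for IPv4: (wireshark field, offset, length).
# These are the byte ranges you would locate in the hexdump pane.
ARP_LAYOUT: List[Tuple[str, int, int]] = [
    ("eth.dst", 0, 6), ("eth.src", 6, 6), ("eth.type", 12, 2),
    ("arp.hw.type", 14, 2), ("arp.proto.type", 16, 2),
    ("arp.hw.size", 18, 1), ("arp.proto.size", 19, 1), ("arp.opcode", 20, 2),
    ("arp.src.hw_mac", 22, 6), ("arp.src.proto_ipv4", 28, 4),
    ("arp.dst.hw_mac", 32, 6), ("arp.dst.proto_ipv4", 38, 4),
]


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def hexdump_fields(frame: bytes) -> List[Tuple[str, int, str]]:
    """Slice the frame into named fields with their hex bytes, as read from the hexdump."""
    return [(name, off, frame[off:off + ln].hex()) for name, off, ln in ARP_LAYOUT]


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II + ARP frame; return None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(oper, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]),
                     fmt_mac(frame[32:38]), fmt_ip(frame[38:42]))


class ArpWatcher:
    """Remember which MAC first answered for each IP and alert when a reply disagrees."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        if pkt.opcode != ARP_REPLY:
            return None
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
            return None
        if known != pkt.sender_mac:
            alert = (f"ARP binding change: {pkt.sender_ip} was {known}, "
                     f"now announced by {pkt.sender_mac}")
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample frames (not captured from a real network). Reply from
# 192.168.1.10 at aa:bb:cc:dd:ee:01 to 192.168.1.150 at 00:11:22:33:44:55.
GENUINE_REPLY = bytes.fromhex(
    "001122334455" "aabbccddee01" "0806"
    "0001" "0800" "06" "04" "0002"
    "aabbccddee01" "c0a8010a"
    "001122334455" "c0a80196"
)
# Same IP, but announced by a different hardware address.
CONFLICTING_REPLY = bytes.fromhex(
    "001122334455" "aabbccddee99" "0806"
    "0001" "0800" "06" "04" "0002"
    "aabbccddee99" "c0a8010a"
    "001122334455" "c0a80196"
)


def run_sample() -> List[str]:
    """Feed the sample frames to a watcher and return the alerts it raised."""
    watcher = ArpWatcher()
    for frame in (GENUINE_REPLY, GENUINE_REPLY, CONFLICTING_REPLY):
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            watcher.observe(pkt)
    return watcher.alerts


if __name__ == "__main__":
    for name, off, hx in hexdump_fields(GENUINE_REPLY):
        print(f"{off:2d}  {name:20s} {hx}")
    for alert in run_sample():
        print(alert)
```

The same binding-change rule is what Wireshark’s own ARP dissector applies when it marks a packet as a “duplicate IP address detected” warning; running it yourself over a longer capture lets you correlate the alert with the switch port or host that produced the conflicting reply.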

There’s far, far more that Wireshark can do than what’s just been described, but this article
should give you an idea of the basics.

When You Don’t Get What You Expected

Before finishing it’s worth mentioning a common problem with Wireshark – failing to capture
the packets you’d expect. Assuming the software is installed correctly, there are a couple of
things to watch out for.

The first is simply that the network interface you have chosen is not capable of being placed
in promiscuous mode, and is therefore capturing only packets traveling to and from the host
running Wireshark.

The other reason is to do with switched networks, and hubs that behave as switches. Since
switches only send packets to ports leading to the destination machine, if you plug your
monitoring machine into certain ports then some packets won’t reach your network interface card
at all. (Some switches have a special port which replicates traffic to all other ports –
plugging your monitoring machine into this port does enable you to see all traffic through that
switch.) And some hubs (which should send traffic to all ports) are actually switched, so again
you’ll miss out on some traffic.

But if you take time to understand your network topology and your hardware, you should be
able to work out the best place (or places) to connect Wireshark to the network to capture all
the packets you are interested in. If all else fails, connecting it at the Internet gateway
(assuming there is only one) will ensure that you capture all traffic to and from your network
even if you miss some internal traffic.

Many people describe using Wireshark as a revelation – the difference between getting a
feel for their network and turning on the lights and looking at it. If you want to get a clear
view of what is traveling over yours, you’d be well advised to take it for a spin.
