Wireshark: Basic Overview & MITM Applications

Introduction to Wireshark

Wireshark is a comprehensive network protocol analyzer designed primarily for network administrators. It provides detailed insights into network traffic, allowing professionals to:

Monitor network activity in real-time
Troubleshoot network issues
Analyze protocol behavior
Detect anomalies in network traffic

Important Ethical Consideration

Wireshark is not designed for hacking, spying, or unauthorized surveillance. It is a legitimate tool for network analysis and security assessment when used ethically and with proper authorization.

How Wireshark Works

Basic Wireshark Operation

Wireshark captures and analyzes packets flowing through a selected network interface on your computer.

Basic Operation Principles

Interface Selection: Choose which network interface to monitor (e.g., Wi-Fi adapter, Ethernet card)
Packet Capture: Wireshark logs all traffic flowing through the selected interface
Traffic Analysis: The captured packets can be analyzed in real-time or saved for later examination
Filtering & Searching: Apply filters to focus on specific protocols, IP addresses, or packet contents

Capture Limitations

By default, Wireshark can only capture traffic that passes through your own computer's interfaces. It cannot directly capture traffic from other devices on the network without special configurations or techniques.

Key Features of Wireshark

Protocol Analysis

Supports inspection of hundreds of protocols, with more being added regularly

Live Capture

Real-time packet capture and analysis from network interfaces

Deep Inspection

Detailed protocol dissection showing packet structure and contents

Powerful Filtering

Rich filtering language to isolate specific traffic patterns

Colorization Rules

Custom packet coloring for easier visual identification

VoIP Analysis

Capture and playback VoIP calls from supported protocols

Wireshark Interface Overview

The Wireshark GUI consists of several key components:

Component	Description
Packet List Pane	Shows summary of each captured packet including time, source, destination, protocol, and info
Packet Details Pane	Displays the protocols and protocol fields of the selected packet in a tree view
Packet Bytes Pane	Shows the raw data of the selected packet in hex and ASCII format
Display Filter Bar	Allows you to enter filter expressions to show only packets matching specific criteria
Status Bar	Shows capture file properties and statistics about displayed packets

Wireshark with Man-in-the-Middle (MITM) Attacks

Ethical Warning

The techniques described in this section should only be performed in controlled environments with proper authorization. Conducting MITM attacks against networks or users without permission is illegal in most jurisdictions and unethical.

Standard Network vs. MITM Attack

During a MITM attack, traffic is redirected through the attacker's machine where Wireshark can capture and analyze it.

Common MITM Techniques

To use Wireshark for capturing traffic from other devices, an attacker must first redirect that traffic through their own machine using techniques such as:

1. ARP Spoofing

ARP spoofing involves sending falsified ARP messages to associate the attacker's MAC address with the IP address of a legitimate network resource (like the default gateway).

# Example of ARP spoofing with bettercap
sudo bettercap -iface eth0 -caplet spoof.caplet

2. Creating Rogue Access Points

Setting up a fake Wi-Fi access point that victims connect to, allowing the attacker to capture all their traffic.

3. DNS Spoofing

Redirecting DNS queries to return malicious IP addresses that route through the attacker's machine.

Practical Examples

Example 1: Basic Packet Capture

Launch Wireshark (from terminal or applications menu in Kali Linux)
Select an interface (e.g., eth0 for wired connection, wlan0 for wireless)
Click the "Start capture" button (blue shark fin icon)
Generate some network traffic (e.g., browse to websites)
Observe the packets being captured in real-time
Apply filters to narrow down traffic (e.g., http to show only HTTP traffic)

Example 2: MITM Traffic Analysis with ARP Spoofing

Set up ARP spoofing to become the man-in-the-middle

# Using bettercap for ARP spoofing
sudo bettercap -iface eth0
> set arp.spoof.targets 192.168.1.5
> arp.spoof on

Launch Wireshark and capture on the same interface (eth0)
All traffic to/from the target (192.168.1.5) will now pass through your machine and be visible in Wireshark
Apply filters to focus on interesting traffic:
- http - Show HTTP traffic
- tcp.port == 80 - Show traffic on port 80
- host example.com - Show traffic to/from a specific domain

Analyzing Captured Packets

Once packets are captured, you can:

Follow TCP streams - Right-click a packet and select "Follow" > "TCP Stream" to view the entire conversation
Extract files - Use File > Export Objects to extract files transferred over protocols like HTTP
View statistics - Use Statistics menu to generate reports about captured traffic
Save captures - Save packet captures to files for later analysis using File > Save

Key Takeaways

Wireshark is a powerful network protocol analyzer designed for legitimate network analysis and troubleshooting
By default, it can only capture traffic flowing through interfaces on your own computer
When combined with MITM techniques like ARP spoofing, Wireshark can analyze traffic from other devices
Always use Wireshark ethically and with proper authorization
Mastering Wireshark's filtering capabilities is essential for effective traffic analysis

Ethical Reminder

The tools and techniques described in this document should only be used for:

Network administration and troubleshooting
Security research in controlled environments
Penetration testing with proper authorization
Educational purposes in appropriate lab environments

Unauthorized network monitoring may violate privacy laws and regulations.

What is Wireshark?