Wireshark: Sniffing & Analyzing Data

A comprehensive guide to packet capture and analysis for ethical hacking

Introduction to Packet Sniffing with Wireshark

Wireshark is a powerful network protocol analyzer that allows security professionals to capture and interactively browse the traffic running on a computer network. This tutorial explores how to sniff packets in real-time and analyze the captured data.

Note: For ethical hacking purposes, always ensure you have proper authorization before capturing network traffic. Unauthorized packet sniffing may violate privacy laws and regulations.

Getting Started with Wireshark Packet Capture

Prerequisites

Before starting packet capture, you need to be in the "man in the middle" position to effectively capture relevant traffic. This typically means being on the same network segment as your target or using techniques like ARP spoofing to route traffic through your machine.

1. Select Network Interface

Choose the network interface (e.g., eth0) that carries the traffic from your target machine.

2. Configure Capture Options

Set capture filters and output options to control what traffic is captured and where it's stored.

3. Begin Capture

Start the packet capture process and generate traffic on the target system for analysis.

Selecting the Correct Interface

Wireshark can capture traffic on multiple network interfaces simultaneously.

Configuring Capture Options

Output Settings

Wireshark allows you to save captured packets for later analysis.

Important: HTTPS traffic will appear encrypted unless you have successfully applied an SSL/TLS downgrading technique such as HSTS caplet manipulation. For educational purposes, focus on HTTP traffic, which is readable by default.

Understanding the Wireshark Interface

Once you've captured packets, you'll need to understand how to navigate the Wireshark interface:

File | Edit | View | Capture | Analyze | Statistics | Help | [Start] [Stop] [Restart]
No.  Time      Source          Destination     Protocol  Length  Info
1    0.000000  10.20.14.206    8.8.8.8         DNS       83      Standard query 0x1234 A google.ie
2    0.045892  8.8.8.8         10.20.14.206    DNS       99      Standard query response 0x1234 A 142.250.74.110
3    0.048733  10.20.14.206    142.250.74.110  TCP       74      52846 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
4    0.085923  142.250.74.110  10.20.14.206    TCP       74      80 → 52846 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
5    0.086012  10.20.14.206    142.250.74.110  TCP       66      52846 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
6    0.086453  10.20.14.206    142.250.74.110  HTTP      518     GET /search?q=zSecurity HTTP/1.1
7    0.134629  142.250.74.110  10.20.14.206    TCP       54      [TCP Previous segment not captured] [TCP Out-Of-Order]
Packets: 7  Displayed: 7  Marked: 0  Dropped: 0

Packet Color Coding

Wireshark uses colors to help you quickly identify different types of packets:

Green - TCP traffic
Dark Blue - DNS traffic
Light Blue - UDP traffic
Black - TCP errors/issues

Key Interface Components

Analyzing HTTP Traffic

When capturing HTTP traffic (especially after HTTPS downgrading), you can observe detailed information about web requests:

Example HTTP Traffic Analysis:

  1. DNS Query for "google.ie" sent from client
  2. DNS Response with IP address returned
  3. TCP 3-way handshake established (SYN, SYN-ACK, ACK)
  4. HTTP GET request for "/search?q=zSecurity"
  5. HTTP Response with search results
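Because HTTP is cleartext, the request line and Host header of packet 6 above can be read straight out of a saved capture file, which is exactly what the HTTPS case denies you. The following is an added example, not part of this guide: using only Python's standard library, it builds a minimal libpcap file image in memory (the format Wireshark writes when you save a capture as pcap) containing a constructed copy of that HTTP GET plus a TLS-looking segment to port 443, then parses the file to list every readable HTTP request. The frames, MAC addresses and the "demo" User-Agent are constructed; the pcap, Ethernet, IPv4 and TCP layouts are the real ones.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame; checksums are left zero (Wireshark would flag them).
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 64240, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    # libpcap file image: 24-byte global header (magic, v2.4, link type 1 = Ethernet) + one record per frame.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def iter_frames(pcap):
    # Walk the 16-byte per-packet record headers (ts_sec, ts_usec, incl_len, orig_len) and yield each frame.
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, offset)[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def extract_http_requests(pcap):
    # Return (src, dst, request line, Host header) for each TCP segment whose payload starts an HTTP request.
    found = []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # only IPv4 carrying TCP
            continue
        tcp_start = 14 + (frame[14] & 0x0F) * 4              # 14-byte Ethernet header + IHL
        payload = frame[tcp_start + (frame[tcp_start + 12] >> 4) * 4:]
        if payload.split(b" ", 1)[0] not in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
            continue   # e.g. a TLS record on port 443: opaque bytes, nothing readable here
        lines = payload.split(b"\r\n")
        host = next((l.split(b":", 1)[1].strip().decode() for l in lines
                     if l.lower().startswith(b"host:")), "")
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        found.append((src, dst, lines[0].decode(), host))
    return found

# Constructed sample capture: packet 6 from the list above, plus a TLS-looking segment to port 443.
SAMPLE_PCAP = build_pcap([
    build_frame("10.20.14.206", "142.250.74.110", 52846, 80,
                b"GET /search?q=zSecurity HTTP/1.1\r\nHost: google.ie\r\nUser-Agent: demo\r\n\r\n"),
    build_frame("10.20.14.206", "142.250.74.110", 52847, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    print(extract_http_requests(SAMPLE_PCAP))   # the HTTP GET is listed; the TLS segment is not
```

The same `extract_http_requests` works on a real pcap read with `open(path, "rb").read()`, as long as it was saved in the classic pcap format (not pcapng) on an Ethernet interface; it is a quick way to audit your own captures for cleartext requests that should have been HTTPS.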

Traffic Pattern Visualization

Key Takeaways