Tuesday, March 27, 2012

Wireshark: An Ethereal Experience

On a scale of one to ten, where one is dental surgery and ten is winning a $100 million Powerball lottery, network protocol analysis falls somewhere in the range of three or four. It isn't exactly painful, but it certainly doesn't set off any fireworks, or thoughts of fireworks, in your soul. Wireshark, however, makes network packet sniffing and analysis easy and almost fun.
Wireshark is a network protocol analyzer: it captures live network traffic, decodes it protocol by protocol and lets you study the result either on the fly or later from a saved capture file. Sometimes referred to as packet sniffing, packet analysis helps you understand what's going on network-wise so that you can assess and mitigate problems with bandwidth, security, malicious activity and normal network usage.

Wireshark is free software licensed under the GPL.
The Basics
To install Wireshark and its dependencies on Debian-based systems, enter the standard apt-get command.
$ sudo apt-get install wireshark
For rpm-based systems, enter the equivalent yum command.
$ sudo yum install wireshark
On some systems, you might be surprised when you look for Wireshark under Applications -> Internet and don't find it, nor does entering wireshark & in a terminal window start it. These systems install only the non-GUI tools such as tshark, editcap and rawshark, packaged as the wireshark-common components. To get the familiar Wireshark GUI, add your distribution's GUI package (wireshark-gnome or wireshark-gtk+, for example) to your install command.

If you're not satisfied with pre-built binaries, download the source code from the Wireshark Download page and compile it in the usual way. A source build has a few dependencies, but the configure script tells you which one is missing each time it stops.

Using Wireshark
Once installed, you'll want to jump right in and start sniffing away at your network traffic. You might run into a roadblock or two if you "jump this shark" too quickly. For one, capturing needs privileges: only root, or a process with the right capabilities, can put a network interface into promiscuous mode. Running the whole Wireshark GUI as root is the quick answer but a poor one, since its protocol dissectors parse untrusted traffic and have a long record of crash bugs. The safer arrangement, and the one the Wireshark project itself recommends, is to give only the small dumpcap capture helper elevated privileges and run the GUI as an ordinary user: on Debian-based systems, run sudo dpkg-reconfigure wireshark-common, answer yes to letting non-superusers capture, and add your account to the wireshark group; elsewhere, setcap cap_net_raw,cap_net_admin=eip on the dumpcap binary does the same job. Second, you must perform a bit of configuration prior to gathering your data. Let's look at a simple session.

Open Wireshark by locating its icon under Applications->Internet (GNOME). As Figure 1 shows, Wireshark is a typical-looking GUI application.

Figure 1: Getting Started with Wireshark Capture Options
To configure a capture, click Capture from the menu and then select Options to launch the Capture Options entry screen. See Figure 2.

Figure 2: Configuring Wireshark for a Capture Session

Select the network interface that you want to use for packet capture (eth0, for example), the Link-layer header type (Ethernet), promiscuous mode, a capture filter, a capture file, display options and name resolution options. There’s a lot of information on this screen, so let’s take a minute to examine the options.

If you don't select promiscuous mode, your capture will only see packets addressed to your system, plus broadcast and multicast, and you'll miss the bulk of the traffic passing by. Promiscuous mode is the default behavior for wire sniffing. One caveat: on a switched network the switch only forwards your port the frames destined for it anyway, so promiscuous mode alone shows you little more than your own and broadcast traffic; to watch other hosts' conversations you need a mirror (SPAN) port on the switch, a network tap, or a capture taken on the host of interest. Specify a file to collect your captured data for offline viewing and analysis. The display options are a matter of personal preference and you'll have to find which suit you. The name resolution options, when checked, instruct Wireshark to resolve MAC addresses to vendor names from its built-in OUI table and IP addresses to host names via reverse DNS. Name resolution makes reading captures easier for those not accustomed to hex codes and dotted-decimal IP numbers, but be aware that network name resolution sends a reverse DNS query from your analysis machine for every address in the capture: it slows large captures down and, if the capture is of an attacker's traffic, it is a burst of lookups you may prefer not to make.

Begin your capture by clicking the Start button at the bottom of the Capture Options page. Future captures will use these settings until you return to this page and make changes. Refer to Figure 3 for a sample capture in progress.

Figure 3: Capturing Packets in Wireshark
Stop the packet capture by clicking the Stop Capture toolbar icon or select Capture -> Stop from the menu. This halts the capture and saves the data to the file specified on the Capture Options page. The file is in the binary libpcap format, so you can't read it as is in a word processor or text editor, nor at the command line with cat, more or less; tcpdump, tshark and any other libpcap-based tool will open it, though. To read your data in other programs, export the captured data to another format (plain text, CSV, PostScript, XML) via File -> Export.

Simple Wireshark Cases
You installed Wireshark to perhaps figure out where security breach attempts originate or to find some network bottlenecks that affect your systems. Let’s take the first situation, attempts on your system, as an example.

During the packet capture, you noticed some dark red entries flash by on the Wireshark screen. Scroll down in the list until you see them. The colour comes from Wireshark's coloring rules (View -> Coloring Rules); in the default set a dark red background marks TCP resets, and red text on black marks checksum and other analysis errors. An entry like that flags a protocol-level problem worth a look, not necessarily an attack, so investigate before you conclude anything. Refer to Figure 4.

Figure 4: Wireshark Displaying Red (Error) Entries in a Packet Capture

As the packet info shows, an attempt was made on the local system running Wireshark ( from xenalive ( in the form of a telnet connection. The red line is most likely the RST the local system sent back because nothing listens on port 23: a refused connection, not a login. It could be someone looking for an easy way into a system with telnet enabled, or a leftover script on xenalive trying an old address. Either way you have enough information (system name, MAC address, IP address) to find the owner and ask what they were doing. Two caveats: the source MAC address identifies xenalive only if it sits on the same Ethernet segment as you, otherwise it is the address of the last router; and a lone SYN can carry a spoofed source address, whereas a connection that completes the three-way handshake almost certainly comes from where it says it does.

What does a normal connection attempt look like in Wireshark? To answer that question, you have to capture data while such an attempt is in progress. See Figure 5 for an SSH attempt.

Figure 5: Investigating SSH Packets in a Wireshark Capture
You see that the xenalive system made an SSH connection to the local system. SSH is an allowed protocol and you'll see hundreds of these in a capture from a system where users log in.
What about failed attempts on a legitimate protocol? Does Wireshark capture those? Yes and no. Yes, it captures the connection attempts, but it doesn't alert on or mark them in any special way beyond what you saw in Figure 5: SSH authenticates inside the encrypted channel, so a rejected password and an accepted one look the same on the wire. Wireshark is not an intrusion detection system. For those you'll need your system logs, /var/log/auth.log on Debian-based systems and /var/log/secure on rpm-based ones.
# grep Failed auth.log
Oct 28 21:03:25 filer sshd[4740]: Failed none for invalid user fred from port 14066 ssh2
Oct 28 21:03:28 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:30 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:33 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:36 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:39 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:42 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
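Wireshark shows you the SSH handshake; the log tells you whether the login succeeded. The Python below is an added example, not part of the original post: it parses sshd "Failed ..." lines of the shape grep printed above (the sample lines are constructed for the example, with addresses from the RFC 5737 documentation ranges, since the page's own lines have the address blanked out), counts failures per source and per user, and flags any source that racks up five or more failures inside a sliding sixty-second window, which is the signature of the password-guessing run against "fred" shown above. The threshold, the window and the function names are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, shaped like the grep output above. Addresses are from the
# RFC 5737 documentation ranges; nothing here is taken from a real log.
SAMPLE_AUTH_LOG = """\
Oct 28 21:03:25 filer sshd[4740]: Failed none for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:28 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:30 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:33 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:36 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:39 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:03:42 filer sshd[4740]: Failed password for invalid user fred from 203.0.113.5 port 14066 ssh2
Oct 28 21:10:02 filer sshd[4801]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Oct 28 21:10:09 filer sshd[4801]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
Oct 28 21:15:44 filer sshd[4820]: Failed password for root from 203.0.113.5 port 14100 ssh2
"""

# One sshd failure line: "Failed <method> for [invalid user ]<user> from <src> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(text, year=2012):
    """Return one dict per 'Failed ...' line; other lines (Accepted, disconnects) are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year, so one is assumed to make the times comparable.
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m.group("src"), "user": m.group("user"),
                       "invalid_user": m.group("invalid") is not None,
                       "method": m.group("method")})
    return events


def summarize(events):
    """Failure counts per (source, user) pair and per source."""
    per_pair, per_src = defaultdict(int), defaultdict(int)
    for e in events:
        per_pair[(e["src"], e["user"])] += 1
        per_src[e["src"]] += 1
    return dict(per_pair), dict(per_src)


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources that produce at least `threshold` failures inside any `window_seconds` span.

    A sliding window over the sorted timestamps means a slow trickle of failures spread
    over hours is not flagged, while a burst like the fred run above is."""
    stamps_by_src = defaultdict(list)
    for e in events:
        stamps_by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    per_pair, per_src = summarize(events)
    for (src, user), n in sorted(per_pair.items()):
        print("%-15s %-8s %d failures" % (src, user, n))
    for src, n in brute_force_sources(events).items():
        print("possible brute force from %s: %d failures within 60s" % (src, n))
```

To run it over a real log, read /var/log/auth.log into a string and hand it to parse_failed_logins; the "invalid user" flag is worth keeping separate in a real report, because guesses against accounts that don't exist are almost always automated.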
A Word on Filtering
If you don't enjoy seeing a lot of ARP traffic in your captures, you can hide it by typing !arp into the Filter field. That's a display filter: it doesn't delete the ARP packets from the capture, which you don't want to do anyway, it just keeps them from cluttering your view.
Wireshark isn’t the perfect network protocol capture and analysis tool but it comes close. And, you can’t beat the price. Next week, come back for more Wireshark, when we look at some advanced features and actual analysis.

Wireshark, by itself, is an effective analytical tool and it can point you in the right direction for some trouble spots. For example, if someone on your network has an email virus, you can see those packets, their source and their destination. Unfortunately, you’ll see them mixed in with all of the other packets that you’ve captured. The solution is selective filtering.

Casting a Smaller Net
Take one of your recent packet captures and count the "Who has" broadcasts in it. Chances are you have an abundance of them cluttering up your capture. These are ARP requests and they tend to annoy rather than assist in your quest to find problems. Don't misunderstand: ARP requests are important and can point to problems on your network, but unless an ARP storm is the root of your problem there are too many of them and they distract you from the real issues at hand.

You can deal with them either at capture time, with a capture filter, or afterwards, with a display filter. Using that same recent packet capture, enter !arp into the Filter field (see Figure 1) and press ENTER. All of the ARP entries should disappear from the list, although they are still in the file. Now you can focus on potential problems without the extraneous matter fogging your vision.

Figure 1: Removing the ARP Entries from a Packet Capture
If you don’t know the correct filter syntax, you can click the Filter button, scroll through the list of common filter selections and choose the one you want to use. Try selecting No ARP and no DNS from the list to see how much your capture changes.
Alternatively, you can pick a single packet of interest and filter on it. Select a packet, right-click it, choose Apply as Filter and click Selected to accept the change; see Figures 2 and 3 for reference and note the change in your display. Display filters can be applied to a live capture or to a saved one. To return to your original view, click the Clear button.

Figure 2: Applying a Packet Filter
Figure 3: Viewing the Filtered Results
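A capture file is just a sequence of length-prefixed frames behind a 24-byte header, and the analysis Wireshark did for you in the telnet and SSH cases earlier, along with the !arp display filter, is simple to reproduce by hand. The Python below is an added example written for this page, not Wireshark's code or anything from the original post: it builds a small classic-pcap capture in memory (a constructed sample using RFC 5737 documentation addresses and made-up MAC addresses), reads it back honoring the byte-order magic, drops ARP the way !arp does, and pairs each client SYN with the server's answer so a refused telnet attempt (RST), an accepted SSH handshake (SYN/ACK) and an unanswered SYN are told apart. All function names are the example's own.

```python
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def ether(dst, src, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    # The "Who has target_ip? Tell sender_ip" broadcast Wireshark shows in its Info column.
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1,
                       _mac(sender_mac), _ip(sender_ip), b"\x00" * 6, _ip(target_ip))

def ipv4_tcp(src, dst, sport, dport, flags):
    # Minimal IPv4 + TCP headers with zero checksums (Wireshark would colour those as errors).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst))
    return ip + tcp

def pcap_bytes(frames):
    """Serialize frames as a little-endian classic pcap: magic, version 2.4, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1332000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from a classic pcap blob, in whichever byte order the magic announces."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(bytes(data[:4]))
    if end is None:
        raise ValueError("not a classic pcap file (pcapng has a different layout)")
    if struct.unpack(end + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("this reader only understands Ethernet captures (link type 1)")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield data[off:off + incl]
        off += incl

def decode(frame):
    """Summarize one Ethernet frame; proto is 'arp', 'tcp' or 'other'."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP:
        return {"proto": "arp"}
    ip = frame[14:]
    if ethertype != ETH_IP or len(ip) < 20 or ip[9] != 6:
        return {"proto": "other"}
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"proto": "tcp", "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13]}

def display_filter(packets, exclude=("arp",)):
    """Offline equivalent of typing !arp into the Filter field: hide, don't delete."""
    return [p for p in packets if p["proto"] not in exclude]

def connection_attempts(packets):
    """Pair each client SYN with the server's answer: RST (refused), SYN/ACK (accepted) or nothing."""
    attempts = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        f = p["flags"]
        if f & TCP_SYN and not f & TCP_ACK:
            attempts[(p["src"], p["sport"], p["dst"], p["dport"])] = "no answer"
            continue
        key = (p["dst"], p["dport"], p["src"], p["sport"])  # a reply has the two ends swapped
        if key in attempts and f & TCP_RST:
            attempts[key] = "refused (RST)"
        elif key in attempts and f & TCP_SYN:
            attempts[key] = "accepted (SYN/ACK)"
    return attempts

def analyze(pcap_blob):
    """(frames in file, frames left after !arp, {(src, sport, dst, dport): outcome})"""
    packets = [decode(frame) for frame in read_pcap(pcap_blob)]
    kept = display_filter(packets)
    return len(packets), len(kept), connection_attempts(kept)

# Constructed capture (RFC 5737 addresses, made-up MACs): ARP broadcast, telnet refused,
# SSH handshake completed, SYN to port 80 left unanswered.
A, B, CLIENT, SERVER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.10", "192.0.2.20"
SAMPLE_PCAP = pcap_bytes([
    ether("ff:ff:ff:ff:ff:ff", A, ETH_ARP, arp_request(A, CLIENT, SERVER)),
    ether(B, A, ETH_IP, ipv4_tcp(CLIENT, SERVER, 40000, 23, TCP_SYN)),
    ether(A, B, ETH_IP, ipv4_tcp(SERVER, CLIENT, 23, 40000, TCP_RST | TCP_ACK)),
    ether(B, A, ETH_IP, ipv4_tcp(CLIENT, SERVER, 40001, 22, TCP_SYN)),
    ether(A, B, ETH_IP, ipv4_tcp(SERVER, CLIENT, 22, 40001, TCP_SYN | TCP_ACK)),
    ether(B, A, ETH_IP, ipv4_tcp(CLIENT, SERVER, 40001, 22, TCP_ACK)),
    ether(B, A, ETH_IP, ipv4_tcp(CLIENT, SERVER, 40002, 80, TCP_SYN)),
])
```

analyze(SAMPLE_PCAP) returns (7, 6, attempts), with the telnet attempt marked refused, the SSH one accepted and the port 80 SYN unanswered. To try it on a real file saved from Capture Options, pass open(path, "rb").read() to analyze; pcapng files, which newer Wireshark versions write by default, have a different layout and are rejected rather than misread.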

Sometimes it's helpful to grab a quick capture while you're observing an event in progress, for example when you see that a network attack is underway. The quickest way to bring up a Wireshark capture is from the command line. Rather than wrestling with the GUI, a single command starts Wireshark and the packet capture the moment you notice something fishy happening with your system.
Enter the following in a terminal window.
# wireshark -i eth0 -k
Wireshark starts up and immediately (the -k switch) begins capturing packets on eth0 with no interaction needed from you. Click the Stop Capture button when finished. You're correct if you noticed that this capture had no filters, and also if you wondered whether command line captures can include them. The next example uses the ARP filter discussed earlier.
# wireshark -i eth0 -k "not arp"
This launches Wireshark on eth0 immediately (-k) with no ARP frames included in the capture; the trailing "not arp" is a capture filter, and -f "not arp" is the explicit flag for the same thing. Note the syntax: capture filters use the tcpdump/BPF language (not arp), while the Filter field in the GUI takes Wireshark's own display filter language (!arp), and the two are not interchangeable. On a machine with no X display, tshark -i eth0 -f "not arp" -w capture.pcap does the same job from a plain terminal and writes a file Wireshark can open later. The command line alternative allows a rapid response when conditions change quickly and timing matters.

Collaborative Analysis
What happens when you’ve captured thousands of packets and you still can’t figure out what’s going on? A second, third or fourth set of eyes on a problem couldn’t hurt. There is a collaborative method that allows you and your colleagues to ponder over Wireshark packet captures simultaneously and offline.
You can upload your packet capture to one of the free online services for that efficient and collective view. One such site is CloudShark. See Figure 4. CloudShark is a free service that allows you to upload your packet captures without the need for user registration. Connect, upload, distribute the URL for your capture and while away the hours on this worthy pursuit. Before you do, remember what is in the file: every password sent over telnet or plain HTTP, every cookie, every internal host name and address you captured goes up with it, and anyone who obtains the URL can read it. Upload only captures you would be comfortable showing a stranger, trim them to the packets the problem needs (editcap can cut a capture down to a packet range), and keep anything sensitive in-house.

Figure 4: Using CloudShark to View a Packet Capture Online
One reader shared Network Timeout as an alternative capture upload and analysis site.
Wireshark offers you one method for packet capture and analysis for your networks. It is a powerful tool that can help you maintain a safe and well-running network. A word of caution for those of you who want to use Wireshark for unsavory purposes: Most corporate networks frown upon port scanning and packet sniffing unless you have a job title that includes such activities. Please don’t allow your use of Wireshark to take you down hook, line and sinker.