Wireshark is an open-source network protocol analyser, widely considered the industry standard. It is a packet sniffer and analysis tool which captures network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), token ring and frame relay connections, among others, and stores that data for offline analysis. In this article we will see how to do a basic network capture and analysis using Wireshark.
Like any other packet sniffer, Wireshark does three things:
- Packet capture
- Filtering
- Visualization
- Install the package (Debian/Ubuntu):
  sudo apt-get install wireshark
- Reconfigure the package so that non-root users are allowed to capture packets:
  sudo dpkg-reconfigure wireshark-common
- Add user privileges to use Wireshark (adds the user to the wireshark group):
  sudo adduser $USER wireshark
- Install the GUI and CLI version of Wireshark (Fedora/RHEL):
  sudo dnf install wireshark-qt
- Add user privileges to use Wireshark (adds the user to the wireshark group):
  sudo usermod -a -G wireshark username
There are also Windows and macOS installers.
There are a couple of ways in which Wireshark can be used:
- Directly by capturing traffic on an interface.
- Indirectly, by importing system trace files and using Wireshark as a traffic/packet analyzer.
The latter is the most common option in a production environment, where no X server is likely to be running on the host and promiscuous mode will not be allowed.
The instructions below can only be applied to a server running an X server; hence they do not apply to servers running without one. On such servers Wireshark can still be used as a trace file analyser, as described in the section of that name on this page.
- Select Capture | Interfaces.
- Select the interface on which packets need to be captured. This will usually be the interface where the Packet/s column is constantly changing, which indicates the presence of live traffic. If you have multiple network interface cards (e.g. a LAN card and a Wi-Fi adapter) you may need to check with your IT administrator to determine the right interface.
- Click the Start button to start the capture.
- Recreate the problem. The capture dialog should show the number of packets increasing. Try to avoid running any other internet applications while capturing.
- Once the problem to be analysed has been reproduced, click on Stop. It may take a few seconds for Wireshark to display the captured packets.
- Save the packet trace in the default format: click on the File menu and select Save As. By default Wireshark saves the packet trace in libpcap format, a file with a .pcap extension.
Wireshark does provide a command line interface for systems without a graphical user interface, but the best practice is to use the CLI to capture and save a trace so that you can review it with the GUI.
Wireshark has its own command line toolset, but the Linux utility tcpdump is the one used in this example, as it is likely to be installed already or, certainly, readily available from all distributions.
tcpdump has many options; to get a list of interfaces on a system, use the command:
tcpdump -D
But since the trace file will be imported and filtered in Wireshark, best results are obtained by:
- either capturing a specific port on all interfaces (e.g. if we want to capture database traffic only)
- or capturing all traffic and then applying filters, to check, say, server comms.
Wireshark can be used for anything from home Internet problems, checking ICMP traffic, to more complex network issues, such as packet relay issues. Here's a common example of how a Wireshark capture can assist in identifying a problem. This figure shows an issue on a home network, where the Internet connection was very slow:
The problem was discovered by drilling down into the IPv6 Internet Control Message Protocol (ICMP) traffic, which is marked in black. In Wireshark, any packet marked in black is considered to reflect some sort of issue.
The problem was resolved by restarting the cable modem. Of course, this particular problem didn't necessitate using Wireshark, but it is a good example of how it works.
The workflow is the following:
- Capture traffic using tcpdump into a .pcap file
- Import into Wireshark
- Filter data
Best, most comprehensive results are obtained with this expression (here capturing PostgreSQL traffic on port 5432 on all interfaces):
tcpdump -v -i any port 5432 -w postgres.pcap
A specific number of packets can be set using the option -c, or the capture can be rotated based on output file size with -C.
An example of an SSL handshake can be seen in the following picture:
The following steps were used to obtain the packet filtering shown:
- Start the capture:
  tcpdump -v -i any port 5432 -w tcp.pcap
- In a Primary/Standby setup, connect from the Standby to the Primary using SSL:
  psql "postgresql://david@pg1rl:5432/pooltest?sslmode=require"
- Once connected, execute a query and quit.
- Stop tcpdump (Ctrl + C).
- Transfer the file to your desktop.
- Import into Wireshark (File -> Open).
- Since we are interested in the SSL communication, enter the IP addresses of the two servers and the protocol in the filter; this will remove all the TCP SYN/ACK packets:
  (ip.addr == 10.0.2.10 or ip.addr == 10.0.2.11) and tls
For server comms, it is best to capture all packets and apply suitable filtering afterwards:
tcpdump -v -i any -w tcp.pcap
On a busy server the trace files may grow significantly; therefore, monitored, targeted experimental tests are advised.
Here's an example of an email sent from a VM running Postfix as an MTA and using Google's SMTP server, with the following filter applied:
not ssh and not udp and not tcp.len==0 and not arp
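To show what the two display filters above actually select, here is an added example (not code from the original article or from the Wireshark project) that builds a small constructed libpcap file in memory, parses it the way Wireshark reads a .pcap, and applies the equivalents of "(ip.addr == 10.0.2.10 or ip.addr == 10.0.2.11) and tls" and "not ssh and not tcp.len==0". The TLS check is a heuristic on the record header and ssh is assumed to be TCP port 22; the frames, addresses and ports are constructed sample data.

```python
import struct
def tcp_frame(src, dst, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP segment (no options, checksums left zero)."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def pcap_file(frames):
    """Serialise frames as a little-endian libpcap (.pcap) file, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl_len, orig_len
    return out

def parse_pcap(data):
    """Extract per-packet fields mirroring Wireshark's ip.addr, tcp.port, tcp.len and tls."""
    pkts, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        fr = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(fr) < 34 or fr[12:14] != b"\x08\x00" or fr[23] != 6:
            continue                        # keep only IPv4-over-Ethernet carrying TCP
        ihl = (fr[14] & 0x0F) * 4
        total = struct.unpack("!H", fr[16:18])[0]
        tcp = fr[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        pay = tcp[(tcp[12] >> 4) * 4:]      # tcp.len = bytes after the TCP header
        # heuristic for Wireshark's "tls": record content type 20..23, major version 3
        tls = len(pay) >= 5 and pay[0] in (20, 21, 22, 23) and pay[1] == 3
        pkts.append({"src": ".".join(map(str, fr[26:30])), "dst": ".".join(map(str, fr[30:34])),
                     "sport": sport, "dport": dport, "tcp_len": len(pay), "tls": tls})
    return pkts

def hosts_and_tls(pkts, a, b):
    """Equivalent of '(ip.addr == a or ip.addr == b) and tls'."""
    return [p for p in pkts if {p["src"], p["dst"]} & {a, b} and p["tls"]]

def not_ssh_and_not_empty(pkts):
    """Equivalent of 'not ssh and not tcp.len==0' (ssh assumed to be TCP port 22)."""
    return [p for p in pkts if 22 not in (p["sport"], p["dport"]) and p["tcp_len"] > 0]

# Constructed sample (not a real capture): bare SYN to 5432, TLS ClientHello to 5432, SSH segment
SAMPLE = pcap_file([
    tcp_frame("10.0.2.11", "10.0.2.10", 40000, 5432),
    tcp_frame("10.0.2.11", "10.0.2.10", 40000, 5432, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    tcp_frame("10.0.2.5", "10.0.2.10", 50000, 22, b"\x00" * 8),
])
```

Running parse_pcap on SAMPLE yields three packets; only the ClientHello survives either filter, just as the empty handshake segments disappear from the Wireshark view once the filter is applied.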
An example of Wireshark detecting SELinux issues:
See the tcpdump man pages for more details about the utility itself.
For more details about Wireshark, please refer to the Wireshark documentation.