Wireshark (Ethereal) – Sniffing packets

Posted: September 6, 2013 in Cyber Forensics, Ethical Hacking/Anti-Forensics, Wireshark (Ethereal) - Sniffing packets

Wireshark (originally named Ethereal) is a free and open-source packet/network analyzer. It captures packets in real time and displays them in a human-readable format. Wireshark provides a GUI; for a command-line interface you can use TShark. Download Wireshark from the official website.

Once done with the installation, launch Wireshark.

Screenshot from 2013-08-31 20:17:33

1. Capture/Sniff packets :

Choose an interface to capture packets from. You can pick one from the interface list, or select capture->interfaces.

Screenshot from 2013-09-06 11:37:14

Choose an appropriate interface. I am running Wireshark inside VirtualBox, so I will choose eth1 to capture packets from; you can choose any interface. Once that is done, hit Start to begin capturing, or select capture->start.
At first nothing has been captured, so the packet list will be blank.

Screenshot from 2013-09-06 11:37:57

Let's initiate a connection. I will request the info.php page (refer to the LAMP post). So I open my browser and type in http://192.168.1.10/info.php, which gives me the info page like so:

Screenshot from 2013-09-06 11:41:53

Now let's look at the back end. Your Wireshark window will show the packets it captured during our HTTP request.

Screenshot from 2013-09-06 11:43:50

By default, Wireshark displays packets in three panels/sub-windows. Starting from the top:

  • Packet List : Lists the captured packets. Each line is an individual packet with brief details: packet number, time, source IP, destination IP, the highest-level protocol in use, packet length and an info column. Wireshark uses colours so the type of traffic can be identified at a glance. By default, green is TCP traffic, light blue is UDP traffic and so on, and black indicates TCP packets with problems.

    Screenshot from 2013-09-06 11:52:04

  • Packet Details : Shows the header information, from the physical layer to the network layer. For the packet selected in the packet list, a decoded copy of the Ethernet frame and IP datagram information is displayed.

    Screenshot from 2013-09-06 11:46:27

  • Packet Bytes : Displays the entire contents of the captured frame, including the Layer 2 (OSI data link) data, in both hexadecimal and ASCII.

    Screenshot from 2013-09-06 11:47:11

2. Packet Analysis :

Filtering Packets :

When you are working on a specific packet type, or on packets from a particular IP address, filtering the packets comes in handy. Say you want to inspect only HTTP packets: type http in the filter box and the result will look something like this…

Screenshot from 2013-09-06 11:44:51

Follow TCP Stream :

To view the complete conversation between the client and the server, right-click on a particular packet and select Follow TCP Stream.
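The two operations above, display filtering and Follow TCP Stream, are easy to misread as "show me the packets"; what Follow TCP Stream actually does is pick the conversation (the pair of IP:port endpoints) the selected packet belongs to, split it into the two directions, and reassemble each direction by sequence number, discarding retransmissions and fixing the order of segments that were captured out of order. The added example below (mine, not the post's or Wireshark's code) does exactly that over a constructed packet list that includes a retransmitted request, a response whose second segment was captured before its first, and an unrelated connection to another host; it also implements a small subset of the display-filter syntax (http, ip.addr ==, tcp.port ==) so the http filter from the previous section can be tried on the same data. The http match is a simplification of Wireshark's dissector: it recognises request and status lines only, so a continuation segment shows as TCP, much as Wireshark lists it before reassembly.

```python
from collections import defaultdict

# Constructed endpoints and payloads (not from a real capture).
CLIENT, SERVER = "192.168.1.20", "192.168.1.10"
REQUEST = b"GET /info.php HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"
RESP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RESP_BODY = b"<html>phpinfo()</html>"


def pkt(no, src, dst, sport, dport, seq, flags, payload=b""):
    return {"no": no, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "payload": payload}


# Constructed packet list in capture order. It deliberately contains a
# retransmitted request (5), an out-of-order response segment (6 captured before 7),
# and an unrelated SSH handshake (8) to another host.
SAMPLE_PACKETS = [
    pkt(1, CLIENT, SERVER, 40512, 80, 1000, "SYN"),
    pkt(2, SERVER, CLIENT, 80, 40512, 5000, "SYN,ACK"),
    pkt(3, CLIENT, SERVER, 40512, 80, 1001, "ACK"),
    pkt(4, CLIENT, SERVER, 40512, 80, 1001, "PSH,ACK", REQUEST),
    pkt(5, CLIENT, SERVER, 40512, 80, 1001, "PSH,ACK", REQUEST),            # retransmission
    pkt(6, SERVER, CLIENT, 80, 40512, 5001 + len(RESP_HDR), "PSH,ACK", RESP_BODY),
    pkt(7, SERVER, CLIENT, 80, 40512, 5001, "PSH,ACK", RESP_HDR),
    pkt(8, CLIENT, "192.168.1.11", 40600, 22, 7000, "SYN"),
]


def is_http(p):
    """Rough stand-in for the HTTP dissector: a request line or a status line."""
    return p["payload"].startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/"))


def display_filter(packets, expr):
    """Minimal subset of display-filter syntax: http, ip.addr == A, tcp.port == N."""
    expr = expr.strip()
    if expr == "http":
        pred = is_http
    elif expr.startswith("ip.addr =="):
        addr = expr.split("==", 1)[1].strip()
        pred = lambda p: addr in (p["src"], p["dst"])
    elif expr.startswith("tcp.port =="):
        port = int(expr.split("==", 1)[1])
        pred = lambda p: port in (p["sport"], p["dport"])
    else:
        raise ValueError(f"unsupported filter: {expr}")
    return [p for p in packets if pred(p)]


def reassemble(segments):
    """Order (seq, payload) segments by sequence number, dropping retransmitted/overlapping bytes."""
    data, expected = b"", None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        end = seq + len(payload)
        if end <= expected:            # pure retransmission, nothing new
            continue
        if seq < expected:             # partial overlap: keep only the new tail
            payload = payload[expected - seq:]
        data += payload
        expected = end
    return data


def follow_tcp_stream(packets, selected_no):
    """Rebuild both directions of the conversation the selected packet belongs to."""
    sel = next(p for p in packets if p["no"] == selected_no)
    key = frozenset({(sel["src"], sel["sport"]), (sel["dst"], sel["dport"])})
    stream = [p for p in packets
              if frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}) == key]
    # Assumes the capture includes the start of the connection: the first packet is the client's SYN.
    client = (stream[0]["src"], stream[0]["sport"])
    by_dir = defaultdict(list)
    for p in stream:
        if p["payload"]:
            side = "client" if (p["src"], p["sport"]) == client else "server"
            by_dir[side].append((p["seq"], p["payload"]))
    return {"client": reassemble(by_dir["client"]), "server": reassemble(by_dir["server"])}


if __name__ == "__main__":
    print("http filter ->", [p["no"] for p in display_filter(SAMPLE_PACKETS, "http")])
    conv = follow_tcp_stream(SAMPLE_PACKETS, 6)      # right-click on packet 6, Follow TCP Stream
    print(conv["client"].decode())                   # what the client sent, once
    print(conv["server"].decode())                   # the response, headers before body
```

Selecting packet 6 (the body segment that arrived early) still yields the whole conversation, because the stream is identified by its endpoints rather than by the packet you clicked; the retransmitted GET appears once in the client direction, and the server's headers precede the body despite the capture order.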

Screenshot from 2013-09-06 12:19:50

Screenshot from 2013-09-06 12:18:39
