Wireshark - Network traffic analyzer. Part 1.



  • This article covers only theory and installation.
    What is Wireshark?

    Wireshark is a powerful network analyzer that captures and decodes the traffic passing through a network interface of your computer. You may need it to detect and diagnose network problems, or to debug your web applications, network programs or sites. It shows the full contents of every packet at every protocol layer, so you can see how the network works at a low level.

    Packets are captured in real time and presented in a readable, decoded form. The program has a very powerful filter system, colour highlighting and other features that help you find the packets you need. Wireshark is developed by network experts from around the world; it continues the Ethereal project, which began in 1998.

    Wireshark dissects the vast majority of known protocols, has a clear and logical graphical interface (Qt since version 2.x; the older 1.x interface used GTK+) and a powerful filter system. It is cross-platform and runs on Linux, Solaris, FreeBSD, NetBSD, OpenBSD, macOS and Windows.

    We learned that Wireshark is used for traffic analysis, but what is traffic analysis?

    Traffic analysis is used to study network applications and protocols, to find problems in the network and, importantly, to find out the causes of those problems. Obviously, to get the most out of a sniffer or traffic analyzer you need at least a general understanding of how networks and network protocols work. I also remind you that in many countries capturing traffic on a network without explicit permission from its owner is a criminal offence.
    Who uses Wireshark?

    Network administrators - troubleshooting network problems.
    Network security engineers - testing network applications.
    Developers - debugging protocol implementations.
    Users - learning how network protocols work internally.
    

    What can it do?

    Deep inspection of hundreds of protocols, with more being added all the time.
    Live capture and offline analysis.
    The standard three-pane packet browser.
    Runs on Linux, Solaris, FreeBSD, NetBSD, OpenBSD, macOS and Windows.
    Captured network data can be browsed in the graphical interface or in console mode with the TShark utility.
    The most powerful display filters in the industry.
    Rich VoIP analysis.
    Reads and writes many different capture file formats: tcpdump (libpcap), pcapng, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek and many others.
    Capture files compressed with gzip can be decompressed on the fly.
    Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI and other interfaces (which of these are available depends on your platform).
    Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2, provided you supply the keys: for TLS that usually means a key log file written by the browser when the SSLKEYLOGFILE environment variable is set, for WPA the passphrase plus a captured four-way handshake.
    Colouring rules can be applied to the packet list for quick, intuitive analysis.
    Output can be exported to XML, PostScript, CSV or plain text.
    

    Installation:

    Most security-oriented Linux distributions ship Wireshark already. I will show how to install it on Ubuntu and on Windows.
    Ubuntu:

    Install:
    sudo apt install wireshark

    Capturing packets requires raw access to the network interface, which an ordinary user does not have. Do not solve this by running the whole GUI as root: Wireshark's dissectors parse untrusted input straight off the wire, and a parsing bug in a process running as root can become a root compromise. The Ubuntu package asks about this during installation (the question can be repeated with sudo dpkg-reconfigure wireshark-common; answer "Yes"); it then grants the capture privileges only to the small dumpcap helper and restricts that helper to members of the wireshark group. Add yourself to that group and log in again:

    sudo usermod -aG wireshark $USER

    After that, start Wireshark as your normal user (wireshark from a terminal or the application menu). The older advice of launching it as root through kdesu wireshark (KDE) or gksu wireshark (GNOME/Unity) is not needed, and gksu is no longer shipped in current Ubuntu releases.

    Windows:

    Download and run the installer (this is the 2.6.5 build; newer stable releases are listed at https://www.wireshark.org/download.html):

    https://1.eu.dl.wireshark.org/win64/Wireshark-win64-2.6.5.exe

    The installer also offers to install the packet capture driver (Npcap, or WinPcap on older versions). Without it Wireshark can still open capture files but cannot capture live traffic.

    Choosing components:

    1. Wireshark - the graphical network protocol analyzer.

    2. TShark - the command-line network protocol analyzer.

    3. Wireshark 1 Legacy - the old GTK+ user interface, if you need it (optional, can be deselected).

    Plugins and Extensions:

    1. Dissector Plugins - additional protocol dissectors.

    2. Tree Statistics Plugins - extended statistics.

    3. MATE (Meta Analysis and Tracing Engine) - a user-configurable extension of the display filter engine.

    4. SNMP MIBs - MIB files for more detailed SNMP dissection.

    Tools:

    1. Editcap - reads a capture file and writes some or all of its packets to another capture file.

    2. Text2Pcap - reads an ASCII hex dump and writes the data to a pcap capture file.

    3. Reordercap - reorders the packets of a capture file by timestamp.

    4. Mergecap - merges several saved capture files into one output file.

    5. Capinfos - prints information about capture files.

    6. Rawshark - raw packet filter.

    User's Guide - installs the User's Guide locally.
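    The capture file formats listed above and the Text2Pcap and Capinfos tools in this list all revolve around the classic pcap format that tcpdump writes and Wireshark reads. The following Python script is an added example, not code from the Wireshark project or from the original article. It builds two constructed Ethernet/IPv4/UDP frames (made-up MAC addresses, documentation IP addresses from 192.0.2.0/24 and a fake DNS payload), writes them into a pcap file, parses the file back accepting either byte order, and decodes each packet while verifying the IPv4 header checksum, rejecting truncated or over-long records the way a careful dissector must. The function and file names (build_udp_frame, read_pcap, demo.pcap) are my own choices.

```python
"""Minimal classic-pcap writer/reader with an Ethernet/IPv4/UDP decoder.

Added example for this article; not part of Wireshark. All packet data below
is constructed (made-up MAC addresses, 192.0.2.0/24 documentation addresses).
"""
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; a valid header (checksum included) sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / UDP frame. The MAC addresses are constructed constants."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                               64, IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", ip, 10, ipv4_checksum(ip))   # fill in the header checksum
    return eth + bytes(ip) + udp


def write_pcap(frames, ts_start=1_700_000_000, endian="<") -> bytes:
    """Serialize frames as a classic pcap file (24-byte global header + 16-byte record headers)."""
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for n, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", ts_start + n, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data: bytes):
    """Parse a classic pcap file of either byte order; refuse records that overrun the file."""
    if len(data) < 24:
        raise ValueError("file shorter than pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError(f"unknown magic 0x{magic:08x} (pcapng or not a pcap file)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    frames, pos = [], 24
    while pos < len(data):
        if len(data) - pos < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        # A damaged or hostile file can declare a length past the end of the file: never trust it.
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("record length exceeds snaplen or file size")
        frames.append((ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]))
        pos += incl_len
    return frames


def dissect_udp(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP headers, verifying the IPv4 checksum as a dissector would."""
    if len(frame) < 14 + 20 + 8 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame of usable length")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl + 8:
        raise ValueError("bad IHL or frame too short for UDP")
    ip = frame[14:14 + ihl]
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != IPPROTO_UDP:
        raise ValueError(f"not UDP (protocol {ip[9]})")
    src_port, dst_port, udp_len, _ = struct.unpack_from("!HHHH", frame, 14 + ihl)
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": src_port, "dport": dst_port, "payload": frame[14 + ihl + 8:14 + ihl + udp_len]}


def demo_frames():
    """Two constructed frames: a DNS-style query on UDP/53 and its reply."""
    return [build_udp_frame("192.0.2.10", "192.0.2.53", 40000, 53, b"\x12\x34\x01\x00"),
            build_udp_frame("192.0.2.53", "192.0.2.10", 53, 40000, b"\x12\x34\x81\x80")]


def demo() -> list:
    """Round trip: write the demo frames to pcap, read them back, dissect each one."""
    return [dissect_udp(f) for _, f in read_pcap(write_pcap(demo_frames()))]


def save_demo_pcap(path="demo.pcap") -> int:
    """Write the demo capture to disk (hypothetical file name) for opening in Wireshark."""
    data = write_pcap(demo_frames())
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
    print(f"wrote {save_demo_pcap()} bytes to demo.pcap")
```

    Running the script writes demo.pcap in the current directory; open it in Wireshark or run capinfos demo.pcap to confirm it is a valid two-packet Ethernet capture. The length check in read_pcap is the kind of guard that matters in real dissectors: a capture file, like the traffic itself, is untrusted input, which is also why Wireshark should not be run as root.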

    In part 2, we will capture passwords.

