Forensic Toolbox: Wireshark

Description

The infamous Wireshark (formerly known as “Ethereal) – a network analyzer used to capture and analyze network traffic going through a given Network Interface Card (NIC) on your system. Network traffic is made up of “packets”. When information is sent from your computer to another device via a network, the NIC divides that information up into small chunks called packets and puts those packets onto the medium you are using (copper, fiber, or air). Wireshark is able to capture these packets so they can be analyzed in detail individually, or combined with other packets in the packet “stream” to form the original message.

For example, if a password were sent in cleartext (as they typically are if sent via email), the packets forming the email content can be put together and that password could be viewed by an outside entity if they were using some packet capture tool and if they were on the same network as the computer which sent the email. Wireshark is also useful for network troubleshooting and forensic analysis. If any of this seems vague, don’t worry, the more you use it and learn about networking, the more it will make sense.

 

Basic Usage

  1. Tell Wireshark which network interface to listen on. Your system may have multiple NICs in order to connect to a network wirelessly or via a Cat-5 cable. This can be done upon opening Wireshark or by going to Capture -> Options.

wireshark_interfaces

2. Next, either double-click the interface or go to Capture -> Start to begin capturing packets.

wireshark_capturing

From here, there are many options. You can stop the capture at any time and then save it for future reference. The capture is saved as a .pcap (packet capture) file and can be opened by Wireshark at any time. 

One of Wireshark’s features I use frequently is the “Follow TCP Stream” feature, which can be accessed by right clicking on a packet (the protocol has to use TCP as the connection method) and choosing “Follow”, and then the stream you’d like to follow (for most purposes, this will be TCP, but UDP is an option as well). This is how packets can be analyzed together with other packets to view the actual information which was sent before being broken up into packets. If this information is encrypted somehow, the stream will appear to be a bunch of nonsense. If in cleartext, you will be able to see the exact data traveling across the network. 

There are so many more ways to use Wireshark (filters, statistics, etc.), but this tutorial is only meant as an introduction to the tool and what it can do. 

 

How to Use in Forensics Investigation

If you suspect an infected device on your network, it is important to analyze network-based evidence (NBE) to see if the device is communicating with some outside system. The infection could cause the infected machine to send an attacker private information or it could be receiving commands from the attacker. Both of these events would show up in network traffic. Wireshark is one of the best network capture and analyzer tools freely available, and should be used on a monitor system (placed on the same network as the victim machine to capture the traffic) to search for any unusual traffic coming from or going to the victim machine. This can be used to discover what sort of data is being exfiltrated to an attacker. If the traffic is being encrypted, this analysis is still useful as you will be able to see the IP address(es) which the victim machine is sending data to or getting commands from.

 

TCP vs. UDP

TCP means that there is a connection between your computer and whatever you’re connecting to. UDP is a connection-less protocol, meaning that packets are being thrown, but there is no guarantee that they will arrive. Video streaming, for example, since it needs to be fast and doesn’t care if a few packets are lost, is almost always UDP. Your computer gets sent packets, but there is no connection established to guarantee the arrival of those packets. 

 

Try it out!

Start running Wireshark and then open up a web browser, navigating to some http site (NOT https, as this adds encryption). Go to Wireshark again, type “http” in the filter input box, and follow the TCP stream of one of the packets. You should be able to see the data passed from or to the website in cleartext. This is why it is never a good idea to submit passwords to any website not using the https protocol.

 

Personal Note

Wireshark is a fun tool. You can tell a lot about a network by looking at a packet capture. Packet capture tools like Wireshark are also a reason why there is so much emphasis on keeping networks secure. For example, if a wireless access point is given too much power, the signal could potentially leak outside of a building. If a malicious user is able to connect to the network through this, he/she could then listen in on all the private traffic going through a company’s network. It is important to keep your networks safe and always send important information using encryption protocols, to protect your data from attackers who may be listening on the network.

 

Download Source: 

For Windows and Mac computers, you can download Wireshark here.

For Linux machines (Debian versions), 

 

More Information: 

Wireshark Walkthrough Video for Beginners

Image-based Tutorial on Basic Wireshark Usage

 

css.php