Lab: Introduction to Wireshark
• Understand the purpose of the Wireshark application. Identify the features, benefits and risks of this application.
• Try some of the features of Wireshark including exploring the interface, capturing packets, performing basic network analysis and writing ACL rules for networking devices to prevent unwanted traffic.
• Perform specific tasks with Wireshark and document your understanding of its capabilities in a well-written lab report.
What is Wireshark?
Wireshark is an open source packet analyzer. It captures packets from a wired or wireless network interface and provides tools for organizing and analyzing them. When you are responsible for the health and security of a network, examining the packets themselves is the most direct way to see what is actually happening on it. Wireshark is free and easy to install. On Windows machines, download it from www.wireshark.org and install it. On Linux machines, Wireshark is usually available from the distribution's package repository; for example, on Ubuntu it can be installed by typing sudo apt-get install wireshark into the terminal. For this lab, Wireshark is already installed on your virtual machine.
Uses for network/security analysts
There are three roles for network analysis: troubleshooting, optimization, and security. Packet analysis is the surest way for a network administrator to understand and optimize a network's performance. You can see directly which machines, applications or processes are consuming network capacity unnecessarily, which machines are sending malware or running P2P software, and you can follow an intruder moving data across the network. Bear in mind that on a switched network a capture taken on one host normally shows only that host's own traffic plus broadcast and multicast; to see a whole segment you need a mirror (SPAN) port, a network tap, or monitor mode on a wireless interface.
Uses for hackers
Laura Chappell of Wireshark University demonstrates the power of Wireshark by starting a live wireless capture at an IT security conference and calmly announcing who has logged on to what. She then projects everyone's IDs and passwords on the screen and openly mocks them. This causes much embarrassment and drives home how exposed data is and how lax security practices are. The trick works because many protocols (HTTP basic authentication, FTP, Telnet, POP3) still send credentials in cleartext; traffic protected by TLS, or an encrypted wireless network, gives an eavesdropper far less. Now imagine an attacker sitting in a public space that offers free, open Wi-Fi. What sort of information might they glean right out of the air?
Task 1: Navigating the Start Page and the Main Page of Wireshark
Step 1 Log on to VMware as directed on the following website:
Step 2 You may need to log on to the Linux virtual machine with the user name “Administrator” (no quotes). The password is “password” (no quotes).
Step 3 Welcome to your virtual machine. Find and open Wireshark by going to Applications > Internet > Wireshark.
Enter info in the terminal screen
a. You will be asked to enter the password for Administrator. Type the word “password” (no quotes) as the password and hit Enter on the keyboard.
b. Click “OK” where it says running as user ‘root’ can be dangerous. (On your own systems, prefer adding your account to the wireshark group, which lets the dumpcap helper capture with the needed capabilities, rather than running the whole GUI as root; a bug in a protocol dissector then cannot compromise a root process.)
Click the “Untitled window” at the bottom of the Wireshark screen and click “OK” on the error message.
Using the start page
1. Capture area
The Capture area consists of two sections, the Interface List and the Capture Options area. The Interface List displays the interfaces that Wireshark has identified; clicking one of them starts a capture on that interface. The Capture Options area allows you to define capture filters and other conditions of the capture, such as promiscuous mode.
2. Capture Help area
The Capture Help contains links to Wireshark.org’s online help sites. Remember, the Networking Lab’s virtual machines are not connected to the internet. You will not be able to link to this or any website on these machines.
3. Files area
The Files area contains links to recently examined capture files and by clicking “Open” you can browse the drive for other capture files.
4. Online area
The Online area contains links to the Wireshark website, the Wireshark User's Guide and the Wireshark security guide. These require an internet connection, which the lab machines do not have.
Step 7. In the Interface List, click on eth0.
The main page layout:
1. Menu bar
This is a standard menu bar. It is where most of the settings are located.
2. Main toolbar
The toolbar contains icons for many of the most commonly used features: starting and stopping a capture, saving, moving within, searching, zooming, editing preferences and changing the coloring of a capture.
3. Filter toolbar
The Filter toolbar allows you to filter the traffic according to preset filters or you may write your own.
4. Packet list pane
The Packet list pane lists every packet in the capture that matches the current display filter, one per row, with its number, timestamp, source, destination, protocol and a one-line summary.
5. Packet details pane
The packet details pane contains a decoded, layer-by-layer view of the packet selected in the packet list pane: each protocol header is shown as a collapsible tree. The amount of detail displayed can be expanded or collapsed by clicking the plus/minus boxes to the left of each line.
6. Packet Bytes pane
The Packet Bytes pane displays the raw data of the selected packet as a hex dump: byte offsets and hexadecimal on the left, and the same bytes rendered as printable ASCII on the right (non-printable bytes shown as dots). Clicking a field in the packet details pane highlights the bytes that encode it.
Task 2: Open a Sample Capture File
On the desktop, there is a folder titled “Wireshark Captures”, in which you can find sample capture files. Double-click the file named “evidence03.pcap”. You will be asked for the password again, and then another instance of Wireshark starts.
What you opened is a capture file of HTTP traffic between two machines.
Task 3: Exploring Tools for Network Analysis
Packet analysis is an essential skill for any IT professional. With it you can investigate intrusions, secure your network, track down data leaving it, make web pages and streaming video work reliably, and build the kind of career success you want. One of the main skills you will need is sifting through thousands or millions of packets to find the few that show a problem. Wireshark has several tools for this herculean task: display filters to show only the traffic of interest, statistics that group packets by address or protocol, and coloring rules that make particular packets stand out in the stream.
When performing packet analysis, it is useful to follow two lines of inquiry: simple and in-depth. In the simple stage you answer basic questions: Who is sending the traffic? What kind of traffic is it? Who is the target? When did it start and when did it end? Answering these gives immediate fixes for many security or network problems, for example: ‘The network is being scanned from a certain address.’ Answer: ‘Add that address to the ACL.’ Once the easy problems have been solved, you can perform an in-depth analysis: examining the contents of individual packets and determining what the traffic was attempting to do. This often requires research into the protocol or tool involved, and is usually resolved by applying patches and correcting configuration settings.
You can filter traffic to exclude or include packets with certain characteristics. This trims the traffic to a manageable level: a few seconds of capture can easily contain hundreds or thousands of packets, and sifting through them one by one would take so long as to be futile.
The filter toolbar allows you to filter traffic in two ways.
a. You can click the “Filter” button to see a list of saved display filters that you can apply or edit.
b. To customize a filter to fit your needs, click the filter in the list that is closest to what you want, then edit it in the filter string box. For example, to see only traffic from a certain address, click the IP address filter in the list and replace the address in the Filter String box with the address you are interested in.
c. You can also click the “Expression…” button to build a filter. You pick a protocol field from the tree, a relation (such as ==, !=, contains or matches) and a value, and the dialog writes the filter string for you. Filters can be combined with the Boolean operators && (and), || (or) and ! (not); for example, ip.addr == 192.168.0.72 && icmp shows only ICMP packets to or from that host.
You can also filter traffic by right-clicking on a suspect packet in the packet list pane or on a listing in the packet details pane.
Right-click a packet in the packet list and choose Apply as Filter (or Prepare a Filter) to filter on that packet's source or destination address, or on its conversation.
By right-clicking an attribute in the packet details pane you can filter on that specific field, such as a source address, MAC address, port, protocol or any other value you choose; Wireshark fills in the field name and value for you.
Experiment with coloring the packets (View > Coloring Rules, or right-click a packet and choose Colorize Conversation). Coloring the packets of one conversation makes them easy to pick out of the packet list.
The statistics menu contains:
• Summary: metadata about the capture. Time, size, format, number of packets, packet sizes, etc.
• Protocol Hierarchy: a breakdown of what percentage of packets and bytes belong to each protocol, nested by layer (Ethernet > IP > TCP > HTTP, for example).
• Conversations: traffic grouped by pairs of communicating addresses, with separate tabs for Ethernet, IPv4, TCP, UDP and others, and packet and byte counts in each direction (A->B and B->A).
• Endpoints: while conversations are pairs of hosts, an endpoint is a single side of a conversation. It shows the traffic sent and received by each individual address.
• IO Graphs: graphs of packets or bytes over time for the capture, optionally one line per display filter you choose.
“Find a packet” Icon
The “Find a packet” icon (Ctrl+F) jumps to the next packet that matches a display filter, a hexadecimal byte pattern, or a text string in the packet list, details or bytes.
https://www.youtube.com/watch?v=NHLTa29iovU Intro to Wireshark video
https://policy.psu.edu/policies/ad95 Penn State ad95
https://www.wireshark.org/docs/dfref/ Wireshark filter Reference
https://holisticinfosec.io/toolsmith/pdf/november2006.pdf Security Analysis with Wireshark
Note: This is an individual lab assignment. Each student needs to work on and submit his/her report independently.
Clearly state the results of this project. You are expected to hand in a report in the following format:
• A cover page including project title and your name and Penn State email address
• Numbered pages. Font size 12, single column
• Save the Microsoft Word (.doc or .docx) document with your name in the title. Upload the document into the appropriate Canvas dropbox.
The report should have the following sections. Each section should cover all the topics described below. Place screenshots as indicated. Reference the screen capture in the text you write.
Section I: Hands-on Exercises.
1. In this exercise, you will analyze live packets captured while you use the ping utility to test the reachability of a host. First, you need to identify a host in the network. For this exercise, you can simply choose the instructor's virtual machine as the host (IP: 192.168.0.72).
Next, Log into your virtual machine and start a capture in Wireshark.
Then, open a terminal window (Applications > Accessories > Terminal) and type “ping 192.168.0.72”.
After one minute, stop the Wireshark capture. Answer the following questions:
a. Using the statistics tools provided by Wireshark, determine the number of packets sent and received by each computer (yours and the instructor’s). Include a screenshot which shows where you found your answer. Note that I am not asking you to count packets in the packets pane.
b. Using the statistics tools provided by Wireshark, identify the most common protocol across all of the packets sent and received by your machine. Include a screenshot which shows where you found your answer.
2. Open the evidence03.pcap capture file. Answer the following questions:
a. Open the Conversations tool in Wireshark, and then click the “IPv4” tab. Sort by Packets A->B and determine which A->B conversation has the largest number of packets in this capture (in other words, determine the IP addresses of the two hosts that are sending the most packets to each other). Next, using the “Expression…” button in the filter toolbar, build a Wireshark filter that shows only the packets that comprise that conversation. You can confirm that you have done this successfully by comparing the number of results in the filtered packet list against the number of packets you saw in the Conversations tool. Include a screenshot that shows your filter and (part of) the resulting packet list.
b. Explore the filter tools by right-clicking a packet. Filter the packets using one IP address of your choice. Include a screenshot that shows (part of) the resulting packet list.
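The following Python script is added to this handout as an illustration; it is not part of Wireshark or of the lab files. It reproduces what the Conversations, Endpoints and Protocol Hierarchy tools from the Statistics menu compute, and then writes the display filter the Expression… button would produce for the busiest conversation (exercises 1a, 1b and 2a above). It parses a classic libpcap file directly. The capture it reads is constructed inline from made-up Ethernet/IPv4 frames (a ping exchange, a DNS lookup and some TCP), so it runs offline; the addresses, the counts and the 192.168.0.50 “your machine” address are assumptions, not values from evidence03.pcap. Conversation endpoints are ordered by string comparison here, whereas Wireshark orders them its own way, so A and B may be swapped relative to the GUI.

```python
"""Offline re-implementation of Wireshark's Conversations, Endpoints and
Protocol Hierarchy statistics over a classic libpcap file.
Added example for this lab; not Wireshark code. The pcap is constructed
inline from made-up frames so the script runs without a network."""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic bytes read from a big-endian file
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def ipv4_frame(src, dst, proto, payload=b""):
    """Build a minimal Ethernet + IPv4 frame (constructed test data; the IP
    checksum is left zero, which Wireshark would flag if validation is on)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def build_pcap(frames):
    """Wrap frames in a classic pcap: 24-byte global header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield (src, dst, ip_proto) for each IPv4 packet; skip ARP, IPv6, etc."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        # IPv4 header starts at byte 14: protocol at +9, src at +12, dst at +16
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[23])

def conversations(packets):
    """Statistics > Conversations > IPv4: per unordered host pair, packets
    A->B and B->A. A is the lower address in string order (not Wireshark's order)."""
    table = {}
    for src, dst, _ in packets:
        a, b = sorted((src, dst))
        row = table.setdefault((a, b), {"A->B": 0, "B->A": 0})
        row["A->B" if src == a else "B->A"] += 1
    return table

def endpoints(packets):
    """Statistics > Endpoints > IPv4: packets transmitted and received per host.
    Comparing ip.src with your own address is how you tell sent from received."""
    table = {}
    for src, dst, _ in packets:
        table.setdefault(src, {"tx": 0, "rx": 0})["tx"] += 1
        table.setdefault(dst, {"tx": 0, "rx": 0})["rx"] += 1
    return table

def protocol_hierarchy(packets):
    """Statistics > Protocol Hierarchy, reduced to the percentage of IPv4
    packets carrying each transport protocol."""
    counts = Counter(PROTO_NAMES.get(p, f"proto{p}") for _, _, p in packets)
    total = sum(counts.values())
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}

def top_conversation_filter(packets):
    """Display filter isolating the pair with the most A->B packets, in the
    form the Expression... dialog writes it (exercise 2a)."""
    (a, b), _ = max(conversations(packets).items(), key=lambda kv: kv[1]["A->B"])
    return f"ip.addr == {a} && ip.addr == {b}"

# Constructed capture: 10 echo request/reply pairs to the instructor's VM,
# one DNS query/response, and three TCP segments. Addresses are assumptions.
ME, INSTRUCTOR, DNS = "192.168.0.50", "192.168.0.72", "192.168.0.1"
FRAMES = []
for _ in range(10):
    FRAMES += [ipv4_frame(ME, INSTRUCTOR, 1), ipv4_frame(INSTRUCTOR, ME, 1)]
FRAMES += [ipv4_frame(ME, DNS, 17), ipv4_frame(DNS, ME, 17)]
FRAMES += [ipv4_frame(ME, INSTRUCTOR, 6)] * 3
SAMPLE_PCAP = build_pcap(FRAMES)
PACKETS = list(parse_pcap(SAMPLE_PCAP))

if __name__ == "__main__":
    print("Conversations:", conversations(PACKETS))
    print("Endpoints:", endpoints(PACKETS))
    print("Protocol hierarchy (%):", protocol_hierarchy(PACKETS))
    print("Filter:", top_conversation_filter(PACKETS))
```

To check your own answers, write SAMPLE_PCAP to a file and open it in Wireshark: the Conversations and Endpoints totals must agree with the script, and pasting the printed filter into the filter toolbar must leave exactly the A->B plus B->A packet count of the top conversation in the packet list. A real capture on a switched network would also contain ARP and broadcast frames, which this parser deliberately skips.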
Section II (40 pts): Short Essay Questions.
1. What is the purpose of network analysis?
2. Name at least three troubleshooting tasks that can be performed using network analysis.
3. Why is network analysis considered a security risk by some companies?
4. How can you determine whether your machine sent or received a packet?