Network Packet Capturing and Analysis with Wireshark

Penetration testing is one of the most robust defenses businesses have against cyberattacks. By simulating attacks in a safe, controlled environment, penetration testers can more easily identify vulnerabilities in an IT environment and fix them before malicious actors can exploit them.

The good news is that penetration testers have no shortage of tools, including Wireshark, a packet-capturing and analysis tool commonly used by network administrators and IT security professionals. So, what is Wireshark, and how is it used in penetration testing? This Wireshark tutorial will cover everything you need to know about using Wireshark.

What Is Wireshark?

To answer the question “What is Wireshark?”, you first must understand the concept of a network packet. Network packets are “chunks” or data units sent between two connected devices on a network using protocols such as TCP/IP. Each packet consists of a header containing metadata about the packet (such as its source and destination) and a payload (the actual content of the packet, such as an email or web page).
Wireshark is a free, open-source software application for capturing and analyzing network packets. Wireshark can help users glean valuable insights about the network’s activity and identify issues or threats by capturing and analyzing these packets.

Wireshark Uses

A great deal of Wireshark’s popularity is due to its flexibility and versatility. The Wireshark tool has many use cases, including:

• Troubleshooting: Network administrators can better understand the goings-on in their IT environment by analyzing the packets captured in Wireshark. This can help diagnose, troubleshoot, and resolve network issues.
• Network analysis: The packets captured by Wireshark are helpful for network monitoring and forensics. For example, Wireshark can detect several common network-based attacks, such as port scanning and attacks using FTP, ICMP, or BitTorrent.
• Software development: Wireshark helps software engineers during the development and testing process. For example, Wireshark can help debug problems related to unexpected network behavior or performance issues.
• Education: The nonprofit Wireshark Foundation supports the development of Wireshark and promotes its use in education programs. Wireshark is a common tool used in penetration testing certifications and training.

Wireshark Features

Wireshark has many valuable features and functionalities, making it an invaluable addition to any IT security professional’s toolkit. The features of Wireshark include the following:

• Live packet capture: With Wireshark, users can capture network packets in real-time, giving up-to-the-minute insights about network activity.
• Detailed analysis: Wireshark provides various details about the header and contents of each packet, letting users filter the traffic they want to view and analyze.
• Support for thousands of protocols: As of writing, Wireshark is compatible with more than 3,000 network protocols, making it useful in a wide variety of applications (Wireshark).
• Multi-platform support: Wireshark is compatible with the Windows, macOS, and Linux operating systems, making it accessible to millions of users interested in networking and IT security.

Using Wireshark in Penetration Testing

Although Wireshark has numerous features and use cases, one of its most popular applications is penetration testing. The ways in which Wireshark is used in penetration testing include:

• Network reconnaissance: Penetration testers can use Wireshark to perform reconnaissance: identifying targets such as ports, devices, and services based on the type and amount of network traffic they exchange.
• Traffic analysis: Wireshark can run scans on network traffic to detect signals of malicious activity, such as unusual payloads or surges in traffic patterns from a particular location.
• Password cracking: Network packets that contain user credentials such as usernames and passwords should use encryption for security. However, penetration testers can attempt to identify and crack these packets to test for vulnerabilities.
• Denial-of-service (DoS) attacks: DoS attacks attempt to prevent legitimate users from accessing a server or resource by flooding it with malicious traffic. IT security professionals can use Wireshark to detect DoS attacks and mitigate them by blocking traffic from specific sources or locations.

Packet Capturing in Wireshark

To get started with Wireshark, users must first define what kind of network packets they wish to capture. Packet capturing in Wireshark involves following the steps below:

1. Select the network interface: First, users must select the proper network interface from which to capture packets. This is likely the name of the wired or wireless network adapter used by the current machine.
2. Configure the capturing options: Wireshark users can select from various options when capturing network packets. Users may configure the type of packets to capture, the number of bytes to capture for each packet, the size of the kernel buffer for packet capture, the file name and capture format, and much more.
3. Start the packet capture: Once the capture is set up, users can start the Wireshark packet capture process. Wireshark will automatically capture all packets sent and received by the current machine and network interface using the provided options.
4. End the packet capture: When the process is complete, users can manually or automatically stop packet capture in Wireshark (e.g., after capturing a specified number of packets). The results will be saved to a file for later analysis.

Analyzing Data Packets in Wireshark

After packet capture is complete, users can also perform network packet analysis with Wireshark. First, users should be aware of the various filters and options available in Wireshark. For example, the Wireshark tool can automatically label different types of traffic with different colors (e.g., packets using TCP/IP with one color or packets containing errors with another).

To analyze data packets in Wireshark, first, open the corresponding file that has been saved after the packet capturing process. Next, users can narrow their search by using Wireshark’s filter options. Below are just a few possibilities for using Wireshark filters:

• Showing only traffic from a particular port.
• Showing only packets that contain a particular byte sequence.
• Showing only traffic to a particular source or from a particular destination.

Users can select a given packet in the Wireshark interface to display more details about that packet. Wireshark’s Packet Details pane contains additional information about the packet’s IP address, header, payload data, and more (Wireshark).

How C|PENT Helps with Wireshark and Penetration Testing

If you are interested in strengthening your skills in penetration testing, then EC-Council’s C|PENT (Certified Penetration Testing Professional) program provides the right combination of theoretical and practical knowledge as well as hands-on modules to begin or further your career as a penetration tester. The C|PENT certification offers extensive training that helps students master penetration testing tools and techniques they need in the real world.

Ready to enhance your penetration testing career? Learn more about the CPENT certification.

References

1. Wireshark. Display Filter Reference. https://www.wireshark.org/docs/dfref/
2. Wireshark. 3.19. The “Packet Details” Pane. https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html

About the Author

David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.