Wireshark

Hello GreenHackerz readers...
This article is about a tool known as Wireshark, which is used for analysing network traffic.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.


Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.


Functionality: 
Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark allows the user to put the network interfaces that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses. On Linux, BSD, and Mac OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put Wi-Fi adapters into monitor mode.

Features:
Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.
  • Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
  • Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
  • Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.
  • VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
  • Raw USB traffic can be captured with Wireshark. This feature is currently available only under Linux.
Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analysers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.

Security:
Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/TShark often ran with superuser privileges. Taking into account the huge number of protocol dissectors that are called when traffic is captured, this can pose a serious security risk given the possibility of a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts about its future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.
Elevated privileges are not needed for all of the operations. For example, an alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.
As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges: neither Wireshark nor TShark need to run with special privileges, and neither of them should be run with special privileges.

Obtain appropriate Wireshark package
Obtain a Wireshark package or installer for the operating system running on the system which is to be used for packet capture.
Wireshark is included in Novell's SUSE Linux products (for some products, under its old name, Ethereal). For other platforms, download a binary or installer from http://www.wireshark.org. With installers, ensure all product components are selected for installation.

Start Wireshark:
Start Wireshark. On a Linux or Unix environment, select the Wireshark or Ethereal entry in the desktop environment's menu, or run "wireshark" (or "ethereal") from a root shell in a terminal emulator. In a Microsoft Windows environment, launch wireshark.exe from C:\Program Files\Wireshark.

Note: On Unix systems, a non-GUI version of Wireshark called "tshark" (or "tethereal") may be available as well, but its use is beyond the scope of this document.

Configure Wireshark:
After starting Wireshark, do the following:

1. Select Capture | Interfaces
2. Select the interface on which packets need to be captured.
3. If capture options need to be configured, click the Options button for the chosen interface. Note the following recommendations for traces that are to be analysed by Novell Technical Services.
  • Capture packet in promiscuous mode: This option allows the adapter to capture all traffic, not just traffic destined for this workstation. It should be enabled.
  • Limit each packet to: Leave this option unset. Novell Support will always want to see full frames.
  • Filters: Generally, Novell Support prefers an unfiltered trace. For documentation on filters, please refer to TID 10084702 - How to configure a capture filter for Ethereal (formerly NOVL90720).
  • Capture file(s): This allows a file to be specified to be used for the packet capture. By default Wireshark will use temporary files and memory to capture traffic. Specify a file for reliability.
  • Use multiple files, Ring buffer with: These options should be used when Wireshark needs to be left running capturing data for a long period of time. The number of files is configurable. When a file fills up, it will wrap to the next file. The file name should be specified if the ring buffer is to be used.
  • Stop capture after xxx packet(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
  • Stop capture after xxx kilobyte(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
  • Stop capture after xxx second(s): Novell Technical Support would most likely never use this option. Leave disabled.
  • Update list of packets in real time: Disable this option if the problem that's being investigated is occurring on the same workstation as where Wireshark is running.
  • Automatic scrolling in live capture: Wireshark will scroll the window so that the most current packet is displayed.
  • Hide capture info dialog: Disable this option so that you can view the count of packets being captured for each protocol.
  • Enable MAC name resolution: Wireshark contains a table to resolve MAC addresses to vendors. Leave enabled.
  • Enable network name resolution: Wireshark will issue DNS queries to resolve IP host names. It will also attempt to resolve network names for other protocols. Leave disabled.
  • Enable transport name resolution: Wireshark will attempt to resolve transport names. Leave disabled.
4. Now click the Start button to start the capture.
5. Recreate the problem. The capture dialog should show the number of packets increasing. If not, then stop the capture. Examine the interface list and pick the one that is not associated with the WANIP. It will probably be a long alpha-numeric string. If packets are still not being captured, try removing any filters that have been defined.
6. Once the problem which is to be analysed has been reproduced, click on Stop. It might take a few seconds for Wireshark to display the packets captured.

If the destination address is always displayed as FFFFFFFF (IPX) or always ends in .255 (IP) then all that has been captured is broadcast traffic. This is a useless trace.
This usually occurs when another machine is being traced (to start the trace while the target machine is powered off, in order to capture the bootup process). The capture setup needs to be reconsidered: port mirroring on the switch may need to be set up, or a dumb hub may need to be used to make the traffic reach the sniffing system. (Some devices advertised as "hubs" are in fact switches that may have the intelligence to prevent the workstations from seeing each other's packets; with these, getting a good trace may not be possible.)
The Wireshark website has a good FAQ on this subject. Please refer to http://www.wireshark.org/faq.html#q7.1

7. Save the packet trace in any supported format. Just click on the File menu option and select Save As. By default Wireshark will save the packet trace in libpcap format. This is a filename with a .pcap extension. Use this default for files sent to Novell.
8. Create a trace_info.txt file with the IP and MAC addresses of the machines that are being traced as well as any pertinent information, such as:
  • What is the problem? (when did it start? steps to reproduce? any other pertinent information)
  • What steps were traced?
  • Give names of the servers and files being accessed.
  • If analysis of the trace has already been attempted, please provide Novell Support with analysis notes.
      For example: Packets 1-30 are boot. Packets 31-500 are login. Packets 501 to 1,000 are my application 
      loading. Packets 1,001 to 1,500 are me saving my file. The error occurred at approximately packet 1,480.
  • Give the MAC addresses of the hardware involved (workstations, servers, printers, ...).
  • What is the workstation OS and configuration?
  • What version of client software is running?
  • If it works with one version of the client (or a particular server patch), then get a trace of it working, and a trace of it not working.
  • For Novell Client issues: Are there any client patches loaded?
  • For NetWare servers: What version of NetWare (and other relevant products, e.g. ZEN or NDPS) is running on the server?
  • What patches have been applied?
  • What is the configuration of the network? Are there routers involved? If so, what kind of routers?
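The note after step 6 says a trace whose destinations are all broadcast is useless, and the Features section says Wireshark's native file format is libpcap. As an added example (not code from the original post or from the Wireshark project), here is a small Python reader for the classic little-endian libpcap format that applies that broadcast-only check to constructed sample traces; the frames, MAC addresses and IP addresses are made up, and only Ethernet/IPv4 is decoded.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, little-endian writer
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6

def read_pcap(data: bytes):
    """Yield raw frames from a classic libpcap file: 24-byte global header
    followed by records with a 16-byte header (ts_sec, ts_usec, incl_len, orig_len)."""
    magic, _vmaj, _vmin, _zone, _sigfigs, _snaplen, network = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    if network != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def is_broadcast(frame: bytes) -> bool:
    """The page's rule of thumb: Ethernet broadcast destination, or an IPv4
    destination whose last octet is 255 (IPv4 dst is bytes 30..33 of the frame)."""
    if len(frame) < 14:
        return False
    if frame[:6] == BROADCAST_MAC:
        return True
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[33] == 255

def broadcast_ratio(data: bytes) -> float:
    """Fraction of frames that are broadcast; 1.0 means only broadcast traffic was seen."""
    frames = list(read_pcap(data))
    return sum(map(is_broadcast, frames)) / len(frames) if frames else 0.0

# Constructed sample traces (not real captures): a minimal IPv4/UDP header on Ethernet.
def ipv4_frame(dst_mac: bytes, dst_ip: bytes) -> bytes:
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes([10, 0, 0, 5]) + dst_ip
    return dst_mac + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IPV4) + ip

def make_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

BROADCAST_ONLY = make_pcap([ipv4_frame(BROADCAST_MAC, bytes([10, 0, 0, 255]))] * 3)
MIXED = make_pcap([ipv4_frame(BROADCAST_MAC, bytes([10, 0, 0, 255])),
                   ipv4_frame(bytes.fromhex("00aabbccddee"), bytes([10, 0, 0, 7]))])
```

Run `broadcast_ratio(open("trace.pcap", "rb").read())` on a saved capture; a result of 1.0 is the symptom the note describes and means the capture setup (port mirroring or hub) needs to be revisited.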
To download Wireshark, you can get it directly from the Wireshark website. The link is given below:

Hope this gives you ample information and that you like it.