Wireshark is a free open source tool that analyzes network traffic in real-time for Windows, Mac, Unix, and Linux systems. It captures data packets passing through a network interface (such as Ethernet, LAN, or SDRs) and translates that data into valuable information for IT professionals and cybersecurity teams.
Wireshark is a type of packet sniffer (also known as a network protocol analyzer, protocol analyzer, and network analyzer). Packet sniffers intercept network traffic to understand the activity being processed and harvest useful insights.
Wireshark (formerly known as ethereal) offers a series of different display filters to transform each captured packet into a readable format. This allows users to identify the cause of network security issues and even discover potential cybercriminal activity.
When a packet sniffer is used in 'promiscuous mode' users can analyze network traffic regardless of its destination - like a fly on a wall watching office activity. While this empowers IT professionals to perform a quick and thorough diagnosis of network security, in the wrong hands, Wireshark could be used for cyberattack reconnaissance campaigns.
Because you can download Wireshark for free, cybercriminals have liberal access to it, so it's best security practice to assume the software is currently being used with hostile intentions. Luckily, there are some security measures you can implement to protect against network sniffing.
What is Wireshark Used For?
Packet analysis software like Wireshark is used by entities that must remain informed about the state of security of their network, as such, the software is commonly used by governments, schools, and technology businesses.
Common Wireshark use cases include:
- Identify the cause of a slow internet connection
- Investigating lost data packets
- Troubleshooting latency issues
- Detecting malicious network activity
- Identify unauthorized data exfiltration
- Analyzing bandwidth usage
- Tracing voice over Internet (VoIP) calls over the network
- Intercepting Man-in-the-Middle (MITM) attacks
Wireshark makes all of the above use cases possible by rendering and translating traffic into readable formats - saving users the frustrations of having to translate binary information manually. All of this is done in real-time so that detected issues can be rapidly addressed before they develop into a service outage, or worse, a data breach.
How to use Wireshark
Before following a Wireshark tutorial, it's important to understand how networking systems work.
The OSI model (Open Systems Interconnection Model) is a framework that represents how network traffic is transferred and displayed to an end-user. It's comprised of 7 layers
- Application (Layer 7) - Displays the graphical User Interface (UI) - what the end-user sees
- Presentation (Layer 6) - Formats data to achieve effective communication between networked applications
- Session Layer (Layer 5) - Ensures connections between end-points are continuous and uninterrupted.
- Transports Layer (Layer 4) - Proxy servers and firewalls reside on this layer. Ensures error-free data transfer between each endpoint by processing TCP and UDP protocols. At this layer, Wireshark can be used to analyze TCP traffic between two IP addresses
- Network Layer (Layer 3) - Ensures routing data for routers residing on this network are error-free.
- Data Link Layer (Layer 2) - Identifies physical servers through two sub-layers, Media Access Control (MAC), and Logical Link Control (LLC).
- Physical Layer (Layer 1) - Comprised of all the physical hardware that processes network activity
To use correctly use Wireshark, you must be aware of the different proctors being processed at each OSI layer. This will help you decide which layer should be analyzed for each specific diagnostic requirement.
Here's a run-through of the protocols being processed at each OSI layer:
- Application (Layer 7) - SMTP, HTTP, FTP, POP3, SNMP
- Presentation (Layer 6) - MPEG, ASCH, SSL, TLS
- Session Layer (Layer 5) - NetBIOS, SAP
- Transports Layer (Layer 4) - TCP, UDP
- Network Layer (Layer 3) - IPV5, IPV6, ICMP, IPSEC, ARP, MPLS.
- Data Link Layer (Layer 2) - RAPA, PPP, Frame Relay, ATM, Fiber Cable, etc.
- Physical Layer (Layer 1) - RS232, 100BaseTX, ISDN, 11.
Each layer is stacked on top of the other and information flows between each layer during network activity.
Even with just a surface-level understanding of the different functions of each layer, you can perform a high-level assessment of networking issues.
For example, if you're having issues browsing the internet, you can assume that there's likely an error on the Network Layer (layer 3) since it processes router data.
Wireshark can then be used to further investigate such an assumption. It can confirm which layer is failing and the specific protocols that contain errors.
Now that you've established some foundational background knowledge, you will get the most value from the following Wireshark tutorial
If you're struggling to understand any of the above concepts, you will need to develop some essential skills before using Wireshark.
A thorough understanding of each of the following concepts is a prerequisite to using Wireshark. Each item on the list links out to an article offering more information should you wish to fill any essential knowledge gaps.
- Networking basics
- Mechanics of network packets
- Three-way TCP handshakes
- TCP/IP stack
- TCP protocols
- UDP protocols
- DHCP protocols
- ICMP protocols
- How to read and interpret captured packet headers
- How routing works
- How port forwarding works
Additional Wireshark resources
Wireshark offers a wealth of free resources to help you master network analysis with its product.
They can be accessed from the Wireshark website.
How to protect against network sniffing
The probability of an organization suffering a data breach is rising, and from this, we can infer that network sniffing is also on the rise since they facilitate cyberattacks.
The following security controls could prevent network sniffing.
Keep antivirus software updated
Network sniffers are usually delivered through trojans, worms, viruses, and malware. Antivirus software could block such hostile payloads before they have a chance to deploy a sniffing campaign.
To increase the chances of successful protection, it's important to keep antivirus software updated so that it's configured to detect the latest cyber threats.
Encrypt all network data
When network data is encrypted, it's difficult for cybercriminals to glean sensitive information from it in a sniffing campaign.
There are different types of encryption methods available, but for the highest degree of obfuscation, the Advanced Encryption Standards (AES) should be used.
This encryption algorithm is impervious to almost all forms of cyberattacks (except brute force attacks), this is why it's the preferred encryption method of the United States government.
Use a VPN
Virtual Private Networks (VPNs) secure all internal traffic in an encrypted tunnel. They also secure remote connections to sensitive internal networks, so that businesses can maintain a remote workforce without compromising on security.
For the best results, choose a VPN that uses AES encryption and couple it with antivirus software that's always kept updated.
Universal Plug and Play (UPnP) could allow cybercriminals to connect to your router and deploy network sniffing software. These connections could occur autonomously, outside of your control, because that's what UPnP is designed to do
Most new routers come with UPnP already enabled, so you could currently be exposing your network to sniffing attacks without knowing it.
Read this post to learn more about UPnP and how to disable it.
Only interact with secure websites
Protected websites encrypt all of the data that's submitted to them. Submissions occur through any website element that accepts user input. This includes contact forms, login fields, and even payment information fields.
A secure website can be identified in two ways:
- The URL of a secure website begins with HTTPS. The insecure websites don't include an "s", they begin with just HTTP.
- Secure websites display a tiny locked padlock before their URL. Insecure websites display an unlocked padllock
Do not connect to public Wi-Fi
The security of public Wi-Fi can never be confirmed. You can never be certain that they even encrypt their data. Cybercriminals often set up malicious free Wi-Fi hotspots so that they can monitor the activity of connected devices.
DIscovering a Wi-Fi hotspot that doesn't require a password may seem like a life-saver, but their potential security risks greatly outweigh any of the benefits they might offer. Best to avoid all public Wi-Fi hotspots.
Use a third-party attack surface monitoring solution
The chances of network sniffing attacks are high if operating systems and third-party software are not updated with the latest patches. A vendor attack surface monitoring solution will alert you if any of your vendors are exposed through security vulnerabilities, including unpatched software.
Cybercriminals can access your internal network, through a compromised vendor. This is a very real and very dangerous threat. By remediating vendor vulnerabilities before they're exploited by cyber attackers, the chances of your vendors becoming attack vectors for networking sniffing campaigns are diminished.
To investigate how UpGuard could strengthen your entire security posture, click here for a free trial today.