Use WireShark to Dive Deep into Your Network Traffic
Having a detailed view of the data packets crossing your network makes it easier to determine its security performance. To that end, WireShark can be of great help. Started by Gerald Combs in 1998, this open-source tool allows you to find out the composition, amount, and latency of network traffic.
It’s the de facto standard across many commercial, governmental, and non-profit organizations. And although users have to be mindful of occasional security vulnerabilities WireShark may create, a range of capabilities and huge community support make this network analyzer one of the best in its class.
Support for multiple protocols and operating systems
WireShark’s strength lies in its rich set of features. It supports over two thousand network protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2. Captured data stored for offline analysis can be browsed via a GUI, or via the TTY-mode TShark utility.
Furthermore, the tool runs on many operating systems, such as Windows, OS X, Linux distros, FreeBSD, OpenBSD, and NetBSD. And whether you’re dealing with tcpdump (libpcap) and Pcap NG or Cisco Secure IDS iplog and Microsoft Network Monitor, WireShark can help as it reads and writes many capture file formats.
Also, it reads live data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other sources. And the output can be exported to XML, PostScript®, CSV, or plain text.
Filters make traffic capture and analysis easier
What makes WireShark a particularly invaluable tool is its filters. Capture filters, for example, enable you to collect only the type of traffic you want. They limit the captured packets by various parameters including traffic to and from the IP address, traffic on the subnet, packets sent to the specified host, traffic on port 53, and others.
Display filters help you focus on the traffic you want to analyze. They narrow down the captured packets by IP addresses, protocols, and other factors. Some analysts even build filters that detect specific attacks, like the Sasser worm.
WireShark adds value in various situations
WireShark is a powerful tool that helps security experts with various issues. It can be used to identify faulty network appliances dropping packets, which requires running two instances of WireShark, one on each side of the faulty appliance.
The tool can also spot latency issues caused by machines routing traffic, and locate applications that are using insecure protocols on your network. WireShark helps experts identify data exfiltration or even hacking attempts against your organization.
Furthermore, it can intercept and analyze encrypted TLS traffic, assuming that you provide it with the keys. Without keys you can still analyze traffic and inspect, for instance, who is sending data to whom, how much data, or how often.
And although WireShark might not be helpful in discovering new problems because of too much noise on the network, it’s effective once you have an alert to zero in. Take, for example, security researchers that were analyzing the Norman cryptominer. They used WireShark to inspect suspicious machines, revealing that the cryptominer was communicating to command and control (C&C) servers using DuckDNS. Researchers could then identify and shut off the IP addresses of the servers and stop the attack.
Avoiding security risks when running the analyzer
Its benefits notwithstanding, running WireShark comes with several risks. The program is implemented in ANSI C, which is vulnerable to security problems such as butter overflows. Also, developers providing code to WireShark have varying levels of experience and background, which makes it more likely that new bugs will creep into the software.
Another consideration is that capturing network traffic often requires administrative (root) access. This can expose your system to bugs that might be found in the huge number of protocol dissectors called when traffic is captured. A successful exploit might take over and compromise your entire system. Also, WireShark is by design always processing untrusted data, so you shouldn’t run it on a security-critical system.
You can avoid this problem by, for example, using a capture tool less affected by security bugs, such as tcpdump or dumpcap. The capture file could then be transferred to the uncritical environment for further analysis with WireShark running with restricted privileges.
Learning WireShark is vital for security experts
WireShark is an invaluable addition to anyone’s security toolbox. It helps experts analyze network traffic and investigate suspicious behavior. This network analyzer is also a great educational tool that allows learners to dive deep into traffic and up their security game.
There are various resources on how to master WireShark, and you can download the analyzer at wireshark.org. RangeForce also covers this software in several training modules. If you’re interested to learn more about this and many other security tools, then sign up for a demo and free trial of our platform here.
Request a demo to see the RangeForce platform in action.