Module 162.1.L1 Introduction To Packet Analysis

Uploaded by fallj366

MODULE 01

WIRESHARK
Introduction to Network Sniffing

Module 01 Objectives:

❑ Introduction to Network Sniffing
❑ Introduction to Wireshark.
❑ Usage of Wireshark.
❑ Features and Benefits of Wireshark.
❑ Capturing Packets with Wireshark.
❑ Saving Captured Packets.

Network Sniffing

Source: Ethical Hacking - What is Network Sniffing? [Video]. YouTube https://www.youtube.com/watch?v=gXTuTfOoFjg
Network Sniffing
The term "Network Sniffing" refers to the practice of eavesdropping on data transmissions over an
online network by using a program designed for this purpose. The software instrument is a standalone
computer program or a piece of hardware preloaded with the necessary software or firmware.

In an eavesdropping attack, the hacker monitors communication between two devices, and either
deletes or alters the data.

[Figure: a SNIFFER positioned between SENDER and RECEIVER]
Packet Sniffer
❖ Packet Sniffers (Network Sniffer, Network Analyzer, Packet Analyzer) are software or utilities that
examine data packets as they go through the network.
❖ These tools "sniff" network traffic in real time and monitor the data, which may then be analyzed
to assess and diagnose performance issues inside servers, networks, hubs, and applications.
❖ A Packet Sniffer intercepts network communication and allows the user to analyze the data
contained inside it.

[Figure: Deep Packet Inspection Tool - Analysis Software | SolarWinds]

Wireshark
What a Packet Sniffer Can Do for You

1- Traffic Analysis
❖ IT teams can categorize data depending on target server IP addresses, ports, traffic volume, and
more.
❖ This analysis distinguishes critical traffic (VOIP, etc.) from non-business traffic (social media,
unauthorized messengers, etc.).
❖ What’s more, IT admins can filter and mark suspicious content.

Voice over Internet Protocol (VoIP) transmits voice and multimedia via the internet. VoIP facilitates
voice calls via a computer, smartphone, or other mobile devices.

2- Network Problem Analysis
Ensuring that all applications and servers execute without bottlenecks is demanding. It can be
difficult to determine which network or application component caused the slowdown. Network
administrators monitor their network for maintenance and optimization. With Packet Sniffers, they can
immediately detect the delay-causing components.

3- Performance
IT teams use Packet Capture (PCAP) to measure network response times and delays. It helps determine a
packet’s send-to-receive time. In addition, IT can recognize congested links, detect apps with high
usage, and take corrective action. Teams may collect access point and wireless controller performance
information, correlate network data, and minimize network downtime with packet sniffers.

PCAP FILES: These files include network packet data for analyzing network properties.

4- Bandwidth Management
❖ Slow or intermittent networks can hurt business productivity and cause losses. Advanced network
monitoring solutions use packet sniffing to analyze network traffic to avoid such difficulties.
❖ Packet Sniffers prevent internal and external network misuse.
❖ IT teams can simply discover traffic flow, WAN bandwidth utilization, and abnormal network usage.
Introduction to Network Sniffing
Wireshark
❖ Wireshark is a network protocol analyzer
or application that captures packets from
a network connection such as from your
computer to your home office or the
internet.
❖ Packet is the name given to a discrete
unit of data in a typical Ethernet
network.
❖ Wireshark is the most often-used packet
sniffer in the world.
What Does Wireshark do?
Wireshark does three things:
1. Packet Capture: Wireshark listens to a
network connection in real time, and then
grabs entire streams of traffic – quite possibly
tens of thousands of packets at a time.
2. Filtering: Wireshark is capable of slicing and
dicing all of the random live data using filters.
By applying a filter, you can obtain just the
information you need to see.
3. Visualization: Wireshark, like any good packet
sniffer, allows you to dive right into the very
middle of a network packet. It also allows you
to visualize entire conversations and network
streams.
Wireshark Features and Benefits
❖ Available for UNIX and Windows.
❖ Captures live packet data from a network interface.
❖ Opens files containing packet data captured with tcpdump/WinDump, Wireshark, and many other
packet capture programs.
❖ Imports packets from text files containing hex dumps of packet data.
❖ Displays packets with very detailed protocol information.
❖ Saves packet data captured.
❖ Exports some or all packets in a number of capture file formats.
❖ Filters packets on many criteria.
❖ Searches for packets on many criteria.
❖ Colorizes packet display based on filters.
❖ Creates various statistics.

tcpdump is a data-network packet analyzer computer program that runs under a command line
interface. WinDump is the Windows version of tcpdump.
When Should Wireshark be Used?
❖ Wireshark is a safe tool used by government agencies, educational institutions, corporations,
small businesses, and nonprofit organizations alike to troubleshoot network issues.
❖ Wireshark can also be used as a learning tool. When a problem occurs in network communication,
Wireshark can be used to figure out what went wrong, and why.
Installing Wireshark on Windows
Source: Wireshark Install for MacOS [Video]. YouTube https://www.youtube.com/watch?v=FndUL-dhgtQ

Installing Wireshark on MAC
Source: Wireshark Install for MacOS [Video]. YouTube https://www.youtube.com/watch?v=jYDDFjp_4aM

Installing Wireshark on Linux
Source: How to Install Wireshark on Ubuntu 22 04 LTS [Video]. YouTube https://www.youtube.com/watch?v=xzCVrooqSZU
Wireshark Capture Files
To understand what information will remain available after the captured packets are saved to a
capture file, it is helpful to know a bit about the capture file contents.
❖ Wireshark uses the pcapng file format as the default format to save captured packets. It is very
flexible but other tools may not support it.
❖ Wireshark also supports the libpcap file format. This is a much simpler format and is well
established. However, it has some drawbacks:
  ○ It is not extensible.
  ○ It lacks some information that would be really helpful (e.g., being able to add a comment to a
packet such as “the problems start here”).

What is a PCAPNG file?
PCAP Next Generation is a standard format for storing captured data that includes a "dump" of data
packets recorded across a network. Each PCAPNG file consists of many blocks of data containing
various sorts of information.

What is a libpcap file?
The libpcap file format is the main capture file format used in TcpDump / WinDump, snort, and many
other networking tools. It is fully supported by Wireshark/TShark, but they now generate pcapng files
by default.
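The libpcap layout this section contrasts with pcapng is small enough to build and parse by hand: a fixed global header carrying the snapshot length and link type, then one record per packet with its timestamp, captured length and original length. The following is an added example written for this page, not libpcap's or Wireshark's own code. It assumes the classic libpcap layout with microsecond timestamps (magic 0xa1b2c3d4, with the nanosecond variant 0xa1b23c4d recognised as well) and LINKTYPE_ETHERNET = 1; the frames are constructed. It also shows why a plain libpcap reader cannot open a pcapng file: the first four bytes of pcapng are the Section Header Block type 0x0a0d0d0a, which is not a libpcap magic number.

```python
"""Added example for this page (not libpcap's or Wireshark's code): build a
minimal libpcap capture in memory, parse it back, and tell pcapng apart by
its first block. Assumes the classic layout with microsecond timestamps
(magic 0xa1b2c3d4) and LINKTYPE_ETHERNET = 1; all frames are constructed."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4     # microsecond timestamps, written in native byte order
PCAP_MAGIC_NSEC = 0xA1B23C4D     # nanosecond-timestamp variant of the same layout
PCAPNG_SHB_TYPE = 0x0A0D0D0A     # pcapng Section Header Block type; not a libpcap magic
LINKTYPE_ETHERNET = 1


def swap32(x):
    """Byte-swap a 32-bit value (the magic as seen from the other endianness)."""
    return int.from_bytes(x.to_bytes(4, "little"), "big")


def detect_format(blob):
    """Classify a capture by its first four bytes: 'pcap', 'pcapng' or 'unknown'."""
    if len(blob) < 4:
        return "unknown"
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC,
                 swap32(PCAP_MAGIC_USEC), swap32(PCAP_MAGIC_NSEC)):
        return "pcap"
    if magic == PCAPNG_SHB_TYPE:
        return "pcapng"
    return "unknown"


def write_pcap(frames, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, data) frames as a little-endian libpcap file.
    Data beyond snaplen is cut off, as a capture with that snapshot length
    would do, while orig_len still records the length seen on the wire."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in frames:
        captured = data[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data))
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse libpcap bytes into (global header dict, list of packet records)."""
    kind = detect_format(blob)
    if kind != "pcap":
        raise ValueError(f"not a libpcap file ({kind})")
    if len(blob) < 24:
        raise ValueError("too short for a libpcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    endian = "<" if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC) else ">"
    native_magic = magic if endian == "<" else swap32(magic)
    ts_divisor = 1e9 if native_magic == PCAP_MAGIC_NSEC else 1e6
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("file ends in the middle of a packet record")
        off += caplen
        records.append({"ts": ts_sec + ts_frac / ts_divisor, "caplen": caplen,
                        "len": origlen, "data": data, "truncated": caplen < origlen})
    return header, records


def demo():
    """Constructed frames: a 60-byte frame and a 1500-byte frame captured with
    a 96-byte snaplen, so the second record is truncated on disk."""
    frames = [(1_700_000_000, 250_000, b"\x00" * 60),
              (1_700_000_001, 0, b"\x11" * 1500)]
    return read_pcap(write_pcap(frames, snaplen=96))


if __name__ == "__main__":
    header, records = demo()
    print(header)
    for r in records:
        print(f"ts={r['ts']:.6f} caplen={r['caplen']} len={r['len']} truncated={r['truncated']}")
```

Running the file prints the two records; the second has caplen 96 against a wire length of 1500, which is exactly what the Snaplen setting on the capture Input tab controls and what any reader must respect before trying to reassemble a payload. A pcapng reader would instead start by walking blocks (block type, block length, body) rather than a single fixed header.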
How to Capture Packets Using Wireshark
Once you have installed Wireshark, you can start grabbing network traffic. But remember: To capture
any packets, you need to have proper permissions on your computer to put Wireshark into promiscuous
mode.
❖ In Windows 10, search for Wireshark and select Run as administrator.
❖ In macOS, right-click the app icon and select Get Info. In the Sharing & Permissions settings, give
the admin Read & Write privileges.
❖ In a Linux system, it usually means that you have root access.
How to Capture Packets Using Wireshark
❖ As long as you have the right permissions, you have several options to actually start the capture.
❖ Perhaps the best is to select Capture >> Options from the main window. This will bring up the
Capture Interfaces window. This window will list all of the available interfaces. In this case,
Wireshark provides several to choose from.

We will use the Ethernet 3 interface, which is the busiest. Wireshark displays network traffic as a
moving line that represents packets on the network.

Once the network interface is selected, you simply click the Start button to begin your capture. As
the capture begins, it is possible to view the packets that appear on the screen.

Once you have captured all of the packets that you want, simply click the red square button at the
top, or press Ctrl+E. Now you have a static packet capture to investigate.

[Figure: Wireshark capturing packets]
Input Tab: Interface Table shows the following:
❑ Interface: The interface name.
❑ Traffic: A sparkline showing network activity.
❑ Link-layer Header: The type of packet captured by this interface.
❑ Promiscuous: Lets you put this interface in promiscuous mode while capturing packets.
❑ Snaplen: The snapshot length or the number of bytes to capture for each packet.
❑ Buffer: The size of the kernel buffer that is reserved for capturing packets.
❑ Monitor Mode: Lets you capture full, raw 802.11 headers. Support depends on the interface type,
hardware, driver, and OS.
❑ Capture Filter: The capture filter applied to this interface.
Output Tab shows the following:
❑ File: This field allows you to specify the file name and location that will be used for the
capture file.
❑ Output Format: Allows you to set the format of the capture file. pcapng is the default and is more
flexible than pcap.
❑ Create a new file automatically…: Sets the conditions for switching to a new capture file based on:
  ❑ The number of packets in the capture file.
  ❑ The size of the capture file.
  ❑ The duration of the capture file.
  ❑ The wall clock time.
❑ Use a ring buffer with: Multiple files only. Form a ring buffer of the capture files with the given
number of files.
Main Window
❑ The Menu
❑ Main Toolbar
❑ The “Filter” Toolbar
❑ The “Packet List” Pane
❑ The “Packet Details” Pane
❑ The “Packet Bytes (Hexadecimal)” Pane
Options Tab shows the following:
Name Resolution
❑ Resolve MAC addresses: Translate MAC addresses into names.
❑ Resolve network names: Translate network addresses into names.
❑ Resolve transport names: Translate transport names (port numbers).

Display options:
❑ Update list of packets in real-time: If you do not enable this, Wireshark will not display any
packets until you stop the capture.
❑ Automatically scroll during live capture: Scroll the packet list pane as new packets come in so
that you are always looking at the most recent packet.
❑ Show capture information during capture: If this option is enabled, the capture information dialog
(“While a Capture is running”) will be shown while packets are captured.

Stop capture automatically after…
Capturing can be stopped based on the following conditions:
❑ The number of packets in the capture file.
❑ The number of capture files.
❑ The capture file size.
❑ The capture file duration.
The “Packet List” Pane

❑ Each line in the packet list corresponds to one packet in the capture file. If you
select a line in this pane, more details will be displayed in the “Packet Details” and
“Packet Bytes” panes.
❑ While dissecting a packet, Wireshark will place information from the protocol
dissectors into the columns. As higher-level protocols might overwrite information
from lower levels, you will typically see the information from the highest possible
level only.
Wireshark's Default Columns:

❑ No.: The number of the packet in the capture file. This number will not change, even if a
display filter is used.
❑ Time: The timestamp of the packet. The presentation format of this timestamp can be
changed.
❑ Source: The address where this packet is coming from.
❑ Destination: The address where this packet is going to.
❑ Protocol: The protocol name in a short (perhaps abbreviated) version.
❑ Length: The length of each packet.
❑ Info: Additional information about the packet content.
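The default columns above, and the note that a higher-level protocol overwrites what lower levels put in them, can be reproduced by dissecting a frame layer by layer and letting each layer overwrite the summary fields; the same row data is then what a display filter (the Filtering feature described earlier in the module) selects from. The following is an added example written for this page, not Wireshark's dissector code. It builds three constructed frames (an ARP request, a TCP SYN to port 443, and a TCP segment carrying an HTTP request), renders them as Packet List rows, and applies a minimal `field == value` display filter. The HTTP heuristic (destination port 80 plus a request method), the field names such as `tcp.dstport`, and the zero checksums are simplifications chosen for the example; checksums are not validated.

```python
"""Added example for this page (not Wireshark's own dissectors): turn raw
Ethernet frames into the Packet List columns and filter them. Handles
Ethernet II, ARP, IPv4 and TCP plus a one-line HTTP request heuristic;
checksums are left zero in the constructed frames and are not validated."""
import struct
from ipaddress import IPv4Address

# ascending bit order gives Wireshark's flag order, e.g. "[PSH, ACK]"
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def dissect(frame):
    """Return the fields of one frame. Each layer overwrites the summary keys
    (proto/src/dst/info), so the columns show the highest dissected layer only."""
    f = {"proto": "Ethernet", "src": mac(frame[6:12]), "dst": mac(frame[0:6]), "info": "",
         "len": len(frame), "eth.type": struct.unpack("!H", frame[12:14])[0]}
    p = frame[14:]
    if f["eth.type"] == 0x0806 and len(p) >= 28:                 # ARP
        op = struct.unpack("!H", p[6:8])[0]
        spa, tpa = IPv4Address(p[14:18]), IPv4Address(p[24:28])
        f["proto"], f["arp.opcode"] = "ARP", op
        f["info"] = f"Who has {tpa}? Tell {spa}" if op == 1 else f"{spa} is at {mac(p[8:14])}"
    elif f["eth.type"] == 0x0800 and len(p) >= 20:               # IPv4
        ihl = (p[0] & 0x0F) * 4
        f.update(proto="IPv4", src=str(IPv4Address(p[12:16])), dst=str(IPv4Address(p[16:20])))
        f["ip.proto"] = p[9]
        t = p[ihl:]
        if f["ip.proto"] == 6 and len(t) >= 20:                   # TCP
            sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", t[:16])
            flags = off_flags & 0x1FF
            names = ", ".join(n for bit, n in TCP_FLAG_NAMES if flags & bit)
            f.update(proto="TCP", **{"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags})
            f["info"] = f"{sport} → {dport} [{names}] Seq={seq} Ack={ack} Win={win}"
            payload = t[(off_flags >> 12) * 4:]
            first = payload.split(b"\r\n", 1)[0]
            if dport == 80 and first.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):   # HTTP heuristic
                f.update(proto="HTTP", info=first.decode("ascii", "replace"))
    return f


def packet_list(frames):
    """Build the Packet List rows; Time is seconds since the first frame, the
    default presentation. No. is assigned once and never renumbered."""
    t0 = frames[0][0]
    rows = []
    for no, (ts, frame) in enumerate(frames, start=1):
        f = dissect(frame)
        rows.append({"No.": no, "Time": round(ts - t0, 6), "Source": f["src"],
                     "Destination": f["dst"], "Protocol": f["proto"], "Length": f["len"],
                     "Info": f["info"], "_fields": f})
    return rows


def display_filter(rows, field, value):
    """Minimal 'field == value' display filter over dissected rows."""
    return [r for r in rows if r["_fields"].get(field) == value]


# ---- constructed sample frames (not from a real capture) ----
HOST, GW = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")


def ipv4_tcp(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; IP and TCP checksums are left zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return GW + HOST + b"\x08\x00" + ip + tcp


ARP_REQUEST = (b"\xff" * 6 + HOST + b"\x08\x06" +
               struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, HOST,
                           IPv4Address("192.168.1.10").packed, b"\x00" * 6,
                           IPv4Address("192.168.1.1").packed))

FRAMES = [  # (timestamp, frame) pairs
    (1700000000.000000, ARP_REQUEST),
    (1700000000.001500, ipv4_tcp("192.168.1.10", "93.184.216.34", 51000, 443, 0x02, seq=1000)),
    (1700000000.250000, ipv4_tcp("192.168.1.10", "93.184.216.34", 51002, 80, 0x18, seq=1, ack=1,
                                 payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
]

if __name__ == "__main__":
    for r in packet_list(FRAMES):
        print(f"{r['No.']:>3} {r['Time']:<9} {r['Source']:<18} {r['Destination']:<18} "
              f"{r['Protocol']:<8} {r['Length']:>5}  {r['Info']}")
```

Running the file prints three rows whose Protocol column reads ARP, TCP and HTTP although every frame is also Ethernet, and the second and third are also IPv4: each layer's dissector replaces the summary, which is the behaviour described above. Because the rows keep their original No., `display_filter(rows, "tcp.dstport", 443)` returns packet 2 without renumbering, matching the note that a display filter never changes the packet number.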
The “Packet Details” Pane

❑ The packet details pane gives in-depth information about a packet selected in the packet list pane.
❑ The information is displayed per OSI layer and can be expanded and collapsed.
What Color Coding Means in Wireshark
❖ Wireshark tries to help you identify packet types by applying common-sense color coding.
❖ The default coloring scheme is shown in the picture below.
❖ You can view this by going to: View >> Coloring Rules.

[Figure: Wireshark color coding / Change Wireshark Color Code]

Source: Mastering Wireshark 2.6: Colouring Rules to Highlight Potential Performance | packtpub.com
[Video]. YouTube https://www.youtube.com/watch?v=FRoXrm9ywyc
Saving Captured Packets
You can save captured packets by using the menu items. You can choose which packets to save and
which file format to be used, or you can choose an Export option to record the capture.

Saving Captured File As Dialog Box
The “Save Capture File As” dialog box allows you to save the current capture to a file. The exact
appearance of this dialog box depends on your system. However, the functionality is the same across
systems.

Output File Formats
Wireshark can save the packet data in its native file format (pcapng) and in the file formats of
other protocol analyzers so that other tools can read the capture data.

Saving in a different format might lose data: Saving your file in a different format might cause you
to lose information such as comments, name resolution, and time-stamp resolution.

The following file formats can be saved by Wireshark (with the known file extensions):
❑ pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later
save files as pcapng by default. Versions prior to 1.8 used libpcap.
❑ pcap (*.pcap). The default format used by the libpcap packet capture library. Used by tcpdump,
Snort, Nmap, Ntop, and many other tools.
❑ Accellent 5Views (*.5vw)
❑ captures from HP-UX nettl (*.trc0, *.trc1)
❑ Microsoft Network Monitor - NetMon (*.cap)
❑ Network Associates Sniffer – DOS (*.cap, *.enc, *.trc, *.fdc, *.svc)
❑ Cinco Networks NetXray captures (*.cap)
❑ Network Associates Sniffer - Windows (*.cap)
❑ Network Instruments/Viavi Observer (*.bfr)
❑ Novell LANalyzer (*.tr1)
❑ Oracle (previously Sun) snoop (*.snoop, *.cap)
❑ Visual Networks Visual UpTime traffic (*.*)
❑ Symbian OS btsnoop captures (*.log)
❑ Tamosoft CommView captures (*.ncf)
❑ Catapult (now Ixia/Keysight) DCT2000 .out files (*.out)
❑ Endace Measurement Systems’ ERF format capture (*.erf)
❑ EyeSDN USB S0 traces (*.trc)
❑ Tektronix K12 text file format captures (*.txt)
❑ Tektronix K12xx 32bit .rf5 format captures (*.rf5)
❑ Android Logcat binary logs (*.logcat)
❑ Android Logcat text logs (*.*)
❑ Citrix NetScaler Trace files (*.cap)
How to Save Capture Packets in Wireshark
Source: How to Capture Packets in Wireshark [Video]. YouTube https://www.youtube.com/watch?v=C9Z2aXDVPzo

Capture Network Traffic Using Wireshark
Source: Learn Wireshark in 10 minutes - Wireshark Tutorial for Beginners [Video]. YouTube https://www.youtube.com/watch?v=lb1Dw0elw0Q

How Hackers Sniff - MiTM Attack
Source: How Hackers SNiFF (capture) network traffic // MiTM attack [Video]. YouTube https://www.youtube.com/watch?v=-rSqbgI7oZM
Summary
In this module, we discussed:

● The term "Network Sniffing," which refers to the practice of eavesdropping on data transmissions
over an online network by using a program designed for this purpose.
● Wireshark, which is a network protocol analyzer or application that captures packets from a
network connection, such as from your computer to your home office or the internet.
● Wireshark’s three main features: Packet Capture, Packet Filtering, and Data Visualization.
● PCAP Next Generation, which is a standard format for storing captured data that includes a "dump"
of data packets recorded across a network. Each PCAPNG file consists of many blocks of data
containing various sorts of information.
Introduction to Network Sniffing
CASE STUDY
You are a tier 1 cyber analyst. The organization shifted to a remote work environment due to the
pandemic. All staff are in the office while clients are encouraged to connect with the team through
Zoom. The business solutions team approached you to ask if there is an attack on the network, as the
whole department is experiencing issues with the Internet. Over the past few days, Internet
applications have been slow to respond.

After some investigation, you found that this is a company-wide issue; many departments have
experienced similar situations in the last two days.

● What are at least two reasons that might cause the network to be slow in responding?
● What steps can be taken to find the problem?
● What steps can be taken to mitigate the issue and provide a quality Internet experience?
