Network Security
CHAPTER 08

Wireshark and Packet Analysis

Updated: May 15, 2026


1. Introduction

Logs tell you *that* a door was opened. Packet analysis tells you exactly *who* opened it, what they were wearing, and what they carried out. When an intrusion is detected, or when network traffic behaves inexplicably, network engineers and security analysts must look at the raw data traveling over the wire. This is done via Packet Sniffing. In this chapter, we will introduce Wireshark, the industry-standard network protocol analyzer, and learn how to capture, filter, and dissect network packets to identify malicious activity and unencrypted secrets.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define Packet Sniffing and its role in digital forensics.
  • Understand the concept of Promiscuous Mode.
  • Navigate the basic Wireshark interface.
  • Apply Display Filters to isolate specific network traffic.
  • Analyze an unencrypted HTTP packet to extract sensitive data.

3. Beginner-Friendly Explanation

Imagine a network cable as a clear plastic tube carrying thousands of tiny envelopes (packets) every second.
  • Normally, your computer's network card only reaches into the tube to grab envelopes with its specific name on them. It ignores everything else.
  • Packet Sniffing: You put your network card into "Promiscuous Mode." Now, it acts like a high-speed camera, taking a photograph of *every single envelope* that flies through the tube, regardless of who it belongs to.
  • Wireshark is the software that organizes these millions of photographs, allowing you to pause time, filter the envelopes by color or destination, and rip them open to read the letters inside.

4. The Wireshark Interface

When you launch Wireshark and start a capture on your network interface (e.g., Wi-Fi or Ethernet), the screen fills with data rapidly. The interface is divided into three main panes:
  1. Packet List Pane (Top): A chronological list of every packet captured. Shows the Time, Source IP, Destination IP, Protocol (TCP, DNS, HTTP), and a brief info summary.
  2. Packet Details Pane (Middle): Select a packet in the top pane, and this pane breaks it down layer by layer, following the OSI model (Data Link, Network, Transport, Application).
  3. Packet Bytes Pane (Bottom): Shows the raw hexadecimal and ASCII data. This is what the computer actually sees.

5. The Power of Display Filters

You might capture 50,000 packets in one minute. Finding a hacker's commands in that mess is impossible without filters. Essential Wireshark Display Filters:
  • http: Shows only unencrypted web traffic.
  • dns: Shows only domain name lookups (useful for seeing what websites someone is visiting).
  • ip.addr == 192.168.1.50: Shows only traffic sent to or from that specific IP address.
  • tcp.port == 22: Shows only traffic with TCP port 22 as source or destination, the default port for SSH (secure remote login).

6. Mini Project: Capture and Analyze Network Packets

Let's use Wireshark to prove why unencrypted websites are a massive security risk.

Step-by-Step Walkthrough: *(Assumption: You have Wireshark installed on your computer or a lab VM).*

  1. Start Capture: Open Wireshark, double-click your active network connection (e.g., Wi-Fi). You will see packets flowing.
  2. Generate Traffic: Open a browser and go to a deliberately unencrypted, safe testing site: http://testphp.vulnweb.com/login.php.
  3. Log In: Type the username AdminBob and the password SuperSecretPassword and click Login.
  4. Stop Capture: Go back to Wireshark and click the red square (Stop) button in the top left.
  5. Filter: Type http.request.method == POST into the green filter bar and press Enter.
  6. Analyze: You will see a packet destined for login.php. Right-click that packet, select Follow -> HTTP Stream.
  7. The Reveal: A new window opens showing the exact conversation between your browser and the server. You will clearly see uname=AdminBob&pass=SuperSecretPassword in plain, readable text.
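To show what Wireshark does behind the filter bar (section 5) and the Follow -> HTTP Stream window (section 6), here is an added Python example that is not part of this chapter or of Wireshark itself: it dissects a small constructed capture layer by layer, implements the chapter's display filters as plain functions, and decodes the POST body. The IP addresses, ports and the example.test host are made up; the credentials are the chapter's own test values.

```python
import socket
import struct
from urllib.parse import parse_qs

def build_frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload  # checksums left zero; not needed to dissect

# Constructed stand-in for the mini project's PCAP: a GET, the credential POST, one SSH frame.
POST_BODY = b"uname=AdminBob&pass=SuperSecretPassword"
CAPTURE = [
    build_frame("192.168.1.50", "203.0.113.10", 51000, 80, b"GET /login.php HTTP/1.1\r\n\r\n"),
    build_frame("192.168.1.50", "203.0.113.10", 51000, 80,
                b"POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: %d\r\n\r\n" % len(POST_BODY) + POST_BODY),
    build_frame("192.168.1.50", "203.0.113.20", 51001, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

def dissect(frame):
    """Split a frame into the layers the Packet Details pane shows."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType must be IPv4
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4      # 14-byte Ethernet header + IHL words
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4  # TCP header length in 32-bit words
    return {"ip.src": socket.inet_ntoa(frame[26:30]),
            "ip.dst": socket.inet_ntoa(frame[30:34]),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.payload": frame[tcp_off + data_off:]}

# Each function is the logic behind one display filter used in this chapter.
def ip_addr(pkt, addr):                # ip.addr == addr  (either direction)
    return addr in (pkt["ip.src"], pkt["ip.dst"])
def tcp_port(pkt, port):               # tcp.port == port  (either end)
    return port in (pkt["tcp.srcport"], pkt["tcp.dstport"])
def http_request_method(pkt, method):  # http.request.method == method
    return pkt["tcp.payload"].startswith(method.encode() + b" ")

def find_posted_credentials(frames, host):
    """ip.addr == host && http.request.method == POST, then decode each form body."""
    hits = []
    for p in map(dissect, frames):
        if p and ip_addr(p, host) and http_request_method(p, "POST"):
            _, _, body = p["tcp.payload"].partition(b"\r\n\r\n")
            hits.append({k: v[0] for k, v in parse_qs(body.decode()).items()})
    return hits
```

The decoded dictionary is exactly the clear text the Follow -> HTTP Stream window shows, which is why any passive listener on the path can read it.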

7. Real-World Scenarios

A company's intrusion detection system flags unusual outbound traffic originating from an employee's laptop, but the SIEM logs don't provide enough detail. A security analyst initiates a packet capture (PCAP) on the laptop's switch port. By analyzing the packets in Wireshark, the analyst discovers the laptop is infected with a trojan. The malware is systematically reading sensitive PDF files on the laptop, compressing them, and sending them over the network (Data Exfiltration) via unencrypted FTP to an unknown server in another country. The raw packets contain the exact files being stolen.

8. Best Practices

  • Analyzing HTTPS: If you capture HTTPS traffic, the payload will be unreadable cryptographic gibberish. Wireshark cannot magically decrypt TLS traffic. To analyze encrypted malware traffic, security researchers often have to configure Wireshark with the victim computer's session keys (if they have administrative control over the machine) to decrypt the traffic locally.
  • Wiretapping is a Crime: Running a packet sniffer on a network you do not explicitly own or have written permission to monitor (like a university Wi-Fi network, a coffee shop, or your employer's network without authorization) is a severe violation of wiretapping laws. Only capture traffic on your personal home network or in an isolated virtual lab environment.

10. Exercises

  1. Describe the function of "Promiscuous Mode" on a Network Interface Card (NIC). Why is it required for packet sniffing?
  2. You have a PCAP file containing 1 million packets. What exact display filter would you type into Wireshark to see only the traffic originating from IP address 10.0.0.5?

11. FAQs

Q: Do hackers use Wireshark?
A: Yes. While Wireshark is an essential defensive tool for troubleshooting and forensics, hackers use the exact same tool (or command-line equivalents like tcpdump) to sniff unencrypted passwords, session cookies, and sensitive data on compromised networks. Tools are neutral; intent makes them ethical or malicious.

12. Interview Questions

  • Q: Describe the process of investigating a suspected Data Exfiltration event using Wireshark. Which protocols would you filter for, and what specific packet details would you analyze?
  • Q: Explain how you would use Wireshark to identify a suspected network bottleneck or broadcast storm on a local area network.

13. Summary

In Chapter 8, we pulled back the curtain on network traffic. We learned that network communication is fundamentally the transmission of raw packets. We utilized Wireshark to capture these packets and apply display filters to isolate specific conversations. Through hands-on analysis, we proved the catastrophic vulnerability of unencrypted HTTP traffic, demonstrating how easily a passive listener can steal credentials. Packet analysis is the ultimate source of truth in network security.

14. Next Chapter Recommendation

We have analyzed data moving through physical cables. But what happens when the data is broadcast through the air, completely bypassing physical boundaries? Proceed to Chapter 9: Wireless Network Security.
