Wireshark is a free open source tool that analyzes network traffic in real-time for Windows, Mac, Unix, and Linux systems. It captures data packets passing through a network interface (such as Ethernet, LAN, or SDRs) and translates that data into valuable information for IT professionals and cybersecurity teams.
What is Wireshark Used For?
Wireshark is a type of packet sniffer (also known as a network protocol analyzer, protocol analyzer, and network analyzer). Packet sniffers intercept network traffic to understand the activity being processed and harvest useful insights.
Wireshark (ethereal) offers a series of different display filters to transform each captured packet into a readable format. This allows users to identify the cause of network security issues and even discover potential cybercriminal activity.
When a packet sniffer is used in ‘promiscuous mode’ users can analyze network traffic regardless of its destination . its like a fly on a wall watching office activity. While this empowers IT professionals to perform a quick and thorough diagnosis of network security, in the wrong hands. Wireshark could be used for cyberattack reconnaissance campaigns.
Because you can download Wireshark for free, cybercriminals have liberal access to it, so it’s best security practice to assume the software is currently being used with hostile intentions. Luckily, there are some security measures you can implement to protect against network sniffing.
Uses case of Wireshark
Packet analysis software like Wireshark is used by entities that must remain informed about the state of security of their network, as such, the software is commonly used by governments, schools, and technology businesses.
Common Wireshark use cases include:
- Identify the cause of a slow internet connection
- Investigating lost data packets
- Troubleshooting latency issues
- Detecting malicious network activity
- Identify unauthorized data exfiltration
- Analyzing bandwidth usage
- Tracing voice over Internet (VoIP) calls over the network
- Intercepting Man-in-the-Middle (MITM) attacks
Wireshark makes all of the above use cases possible by rendering and translating traffic into readable formats – saving users the frustrations of having to translate binary information manually. All of this is done in real-time so that detected issues can be rapidly addressed before they develop into a service outage, or worse, a data breach.
How to Use Wireshark ?
Before following a Wireshark tutorial, it’s important to understand how networking systems work.
The OSI model (Open Systems Interconnection Model) is a framework that represents how network traffic is transferred and displayed to an end-user. It’s comprised of 7 layers
- Application (Layer 7) – Displays the graphical User Interface (UI) – what the end-user sees
- Presentation (Layer 6) – Formats data to achieve effective communication between networked applications
- Session Layer (Layer 5) – Ensures connections between end-points are continuous and uninterrupted.
- Transports Layer (Layer 4) – Proxy servers and firewalls reside on this layer. Ensures error-free data transfer between each endpoint by processing TCP and UDP protocols. At this layer, Wireshark can be used to analyze TCP traffic between two IP addresses
- Network Layer (Layer 3) – Ensures routing data for routers residing on this network are error-free.
- Data Link Layer (Layer 2) – Identifies physical servers through two sub-layers, Media Access Control (MAC), and Logical Link Control (LLC).
- Physical Layer (Layer 1) – Comprised of all the physical hardware that processes network activity
To use correctly use Wireshark, you must be aware of the different proctors being processed at each OSI layer. This will help you decide which layer should be analyzed for each specific diagnostic requirement.
How wireshark used in OSI layer
Here’s a run-through of the protocols being processed at each OSI layer:
- Application (Layer 7) – SMTP, HTTP, FTP, POP3, SNMP
- Presentation (Layer 6) – MPEG, ASCH, SSL, TLS
- Session Layer (Layer 5) – NetBIOS, SAP
- Transports Layer (Layer 4) – TCP, UDP
- Network Layer (Layer 3) – IPV5, IPV6, ICMP, IPSEC, ARP, MPLS.
- Data Link Layer (Layer 2) – RAPA, PPP, Frame Relay, ATM, Fiber Cable, etc.
- Physical Layer (Layer 1) – RS232, 100BaseTX, ISDN, 11.
Each layer is stacked on top of the other and information flows between each layer during network activity.
Even with just a surface-level understanding of the different functions of each layer, you can perform a high-level assessment of networking issues.
For example, if you’re having issues browsing the internet, you can assume that there’s likely an error on the Network Layer (layer 3) since it processes router data.
Wireshark can then be used to further investigate such an assumption. It can confirm which layer is failing and the specific protocols that contain errors.Now that you’ve established some foundational background knowledge, you will get the most value from the following Wireshark tutorial
How to Protect Against Network Sniffing
The probability of an organization suffering a data breach is rising, and from this, we can infer that network sniffing is also on the rise since they facilitate cyberattacks.
Keep Antivirus Software Updated
Network sniffers are usually delivered through trojans, worms, viruses, and malware. Antivirus software could block such hostile payloads before they have a chance to deploy a sniffing campaign.
To increase the chances of successful protection, it’s important to keep antivirus software updated so that it’s configured to detect the latest cyber threats.
Encrypt All Network Data
When network data is encrypted, it’s difficult for cybercriminals to glean sensitive information from it in a sniffing campaign.
There are different types of encryption methods available, but for the highest degree of obfuscation, the Advanced Encryption Standards (AES) should be used.
This encryption algorithm is impervious to almost all forms of cyberattacks (except brute force attacks), this is why it’s the preferred encryption method of the United States government.
Use a VPN
Virtual Private Networks (VPNs) secure all internal traffic in an encrypted tunnel. They also secure remote connections to sensitive internal networks, so that businesses can maintain a remote workforce without compromising on security.
For the best results, choose a VPN that uses AES encryption and couple it with antivirus software that’s always kept updated.
Disable UPnP
Universal Plug and Play (UPnP) could allow cybercriminals to connect to your router and deploy network sniffing software. These connections could occur autonomously, outside of your control, because that’s what UPnP is designed to do
Most new routers come with UPnP already enabled, so you could currently be exposing your network to sniffing attacks without knowing it.
Do Not Connect to Public Wi-Fi
The security of public Wi-Fi can never be confirmed. You can never be certain that they even encrypt their data. Cybercriminals often set up malicious free Wi-Fi hotspots so that they can monitor the activity of connected devices.
DIscovering a Wi-Fi hotspot that doesn’t require a password may seem like a life-saver, but their potential security risks greatly outweigh any of the benefits they might offer. Best to avoid all public Wi-Fi hotspots.
