Wireshark is a graphical network protocol analyzer that lets us examine the individual packets on the network in depth.
Wireshark can capture Ethernet, Wi-Fi, Bluetooth and many other kinds of traffic.
It can decode the protocols it sees, so you could, for example, listen to the audio of a captured Voice over IP (VoIP) phone call.
Let's take a look at the basics of using Wireshark to capture and analyze network traffic.
Starting Wireshark: You must run Wireshark from an account with sufficient privileges to capture packets, or grant the account you run Wireshark from enough privileges to capture network traffic. How this is done differs from one operating system to another.
On Windows, Wireshark loads the WinPcap driver (called NPF) when it starts capturing live data. Loading the driver requires administrator privileges; once it is loaded, any local user can capture traffic.
Here are some of the features of Wireshark:
- It supports more than 1,000 protocols
- Live capture and offline analysis
- It has the most powerful display filters in the industry
- Captured network data can be browsed via the GUI or with the command-line tool TShark
- Ability to read and write many different capture file formats, such as tcpdump (libpcap), Network General Sniffer, Cisco Secure IDS iplog, Microsoft Network Monitor and more
- Live data can be read from IEEE 802.11, Bluetooth and Ethernet
- Output can be exported as XML, PostScript, CSV or plain text
In our case we are connected to the LAN over Ethernet, so we will capture on the Ethernet interface.
On Linux, you can start Wireshark by typing "sudo wireshark" in your terminal and then select your interface to start capturing.
Wireshark now sees all the network traffic and captures every packet. To isolate POST data, therefore, you must use a filter in the Wireshark filter bar. To stop capturing, click the fourth icon at the top, titled "Stop running the live capture", or go to Capture | Stop.
Let's open any login page and send a POST request to a server. The sheer volume of traffic captured by Wireshark can be a bit chaotic because, besides the HTTP traffic, every other packet to or from the system is captured as well.
To find the specific packets that interest us, we can use Wireshark filters. The filter field is located in the upper left corner of the Wireshark GUI. As a very simple first example of Wireshark filtering, let's look at all the HTTP traffic.
You should see packets in Wireshark from the system with IP address 10.228.xxx.xxx to 10.228.xxx.xxx and vice versa, with the Protocol column marked as HTTP.
Filter: http.request.method == "POST"
Filter: http contains POST
You can now analyze this POST data by right-clicking the packet and selecting Follow -> TCP Stream.
Wireshark now filters the captured packets to display only those using the HTTP protocol. We can see the entire HTTP exchange, including the connection details, in plain text.
Even after the traffic is filtered, there may be many HTTP connections captured over the same period of time, which makes it hard to follow what is going on. But once we find a packet that interests us, such as the beginning of an HTTP connection, we can dig deeper by right-clicking the packet and selecting "Follow TCP Stream", as shown below:
We can use more advanced filters to narrow down the returned packets further.
For example, we can use the filter ip.dst == 10.228.xxx.xxx to return only packets whose destination IP address is 10.228.xxx.xxx.
We can even combine filters, such as ip.dst == 10.228.xxx.xxx and http, to find only HTTP traffic destined for 10.228.xxx.xxx.
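The following is an added example and not code from the original article or from the Wireshark project. Using only the Python standard library, it writes a small pcap file of constructed packets, reads it back (offline analysis, as Wireshark or TShark would) and applies the equivalents of the three filters discussed above: http.request.method == "POST", http contains POST, and ip.dst == X and http. It also shows why the first two filters are not interchangeable: contains is a case-sensitive byte-substring match, so it also hits a GET whose URI merely contains the word POST, while the method comparison does not. The addresses (10.228.0.5, 10.228.0.9, 10.228.0.20), MAC addresses, ports and HTTP contents are all constructed sample values; treating port 80 as HTTP mirrors Wireshark's default port assignment.

```python
"""Added example (not from the original article): build a pcap of constructed packets,
read it back and apply Wireshark-style display filters in plain Python.
All addresses, MACs, ports and HTTP contents below are constructed sample values."""
import os
import socket
import struct
import tempfile

LINKTYPE_ETHERNET = 1
SERVER, OTHER, CLIENT = "10.228.0.5", "10.228.0.9", "10.228.0.20"   # constructed addresses


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header, as Wireshark validates it."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH|ACK, no options) frame carrying `payload`."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def write_pcap(path: str, frames) -> None:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record header + frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)


def read_pcap(path: str):
    """Yield raw frames from a pcap file written by write_pcap (or by tcpdump/Wireshark)."""
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(24)[:4])[0] != 0xA1B2C3D4:
            raise ValueError("expected little-endian microsecond pcap")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            yield f.read(struct.unpack("<IIII", rec)[2])        # incl_len bytes of frame


def dissect(frame: bytes) -> dict:
    """Minimal dissector exposing the field names the filters use; {} for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":                               # Ethertype IPv4
        return {}
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 6:                                           # protocol 6 = TCP
        return {}
    tcp = 14 + ihl
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]           # skip TCP header by data offset
    fields = {"ip.src": socket.inet_ntoa(ip_hdr[12:16]), "ip.dst": socket.inet_ntoa(ip_hdr[16:20]),
              "tcp.dstport": struct.unpack("!H", frame[tcp + 2:tcp + 4])[0], "tcp.payload": payload}
    # Like Wireshark's default, treat port 80 as HTTP; parse "METHOD SP URI SP HTTP/x.y".
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if fields["tcp.dstport"] == 80 and len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        fields["http"] = True
        fields["http.request.method"] = parts[0].decode("ascii", "replace")
        fields["http.request.uri"] = parts[1].decode("ascii", "replace")
    return fields


def apply_filter(path: str, predicate):
    return [d for d in map(dissect, read_pcap(path)) if d and predicate(d)]


def post_requests(path):            # http.request.method == "POST"
    return apply_filter(path, lambda d: d.get("http.request.method") == "POST")


def http_contains_post(path):       # http contains POST  (byte-substring match, not a method check)
    return apply_filter(path, lambda d: d.get("http") and b"POST" in d["tcp.payload"])


def http_to(path, dst_ip):          # ip.dst == dst_ip and http
    return apply_filter(path, lambda d: d.get("http") and d["ip.dst"] == dst_ip)


def build_sample_capture() -> str:
    """Constructed traffic: two real POSTs, a GET whose URI merely contains 'POST', and TLS bytes."""
    frames = [
        build_frame(CLIENT, SERVER, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame(CLIENT, SERVER, 80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                                        b"Content-Length: 20\r\n\r\nuser=demo&pass=demo1"),
        build_frame(CLIENT, OTHER, 80, b"POST /api HTTP/1.1\r\nHost: other.test\r\n\r\n{}"),
        build_frame(CLIENT, SERVER, 80, b"GET /POSTS HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame(CLIENT, SERVER, 443, bytes.fromhex("16030100")),   # TLS record start, not HTTP
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    write_pcap(path, frames)
    return path


if __name__ == "__main__":
    cap = build_sample_capture()
    for d in post_requests(cap):       # the login POST body is readable in clear, exactly as in Follow TCP Stream
        print(d["ip.src"], "->", d["ip.dst"], d["http.request.uri"], d["tcp.payload"][-20:])
    print(len(http_contains_post(cap)), "frames match 'http contains POST'")
```

Running the block prints the two POST requests with their plaintext bodies, which is the same visibility the Follow TCP Stream view gives on a real capture, and reports that three frames match the contains filter (the two POSTs plus the GET /POSTS request). The same dissect-and-predicate structure is how you would turn a display filter into a detection rule over saved captures.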