What term best describes the Wireshark tool program?
What is Wireshark?
Wireshark is an open-source packet analyzer used for education, protocol analysis, software and communication-protocol development, and network troubleshooting.
It captures packets so that each one can be filtered to meet a specific need, and it is commonly called a sniffer, network protocol analyzer, or network analyzer. Network security engineers also use it to examine security problems. Wireshark is free to use and captures the data flowing in both directions, which is why it is often described as a free packet sniffer. To do this it puts the network card into promiscuous mode, i.e., the card accepts every packet it receives rather than only the packets addressed to it.
Uses of Wireshark:
Wireshark can be used in the following ways:
What is a packet?
A packet is a unit of data transmitted over a network between an origin and a destination. Network packets are small: an Ethernet frame carries at most about 1.5 kilobytes of payload (the 1500-byte MTU), and an IP packet is limited to 64 kilobytes (65,535 bytes). Wireshark can capture packets live and analyze them offline.
History of Wireshark:
In the late 1990s Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, was working for a small ISP (Internet Service Provider). The protocol analyzers available at the time did not meet his requirements, so he started writing Ethereal and released the first version in 1998. Network Integration Services owned the Ethereal trademark. Combs still held the copyright on most of the Ethereal source code, and the rest of the source code was redistributed under the GNU GPL. Because he did not own the Ethereal trademark, he changed the name to Wireshark, using the Ethereal code base as its basis. Wireshark has won several industry awards over the years, including from eWeek, InfoWorld and PC Magazine, and is regularly rated the top packet sniffer. Combs continued the work and released new versions of the software; the Wireshark website lists around 600 contributing authors.
Functionality of Wireshark:
Wireshark is similar to tcpdump. Tcpdump is a common command-line packet analyzer that lets the user display TCP/IP and other packets being transmitted and received over a network the computer is attached to. Wireshark adds a graphical front end and sorting and filtering functions. Wireshark users can see all the traffic passing through the capturing interface, and in promiscuous mode Wireshark also sees unicast traffic that is not addressed to that interface's MAC address. But on a switched network the switch only forwards a frame to the port where its destination MAC address lives, so promiscuous mode alone is not sufficient to see all the traffic. Network taps or port mirroring are used to extend capture to any point in the network.
Port mirroring is a method of monitoring network traffic. When it is enabled, the switch sends copies of all the network packets seen on one port to another port, where the capturing machine is connected.
What is color coding in Wireshark?
Packets in Wireshark are highlighted in colors such as blue, black and green. These colors help users identify the types of traffic at a glance; the feature is also called packet colorization. Wireshark has two kinds of coloring rules: temporary rules, which last only for the current session, and permanent rules, which are saved with the profile.
Features of Wireshark
Installation of Wireshark Software
Below are the steps to install the Wireshark software on the computer:
In the Network and Internet settings we can check which interface is connected to our computer. If you are a Linux user, you will find Wireshark in your distribution's package repositories. Selecting the current interface shows the traffic traversing it. The version used here is 3.0.3.
When Wireshark opens, all capture work is done from this one window. The list on the start screen is the interface list; the number of interfaces varies from machine to machine, and selecting one starts a capture of all the traffic on it. For example, select the Wi-Fi interface. A new window opens showing the current traffic on that network as a live capture of packets. The lowest pane shows the packet content in hexadecimal and ASCII, and the pane above it shows the details of the packet headers. Wireshark keeps listening for packets, so the list fills quickly. If you want to examine particular data, click the red stop button; the packet list then stops scrolling and you can note the parameters of each packet: time, source, destination, the protocol being used, length, and Info. To view in-depth detail, click a particular packet; the dissected fields appear in the pane below, with detailed information on HTTP packets, TCP packets, etc.
The screen/interface of Wireshark is divided into five parts:
You can also select the connection your computer is currently using. For example, on this PC we have chosen the current network, i.e., Ethernet. Once capturing, you can watch the traffic. The View option on the menu bar changes the layout of the interface; a number of panes and toolbars can be enabled or disabled there according to requirements. Below the menu bar is the display filter bar, where a large amount of data can be filtered. For example, apply the filter http and only the packets that Wireshark dissects as HTTP are listed. If you want to filter by source, right-click the source you want, select 'Apply as Filter' and choose 'Selected' (or '...and Selected' to combine it with the filter already in the bar). The steps for permanent colorization are: click 'View' on the menu bar and select 'Coloring Rules.' A table of rules appears. For a network administrator job, advanced knowledge of Wireshark is often listed as a requirement, so it is essential to understand the concepts of the software. The table contains around 20 default coloring rules, which can be added to or removed according to requirements. Selecting 'View' and then 'Colorize Packet List' toggles the coloring on and off. Note: if you are not sure whether your desktop or laptop runs a 32-bit or 64-bit operating system, download the 32-bit Windows build, which runs on both.
Now let's start with the basics.
Basic concepts of network traffic
IP Addresses: The IP address was designed so that devices can communicate with each other on a local network or over the Internet. It identifies a host or a network interface, gives the location of the host, and makes it possible to establish a path to the host in that network. The Internet Protocol is the set of predefined rules under which this communication is conducted. The two types of IP address are IPv4 and IPv6.
IP addresses are assigned to hosts either dynamically or statically. Most private users have a dynamic IP address, while business users and servers usually have a static IP address. A dynamic address may change each time the device connects to the Internet.
Computer Ports: Ports work in combination with the IP address to direct all outgoing and incoming packets to the right application. There are well-known ports such as FTP (File Transfer Protocol), which uses port number 21, HTTP on port 80 and HTTPS on port 443. Every port serves to steer packets to a predefined destination.
Protocol: A protocol is a set of predefined rules, the standardized way in which two parties communicate. One of the most used protocol suites is TCP/IP, which stands for Transmission Control Protocol/Internet Protocol.
OSI model: OSI stands for Open Systems Interconnection. The OSI model has seven layers, namely the Application, Presentation, Session, Transport, Network, Data link and Physical layers, and gives a detailed representation and explanation of how data is transmitted and received through those layers. The OSI model supports both connectionless and connection-oriented communication at the network layer. It was developed by ISO (the International Organization for Standardization).
Most used Filters in Wireshark
Whenever you type an expression in the display filter box, it turns green if the expression is valid and red if it is invalid or Wireshark does not recognize it (for example http, tcp.port == 443 or ip.addr == 192.168.1.10). Below is the list of filters used in Wireshark:
Wireshark packet sniffing
Wireshark is a packet sniffing program that administrators can use to isolate and troubleshoot problems on the network. It can also be used to capture sensitive data such as usernames and passwords sent in cleartext, and so it can be misused (hacking) to eavesdrop. Packet sniffing is the process of capturing the packets of data flowing across a computer network; a packet sniffer is the device or software used for sniffing. Below are the steps for packet sniffing:
Apply the filter 'http.' Right after the filter is applied the packet list is blank, i.e., there is no HTTP traffic yet. Open a browser; in this example we opened Internet Explorer, but you can choose any browser. As soon as you type the address of a website, the traffic starts showing and the exchange of packets begins. The process just described is packet sniffing.
Username and password sniffing
This is the process of learning the username and password used for a particular website. Note that it only works when the login form is submitted over plain HTTP; a site served over HTTPS, as gmail.com is, encrypts the form so that the credentials cannot be read from the capture. Let's take the example of gmail.com. Below are the steps:
In the 'Show and save data as' drop-down of the Follow TCP Stream window there are many choices: ASCII, C Arrays, EBCDIC (Extended Binary Coded Decimal Interchange Code) and others. EBCDIC is the character encoding used on IBM mainframe and mid-range operating systems.
Wireshark Statistics
Wireshark provides a wide range of statistics under the Statistics menu. Below is the list of statistics along with a description of each:
I/O GRAPHS
The I/O graph plots network traffic over time; its shape changes with the traffic involved. Below the graph is a table of graphs, each driven by a display filter. Using the '+' sign you can add more, and with the '-' sign you can remove existing ones. You can also change the color of each graph, so every filter gets its own colored layer, which improves the visibility of the graph. The tick box under 'Enabled' shows or hides each layer as required. For example, applying the preset filter 'TCP errors' (tcp.analysis.flags) makes the errors easy to pick out. If you click a particular point on the graph, the corresponding packet is selected in the packet list. You can also graph the traffic on a particular port. Another category of graph is found under 'TCP Stream Graphs'; it visualizes the TCP sequence number against time. Below are the steps to understand the TCP Stream graphs:
As you zoom in on the graph, you see the individual points in detail. Each vertical line is a segment, and its length along the Y-axis shows how much data (how many sequence numbers) the segment carries. You will also see the line step up and then level off: the step up means more data is being sent, and the flat part means the data has been ACKed (acknowledged) and nothing further is being sent yet. Data being sent and then acknowledged is TCP working as intended; a long flat line signifies that nothing is happening. The green line above the segments is the receive window advertised by the other side. The gap between the receive window line and the segments shows how much space remains in the receiver's buffer.
FACTS ABOUT WIRESHARK / IMPORTANT STEPS / MOST USED
Below are the points that come up most in real-life use.
Adding a delta column: To add any column, below are the steps:
Below the captured packets, the data shown in square brackets is information that is not in the packet itself; Wireshark computes it for your benefit (for example the calculated window size, the time since the previous frame, or the frame that a TCP ACK answers). If you want to add any of these fields to the column area, right-click the field and select 'Apply as Column', and it appears as a column in the packet list.
The most important is the 3-Way Handshake: without the three-way handshake in the capture you cannot view the window scaling factor, because the scale each side uses is carried only in the window-scale option of its SYN or SYN-ACK segment; Wireshark then shows the factor as -1 (unknown).
Some Facts about Wireshark: TELEPHONY
Telephony is an option on the menu bar. Its options are explained below:
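The generated fields in square brackets, the delta column and the window scaling factor that needs the handshake, together with the username/password sniffing described earlier, as an added example that is not part of the original page and is not Wireshark's own code: a short Python script (standard library only) builds a pcap file from constructed packets, reads it back with a minimal Ethernet/IPv4/TCP dissector and reproduces what Wireshark computes. The IP addresses, ports, timestamps, login form and credentials are all made up for the example; dropping the first three packets models a capture started after the connection was already open.

```python
# Added example, not code from the original page or the Wireshark project. It builds a
# tiny pcap in memory (TCP three-way handshake, then a cleartext HTTP POST), reads it
# back and reproduces three things discussed above: the delta-time column, the window
# scaling factor that is only known when the handshake was captured, and how a sniffer
# reads a username and password out of a cleartext HTTP login. Addresses, ports,
# timestamps and credentials are constructed sample data.
import base64
import struct
from urllib.parse import parse_qs

SYN, ACK, PSH = 0x02, 0x10, 0x08


def frame(src, dst, sport, dport, seq, ack, flags, window, wscale=None, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero since it is never sent on a wire."""
    # Window-scale option: kind 3, length 3, shift count, plus a NOP to pad to 32 bits.
    opts = b"" if wscale is None else bytes([3, 3, wscale, 1])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (5 + len(opts) // 4) << 4, flags, window, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp  # dst MAC, src MAC, IPv4


def write_pcap(packets):
    """packets: [(timestamp_seconds, frame_bytes)] -> bytes of a classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, f in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (timestamp, frame): 24-byte file header, then 16-byte record headers."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    pos = 24
    while pos < len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        yield sec + usec / 1e6, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl


def dissect(f):
    """Minimal Ethernet/IPv4/TCP dissector returning the fields used below."""
    t = 14 + (f[14] & 0x0F) * 4                        # TCP header follows Ethernet + IPv4
    sport, dport, seq, ack, doff, flags, window = struct.unpack("!HHIIBBH", f[t:t + 16])
    hdr_len = (doff >> 4) * 4
    opts, i, wscale = f[t + 20:t + hdr_len], 0, None
    while i < len(opts) and opts[i] != 0:              # kind 0 ends the option list
        if opts[i] == 3:                               # kind 3 = window scale (shift count)
            wscale = opts[i + 2]
        i += 1 if opts[i] == 1 else opts[i + 1]        # kind 1 (NOP) has no length byte
    return dict(src=".".join(map(str, f[26:30])), dst=".".join(map(str, f[30:34])),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                window=window, wscale=wscale, payload=f[t + hdr_len:])


def credentials(payload):
    """Cleartext HTTP login as a sniffer sees it: POST form fields plus any Basic auth header."""
    head, _, body = payload.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return None
    found = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            found["basic"] = base64.b64decode(line.split()[-1]).decode()
    return found


def analyze(pcap):
    """One row per packet, like Wireshark's packet list with a delta column. A sender's
    scale factor comes from its own SYN; without that SYN Wireshark shows -1, and so do we."""
    rows, prev, scale = [], None, {}
    for ts, f in read_pcap(pcap):
        p = dissect(f)
        sender = (p["src"], p["sport"])
        if p["flags"] & SYN:
            if p["wscale"] is not None:
                scale[sender] = p["wscale"]
            factor = None                              # windows in SYN segments are never scaled
        else:
            factor = scale.get(sender, -1)
        rows.append(dict(delta=0.0 if prev is None else round(ts - prev, 6),
                         src=p["src"], dst=p["dst"], flags=p["flags"], factor=factor,
                         calc_window=p["window"] << factor if factor not in (None, -1) else p["window"],
                         credentials=credentials(p["payload"])))
        prev = ts
    return rows


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"            # constructed addresses
BODY = b"username=alice&password=hunter2"              # constructed login form
POST = (b"POST /login HTTP/1.1\r\nHost: login.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY


def build_capture(include_handshake=True):
    """SYN, SYN-ACK, ACK, then the POST; without the handshake the capture started late."""
    pkts = [(1.000000, frame(CLIENT, SERVER, 51234, 80, 1000, 0, SYN, 64240, wscale=7)),
            (1.000125, frame(SERVER, CLIENT, 80, 51234, 5000, 1001, SYN | ACK, 65160, wscale=7)),
            (1.000250, frame(CLIENT, SERVER, 51234, 80, 1001, 5001, ACK, 502)),
            (1.002000, frame(CLIENT, SERVER, 51234, 80, 1001, 5001, PSH | ACK, 502, payload=POST))]
    return write_pcap(pkts if include_handshake else pkts[3:])
```

With the full capture, analyze(build_capture()) reports a delta of 125 microseconds between the SYN and SYN-ACK, a scale factor of 7 for the client's later segments (so its advertised window of 502 is really 502 << 7 = 64256 bytes), and the username and password straight out of the POST. With analyze(build_capture(False)) the single remaining packet has a factor of -1 and the window cannot be corrected, exactly the situation the text warns about; the credentials are still readable, because cleartext HTTP needs no handshake to be understood.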
WIRESHARK DECRYPTION
Decryption turns captured encrypted data into a readable format. Below are the steps for the decryption process.
What is the main purpose of the Wireshark tool?
Wireshark is a packet sniffer and analysis tool. It captures network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), token ring and frame relay connections, among others, and stores that data for offline analysis.
Is Wireshark a monitoring tool?
Wireshark is a software tool used to monitor the network traffic passing through a network interface. It is one of the most widely used network protocol analyzers today.
Is Wireshark a malware analysis tool?
Yes. Whereas a web proxy such as Fiddler is focused on HTTP/HTTPS traffic, Wireshark allows deep packet inspection of multiple protocols at multiple layers. While analysing packet captures in Wireshark it is even possible to extract files from the pcap that were downloaded by the malware.
Why is it called Wireshark?
Wireshark is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.