Packet Sniffing with Wireshark - What’s Sniffin’ About?
(Page 2 of 4)
Communication over digital networks is carried as streams of data, and each stream is in the end a sequence of discrete packets whose contents may be encrypted or sent in the clear. That is the simplest description of how data is sent and received, and it is what goes on while you surf the Web, send and receive mail, chat over IM, or download photos from MySpace.
By now you probably have an idea of what packet sniffing is: capturing the data that passes through your network interface(s). The packets are not only captured but also decoded, which is why such a tool is called a network protocol analyzer. To do that, the software has to know the structure of a great many protocols, and it decodes each packet as it is captured, live, if you ask it to.
(Image Courtesy of Post Fix Virtual)
The data flow is split into a great many packets, each with a specific size and structure, and the structure differs from one protocol to the next. A packet therefore carries more than the data being transferred; it also carries protocol metadata. In the case of an IPv4 packet the header contains, in order: version, header length, type of service, total length, identification, flags, fragment offset, TTL (time to live), protocol, header checksum, source address, destination address, and optional options plus padding.
A packet sniffer is a passive observer: it captures and analyzes, and that is all it does. Note that the packets are not addressed to the sniffer; it sees the frames that pass by its interface, typically with the interface in promiscuous mode so that the card hands up frames destined for other hosts as well. On a switched network that only gets you the traffic of your own port plus broadcasts and multicasts; to see other hosts' traffic you need a mirror (SPAN) port, a network tap, or an old-fashioned hub. The analyzer component is "smart" in that it knows the structure of each packet type, so it can dissect a packet into its fields and report them.
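To make the dissection concrete, here is a small IPv4 header dissector written for this article as an added example; it is not Wireshark's code and not part of the original page. It pulls out exactly the fields listed above, verifies the header checksum as RFC 791 defines it, and uses the header-length field rather than assuming 20 bytes. The sample packet is constructed inside the script (documentation addresses, a 4-byte options field, a five-byte payload), and the helper and field names are this example's own.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Tuple

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int               # header length in 32-bit words (5 = no options)
    tos: int
    total_length: int
    identification: int
    flags: int             # bit 2 reserved, bit 1 DF (don't fragment), bit 0 MF (more fragments)
    fragment_offset: int   # in 8-byte units
    ttl: int
    protocol: int
    header_checksum: int
    src: str
    dst: str
    options: bytes
    checksum_ok: bool


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of all 16-bit words. Over a header whose checksum field is already filled
    in, a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Tuple[IPv4Header, bytes]:
    """Dissect the IPv4 header at the start of `packet` (link layer already
    stripped). Returns the header fields and the payload that follows them."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    hdr_len = ihl * 4                        # never assume 20: options exist
    if hdr_len < 20 or hdr_len > len(packet) or total_length < hdr_len:
        raise ValueError("inconsistent header length / total length")
    header = IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident,
        flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, header_checksum=csum,
        src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
        options=packet[20:hdr_len],
        checksum_ok=ipv4_checksum(packet[:hdr_len]) == 0,
    )
    # A capture taken with a short snaplen may hold fewer bytes than
    # total_length promises; the slice simply returns what was captured.
    return header, packet[hdr_len:total_length]


def build_ipv4(src, dst, payload, *, ttl=64, protocol=6, ident=0, df=True, options=b""):
    """Assemble a valid IPv4 packet; used here only to construct sample input."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), ident, 0x4000 if df else 0,
                         ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    csum = ipv4_checksum(header)             # computed with the checksum field = 0
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def summarize(packet: bytes) -> str:
    """One-line summary in the spirit of an analyzer's packet-list pane."""
    h, payload = parse_ipv4(packet)
    return (f"{h.src} -> {h.dst} {PROTOCOL_NAMES.get(h.protocol, h.protocol)} "
            f"ttl={h.ttl} len={h.total_length} ihl={h.ihl} "
            f"csum={'ok' if h.checksum_ok else 'BAD'} payload={len(payload)}B")


# Constructed sample: RFC 5737 documentation addresses, DF set,
# three NOP options followed by an End-of-Options-List byte.
SAMPLE_PACKET = build_ipv4("192.0.2.1", "198.51.100.2", b"hello",
                           ident=0x1234, options=b"\x01\x01\x01\x00")

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKET))
    # A router that decrements TTL must recompute the checksum; this one did not.
    damaged = SAMPLE_PACKET[:8] + bytes([SAMPLE_PACKET[8] - 1]) + SAMPLE_PACKET[9:]
    print(summarize(damaged))
```

The second summary line reports a bad checksum: decrementing TTL without recomputing the checksum is exactly the kind of inconsistency a dissector should flag rather than silently accept, and the same goes for a header-length field that points past the captured bytes.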
Before we begin with Wireshark, let's look at why one would capture and analyze packets at all. The reasons are many: troubleshooting network problems, detecting intrusion attempts and working out their details, monitoring and logging network usage, filtering specific kinds of suspect content, reverse engineering protocols, debugging client/server applications and other network code, and, finally, collecting sensitive information when that is what the job calls for. Anything sent in the clear, such as the credentials of an unencrypted protocol, is visible to whoever can see the packets, which is as much an argument for encrypting traffic as it is a reason to sniff it.
Systems administrators and security analysts have long relied on Wireshark (or Ethereal, as it was called until 2006) to work out how the intrusion attempts and other malicious activity that are all too frequent in a big corporate environment are put together; denial-of-service attacks, for instance. Once the captured traffic tells you what kind of attack you are facing, you can implement countermeasures on your firewall right away.
We are going to use Wireshark for our experiments because it is one of the best tools of its kind, if not the best. It is cross-platform: it runs on Windows and on just about any UNIX or UNIX-like system. It captures from wired Ethernet and wireless (802.11) interfaces, Token Ring, FDDI, serial links (PPP, SLIP), and even Asynchronous Transfer Mode (ATM), though which of these you can actually capture from depends on your operating system and its capture driver.
More By Barzan 'Tony' Antal