Packet Sniffing with Wireshark - Doing It Yourself
(Page 3 of 4)
The installation procedure for Wireshark is really straightforward. The Windows version is based on WinPcap, a set of libraries that provides network monitoring and packet capturing capabilities; it is high-performing, reliable, and portable. If you don't have WinPcap installed, don't worry: Wireshark can install it during its own setup process.
Download the latest version of Wireshark from this official page. The latest version at the time of writing is 1.0.6. During installation you are asked whether you'd like the NPF service to start automatically with Windows. Doing so lets users without administrator rights run Wireshark and capture packets; without this service, only administrators have the necessary permissions.
After a successful installation you should be able to launch Wireshark. It pops up an empty window, but with extensive menus and a toolbar. Its GUI is built on top of GTK+, so you *nix enthusiasts ought to recognize it right away! Now for your first sniffing action plan: navigate to the Capture -> Interfaces menu. This opens a window listing your NICs. Pick the one currently in use.
Click on Start, and the capture begins. Chances are some traffic is already flowing when you do this; if not, visit a site or two, send a file or a new mail, or simply write an IM to a friend saying "hey, what's up!" You should notice the window becoming fairly populated during the process. The main window is split into three panes, and each of them gets filled.
The first (top) pane lists the intercepted packets, one line per packet. Each is counted under No., and its details are listed too: Time (when it was captured, with microsecond precision), Source, Destination, Protocol, Info, etc. When you select one of these rows, the other two panes display the contents of that packet and further information about it.
In the middle pane you can use the "+" controls to expand entire categories. As an example, we captured some of the incoming and outgoing traffic while loading the Developer Shed website. In the top pane we picked an HTTP GET requesting the global.css file. The middle pane then looks similar to this.
[screenshot: the middle pane with the Hypertext Transfer Protocol section expanded]
As you can see, we've expanded the Hypertext Transfer Protocol section. There the entire content of the packet is decoded and broken down into its appropriate parts, so you can find out a great deal about the type of content flowing through your NICs. The bottom pane displays the raw packet bytes in hexadecimal (HEX) alongside the usual ASCII representation. These are useful too, sometimes.
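To make clear what the three panes are showing you, here is an added example (not code from the article or from Wireshark) that assembles a constructed Ethernet II / IPv4 / TCP frame carrying the same kind of HTTP GET for global.css, walks the layers the way the middle pane's tree does, and renders the bottom pane's hex/ASCII view. The MAC addresses, IP addresses, ports and Host header are made-up sample values, and checksums are left at zero because the frame is never sent.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP carrying
# the HTTP GET for global.css that the article picks out in the top pane.
HTTP_REQUEST = (b"GET /global.css HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: example-browser\r\n\r\n")

def build_frame(payload, src_ip="192.168.1.10", dst_ip="203.0.113.5", sport=49152, dport=80):
    """Assemble the frame layer by layer (checksums left at 0; the sample is never sent)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def dissect(frame):
    """Return one dict per layer, mirroring the expandable tree in the middle pane."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": mac(dst), "src": mac(src), "type": etype}}
    if etype != 0x0800:                      # only IPv4 is handled here
        return layers
    ver_ihl, _, total, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    layers["ip"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
                    "ttl": ttl, "proto": proto}
    if proto != 6:                           # not TCP: stop at the IP layer
        return layers
    off = 14 + (ver_ihl & 0x0F) * 4          # honour IP options via the IHL field
    sport, dport, _, _, doff, flags = struct.unpack("!HHIIBB", frame[off:off + 14])
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "flags": flags}
    payload = frame[off + (doff >> 4) * 4:14 + total]
    if dport == 80 and payload[:4] in (b"GET ", b"POST"):   # port 80 is dissected as HTTP
        request_line, _, rest = payload.partition(b"\r\n")
        method, uri, version = request_line.decode("ascii").split(" ")
        headers = dict(h.split(": ", 1) for h in rest.decode("ascii").split("\r\n") if ": " in h)
        layers["http"] = {"method": method, "uri": uri, "version": version, "headers": headers}
    return layers

def hexdump(data, width=16):
    """Bottom-pane style view: offset, hex bytes, then printable ASCII (dots elsewhere)."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart}  {text}")
    return lines
```

Running `dissect(build_frame(HTTP_REQUEST))` gives the eth, ip, tcp and http layers, and `hexdump(...)` prints the same bytes the bottom pane would show.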
It should be noted that wireless packet sniffing works exactly the same way as wired. However, in the case of Broadcom wireless cards you may want to check out this thread: it's about the special BRCM wireless driver from WildPackets. With it, you will be able to capture all kinds of wireless packets flowing across your network. If you don't want to fiddle with drivers that aren't digitally signed, then you will just capture encrypted packets, and decryption will have to be done manually.
By Barzan 'Tony' Antal