Wireshark is a network packet sniffer that allows you to capture packets and data in real time from a variety of different interfaces in a customizable GUI. It is also a great tool for analyzing, sorting and exporting this data to other tools. It is used by network administrators to troubleshoot networks and by cybersecurity professionals to find interesting connections and packets for further analysis, or protocols in use on the network that could be exploited. Wireshark is a robust and highly configurable passive tool for packet data analysis, capable of filtering data in a variety of ways both during and after a packet capture. Wireshark is not an intrusion detection system, and as a passive tool it does not manipulate the data that it captures in transit. In this tutorial I am going to show you how to install and configure Wireshark, capture some packets from an interface, sort the packets using a display filter, analyse the packets for interesting activity, and then we're going to run a Man in the Middle attack using ettercap to see how this affects the packets being received by Wireshark. Let's get started by installing Wireshark.
Installation
Wireshark is an open-source application with versions that run on Linux, Windows and Mac. It is preinstalled on Kali Linux and also is available to install from most Linux repositories. Not all features of Wireshark are available on all operating systems, so for the purposes of this tutorial we will be running the demos using Wireshark 2.2 on Debian 9 and Kali Linux. You can download Wireshark compiled for your OS or in source code from: https://www.wireshark.org/download.html
Dependencies: Wireshark depends on the libpcap package on Linux, and WinPcap on Windows.
Note: Wireshark has an excellent manual that details exactly how to use its many features, available at: https://www.wireshark.org/docs/ There is also a wiki available at https://wiki.wireshark.org/ that features thousands of downloadable sample captures that you can review.
To install Wireshark on Debian Linux, we will simply open a terminal and type the command:
sudo apt-get install wireshark
Installing Wireshark using apt ensures that any dependencies are downloaded automatically and that we get a version of Wireshark that is compatible with our operating system.
Once the installation is finished, Wireshark is added to the Applications > Internet sub-menu or can be run from the command line simply by issuing the command: wireshark
Once Wireshark finishes loading you will see a window similar to the above. In the foreground we have three separate sections:
Open
Here you may open capture files that you have captured from Wireshark previously or from other capture tools. Wireshark uses the default file format of .pcapng
Capture …using this filter:
In this combo text box you may add filters using the BPF (Berkeley Packet Filter) syntax to tell Wireshark exactly what kind of packets you would like it to capture, but for now we are going to leave this blank. Underneath this text box you will see a list of the interfaces on your computer that Wireshark is capable of interacting with, followed by a line graph that displays any activity detected on those interfaces.
Learn
In this section are useful links to get directly to the manual, wiki, Q&A and mailing lists.
To begin our first capture you may double-click on the interface that you would like to capture from, or highlight it and click the blue shark-fin button under the File menu on the main toolbar. If you're connected to a network that has any activity you will start to see some packets being captured. Let the sniff run for a while to collect some packets and then press the red square button or choose Capture > Stop from the menu to stop the capture.
Wireshark sniffs packets in promiscuous mode by default, but can also sniff in monitor mode on compatible wireless interfaces. Selecting Capture > Options from the menu, or clicking the Capture Options button on the toolbar, opens the Capture Options window. Monitor mode may then be enabled by clicking the checkbox under the Monitor Mode column in the Input tab.
Note: When running a packet capture, Wireshark will continue to capture packets until it runs out of memory, at which time the program will crash. You may specify file size parameters for Wireshark to follow while making captures in the Capture Options window under the Output tab.
The body of the main window consists of three stacked frames, each containing different data. The top frame holds a table with one row per captured packet and seven columns by default: No. - the sequence number of the received packet; Time - the time since the capture was initiated at which each packet was captured; Source - the IP address of the packet source; Destination - the IP address of the packet destination; Protocol - the protocol that the packet is using; Length - the total length of the packet in bytes; and Info - a summary of what is contained in the packet.
These columns are configurable in many different ways by right-clicking the top of a column and selecting "Edit Column", or by clicking the menu Edit > Preferences and selecting Columns under the Appearance section. Here you may add columns, remove columns, or change the label or data format that appears. Right-click on the top of the Time column, select Edit Column and change the time format to a UTC time using the combo box. This combo box shows you all of the possible data types that can be displayed. After changing the time format click OK on the right side of the toolbar. The time displayed should now be in UTC rather than time since the capture was initiated. The color scheme of the captured packets table can also be edited by clicking View > Coloring Rules. You may also create several different profiles for different types of work by clicking the menu Edit > Configuration Profiles.
Display Filters
Wireshark's real power comes in the way in which it can filter data, allowing you to find exactly what you're looking for quickly. There are two different types of filters used in Wireshark, and it is important to understand their uses and differences. Display Filters allow you to filter all of the captured packets based on many components of the packet, using expressions which can easily be saved for future use as buttons by typing the expression and then clicking the + button. In the next screenshot notice that under the main toolbar I have added two buttons. One is labelled DST.239, which will automatically apply the display filter expression located in the filter text box, and another clears all display filters.
Notice how applying this filter has removed all packets from the display frame except for those that have the specified destination IP. Display filters are a robust tool that can allow you to quickly find the information you're looking for. The complete syntax of these expressions can be found in the Wireshark manual, but we will cover a few basic ones to get you started.
ip.addr == 192.168.1.3 && dns
This filter displays any captured packets that come from or go to the IP address 192.168.1.3 and also use the DNS protocol.
ip.addr != 192.168.1.2 && dns
This filter displays any DNS protocol packets that neither originate from nor go to the IP address referenced. This is useful to omit your own device from the results if you are looking for problems or interesting packets elsewhere.
http && ip.src==192.168.1.3 && ip.dst==172.217.4.77
This filter displays only packets that use the HTTP protocol, originate from 192.168.1.3 and are sent to 172.217.4.77.
Note: Display Filters and Capture Filters are not the same thing. Capture Filters use the BPF syntax and prevent Wireshark from capturing any packets other than those specified in the filter.
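As an added example (not part of the original tutorial), the following Python script evaluates the three display filters above against a constructed packet table, so you can see why ip.addr matches either endpoint while ip.src and ip.dst match one direction only. It also carries the caveat a practitioner wants on the second filter: before Wireshark 3.6, ip.addr != x meant "any address field differs from x", which is true for almost every packet; the unambiguous spelling is !(ip.addr == x), and from 3.6 onward != is defined as exactly that. The packet list, addresses and protocol sets are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    no: int
    src: str
    dst: str
    protocols: frozenset  # protocol layers present, e.g. {"ip", "udp", "dns"}

# Constructed sample capture (not real traffic); 192.168.1.3 is the host of interest
CAPTURE = [
    Packet(1, "192.168.1.3", "192.168.1.1", frozenset({"ip", "udp", "dns"})),
    Packet(2, "192.168.1.1", "192.168.1.3", frozenset({"ip", "udp", "dns"})),
    Packet(3, "192.168.1.2", "192.168.1.1", frozenset({"ip", "udp", "dns"})),
    Packet(4, "192.168.1.3", "172.217.4.77", frozenset({"ip", "tcp", "http"})),
    Packet(5, "172.217.4.77", "192.168.1.3", frozenset({"ip", "tcp", "http"})),
    Packet(6, "192.168.1.3", "192.168.1.1", frozenset({"ip", "tcp", "ssl"})),
]

def ip_addr_eq(p, addr):
    """ip.addr == addr: true if ANY of the ip.src / ip.dst fields equals addr."""
    return addr in (p.src, p.dst)

def ip_addr_ne_legacy(p, addr):
    """ip.addr != addr in Wireshark < 3.6: true if ANY field differs from addr.
    Because src and dst are two separate fields, this matches nearly everything."""
    return p.src != addr or p.dst != addr

def ip_addr_ne_modern(p, addr):
    """ip.addr != addr in Wireshark >= 3.6, equivalent to !(ip.addr == addr):
    true only if NO field equals addr. This is what the tutorial text intends."""
    return not ip_addr_eq(p, addr)

def filter_dns_with(addr):
    """ip.addr == addr && dns"""
    return [p.no for p in CAPTURE if ip_addr_eq(p, addr) and "dns" in p.protocols]

def filter_dns_without(addr, legacy=False):
    """ip.addr != addr && dns, under old or new semantics for !="""
    ne = ip_addr_ne_legacy if legacy else ip_addr_ne_modern
    return [p.no for p in CAPTURE if ne(p, addr) and "dns" in p.protocols]

def filter_http_between(src, dst):
    """http && ip.src==src && ip.dst==dst (one direction of the conversation)"""
    return [p.no for p in CAPTURE
            if "http" in p.protocols and p.src == src and p.dst == dst]

if __name__ == "__main__":
    print("ip.addr == 192.168.1.3 && dns  ->", filter_dns_with("192.168.1.3"))
    print("ip.addr != 192.168.1.2 && dns (>=3.6) ->", filter_dns_without("192.168.1.2"))
    print("ip.addr != 192.168.1.2 && dns (<3.6)  ->", filter_dns_without("192.168.1.2", legacy=True))
    print("http && ip.src==192.168.1.3 && ip.dst==172.217.4.77 ->",
          filter_http_between("192.168.1.3", "172.217.4.77"))
```

Packet 3 is the one to watch: under the old semantics it slips through the "not my device" filter because its destination is not 192.168.1.2, even though its source is. If you need a filter that behaves the same on every Wireshark version, write !(ip.addr == 192.168.1.2) && dns.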
Individual packets of interest can be opened in a separate window by double-clicking on them. You can also follow a stream of packets by right-clicking on a packet and clicking Follow and then selecting the type of stream(s) that the packet is a part of.
Sniffing for a Man in the Middle
Now we are going to initiate a Man in the Middle (MitM) attack while using Wireshark to sniff for TLS/SSL exchanges and browser cookies that could be used to hijack a browser session. In a MitM attack the attacker tricks two devices into sending all of their packets to the attacker's device instead of directly to each other, while the attacker actively eavesdrops on these packets and then forwards them to avoid interrupting the connection. In this part of the tutorial I will be using the Linux tool ettercap to automate the process of ARP cache poisoning to create a MitM between a target device and a wireless router. Before we initiate an ARP cache poisoning attack we need to ensure that our interface is set to forward packets by issuing the following command: sysctl -w net.ipv4.ip_forward=1
We then start a new capture in Wireshark and open ettercap to initiate the ARP poisoning.
Upon opening ettercap I select Hosts > Scan for Hosts on the menu bar. After ettercap has finished identifying hosts I CTRL+click my target computer's IP (192.168.1.3, in this instance) and the router's IP, and then on the menu click Mitm > Arp Poisoning.
A window appears and I will check Sniff remote connections.
Now that I am attempting ARP poisoning I will go to Wireshark and see if there are any interesting packets.
You will notice the ARP poisoning packets telling the router and the target device the misleading information. Now that we are eavesdropping on the connections between the router and the target we can search for vulnerabilities using Wireshark. In this instance I am using the display filter:
ip.addr == 192.168.1.3 && ssl
This will display for me the packets captured from the MitM target that involve SSL.
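From the defender's side, the "misleading information" in those ARP packets is what a capture analyst looks for: the same IP address being claimed by two different MAC addresses within a short time. Wireshark flags this itself in the ARP dissector's expert info as "Duplicate IP address detected" (display filter field arp.duplicate-address-detected). The following Python script is an added example, not part of the original tutorial and not Wireshark code: it parses raw Ethernet+ARP frames with the standard library and raises an alert whenever an IP that was already bound to one MAC is answered for by another. The frames, MAC addresses and IP addresses are constructed in memory purely to stand in for a saved capture; nothing is put on the wire.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def sample_frame(op, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame as bytes. Used only to build the
    constructed sample capture below (nothing is sent; this stands in for a .pcapng)."""
    eth_dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(tha)
    eth = eth_dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
           + mac_bytes(sha) + IPv4Address(spa).packed    # sender MAC / IP
           + mac_bytes(tha) + IPv4Address(tpa).packed)   # target MAC / IP
    return eth + arp

# Constructed addresses: legitimate router, legitimate target, and a rogue host
ROUTER_MAC, TARGET_MAC = "00:11:22:33:44:01", "00:11:22:33:44:03"
ROGUE_MAC = "de:ad:be:ef:00:01"

SAMPLE_CAPTURE = [
    sample_frame(ARP_REQUEST, TARGET_MAC, "192.168.1.3", "00:00:00:00:00:00", "192.168.1.1"),
    sample_frame(ARP_REPLY, ROUTER_MAC, "192.168.1.1", TARGET_MAC, "192.168.1.3"),
    # The two frames below are what a poisoning attempt looks like in a capture:
    sample_frame(ARP_REPLY, ROGUE_MAC, "192.168.1.1", TARGET_MAC, "192.168.1.3"),
    sample_frame(ARP_REPLY, ROGUE_MAC, "192.168.1.3", ROUTER_MAC, "192.168.1.1"),
]

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42])),
    }

def detect_conflicts(frames):
    """Alert when an IP already bound to one MAC is claimed by a different MAC.
    Returns (frame_no, ip, first_mac, conflicting_mac) tuples."""
    bindings = {}   # sender IP -> first sender MAC seen for it
    alerts = []
    for no, frame in enumerate(frames, 1):
        arp = parse_arp(frame)
        if arp is None:
            continue
        first = bindings.setdefault(arp["spa"], arp["sha"])
        if first != arp["sha"]:
            alerts.append((no, arp["spa"], first, arp["sha"]))
    return alerts

if __name__ == "__main__":
    for no, ip, first, other in detect_conflicts(SAMPLE_CAPTURE):
        print(f"frame {no}: {ip} was {first}, now also claimed by {other}")
```

On a real capture you would feed the detector the frames of a pcap instead of SAMPLE_CAPTURE; the same two-MACs-one-IP condition is what the arp.duplicate-address-detected filter surfaces in the Wireshark GUI, and a gateway IP being re-bound to a non-router MAC is the finding worth acting on.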
The Exploit
There are several ways in which attackers exploit a target once a MitM has been established. Hijacking the cookies of a browser session can allow an attacker to log in to accounts associated with the target device with ease, exposing the target to a significant security breach. This type of attack is known as Session Hijacking. One of the more common methods to facilitate this attack is to use the Linux packages ferret and hamster. In this exploit we have three tools performing activities that enable the compromise. Ettercap initiates an ARP poisoning attack, tricking the target and the router into forwarding all packets through the attacker's device. Ferret sniffs the cookies during this transaction, stealing the target's cookies. Finally, hamster is used to replace the attacker's cookies with the target's, giving the attacker hijacked browser sessions for any of the cookies that were compromised.
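The attack above only works on cookies that cross the wire in the clear, which is also what makes it easy to assess from a capture. As an added example (not part of the original tutorial, and not ferret or hamster code), the following Python script audits a constructed capture the way a defender would: for plaintext HTTP packets it reports which cookie names were readable on the path, checks each Set-Cookie for the Secure and HttpOnly attributes that stop a cookie from being sent over plaintext or read by script, and treats SSL/TLS packets as opaque, since a passive sniffer on the path cannot see their contents. The packets, host name and cookie names are constructed; cookie values are never reported.

```python
# Constructed capture: (protocol as Wireshark would label it, raw payload bytes)
SAMPLE_CAPTURE = [
    ("http", b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
             b"Cookie: sessionid=abc123; theme=dark\r\n\r\n"),
    ("http", b"HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc123; Path=/\r\n"
             b"Content-Length: 0\r\n\r\n"),
    # A TLS record: the sniffer sees only ciphertext, so nothing can be audited here
    ("ssl", b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"),
]

def headers_of(raw):
    """Split an HTTP message head into (start line, [(name_lowercase, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hdrs = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs.append((name.strip().lower(), value.strip()))
    return lines[0], hdrs

def cookie_names(cookie_header):
    """Names from a request Cookie header; values are deliberately discarded."""
    return [part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if "=" in part]

def missing_cookie_flags(set_cookie):
    """Which of Secure / HttpOnly a Set-Cookie header lacks (attribute names are
    case-insensitive; the first segment is name=value, the rest are attributes)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]

def audit(capture):
    """Return (packet_no, finding, [names...]) for cookies exposed in plaintext HTTP."""
    findings = []
    for no, (proto, raw) in enumerate(capture, 1):
        if proto != "http":
            continue  # encrypted payload: not readable by a passive sniffer
        _, hdrs = headers_of(raw)
        for name, value in hdrs:
            if name == "cookie":
                findings.append((no, "cookie-in-clear", cookie_names(value)))
            elif name == "set-cookie":
                cname = value.split("=", 1)[0].strip()
                findings.append((no, "set-cookie-in-clear", [cname]))
                missing = missing_cookie_flags(value)
                if missing:
                    findings.append((no, "missing-flags", [cname] + missing))
    return findings

if __name__ == "__main__":
    for no, finding, names in audit(SAMPLE_CAPTURE):
        print(f"packet {no}: {finding}: {', '.join(names)}")
```

The findings on the sample are the two halves of the fix: serve the session over TLS so the Cookie header is never visible in an "http" packet, and set the cookie with Secure (and HttpOnly) so the browser refuses to send it over plaintext even if an attacker downgrades a link.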
Conclusion
Wireshark is a great way to get familiar with the communication processes that happen behind the scenes in networks. I encourage you to further familiarize yourself with Wireshark by checking out the manual, wiki and even the man page on Linux. Wireshark's functionality is also not limited to just Ethernet and Wi-Fi; it is also capable of sniffing on a Bluetooth interface and any radio signals through an SDR (Software Defined Radio) interface. Knowing how to use Wireshark effectively can make network troubleshooting easier. Understanding how packets flow through interfaces and what it looks like when malicious activity is occurring is a skill that cybersecurity experts must master. Using Wireshark often and in a variety of network configurations and environments is a quick way to learn how to keep networks safe and where their vulnerabilities are.