Analyze Network Packets with Wireshark: A Short Tutorial

Anyone fascinated by computer networks and how they connect remote locations around the world must have wondered how it all works. Tiny chunks of data flow continuously through thin wires, or even without wires, and a moment later Wikipedia is displaying all the information known to mankind. When you type google.com into your favorite browser, what kind of data is sent, and how can you see it? If you want to see “packet data” in action, what you need is a network analyzer, also called a sniffer.

For a developer, this kind of software is quite useful, as it captures live data and shows exactly what is being sent. Although sniffers have other uses, both useful and evil, this article covers how to use a tool called “Wireshark” to analyze the network data being sent.

The software is available for both Windows and *nix. It is open-source software and is updated regularly.

If you are using Windows, just download the setup and install it. Wireshark comes bundled with WinPcap, a set of libraries that allows Wireshark to capture packets in real time. During installation a message appears suggesting:

“Start the WinPcap service “NPF” at startup”

Allowing NPF to start at boot lets users without admin privileges run captures. If you decline, the NPF service must be started manually, from a command prompt with administrator privileges, each time before running Wireshark:

net start npf

The following command stops the service:

net stop npf

Ubuntu users can simply search for Wireshark in the Synaptic package manager and let it do the rest. Other Linux/UNIX users should refer to the official documentation on the Wireshark website. On Linux, Wireshark needs to be run with root privileges to capture.

To capture live packets, click on the network interface you want Wireshark to listen on. If you are not sure which interface is in use, go to the capture options and look at the interface list: a small window shows the number of packets received on each interface, and the one with the most packets is probably the one connected to your LAN or directly to the Internet.

Once you have selected the correct interface, Wireshark begins to display every frame your computer sends or receives on it.

You can view packet details by clicking on a packet. The details are displayed the way they were received, that is, in their encapsulated form: the Ethernet frame appears first, then the IP header, and so on.

Note that Wireshark cannot capture wireless data on its own; special hardware (such as a dedicated wireless USB adapter) is required. CACE Technologies developed such a product, called AirPcap.

FILTERS:

If you want to see only the packets of a particular protocol, IP address, port number, or any of a variety of other parameters, you can set up a ‘filter’, i.e. an expression that selects and displays only the requested traffic.

Programmers, especially C/C++ users, will find it quite easy to write filters because the syntax is similar.

For example, to display only TCP traffic, simply enter tcp in the filter field and click Apply. If you want everything except TCP, put ! before tcp, i.e. !tcp. Almost all major protocols are supported, at least the upper-layer ones.

What if you want traffic from a particular IP address? Just use the ip.src or ip.dst field.

For example, to filter and display traffic from 192.168.32.1, enter

ip.src==192.168.32.1

Note the use of two = signs.

Suppose we want to see only TCP traffic coming from 192.168.32.1. Here we want two conditions to be true at the same time, hence the && operator. The input to the filter field becomes

ip.src==192.168.32.1 && tcp

Likewise, if we want to see TCP or UDP traffic coming from 192.168.32.1, the situation is slightly more complex: either the packet must be TCP and its source IP must be 192.168.32.1, OR the packet must be UDP and its source IP must be 192.168.32.1. This is where the OR operator, ||, comes into play. The filter becomes:

ip.src==192.168.32.1 && (tcp || udp)

Wireshark first checks whether ip.src equals 192.168.32.1; if so, it checks whether the protocol is TCP or UDP. If that is also true, the whole expression evaluates to true and that packet is displayed.

As a final example, if we want TCP traffic from 192.168.32.1 with source port 100 or 200 and destination port 121 or 221, the filter becomes:

ip.src==192.168.32.1 && tcp && (tcp.srcport == 100 || tcp.srcport == 200) && (tcp.dstport == 121 || tcp.dstport == 221)
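The filter examples above, as an added example that is not part of the original article: a small Python evaluator for the subset of Wireshark display-filter syntax used here (bare protocol names, field==value, !, &&, || and parentheses), run over a few constructed sample packets. It is a toy re-implementation written for illustration, not Wireshark's own filter engine, and the PACKETS list is made up.

```python
import re
# Constructed sample packets (not real traffic); a present key means the field exists.
PACKETS = [
    {"ip.src": "192.168.32.1", "tcp": True, "tcp.srcport": 100, "tcp.dstport": 121},
    {"ip.src": "192.168.32.1", "udp": True, "udp.srcport": 53, "udp.dstport": 53},
    {"ip.src": "10.0.0.9", "tcp": True, "tcp.srcport": 443, "tcp.dstport": 52000},
    {"ip.src": "192.168.32.1", "tcp": True, "tcp.srcport": 200, "tcp.dstport": 300},
]
# Tokens: ==, &&, ||, parentheses, ! and names/values such as tcp.srcport or 192.168.32.1
TOKEN = re.compile(r"==|&&|\|\||[()!]|[\w.]+")

def tokenize(expr):
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported characters in filter: {expr!r}")
    return toks

def parse(toks):
    """Recursive descent; precedence from loosest to tightest: ||, &&, !, atom."""
    pos = [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def p_or():
        node = p_and()
        while peek() == "||": take(); node = ("or", node, p_and())
        return node
    def p_and():
        node = p_not()
        while peek() == "&&": take(); node = ("and", node, p_not())
        return node
    def p_not():
        if peek() == "!": take(); return ("not", p_not())
        return p_atom()
    def p_atom():
        tok = take()
        if tok == "(":
            node = p_or()
            if take() != ")": raise ValueError("expected )")
            return node
        if peek() == "==": take(); return ("eq", tok, take())
        return ("present", tok)  # bare protocol or field name, e.g. tcp
    tree = p_or()
    if pos[0] != len(toks): raise ValueError("unexpected trailing tokens")
    return tree

def evaluate(node, pkt):
    kind = node[0]
    if kind == "present": return node[1] in pkt
    if kind == "not": return not evaluate(node[1], pkt)
    if kind == "and": return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or": return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    return node[1] in pkt and str(pkt[node[1]]) == node[2]  # eq; absent field is false

def apply_filter(expr, packets=PACKETS):
    tree = parse(tokenize(expr))  # returns indices of the packets the filter would show
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]
```

Note that a comparison on a field the packet does not carry (tcp.srcport on a UDP packet) is simply false, which is why the last filter only matches packet 0.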

FOLLOW A STREAM:

One of the best features of Wireshark is the ability to “follow” a conversation. When a TCP connection is established, a two-way virtual channel is created over which the two endpoints communicate. The Follow TCP Stream function reassembles the application-layer data exchanged over that connection and displays it in strict chronological order. This is very useful for analyzing what kind of data is actually being exchanged at the application layer.

SEARCH PACKET DATA:

With the packet search option you can search the captured packets for a particular string. The option is neatly hidden in the Find Packet dialog, under the String radio button.

PROMISCUOUS MODE:

Promiscuous mode is another great feature that helped make this software (previously known as Ethereal) one of the most popular sniffers and network analysis tools. These two interesting topics deserve a proper explanation and a page of their own!
