How to identify network abuse with wireshark

Ethernet networks can run remarkably well for long periods of time, lulling IT admins into a false sense of security. Unfortunately, disaster can strike at any time, and to the under-equipped, network issues can be downright debilitating.

Some of the most serious network problems can include broadcast storms, in which a defective or misconfigured network device floods the network with traffic. Broadcast storms tend to amplify themselves until they completely shut down your network, which is bad. Another common threat is a malware-infected computer, which can send a barrage of e-mail or attempt to replicate to computers on your LAN or across the internet. An infected computer can slow down internet traffic and put you on bad terms with your ISP.

And sometimes a single user can use so much bandwidth that it affects other users on the network. Perhaps they’re using peer-to-peer file sharing software, consuming excessive streaming audio or video, or just downloading lots of large files.

Fully understanding everything that’s happening on your Ethernet network is truly a herculean task, but with common sense and some practical tools, a jack-of-all-trades IT person can track down these basic problems.

One network tool that every IT person should know about is Wireshark (previously Ethereal). Wireshark is a freeware network packet analyzer that captures network packets and displays detailed packet data. It’s a very cool tool, and it will give you a newfound respect for just how much and how varied the data that traverses your Cat 5e cable is.

Wireshark captures all of the activity on your network and lets you sort through it at your leisure. Select ‘Statistics’, ‘Conversations’, and then open the ‘IPv4’ tab to see data listed for such criteria as ‘Bytes’.

When first launching Wireshark, it’s easy to become intimidated. It’s extremely powerful and offers a myriad of options. However, there are only a few basics that you need to know before you begin.

First, you need to know what traffic you’re actually monitoring. Back in the day when hubs were common, all traffic was transmitted to all ports. As you can imagine, that didn’t scale very well. Switches are a refinement of hubs in that they discover the hardware addresses associated with each port and only transmit relevant traffic between ports. This means if you just plug your computer running Wireshark into any available switch port, you’ll only be able to see traffic to and from your computer and broadcast/multicast traffic: interesting, but not always useful.

In order to examine traffic on an ethernet port other than the one your computer is plugged into, you need to mirror your ports. Port mirroring is a feature on managed switches that allows traffic from one or more ports to be mirrored onto an alternate port for the purpose of monitoring. Depending on the situation, you may want to mirror all ports on a switch or just one relevant one (like the port your Internet connection is plugged into). You’ll need to consult the documentation for your particular switch, but on my 24-port Netgear switch, I was able to mirror the necessary ports using a simple browser interface.

After installing and launching Wireshark, you’ll want to capture some network traffic. Choose Capture and then Options. Select the correct interface, and click Start. Once you have an idea of what kind of traffic you’re looking for, you can use the filters feature to capture specific packet types or omit specific traffic types. On the Options menu, you can also specify the amount of time or amount of data you want Wireshark to capture before stopping. This is useful since if Wireshark is run for an extended period of time, the file sizes can become unmanageably large. Click Start, and you’ll see traffic flowing in real time. If you haven’t configured an automatic stop, stop Wireshark when you’ve captured as much data as you want.

The challenge now is to figure out what to do with all this data. If you’re looking for something that’s bringing your network to a halt, the key task is to pinpoint the source of traffic. One way to do this is to select Statistics and then Conversations. Click the IPv4 tab, and from here you can sort by a number of things including ‘Bytes’ (you can use this figure to pinpoint a computer that’s generating an inordinate amount of traffic). If you’re looking for a particular type of traffic, you can choose Analyze and then Enabled protocols, and check only the specific protocols you’re trying to locate.
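
The same ranking can be produced on the command line. The script below is an added example, not part of the original article: it sums bytes per IPv4 conversation and per sender from tshark field output, mirroring the Conversations view sorted on ‘Bytes’. The file name capture.pcap and the sample rows are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article).
# Input on stdin: one line per packet, "ip.src<TAB>ip.dst<TAB>frame.len",
# which tshark produces with (capture.pcap is a placeholder name):
#   tshark -n -r capture.pcap -Y ip -T fields -e ip.src -e ip.dst -e frame.len

TAB=$(printf '\t')

# Bytes and packets per conversation, largest first.
# $1 = number of rows to show (default 10).
top_conversations() {
    awk -F '\t' '
        NF == 3 && $3 ~ /^[0-9]+$/ {
            # A->B and B->A belong to one conversation, so order the pair.
            # Appending "" forces a string comparison of the addresses.
            if (($1 "") < ($2 "")) key = $1 " <-> " $2
            else                   key = $2 " <-> " $1
            bytes[key] += $3
            pkts[key]++
        }
        END { for (k in bytes) printf "%.0f\t%d\t%s\n", bytes[k], pkts[k], k }
    ' | LC_ALL=C sort -t "$TAB" -k1,1nr -k3,3 | head -n "${1:-10}"
}

# Bytes sent per source address, largest first: the single machine that is
# generating an inordinate amount of traffic ends up on the first line.
top_senders() {
    awk -F '\t' '
        NF == 3 && $3 ~ /^[0-9]+$/ { sent[$1] += $3 }
        END { for (h in sent) printf "%.0f\t%s\n", sent[h], h }
    ' | LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Constructed sample rows (documentation and private addresses), standing in
# for real tshark output so the script runs without a capture file.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        192.168.1.64 203.0.113.9  1500 \
        203.0.113.9  192.168.1.64 60 \
        192.168.1.64 203.0.113.9  1500 \
        192.168.1.20 198.51.100.7 400 \
        198.51.100.7 192.168.1.20 1200 \
        192.168.1.64 198.51.100.7 1500
}

echo "bytes, packets, conversation:"
sample_rows | top_conversations 3
echo "bytes sent, host:"
sample_rows | top_senders 3
```

With a real capture, replace `sample_rows` with the tshark command from the header comment.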

There’s really a ton you can do with Wireshark. It’s an incredibly flexible and useful tool that can help you locate problems in your network, and also educate you about the kinds of traffic you’ve got traversing your wires. It can be a handful at first, but this tool is worth learning and having at your beck and call.

Michael Scalisi is an IT manager based in Alameda, California.

Posted by: Mohammed Semari | Published: March 27, 2017| Updated: March 27, 2017

Wireshark is the Swiss Army knife of network analysis tools. Whether you’re looking for peer-to-peer traffic on your network or just want to see what websites a specific IP address is accessing, Wireshark can work for you.

We’ve previously given an introduction to Wireshark, and this post builds on our previous posts. Bear in mind that you must be capturing at a location on the network where you can see enough network traffic. If you do a capture on your local workstation, you’re likely to not see the majority of traffic on the network. Wireshark can do captures from a remote location; check out our Wireshark tricks post for more information on that.

Identifying Peer-to-Peer Traffic

Wireshark’s protocol column displays the protocol type of each packet. If you’re looking at a Wireshark capture, you might see BitTorrent or other peer-to-peer traffic lurking in it.

You can see just what protocols are being used on your network from the Protocol Hierarchy tool, located under the Statistics menu.

This window shows a breakdown of network usage by protocol. From here, we can see that nearly 5 percent of packets on the network are BitTorrent packets. That doesn’t sound like much, but BitTorrent also uses UDP packets. The nearly 25 percent of packets classified as UDP Data packets are also BitTorrent traffic here.

We can view only the BitTorrent packets by right-clicking the protocol and applying it as a filter. You can do the same for other types of peer-to-peer traffic that may be present, such as Gnutella, eDonkey, or Soulseek.

Using the Apply Filter option applies the filter “bittorrent.” You can skip the right-click menu and view a protocol’s traffic by typing its name directly into the Filter box.

From the filtered traffic, we can see that the local IP address of 192.168.1.64 is using BitTorrent.

To view all the IP addresses using BitTorrent, we can select Endpoints in the Statistics menu.

Click over to the IPv4 tab and enable the “Limit to display filter” check box. You’ll see both the remote and local IP addresses associated with the BitTorrent traffic. The local IP addresses should appear at the top of the list.

If you want to see the different types of protocols Wireshark supports and their filter names, select Enabled Protocols under the Analyze menu.

You can start typing a protocol to search for it in the Enabled Protocols window.

Monitoring Website Access

Now that we know how to break traffic down by protocol, we can type “http” into the Filter box to see only HTTP traffic. With the “Enable network name resolution” option checked, we’ll see the names of the websites being accessed on the network.

Once again, we can use the Endpoints option in the Statistics menu.

Click over to the IPv4 tab and enable the “Limit to display filter” check box again. You should also ensure that the “Name resolution” check box is enabled or you’ll only see IP addresses.

From here, we can see the websites being accessed. Advertising networks and third-party websites that host scripts used on other websites will also appear in the list.

If we want to break this down by a specific IP address to see what a single IP address is browsing, we can do that too. Use the combined filter http and ip.addr == [IP address] to see HTTP traffic associated with a specific IP address.

Open the Endpoints dialog again and you’ll see a list of websites being accessed by that specific IP address.

This is all just scratching the surface of what you can do with Wireshark. You could build much more advanced filters, or even use the Firewall ACL Rules tool from our Wireshark tricks post to easily block the types of traffic you’ll find here.

Introduction

In this post, I’ll discuss how to identify suspicious network traffic using Wireshark and Process Monitor.

The case

I started the packet capture on my PC with Wireshark and one thing caught my attention: many packets sent by the file server were intended for a PC that no longer exists on the network!

So why is the file server with the IP address 10.x.x.6 sending NBNS (NetBIOS Name Service) queries to the host BOULWA-XP, asking for its IP address?

Wireshark can show me the packets sent from the file server to the specific host, but it can’t tell me which program or service running on the file server is responsible for this traffic.

To find this program or service, I used Process Monitor from the Sysinternals tools. I started the capture for a few seconds, then searched for the string “BOULWA-XP”. In the result we can see the name of the process at the origin of the query; in this case, it’s spoolsv.exe. Next, I applied a filter to keep only the traces related to spoolsv.exe.

In the filtered trace, we can also see the spoolsv.exe process accessing the “HKCU\Printers\Connections\, BOULWA-XP, Microsoft XPS Document Writer” registry key. This means that there is a connection to the printer “Microsoft XPS Document Writer” on the host BOULWA-XP. This can be verified by opening the printers location in the Control Panel.

The Solution

By deleting this printer from the control panel, the network traffic related to this printer disappears from the network.

I would like to somehow configure wireshark to display the device name (such as Bobs.iPhone or Bob.iMac) rather than the local IP (such as 192.168.1.172) — I’ve already configured Wireshark to resolve external IPs, but can’t figure out how to do the same for local IPs. I don’t have access to the router control panel, and am using a mac.

asked 22 Jul ’17, 19:22

Once you have enabled “Resolve Network Address” under Name Resolution in the View menu, you can right-click on the private IP address and click on “Edit Resolved name”. There you will get an edit bar at the top to display whatever you wish.

answered 22 Jul ’17, 20:56

Rooster_50

Thank you for your message — unfortunately, I’m looking for the name to be automatically displayed, as I have no idea what the names of the internal IPs are (I’m sure there’s some way to check using a 3rd party tool, but I’d like it to be automatic, if possible)

unfortunately, I’m looking for the name to be automatically displayed, as I have no idea what the names of the internal IPs are

In order for the name to be automatically displayed:

  • somebody has to have an idea what the names of the internal IPs are;
  • that somebody has to make that information available in some form that Wireshark can access.

So the first step is to find that somebody and ask them where to get the mappings of IP addresses to names in a form that Wireshark can use (which would either be a hosts file or a DNS server).

If the devices obtain IP address via DHCP, some DHCP servers can set a DNS Dynamic update (A and PTR record). This would allow Wireshark (if querying the local DNS server) to resolve the internal addresses.

I’m completely new to Wireshark and I would like to know the correct way to determine all of the protocols that are used on the network in a specific capture. Please can someone help me?

asked 24 Apr ’13, 06:23

harry82

answered 24 Apr ’13, 06:51

Kurt Knochner ♦

One should add that the Protocol Hierarchy only shows what Wireshark has been able to determine. So if there is a protocol that Wireshark doesn’t know or which runs on a port it doesn’t recognize, it will not appear in the statistics.

Thank you all for your time, it is most appreciated

Another way (if you’re more command-line oriented) is to use “tshark -T fields -eframe.protocols -nr filename.pcap” and then do some work to sort and unique the output. There’s even a simple script in the Wireshark source code distribution (tools/list_protos_in_cap.sh) that does this for you. Basically what it does (after error checking, etc.) is:

(Note that this is using the *NIX utilities ‘tr’ and ‘sort’ which probably don’t exist on Windows unless you have Cygwin installed.)

answered 24 Apr ’13, 07:19
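
The sort-and-unique step described in the answer above, and the caveat about traffic Wireshark cannot identify, can be sketched as follows. This is an added example, not the list_protos_in_cap.sh script from the Wireshark sources and not code from any of the posters; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the list_protos_in_cap.sh script from the Wireshark sources).
# Input on stdin: one frame.protocols value per line, as printed by
#   tshark -T fields -e frame.protocols -nr filename.pcap

TAB=$(printf '\t')

# Number of frames in which each protocol layer appears, most common first.
# A layer is counted once per frame even if it repeats (tunnelled traffic).
protocol_inventory() {
    awk -F ':' '
        $0 != "" {
            split("", seen)                 # empty the per-frame set
            for (i = 1; i <= NF; i++)
                if (!($i in seen)) { seen[$i] = 1; frames[$i]++ }
        }
        END { for (p in frames) printf "%d\t%s\n", frames[p], p }
    ' | LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2
}

# Frames whose innermost layer is the generic "data" dissector, meaning
# Wireshark did not recognise the payload. A large share here is traffic the
# protocol list above cannot name, so it deserves a closer look by port
# and endpoint.
undissected_frames() {
    awk -F ':' '
        $0 != "" { total++; if ($NF == "data") raw++ }
        END { printf "%d of %d\n", raw, total }
    '
}

# Constructed sample, standing in for real tshark output.
sample_protocols() {
    printf '%s\n' \
        'eth:ethertype:ip:tcp:bittorrent' \
        'eth:ethertype:ip:udp:data' \
        'eth:ethertype:ip:udp:data' \
        'eth:ethertype:ip:tcp:http' \
        'eth:ethertype:ip:udp:dns' \
        'eth:ethertype:arp'
}

echo "frames, protocol:"
sample_protocols | protocol_inventory
echo "undissected frames: $(sample_protocols | undissected_frames)"
```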

question asked: 24 Apr ’13, 06:23

question was seen: 6,585 times

last updated: 24 Apr ’13, 10:26

What is HTTP?

First of all, the full form of HTTP is HyperText Transfer Protocol. HTTP is an application layer protocol in the ISO or TCP/IP model. See the picture below to find HTTP, which resides under the application layer.

HTTP is used by the World Wide Web (WWW), and it defines how messages are formatted and transmitted by the browser. So HTTP defines rules for what action should be taken when a browser receives an HTTP command. HTTP also defines rules for transmitting an HTTP command to get data from a server.

For example, when you enter a URL in a browser (Internet Explorer, Chrome, Firefox, Safari, etc.), it actually sends an HTTP command to the server, and the server replies with the appropriate command.

HTTP Methods:

There is a set of methods for HTTP/1.1 (this is the HTTP version):

GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS and TRACE.

We will not go into the details of each method; instead we will get to know the methods that are seen quite often, such as:

GET: A GET request asks for data from the web server. This is the main method used for document retrieval. We will see one practical example of this method.

POST: The POST method is used when it’s required to send some data to the server.

HTTP in Wireshark:

Let’s try something practical to understand how HTTP works.

So in this example we will download “alice.txt” (a data file present on the server) from the “gaia.cs.umass.edu” server.

Steps:

  1. Open the URL [We know the full url for downloading alice.txt] in the computer’s browser.
  2. Now we see the downloaded file in the browser. Here is the screenshot
  3. In parallel, we have captured the packets in Wireshark.

HTTP packet exchanges in Wireshark:

Before we go into HTTP, we should know that HTTP uses port 80 and TCP as the transport layer protocol [We will explain TCP in another topic discussion].

Now let’s see what happens in the network when we put that URL in the browser and press Enter.

Here is the screenshot for

TCP 3-way handshake --> HTTP OK --> TCP Data [content of alice.txt] -->

Now let’s see what’s there inside HTTP GET and HTTP OK packets.

Note: We will explain TCP exchanges in another topic discussion.

HTTP GET:

After the TCP 3-way handshake [SYN, SYN+ACK and ACK packets] is done, the HTTP GET request is sent to the server. Here are the important fields in the packet.

1. Request Method: GET ==> The packet is an HTTP GET.

2. Request URI: /wireshark-labs/alice.txt ==> The client is asking for the file alice.txt present under /wireshark-labs

3. Request version: HTTP/1.1 ==> It’s HTTP version 1.1

4. Accept: text/html, application/xhtml+xml, image/jxr, */* ==> Tells the server which types of file it [the client-side browser] can accept. Here the client is expecting alice.txt, which is a text type.

5. Accept-Language: en-US ==> Accepted language standard.

6. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ==> Client-side browser type. Even though we used Internet Explorer, we see that it almost always says Mozilla.

7. Accept-Encoding: gzip, deflate ==> Accepted encoding on the client side.

8. Host: gaia.cs.umass.edu ==> This is the web server name to which the client is sending the HTTP GET request.

9. Connection: Keep-Alive ==> Connection controls whether the network connection stays open after the current transaction finishes. The connection type is keep-alive.

Here is the screenshot for HTTP-GET packet fields

HTTP OK:

After the TCP data [content of alice.txt] is sent successfully, HTTP OK is sent to the client. Here are the important fields in the packet.
1. Response Version: HTTP/1.1 ==> Here the server is also using HTTP version 1.1
2. Status Code: 200 ==> Status code sent by the server.
3. Response Phrase: OK ==> Response phrase sent by the server.

So from 2 and 3 we get 200 OK, which means the request [HTTP GET] has succeeded.

4. Date: Sun, 10 Feb 2019 06:24:19 GMT ==> Current date and time in GMT when the HTTP GET was received by the server.
5. Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_perl/2.0.10 Perl/v5.16.3 ==> Server details and configuration versions.
6. Last-Modified: Sat, 21 Aug 2004 14:21:11 GMT ==> Last modified date and time for the file “alice.txt”.
7. ETag: “2524a-3e22aba3a03c0” ==> The ETag indicates the content is not changed to assist caching and improve performance. Or if the content has changed, ETags are useful to help prevent simultaneous updates of a resource from overwriting each other.
8. Accept-Ranges: bytes ==> Byte is the unit used by the server for content.
9. Content-Length: 152138 ==> This is the total length of alice.txt in bytes.
10. Keep-Alive: timeout=5, max=100 ==> Keep-alive parameters.
11. Connection: Keep-Alive ==> Connection controls whether the network connection stays open after the current transaction finishes. The connection type is keep-alive.
12. Content-Type: text/plain; charset=UTF-8 ==> The content [alice.txt] type is text and the charset standard is UTF-8.

Here is the screenshot for different fields of HTTP OK packet.

So now we know what happens when we request any file that is present on the web server.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software, and communications protocol development. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark is a cross-platform tool that runs on Linux, Microsoft Windows, macOS, BSD, Solaris, and other Unix-like operating systems.

How To Install Wireshark In Linux?

To install Wireshark, just enter the following command in your terminal:

sudo apt-get install wireshark

Wireshark will then be installed and available for use. If you run Wireshark as a non-root user (which you should), at this stage you will encounter an error message which says “No interface can be used for capturing in this system with the current configuration”. The following steps will rectify this.

Create a Wireshark group.

Add your username to the Wireshark group –

Change the group ownership of file dumpcap to wireshark –

Change the mode of the file dumpcap to allow execution by the group wireshark –

Grant capabilities with setcap –

Verify the change –
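
The six steps above, written out with standard Linux commands, plus a check that the resulting permissions really limit packet capture to the wireshark group. This is an added example, not code from the original article; the path /usr/bin/dumpcap is an assumption, so confirm it on your system first.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a Debian/Ubuntu-style
# layout where dumpcap lives at /usr/bin/dumpcap; confirm with: command -v dumpcap
DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# The six steps above, in order. Needs sudo; log out and back in afterwards
# so the new group membership takes effect.
setup_capture_group() {
    getent group wireshark >/dev/null || sudo groupadd wireshark   # create group
    sudo usermod -a -G wireshark "$(id -un)"                       # add yourself
    sudo chgrp wireshark "$DUMPCAP"                                # group ownership
    sudo chmod 750 "$DUMPCAP"                                      # owner+group only
    sudo setcap cap_net_raw,cap_net_admin=eip "$DUMPCAP"           # grant capabilities
    sudo getcap "$DUMPCAP"                                         # verify
}

# Print one line per permission problem on the dumpcap binary ($1).
# Returns 0 when execution is limited to owner and group, 1 on findings,
# 2 when the path is not a regular file.
dumpcap_mode_findings() {
    path=$1
    rc=0
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path"
        return 2
    fi
    if [ -n "$(find "$path" -prune -perm -0001)" ]; then
        echo "other-execute bit set: every local user can capture packets"
        rc=1
    fi
    if [ -z "$(find "$path" -prune -perm -0010)" ]; then
        echo "group-execute bit missing: wireshark group members cannot run it"
        rc=1
    fi
    if [ -n "$(find "$path" -prune -perm -4000)" ]; then
        echo "setuid bit set: file capabilities are meant to replace setuid"
        rc=1
    fi
    return "$rc"
}

# True when getcap reports both capture capabilities on the binary ($1).
dumpcap_has_capture_caps() {
    caps=$(getcap "$1" 2>/dev/null)
    case $caps in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit only; call setup_capture_group yourself to apply the steps.
dumpcap_mode_findings "$DUMPCAP" || echo "review the findings above"
```

Mode 750 matters as much as the capabilities: with the other-execute bit left on, any local account could run dumpcap and capture traffic.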

What Wireshark Is Used For?

Wireshark has quite an extensive application or use. Here are a few examples of what people use Wireshark for:

  • Network administrators use it to troubleshoot network problems
  • Network security engineers use it to examine security problems
  • Developers use it to debug protocol implementations
  • Others use it to learn network protocol internals

Features At A Glance

The following are some of the many features Wireshark provides:

  • Capture live packet data from a network interface.
  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save packet data captured.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Colorize packet display based on filters.
  • Create various statistics.

How To Use Wireshark To Inspect Network Packets In Linux?

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.

Color Coding

You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.

Conclusion

As I mentioned earlier, Wireshark is available on all platforms but none of these other platforms has the feature parity of Linux.

Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals. Check out this official DOCUMENTATION for more of what you can do with Wireshark.

I need to capture switchport’s packets and see if a correct VLAN is set.

Captured packets don’t have VLAN IDs – the whole header is missing.

Workstation is Windows 10 with latest Intel driver and the driver has working VLAN support.
Also tried ASUS USB ethernet adapter with VLAN support with no success.

I initiate communication with a device (to access web conf GUI), which is plugged in gi1/0/1.

The device is wireless AP, where VLAN 20 is management and VLAN 10 is data.

The Device does not support wireless VLAN tagging and therefore VLAN 20 is tagged and VLAN 10 untagged.

interface gigabitethernet 1/0/1
 switchport mode trunk
 switchport encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20

interface gigabitethernet 1/0/2
 switchport mode trunk
 switchport encapsulation dot1q

monitor session 1 source interface gi1/0/1 both
monitor session 1 destination interface gi1/0/2 encapsulation replicate