Wireshark

Presented by Quang and Nikolas

(Image source)

Background

In 1998, Gerald Combs wanted a tool to help him investigate network problems and learn more about networking in general. Disappointed by the lack of available options at the time, he decided to create his own. He called it Ethereal. (1)

Combs made Ethereal’s code open-source and the application was freely available for anyone to use or modify. The project steadily gained traction among network professionals who were looking for a tool to solve similar problems. Over time, the project gained contributors who implemented new functionality to cover different use cases related to network analysis. In 2006, the project changed its name to Wireshark. (1)

Today, Wireshark is one of the most widely used network protocol analyzers, and remains freely available for anyone to use. Since its inception, over 700 people from around the world have contributed to the project. (2)

Wireshark’s source code can be found on Gitlab and the application can be downloaded from Wireshark’s official website.

What does Wireshark do?

Wireshark is a packet analyzer (or “sniffer”). Before diving into the details of what it does, let’s first understand what a packet is.

The OSI Model and packets

The OSI Model is divided into 7 layers and is meant to provide a conceptual understanding of how data is transmitted across a network. Depending on which layer you are referring to, data can be represented in one of five different ways:

  1. Application Layer -> Data in its full form
  2. Transport Layer -> Segments
  3. Network Layer -> Packets
  4. Data Link Layer -> Frames
  5. Physical Layer -> Bits

For the purposes of understanding Wireshark, we will concern ourselves with the Network layer (number 3). For a large number of cases, data is too large to be sent as a whole. At the Network layer, data is divided into smaller components called packets. Each packet has two components: information and payload. The payload can be thought of as the data itself (e.g. webpage, image, etc.). The information component is kind of like metadata. It contains details such as the sender’s IP address, the recipient’s IP address, how to send the data, and more. It is common to compare a packet to an envelope. The contents of the envelope (i.e. what’s inside) is the payload. Whereas the address and postage stamp are part of the information component. (3)

Wireshark is capable of intercepting and logging these packets as they flow across a network.

You can specify whether you would like to capture the entire packet or only the information component. Once captured, the data can be presented into a human readable format (assuming it is not encrypted).

How does Wireshark work?

In your computer, you have a piece of hardware called a Network Interface Controller (NIC). The NIC is responsible for connecting your computer to a network. Every NIC has a unique MAC address assigned to it at the time of production. Usually your NIC will only capture packets that are destined for your MAC address. (4)

Wireshark places your device’s NIC into “promiscuous mode”. This allows your NIC to capture all packets in your network regardless of whether they are intended for your device. The network traffic gets forwarded to the CPU, and Wireshark is able to store and display this data using a Graphical User Interface. Data can be captured from Wi-Fi, Ethernet, Bluetooth and more. (5)

(Image source)

If you’re interested, the Wireshark engineering team provides a more in-depth explanation of the application’s architecture. You can learn more by visiting this link: https://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html

To summarize the figure above:

  • GUI is reponsible for handling I/O.
  • Enhanced Packet Analyzer (EPAN) analyzes the network packets using the four APIs shown in the figure (e.g. Protocol-Tree).
  • Wiretap reads and writes captured packets from hard disk storage.
  • Capture and Dumpcap Capture Engine can also be used to read packets depending on the user’s platform.

Why is Wireshark useful?

From the very beginning, Wireshark has been designed to be an educational and professional tool for network analysis. Common use cases are: (6)

  • Network administrators investigating issues (e.g. congestion).

  • Network security engineers seeking to discover misuse or vulnerabilities.

  • Quality-assurance engineers who want to assess the quality of network applications.

  • Developers who need to debug network protocols.

  • Students learning about network protocols, network (in)security, and more.

Wireshark can also be used as a tool for hackers. This usually involves reading and writing data transmitted over an unsecure or compromised network. Nefarious actors may seek out confidential data such as credit-card information, passwords, search queries, private messages, emails, financial transactions, and more. Data is sent over an unsecure network (such as Telnet, FTP, HTTP) in plain text form.

For good reason, these network protocols are becoming less relied upon today and are being replaced by an encrypted alternative (7). These secure protocols include HTTPS, SSH, SFTP, and more. However, if someone is able to retrieve the private cryptographic key for a particular user, their data can be easily unecrypted. Wireshark allows you to enter private keys when analyzing packets making the payload visible in plain text form.

Regardless of what protocol you use, information such as IP addresses, domain names, and size of payload can be seen.

How to protect yourself against packet capture

  • Avoid public Wi-Fi: Hackers connected to the same network can potentially view all your online activity.
  • Use a Virtual Private Network (VPN): VPNs encrypt transmitted data and hides your IP address.
  • Avoid unsecure protocols: Outdated protocols such as HTTP, Telnet and FTP should be replaced with their encrypted alternative.

References

  1. https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html
  2. https://github.com/wireshark/wireshark/graphs/contributors
  3. https://en.wikipedia.org/wiki/Network_packet
  4. https://en.wikipedia.org/wiki/Network_interface_controller
  5. https://en.wikipedia.org/wiki/Wireshark
  6. https://www.avg.com/en/signal/what-is-sniffer
  7. https://etherealmind.com/percentage-of-https-tls-encrypted-traffic-on-the-internet/
  8. [Chapter 6 How Wireshark works](https://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html)
  9. Wireshark User Interface (GUI) Overview