All your internet traffic arrives broken up into ‘packets’. They all come labelled as different types, depending on whether they were for email, or web, or other services connected to your network… some of them are bits of pictures or videos which get reassembled at the other end, just like Mike Teavee from Charlie and the Chocolate Factory.
Wireshark lets you look at packets travelling through your network, either in real time or from a recording. You can look at the traffic flow of lots of packets, or the inner contents of individual packets.
Looking at the flow of lots of packets at once (traffic analysis) can let you know if someone is trying to flood your network with a particular type of packet, or if an unusual packet type is arriving, or if loads of packets are coming from, or going to, one particular place. So it lets you spot unusual things in the overall packet traffic. Of course, to do this, you need to have an idea about what is normal and expected, or what particular attack types look like.
Looking at the inside contents of individual packets can give more detailed information about whether they have some unusual or unexpected content. Again, this requires you to understand what you might expect to see on the inside, so you can identify what shouldn’t be there.
Another reason you might want to look at traffic flow or the insides of packets is to try to forensically piece together what someone was trying to do, or what information they were trying to get into or out of your network. You can also work out exactly what information is being transmitted to or from one particular device.
This can be a whole lot of really technical information though, and an absolute flood of packets all at once! It’s really overwhelming even if you do understand all the protocols and acronyms. But don’t worry, Wireshark is built to help you. Just have patience, it’s normal to be confused at first! A really powerful part of Wireshark is its filters, so learning how to use them well is the best thing you can do to improve your skills with this program. You can filter types of packets in lots of ways, but also filter all the traffic from one source, or to one destination. You can also extract data from packets, in case you would like to export and reconstruct images, for example.
To start with it’s probably best not to connect live to your own network because you’ll feel overwhelmed looking at all the packets. Try a pre-recorded capture of packets (a PCAP file) to have a look and get your bearings. Here is a small one to start you off: https://www.cloudshark.org/captures/0012f52602a3
- Can you find the HTTP GET request?
- Have a look at all the information you can find out about the User Agent (browser) in the HTTP section.
- When you look at the contents in CloudShark you will get the raw HTTP text, but in Wireshark it will helpfully tell you at the bottom which frame the response is in.
- In Wireshark, if you Choose File -> Export Objects -> HTTP, you can save the file which was transferred.
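To see what Wireshark is doing under the hood for the exercises above, here is an added example (not code from this post) in plain Python: a tiny dissector over a constructed three-frame capture (the IP addresses, port and User-Agent are made up) that finds the HTTP GET request, pulls out the User-Agent header, and reports which frame holds the response, just as the ‘http’ display filter and the packet details pane do.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload (minimal headers, checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload

def dissect(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                            # IP header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset)

def http_summary(frames):
    """Like the display filter http.request.method == "GET": list each GET with its
    User-Agent and the frame number of the reply (same 4-tuple reversed, HTTP/ payload)."""
    results = []
    for i, frame in enumerate(frames, start=1):             # Wireshark numbers frames from 1
        d = dissect(frame)
        if d is None or not d[4].startswith(b"GET "):
            continue
        src, dst, sport, dport, payload = d
        headers = payload.split(b"\r\n")
        ua = next((h.split(b": ", 1)[1].decode() for h in headers
                   if h.lower().startswith(b"user-agent:")), None)
        reply = next((j for j, f in enumerate(frames[i:], start=i + 1)
                      if (x := dissect(f)) and x[:4] == (dst, src, dport, sport)
                      and x[4].startswith(b"HTTP/")), None)
        results.append({"frame": i, "src": src, "dst": dst, "request": headers[0].decode(),
                        "user_agent": ua, "response_frame": reply})
    return results

# Constructed three-frame capture: an empty ACK, the GET, and the server's reply.
FRAMES = [
    build_frame("192.168.1.10", "203.0.113.5", 50123, 80, b""),
    build_frame("192.168.1.10", "203.0.113.5", 50123, 80,
                b"GET /image.png HTTP/1.1\r\nHost: example.com\r\nUser-Agent: ExampleBrowser/1.0\r\n\r\n"),
    build_frame("203.0.113.5", "192.168.1.10", 80, 50123,
                b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n\x89PNG"),
]
```

Calling http_summary(FRAMES) reports the GET in frame 2 with its response in frame 3; the bytes after the blank line in that response are what File -> Export Objects -> HTTP writes out for you.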
You can try more PCAPs from http://packetlife.net/captures/ or by Googling, and by trying it out on your own network. Have a look and see if you can identify the devices on your network. Starting small is key, as is practising with the filters!
Here’s a useful video giving you some filter tips: Top 10 Wireshark Filters