30-04-2021

Wireshark



  1. Wireshark Ip.host
  2. Wireshark Ip Puller
  3. Wireshark
  4. Wireshark Command Line
Wireshark
Original author(s)Gerald Combs[1]
Developer(s)The Wireshark team
Initial release1998
Stable release
3.4.4 / March 10, 2021; 42 days ago[2]
Repository
Written inC, C++
Operating systemCross-platform
TypePacket analyzer
LicenseGPLv2[3]
Websitewww.wireshark.org

Wireshark is a free and open-sourcepacket analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.[4]

Wireshark is cross-platform, using the Qtwidget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of version 2 of the GNU General Public License.

Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark is an essential tool for network administrators, but very few of them get to unleash its full potential. Having all the commands and useful features in the one place is bound to boost productivity. Home Wireshark Review WinPcap FAQS Common Issues Wifi Terminology Blog What is a network protocol analyzer? A network protocol analyzer is a combination of programming and hardware and in certain cases, a separate hardware device that can be installed in a network or computer in order to improve its security level against viruses. Wireshark Portable is a very popular, completely free and highly recommended network protocol analyzer. It can view data in real-time and also log the data being sent on a network to a file on disk. As a portable application, Wireshark Portable can be run from virtually anywhere and does not need to be installed; that means no leftovers when.

Functionality[edit]

Wireshark is very similar to tcpdump, but has a graphicalfront-end, plus some integrated sorting and filtering options.

Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller's MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering[citation needed].

On Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.

If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time that they are captured.

History[edit]

In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, was working for a small Internet service provider. The commercial protocol analysis products at the time were priced around $1500[5] and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998.[6] The Ethereal trademark is owned by Network Integration Services.

In May 2006, Combs accepted a job with CACE Technologies. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark.[7] In 2010 Riverbed Technology purchased CACE[8] and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.[9]

Wireshark has won several industry awards over the years,[10] including eWeek,[11]InfoWorld,[12][13][14][15][16] and PC Magazine.[17] It is also the top-rated packet sniffer in the Insecure.Org network security tools survey[18] and was the SourceForge Project of the Month in August 2010.[19]

Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists over 600 additional contributing authors.

Wireshark

Features[edit]

Wireshark is a data capturing program that 'understands' the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

  • Data can be captured 'from the wire' from a live network connection or read from a file of already-captured packets.
  • Live data can be read from different types of networks, including Ethernet, IEEE 802.11, PPP, and loopback.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
  • Captured files can be programmatically edited or converted via command-line switches to the 'editcap' program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.[20]
  • VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
  • Raw USB traffic can be captured.[21]
  • Wireless connections can also be filtered as long as they traverse the monitored Ethernet.[clarification needed]
  • Various settings, timers, and filters can be set to provide the facility of filtering the output of the captured traffic.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange captured network traces with other applications that use the same format, including tcpdump and CANetMaster. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.

Security[edit]

Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/TShark often ran with superuser privileges. Considering the huge number of protocol dissectors that are called when traffic is captured and recognizing the possibility of a bug in a dissector, a serious security risk can be posed. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.[22]

Elevated privileges are not needed for all operations. For example, an alternative is to run tcpdump or the dumpcap utility that comes with Wireshark with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. To emulate near realtime analysis, each captured file may be merged by mergecap into growing file processed by Wireshark. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to perform traffic capture. Platforms that require special privileges to capture traffic need only dumpcap run with those privileges. Neither Wireshark nor TShark need to or should be run with special privileges.

Color coding[edit]

Wireshark can color packets based on rules that match particular fields in packets, to help the user identify the types of traffic at a glance. A default set of rules is provided; users can change existing rules for coloring packets, add new rules, or remove rules.

Simulation packet capture[edit]

Wireshark can also be used to capture packets from most network simulation tools such as ns, OPNET Modeler and NetSim.[23]

See also[edit]

Notes[edit]

  1. ^'Wireshark - About'. The Wireshark Foundation. Retrieved January 30, 2018.
  2. ^'Wireshark 3.4.4 and 3.2.12 Released'. The Wireshark Foundation. March 10, 2021. Retrieved March 10, 2021.
  3. ^'Wireshark FAQ License'.
  4. ^'Wireshark FAQ'. Retrieved December 31, 2011.
  5. ^'Gussied-up NetXRay takes on enterprise features'. InfoWorld. The price is at the top right of the page. November 17, 1997.CS1 maint: others (link)
  6. ^'Q&A with the founder of Wireshark and Ethereal'. Interview with Gerald Combs. protocolTesting.com. Archived from the original on March 7, 2016. Retrieved July 24, 2010.
  7. ^'What's up with the name change? Is Wireshark a fork?'. Wireshark: Frequently Asked Questions. Retrieved November 9, 2007.
  8. ^'Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies'. Riverbed Technology. October 21, 2010. Retrieved October 21, 2010.
  9. ^'enpa-sa-00024'. Ethereal. November 10, 2006. Archived from the original on October 23, 2012. Retrieved June 8, 2010.
  10. ^'Awards and Accolades'. Wireshark: About. Retrieved September 20, 2010.
  11. ^eWEEK Labs (May 28, 2012). 'Wireshark'. The Most Important Open-Source Apps of All Time. eWEEK. Retrieved August 12, 2012.
  12. ^Yager, Tom (September 10, 2007). 'Best of open source in networking'. InfoWorld. Retrieved December 1, 2014.
  13. ^'Best of open source software awards: Networking'. InfoWorld. August 5, 2008. Retrieved April 28, 2015.
  14. ^Mobley, High (September 18, 2012). 'Bossie Awards 2012: The best open source networking and security software'. InfoWorld. Retrieved April 28, 2015.
  15. ^Ferrill, Paul (September 17, 2013). 'Bossie Awards 2013: The best open source networking and security software'. InfoWorld. Retrieved April 28, 2015.
  16. ^Garza, Victor R. (September 29, 2014). 'Bossie Awards 2014: The best open source networking and security software'. InfoWorld. Retrieved April 28, 2015.
  17. ^Lynn, Samara. 'Wireshark 1.2.6'. Wireshark 1.2.6 Review & Rating. PC Magazine. Retrieved September 20, 2010.
  18. ^'Wireshark is No. 1 of Top 14 Packet Sniffers'. Insecure.Org. Retrieved August 12, 2012.
  19. ^'Wireshark, SourceForge Project of the Month, August 2010'. SourceForge. Retrieved August 12, 2012.
  20. ^'Dissector compilation example'. OmniIDL. Retrieved April 18, 2013.
  21. ^'USB capture setup'. Wireshark Wiki. Retrieved December 31, 2011.
  22. ^'CVS log for ports/net/ethereal/Attic/Makefile'. Openbsd.org. Retrieved June 8, 2010.
  23. ^'Wireshark opnet | Transmission Control Protocol | Internet Protocols'. Scribd. Retrieved January 14, 2018.

References[edit]

  • Orebaugh, Angela; Ramirez, Gilbert; Beale, Jay (February 14, 2007). Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress. p. 448. ISBN978-1-59749-073-3.
  • Sanders, Chris (May 23, 2007). Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. No Starch Press. p. 192. ISBN978-1-59327-149-7.
  • Chappell, Laura (March 31, 2010). Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide. Protocol Analysis Institute, dba “Chappell University”. p. 800. ISBN978-1-893939-99-8.
  • Cheok, Roy (July 1, 2014). 'Wireshark: A Guide to Color My Packets'. SANS Institute.Cite journal requires |journal= (help)

External links[edit]

Wikimedia Commons has media related to Wireshark.
  • Official website
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Wireshark&oldid=1018037838'

By

Category: Unit 42

Tags: pcap, tutorial, Wireshark, Wireshark Tutorial

This post is also available in: 日本語 (Japanese)

As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display as described my previous blog about using Wireshark. Today's post provides more tips for analysts to better use Wireshark. It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts.

Pcaps for this tutorial are available here. Keep in mind you must understand network traffic fundamentals to effectively use Wireshark. And you should also have a basic understanding of how malware infections occur. This is not a comprehensive tutorial on how to analyze malicious network traffic. Instead, it shows some tips and tricks for Wireshark filters. This tutorial covers the following areas:

  • Indicators of infection traffic
  • The Wireshark display filter
  • Saving your filters
  • Filters for web-based infection traffic
  • Filters for other types of infection traffic

This tutorial uses examples of Windows infection traffic from commodity malware distributed through mass-distribution methods like malicious spam (malspam) or web traffic. These infections can follow many different paths before the malware, usually a Windows executable file, infects a Windows host.

Indicators consist of information derived from network traffic that relates to the infection. These indicators are often referred to as Indicators of Compromise (IOCs). Security professionals often document indicators related to Windows infection traffic such as URLs, domain names, IP addresses, protocols, and ports. Proper use of the Wireshark display filter can help people quickly find these indicators.

Wireshark's display filter a bar located right above the column display section. This is where you type expressions to filter the frames, IP packets, or TCP segments that Wireshark displays from a pcap.

Figure 1. Location of the display filter in Wireshark.

If you type anything in the display filter, Wireshark offers a list of suggestions based on the text you have typed. While the display filter bar remains red, the expression is not yet accepted. If the display filter bar turns green, the expression has been accepted and should work properly. If the display filter bar turns yellow, the expression has been accepted, but it will probably not work as intended.

Figure 2. Wireshark's display filter offering suggestions based on what you type.

Figure 3. Wireshark's display filter accepts an expression, and it works as intended.

Figure 4. Example of Wireshark's display filter accepting an expression, but it does not work as intended.

Wireshark's display filter uses Boolean expressions, so you can specify values and chain them together. The following expressions are commonly used:

  • Equals: or eq
  • And: && or and
  • Or: || (double pipe) or or

Examples of these filter expressions follow:

  • ip.addr eq 192.168.10.195 and ip.addr 192.168.10.1
  • http.request && ip.addr 192.168.10.195
  • http.request || http.response
  • dns.qry.name contains microsoft or dns.qry.name contains windows

When specifying a value exclude, do not use != in your filter expression. For example, if you want to specify all traffic that does not include IP address 192.168.10.1, use !(ip.addr eq 192.168.10.1) instead of ip.addr != 192.168.10.1 because that second filter expression will not work properly.

As noted in my previous tutorial on Wireshark, I often use the following filter expression as a way to quickly review web traffic in a pcap:

http.request or ssl.handshake.type 1.

The value http.request reveals URLs for HTTP requests, and ssl.handshake.type 1 reveals domains names used in HTTPS or SSL/TLS traffic.

My previous tutorial contains web traffic generated when a user viewed a URL from college.usatoday[.]com in August 2018. In the pcap, the user was on a Windows 10 computer using Microsoft's Edge web browser. Filtering on http.request or ssl.handshake.type 1 outlines the flow of events for this web traffic.

Figure 5. Filtering on web traffic using the previous tutorial's pcap.

However, I also generate pcaps of traffic using Windows 7 hosts, and this traffic includes HTTP requests over UDP port 1900 during normal activity. This HTTP traffic over UDP port 1900 is Simple Service Discovery Protocol (SSDP). SSDP is a protocol used to discover Plug & Play devices, and it is not associated with normal web traffic. Therefore, I filter this out using the following expression:

(http.request or ssl.handshake.type 1) and !(udp.port eq 1900)

You can also use the following filter and achieve the same result:

(http.request or ssl.handshake.type 1) and !(ssdp)

Filtering out SSDP activity when reviewing a pcap from an infection on a Windows 7 host provides a much clear view of the traffic. Figure 6 shows Emotet activity with IcedID infection traffic from December 3rd, 2018 on a Windows 7 host. It is filtered on web traffic that contains SSDP requests. Figure 7 shows the same pcap filtered on web traffic excluding the SSDP requests, which provides a clearer picture of the activity.

Figure 6. Reviewing web traffic with Emotet and IcedID infection activity in Wireshark without filtering out SSDP traffic.

Figure 7. Reviewing web traffic with Emotet and IcedID infection activity in Wireshark while filtering out SSDP traffic.

In Figure 7, we see some indicators of infection traffic, but not every indicator of the infection is revealed. In some cases, an infected host may try to connect with a server that has been taken off-line or is refusing a TCP connection. These attempted connections can be revealed by including TCP SYN segments in your filter by adding tcp.flags eq 0x0002. Try the following filter on the same traffic:

(http.request or ssl.handshake.type 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)

Including the TCP SYN segments on your search reveals the infected host also attempted to connect with IP address 217.164.2[.]133 over TCP port 8443 as shown in Figure 8.

Figure 8. Including TCP SYN segments in your filter can reveal unsuccessful connection attempts by an infected host to other servers.

In some cases, post-infection traffic will not be web-based, and an infected host will contact command and control (C2) servers. These servers can be directly hosted on IP addresses, or they can be hosted on servers using domain names. Some post-infection activity, like C2 traffic caused by the Nanocore Remote Access Tool (RAT), is not HTTP or HTTPS/SSL/TLS traffic.

Therefore, I often add DNS activity when reviewing a pcap to see if any of these domains are active in the traffic. This results in the following filter expression:

(http.request or ssl.handshake.type 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

In Figure 9, I use the above filter expression to review a pcap showing a Nanocore RAT executable file downloaded from www.mercedes-club-bg[.]com to infect a vulnerable Windows host. The initial download is followed by attempted TCP connections to franex.sytes[.]net at 185.163.45[.]48 and franexserve.duckdns[.]org at 95.213.251[.]165. Figure 10 shows the correlation between the DNS queries and the TCP traffic.

Figure 9. Including DNS queries reveals attempted TCP connections to additional domains.

Figure 10. Correlating DNS traffic to the TCP activity.

Some infection traffic uses common protocols that can easily be decoded by Wireshark. Figure 11 shows post-infection traffic caused by this malware executable that generates FTP traffic. Using a standard web traffic search that also checks for DNS traffic and TCP SYN flags, we find traffic over TCP port 21 and other TCP ports after a DNS query to ftp.totallyanonymous[.]com.

Figure 11. Activity from malware generating FTP traffic.

Realizing this is FTP traffic, you can pivot on ftp for your display filter as shown in Figure 12. When filtering on ftp for this pcap, we find the infected Windows host logged into an FTP account at totallyanonymous.com and retrieved files named fc32.exe and o32.exe. Scroll down to later FTP traffic as shown in Figure 13, and you will find a file named 6R7MELYD6 sent to the FTP server approximately every minute. Further investigation would reveal 6R7MELYD6 contains password data stolen from the infected Windows host.

Figure 12. Using ftp as a filter and finding the name of files retrieved by the infected host when viewing the FTP control channel over TCP port 21.

Figure 13. The FTP control channel over TCP port 21 also shows information stored to the FTP server as a file named 6R7MELYD6.

In addition to FTP, malware can use other common protocols for malicious traffic. Spambot malware can turn an infected host into a spambot designed to send dozens to hundreds of email messages every minute. This is characterized by several DNS requests to various mail servers followed by SMTP traffic on TCP ports 25, 465, 587, or other TCP ports associated with email traffic.

Let's try this filter expression again:

(http.request or ssl.handshake.type 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

When viewing spambot traffic, you'll find DNS queries to mail servers and TCP traffic to SMTP-related ports as previously described.

Figure 14. Wireshark filtered on spambot traffic to show DNS queries for various mail servers and TCP SYN packets to TCP ports 465 and 587 related to SMTP traffic.

If you use smtp as a filter expression, you'll find several results. In cases where you find STARTTLS, this will likely be encrypted SMTP traffic, and you will not be able to see the email data.

Figure 15. Filtering on SMTP traffic in Wireshark when viewing spambot traffic.

In recent years, email traffic from spambots is most likely encrypted SMTP. However, you might find unencrypted SMTP traffic by searching for strings in common email header lines like:

  • smtp contains 'From: '
  • smtp contains 'Message-ID: '
  • smtp contains 'Subject: '

Keep in mind the Wireshark display filter is case-sensitive. When searching spambot traffic for unencrypted SMTP communications, I often use smtp contains 'From: ' as my filter expression as shown in Figure 16.

Wireshark Ip.host

Figure 16. Filtering in Wireshark to find email header lines for unencrypted SMTP traffic.

After filtering for SMTP traffic as show in Figure 16, you can follow TCP stream for any of the displayed frames, and you'll find one of the emails sent from the spambot.

Figure 17. TCP stream showing unencrypted SMTP traffic from a spambot-infected host.

Some filter expressions are very tedious to type out each time, but you can save them as filter buttons. On the right side of the Wireshark filter bar is a plus sign to add a filter button.

Figure 18. Saving a filter expression as a filter expression button in Wireshark.

Click on that plus sign to save your expression as a filter button. You have the following fields:

Wireshark Ip Puller

  • Label
  • Filter
  • Comment

The comment is optional, and the filter defaults to whatever is currently typed in the Wireshark filter bar. Once you have typed your label, then click the OK button as shown in Figure 19.

Figure 19. After typing a filter label, click the OK button.

In the above image, I typed 'basic' for the filter (http.request or ssl.handshake.type 1) and !(udp.port eq 1900) to save as my basic filter. Figure 20 show that filter button labeled 'basic' to the right of the plus sign.

Figure 20. My 'basic' filter button at the far right of the filter bar.

For my normal filter setup in Wireshark, I create the following filter buttons:

  • basic (http.request or ssl.handshake.type 1) and !(udp.port eq 1900)
  • basic+(http.request or ssl.handshake.type 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)
  • basic+DNS(http.request or ssl.handshake.type 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

Figure 21. Filter buttons I routinely use on Wireshark.

This tutorial covered the following areas:

  • Indicators of infection traffic
  • The Wireshark display filter
  • Filters for web-based infection traffic
  • Filters for other types of infection traffic
  • Saving your filters

Proper use of Wireshark display filters can help security professionals more efficiently investigate suspicious network traffic. Pcaps used in this tutorial can be found here.

Wireshark

Get updates from
Palo Alto
Networks!

Wireshark Command Line

Sign up to receive the latest news, cyber threat intelligence and research from us