Part I | Exercises
Lab | Wireshark Setup and Warmup
Wireshark is a free application used to capture and view data traveling on a network. It provides the ability to drill down and read the contents of each packet and may be filtered to meet specific needs. It is commonly used to troubleshoot network problems and to develop and test software. This open-source protocol analyzer is widely accepted as the industry standard, winning its fair share of awards over the years. Originally known as Ethereal, Wireshark can display data from hundreds of different protocols on all major network types. Data packets can be viewed in real time or analyzed offline. Wireshark supports dozens of capture/trace file formats.
Step 01: Install Wireshark
In this lab, we will download and install Wireshark, then investigate some of its basic functionality. Wireshark is available at no cost from the Wireshark Foundation website for Windows, macOS, and Linux operating systems (Wireshark comes prepackaged with most Linux distributions). StationX provides instructions for all three operating systems: How to Install Wireshark.
Download the latest stable release for your computer at the Wireshark Download page. After completing the installation process, the Welcome screen will launch. Identify which operating system you are using for Wireshark work, and confirm that you were able to install and launch it successfully.
Step 02: Capturing Packets
When you launch Wireshark, the list of available network interfaces on your device is displayed, each with an EKG-style line graph that represents live traffic on that interface. Most likely, your Wi-Fi interface or Ethernet connection is the most active, depending on how you connect to the Internet. Choose the most active interface, and double-click on it to start capturing network traffic. To capture a rich set of traffic, make sure your browser is open and pointed to at least a couple of sites, for example, the Internet Assigned Numbers Authority (IANA) website and the U.S. Space Force website.
To begin capturing packets, select one of the active network interfaces (Wi-Fi or Ethernet, whichever shows the most activity) by clicking on the interface description. Click on Capture in the main menu located toward the top of the Wireshark interface. When the drop-down menu appears, select the Start option. You can also initiate packet capturing via one of the following shortcuts.
- Keyboard: Press Ctrl + E.
- Mouse: To capture packets from one particular network, double-click on its name.
- Toolbar: Click on the blue shark fin button on the far-left side of the Wireshark toolbar. Wireshark displays packet details as they are recorded during live capture.
To stop capturing:
- Keyboard: Press Ctrl + E.
- Toolbar: Click on the red Stop button next to the shark fin on the Wireshark toolbar.
Now that you have recorded some network data, look at the captured packets. The captured data interface has three main sections: the packet list pane, packet details pane, and packet bytes pane. You may wish to resize these windows by clicking and dragging on the separator bar between them. Below is a description of these sections.
Packet List
The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it by Wireshark (not a packet number contained in any protocol’s header), along with each of these data points.
- Time: Timestamp of when the packet was captured is displayed in this column. The default format is the number of seconds since the capture file was created. To change it to something more useful, like time of day, select the Time Display Format option from the View menu.
- Source: This column contains the address (IP or other) where the packet originated.
- Destination: This column contains the address that the packet is being sent to.
- Protocol: The packet’s protocol name, such as TCP, can be found in this column. The protocol type field lists the highest-level protocol that sent or received this packet.
- Length: The packet length, in bytes, is displayed in this column.
- Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.
When a packet is selected in the top pane, you may notice one or more symbols appear in the first column. Open or closed brackets and a straight horizontal line indicate whether a packet or group of packets are all part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of said conversation.
Packet Details
The details pane, in the middle, presents the protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can apply individual Wireshark filters based on specific details and follow streams of data based on protocol type via the details context menu, which is accessible by right-clicking your mouse on the desired item in this pane.
Packet Bytes
At the bottom is the packet bytes pane, which displays the raw data of the selected packet as a hex dump. Each line shows 16 bytes in hexadecimal and the same 16 bytes as ASCII, alongside the offset of the first byte in that line. Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any byte that cannot be printed is represented by a period.
You can choose to show this data in bit format instead of hexadecimal by right-clicking anywhere within the pane and selecting the appropriate option from the context menu. Note the Source and Destination columns and their IP address data. Can you locate your computer’s IP address? You can find the IP address of your Windows machine using these instructions from LSU. Include a screenshot of your Wireshark window with this IP address highlighted.
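The layout of the Packet Bytes pane is simple enough to reproduce. The following Python function is an added example, not part of this lab or of Wireshark's own code: it renders a constructed byte string (a broadcast MAC address followed by the start of an HTTP request line) with the same offset, 16-byte hex and ASCII columns, replaces unprintable bytes with a period, and can switch to the bit view mentioned above.

```python
def hex_dump(data: bytes, width: int = 16, bits: bool = False) -> list:
    """Render bytes the way the Packet Bytes pane does.

    Each line carries a hexadecimal offset, `width` bytes shown either as
    two-digit hex or (bits=True) as eight-digit binary, and the same bytes
    as ASCII with anything outside 0x20-0x7e replaced by a period.
    """
    cell = 8 if bits else 2          # characters per byte in the middle column
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        middle = " ".join(f"{b:08b}" if bits else f"{b:02x}" for b in chunk)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        # Pad the middle column so the ASCII column stays aligned on a short last line.
        lines.append(f"{offset:04x}  {middle:<{width * (cell + 1) - 1}}  {ascii_col}")
    return lines


# Constructed sample: a broadcast destination MAC followed by the start of an HTTP request line.
SAMPLE = bytes.fromhex("ffffffffffff") + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for line in hex_dump(SAMPLE):
        print(line)
    for line in hex_dump(SAMPLE, bits=True):
        print(line)
```

Running the block prints two lines for the 22-byte sample; the six 0xff bytes appear as periods in the ASCII column, and the carriage return and line feed at the end of the request line do too.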
Step 03: Making a Configuration Profile
Create a custom configuration profile under Edit/Configuration Profile. Please follow these steps.
- Copy the default profile and then modify/add the following fields. Click OK to select that profile.
- Change the Time Display Format to UTC Year, Day of Year, and Time of Day (View/Time Display Format).
- Add a Delta field to display the time elapsed (See Palo Alto Bran Duncan’s post on this topic).
- Add Source and Destination Ports fields.
Sort these fields as you’d like.
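To make the Packet List columns described above and the Delta and port fields added in this step concrete, here is an added Python example that is not part of the lab or of Wireshark. It builds a small constructed pcap file in memory (a DNS query and reply between private addresses, then a TCP segment to a TEST-NET documentation address), reads it back, and produces one row per packet with Wireshark-style Number, Time (seconds since the first packet), Delta (seconds since the previous packet), Source, Destination, Protocol, Length, and Source/Destination Port values. Naming the protocol by well-known port is a deliberate simplification of what Wireshark's dissectors do, and the conversation_key helper shows the idea behind following one conversation in both directions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_PROTO_NAMES = {53: "DNS", 80: "HTTP"}   # crude stand-in for Wireshark's dissector selection


@dataclass
class Row:
    number: int              # assigned by the reader, not taken from any header
    time: float              # seconds since the first packet (the default Time column)
    delta: float             # seconds since the previous packet (the Delta field)
    source: str
    destination: str
    protocol: str            # highest-level protocol we can identify
    length: int              # frame length on the wire, in bytes
    src_port: Optional[int]
    dst_port: Optional[int]


def decode_ethernet(frame: bytes):
    """Return (source, destination, protocol, src_port, dst_port) for one Ethernet frame."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return mac(frame[6:12]), mac(frame[0:6]), f"0x{ethertype:04x}", None, None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    name = IP_PROTO_NAMES.get(proto, f"IP proto {proto}")
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return src_ip, dst_ip, name, None, None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    hdr_len = 8 if proto == 17 else (frame[l4 + 12] >> 4) * 4
    if len(frame) > l4 + hdr_len:    # name an application protocol only when a payload is present
        name = PORT_PROTO_NAMES.get(dport, PORT_PROTO_NAMES.get(sport, name))
    return src_ip, dst_ip, name, sport, dport


def parse_pcap(blob: bytes) -> list:
    """Walk a classic pcap file and return one Row per packet record."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled (not pcapng)")
    linktype, = struct.unpack_from("<I", blob, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    rows, offset, first_ts, prev_ts = [], 24, None, None
    while offset + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        frame = blob[offset:offset + incl_len]
        offset += incl_len
        ts = ts_sec + ts_usec / 1_000_000
        first_ts = ts if first_ts is None else first_ts
        delta = 0.0 if prev_ts is None else ts - prev_ts
        prev_ts = ts
        src, dst, proto, sport, dport = decode_ethernet(frame)
        rows.append(Row(len(rows) + 1, ts - first_ts, delta, src, dst, proto, orig_len, sport, dport))
    return rows


def conversation_key(row: Row) -> tuple:
    """Direction-independent key, so both halves of one exchange share it."""
    return tuple(sorted(((row.source, row.src_port), (row.destination, row.dst_port)), key=str))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4/{UDP,TCP} frame as test data (checksums left zero)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:   # minimal 20-byte TCP header with only the ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + l4
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(records) -> bytes:
    """records: iterable of (unix_timestamp, frame_bytes); writes the 24-byte global header first."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)), len(frame), len(frame)) + frame
    return out


# Constructed capture: a DNS query and reply on a private LAN, then a TCP ACK to a TEST-NET address.
SAMPLE_PCAP = build_pcap([
    (1700000000.000, build_frame("192.168.1.10", "192.168.1.1", 17, 51000, 53, b"\x00\x01")),
    (1700000000.015, build_frame("192.168.1.1", "192.168.1.10", 17, 53, 51000, b"\x00\x01")),
    (1700000000.250, build_frame("192.168.1.10", "192.0.2.1", 6, 52000, 443)),
])

if __name__ == "__main__":
    for r in parse_pcap(SAMPLE_PCAP):
        print(f"{r.number:>3} {r.time:9.6f} {r.delta:9.6f} {r.source:>14} {r.destination:>14} "
              f"{r.protocol:<5} {r.length:>4} {r.src_port} {r.dst_port}")
```

The Number column comes from the reader's own counter, exactly as the text says Wireshark does it, and Time is measured from the first record rather than from the clock, which is why the first row always reads 0.000000. Rows 1 and 2 share a conversation key even though Source and Destination are swapped, which is what Analyze/Conversation Filter relies on.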
Step 04: Colors and Conversations
Note that the rows in the top pane display in different colors. To find out the details behind this color coding, go to View/Coloring Rules. Here you’ll see the default coloring rules for this profile, along with the filters that are used to define each rule. You can edit these rules and colors as you wish, and/or create new rules for a specific project. For now, we’ll leave them as they are. You can also view a “conversation” for a specific protocol under Analyze/Conversation Filter. Select three rows of different colors and identify the name and filter of each rule. Select a row (likely TCP or UDP) and then try to follow the conversation in the top pane.
Do you see any color filters that could be more narrowly defined? Why or why not? (There are no right or wrong answers). Include a screenshot to enhance your explanation.
Step 05: Identify Protocols and Layers
Examine the Protocol column in the Packet List pane. Simply by scrolling through the packets, what protocol seems to be listed the most? You can also take a look at various statistics in the Statistics menu, for example, in the Protocol Hierarchy tab.
Scroll down toward the middle of the packet capture and highlight one of the packets in the Packet List pane. Examine the information displayed in the Packet Details pane. Without expanding any of the rows, look at the information provided.
Which layers of the OSI model correspond to rows 2, 3, and 4?
We will examine Wireshark packets in more detail in other labs. This is simply an introduction to the tool!