
Using a GUI Sniffer

If you search on Google for a network sniffer, one of the first hits will be Ethereal. Ethereal is one of the oldest, most full-featured, and functional sniffers available for free. While Ethereal still has a Web site up at www.ethereal.com, the project has taken a new turn and is now known as Wireshark (www.wireshark.org). Wireshark has some features not found in many of the other free sniffers that are available, such as conversation reassembly and a capture display/filter syntax that is more advanced than most. Wireshark does require the WinPcap drivers. The WinPcap drivers enable a greater degree of access to and control of the network communications at the packet level than is available by going through the Windows network drivers. For this reason, many third-party utilities that do heavy packet manipulation make use of WinPcap. Follow these steps to install Wireshark on a Windows system.

  1. Go to www.wireshark.org and download the Windows installer file.
  2. Run the setup executable. During the installation, you will be asked if you want to install the WinPcap drivers. Unless you already have the latest WinPcap drivers installed, leave the default checked, which will install the WinPcap drivers.
  3. Start Wireshark manually or allow the Setup Wizard to start Wireshark when it completes.
  4. If you have more than one interface, navigate to Capture | Interfaces. This will provide you with a listing of the interfaces Wireshark can use.
  5. Choose the one you wish to capture on and click Capture.

You are now sniffing the network. Remember, in a switched network you will only see traffic going to or from your machine, plus broadcast traffic. You will need to enable port mirroring on the switch to see all traffic going through it. Wireshark will show a small window with statistics on the traffic it has collected.

When you click Stop, the statistics window will close and the capture window will be populated with the data you have collected. The layout of Wireshark is similar to most packet capture programs. The top pane, or packet list pane, shows an entry for each packet, with some high-level information such as source and destination hosts, protocol, and other basic details. The second (middle) pane, known as the packet details pane, shows the packet contents, by header. Each header can be expanded to show more detail, which also enables you to expand the next header. The bottom pane, or packet bytes pane, shows the raw packet data in hex and ASCII (plain text).

The packets will be color coded by protocol. A useful feature of Wireshark is conversation reassembly. You will notice that packet number 12 is the initial packet of a Telnet connection. If you right-click one of the Telnet packets and select Follow TCP Stream, Wireshark will use the protocol information and sequence numbers to compile the packet data pertaining to that conversation. If you would rather see the packets pertaining to that conversation and not just the data, right-click a Telnet packet and select Conversation Filter | TCP. This will change the display filter to show only the packets involved in the Telnet conversation. These features can be very powerful and save a lot of time when you are trying to follow a conversation and see where an error might be.

Many Linux distributions come with Ethereal installed by default. Ethereal is the previous version of Wireshark and in most cases will do what you want without needing to upgrade. If you want the most recent version, you can install Wireshark. Unlike Windows systems, which are pretty consistent when it comes to installing software, on Linux there are many different methods that can be used for installing software. Some are specific to a distribution, while others may be found on many different distributions. One of the most common methods for installing software from the command line is the RPM Package Manager (RPM). RPM is supported on distributions that are based on Red Hat Linux and its various flavors. This includes a large number of distributions, including some live CDs. You can view a list of all installed packages by entering:

rpm -q -a

To install the Wireshark package on Linux, you need to first obtain the package file itself (from www.redhat.com/download/mirror.html, for example) or use the RPMs that were included on the installation CDs for your distribution. Different distributions may have packages specific to their configuration, or a given distribution may not support the newest version of a given piece of software. The first step is to research the latest version of Wireshark your Linux distribution can use and download the .RPM file. Then enter the following command to install Wireshark (for this example, it is Wireshark version 0.99.2-1):

rpm -i wireshark-0.99.2-1.src.rpm

If the installation is successful, you should see output similar to the following:

Preparing... 	       ####################################### [100%]
1: wireshark-0.99.2-1  ####################################### [100%]

You can even install a package directly from the Internet by specifying the full FTP or HTTP URL of the RPM in place of the file path, as follows:

rpm -i ftp://somesite.com/5/i386/RPMS/wireshark-0.99.2-1.src.rpm

To uninstall the package you must use the package name, which is not the same as the name of the RPM file. To uninstall wireshark-0.99.2-1, enter the following command, using the -e switch (for erase):

rpm -e wireshark-0.99.2-1

TIP Due to the number of different methods to support software installation on the different versions of Linux, I couldn't possibly discuss them all here. The home page for your particular distribution will be the best place to start when it comes to getting instructions on installing new software packages. As just one example, here is a brief summary of the many tools available for software installation on just Fedora Core 5. You will need to research which methods are available on the distribution you are using.

  • pup: GUI tool for updating software, accessed at Applications | System Tools | Software Updater.
  • pirut: GUI tool for managing software packages, accessed at Applications | Add/Remove Software.
  • RPM: Command-line tool for managing software packages.
  • yum (Yellowdog Updater, Modified): command-line tool for managing software packages.
  • yum Extender: A GUI for yum (install with yum install yumex).

To make things more confusing, all the package management systems work slightly differently. Pirut and yum will automatically ensure you have the most current version of a package. Both of these will also automatically check for and install any dependencies of the software you install. RPM does not include this functionality; you will need to check for dependencies manually when using rpm. Yum only works on RPM-based systems, and not all systems will have yum available or installed; therefore, it is suggested that you understand how to manage packages with RPM even if you choose not to use RPM for your day-to-day management.

Wireshark offers some features that you would normally have to pay a lot of money for and that the other free sniffers don't have. Let's suppose you have captured some packets and you want to see the Telnet conversation.

Locate any single Telnet packet, either by browsing in the main window or by using a filter. To filter for all TCP packets with a source or destination port of 23 (Telnet), click in the Filter field and enter tcp.port == 23, then click Apply. Although the filtering syntax looks pretty intuitive, there will be times when you don't know which keywords you need to use. You can construct the filter by clicking the Expression button. This will bring up the filter expression window.

Navigate to TCP in the Field name pane, then expand the TCP subtree and select tcp.port. After highlighting a selection in the Field name field, select a logical operator in the Relation field, such as "==" for equals. Finally, enter the desired value (in this case 23) in the Value field. Then click OK. This will place the filter expression in the Filter field. You must then click Apply to apply the filter to the packet display. You should now have a list of only Telnet packets. If you select any one of the Telnet data packets (Wireshark will label them as such in the Info column) and right-click, you can select Follow TCP Stream.

The complete output from the Follow TCP Stream window is included to give you an idea of what a Telnet login looks like. This also illustrates the fact that Telnet does not employ any encryption, making it an insecure choice for remote access except over trusted networks.

..'..%........... ..!..".....
..%........'........
..'.....'..SFUTLNTVER.SFUTLNTMODE....%.......... ..!..".....
.......].........
..'..DISPLAY.Knoppix:0.0....'.....%....
Welcome to Microsoft Telnet Service

login:

password:

.....
....xterm.
.....
....xterm.


*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\Ben>

Volume in drive C is D1P1_OS
Volume Serial Number is 2037-12FA

Directory of C:\Documents and Settings\Ben
12/08/2003 	06:52 PM 	<DIR> 		.
12/08/2003 	06:52 PM 	<DIR> 		..
05/02/2005 	11:30 PM 	<DIR> 		My Documents
05/02/2005 	11:30 PM 	<DIR> 		Favorites
12/08/2003 	06:44 PM 	<DIR> 		Desktop
12/08/2003 	06:44 PM 	<DIR> 		Start Menu
12/23/2003 	12:15 AM 	<DIR> 		WINDOWS
02/16/2006 	08:46 PM 	<DIR> 		.housecall
06/13/2006 	08:15 PM 	<DIR> 		SecurityScans
06/24/2006 	06:43 PM 	<DIR> 		.ssh
09/19/2006 	03:27 PM 	       	      600 PUTTY.RND
09/04/2006 	04:22 PM 	<DIR> 		Tenable
		   1 File(s) 		      600 bytes
		 11 Dir(s) 	    2,719,571,968 bytes free

C:\Documents and Settings\Ben>

Some blank lines were removed to conserve space, but other than that, this is the stream in its entirety. You can see that the start of the conversation included DISPLAY.Knoppix, which identifies the system the user was connecting from. The next line was "Welcome to Microsoft Telnet Service", which indicated the target host was a Microsoft system running the Telnet service. The user was then prompted for a login ID and a password. After the login was complete, the user ran the dir command to get a directory listing of the remote machine.

You will notice that the user name and password are not listed in the Follow TCP Stream output. Because Telnet is a clear text protocol, the user name and password used are available in the data portions of the packets. Telnet will send a packet for each character you type, so with a user ID of "Ben," one packet will contain only an "e" for the data, another an "r," another an "i," and finally a "c." To see this in the Packet Capture window, use the top pane to select a Telnet data packet. In the center (packet details) pane, you can view the details for the various packet layers. At the bottom will be Telnet. Click the plus sign and it will expand to show the data portion of the packet.

You can also search for a string within the capture by navigating to Edit | Find Packet. You then have the option of searching via a display filter, hex value, or string. If you select String and then enter any ASCII string in the provided field, Wireshark will search the data portion of all the captured packets. This can help you quickly locate a conversation of interest, such as searching for a URL to find an HTTP conversation you want to inspect. You'll notice that if you search for a string containing the Telnet user logon ID "ben," you will never find it, because it is sent one character at a time. If you didn't know Telnet worked this way, you might be confused and incorrectly conclude that Wireshark did not capture your Telnet session. As you can see, analyzing sniffer data is not really something that you can just read about. Being able to get useful information and troubleshoot issues from a packet capture takes experience and an understanding of how the protocols in question behave on the network.
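To see why Follow TCP Stream (which, as noted earlier, orders packet data by sequence number) finds a login name that a per-packet string search misses, here is an added example that is not part of the book: it reassembles one direction of a constructed Telnet capture in sequence-number order and strips the IAC option negotiation that shows up as the "..%.." noise at the top of the stream. The addresses, the segment layout and the names Segment, strip_telnet_options, follow_tcp_stream and found_per_packet are all constructed for this illustration, not Wireshark's own code.

```python
from collections import namedtuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0  # Telnet: IAC introduces a command, SB/SE bracket option subnegotiation
Segment = namedtuple("Segment", "src dst seq payload")  # the fields Wireshark reads from a TCP segment

def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC option negotiation, the '..%..' noise at the top of the Follow TCP Stream output."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:   # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                            # IAC WILL/WONT/DO/DONT <option>
            i += 3
    return bytes(out)

def follow_tcp_stream(segments, src: str, dst: str) -> bytes:
    """Reassemble one direction in sequence-number order, skipping duplicates and retransmissions."""
    stream, nxt = bytearray(), None
    for s in sorted((s for s in segments if s.src == src and s.dst == dst), key=lambda s: s.seq):
        if nxt is not None and s.seq < nxt:
            continue  # these bytes are already in the stream
        stream += s.payload
        nxt = s.seq + len(s.payload)
    return strip_telnet_options(bytes(stream))

def found_per_packet(segments, needle: bytes) -> bool:
    """What a packet-by-packet string search sees: each keystroke travels in its own segment."""
    return any(needle in strip_telnet_options(s.payload) for s in segments)

# Constructed sample capture (RFC 5737 documentation addresses), out of order with one retransmit.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
NEGOTIATION = (bytes([IAC, 0xFB, 0x18])                                             # WILL TERMINAL-TYPE
               + bytes([IAC, SB, 0x23, 0x00]) + b"Knoppix:0.0" + bytes([IAC, SE]))  # X-DISPLAY-LOCATION
CAPTURE = [
    Segment(CLIENT, SERVER, 22, b"e"),
    Segment(CLIENT, SERVER, 1, NEGOTIATION),
    Segment(CLIENT, SERVER, 21, b"b"),
    Segment(CLIENT, SERVER, 22, b"e"),         # retransmission of the same keystroke
    Segment(CLIENT, SERVER, 23, b"n"),
    Segment(CLIENT, SERVER, 24, b"\r\n"),
    Segment(SERVER, CLIENT, 100, b"login: "),  # other direction, not part of this reassembly
]
```

Searching each segment for "ben" fails, while the reassembled client-to-server stream contains it, which is exactly the difference between Find Packet and Follow TCP Stream described above.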
