
Wireshark is a real-time network analysis tool: it captures packets and protocols as they cross the network and displays them graphically and as listings.
Wireshark is a packet analyzer that inspects the traffic circulating on a network; the software runs on Linux, Windows, OS X and Solaris.
We can download the software from the official Wireshark page; if we want to install it on Linux, it is already available in the distribution repositories.
On Windows it is installed like any other program. In this tutorial we will install it on Linux; from a terminal window we type the following command:
sudo apt-get install wireshark

If you want to install it on a server and manage the software in text mode, there is a text-mode version called Tshark. To install it from a terminal window we type:

sudo apt-get install tshark

Next we must run Wireshark with administrator privileges, since it needs permission to access the network interfaces in order to monitor the packets we indicate. In our case, to start it either from the menu or from the terminal, we use the following command:

gksudo wireshark

This will request the username and password to run it in administrator (root) mode. Running the whole graphical analyzer as root is a broad grant of privilege; on Debian-based systems the package can instead be configured (sudo dpkg-reconfigure wireshark-common) so that members of the wireshark group can capture from an unprivileged session, which is the safer option.
At the start we see a list of interfaces, that is, the available networks; in the example we have a wlan0 Wi-Fi interface and an eth0 Ethernet interface, and there we select which interface or interfaces we want to analyze.
Below the list of interfaces we have the Capture Options. These include promiscuous mode, the capture mode and so on.
Within the capture options we can configure which protocols and services to monitor, to see which processes and platforms are receiving and sending data within the network.
Create a tracking filter
In the Filter bar we can configure the type of tracking we want to perform. For example, we select eth0 in the list of interfaces and press Start; a window opens and we see how the software captures all the packets, which for a single user are already a great many. The software captures many protocols, including system ones, that is, internal messages from devices and operating systems.
For example, we press Filter and then select HTTP, so we filter only the traffic of the HTTP protocol, i.e. web page queries on port 80.
We open the browser and search Google for the Solvetic.com website; Wireshark shows us the HTTP and TCP data produced to make the connection, and we see that the TCP and HTTP protocols are used for the search and then to display the web page.
Here we can see the requests made. Within the HTTP filter we can see different protocol options such as requests, responses, etc. Applying the http.request filter we can obtain all the requests made with GET and POST, together with the responses received, from the browser or from all the computers on the network; by analyzing the requests we can detect possible malicious activity.
Next we analyze the captured data. When we click on a captured item we see information about the data packet: the Frame field identifies the size of the captured packet, the time it took, when it was sent and on which interface.
The Ethernet II field belongs to the data generated at the data link layer of the OSI model; here we have the origin and destination, the IP and MAC addresses and the type of protocol carried.
The Internet Protocol field shows us the IP datagram with the IP addresses, and the Transmission Control Protocol (TCP) field completes the TCP/IP transport. Then we have the HTTP headers, where we receive the data of the web communication.
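The layer-by-layer view described above (Frame, Ethernet II, IP, TCP, HTTP) and the http.request filter from the previous section can be reproduced in a few lines of pure Python. This is an added example, not code from the tutorial or from Wireshark; it works on a constructed sample frame (private source address, TEST-NET destination) and only handles IPv4 over TCP with an HTTP request payload.

```python
import struct
from typing import Any, Dict

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def dissect_frame(frame: bytes) -> Dict[str, Any]:
    """Walk the same layers Wireshark lists: Frame, Ethernet II, IPv4, TCP, HTTP."""
    out: Dict[str, Any] = {"frame_len": len(frame)}
    # Ethernet II header: destination MAC, source MAC, EtherType (0x0800 = IPv4)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"src": mac(src), "dst": mac(dst), "type": ethertype}
    if ethertype != 0x0800:
        return out                      # only IPv4 is dissected in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes (usually 20)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]                       # 6 = TCP
    out["ip"] = {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]), "proto": proto}
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4           # TCP data offset in bytes
    out["tcp"] = {"sport": sport, "dport": dport}
    payload = tcp[doff:]
    # A payload that starts with a method token is what the http.request filter shows
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
        out["http"] = {"method": method, "target": target, "version": version,
                       "headers": headers, "body": body.decode("ascii", "replace")}
    return out

# Constructed sample frame (not a real capture): GET from 192.168.1.10:51000 to 203.0.113.5:80
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: solvetic.com\r\nUser-Agent: demo\r\n\r\n"
TCP_HDR = struct.pack("!HHIIBBHHH", 51000, 80, 1, 1, 5 << 4, 0x18, 64240, 0, 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR) + len(HTTP_PAYLOAD),
                     1, 0x4000, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR + HTTP_PAYLOAD
```

Calling dissect_frame(SAMPLE_FRAME) returns one dictionary per layer, mirroring the tree Wireshark draws in its packet details pane.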
We will see an example where we configure the capture for all networks and connections; when the list is shown we filter it and look for incoming POP connections.
We see that the POP connections all go to one IP, which belongs to a VPS where the email accounts are hosted, so that is where the clients communicate.
If we send some emails and then filter by the SMTP protocol, we see all the messages sent from the server or from each computer on the network, with the respective IP from which each was sent and where it was sent to; we can always use the website //www.tcpiputils.com to look up the details of a specific IP.
Another filter we can apply is the DNS filter, to see which DNS queries are generating traffic.
In this case we did several searches and we can see the DNS queries for Google, Google Maps, Google Fonts, addons.mozilla and one for a Facebook chat; we will verify the IP.
We detect that a computer on our network is connected to the Facebook chat, and we know exactly what time it connected.
Next we will track the queries to a MySQL server. Network administrators usually do not keep a record of the queries made to a database, but with Wireshark you can track every query, save this record and display it as a query log. To filter the MySQL packets we use the mysql filter, or mysql.query if we only want to see the SELECT statements or a particular statement.
We will try some queries against the local database server, using the Sakila test database, which is free and open source and which we used in the tutorial MySQL combinations with Inner Join.
We perform an SQL query and Wireshark registers each query: the source IP of the query, the destination IP, the SQL text and the user who logged in.
Also, if we look at one of the packets, it tells us that the database was accessed with a program called Heidisql.exe, which is an insecure or suspicious program.
Although remote databases can be managed with this software, it is not recommended, since external connections to the server would have to be allowed.
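What the mysql.query filter extracts is the text of each COM_QUERY packet on the client-to-server side of the connection. The following added example (not code from the tutorial, Wireshark or MySQL) decodes that packet framing from a TCP payload and produces the kind of query log described above; the sample stream, the IP addresses and the Sakila queries are constructed for the demonstration.

```python
from typing import Iterator, List, Optional, Tuple

COM_QUERY = 0x03   # MySQL command byte that carries a text query

def mysql_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a client->server TCP payload into MySQL packets as (sequence id, payload)."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")   # 3-byte little-endian length
        seq = stream[pos + 3]                                     # 1-byte sequence id
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break                        # truncated packet: stop rather than misparse
        yield seq, payload
        pos += 4 + length

def query_log(src_ip: str, dst_ip: str, stream: bytes,
              statement: Optional[str] = None) -> List[dict]:
    """Emulate the mysql.query display filter: one record per COM_QUERY, optionally
    restricted to statements that start with `statement` (e.g. "SELECT")."""
    records = []
    for seq, payload in mysql_packets(stream):
        if not payload or payload[0] != COM_QUERY:
            continue
        # The SQL text is readable here only because the session is not using TLS
        sql = payload[1:].decode("utf-8", "replace")
        if statement and not sql.lstrip().upper().startswith(statement.upper()):
            continue
        records.append({"src": src_ip, "dst": dst_ip, "seq": seq, "query": sql})
    return records

def encode_com_query(sql: str, seq: int = 0) -> bytes:
    """Build a COM_QUERY packet; used here only to construct sample traffic."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample stream (not a real capture): two queries against the Sakila
# database followed by a COM_QUIT packet (command 0x01), which the filter must ignore
SAMPLE_STREAM = (encode_com_query("SELECT first_name FROM actor LIMIT 3")
                 + encode_com_query("UPDATE film SET rental_rate = 2.99 WHERE film_id = 1")
                 + b"\x01\x00\x00\x00\x01")

if __name__ == "__main__":
    for record in query_log("192.168.1.20", "192.168.1.5", SAMPLE_STREAM):
        print(record)
```

Because every statement is visible in cleartext this way, the same log is a reminder to enable TLS on the MySQL listener and to limit which hosts may reach it.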
Wireshark has many filters, covering all the protocols of a network as well as the most popular web protocols.
As packets are intercepted we can analyze what is happening with the network traffic; we just click on the packet we want to analyze and it shows us the data.
If we apply an HTTP filter, right-click on a POST packet and select Follow TCP Stream from the drop-down menu, we see everything that occurs when a web request is made to the server.
As a result we get all the code and the HTML transactions made in the request; if the user entered a password to access a website, with this method we can see the password and the user name that they used.
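The reason Follow TCP Stream exposes a login is that a form POST over plain HTTP carries its fields in cleartext. The following added example (not from the tutorial or from Wireshark) turns that observation into a defensive check: it parses the client side of a reassembled stream and reports which form fields look like credentials sent without TLS, naming the field but never the value. The field-name heuristic, the host and the sample request are constructed assumptions.

```python
from typing import Any, Dict, List
from urllib.parse import parse_qs

# Assumed heuristic: form field names that usually carry credentials
SENSITIVE_FIELDS = ("pass", "pwd", "secret", "token")

def parse_http_request(raw: bytes) -> Dict[str, Any]:
    """Split one HTTP request, as shown in Follow TCP Stream, into line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "headers": headers, "body": body[:length]}

def cleartext_credential_findings(raw: bytes, dst_port: int) -> List[str]:
    """Report form fields in a POST body that look like credentials sent without TLS.
    Only the field name is reported, never its value."""
    req = parse_http_request(raw)
    if dst_port == 443 or req["method"] != "POST":
        return []                        # TLS traffic cannot be read this way
    headers = req["headers"]
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(req["body"].decode("ascii", "replace"))
    host = headers.get("host", "?")
    return [f"{host}{req['target']}: field '{name}' sent in cleartext"
            for name in fields if any(s in name.lower() for s in SENSITIVE_FIELDS)]

# Constructed sample (not a real capture): the client side of a login POST over port 80
SAMPLE_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
               b"user=alice&password=s3cret-demo&x=1")
```

Run over a capture, a non-empty result from cleartext_credential_findings is the cue to move the application to HTTPS rather than something to read further.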
Taking into account that Wireshark monitors a large number of protocols and services on a network, and every packet that enters and leaves, an error in the analyzer code could jeopardize the security of the network if we do not know what is happening with each packet; therefore it is important to know how to correctly interpret the information that Wireshark gives us.