
Using Wireshark for Traffic Analysis

A basic introduction to filtering through packet captures.

Page 1: Using Wireshark for Traffic Analysis

Article by Mark Boyd www.simpleit.tumblr.com

Thursday, 23 June 2011 Page 1

Using Wireshark for traffic analysis

Most all of the information in this piece below is disseminated from www.sans.org and its affiliates. My experience is in the Managed Services Provider sector, more specifically, the Education vertical.

Troubleshooting Network Problems: Wireshark

We have all been there: two servers not talking to each other, two domain controllers not replicating information, workstations getting some policies but not others, workstations not getting out to the internet.

At a lower level, we have all had the complaint “The internet is slow” or “The network is slow”. You know that is such a subjective sentence that it enrages you. Whether on a limited budget or a huge budget, you know that throwing money at a network infrastructure refresh might not solve the problem; you might be the I.T. Manager / I.T. admin because no one else in the organisation was knowledgeable enough to do it. Who’s to say throwing money at a network refresh will solve these problems? Do you know how many users are out there? Do you know the origins of the network traffic? Do you configure your switches to prioritise traffic? Do you even know if your switches are configured? Do you know if your switches are capable of being configured?

First up we will look at Wireshark™, formerly Ethereal. Wireshark can be daunting; the information you see can look foreign, alien even, or worse, like programming code. Who likes programming? No one, that is who. Any resemblance Wireshark packet captures have to programming is enough to scare me away. Here is a screenshot of a standard Wireshark packet capture:¹

So, right now, you are about to close this document and say “No way… I am out, not doing this, no way I am going to be a part of this, what is this madness? What is this crazy alien output I am seeing?”

¹ To install and/or configure Wireshark, and for perhaps better examples of how to use it, visit here.


In the words of Professor Farnsworth (Futurama), “Good news everybody!” Do not worry, you don’t have to know everything there is to this program; you don’t need to understand every bit and byte of a packet capture. Below is a single sentence, the one statement that could help you troubleshoot any and all network problems you may have now or in the future.

Ask yourself: 1. What do you know? 2. What are you expecting to see? 3. What should be happening?

Alright, so we have a statement; now for the scenario. You want to troubleshoot your inability to use Microsoft Remote Desktop™ to a given server. It simply isn’t working. So, let’s analyse.

What do you know about Remote Desktop?

- It uses port 3389 to connect to the desired server / workstation
- You can connect using an IP address or a computer name
- There might be multiple hops along the way
- You already know what IP addresses exist between you and your destination
- You don’t know where it is failing when you try to RDP

Enter Wireshark. Remember that screenshot above, all the letters, numbers, all the TCP this and ACK that? Well, you need to know none of it. All you need to know is the single most important element critical to RDP functioning: in this case, traffic across port 3389, or even more important, traffic with the destination of the server you are trying to connect to. See screenshot below.

See what we did there? We applied a filter. It is as simple as that: a filter shows us all traffic to and from our intended destination, and if the destination never appears, traffic is blocked somewhere.
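As an added example (not from the original article or the SANS case study it cites), here is the three-question approach in code: the Wireshark display filter for the server and port 3389, and the same filter applied to a packet summary to see whether the destination ever appears and whether it ever answers. The IP addresses and the packet list are constructed, and the summary format is my own, not tshark's.

```python
"""The article's RDP filter logic over a constructed packet summary.

Added example, not part of the original article. Packets are a constructed
(proto, src, dst, sport, dport, flags) summary, not real tshark output.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport flags")

RDP_PORT = 3389  # what we know: RDP connects on port 3389


def display_filter(server_ip, port=RDP_PORT):
    """Wireshark display filter for traffic to or from the server on the RDP port."""
    return f"ip.addr == {server_ip} && tcp.port == {port}"


def matches(pkt, server_ip, port=RDP_PORT):
    """The same filter applied to a single summarised packet."""
    return (pkt.proto == "TCP" and server_ip in (pkt.src, pkt.dst)
            and port in (pkt.sport, pkt.dport))


def diagnose(packets, server_ip, port=RDP_PORT):
    """Compare what we see with what we expect: SYN out, SYN/ACK back."""
    seen = [p for p in packets if matches(p, server_ip, port)]
    if not seen:
        return "no traffic to/from server seen: check capture point, filter or name resolution"
    from_server = [p for p in seen if p.src == server_ip]
    if not from_server:
        return "SYN sent, no reply: blocked in transit or server not listening"
    if any("RST" in p.flags for p in from_server):
        return "server replied RST: port closed or connection refused"
    if any(p.flags == "SYN,ACK" for p in from_server):
        return "handshake completed: RDP reachable, look beyond the network path"
    return "unexpected pattern: inspect the filtered packets by hand"


# Constructed sample: one RDP attempt that is never answered,
# mixed with unrelated DNS and HTTPS traffic from the same workstation.
SAMPLE = [
    Packet("UDP", "192.0.2.10", "192.0.2.1", 50123, 53, ""),
    Packet("TCP", "192.0.2.10", "192.0.2.50", 50124, 3389, "SYN"),
    Packet("TCP", "192.0.2.10", "192.0.2.50", 50124, 3389, "SYN"),  # retransmit
    Packet("TCP", "192.0.2.10", "198.51.100.7", 50125, 443, "SYN"),
    Packet("TCP", "198.51.100.7", "192.0.2.10", 443, 50125, "SYN,ACK"),
]

if __name__ == "__main__":
    print(display_filter("192.0.2.50"))
    print(diagnose(SAMPLE, "192.0.2.50"))
```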

My contention is that, armed with some common filters, you can discover what is happening with your traffic. There are quite literally thousands of built-in filters and expressions; where you can’t find anything in Wireshark help, remember, Google is your friend.

Click here or here for a more comprehensive guide, or use the help system in Wireshark.

The moral of the story: don’t be afraid. Wireshark is brilliant under every scenario, and you don’t need to have a Bachelor of Computer Science (a mostly worthless piece of paper anyway) to understand what the outputs say. All you need is some practice, the application of some “common I.T. knowledge” and an appreciation of how the filters work.

This article was inspired by the following case study: http://www.sans.org/reading_room/whitepapers/casestudies/simple-traffic-analysis-ethereal_1631

Next article: Building a secure network: the fundamentals, the high-level concepts.