Article by Mark Boyd www.simpleit.tumblr.com
Thursday, 23 June 2011 Page 1
Using Wireshark for traffic analysis
Most all of the information in the writing piece below is information disseminated from www.sans.org and its affiliates. My experience is in the Managed Services Provider sector, more specifically, the Education vertical.
Troubleshooting Network Problems: Wireshark
We have all been there, two servers not talking to each other, two domain controllers not replicating
information, workstations getting some policies but not others, workstations not getting out to the
internet.
At a lower level, we have all had the complaint “The internet is slow” or “The network is slow”. You know that is such a subjective sentence that it enrages you. Whether on a limited budget or a huge budget, you know that throwing money at a network infrastructure refresh might not solve the problem; you might be the I.T Manager / I.T admin because no one else in the organisation was knowledgeable enough to do it. Who’s to say throwing money at a network refresh will solve these problems? Do you know how many users are out there? Do you know the origins of the network traffic? Do you configure your switches to prioritise traffic? Do you even know if your switches are configured? Do you know if your switches are capable of being configured?
First up we will look at Wireshark™, formerly Ethereal. Wireshark can be daunting; the information you see can look foreign, alien even, or worse, like programming code. Who likes programming? No one, that is who. Any resemblance Wireshark packet captures have to programming is enough to scare me away. Here is a screenshot of a standard Wireshark packet capture [1]:
So, right now, you are about to close this document and say “No way… I am out, not doing this, no way I am going to be a part of this, what is this madness? What is this crazy alien output I am seeing?”
[1] To install and/or configure Wireshark, and for perhaps better examples of how to use it, visit here.
In the words of Professor Farnsworth (Futurama), “Good news everybody!” Do not worry, you don’t have to know everything there is to this program; you don’t need to understand every bit and byte of a packet capture. Below is a single sentence, the one statement that could help you troubleshoot any and all network problems you may have now or in the future.
Ask yourself: 1. What do you know? 2. What are you expecting to see? 3. What should be happening?
Alright, so we have a statement; now for the scenario. You want to troubleshoot your inability to use Microsoft Remote Desktop™ to connect to a given server. It simply isn’t working. So, let’s analyse.
What do you know about Remote Desktop?
- It uses port 3389 to connect to the desired server / workstation
- You can connect using an I.P Address or a computer name
- There might be multiple hops along the way.
- You already know what IP Addresses exist between you and your destination
- You don’t know where it is failing when you try to RDP
Enter Wireshark. Remember that screenshot above, all the letters and numbers, all the TCP this and ACK that? Well, you need to know none of it. All you need to know is the single most important element critical to RDP functioning, in this case traffic across port 3389, or even more important, traffic with the destination of the server you are trying to connect to. See screenshot below.
See what we did there? We applied a filter. It is as simple as that: a filter shows us all traffic to and from our intended destination, and if the destination never appears, the traffic is being blocked somewhere.
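As an added example (not the article's own code), here is that same triage written as a small Python script over a constructed tshark field export, assuming the capture has already been reduced with the Wireshark display filter `tcp.port == 3389 && ip.addr == <server>`. It goes one step beyond the article's single rule: besides "the destination never appears", it distinguishes a SYN that gets no answer, a SYN that is reset by the host, and a completed handshake.

```python
# Added example, not from the original article: apply its three questions to a
# Remote Desktop attempt, on a capture already reduced with the display filter it
# describes, "tcp.port == 3389 && ip.addr == <server>". Input is a constructed
# tshark field export (assumed shape, one packet per line):
# "ip.src ip.dst tcp.dstport tcp.flags.syn tcp.flags.ack tcp.flags.reset".
RDP_PORT = 3389

def _flag(value):
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value in ("1", "True")

def parse_export(text):
    """Turn the space-separated export into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, syn, ack, rst = line.split()
            packets.append({"src": src, "dst": dst, "dport": int(dport),
                            "syn": _flag(syn), "ack": _flag(ack), "rst": _flag(rst)})
    return packets

def triage_rdp(packets, client, server):
    """Return "no-traffic", "established", "refused" or "no-reply"."""
    to_server = [p for p in packets if p["src"] == client
                 and p["dst"] == server and p["dport"] == RDP_PORT]
    from_server = [p for p in packets if p["src"] == server and p["dst"] == client]
    if not to_server:
        # Server never appears: the client is not sending to it at all
        # (name resolution, routing, or a block before the capture point).
        return "no-traffic"
    if any(p["syn"] and p["ack"] for p in from_server):
        # SYN-ACK came back: the TCP handshake worked, look above layer 4.
        return "established"
    if any(p["rst"] for p in from_server):
        # Host answered but rejected the port: nothing listening or a reject rule.
        return "refused"
    # SYNs left the client and nothing came back: dropped somewhere in between.
    return "no-reply"

# Constructed sample export: one client (10.0.0.20) trying three servers.
SAMPLE = """
10.0.0.20 10.0.0.5 3389 1 0 0
10.0.0.5 10.0.0.20 51000 1 1 0
10.0.0.20 10.0.0.5 3389 0 1 0
10.0.0.20 10.0.0.6 3389 1 0 0
10.0.0.20 10.0.0.7 3389 1 0 0
10.0.0.7 10.0.0.20 51002 0 1 1
"""
```

Run `triage_rdp(parse_export(SAMPLE), "10.0.0.20", "10.0.0.6")` to see the "no-reply" case the article's filter rule is really pointing at.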
My contention is that, armed with some common filters, you can discover what is happening with your traffic. There are quite literally thousands of built-in filters and expressions; where you can’t find anything in Wireshark help, remember, Google is your friend.
Click here or here for a more comprehensive guide, or use the help system in Wireshark.
The moral of the story: don’t be afraid. Wireshark is brilliant under every scenario, and you don’t need to have a Bachelor of Computer Science (a mostly worthless piece of paper anyway) to understand what the outputs say. All you need is some practice, the application of some “common I.T knowledge” and an appreciation of how the filters work.
This article was inspired by the following case study:
http://www.sans.org/reading_room/whitepapers/casestudies/simple-traffic-analysis-ethereal_1631
Next article: Building a secure network, the fundamentals, the high level concepts