What is Wireshark
According to Wireshark.org:
Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.
What does this mean to you? This means Wireshark allows you to view network traffic. The way in which you capture the network traffic further refines this statement, but basically, you can look at network traffic.
What do you mean by capture traffic?
Well, there are two ways to view traffic, live or… well dead I suppose. Live captures can be useful for seeing what is going across your network, or what your machine is doing at that moment, but it’s not easy to analyse live traffic as your interrogation of the data will change at each step.
A recorded live stream is saved off into a .pcapng file, these were formally .pcap files and most people will refer to a saved network stream simply as a “pcap” (pe-cap).
Most analysis is done on a pcap file, whether this is a network forensics looking for illegal activity, a malware specialist looking at command and control traffic or a SOC analyst investigating and intrusion detection signature firing.
Where and how do you capture data?
There are a lot of possible answers to this, but I will give two simple answers.
- On your local machine, capturing your own network interface card
- On a network, aided by a network device, such as a switch with a span port, or specially designed network device known as a tap.
The network traffic is then stored into data files, typically a pcap (pcapng). It is possible to store the data in other formats, but that is outside the scope of this post.
The method of capturing data is not important at this stage. Just bear in mind that Wireshark is used to capture data on a local machine. There is the option of the GUI or command line interface (CLI) version. Previously this was called “tshark” however since version 2 this seems to be the same as typing “wireshark” into the CLI.
Why do you need to capture data?
When a company captures all network traffic entering, leaving and traversing their network, they are said to have “full packet capture”. By having this in place they enable their security analysts to prove if something happened.
Picture the scene:
You are eagerly sat reviewing Arcsight/Logrhythm/, an alert pops up from your Intrusion Detection System (IDS). The alert reads something along the lines of “Bash vulnerability attempt”. Immediately you think of Shellshock and try to remember if that got patched. You ask the IT guy who shrugs at you and mumbles something about patching causing more problems than it fixes. The trigger packet (typically a single packet) on the IDS shows the attack, with a wget calling out to a tools server pulling down a script.
You are at the Schrödinger’s stage of compromise. You are both totally owned and 100% safe all at the same time. Without full packet capture you are now destined to explain to the IT guy why he has to pull log files, patch his server (if it’s not already done) and generally do as you tell him. This requires a booking code, justification, and explaining to various levels of management that you don’t know if the system is compromised or not.
Now let’s assume you have full packet capture.
You get the same alert, you retrieve the packets from your full packet capture system (there are many ways to do this… lets say you have a specialist product for this) and begin to investigate. You see the initial packet…… you see the tell-tale parenthesis of the shellshock, followed by the call out for the script….. did it work? The server only responded with reset (RST) packets. The tools server has not been contacted at all.
You can now escalate this as a true positive (alert fired correctly) that was thwarted by the security tools (OK, it was thwarted by the fact the server wasn’t vulnerable, but hey). The IT guy can carry on eating his doughnuts and the managers can have ten meetings to decide that you are awesome. Well done.
Ok, slightly silly example, but you get the idea.
So why do I care?
As the scenario shows being able to manipulate packets, or network data, whichever term you prefer, can calm a potentially bad situation by having visibility. It takes away the requirement to guess. The program that you would use to investigate the pcaps in this scenario would be Wireshark. It is free, easy to learn and has the depth to challenge even the most experienced analyst.
By understanding the basics of the program, you will be able to find a wealth of information.
My next set of blog posts will take us through Wireshark basics and up to an intermediate level. The posts will be technical in nature and you will need to have a basic understanding of networks.
Until next time🙂