
PACKET ANALYSIS WITH WIRESHARK

ITAS 175 LOCAL AREA NETWORKS

MATTHEW BROWN, YEAR ONE


FEBRUARY 16TH, 2009

TABLE OF CONTENTS
INTRODUCTION 3
ANALYSIS 3
CONCLUSION 5
REFERENCES 6

INTRODUCTION
It is sometimes necessary to analyze network traffic to assess security risks and vulnerabilities or to assess if clients are using the network infrastructure for its intended purpose. Wireshark is a free network analysis application that is relatively lightweight and provides a vast array of analysis tools. The program is used to capture traffic on the network in the form of individual packets of data. The design of Wireshark allows captured packets to be easily organized based on protocol, source IP, destination IP or one of a number of additional characteristics. The ability to capture and organize packets in this way makes Wireshark an invaluable tool to a network analyst or security enthusiast.

ANALYSIS
Image One (Windows)

Frame numbers 42 and 44 in Image One represent a DHCP offer being broadcast from my home router to my machine and my machine's acknowledgement of the offer. This exchange was initiated by opening the command prompt and entering ipconfig /release and then ipconfig /renew. There is a timestamp on the packet as well as a source IP address, which, for a DHCP offer, will usually be the IP address of the router. The destination IP of 255.255.255.255 means that the destination address of the packet to be routed must exactly match the Network Address for this route to be used [1]. In the area of Image One directly below the list of packets there is more detailed information about the selected packet. The first line lists the frame number, the size of the packet as it travels along the CAT6 line and the size of the packet as captured by Wireshark. In this example we can see that the size of the packet on the wire matches the amount of data captured by Wireshark, which means that the packet was fully captured. We can also see the source and destination MAC and IP addresses as well as the source and destination ports.
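The two checks described for Image One (bytes on the wire versus bytes captured, and which DHCP message a frame carries) can also be done outside Wireshark by reading the pcap file directly. The script below is an added example, not part of the assignment or of Wireshark; the function names (dhcp_frame, pcap_file, pcap_records, dhcp_message_type, audit), the MAC and IP addresses and the 290-byte snapshot length are all constructed for this example. It builds a two-frame capture (a complete DHCP Offer and a DHCP Request cut short by the snapshot length) and reports, per frame, whether the capture is complete and what DHCP message it contains.

```python
import struct
from socket import inet_aton
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}
COOKIE = b"\x63\x82\x53\x63"   # magic cookie that ends the 236-byte fixed BOOTP header

def dhcp_frame(msg_type, src_ip, dst_ip, sport, dport, extra_opts=b""):
    # Constructed Ethernet/IPv4/UDP/DHCP frame (sample addresses); IP and UDP checksums left as zero.
    fixed = struct.pack("!BBBBIHH4s4s", 2 if msg_type in (2, 5) else 1, 1, 6, 0, 0x3903F326, 0,
                        0x8000, b"\0" * 4, inet_aton("192.168.1.23")) + b"\0" * 216  # rest zeroed
    dhcp = fixed + COOKIE + bytes([53, 1, msg_type]) + extra_opts + b"\xff"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                       inet_aton(src_ip), inet_aton(dst_ip)) + udp
    return b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + ipv4

def pcap_file(frames, snaplen):
    # Constructed classic little-endian pcap, linktype 1 (Ethernet); each record is cut at snaplen.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1234567890 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

def pcap_records(data):
    # (frame_no, bytes_captured, bytes_on_wire, frame) per record: the fields on Wireshark's first line.
    order, off, records = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24, []
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        records.append((len(records) + 1, incl, orig, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records

def dhcp_message_type(frame):
    # Option 53 value, or None if the frame is not IPv4/UDP from port 67/68 or the option was cut off.
    udp = 14 + (frame[14] & 0x0F) * 4 if len(frame) > 34 else len(frame)
    body = frame[udp + 8:]
    if (frame[12:14] != b"\x08\x00" or frame[23:24] != b"\x11"          # not IPv4, not UDP
            or frame[udp:udp + 2] not in (b"\x00\x43", b"\x00\x44") or body[236:240] != COOKIE):
        return None
    opts, i = body[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:          # stop at End, or if a length byte is missing
        code, length = opts[i], opts[i + 1]
        if code == 53 and i + 2 < len(opts):
            return opts[i + 2]
        i += 1 if code == 0 else 2 + length              # option 0 is a one-byte pad
    return None

def audit(data):   # per record: (frame_no, captured, on_wire, fully_captured, DHCP message name)
    return [(n, i, o, i == o, DHCP_TYPES.get(dhcp_message_type(f))) for n, i, o, f in pcap_records(data)]
OFFER = dhcp_frame(2, "192.168.1.1", "255.255.255.255", 67, 68)
REQUEST = dhcp_frame(3, "0.0.0.0", "255.255.255.255", 68, 67, bytes([50, 4]) + inet_aton("192.168.1.23"))
SAMPLE_PCAP = pcap_file([OFFER, REQUEST], snaplen=290)   # 290 bytes: Offer fits, Request is cut short
```

A frame whose captured length is below its on-wire length was cut by the capture snapshot length, so any field past the cut (here, later DHCP options) is simply absent rather than wrong; the parser returns None instead of reading past the end.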

Image Two (Ubuntu)

Wireshark's Ubuntu version looks almost identical to the Windows copy. Packets are captured and sorted in the same ways and the data read-out from the captures is laid out in a similar manner. In Ubuntu, I started instant messaging with a friend while capturing MSNMS packets to reconstruct the conversation. The screenshot above shows a selection of the packets I captured from the brief conversation. Frame 43 (highlighted in the image) contained data that clearly shows the text of the message, "wireshark is the same in ubuntu", as can be seen in the bottom three lines of text in Image Two. The Ubuntu version of Wireshark provides the same IP, port and size information as the Windows version.

I used Wireshark's filtering capabilities to select only the packets using the MSNMS protocol. From there, by opening the Analyze menu and selecting Follow TCP Stream, the program can be used to rebuild the conversation; the results can be dumped to a text file that will look something like Image Three.

Image Three (MSN text dump)

The results may look somewhat cryptic, but once you know what you're looking for it's quite easy to piece together the original conversation that took place. The message contents have been outlined in red for this example.

CONCLUSION
This assignment has taught me the power and versatility of Wireshark. Its ability to capture and finely filter network traffic means that it can be incredibly powerful and informative in the hands of a skilled user. Wireshark can be used for anything from simple exploration to serious network security analysis. The amount of information the application captures is quite amazing. I'm sure I have barely scratched the surface of what the program can do and I look forward to (white-hat!) experimenting with it more in the future.

REFERENCES
[1] TCP/IP Routing Basics for Windows NT. February 20, 2007. Microsoft, Inc. 2009. <http://support.microsoft.com/kb/140859>
