http://www.wireshark.org
Step 1: Install Wireshark / Ethereal
Once you have downloaded the installer, run the executable. The installation is very simple: as you can see, it consists of two packages, "Ethereal" and "WinPcap" (the packet-capture driver Ethereal relies on), both grouped in the same installation file.
Step 2: Using Wireshark / Ethereal
You should now be at the main Ethereal window. To capture frames, go to the Capture menu and click Options.
Select the interface on which you want to "listen".
By default the capture buffer (Buffer size) is set to 1 MB. That should be enough; otherwise increase it as you see fit.
Enable capturing in promiscuous mode. This option makes the network adapter accept every frame that reaches it, not only the frames addressed to its own MAC address. Keep in mind that on a switched network the switch only sends your port broadcast, multicast and your own unicast traffic, so you will not see other hosts' conversations unless you are on a hub or the switch mirrors traffic to your port (a SPAN/mirror port).
Leave the Capture Filter empty. We will explore this section later.
Finally click Start. The capture process is underway.
For example, I left the capture running for 30 seconds while browsing web pages. To stop the capture, click Stop. Ethereal then displays the frames received by the NIC in a readable format.
The window is divided into three parts as you can see.
In the first part you can see every frame that Ethereal has captured, with the IP addresses of all the machines involved.
For example, I reloaded the Google home page. You can see that a conversation took place between my machine and Google's web server. We notice that there were many exchanges, and this is normal: loading one page involves the DNS lookup, the TCP handshake and one or more HTTP requests for the page and its images. This part also shows the protocol used in each exchange.
The second part of the window shows the protocol layers decoded for the selected frame (for example Frame, Ethernet, IP, TCP, HTTP), one expandable line per layer. Which layers appear depends on the type of frame and the protocols it carries; it is not a fixed list of the seven OSI layers.
The third and last part shows the raw bytes of the frame in hexadecimal. For example, you can find the bytes of your IP address there: 192.168.1.33 appears as c0 a8 01 21, because an IP address travels on the wire as four bytes, not in the dotted-decimal form you usually see.
Various frames are displayed:
- The first column is the number of the frame.
- The second column is the time elapsed between the start of the capture and the arrival of the frame.
- The third column is the source IP address (or the resolved name of the sending machine).
- The fourth column is the destination IP address (or the resolved name of the receiving machine).
- The fifth column is the highest-level protocol decoded in the frame (TCP, HTTP, DNS, ...).
- The sixth column holds additional information, such as ports, TCP flags or the HTTP request line.
Note that the number of captured frames grows quickly, particularly when several conversations run at the same time, such as when loading several websites. We will see how to filter these frames below. Now open Capture > Capture Filters.
Imagine two machines on your network. The machine running the capture has the IP address 192.168.1.32, and we want to capture only the frames exchanged between it and the second machine, which has the IP address 192.168.1.33.
To do this, enter a name for your filter in the Filter name field, then enter "host 192.168.1.33" in the Filter string field. Finally click Save. (Capture filters use the libpcap/BPF syntax; "host" matches the address as either source or destination.)
Go back to the Capture menu and click Start.
Repeat the same options as before.
Click the Capture Filter button and select your filter.
Then click Start to start the capture with the filter in question.
Another method is to capture every frame first and filter afterwards. The advantage of this approach is that nothing is lost: a capture filter discards non-matching frames for good, whereas a display filter only hides them and can be changed at any time.
To do this, after the capturing frames, go to the Analyze menu and then click Display Filters.
Repeat the same steps as before, but this time enter the value "ip.addr == 192.168.1.33" in the Filter string (display filters use Wireshark's own syntax, not BPF, so the two filters are written differently even though they select the same frames):
Finally click Save and apply the filter: only the desired frames remain visible. Note that there is a faster method: the bar named Filter at the top of the window. Enter "ip.addr == 192.168.1.33" there as before and click Apply; this does the same thing. To return to the full capture, click the Clear button.
Now we will see some options in more detail. Right click on one of the frames.
An interesting feature is Follow TCP Stream. Starting from the selected frame, it reassembles the whole TCP conversation between that frame's source and destination and shows the exchanged data in clear text in a window, so for an unencrypted protocol such as HTTP you read the request and the response exactly as the applications saw them. Warning: using this on other people's traffic without their permission is illegal in most jurisdictions, as it amounts to violating the privacy of correspondence. So make sure you have permission, or do this only on your own network.
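The capture and display filters above ("host 192.168.1.33" versus "ip.addr == 192.168.1.33"), the six packet-list columns and Follow TCP Stream, worked through in code. This is an added example, not part of the original tutorial and not Wireshark's or Ethereal's own code: a small stdlib-only Python reader for the classic pcap format. It builds a constructed capture in memory (the tutorial's 192.168.1.32 and 192.168.1.33, plus a web server at 203.0.113.10, an RFC 5737 documentation address standing in for Google), applies the host filter, produces packet-list-style rows and reassembles both directions of the HTTP conversation in sequence order even though one response segment is recorded out of order. All addresses, ports, payloads and timestamps are assumptions chosen for the demo.

```python
"""Added example: stdlib-only pcap reader mirroring the tutorial's packet-list
columns, the 'host' / 'ip.addr' filters and Follow TCP Stream.
The capture is constructed in memory; no real traffic is read."""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zero checksums (enough for a parsing demo)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte header per record."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)  # 1 s apart (assumed)
    return b"".join(out)


def read_pcap(data):
    """Yield (frame number, absolute timestamp, raw bytes); numbering is 1-based like the No. column."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off, no = 24, 0
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off, no = off + 16, no + 1
        yield no, sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode(frame):
    """Pull the fields the packet-list columns and the filters need out of an Ethernet frame."""
    rec = {"src": None, "dst": None, "proto": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return rec                       # not IPv4 (ARP, IPv6, ...)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    rec.update(src=inet_ntoa(ip[12:16]), dst=inet_ntoa(ip[16:20]),
               src_hex=ip[12:16].hex(), proto=ip[9])  # src_hex: what the bytes pane shows
    if rec["proto"] == 6:
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        rec.update(sport=sport, dport=dport, seq=seq, payload=tcp[(tcp[12] >> 4) * 4:])
    return rec


def host_filter(records, host):
    """Capture filter 'host X' and display filter 'ip.addr == X' select the same frames:
    X as source OR destination ('ip.src == X' would keep only one direction)."""
    return [r for r in records if host in (r["src"], r["dst"])]


def packet_list_rows(records):
    """(No., Time, Source, Destination, Protocol, Info) as in the first pane."""
    rows = []
    for r in records:
        name, info = PROTO_NAMES.get(r["proto"], "non-IPv4"), ""
        if r["proto"] == 6:
            if 80 in (r["sport"], r["dport"]) and r["payload"]:
                name = "HTTP"            # a row is labelled by its highest decoded layer
            info = f"{r['sport']} -> {r['dport']} Seq={r['seq']} Len={len(r['payload'])}"
        rows.append((r["no"], r["time"], r["src"], r["dst"], name, info))
    return rows


def follow_tcp_stream(records, client, server, sport, dport):
    """Rebuild both directions of one conversation in sequence-number order, keyed
    (src, sport, dst, dport); exact retransmissions collapse because seq is the dict key."""
    want = {(client, sport, server, dport), (server, dport, client, sport)}
    segs = {k: {} for k in want}
    for r in records:
        k = (r["src"], r.get("sport"), r["dst"], r.get("dport"))
        if r["proto"] == 6 and r["payload"] and k in want:
            segs[k][r["seq"]] = r["payload"]
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}


# Constructed capture: 192.168.1.32 talks to a web server (203.0.113.10, an RFC 5737
# documentation address) and to 192.168.1.33. Frame 2 is the response's second segment,
# recorded before its first segment (frame 4) to exercise the reassembly.
CAPTURER, PEER, WEB = "192.168.1.32", "192.168.1.33", "203.0.113.10"
REQ = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
RESP1, RESP2 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n", b"hello"
SAMPLE_PCAP = build_pcap([
    build_frame(CAPTURER, WEB, 51000, 80, 1, REQ),
    build_frame(WEB, CAPTURER, 80, 51000, 1 + len(RESP1), RESP2),
    build_frame(PEER, CAPTURER, 40000, 22, 1, b"SSH-2.0-demo\r\n"),
    build_frame(WEB, CAPTURER, 80, 51000, 1, RESP1),
    build_frame(CAPTURER, PEER, 22, 40000, 1, b"SSH-2.0-demo\r\n"),
])


def frame_records(pcap_bytes=SAMPLE_PCAP):
    """Decode a whole capture; Time is seconds since the first frame, as in the Time column."""
    frames = list(read_pcap(pcap_bytes))
    t0 = frames[0][1] if frames else 0
    return [dict(decode(raw), no=no, time=round(ts - t0, 6)) for no, ts, raw in frames]


if __name__ == "__main__":
    recs = frame_records()
    for row in packet_list_rows(host_filter(recs, PEER)):      # only frames 3 and 5
        print(*row, sep="\t")
    for k, data in follow_tcp_stream(recs, CAPTURER, WEB, 51000, 80).items():
        print(k, data)
```

Running it prints the two SSH frames that survive the "host 192.168.1.33" filter and then both directions of the HTTP exchange, with the response correctly ordered despite the out-of-order segment. A real capture saved by Wireshark in the classic pcap format can be fed to frame_records() by passing the file's bytes; the newer pcapng container is not parsed here.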
Now we look at the Print function. It saves to a file all the information about one or more frames, from the three panes described above. For example, suppose you want to keep the information from two or more frames: right-click each of them and select "Mark Packet (toggle)", then click Print.
Check "Output to file", choose a location and a file name (a ".txt" extension is fine), and select "Marked packets only". If you also want the hexadecimal dump, check "Packet bytes". Finally click Print; your file is created.
We have now seen how frames are captured with Wireshark / Ethereal. This software is particularly good value because it is free and open source.
It is mainly used to monitor the network, but it can also be used for troubleshooting in some cases; this tutorial is aimed mostly at people with a good grasp of computer networking. Note that we have only covered the main function of the software. I could go on to explore its plethora of options, but I'll leave that to you.
Published by ssb