
Network security 2018-19

Wireshark
Project report submitted
In partial fulfilment of the requirement for the Diploma of
Network security
By
Amar Tripathi (1614110724)
Himanshu Kumar (1614110740)
Sandeep Kumar Sinha (1614110734)

Under the Guidance of


Prof. SUCHITA JADHAV

DEPARTMENT OF NETWORK SECURITY
BHARATI VIDYAPEETH (Deemed to be University)
COLLEGE OF ENGINEERING, PUNE - 411043


(2018-19)
BHARATI VIDYAPEETH (DEEMED TO BE UNIVERSITY),
COLLEGE OF ENGINEERING, PUNE - 43

CERTIFICATE
This is to certify that the project report titled WIRESHARK has been carried out
by the following students:
1. Amar Tripathi
2. Himanshu Kumar
3. Sandeep Kumar Sinha

Under the supervision of Suchita Jadhav in partial fulfilment of the diploma in
Network Security of Bharati Vidyapeeth (Deemed to be University), College of
Engineering, Pune during the academic year 2018-19.

Guide: NS Co-ordinator
Place:
Date:

ACKNOWLEDGEMENTS
It gives me pleasure in presenting the project report for my project on
“WIRESHARK”.
I would like to take this opportunity to thank my guide Prof. Suchita
Jadhav for giving me all the help and guidance I needed. I am really
grateful to her for her kind support throughout the project. Her
valuable criticism and suggestions were very helpful.

I am grateful to PROF. ANAND R. BHALERAO, PRINCIPAL, BHARATI VIDYAPEETH
(Deemed to be University) COLLEGE OF ENGINEERING, Pune, for his indispensable
support, priceless suggestions and for the most valuable time lent as and when
required.

In the end, my special thanks to Prof. P. S. CHAVAN for providing resources such
as an equipped laboratory with all needed software platforms and a continuous
internet connection for my project work.

Amar Tripathi(1614111344)
Himanshu Kumar(1614111141)
Sandeep Kumar Sinha(1614111117)


Table of Contents

CHAPTER - 1 INTRODUCTION
CHAPTER - 2 REVIEW OF LITERATURE
CHAPTER - 3 CAPTURING DATA PACKETS
CHAPTER - 4 IDENTIFYING AND ANALYSING PROTOCOLS
CHAPTER - 5 ISOLATING AND IDENTIFYING SOURCE AND DESTINATION TRAFFIC
CHAPTER - 6 INSPECTING THE CONTENTS OF DATA PACKETS
CHAPTER - 7 SUMMARY AND CONCLUSION


Chapter - 1
Introduction
Wireshark is a free and open-source packet analyzer. It is used
for network troubleshooting, analysis, software and communications
protocol development, and education. Originally named Ethereal, the project
was renamed Wireshark in May 2006 due to trademark issues.

Wireshark is cross-platform, using the Qt widget toolkit in current releases to
implement its user interface, and using pcap to capture packets; it runs on Linux,
macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft
Windows. There is also a terminal-based (non-GUI) version called TShark.
Wireshark, and the other programs distributed with it such as TShark, are free
software, released under the terms of the GNU General Public License.

Wireshark is the world’s foremost and most widely used network protocol analyzer.
It lets you see what’s happening on your network at a microscopic level and is the
de facto (and often de jure) standard across many commercial and non-profit
enterprises, government agencies, and educational institutions. Wireshark
development thrives thanks to the volunteer contributions of networking experts
around the globe and is the continuation of a project started by Gerald Combs in
1998.
Features
• Deep inspection of hundreds of protocols, with more being added all the
time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD,
NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode
TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap
NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network
Monitor, Network General Sniffer® (compressed and uncompressed),
Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen
snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer,
Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual
UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM,
Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending
on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP,
Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text.

Functionality

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some
integrated sorting and filtering options.

Wireshark lets the user put network interface controllers into promiscuous mode
(if supported by the network interface controller), so they can see all the traffic
visible on that interface including unicast traffic not sent to that network interface
controller's MAC address. However, when capturing with a packet analyzer in
promiscuous mode on a port on a network switch, not all traffic through the
switch is necessarily sent to the port where the capture is done, so capturing in
promiscuous mode is not necessarily sufficient to see all network traffic. Port
mirroring or various network taps extend capture to any point on the network.
Simple passive taps are extremely resistant to tampering.

On GNU/Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and
later can also put wireless network interface controllers into monitor mode.


Chapter - 2
REVIEW OF LITERATURE

In the late 1990s, Gerald Combs, a computer science graduate of the University
of Missouri–Kansas City, was working for a small Internet service provider. The
commercial protocol analysis products at the time were priced around $1500 and
did not run on the company's primary platforms (Solaris and Linux), so Gerald
began writing Ethereal and released the first version around 1998. The Ethereal
trademark is owned by Network Integration Services.

In May 2006, Combs accepted a job with CACE Technologies. Combs still held
copyright on most of Ethereal's source code (and the rest was re-distributable
under the GNU GPL), so he used the contents of the Ethereal Subversion
repository as the basis for the Wireshark repository. However, he did not own the
Ethereal trademark, so he changed the name to Wireshark. In 2010 Riverbed
Technology purchased CACE and took over as the primary sponsor of Wireshark.
Ethereal development has ceased, and an Ethereal security advisory
recommended switching to Wireshark.

Wireshark has won several industry awards over the years, including from eWeek,
InfoWorld, and PC Magazine. It is also the top-rated packet sniffer in the
Insecure.Org network security tools survey and was the SourceForge Project of
the Month in August 2010.

Combs continues to maintain the overall code of Wireshark and issue releases of
new versions of the software. The product website lists over 600 additional
contributing authors.


Chapter - 3
CAPTURING DATA PACKETS

If a remote machine captures packets and sends the captured packets to a machine
running Wireshark using the TZSP protocol or the protocol used by OmniPeek,
Wireshark dissects those packets, so it can analyze packets captured on a remote
machine at the time that they are captured.

Once Wireshark finishes loading you will see a window similar to the one above. In
the foreground we have three separate sections. In the first section you may open
capture files that you have captured from Wireshark previously or from other
capture tools. Wireshark uses .pcapng as its default file format.
Capture …using this filter:


In this combo text box you may add filters using the BPF (Berkeley Packet Filter)
syntax to tell Wireshark exactly what kind of packets you would like it to capture,
but for now we are going to leave this blank. Underneath this text box you will
see a list of the interfaces on your computer that Wireshark is capable of
interacting with, followed by a line graph that displays any activity detected
on those interfaces.

In this section are useful links to get directly to the manual, wiki, Q&A and
mailing lists.

To begin our first capture you may double-click on the interface that you would
like to capture from, or highlight it and click the blue shark-fin button under the
File menu on the main toolbar. If you’re connected to a network that has any
activity you will start to see some packets being captured. Let the sniff run for
a while to collect some packets and then press the red square button or Capture >
Stop from the menu to stop the capture.
Wireshark sniffs packets in promiscuous mode by default, but can also sniff in
monitor mode on compatible wireless interfaces. By selecting the Capture >
Options menu, or by clicking the capture options button on the toolbar, you may
open the Capture Options window. Monitor mode may then be enabled by
clicking the checkbox under the Monitor Mode column in the Input tab.
Note: When running a packet capture, Wireshark will continue to capture packets
until it runs out of memory, at which time the program will crash. You may
specify file size parameters for Wireshark to follow while making captures in the
Capture Options window under the Output tab.
So in the body of the main window are three stacked frames, each containing
different data. The top frame has a table which contains many rows, each row
representing one captured packet, and seven columns by default: No. - the number
of the packet in order of receipt, Time - the time since the capture was initiated
at which each packet was captured, Source - the IP address of the packet source,
Destination - the IP address of the packet destination, Protocol - the protocol that
the packet is using, Length - the total length of the packet in bytes, and Info - a
summary of what is contained in the packet.
These columns are configurable in many different ways by right-clicking the top
of the column and selecting “Edit Column”, or by clicking the menu Edit >
Preferences and selecting Columns under the Appearance menu. Here you may
add columns, remove columns, or change the label or data format that appears.
Right-click on the top of the Time column, select Edit Column and change the
time format to any UTC time using the combo box, which will show you all of
the possible data types that can be displayed. After changing the time format,
click OK on the right side of the toolbar. The time displayed should now be in
UTC rather than time since the capture was initiated. The captured packets
table color scheme can also be edited by clicking View > Coloring Rules. You
may also create several different profiles for different types of work by clicking
the menu Edit > Configuration Profiles.


Chapter - 4
IDENTIFYING AND ANALYSING PROTOCOLS

Here we use the filter tool for identifying and analysing protocols. Wireshark’s
real power comes in the way in which it can filter data, allowing you to find
exactly what you’re looking for quickly. There are two different types of filters
used in Wireshark, and it is important to understand their uses and differences.
Display filters allow you to filter all of the captured packets based on many
components of the packet, using expressions which can easily be saved for
future use as buttons by typing the expression and then clicking the + button. In
the next screenshot notice that under the main toolbar I have added two buttons.
One is labeled DST.239, which will automatically apply the display filter
expression located in the filter text box, and another clears all display filters.
Notice how applying this filter has removed all packets from the display frame
except for those that have the specified destination IP. Display filters are a
robust tool that can allow you to quickly find the information you’re looking
for. The complete syntax of these expressions can be found in the Wireshark
manual, but we will cover a few basic ones to get you started.
ip.addr == 192.168.1.3 && dns
This filter displays any captured packets that come from or go to the IP address
192.168.1.3 and also use the DNS protocol.

ip.addr != 192.168.1.2 && dns
This filter displays any DNS protocol packets that neither originate from nor go
to the IP address referenced. This would be useful to omit your device from the
results if you are looking for problems or interesting packets elsewhere.

http && ip.src==192.168.1.3 && ip.dst==172.217.4.77
This filter displays only packets that are using the HTTP protocol, originate from
192.168.1.3 and are also sent to 172.217.4.77.

Note: Display filters and capture filters are not the same thing. Capture filters
use the BPF syntax and prevent Wireshark from capturing any packets other than
those specified in the filter.
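The following Python script is an added example, not code from the report or from Wireshark: it models how Wireshark evaluates display filters such as the three above over a small packet table, so the effect of each operator can be checked without a live capture. The packet records, the evaluator and the function names are my own construction. It also makes visible a caveat that a practitioner should know about the second filter: ip.addr is a field that occurs twice in an IP packet (source and destination), and the Wireshark releases current when this report was written evaluated "!=" as "some occurrence differs", so ip.addr != 192.168.1.2 kept almost every DNS packet; Wireshark 3.6 and later read "!=" as "no occurrence equals", and !(ip.addr == 192.168.1.2) gives the "neither end" meaning on any version.

```python
import re

# Constructed sample capture (not real traffic): one record per packet,
# mirroring the Source / Destination / Protocol columns of the packet list.
PACKETS = [
    {"no": 1, "protos": {"ip", "udp", "dns"},  "ip.src": "192.168.1.3",  "ip.dst": "192.168.1.1"},
    {"no": 2, "protos": {"ip", "udp", "dns"},  "ip.src": "192.168.1.1",  "ip.dst": "192.168.1.3"},
    {"no": 3, "protos": {"ip", "udp", "dns"},  "ip.src": "192.168.1.2",  "ip.dst": "192.168.1.1"},
    {"no": 4, "protos": {"ip", "tcp", "http"}, "ip.src": "192.168.1.3",  "ip.dst": "172.217.4.77"},
    {"no": 5, "protos": {"ip", "tcp", "http"}, "ip.src": "172.217.4.77", "ip.dst": "192.168.1.3"},
    {"no": 6, "protos": {"arp"}},                      # no IP layer at all
]

TOKEN = re.compile(r"\s*(&&|\|\||==|!=|[()!]|[A-Za-z_][\w.]*|[\d.]+)")


def tokenize(expr):
    """Split a display filter into operator, field-name and value tokens."""
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def field_values(pkt, name):
    """Every occurrence of a field in a packet; ip.addr stands for src and dst."""
    if name == "ip.addr":
        return [pkt[k] for k in ("ip.src", "ip.dst") if k in pkt]
    return [pkt[name]] if name in pkt else []


class Parser:
    """Recursive descent over tokens: or_expr > and_expr > unary > leaf."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok == "!":
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in ("==", "!="):
            return ("cmp", tok, self.take(), self.take())
        return ("proto", tok)          # bare name: "is this protocol present?"


def matches(node, pkt, legacy_any_ne=False):
    """Evaluate an AST against one packet record.

    "==" is true if *some* occurrence of the field equals the value. For "!="
    Wireshark 3.6 and later require *every* occurrence to differ (so the field
    must be present); legacy_any_ne=True reproduces the older "some occurrence
    differs" rule of the releases current when this report was written.
    """
    kind = node[0]
    if kind == "proto":
        return node[1] in pkt["protos"]
    if kind == "cmp":
        _, name, op, value = node
        vals = field_values(pkt, name)
        if op == "==":
            return any(v == value for v in vals)
        if legacy_any_ne:
            return any(v != value for v in vals)
        return bool(vals) and all(v != value for v in vals)
    if kind == "not":
        return not matches(node[1], pkt, legacy_any_ne)
    left = matches(node[1], pkt, legacy_any_ne)
    right = matches(node[2], pkt, legacy_any_ne)
    return (left and right) if kind == "and" else (left or right)


def apply_filter(expr, packets=PACKETS, legacy_any_ne=False):
    """Return the No. column of every packet the display filter keeps."""
    parser = Parser(expr)
    ast = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return [p["no"] for p in packets if matches(ast, p, legacy_any_ne)]
```

Running apply_filter("ip.addr != 192.168.1.2 && dns") returns packets 1 and 2, while the same call with legacy_any_ne=True also returns packet 3, whose source is 192.168.1.2; that is exactly the surprise users of older releases hit. The third filter from the report returns only packet 4, because ip.src and ip.dst each occur once and must match in the stated direction.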


Individual packets of interest can be opened in a separate window by
double-clicking on them. You can also follow a stream of packets by right-clicking
on a packet, clicking Follow and then selecting the type of stream that the packet
is a part of.
Sniffing for a Man in the Middle
Now we are going to initiate a Man in the Middle (MitM) attack while using
Wireshark to sniff for TLS/SSL exchanges and browser cookies that could be
used to hijack a browser session. In a MitM attack the attacker tricks two devices
into sending all of their packets to the attacker’s device instead of directly to each
other while the attacker is actively eavesdropping on and then forwarding these
packets to avoid interrupting the connection. In this part of the tutorial I will be
using the Linux tool ettercap to automate the process of ARP-Cache poisoning to
create a MitM between a target device and a wireless router. Before we initiate
an ARP-Cache Poisoning attack we need to ensure that our interface is set to
forward packets by issuing the following command: sysctl -w net.ipv4.ip_forward=1
We then start a new capture in Wireshark and open ettercap to initiate the ARP
poisoning.
Upon opening ettercap I select Hosts > Scan for Hosts on the menu bar. After
ettercap has finished identifying hosts I want to CTRL+click my target
computer’s ip (192.168.1.3, in this instance) and the router’s IP and then on the
menu click Mitm > Arp Poisoning.
A window appears and I will check Sniff remote connections.
Now that I am attempting ARP-Poisoning I will go to Wireshark and see if there
are any interesting packets.
You will notice the ARP Poisoning packets telling the Router and the Target
device the misleading information. Now that we are eavesdropping on the
connections between the router and the target we can search for vulnerabilities
using Wireshark. In this instance I am using the display filter:
ip.addr == 192.168.1.3 && ssl
This will display for me packets captured from the MitM target involving SSL.
There are several ways in which attackers exploit a target once a MitM has been
established. Hijacking the cookies of a browser session can allow an attacker to
login to accounts associated with the target device with ease, exposing the target
to a significant security breach. This type of attack is known as Session Hijacking.


One of the more common methods to facilitate this attack is to use the Linux
packages ferret and hamster. In this exploit we have three tools performing
activities that enable the compromise. Ettercap initiates an ARP-poisoning attack,
tricking the target and the router into forwarding all packets through the attacker’s
device. Ferret sniffs the cookies during this transaction, stealing the target’s
cookies. Then finally hamster is used to replace the attacker’s cookies with the
target’s, giving the attacker hijacked browser sessions for any of the cookies that
were compromised.
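Seen from the defender's side, the misleading ARP replies mentioned above are also what gives the attack away in a capture: one IP address being answered for by two different MAC addresses is the classic sign of ARP-cache poisoning, and Wireshark's ARP dissector raises an expert-info warning for it (filterable as arp.duplicate-address-detected). The Python below, an added example rather than code from the report or from Wireshark, performs the same check over constructed ARP frames so the logic can be seen in isolation; the MAC and IP addresses, the frame builder and the function names are my own construction.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(map(int, text.split(".")))


def arp_frame(sender_mac, sender_ip, target_mac, target_ip, opcode=ARP_REPLY):
    """Build a constructed Ethernet/ARP frame (test data, not captured traffic)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode, smac, sip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[4:7]
    return opcode, smac.hex(":"), ".".join(map(str, sip))


def find_arp_conflicts(frames):
    """Flag an IP whose ARP replies come from more than one MAC (as arpwatch does).

    Returns (frame number, IP, MAC first seen for it, conflicting MAC) tuples.
    """
    first_seen = {}
    alerts = []
    for no, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                      # requests carry no claim worth tracking here
        _, mac, ip = parsed
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((no, ip, known, mac))
    return alerts


# Constructed capture: a request, legitimate replies from the router (.1) and a
# host (.3), then a third MAC answering for both addresses at once.
ROUTER, HOST, OTHER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:ff"
SAMPLE = [
    arp_frame(HOST, "192.168.1.3", ROUTER, "192.168.1.1", opcode=ARP_REQUEST),
    arp_frame(ROUTER, "192.168.1.1", HOST, "192.168.1.3"),
    arp_frame(HOST, "192.168.1.3", ROUTER, "192.168.1.1"),
    arp_frame(OTHER, "192.168.1.1", HOST, "192.168.1.3"),
    arp_frame(OTHER, "192.168.1.3", ROUTER, "192.168.1.1"),
]

if __name__ == "__main__":
    for no, ip, known, mac in find_arp_conflicts(SAMPLE):
        print(f"frame {no}: {ip} was {known}, now also claimed by {mac}")
```

On the sample, frames 4 and 5 are flagged because 192.168.1.1 and 192.168.1.3 are each claimed by a MAC that differs from the one first seen replying for them. The check keeps the first mapping as the reference, which is the right choice for a capture started before the poisoning; a legitimate change of hardware also trips it, so in practice the alert is reviewed rather than acted on automatically.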


Chapter - 5
ISOLATING AND IDENTIFYING SOURCE AND DESTINATION TRAFFIC

Test Run for Ethernet

1. Start up your favorite web browser.
2. Start up the Wireshark software. You will initially see the main window, except
that no packet data will be displayed in the packet-listing, packet-header, or
packet-contents window, since Wireshark has not yet begun capturing packets.
Make sure you check “Don't show this message again” and press “OK” on the
small dialog box that pops up.
3. To begin packet capture, select the Capture pull down menu and select
Interfaces. This will cause the “Wireshark: Capture Interfaces” window to be
displayed.
4. The network interfaces (i.e., the physical connections) that your computer has
to the network are listed. The attached snapshot was taken from my computer. You
may not see the exact same entries when you perform a capture in the lab. You
will notice that eth0 and eth1 are displayed. Click “Start” for interface eth0.
Packet capture will now begin: all packets being sent/received from/by your
computer are now being captured by Wireshark!
5. If you started your Web browser on PC1, you can only connect to PC2 and
PC9. If you want to connect to PC2, identify the IP address of its eth0. The IP
address is 10.0.1.3. If you wanted to connect to PC9, the IP address would be
10.0.1.17. While Wireshark is running, enter the URL
http://10.0.1.3/INTRO.htm to connect to the web server on PC2 and have that
page displayed in your browser. In order to display this page, your browser will
contact the HTTP server at 10.0.1.3(PC2) and exchange HTTP messages with the
server in order to download this page. The Ethernet frames containing these
HTTP messages will be captured by Wireshark.
6. After your browser has displayed the intro.htm page, stop Wireshark packet
capture by selecting Stop in the Wireshark capture window. This will cause the
Wireshark capture window to disappear and the main Wireshark window to
display all packets captured since you began packet capture. You now have live
packet data that contains all protocol messages exchanged between your computer
and other network entities! The HTTP message exchanges with the PC2 web
server should appear somewhere in the listing of packets captured. But there will
be many other types of packets displayed as well (see, e.g., the many different
protocol types shown in the Protocol column in Figure 2). Even though the only
action you took was to download a web page, there were evidently many other
protocols running on your computer that are unseen by the user.
7. Type in “http” (without the quotes, and in lower case – all protocol names are
in lower case in Wireshark) into the display filter specification window at the top
of the main Wireshark window. Then select Apply (to the right of where you
entered “http”). This will cause only HTTP messages to be displayed in the
packet-listing window.
8. Select the first http message shown in the packet-listing window. This should
be the HTTP GET message that was sent from your computer (e.g. PC1) to the
PC2 HTTP server. When you select the HTTP GET message, the Ethernet frame,
IP datagram, TCP segment, and HTTP message header information will be
displayed in the packet-header window. By clicking on the right-pointing and
down-pointing arrowheads to the left side of the packet details window, minimize
the amount of Frame, Ethernet, Internet Protocol, and Transmission Control
Protocol information displayed. Maximize the amount of information displayed
about the HTTP protocol. Your Wireshark display should now look roughly as
shown (note, in particular, the minimized amount of protocol information for all
protocols except HTTP, and the maximized amount of protocol information for
HTTP in the packet-header window).
9. Exit Wireshark


Test run for PCAP

• The very first step for us is to open Wireshark and tell it which interface to
start monitoring.
• Next, we have to decide whether we want to monitor the network or the
workstation.
• Next, after selecting network monitoring, we open the selected browser and
open any image or any data input.
• Next, in the PCAP we find our data (image or input data) in an encrypted
format.
• Next, this encrypted form of data can easily be decoded into text format.


Chapter - 6
INSPECTING THE CONTENTS OF DATA PACKETS

Once you have captured some packets or you have opened a previously saved
capture file, you can view the packets that are displayed in the packet list pane
by simply clicking on a packet in the packet list pane, which will bring up the
selected packet in the tree view and byte view panes.

You can then expand any part of the tree to view detailed information about
each protocol in each packet. Clicking on an item in the tree will highlight the
corresponding bytes in the byte view. An example with a TCP packet selected is
shown in the accompanying figure. It also has the Acknowledgment number in the
TCP header selected, which shows up in the byte view as the selected bytes.
You can also select and view packets the same way while Wireshark is
capturing if you selected “Update list of packets in real time” in the “Capture
Preferences” dialog box.

In addition, you can view individual packets in a separate window, as shown in
“Viewing a”. You can do this by double-clicking on an item in the packet list or
by selecting the packet in which you are interested in the packet list pane and
selecting View → Show Packet in New Window. This allows you to easily
compare two or more packets, even across multiple files.
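To make concrete what the tree view and byte view are showing, and what steps 7 and 8 of the Ethernet test run in Chapter 5 ask you to find, here is an added Python example that is not code from the report or from Wireshark. It writes and reads a minimal libpcap file, dissects an Ethernet/IPv4/TCP/HTTP frame into Wireshark-style field names with the byte offset and length of each field, verifies the IPv4 header checksum, and returns the exact bytes that would be highlighted when, for instance, the Acknowledgment number is clicked. The frame, the MAC addresses, PC1's address 10.0.1.2, the port and sequence numbers and the function names are constructed test data (only PC2's 10.0.1.3 and the INTRO.htm request come from the report); the pcap file is built in memory.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_http_frame(src_ip, dst_ip, sport, dport, seq, ack, request):
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request (test data)."""
    ip = lambda s: bytes(map(int, s.split(".")))
    # TCP: data offset 5 (20 bytes), flags PSH+ACK, checksum left at 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(request),
                         0x1234, 0x4000, 64, 6, 0, ip(src_ip), ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("aaaaaaaaaa03") + bytes.fromhex("aaaaaaaaaa02") + b"\x08\x00"
    return eth + ip_hdr + tcp + request


def write_pcap(frames):
    """Serialize (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse a libpcap file into (timestamp, frame) pairs, honouring byte order."""
    for end in ("<", ">"):
        if struct.unpack(end + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        records.append((sec + usec / 1e6, data[pos:pos + incl]))
        pos += incl
    return records


def dissect(frame):
    """Map Wireshark-style field names to (value, byte offset, length)."""
    fields = {"eth.dst": (frame[0:6].hex(":"), 0, 6),
              "eth.src": (frame[6:12].hex(":"), 6, 6)}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields["eth.type"] = (ethertype, 12, 2)
    if ethertype != 0x0800:                       # not IPv4: stop at Ethernet
        return fields
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    fields["ip.proto"] = (ip_hdr[9], 23, 1)
    fields["ip.checksum.status"] = ("good" if ipv4_checksum(ip_hdr) == 0 else "bad", 24, 2)
    fields["ip.src"] = (".".join(map(str, ip_hdr[12:16])), 26, 4)
    fields["ip.dst"] = (".".join(map(str, ip_hdr[16:20])), 30, 4)
    if ip_hdr[9] != 6:                            # not TCP
        return fields
    t = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    hlen = (off_flags >> 12) * 4
    fields.update({"tcp.srcport": (sport, t, 2), "tcp.dstport": (dport, t + 2, 2),
                   "tcp.seq": (seq, t + 4, 4), "tcp.ack": (ack, t + 8, 4),
                   "tcp.flags": (off_flags & 0x0FFF, t + 12, 2)})   # 12 bits, as Wireshark shows
    payload = frame[t + hlen:]
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        line = payload.split(b"\r\n", 1)[0]
        fields["http.request.line"] = (line.decode("ascii", "replace"), t + hlen, len(line))
    return fields


def selected_bytes(frame, name):
    """Hex of the bytes the byte view highlights when `name` is clicked in the tree."""
    _value, off, length = dissect(frame)[name]
    return frame[off:off + length].hex()


# Constructed example: the GET for INTRO.htm from Chapter 5, PC1 -> PC2.
FRAME = build_http_frame("10.0.1.2", "10.0.1.3", 50000, 80, 1000, 0x1234ABCD,
                         b"GET /INTRO.htm HTTP/1.1\r\nHost: 10.0.1.3\r\n\r\n")
CAPTURE = write_pcap([(1550000000.25, FRAME)])

if __name__ == "__main__":
    for name, (value, off, length) in dissect(read_pcap(CAPTURE)[0][1]).items():
        print(f"{name:22} {str(value):28} bytes {off}-{off + length - 1}")
```

The offsets are what the byte view tells you implicitly: the Acknowledgment number of a TCP segment in an untagged Ethernet frame with a 20-byte IP header sits at bytes 42-45, so selecting tcp.ack on this frame highlights 12 34 ab cd. The checksum status field is the kind of check worth having in a dissector of your own, since a frame that Wireshark marks as having a bad IP checksum is often a capture-side artifact (checksum offload) rather than corruption on the wire.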


Chapter - 7
Conclusion

Wireshark is a great way to get familiar with the communication processes that
happen behind the scenes in networks. I encourage you to further familiarize
yourself with Wireshark by checking out the manual, wiki and even the man page
on Linux. Wireshark’s functionality is also not limited to just Ethernet and Wi-Fi;
it is also capable of sniffing on a Bluetooth interface and any radio signals through
an SDR (Software Defined Radio) interface. Knowing how to use Wireshark
effectively can make network troubleshooting easier. Understanding how packets
flow through interfaces and what it looks like when malicious activity is
occurring is a skill that cybersecurity experts must master. Using Wireshark often
and in a variety of network configurations and environments is a quick way to
learn how to keep networks safe and where their vulnerabilities lie.
Analyzing a packet capture (PCAP) file is a matter of thinking about the problem
logically, reasoning about what information you are looking for, and then
constructing search filters to suit your requirements. Our example was very
basic as it did not require any conversions or decryption, but again, the same
principles would apply.

References
• Wireshark Tutorial.pdf
• https://www.wireshark.org/docs
• https://youtu.be/TkCSr30UojM
• https://www.wireshark.org/downloads
