Basic intro to network sniffers and WireShark

If you haven’t spent any time with network or server infrastructure, you may not have a deep understanding of how networks actually communicate information. Although it may seem complicated, it’s not really – it’s just tedious. If you learn the basics of how data is transmitted, that can start to reveal some interesting aspects of data security too.

Where do we start? Well, first we need some software. The “protocol analyzer”, or “network sniffer” software that is currently popular is WireShark. You can get it for free from here: https://www.wireshark.org/

Once you install and run it (it must be run as Administrator), it will start showing you a crazy list of things.

So, what is this craziness and why should I care?

Well, this can be useful for a few reasons – but first, let’s start off with what this is. Your network is kind of like the streets in your neighborhood. Normally, you only answer the door or look out front if someone rings your doorbell. This is how network cards work: as traffic goes by, the card ignores it unless it is addressed to your machine.

When you use a protocol analyzer like WireShark, it puts your card in “promiscuous mode”. This means that instead of ignoring packets that aren’t addressed to you – it actually looks at EVERY packet that travels past your network card.

This means that your network card can monitor all the traffic on your segment (your street, to continue the metaphor from above). That is what you are seeing on this screen – all the network packets that are traveling across your network – decoded from raw bytes, into something semi-meaningful.
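To make “decoded from raw bytes into something semi-meaningful” concrete, here is a small decoder for one common frame shape, Ethernet → IPv4 → UDP → DNS question. This is an added example, not code from the post or from the Wireshark project; the frame it parses is constructed inline (a made-up DNS query for www.bing.com, with made-up MAC and private addresses) rather than taken from a real capture. The keys in the result use Wireshark’s own field names (eth.src, ip.src, udp.dstport, dns.qry.name) so you can compare with what the packet details pane shows.

```python
import struct


def mac_str(mac: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in mac)


def dns_qname(payload: bytes) -> str:
    """Read the first question name out of a DNS message.

    The 12-byte DNS header is skipped; the name follows as a series of
    length-prefixed labels terminated by a zero byte.
    """
    pos = 12
    labels = []
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not appear in the first question name.
            raise ValueError("unexpected compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> UDP -> DNS from raw bytes, as far as it goes."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth.dst": mac_str(dst_mac), "eth.src": mac_str(src_mac), "eth.type": hex(ethertype)}
    if ethertype != 0x0800:
        return out  # not IPv4 (e.g. ARP); leave the upper layers undecoded

    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    out["ip.src"] = ".".join(str(b) for b in ip[12:16])
    out["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    out["ip.proto"] = proto
    if proto != 17:
        return out  # not UDP; TCP etc. would need their own decoder

    udp = ip[ihl:total_len]
    sport, dport, ulen, _checksum = struct.unpack("!HHHH", udp[:8])
    out["udp.srcport"], out["udp.dstport"] = sport, dport
    payload = udp[8:ulen]
    if 53 in (sport, dport):
        out["dns.qry.name"] = dns_qname(payload)
    return out


def build_sample_frame() -> bytes:
    """Constructed sample frame (not a real capture): a DNS A query for www.bing.com
    from 192.168.1.10 to a router at 192.168.1.1."""
    qname = b"".join(bytes([len(l)]) + l for l in (b"www", b"bing", b"com")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 54321, 53, udp_len, 0) + dns          # checksum left 0 for the demo
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip


if __name__ == "__main__":
    for field, value in parse_frame(build_sample_frame()).items():
        print(f"{field:14} {value}")
```

Every layer is just fixed offsets and big-endian integers; Wireshark does exactly this for hundreds of protocols, which is why its output looks overwhelming at first and tedious rather than complicated once you know the headers.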

There are two immediate ways this is useful: 1) seeing what is going on in your network and 2) understanding the security risk of using public Wi-Fi.

Monitoring Your Network:
I kept hearing my other computer’s hard drive go crazy. Nothing unusual seemed to be going on on the machine itself, so I brought up WireShark and started watching network traffic going to and from JUST that machine. After looking up some IP addresses, it turned out the computer was just downloading some updates.

By the way, in WireShark you can right-click on most things and choose “Apply as Filter” to exclude traffic you already recognize. For example, I may want to exclude all DNS lookups, since I don’t care about those. To keep building up the filter and remove more and more “noise”, keep right-clicking on items (protocol, source address, destination address, etc.) and choose Apply as Filter –> “…and not Selected”, which appends that exclusion to the filter you already have.

Once you have filtered out much of the “noise”, the capture will be much more useful to you. If you don’t know what things are, look them up! If you see a source or destination address that you don’t recognize, type “tracert 223.202.36.46” from the command line. This command shows all the routers between you and that foreign address, which can help narrow down who that address belongs to. Or you can use web tools like http://ipaddress.is/ to gather more details.
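The “…and not Selected” workflow builds a display filter one exclusion at a time. The added example below (my code, not the post’s or Wireshark’s) reproduces that build-up on a handful of constructed packet summaries, prints the resulting Wireshark filter string, and then lists the remaining non-local addresses as the “look these up” list the paragraph describes. It also shows one caveat worth knowing: `ip.addr != X` is not the same as `!(ip.addr == X)`, because a packet has two addresses and `!=` is true as soon as either differs, so the menu item correctly generates the `!(…)` form. The addresses are made up (RFC 5737 documentation ranges plus the 223.202.36.46 address quoted in the post); the local network 192.168.1.0/24 is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries shaped like Wireshark's packet-list columns.
# These are invented for the example, not a real capture.
SAMPLE_PACKETS = [
    {"no": 1, "proto": "dns",  "ip.src": "192.168.1.10",  "ip.dst": "192.168.1.1"},
    {"no": 2, "proto": "dns",  "ip.src": "192.168.1.1",   "ip.dst": "192.168.1.10"},
    {"no": 3, "proto": "tcp",  "ip.src": "192.168.1.10",  "ip.dst": "198.51.100.7"},
    {"no": 4, "proto": "tcp",  "ip.src": "198.51.100.7",  "ip.dst": "192.168.1.10"},
    {"no": 5, "proto": "arp",  "ip.src": None,            "ip.dst": None},
    {"no": 6, "proto": "tcp",  "ip.src": "192.168.1.10",  "ip.dst": "223.202.36.46"},
    {"no": 7, "proto": "ssdp", "ip.src": "192.168.1.20",  "ip.dst": "239.255.255.250"},
]


class NoiseFilter:
    """Accumulates exclusions the way repeated 'Apply as Filter -> ...and not Selected'
    does, and applies the same logic to packet summaries so the two can be compared."""

    def __init__(self):
        self.clauses = []  # (field, value); value None means "the protocol itself"

    def exclude(self, field, value=None):
        self.clauses.append((field, value))
        return self

    def display_filter(self) -> str:
        """The Wireshark display-filter string equivalent to the accumulated clauses."""
        parts = []
        for field, value in self.clauses:
            # A bare protocol name ("dns") matches any packet carrying that protocol.
            # For fields, negate the equality rather than writing "field != value".
            parts.append(f"!({field})" if value is None else f"!({field} == {value})")
        return " && ".join(parts)

    @staticmethod
    def _matches(pkt, field, value) -> bool:
        if value is None:
            return pkt["proto"] == field
        if field == "ip.addr":  # ip.addr is true for the source OR the destination
            return value in (pkt["ip.src"], pkt["ip.dst"])
        return pkt.get(field) == value

    def apply(self, packets):
        return [p for p in packets
                if not any(self._matches(p, f, v) for f, v in self.clauses)]


def naive_not_equal(packets, address):
    """Semantics of the tempting but wrong 'ip.addr != address' filter:
    it keeps a packet if EITHER address differs, so it hides almost nothing."""
    return [p for p in packets if p["ip.src"] != address or p["ip.dst"] != address]


def remote_addresses(packets, local_net="192.168.1.0/24") -> Counter:
    """Count the non-local, non-multicast addresses left after filtering:
    the ones to feed to tracert or a WHOIS/IP lookup site."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for p in packets:
        for key in ("ip.src", "ip.dst"):
            if p[key] is None:
                continue
            addr = ipaddress.ip_address(p[key])
            if addr not in net and not addr.is_multicast:
                counts[p[key]] += 1
    return counts


if __name__ == "__main__":
    f = NoiseFilter().exclude("dns").exclude("arp").exclude("ip.addr", "192.168.1.20")
    print("Display filter:", f.display_filter())
    remaining = f.apply(SAMPLE_PACKETS)
    print("Packets left:", [p["no"] for p in remaining])
    print("Addresses to look up:", dict(remote_addresses(remaining)))
    print("Kept by 'ip.addr != 192.168.1.20':", len(naive_not_equal(SAMPLE_PACKETS, "192.168.1.20")))
```

The filter string the class produces is valid Wireshark display-filter syntax and can be pasted straight into the filter bar of a live capture.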

The Dangers of Public Wi-Fi:
This is important from a security standpoint. Knowing what you know now – how would you feel about using public Wi-Fi?

What if someone at your McDonald’s, Starbucks, or Panera Bread is running WireShark in the background? They would pick up the network traffic of EVERYONE using the Wi-Fi there. I opened up www.bing.com and typed in “what is wireshark”, and here’s what I was able to capture in WireShark:


This becomes a problem when you think of how much information is NOT sent over SSL. For example, many mail providers still don’t require encryption when you send your credentials. Why is that important?
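The practical way to act on this at home is to audit your own capture for mail clients that still log in without encryption, then move them to TLS (IMAPS/POP3S/submission over TLS, or STARTTLS). The added example below is my code, not the post’s or any tool’s: it takes client-to-server text from reassembled TCP streams on the traditional mail ports (a dict keyed by a stream id and port, an assumed shape, not a Wireshark API), flags the POP3 `USER`/`PASS`, IMAP `LOGIN` and SMTP `AUTH PLAIN`/`AUTH LOGIN` commands that carry a credential in the clear, and ignores anything after `STARTTLS` since those bytes are encrypted on the wire. It records only which command was seen, never the secret. The streams are constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "stream port protocol command")

# Ports on which mail clients traditionally send credentials in the clear
# unless STARTTLS is negotiated first.
CLEARTEXT_MAIL_PORTS = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}

# Client command shapes that carry a credential; the secret itself is not captured.
PATTERNS = {
    "pop3": re.compile(r"^(?P<cmd>USER|PASS)\b", re.I),
    "imap": re.compile(r"^\S+\s+(?P<cmd>LOGIN)\b", re.I),          # "a001 LOGIN user pass"
    "smtp": re.compile(r"^(?P<cmd>AUTH\s+(?:PLAIN|LOGIN))\b", re.I),
}
# STARTTLS is bare in SMTP/POP3 ("STLS" in POP3) and tagged in IMAP ("a002 STARTTLS").
STARTTLS = re.compile(r"^(?:\S+\s+)?(?:STARTTLS|STLS)\b", re.I)

# Constructed sample streams (not a real capture): {(stream_id, server_port): client lines}
SAMPLE_STREAMS = {
    (0, 110): ["USER alice@example.net", "PASS <constructed-secret>", "STAT"],
    (1, 143): ["a001 CAPABILITY", "a002 STARTTLS"],   # after this the wire is TLS, opaque to us
    (2, 587): ["EHLO laptop", "AUTH PLAIN <constructed-base64-blob>", "MAIL FROM:<alice@example.net>"],
    (3, 143): ["a001 LOGIN alice@example.net <constructed-secret>"],
    (4, 443): ["<binary TLS record, not text>"],       # not a mail port, skipped
}


def audit_streams(streams) -> list:
    """Return a Finding for every credential-bearing command sent in the clear.

    Only client->server text on the mail ports above is inspected, and inspection
    of a stream stops at STARTTLS because later bytes are encrypted anyway.
    """
    findings = []
    for (stream_id, port), lines in streams.items():
        proto = CLEARTEXT_MAIL_PORTS.get(port)
        if proto is None:
            continue
        pattern = PATTERNS[proto]
        for line in lines:
            if STARTTLS.match(line):
                break
            m = pattern.match(line)
            if m:
                command = re.sub(r"\s+", " ", m.group("cmd").upper())
                findings.append(Finding(stream_id, port, proto, command))
    return findings


def summarize(findings) -> dict:
    """Group findings by protocol so the report says what needs fixing, not what was typed."""
    report = {}
    for f in findings:
        report.setdefault(f.protocol, set()).add(f.stream)
    return {proto: sorted(streams) for proto, streams in report.items()}


if __name__ == "__main__":
    found = audit_streams(SAMPLE_STREAMS)
    for f in found:
        print(f"stream {f.stream} port {f.port}: cleartext {f.protocol.upper()} {f.command}")
    print("Streams needing TLS, by protocol:", summarize(found))
```

Run against your own home capture this gives you a short list of devices or clients to reconfigure; the same commands are what anyone sniffing an open hotspot would see, which is the point the post is making.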

The Vulnerability of E-mail:
If your e-mail is compromised, much of your digital life is compromised. Social media sites and financial institutions alike let you reset your password by sending you an e-mail. So, if I have access to your e-mail (and immediately change the password to lock you out), I can now attempt to ‘reset my password’ on every site I can think of. This can give me access to almost all of your electronic data within several minutes, all while you are locked out.

So, the point of this post is to encourage you to dabble with WireShark on your home network to get a feel for what is actually going on. And secondly, to understand that these tools are free and pretty easy to use, and that they can be (and are) used at public Wi-Fi hotspots to gather identity and digital information – so be careful!

Posted in Cloud Computing, Computers and Internet, Infrastructure, Professional Development, Security, Uncategorized
