Wireshark is a free, open source network packet analyzer, one of the best available, that presents captured packet data in as much detail as possible. It is a cross-platform tool available for Linux, Windows and macOS. It is widely used for troubleshooting network problems and also for examining security problems, for example malware traffic analysis during digital incident response.
Click on https://www.wireshark.org/download.html to download for Windows, Linux or Mac.
After downloading the software, install it and run it as administrator.
Choose the network interface on which you want to capture traffic. To choose WiFi as my network medium, simply click on the WiFi option in the Wireshark screen as below.
The Wireshark UI consists of four main areas:
- Display filter
- Column display
- Frame details
- Hexadecimal view
Although the default column display of Wireshark is good, we customize it according to our specific needs for network traffic analysis.
Customizing the column display involves the following steps:
- Hiding columns
- Removing columns
- Adding columns
- Changing time to UTC
The columns we usually require in the Wireshark display are:
- Date & time in UTC
- Source IP and source port
- Destination IP and destination port
- HTTP host
- HTTPS server
Hiding columns which we don’t require:
Right-click on any of the column headers to bring up the column header menu. Then left-click any of the listed columns to uncheck them.
Removing columns which we don’t use:
To remove a column, right-click on the column header you want to remove. Then select “Remove this Column…” from the column header menu.
Adding new columns which we require:
Right-click on any of the column headers, then select “Column Preferences”. Scroll down; there is a plus sign to add new columns and a minus sign to remove columns. Click on the plus sign and a new entry appears, with the title “New Column” on the left and the type “Number” on the right.
Add 4 subsequent new columns, with their titles and types as below:
- New column “Source Port”, type “Src port (unresolved)”
- New column “Destination Port”, type “Dest port (unresolved)”
Drag “Source Port” under “Source” and drag “Destination Port” under “Destination”.
The final custom column preferences will look like below:
Changing time to UTC:
Go to the “Time Display Format” option in the View menu and change the value from “Seconds Since Beginning of Capture” to “UTC Date and Time”. Then change the resolution from “Automatic” to “Seconds”.
Display after custom column preferences and changing time to UTC:
Wireshark also allows us to add custom columns based on fields in the frame details window. We can add a “host” column for HTTP traffic and a “server name” column for HTTPS traffic. To do that, first we need to know what Wireshark display filters are.
Wireshark display filters
The Wireshark display filter bar is where you type expressions to filter the frames, IP packets, or TCP segments that Wireshark displays from a pcap. It helps us simplify our network capture by filtering out traffic we don’t want or need to examine.
An expression typed in the display filter bar results in either a red colored bar or a green colored bar:
Red colored bar: the expression is incorrect and is not accepted.
Green colored bar: the expression is correct and is accepted.
Some useful Wireshark display filters are as follows:
To filter only HTTP network traffic: http.request
To filter only HTTPS network traffic: ssl.handshake.type == 1
To filter both HTTP and HTTPS network traffic: http.request or ssl.handshake.type == 1
To filter both HTTP and HTTPS network traffic, excluding traffic over UDP port 1900 (Simple Service Discovery Protocol):
(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)
OR (http.request or ssl.handshake.type == 1) and !(ssdp)
!(udp.port eq 1900) is the same as !(ssdp)
UDP port 1900: this is the Simple Service Discovery Protocol (SSDP), used to discover Plug & Play devices such as printers and other pluggable network accessories.
To find domains used in HTTP traffic, use the Wireshark filter http.request and examine the frame details window. Expand the line titled “Hypertext Transfer Protocol” in the frame details window. Scroll down and select “Host”. Right-click on the “Host” line and choose “Apply as Column”.
To find domains used in HTTPS traffic, use the Wireshark filter ssl.handshake.type == 1 and examine the frame details window. Expand the line titled “Secure Socket Layer” then expand “TLS record layer” and further expand “Handshake Protocol” in the frame details window.
Scroll down and expand the sequence of lines as below:
“Extension: server_name” > “Server Name Indication extension” > “Server Name:”
Right-click on the “Server Name:” line and choose “Apply as Column”.
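To show where the “Server Name” column comes from, here is an added example (not part of the original post) that parses a TLS ClientHello the same way the frame details tree does: it checks that the handshake type is 1 (the ssl.handshake.type == 1 filter above) and then walks the extensions to the server_name entry. The ClientHello bytes are constructed inline as sample input, not taken from a real capture.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension (sample input only)."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list          # ServerNameList
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                               # client_version, random (constructed)
            + b"\x00"                                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)             # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

def extract_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if it is not one / has no SNI."""
    if len(payload) < 9 or payload[0] != 0x16:                   # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    # ssl.handshake.type == 1 is what the display filter matches
    # (newer Wireshark versions name the same field tls.handshake.type)
    if not hs or hs[0] != 1:
        return None
    pos = 4 + 2 + 32                                              # handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len                         # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    cm_len = hs[pos]; pos += 1 + cm_len                           # compression methods
    if pos + 2 > len(hs):
        return None                                               # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:                                         # iterate "Extension:" entries
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:        # server_name, host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

SAMPLE_CLIENT_HELLO = build_client_hello("example.com")          # constructed sample, not a real capture

if __name__ == "__main__":
    print(extract_sni(SAMPLE_CLIENT_HELLO))
```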
Final output with “host” and “server name” columns added, using the (http.request or ssl.handshake.type == 1) display filter, is as shown below:
Final output with “host” and “server name” columns added, using the (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900) display filter, is as shown below: