Doing Useful Stuff with the Wireshark Network Analyzer

Anyone interested in network programming and general hackery will eventually come into contact with Wireshark.  This is because Wireshark is an insanely useful and well built tool for network analysis.  Essentially what Wireshark does is something called “packet sniffing”,  but to describe this very useful function requires that we understand just a little bit of background knowledge.

osi_model

The International Standards Organization/Open System Interconnection (ISO/OSI), better known as simply the “OSI model”, displays the seven theoretical levels of network organization. For more information click on this image.

Whenever you send data over a network there is a necessary and complex process of encoding additional meta-data (data that describes data) which is used by routers to determine how and where to send the data.  Furthermore, additional meta-data is needed to instruct the receiving computer on how to handle the data, such as displaying the data as a web page, or a flash video, etc. etc.  There is also meta-data and special protocols required to negotiate between the computer sending the data and the computer receiving, to make sure that the data intended to be sent was in fact sent, and how to go about sending that data.  It is not uncommon for there to be more additional meta-data generated on how to send data, than the actual data that the user intends to send!

However, I think it is better to leave the course in data networks to the far better educators at MIT, who can teach you this for free and much better than me!  Basically the point I’m trying to make is that when you send even a small message over a network, it requires a lot of additional data to describe it.  Obviously all of this data cannot be sent in one pass, because it would be a real strain on the network (AND WOULD BREAK THE INTERNETS).  Also, what would happen if you sent all that crap and it wound up getting lost along the way?  That would suck, right?  So basically your computer chops up all this data into multiple pieces called datagrams or more informally, packets.

Wireshark basically reads all the packets received by your computer’s NIC (Network Interface Card) and displays all the information in a well-organized form allowing you to monitor your computer’s communications with other computers on your LAN (Local Area Network) and the Internet.  Often this traffic is conversations between your computer and another computer on your network or a server on the internet, although it can also include broadcast transmissions such as ARP packets (Address Resolution Protocol).  These packets are sent out to all computers in a network, for example ARP packets are sent out so a computer can determine where another computer is on the network.  Not unlike a person entering an office and asking each person “Hey are you Bob?”, until they find Bob. Obviously computers are a lot more patient than people.  With wireless communication the medium requires that all communications are broadcast to all computers within the range of the wireless access point.

Typically your NIC drops the packets of any broadcast transmission not intended for your computer.  This can be changed by setting your NIC into promiscuous mode (or as I like to call it “whore mode”).  Whore mode is particularly useful on wireless networks as you can monitor all traffic between each computer on the network and the wireless access point.  This is why you should always be careful on unencrypted networks, because any unencrypted packets you send can be read by any dick with Wireshark.  Unfortunately, some of the more prudish OS’s, such as windows, do not support whore mode with some wifi NIC’s.

Wireshark_Icon

Wireshark. For when you need to find out how you broke your network or just because you want to be a dick at Starbucks but can’t bring yourself to pretend to write a screenplay.

With that out of the way, let’s crack open a wee bit of the shark and see what we can do with it.  You can download Wireshark binaries for Windows and Apple, as well as source code here.  With Linux you can either directly compile the source code or use a package manager such as yum or aptitude, although I’m pretty sure Linux users already know this.  The Wireshark page is a vast trough of information on all things Wireshark, and I’d recommend going there for Wireshark related questions.

So once you install Wireshark, you should be ready to go.  Now you need to start capturing packets, you can do this by going to capture -> interfaces.  At the menu you can see all the NIC’s present on your computer including two special interfaces “any” and “lo”.  As any suggests it captures traffic from all of your NIC’s at once which could come in handy if you want to sniff traffic on a wireless and wired network at the same time, among other possibilities.  Lo stands for “local” and doesn’t actually capture packets on the network.  Instead lo captures inter-process communications within your own computer, essentially allowing you to view programs talking to other programs on your local machine.  You can also set options such as capture filters which can be used to block out certain types of traffic that you aren’t interested in, which is a subject for it’s own post.

 Here is an example of where Wireshark can be used for good.  You know when you’re connecting to an encrypted wireless network and it gives you a bunch of options for authentication like PEAP, TLS, WTF, ETC?  I was having trouble connecting to my university’s (go Knights!) wireless network and wasn’t sure why it was being such a bitch.  This is what Wireshark does.

MAC Addresses redacted to protect me from the NSA.  Click the image to be directed to a page with this enlarged to readable size.

So, I started up Wireshark and started capturing network packets on my wireless card.  What you can see from the image to the left (when enlarged anyway) is my computer’s NIC (“TwinhanT”) attempting to negotiate my use of the university’s WPA encrypted network with the wireless access point (“Cisco_16:e7:12”).  As you can see by the packets marked “Failure”, my NIC is not having much success getting our friend Cisco to let us onto the network so we can be snarky on Facebook.  This shall not stand!

What is happening in this exchange is that TwinhanT and Cisco are trying to negotiate which authentication protocol to use.  The clue to what is going wrong can be seen in the “info” portion of packets numbers 3, 8, and 13; namely the “Request, PEAP”.  We only need to dig slightly deeper to find the problem.

Click the image to be directed to a page with this enlarged to readable size.

The reason for the aforementioned problem can be seen in the highlighted portion of the image to the right.  Basically, Cisco is all like, “Yo TwinhanT mang, I’m down with the PEAP let’s use that for authenticating our secret convo”.  However, TwinhanT is saying, “You know I’m really more into EAP-TTLS, myself”.  So then Cisco is all like, “NAH BRAH, REJECTED GTFO!!1!”.  Long story, short, I switched the authentication method to PEAP and everything was sunshine and puppies.

Pictured: sunshine, puppies, and the beginning of a beautiful friendship.

That pretty much wraps up what I hope was a useful introduction into what Wireshark is, and the good / evil that can be done with it.  If you fractured pieces of humanity in the screaming void of madness and trolls that people refer to as “the Internet” appreciated this rambling nonsense I would be more than happy to waste more of my time fabricating more rambling nonsense for you to jam into your dirty mind holes.  Please feel free to point out all the mistakes I made in this column and how much it sucks, but be forewarned that I will almost certainly ignore you.

Advertisements