Wireshark
Daniel Compton, Auburn University
Auburn University Information Assurance Center
www.eng.auburn.edu/users/hamilton/security/

Overview
• Wireshark Overview
  – General Overview and Uses
  – GUI Introduction
• Wireshark Exercise 1: Reading HTTP Traffic from a PCAP File
• Wireshark Exercise 2: Extracting Images from a PCAP File
• Defeating Wireshark
• Conclusion

Wireshark Overview
• Wireshark (originally Ethereal) is an open source packet analyzer.
• Packets can be captured and analyzed on a live network, or saved in PCAP format (Wireshark's default save format is the newer pcapng, which it reads as well) for later analysis.
• Useful for network troubleshooting, software and communications protocol development, malware/digital forensics, and education.
• Also used for network snooping and information gathering: the same tool that debugs a network lets anyone on that network read whatever is sent in the clear.

Wireshark Overview: GUI
• The capture interfaces panel lists the network cards available for capturing packets on the network.
• The IP address of each interface, the number of packets seen per second, and the total number of packets seen on that interface are displayed in the far right columns.

Wireshark Overview: GUI
• The capture options panel allows promiscuous mode to be enabled, so the card passes up frames that are not addressed to it. On a switched network this still shows only broadcast traffic and the host's own conversations; seeing other hosts' traffic requires a hub, a mirror (SPAN) port, a tap, or a shared medium such as Wi-Fi.
• Additionally, an output capture file can be selected in the Capture File(s) section.

Wireshark Overview: GUI
• Capture filters (BPF syntax, e.g. tcp port 80) restrict which packets are captured and written to the file; packets they exclude are never recorded. Display filters (e.g. http), typed into the Filter field above the packet list, only hide packets from view and are what the exercises below use.
Wireshark Overview: GUI
• In the sample capture shown, note the Time column for successive packets, along with the Protocol and Info columns.

Wireshark Exercise 1: HTTP Traffic
• A search on www.yahoo.com was performed, using the keywords "auburn information assurance group".
• A PCAP file containing all internet traffic captured while the Yahoo search was performed is located on the Desktop.
• Open Wireshark, click on File and Open.
• Click Desktop, click on the file "ia_http_cap.pcapng", and click Open.
• Type "http" in the Filter text field and press Enter.
• The filtered results include only packets Wireshark dissects as HTTP (requests, responses, and the final segment of each reassembled body); DNS, TLS and bare TCP segments are hidden, which narrows our search.
• To find the packet containing our Yahoo search:
  – Press Ctrl+F, choose String, and type "information" (search the packet bytes, not just the packet list, so the query string inside the request is matched).
  – Click Find.
• The packet containing our Yahoo search will be highlighted in the packet list. Its GET request carries the search terms in the URL in clear text: anyone able to capture this traffic can read what was searched for.

Wireshark Exercise 2: JPEG Extraction
• When images are transmitted over HTTP, they are split up into packets, which together form an HTTP stream.
• Objects (e.g. JPEG images) can be extracted from this stream with the object extraction tool, located under File, Export Objects, HTTP. Wireshark reassembles the TCP stream and lists each HTTP response body with its Content-Type.
• We begin by opening a PCAP file from the Desktop.
• Open Wireshark, click on File and Open.
• Click Desktop, click on the file "ia_img_cap.pcapng", and click Open.
• To extract the images retrieved during the browsing session, open the HTTP object list under File, Export Objects, HTTP.
• Scroll through the extracted objects to find Packet #533, which is an image/jpeg object.
• Select Desktop, type in the desired file name, and click Save.
• From the Desktop, double-click on the image file to view it.

Defeating Wireshark
• Wireshark gives anyone positioned to see your traffic (on the same hub, Wi-Fi network, mirror port or tap) an easy way to snoop on it.
• To help ensure data confidentiality, always use secure protocols such as HTTPS, so that your data is encrypted. A sniffer then still sees addresses, ports and the server name from the TLS handshake, but not the request, the response, or the images inside it.
• Never use unencrypted Wi-Fi without a VPN or similar service.
• Always ensure physical security over your network. Ethernet cables can be tapped.
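The following script does offline, in Python, what Exercise 1 and Exercise 2 do in the Wireshark GUI: the "http" display filter, the Find Packet string search, and File, Export Objects, HTTP (TCP stream reassembly followed by carving the response body). It is an added example and not code from these slides or from the Wireshark project. It reads and writes the classic PCAP format described in the overview (the slides' .pcapng files need Wireshark or a pcapng reader), and the capture it works on is constructed inline: the client and server addresses 192.168.1.10 and 203.0.113.5, the host name search.example, and the 53-byte stand-in for a JPEG are all hypothetical, so this is not the ia_http_cap or ia_img_cap capture.

```python
"""Added example (not code from the slides): a classic-pcap reader that does in Python what
Exercise 1 and 2 do in the Wireshark GUI: the 'http' display filter, Find Packet > String,
and File > Export Objects > HTTP. The capture it works on is constructed at the bottom."""
import struct

ETH_TYPE_IPV4, PROTO_TCP = 0x0800, 6
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"HTTP/")

def build_pcap(frames):
    """Serialize (ts_sec, ts_usec, frame) tuples as classic pcap, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (timestamp, frame) per record; the magic number tells us the writer's byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Ethernet -> IPv4 -> TCP. Returns addresses, ports, seq and payload, or None if not TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[(tcp[12] >> 4) * 4:]}

def is_http(pkt):
    """Approximates the 'http' display filter: port 80 and a payload that starts an HTTP message."""
    return pkt is not None and 80 in (pkt["sport"], pkt["dport"]) and pkt["payload"].startswith(HTTP_STARTS)

def http_packets(pcap):
    """Exercise 1, 'http' in the filter field: 1-based frame numbers that pass the filter."""
    return [n for n, (_, f) in enumerate(parse_pcap(pcap), 1) if is_http(decode(f))]

def find_string(pcap, needle):
    """Exercise 1, Ctrl+F with 'String' over packet bytes: frame numbers containing the needle."""
    return [n for n, (_, f) in enumerate(parse_pcap(pcap), 1) if needle in f]

def export_http_objects(pcap):
    """Exercise 2, File > Export Objects > HTTP: reassemble each server->client stream by sequence
    number, then carve every response body (Content-Length framing only; chunked bodies are skipped)."""
    streams = {}
    for _, frame in parse_pcap(pcap):
        p = decode(frame)
        if p and p["sport"] == 80 and p["payload"]:
            streams.setdefault((p["src"], p["dst"], p["dport"]), {}).setdefault(p["seq"], p["payload"])
    objects = []
    for segments in streams.values():
        data = b"".join(payload for _, payload in sorted(segments.items()))  # retransmits deduped by seq
        while data.startswith(b"HTTP/"):
            end = data.find(b"\r\n\r\n")
            if end < 0:
                break
            lines = data[:end].decode("latin-1").split("\r\n")[1:]
            fields = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
            length = int(fields.get("content-length", 0))
            body = data[end + 4:end + 4 + length]
            if len(body) < length:
                break  # capture ends mid-object; Wireshark would show a truncated body
            objects.append({"content_type": fields.get("content-type", ""), "body": body})
            data = data[end + 4 + length:]
    return objects

# ---- constructed sample capture: hypothetical addresses/host and a stand-in JPEG, not the slides' files ----
def make_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zero checksums (Wireshark flags them but still dissects)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_TYPE_IPV4) + ip + tcp

CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"  # SOI ... EOI markers only
REQUEST = b"GET /search?p=auburn+information+assurance+group HTTP/1.1\r\nHost: search.example\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % len(JPEG) + JPEG
CUT = len(RESPONSE) - 20  # the image spans two TCP segments, and they are captured out of order
SAMPLE_PCAP = build_pcap([
    (1, 0, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55\x08\x06" + b"\x00" * 28),  # an ARP frame: not HTTP
    (1, 100, make_frame(CLIENT, SERVER, 51000, 80, 1000, REQUEST)),
    (1, 200, make_frame(SERVER, CLIENT, 80, 51000, 5000 + CUT, RESPONSE[CUT:])),
    (1, 300, make_frame(SERVER, CLIENT, 80, 51000, 5000, RESPONSE[:CUT])),
])
```

Against the constructed capture, http_packets(SAMPLE_PCAP) returns [2, 4] (the GET and the first response segment; Wireshark would likewise list the ARP frame as ARP and the continuation segment as TCP), find_string(SAMPLE_PCAP, b"information") returns [2], and export_http_objects(SAMPLE_PCAP) returns one image/jpeg object whose body begins with the JPEG SOI marker ff d8 ff even though its two segments were captured out of order. Real captures add what this reader deliberately skips: IPv6, TCP options and retransmission edge cases, chunked or gzip-encoded bodies, and HTTP on ports other than 80, all of which Wireshark handles.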
Conclusion
• Wireshark is a useful tool with a wide range of malicious and non-malicious uses.
• Any unencrypted traffic sent on a given network can be sniffed by anyone positioned to see it; encryption, not the obscurity of the network, is what protects the contents.
• Ensure that you use secure protocols and/or a VPN service when interacting on questionable networks!