W3-1/3 Wireshark(7/9)
On Monday I was told to explore Wireshark and just
mess around with it to get a basic feel of the program. Wireshark sees a lot of
use throughout the computer science industry. It’s a free open source
cross-platform packet analyzer that is good at trouble shooting and actively
monitoring network traffic; it’s basically tcpdump with a GUI and some extra
bells & whistles. Due to it being free and easily accessible it is a
tempting tool for any user who needs to analyze packets. Thus, experience
with Wireshark can be quite useful on a resume and a good skill for anyone
doing network analysis. Wireshark is great to use for incidence response and
firewall testing. My previous post on application identification in network
traffic can easily be applied to Wireshark.
First a
user could check using a display filter command (tcp.port == 20 or tcp.port==21
or tcp.port == 23) for any traffic among those forbidden ports I mentioned
previously 20, 21, &23/tcp (FTP data, FTP, and Telnet). Notice that display
filters and capture filters are written differently and work differently.
Capture filters are not a dynamic feature and it must be set before the investigation
begins, as it will capture all incoming traffic to wherever it has been
commanded to. Whereas display filters are few just for viewing dynamically and
only affects what is displayed to the user. I think the thing I find most
convenient about the filter feature is that reserved ports usually have aliases
(e.g. tcp.port== 80 vs HTTP). This makes it easier to search filter critical
servers like SMTP, DNS, HTTP, etc. For example if you assumed there was a DDoS
attack you could check for external recursive queries via “udp port 53 and
(udp[10] & 1 == 1) and src net not X and src net not Y” (X and Y are
variables for specifying network addresses) or if you were check for DNS
amplification attacks you could check for large packets with something like “smtp.ip.len
<= 4000” (just a big number as an example). (udp[10] & 1 == 1) meaning
if udp index 10 address 1 is equal to 1. Since Wireshark is effectively
tcpdump it can also be used for banner grabbing of course. An analyst could
easily check for brute force attacks by looking for spamming of requests. An analyst
could also check any of the dark IPs on his network to make sure no traffic is
going through there.
For the most part
I just played around with the display filter and checked the critical and
obsolete ports. I also looked through all the detail options when looking
through a packet (e.g. making data displayed as raw or hex). I also tried to
familiarize myself with color code and the general tabs and buttons. I looked
through a few tutorials as well just to get a better idea of the software.
I find Wireshark
to be an easy software to use that can really help someone become more familiar
with network traffic in general. Its Argus-like versatility makes it a great
addition to any computer scientist’s tool box. I’m going to try to get
some additional practice with Wireshark. I really want to familiarize myself
with its application. I think it could be an invaluable skill to me in the
future. I think I will also try to familiarize myself with the programming
language it uses in its filters (Lua).
Comments
Post a Comment