W3-1/3 Wireshark(7/9)


   On Monday I was told to explore Wireshark and just mess around with it to get a basic feel of the program. Wireshark sees a lot of use throughout the computer science industry. It’s a free open source cross-platform packet analyzer that is good at trouble shooting and actively monitoring network traffic; it’s basically tcpdump with a GUI and some extra bells & whistles. Due to it being free and easily accessible it is a tempting tool for any user who needs to analyze packets.  Thus, experience with Wireshark can be quite useful on a resume and a good skill for anyone doing network analysis. Wireshark is great to use for incidence response and firewall testing. My previous post on application identification in network traffic can easily be applied to Wireshark.

     First a user could check using a display filter command (tcp.port == 20 or tcp.port==21 or tcp.port == 23) for any traffic among those forbidden ports I mentioned previously 20, 21, &23/tcp (FTP data, FTP, and Telnet). Notice that display filters and capture filters are written differently and work differently. Capture filters are not a dynamic feature and it must be set before the investigation begins, as it will capture all incoming traffic to wherever it has been commanded to. Whereas display filters are few just for viewing dynamically and only affects what is displayed to the user. I think the thing I find most convenient about the filter feature is that reserved ports usually have aliases (e.g. tcp.port== 80 vs HTTP). This makes it easier to search filter critical servers like SMTP, DNS, HTTP, etc. For example if you assumed there was a DDoS attack you could check for external recursive queries via “udp port 53 and (udp[10] & 1 == 1) and src net not X and src net not Y” (X and Y are variables for specifying network addresses) or if you were check for DNS amplification attacks you could check for large packets with something like “smtp.ip.len <= 4000” (just a big number as an example). (udp[10] & 1 == 1) meaning if udp index 10 address 1 is equal to 1.  Since Wireshark is effectively tcpdump it can also be used for banner grabbing of course. An analyst could easily check for brute force attacks by looking for spamming of requests. An analyst could also check any of the dark IPs on his network to make sure no traffic is going through there.

    For the most part I just played around with the display filter and checked the critical and obsolete ports. I also looked through all the detail options when looking through a packet (e.g. making data displayed as raw or hex). I also tried to familiarize myself with color code and the general tabs and buttons. I looked through a few tutorials as well just to get a better idea of the software.

   I find Wireshark to be an easy software to use that can really help someone become more familiar with network traffic in general. Its Argus-like versatility makes it a great addition to any computer scientist’s tool box.  I’m going to try to get some additional practice with Wireshark. I really want to familiarize myself with its application. I think it could be an invaluable skill to me in the future. I think I will also try to familiarize myself with the programming language it uses in its filters (Lua).


Comments

Popular posts from this blog

W7-2/3 On Being Prepared & Further Recommendations (8/11)

W2-2/3 Network Mapping (7/5)

W1-2/3 Prioritization (6/27)