
Using Wireshark to capture packets

Last updated on 13 February 2025

Introduction

Ever wondered what’s taking place when you connect a device to the internet? With Wireshark, we can capture and analyze the network packets sent and received by a device and/or across a network. This post is just a quick demonstration of some basic uses of Wireshark.

If you want to get hands-on too, download Wireshark from here!

Capturing live traffic

Upon opening Wireshark, you’ll be presented with a welcome screen that lets you choose an interface. Because Wireshark can listen to all traffic on a network that the specified interface is connected to (on a switched network, or on a WiFi adapter that is not in monitor mode, that is usually only the traffic to and from your own machine plus broadcasts), make sure you select the one that contains the device you want to observe. In many home network setups, you will only have one or two interfaces (wired and wireless) and should select the applicable one. For example, if you are on a desktop that has both, and you want to observe traffic involving your laptop on WiFi, choose the wireless interface.

Then, it should start recording the traffic that passes through this interface. For each packet you can see the Source/Destination addresses, the protocol used for communication, the logged packet number, the time the packet was captured, and a brief description. Pressing the ‘Stop’ button on the top toolbar will halt the collection process so you can more easily analyze what you have gathered.

Analyzing traffic

For analysis purposes, I’m moving over to a different packet capture file that we used during one of my courses at school.

Wireshark lets you sort and filter the traffic in numerous ways. For example, clicking the Protocol column header sorts the list by protocol, so all packets of one protocol are clumped together in one spot.

All like protocols are grouped together

Within certain packet protocols, you can try to discover information about the devices communicating with each other. For example, a DHCP packet can give you source and destination MAC addresses, the server hostname and OS, and the source hostname too. Other packets will give you less straightforward information, sometimes within the content of the packet itself. To view the content of an HTTP packet, you can right-click it, navigate down to the ‘Follow’ item, and select ‘TCP Stream’. Pictured below we have a TCP stream from an HTTP packet that helps us identify the OS of the device that is connecting to a website:

The TCP stream itself won’t specifically say what OS the client device is, but you can view the ‘User-Agent’ field to see what program is being used for the communication. In this example, Mozilla/4.0 (Firefox) is being used, and it is compatible with Windows NT 5.1. Windows NT 5.1 is the identifier for Windows XP!

Through the course of this assignment, we were tasked with finding the cause of bandwidth issues on a network. Most often, this will be a result of some program or device hogging all the bandwidth so the rest of the programs and users cannot use it and efficiently complete their work. When viewing TCP streams, I came across a packet that looked like it could be suspicious. You can see the information for ‘Host’ and ‘User-Agent’ which show that there was a cryptominer program (or, a cryptojacker if it is malware) that was making connections to a remote host.

Another powerful aspect of Wireshark is the display filter: the bar at the top of the packet list lets you show only the traffic you care about and hide everything else. For example, if we enter “ip.addr==188.173.32.149” into the bar, we only see packets that contain that IP address as source or destination, meaning we can see exactly how many packets are being sent to and received from this remote host.

Look at the size of that scrollbar on the right! There are a TON of packets involving this IP address. If you think of each packet as a transmission of information across a network, there is a huge amount of traffic to and from this remote address in comparison to other, legitimate traffic.
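The same filter and bandwidth comparison can be reproduced outside the GUI. The script below is an added example, not code from the post: it reads a classic pcap file, applies the ip.addr match (source or destination, which is what distinguishes ip.addr from ip.src) and totals bytes per endpoint, the numbers Wireshark shows under Statistics > Endpoints. The capture it parses is constructed inline; only the remote address 188.173.32.149 comes from the post, the other addresses are placeholders.

```python
import struct
from collections import Counter

def read_pcap(data):
    """Yield (original_length, frame_bytes) for each record in a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the writing host
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len

def ipv4_addrs(frame):
    """Return (src, dst) dotted IPv4 strings, or None if the frame is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def ip_addr_filter(data, host):
    """Same match as the display filter ip.addr==host: source OR destination."""
    return sum(1 for _, f in read_pcap(data) if host in (ipv4_addrs(f) or ()))

def bytes_per_endpoint(data):
    """Bytes on the wire per address, both directions (what Statistics > Endpoints shows)."""
    totals = Counter()
    for orig_len, frame in read_pcap(data):
        for addr in ipv4_addrs(frame) or ():
            totals[addr] += orig_len
    return totals

# Constructed sample capture: a chatty host next to ordinary browsing (placeholder addresses).
def _frame(src, dst, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([_frame("192.168.1.10", "188.173.32.149", 1400)] * 40
                    + [_frame("188.173.32.149", "192.168.1.10", 60)] * 40
                    + [_frame("192.168.1.20", "203.0.113.5", 500)] * 5
                    + [_frame("203.0.113.5", "192.168.1.20", 1400)] * 5)
if __name__ == "__main__":
    print(ip_addr_filter(SAMPLE_PCAP, "188.173.32.149"), bytes_per_endpoint(SAMPLE_PCAP).most_common(2))
```

Point read_pcap at the bytes of a real .pcap file (not pcapng) to rank the endpoints of your own capture; the payload byte counts are what matter for a bandwidth question, not the packet count alone.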

Conclusion

Because this is a school assignment, I cannot definitively make a conclusion here, but I think you can make your own conclusion about the cause of the bandwidth issue.

Regardless of any specifics, I hope this has helped clarify what Wireshark is, and some of the ways it can help you increase the security of your network! Thank you for reading.
