Practical 17

Aim: To study Wireshark packet sniffing tool and understand it’s features.
Packet sniffing means intercepting data packets as they pass through a network, just like looking
inside envelopes in the mail. Experts use tools like Wireshark and tcpdump to track, troubleshoot,
or secure networks. The packet analyzer Wireshark, or just Shark for short, functions as a
magnifying glass; it captures and organizes the packets so you can gyrate over them looking for
bugs in order to squash those wicked computer programs. tcpdump is even faster than sharks at
grabbing data off of lines that run into walls. It doesn't have an interface but In general, packet
sniffing tools offer close monitoring of network data flow and protect networks.
Primary Terminologies
1. Packet
A packet is like a courier carrying data in two forms actual information being sent and very
important delivery instructions. It contains the soul of its message and is something like a return
address on an envelope. Just as a postal service ensures that the content of a letter and its address
remain separate for better processing and onward routing, dividing data from instructions
guarantees efficient delivery across networks.

2. Packet sniffing
Packet sniffing is a sort of digital investigator among computer networks. It can listen in on
conversations flowing across the network like a surveillance camera. It catches and records data
packets, giving a glimpse into what they contain to network managers and security experts. This
tool makes it easier to detect anomalies, fix network problems, and configure security
vulnerabilities. But it should remain subject to legal and ethical constraints, so as not to violate
the privacy rights of individuals or take data without authority.

3. Wireshark
Wireshark becomes the wizard's crystal ball, a way to examine in depth how computer networks
actually work. It decodes network protocols, capturing live data streams and translating them into
human-readable formats for troubleshooting and analysis. It offers a closer look at network
operations, like x-ray glasses for the digital world. But it should be used in a responsible, legal
manner; otherwise, the result could be uncontrolled data interception which infringes on
individuals 'privacy rights.

4. Tcpdump
Tcpdump is a digital detective inside computer systems, capturing and presenting real-time data
traffic in text commands. It is similar to observing traffic at an intersection in the sense that it
intercepts and displays data packets which are human-readable, making network problems easy to
identify. Although it does not have a graphical interface like Wireshark, its efficiency and speed
combined with the fact that is runs on Unix-based systems has made Tcpdump popular among
seasoned network professionals at least those who already know their way around transceivers.
Step-by-Step Process
Using Wireshark:
1. Download and Install Wireshark:
∙ Go to the Wireshark website to download the version that is compatible with your operating
system.
∙ Adhere to the website's installation instructions.
2. Begin Packet Capturing:
∙ Open Wireshark and choose the network interface from which to begin collecting packets.

∙ The display filter in Wireshark. The display filter in Wireshark's default configuration is a bar
that sits right above the column display. Here is where we enter expressions to narrow down
what we can see in a pcap file, be it Ethernet frames, IP packets, or TCP segments.
∙ There are several local interfaces available; please choose one.

∙ Press the Start button.

∙ In essence, you are recording and intercepting data packets as they pass through a network
interface when you capture packets.
3. Analyze Packets:
∙ Wireshark will show packets as they come through the chosen interface in real time. ∙ To limit
the packets that are shown based on parameters such as source, destination, protocol, etc., you
can apply filters.
Wireshark – Packet Capturing and Analyzing
Why sniff around?
If you have prior experience with securing systems, you can not emphasize enough the
importance of reconnaissance. And if you are new, just know that it is very important. Packet
sniffing is an
essential form of network recon as well as monitoring. It’s equally useful for students and IT
professionals.
Wireshark captures the data coming or going through the NICs on its device by using an
underlying packet capture library. By default, Wireshark captures on-device data only, but it can
capture almost all the data on its LAN if run in promiscuous mode. Currently, Wireshark uses
NMAP’s Packet Capture library(called npcap).
Assignment:
1. What Is Wireshark?

Wireshark is a widely-used, open-source network protocol analyzer that allows users to capture
and inspect the data packets traveling over a network in real-time. It provides detailed visibility
into the network's traffic, allowing network administrators, security professionals, and developers
to troubleshoot issues, analyze performance, and detect potential security vulnerabilities.

Key features of Wireshark include:

1. Packet Capture: Wireshark captures data packets from a network interface, providing a
detailed view of each packet's contents, including headers, protocols, and payloads.
2. Protocol Analysis: It supports a wide range of network protocols, allowing users to
analyze the behavior of protocols such as TCP, UDP, HTTP, DNS, and more, to
understand how data flows through the network.
3. Filtering and Search: Wireshark includes powerful filtering capabilities that enable users
to focus on specific types of traffic or protocol communications. Filters can be applied to
narrow down the analysis to particular IP addresses, ports, or packet types.
4. Real-Time Monitoring: Wireshark offers real-time packet analysis, enabling users to
observe live network traffic and identify issues such as bottlenecks, high latency, or
abnormal traffic patterns.
5. Exporting Data: Captured packets can be saved and exported in various formats for later
analysis, making it easy to share findings or document network behavior.

2. What Is Wireshark Used For?

Wireshark is primarily used for network analysis and troubleshooting. It allows users to capture
and examine network traffic in detail, providing insights into various aspects of network
performance, security, and functionality. Some of the key uses of Wireshark include:

1. Network Troubleshooting: Wireshark helps network administrators identify and resolve

connectivity issues, such as packet loss, high latency, and misconfigurations. By
analyzing captured packets, administrators can pinpoint the source of problems, whether
it's a faulty device, misconfigured network settings, or network congestion.
2. Protocol Analysis: Wireshark is capable of decoding a wide range of network protocols
(e.g., TCP, UDP, HTTP, DNS, ICMP), allowing users to understand how data is
transmitted and processed across the network. This helps in diagnosing issues related to
specific protocols, such as DNS resolution failures or HTTP errors.
3. Security Monitoring: Wireshark is useful for detecting network security issues, including
malicious traffic, unauthorized access attempts, or abnormal behavior. Security
professionals use it to monitor for potential intrusions, malware communications, or
vulnerabilities in the network.
 4. Network Performance Monitoring: By analyzing packet timing and flow, Wireshark
helps assess network performance. It can be used to measure response times, throughput,
and identify bottlenecks or delays in data transmission.
5. Compliance and Forensics: Wireshark can be used in network forensics to investigate
past network events or in compliance audits to ensure that network traffic adheres to
organizational policies and regulatory requirements.
6. Learning and Education: It is widely used in educational environments to teach network
protocols, troubleshooting, and security. By visualizing packet-level data, students and
professionals can better understand how networking works.

3. What are the features of Wireshark?

Wireshark is a robust network protocol analyzer with a variety of features designed to capture,
analyze, and troubleshoot network traffic. Its key features include:

1. Packet Capture: Wireshark can capture live data packets from a network interface,
providing a real-time view of network activity.
2. Protocol Analysis: It supports hundreds of protocols and can decode traffic for detailed
examination. This includes common protocols like TCP, UDP, HTTP, DNS, and
specialized ones.
3. Filtering and Search: Wireshark offers powerful display and capture filters, enabling
users to focus on specific traffic based on criteria such as IP addresses, protocols, or ports.
4. Packet Inspection: Each packet captured can be analyzed in detail, including its headers,
payloads, and protocol-specific details, allowing for in-depth troubleshooting.
5. Real-Time Monitoring: Users can monitor network traffic live, which helps detect
problems such as latency, packet loss, or unusual traffic patterns as they occur.
6. Graphical Visualization: Wireshark provides visual tools like flow graphs and I/O
graphs to help interpret traffic patterns, detect anomalies, and identify bottlenecks.
7. Export and Save: Captured data can be saved in various formats (e.g., .pcap) for further
analysis or reporting and can be shared with team members for collaborative
troubleshooting.
8. Cross-Platform Support: Wireshark is available on multiple platforms, including
Windows, macOS, and Linux, making it accessible for various users.
9. Extensive Customization: It allows for customization through filters, coloring rules, and
plugins to adapt to specific network analysis needs.
10. Expert Info: Wireshark provides an “Expert Info” feature that highlights potential
problems like retransmissions, protocol errors, and malformed packets, simplifying the
troubleshooting process.
11. Open-Source and Free: Being open-source, Wireshark is freely available and benefits
from continuous community-driven updates and enhancements.