A detailed look at the Wireshark protocol analyzer
Greetings, In this article I want to discuss the other powerful tool a systems administrator should know about. It is called Wireshark (from Wireshark.org). Wireshark is in essence a sniffer, in that it can listen in on the packets on the wire and tell you whats what. Officially its called a protocol analyzer which is more true to its mission. In this article I want to share with you a few items of value about Wireshark, and why you should get to know this tool better.
I think that as technical people we get lulled into a dull sense of safety with tools, for example a reliance on a control panel tool that identifies bad guys by their actions and blocks their IP’s. This is for sure a good thing, but it is not the only thing. With tools like Wireshark, we can peer into the activity of our server and see what is going on at the packet level. A client some months ago came to JoomlaRescue.com and was having a problem with continually being hacked. We tracked it down to a compromised (vulnerable) FTP software that had allowed them in. However we found they were using FTP through the use of Wireshark.
This is important because if you were unfortunate enough to have a bad guy insert this INTO your network he could eavesdrop on everything you do. However – in this use case, it is being demonstrated as diagnostic tool.
For the purposes of this article I ran Wireshark on MY personal machine only. It was never allowed outside my network, so in other words, everything you see here came to my machine using normal, everyday browsing techniques.
When you first start Wireshark you’ll see a screen similar to this:
This start up screen will take you anywhere you need to go in the system. For our purposes where going to go to the top menu bar, select a ETHERNET interface on this machine and START CAPTURE.
Here is a RAW capture:
Given our limited screen size in this article its at best – an Eye Chart – however in the real use of this tool, I can see ALL packets originating from our being sent to this machine. As a for instance, if I were to type a CLEARTEXT password in and Wireshark were running, it would show the password to me. I think you can easily extrapolate the implications. However looking at eye charts is boring and tedious.
Let’s dive into a real example. For this article I started the Wireshark capture and visited Google.com. Here is a selection of a few packets.
From this trace snippet I see that Google is responding to my browsers request for information, providing different IP’s, so on. I can drill into ONE packet and see its contents. I chose the very bottom on – the CNAME youtube-ui.l.google.com A 220.127.116.11 line.
The partial contents of that packet contain:
As you can see if I were troubleshooting a connection to my server or a remote server, this will tell me immediately much of what I need to know. On the ‘good’ side of this tools use is troubleshooting bad packets, routing issues, ports bad on a switch, slow networks and much, much more. I have seen this tool used to track down bad ‘cables’ in a data center – [which was amazing to me that it was that sensitive]. This was typified by the damaged packets showing up in Wireshark. Replacing the cables fixed it.
After I reached Google – I searched for Joomla and was presented with several options, the first being Joomla.org. I selected the URL that Google offered and was sent very quickly to the Joomla website. My browser popped open with the Joomla home page, I browsed for some extensions and then closed the window. While showing everything that my computer (packet wise) saw is beyond the scope of this article, however here are a few items of interest.
Upon opening (early in the page load) I see that there are three sub-domains (more actually but..) presented to me community, resources and docs. If I were the admin and people were complaining they couldn’t see docs.joomla.org, I could use this to verify that the path TO the server is there. In this case, all is well.
In this packet snip, we see that as the page is loading, its referencing (to my browser) opensourcematters.org, rochenhost.com and mosets.com. Again, this is easy to discover simply by watching the web-page as it loads, however drilling into each packet for the purpose of troubleshooting is very, very valuable.
Here is the same packet, only enlarged for easier reading.
What our servers put out there as STANDARD PROTOCOL is often quite a bit of information. Our servers expose (refer back to my previous nmap articles, here and here) a LOT of information, and through the use of Wireshark, you can examine your own servers to determine whats what!
Another feature of Wireshark is taking the traces (the capture of packets) it produces and reconstructing a picture. In a forensics examination, or trying to track down something on a large network, this is a must have! There are millions of lines of traces in a busy network. Wireshark offers a feature that allows you to reconstruct the entire “conversation” between the client machine and the web server. Here is a reconstruction of my request between my machine and the website:
The top half is Google handing my browsers off to this server. I can see the ‘cookie’ that Joomla is placing on my browser, a bit about it’s web server and of course the very important, details needed for a web session to actually happen – the internals of the TCP/IP conversation. While this may not make great ice-breaker talk at a party, it is valuable if your server is having issues and you need a place to start.
Knowing at least the basics of Wireshark is very important if you have any management control over a server at all. Take some time to read a few basic tutorials on it. In my book Joomla! WebSecurity I cover Wireshark in more detail, and you can read the very comprehensive online documentation at Wireshark.org.
Remember – this tool is meant for GOOD, while it could be used for evil purposes it should never be. Use it ONLY for your network for its intended purpose.
Until next time stay safe and Merry Christmas!