Wireshark Tips and Tricks
If you were tasked to put together a forensic toolkit with 25 tools or fewer, chances are Wireshark would be one of those tools, especially if you planned on dealing with packet captures. Because it is free, open source, and cross-platform, Wireshark makes a great packet capture and analysis tool for just about any forensic toolkit. Nevertheless, this staple tool has been around for so long (think back to the days of Ethereal) that we sometimes take it for granted. In this article we will explore a few tips and tricks that highlight why we like this tool so much.
Obtaining the software
This seems easy enough, right? Many Linux distributions come with Wireshark installed as a default package, and Windows has an easy point-and-click installer. But did you know there is a PortableApps release of Wireshark? How about a U3 release as well?
The PortableApps and U3 downloads allow you to run Wireshark from a USB stick without needing to install the software on the listening machine. Instead, when you insert the USB stick, you are good to go. There are some caveats, so be sure to read the fine print. In any event, this provides a flexible and portable option for running Wireshark on other machines.
Working with pcaps
Again, this is another topic that seems self-explanatory. However, when we teach classes on capturing and analyzing traffic we seem to get this question: “I have several interfaces, how do I know on which interface to listen?” The reason for this question stems from the main screen, which allows users to select an interface but does not show which interface(s) are seeing traffic. The workaround is to click Capture → Interfaces. This menu option shows you the interfaces in real time so you can see which are live and receiving traffic.
Opening pcaps that were saved or created in other programs is as easy as dragging and dropping them into Wireshark, but did you know you can easily merge pcaps by doing the same thing? By default, dragging and dropping multiple pcaps into Wireshark will cause it to merge the pcaps chronologically. You can also merge pcaps by going to File → Merge, where you can select different options to merge the pcaps (prepend, append, or chronologically). This is useful if you collect from multiple sensors or interfaces and want to see the complete picture.
Need a few pcaps to work with? How about viewing some more interesting protocols than what is most likely found on your home network? The wiki at Wireshark.org has lots of pcaps to pick and choose from: http://wiki.wireshark.org/SampleCaptures.
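The chronological merge that Wireshark performs when several files are dropped onto it is easy to reproduce outside the GUI, which helps when you have dozens of sensor captures. The Python below is an added example written for this article, not Wireshark code (Wireshark ships its own command-line tool, mergecap, for the same job). It reads and writes the classic libpcap container (24-byte global header, 16-byte record headers) and merges any number of captures by record timestamp, with the prepend and append variants from File → Merge; the two "sensor" captures in the demo are constructed inline rather than captured.

```python
"""Merge pcap files chronologically, like Wireshark's drag-and-drop / File -> Merge.

Added example for this article, not code from the Wireshark project. Classic
libpcap format only: pcapng files would need a different reader.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian file, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1      # same format written big-endian
LINKTYPE_ETHERNET = 1


def write_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, payload) records into a little-endian pcap blob."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, data in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap blob; returns (linktype, [(ts_sec, ts_usec, payload), ...])."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    linktype, = struct.unpack_from(endian + "I", blob, 20)
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated record at offset %d" % (off - 16))
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def merge_pcaps(blobs, mode="chronological"):
    """Merge captures the three ways File -> Merge offers.

    blobs[0] plays the role of the file already open in Wireshark; the rest are the
    files being merged in. 'prepend' puts their packets before it, 'append' after it,
    and 'chronological' interleaves everything by timestamp (the drag-and-drop default).
    All inputs must share one link type, since a classic pcap file can carry only one.
    """
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types: %r" % linktypes)
    if mode == "chronological":
        records = sorted((r for _, recs in parsed for r in recs), key=lambda r: (r[0], r[1]))
    elif mode == "append":
        records = [r for _, recs in parsed for r in recs]
    elif mode == "prepend":
        records = [r for _, recs in reversed(parsed) for r in recs]
    else:
        raise ValueError("unknown merge mode %r" % mode)
    return write_pcap(records, linktypes.pop())


def demo():
    """Two constructed sensor captures with interleaved timestamps; payloads are
    placeholder bytes rather than real frames, which is enough to show the ordering."""
    sensor_a = write_pcap([(1000, 0, b"A1"), (1002, 0, b"A2")])
    sensor_b = write_pcap([(1001, 500, b"B1"), (1003, 0, b"B2")])
    merged = merge_pcaps([sensor_a, sensor_b])
    return [payload for _, _, payload in read_pcap(merged)[1]]


if __name__ == "__main__":
    print(demo())   # [b'A1', b'B1', b'A2', b'B2']
```

The reader checks the magic number and the record length against the file size, so a truncated or non-pcap input fails loudly instead of producing a silently short merge; that matters when the merged file is going to be treated as evidence.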
Display filters
Since traffic on a busy pipe can be overwhelming, Wireshark provides the capability to use capture and display filters. However, in most cases, for troubleshooting or quick analysis it is best to capture unfiltered traffic and then identify packets of interest using display filters. It is inevitable though that sooner or later you will have to learn a few basic display filters. Start off with easy ones such as the following:
The simple filters above should be enough to meet most basic requirements; however, if a more complex display filter is needed, the Wireshark Expression button is very helpful. It is located right next to the display filter field and acts as a sort of wizard for building display filters.
You can also check out this page for more good ideas: http://wiki.wireshark.org/DisplayFilters.
High to low level
At times you may be given a pcap with no background knowledge about the protocols or data captured. One of the easiest ways to gain a quick understanding of the situation is by using Wireshark’s statistics features. Our favorite option for drilling down on protocols is Statistics → Protocol Hierarchy.
Not only does this give you an excellent OSI breakdown, but you can right-click on a protocol to apply a filter and look at only those packets of interest.
Extracting files
There are plenty of methods/tools to extract files from a pcap, including foremost (http://foremost.sourceforge.net) and Network Miner (http://sourceforge.net/projects/networkminer); however, Wireshark can also be used to extract files. Some would say that you have to follow the stream and export raw bytes to extract a file. While this is one possible method, depending on the protocol you may still have to use a hex editor to clean up the resulting file. Wireshark can extract objects from supported protocols by using File → Export Objects → <Protocol>. In our example, we are exporting from HTTP, which is very common. It makes exporting binaries, zip files, images, and even JavaScript and applets easy.
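The two features just described, the Protocol Hierarchy statistics and the HTTP object export, both rest on the same work: decoding each frame's protocol stack and, for HTTP, reassembling the TCP stream so that an object split across segments (or partly retransmitted) comes out whole rather than needing a hex editor afterwards. The Python below is an added example for this article, not Wireshark's code, and it is deliberately narrow: Ethernet, IPv4, TCP/UDP and Content-Length framed HTTP/1.x responses only (no IPv6, no chunked encoding). The frames it analyzes are constructed inline, with zero MAC addresses and checksums, and the addresses 10.0.0.5 and 192.0.2.10 are made up for the demo.

```python
import struct
from collections import Counter, defaultdict

# Added example, not Wireshark code: protocol hierarchy counts and HTTP object export
# over constructed Ethernet/IPv4/TCP frames. Checksums are left zero in the samples.
ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


def parse_frame(frame):
    """Return (protocol_path, tcp_data) for one frame; tcp_data is
    ((src_ip, sport), (dst_ip, dport), seq, payload), or None when the frame carries no TCP data."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return ("eth",), None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]                      # honour IP total length, not frame padding
    if proto == PROTO_UDP:
        return ("eth", "ip", "udp"), None
    if proto != PROTO_TCP:
        return ("eth", "ip"), None
    sport, dport, seq = struct.unpack_from("!HHI", l4, 0)
    payload = l4[(l4[12] >> 4) * 4:]            # data offset is the high nibble of byte 12
    path = ("eth", "ip", "tcp", "http") if payload and 80 in (sport, dport) else ("eth", "ip", "tcp")
    return path, (((src, sport), (dst, dport), seq, payload) if payload else None)


def protocol_hierarchy(frames):
    """Statistics -> Protocol Hierarchy: a frame counts once at every level of its stack."""
    counts = Counter()
    for frame in frames:
        path, _ = parse_frame(frame)
        for depth in range(1, len(path) + 1):
            counts[path[:depth]] += 1
    return counts


def reassemble_tcp(frames):
    """Reassemble each one-way TCP flow by sequence number, dropping retransmitted bytes."""
    flows = defaultdict(list)
    for frame in frames:
        _, info = parse_frame(frame)
        if info:
            src, dst, seq, payload = info
            flows[(src, dst)].append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        segs.sort()
        data, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq > expected:
                raise ValueError("gap in %r at seq %d" % (flow, expected))
            payload = payload[expected - seq:]  # skip bytes already seen (overlap / retransmit)
            data += payload
            expected += len(payload)
        streams[flow] = bytes(data)
    return streams


def export_http_objects(frames):
    """File -> Export Objects -> HTTP for Content-Length framed responses.
    Returns [(server_ip, content_type, body)]; chunked transfer encoding is not handled."""
    objects = []
    for (src, _dst), stream in reassemble_tcp(frames).items():
        if src[1] != 80 or not stream.startswith(b"HTTP/1."):
            continue
        while stream:
            head, sep, rest = stream.partition(b"\r\n\r\n")
            if not sep:
                break
            headers = {}
            for line in head.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                headers[name.strip().lower()] = value.strip()
            length = int(headers.get(b"content-length", b"0"))
            body, stream = rest[:length], rest[length:]
            if len(body) < length:
                raise ValueError("truncated object from %s" % src[0])
            objects.append((src[0], headers.get(b"content-type", b"").decode(), body))
    return objects


def build_frame(src_ip, dst_ip, proto, l4):
    """Constructed Ethernet/IPv4 frame around an L4 segment (zero MACs and checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4


def tcp_segment(sport, dport, seq, payload):
    """Constructed 20-byte TCP header (PSH/ACK, no options) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def sample_frames():
    """Constructed traffic: one UDP datagram, an HTTP GET, and a GIF response split
    across two segments that arrive out of order, with the first one retransmitted."""
    client, server = ("10.0.0.5", 51234), ("192.0.2.10", 80)
    body = b"GIF89a-constructed-image-bytes"
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n" % len(body)
    first, second = (headers + body)[:40], (headers + body)[40:]

    def from_server(seq, data):
        return build_frame(server[0], client[0], PROTO_TCP, tcp_segment(server[1], client[1], seq, data))

    return [
        build_frame(client[0], "10.0.0.1", PROTO_UDP, struct.pack("!HHHH", 53000, 53, 20, 0) + b"\x00" * 12),
        build_frame(client[0], server[0], PROTO_TCP,
                    tcp_segment(client[1], server[1], 100, b"GET /logo.gif HTTP/1.1\r\nHost: example\r\n\r\n")),
        from_server(5040, second),   # second half arrives before the first
        from_server(5000, first),
        from_server(5000, first),    # retransmission of the first half
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for path, n in sorted(protocol_hierarchy(frames).items()):
        print("  " * (len(path) - 1) + path[-1], n)
    for server_ip, ctype, data in export_http_objects(frames):
        print(server_ip, ctype, len(data), "bytes, starts with", data[:6])
```

Two details carry over to real captures: the hierarchy counts every frame once at each level (so `ip` equals the sum of its children only when nothing below it is unrecognised), and the reassembly refuses to emit an object when a segment is missing rather than exporting a silently corrupt file, which is the case where following the stream and hand-cleaning in a hex editor would otherwise be tempting.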
Generating firewall rules
Lastly, an interesting feature of Wireshark is that it can generate firewall rules (for different vendors) so you can prevent further unwanted traffic from traversing your network boundary. Just select a packet of interest and click Tools → Firewall ACL Rules. The product drop-down allows you to select from the following vendors:
• Cisco IOS (standard)
• Cisco IOS (extended)
• IP Filter (ipfilter)
• IPFirewall (ipfw)
• Netfilter (iptables)
• Packet Filter (pf)
• Windows Firewall (netsh)
Then select the IP address of interest, whether the rule applies inbound or outbound, and whether you want to deny or permit the traffic.