Wireshark Basics
Security - Security Tools

Wireshark (formerly Ethereal)


It's a GUI-based tool that produces detailed, color-coded reports of network activity.

Install Wireshark with its graphical interface (on a yum-based system such as CentOS):
yum install wireshark-gnome

Each protocol that Wireshark monitors shows up as a different color. When you've captured all of the data you want to analyze, you can apply a user-defined display filter so that you see only what you want to see. You can filter by protocol, by source IP address, or by numerous other criteria. You can also save your captures for later reference.

In addition to the IP packet headers, Wireshark also lets you read the actual data payload being passed, including any plain-text data. That's why your network communications should be encrypted: an intruder could use Wireshark to gather any plain-text passwords that are passed back and forth, thereby gaining access to all of your resources.

[Screenshot: wireshark]

Here, you see a packet capture in progress. Note the graph bars that let you know what kind of packets you are capturing.

When you're through capturing traffic for your analysis, you may want to filter out certain items to look at. With Wireshark, you can choose to look at only a certain protocol, a certain IP address, or another criterion of your choosing.

[Screenshot: wireshark]


Here's the dialog box for choosing a filter.


[Screenshot: wireshark]

We've chosen to look at only the TCP packets this time.

[Screenshot: tcp]


Here's a CentOS machine listening to the BitTorrent transfer that's taking place on a Windows machine. To see another host's traffic like this, the capturing machine has to share that host's segment (through a hub, a mirror/SPAN port, or the same broadcast medium); on a plain switched network you would otherwise see only your own traffic and broadcasts.

[Screenshot: wireshark]

The monitoring tools that we've discussed can help you monitor security on either your computer or your network. They can also help you in other ways.

As a network administrator, you can use these tools to troubleshoot network problems. If someone complains about traffic on a certain segment of the network being too slow, you can use these tools to monitor that segment to find out where the problem is. Analysis of your packet captures could, for example, lead you to a router that's hung up and needs to be rebooted.

On the security side, these tools could help you identify the nature of an attack, and help lead you to the attacker.

Take another look at this picture, and you'll see a packet pattern that indicates that someone is performing a port probe of your machine: one source sending connection attempts to one port after another in quick succession. You'll also see the source IP address of that probe (bearing in mind that a source address can be forged, so treat it as a lead to confirm rather than as proof).

[Screenshot: wireshark]
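As an added example (not part of the original page and not from the Wireshark project), here is a small Python script that reads constructed tshark-style field output and flags the port-probe pattern described above: one source sending connection attempts (SYN without ACK) to many ports on one host within a short time. The tshark field names and the display-filter string are real Wireshark names; the sample addresses and the thresholds are assumptions.

```python
"""Flag a TCP port probe in tshark-style field output (added example).
Constructed input mimics: tshark -r cap.pcap -T fields -E separator=/t
  -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
"""
from collections import defaultdict

SYN_ONLY_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0"  # Wireshark display filter: connection attempts

# Constructed sample: 10.0.0.5 hits six ports on 10.0.0.20 in 1.4 s; 10.0.0.7 makes two normal connections.
SAMPLE = """\
0.000\t10.0.0.5\t10.0.0.20\t22\t1\t0
0.002\t10.0.0.20\t10.0.0.5\t51234\t1\t1
0.210\t10.0.0.5\t10.0.0.20\t23\t1\t0
0.480\t10.0.0.5\t10.0.0.20\t25\t1\t0
0.700\t10.0.0.7\t10.0.0.20\t80\t1\t0
0.910\t10.0.0.5\t10.0.0.20\t80\t1\t0
1.150\t10.0.0.5\t10.0.0.20\t443\t1\t0
1.400\t10.0.0.5\t10.0.0.20\t3306\t1\t0
2.300\t10.0.0.7\t10.0.0.20\t443\t1\t0
"""

def parse(text):
    """Yield (time, src, dst, dport, syn, ack); skip lines without a TCP port."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) == 6 and f[3]:
            yield float(f[0]), f[1], f[2], int(f[3]), f[4] == "1", f[5] == "1"

def find_probes(text, min_ports=5, window=10.0):
    """Return {(src, dst): sorted ports} for sources whose SYN-only packets reach
    at least min_ports distinct ports on one host within window seconds."""
    attempts = defaultdict(list)                 # (src, dst) -> [(time, port)]
    for t, src, dst, dport, syn, ack in parse(text):
        if syn and not ack:                      # same packets SYN_ONLY_FILTER selects
            attempts[(src, dst)].append((t, dport))
    probes = {}
    for key, hits in attempts.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):       # sliding window starting at each attempt
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                probes[key] = sorted(ports)
                break
    return probes

if __name__ == "__main__":
    for (src, dst), ports in find_probes(SAMPLE).items():
        print(f"port probe: {src} -> {dst} on ports {ports}")
```

The thresholds are deliberately loose; tune min_ports and window to the segment you monitor, and paste SYN_ONLY_FILTER into Wireshark's filter bar to see the same packets highlighted in the GUI.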