Viewing Network Communications with Wireshark
This is a summary of the steps required to capture network communications using the Wireshark tool in a VirtualBox lab environment. The lab uses a virtual machine (VM) created in VirtualBox with Kali Linux installed on it. Wireshark, a network packet analyzer [1], is one of the many tools that come preinstalled in the Kali Linux distribution. The figure below shows how to reach Wireshark from the Applications drop-down in Kali.
This paper provides:
- The steps followed to configure and launch Wireshark.
- Screen captures of captured IP packets.
- Screen captures of captured TCP segments.
- Screen captures of captured encrypted messages.
- A summary of how Wireshark can be used as an effective security tool.
Setup – VirtualBox, Kali Linux and Wireshark
There are several ways that a network can be configured within VirtualBox [3]. In module 1 the VMs were set up to use a Host-Only adapter [2]. In this networking mode the VM can see the host and the other VMs on the same host-only network, but there is no route to the internet; if Wireshark is going to be used to view communications with sites on the internet, a second adapter attached to NAT needs to be added to the VM.
Capturing Packets
After starting Wireshark, the first thing that needs to be done prior to capturing packets is to select the interface to run the capture on. See figure 3 below.
For this assignment, the interfaces used are:
- eth0 is the Host-Only adapter; its IP address is 192.168.122.4.
- eth1 is the adapter attached to NAT; its IP address is 10.0.3.15.
Once packets are being captured, a display filter narrows the “Packet List” pane to the hosts of interest. The form used throughout this paper is:
ip.addr == x.x.x.x, where x.x.x.x is the source or destination address the capture is interested in. Because ip.addr matches either the source or the destination field, this filter shows both directions of a conversation; ip.src or ip.dst would show only one direction.
The following screen capture is of a simple single-page site, http://www.1112.net/lastpage.html. It was captured on the NAT adapter (10.0.3.15), which can reach the internet. The display filter applied was ip.addr == 172.245.130.175, the address of the “last page of the internet” site.
The next screen capture is of the WebGoat application running on the CentOS VM within the lab.
The Wireshark capture was done on the Host-Only adapter of the Kali VM, capturing the traffic between the browser on the Kali VM and the CentOS VM running the WebGoat application during the login process. The IP address of the host running WebGoat is 192.168.122.3. The IP address of the Host-Only adapter on the Kali machine is 192.168.122.4.
Again, applying a display filter to the captured data makes it possible to focus on the desired packets. In this case the filter applied was ip.addr == 192.168.122.3, the WebGoat address. If a login is submitted over plain HTTP, the form fields, including the credentials, are readable in the “Packet Bytes” pane; compare this with the TLS session in the Capturing Encrypted Messages section below.
Capturing TCP Segments
The “Packet Details” pane shows the protocols and protocol fields of the packet selected in the “Packet List” pane. It provides information about each header as well as the length of the data segment.
This shows how application data may be segmented. At the transport layer, the TCP header together with the data it carries is a TCP segment [7]. One caveat when capturing on the sending host itself: with TCP segmentation offloading enabled, the capture is taken before the network card splits the data, so Wireshark can show segments larger than the link MTU; [7] describes how to turn this off with ethtool.
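The display filter from the Capturing Packets section and the segment view described here can be reproduced outside the GUI. The following is an added example, not code from the original report: it constructs a few Ethernet/IPv4/TCP frames in memory (no capture file needed), parses the header fields the “Packet Details” pane shows, applies the equivalent of ip.addr == x.x.x.x versus ip.src == x.x.x.x, and reassembles a response that was split across two TCP segments. The addresses are the lab's; the port 8080, the HTTP request and response bytes, and the out-of-order delivery are assumptions made up for the example.

```python
"""Added example: dissect constructed Ethernet/IPv4/TCP frames, apply the
equivalent of Wireshark's ip.addr / ip.src display filters, and reassemble
a payload split over two TCP segments. Not code from the original report."""
import ipaddress
import struct
from dataclasses import dataclass

KALI = "192.168.122.4"        # Host-Only adapter of the Kali VM (from the report)
WEBGOAT = "192.168.122.3"     # CentOS VM running WebGoat (from the report)
LASTPAGE = "172.245.130.175"  # "last page of the internet" site (from the report)
WEBGOAT_PORT = 8080           # assumption: the report does not state the port
SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: int
    tcp_hdr_len: int
    payload: bytes

    @property
    def segment_len(self) -> int:
        """A TCP segment is the TCP header plus the data it carries."""
        return self.tcp_hdr_len + len(self.payload)


def build_frame(src, dst, sport, dport, seq, flags, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP frame (no options, checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> Packet:
    """Walk Ethernet -> IPv4 -> TCP the way the Packet Details pane does."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]  # IPv4 total length
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]                      # drops any Ethernet trailer
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    return Packet(src, dst, sport, dport, seq, tcp[13], data_off, tcp[data_off:])


def ip_addr(address):
    """Equivalent of the display filter ip.addr == address: either direction."""
    return lambda p: address in (p.src, p.dst)


def ip_src(address):
    """Equivalent of ip.src == address: one direction only."""
    return lambda p: p.src == address


def reassemble(packets, src, dst):
    """Join one direction's payloads in sequence order (what Follow TCP Stream shows)."""
    one_way = [p for p in packets if p.src == src and p.dst == dst and p.payload]
    return b"".join(p.payload for p in sorted(one_way, key=lambda p: p.seq))


# Constructed traffic: handshake, request, a response delivered as two
# out-of-order segments, and one unrelated SYN to the lastpage site.
REQUEST = b"GET /WebGoat/login HTTP/1.1\r\nHost: 192.168.122.3:8080\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
FRAMES = [
    build_frame(KALI, WEBGOAT, 40000, WEBGOAT_PORT, 1000, SYN),
    build_frame(WEBGOAT, KALI, WEBGOAT_PORT, 40000, 5000, SYN | ACK),
    build_frame(KALI, WEBGOAT, 40000, WEBGOAT_PORT, 1001, PSH | ACK, REQUEST),
    build_frame(WEBGOAT, KALI, WEBGOAT_PORT, 40000, 5021, PSH | ACK, RESPONSE[20:]),
    build_frame(WEBGOAT, KALI, WEBGOAT_PORT, 40000, 5001, ACK, RESPONSE[:20]),
    build_frame(KALI, LASTPAGE, 40001, 80, 7000, SYN),
]
PACKETS = [dissect(f) for f in FRAMES]


def summary():
    """Counts and data to compare with what the Wireshark status bar reports."""
    return {
        "ip.addr==webgoat": len(list(filter(ip_addr(WEBGOAT), PACKETS))),
        "ip.src==webgoat": len(list(filter(ip_src(WEBGOAT), PACKETS))),
        "ip.addr==lastpage": len(list(filter(ip_addr(LASTPAGE), PACKETS))),
        "response": reassemble(PACKETS, WEBGOAT, KALI),
    }


if __name__ == "__main__":
    for p in PACKETS:
        print(p.src, p.sport, "->", p.dst, p.dport, "segment", p.segment_len)
    print(summary())
```

Running the script lists each frame with its segment length (20 bytes for the bare SYN, header plus payload for the data-carrying frames) and shows that ip.addr on the WebGoat address keeps all five frames of that conversation while ip.src keeps only the three sent by WebGoat; the reassembled response comes back in order even though the two segments were fed in reversed.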
Capturing Encrypted Messages
The following is the capture of logging in to my.sandiego.edu over HTTPS, that is, HTTP carried over TLS 1.2. The application data in this communication will be encrypted.
Start the capture in Wireshark by clicking the shark-fin (Start capturing packets) icon, then log in to the mySanDiego portal. Wireshark will capture the following:
By selecting an Application Data record in the “Packet List” pane and the Secure Sockets Layer entry (labelled Transport Layer Security in current Wireshark versions) in the “Packet Details” pane, the encrypted data can be observed in the “Packet Bytes” pane. Note that only the Application Data records are encrypted: the TLS 1.2 handshake that precedes them (Client Hello, Server Hello, Certificate) is sent in cleartext, so the server name requested in the Client Hello's Server Name Indication extension and the server's certificate are readable from the same capture.
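What is and is not readable in such a capture can be checked at the record level. The following is an added example, not code from the original report: it constructs a TLS 1.2 Client Hello carrying a Server Name Indication for my.sandiego.edu followed by an Application Data record, splits the byte stream into TLS records the way Wireshark's TLS dissector does, and extracts the server name from the handshake while leaving the Application Data fragment as the opaque bytes it is. The client random, the cipher suites and the application-data bytes are constructed placeholders, not captured values.

```python
"""Added example: split a constructed TLS 1.2 byte stream into records and
show which parts are readable (Client Hello with SNI) and which are opaque
(Application Data). Not code from the original report."""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
TLS12 = b"\x03\x03"


def tls_record(content_type: int, fragment: bytes) -> bytes:
    """Record layer header: type(1) version(2) length(2), then the fragment."""
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(fragment)) + fragment


def build_client_hello(server_name: str, cipher_suites=(0xC02F, 0x009C)) -> bytes:
    """Construct a minimal Client Hello with only the server_name extension."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS12 + bytes(32)                  # client_version, random (zeroed placeholder)
            + b"\x00"                          # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                      # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type client_hello
    return tls_record(HANDSHAKE, handshake)


def parse_records(stream: bytes):
    """Return (content_type, version, fragment) for each TLS record in the stream."""
    records, off = [], 0
    while off < len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), fragment))
        off += 5 + length
    return records


def client_hello_sni(handshake: bytes):
    """Return the host name from a Client Hello's server_name extension, or None."""
    if handshake[0] != 1:                      # not a Client Hello
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    off = 2 + 32                               # client_version + random
    off += 1 + body[off]                       # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                       # compression_methods
    if off >= len(body):
        return None                            # no extensions at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if ext_type == 0:                      # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", body[off + 3:off + 5])[0]
            return body[off + 5:off + 5 + name_len].decode("ascii")
        off += ext_len
    return None


def describe(stream: bytes):
    """What the Packet List would show per record, and what is recoverable from it."""
    out = []
    for ctype, version, fragment in parse_records(stream):
        entry = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                 "version": version, "length": len(fragment), "sni": None}
        if ctype == HANDSHAKE:
            entry["sni"] = client_hello_sni(fragment)   # readable: handshake is cleartext
        out.append(entry)                               # Application Data stays opaque
    return out


# Constructed stream: the Client Hello of the lab's login, then one
# Application Data record whose bytes stand in for ciphertext.
STREAM = build_client_hello("my.sandiego.edu") + tls_record(APPLICATION_DATA, bytes(range(0x90, 0xB0)))

if __name__ == "__main__":
    for record in describe(STREAM):
        print(record)
```

The first record is reported as a Handshake with the server name recovered from it; the second is Application Data with a length and nothing else, which is exactly the split a capture shows: the record-layer header, the version and the fragment length are always visible, the payload of Application Data is not. The same check applies to TLS 1.3 captures, where the Client Hello and its SNI are still cleartext although most of the rest of the handshake is encrypted.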
Summary
Wireshark is a very powerful tool. It is a packet analyzer that allows a network or security engineer to investigate traffic, protocol or any other kind of network issue. It allows for investigating or troubleshooting in real time or after the fact with captured files, and it can be used for forensic analysis [4], [5], [6]. It is certainly a tool that network and security engineers would benefit from having in their tool set and being proficient with.
References
[1] wireshark.org. (n.d.). Chapter 1. Introduction. Retrieved from https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs
[2] virtualbox.org. (n.d.). 6.7. Host-only networking. Retrieved from https://www.virtualbox.org/manual/ch06.html#network_hostonly
[3] virtualbox.org. (n.d.). Chapter 6. virtual networking. Retrieved from https://www.virtualbox.org/manual/ch06.html#
[4] Fletcher, D. (2015, July 10). Forensic Timeline Analysis using Wireshark. Retrieved from https://www.sans.org/reading-room/whitepapers/forensics/forensic-timeline-analysis-wireshark-giac-gcfa-gold-certification-36137
[5] Chappell, L. (2013). Sharkfest 2013 - Wireshark network forensics [video]. Retrieved from https://www.youtube.com/watch?v=UXAHvwouk6Q
[6] Kurrus, J. (2016, August 14). Wireshark advanced malware traffic analysis. Retrieved from https://www.youtube.com/watch?v=dk39uVyrS_o
[7] Gordon, S. (2014, November 3). Segmentation and checksum offloading: Turning off with ethtool. Retrieved from https://sandilands.info/sgordon/segmentation-offloading-with-wireshark-and-ethtool