Monday 18 April 2016

Wireshark for Security Testing

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible.

Steps to capture and analyse network traffic using Wireshark
  1. Download & Install Wireshark from here: http://www.wireshark.org/download.html
  2. Capture -> Interfaces -> select the interface that is active, or the one whose traffic you expect to sniff
  3. Filter the captured traffic and analyse it

Filter Options

  • Network traffic captured in Wireshark is colour coded. For instance, DNS packets are shown in blue and HTTP packets in green.
  • The “Filter” box at the top is user friendly. As you type, it suggests valid field names and operators. The box stays red while the expression is invalid and turns green once it is valid.
  • The packet list can also be sorted by the Source, Destination or Protocol column.
  • To display only DNS requests: Type “dns” in Filter
  • To filter packets from a particular source IP address: Type “ip.src == 10.176.185.37” in Filter
  • And operator in filters: dns && ip.src==10.176.185.34
  • Find by string: Edit -> Find Packet -> Find By “String”

What to do with the captured traffic?

If your application sends data over TCP to the destination server, you can use the “Follow TCP Stream” option to see the conversation in readable form.
  • Select the TCP packet to be analysed.
  • Right click and select “Follow TCP Stream” to view the requests in a new window.
  • The requests are now shown in readable form. Analyse the session management and the data transmitted between the servers.
  • Unfortunately, the request and response bodies in the TCP stream are gzip-compressed, and I could not find a way to unzip them in Wireshark.
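As an added example that is not part of the original post, the following Python script does what “Follow TCP Stream” does for one side of a conversation (reassembling segments by sequence number, dropping retransmissions) and then gunzips the gzip-compressed HTTP body so the session data can be read. The capture is constructed; the two IP addresses are the ones from the filter examples above, and the URL, host and session value are made up.

```python
import gzip
from dataclasses import dataclass

@dataclass
class Segment:
    src: str        # source IP address
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def follow_stream(segments, sender):
    """Reassemble what `sender` transmitted, in sequence-number order, the way
    Wireshark's "Follow TCP Stream" shows one side of the conversation.
    Retransmitted or overlapping bytes are counted only once."""
    data, expected = bytearray(), None
    for seg in sorted((s for s in segments if s.src == sender), key=lambda s: s.seq):
        expected = seg.seq if expected is None else expected
        if seg.seq + len(seg.payload) <= expected:
            continue                                # pure retransmission
        data += seg.payload[max(0, expected - seg.seq):]   # drop overlapping bytes
        expected = seg.seq + len(seg.payload)
    return bytes(data)

def decode_http_response(raw):
    """Split an HTTP/1.1 response into (status line, headers, body) and
    gunzip the body when Content-Encoding says it is gzip-compressed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines)}
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body

# Constructed capture: a session token returned gzip-compressed, split across
# two segments that arrive out of order, with the first segment retransmitted.
CLIENT, SERVER = "10.176.185.34", "10.176.185.37"
BODY = b'{"session":"9f2c1d","user":"alice"}'
GZ = gzip.compress(BODY)
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(GZ) + GZ)
CAPTURE = [
    Segment(CLIENT, 1, b"GET /api/session HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(SERVER, 41, RESPONSE[40:]),
    Segment(SERVER, 1, RESPONSE[:40]),
    Segment(SERVER, 1, RESPONSE[:40]),      # retransmission of the first segment
]

if __name__ == "__main__":
    status, headers, body = decode_http_response(follow_stream(CAPTURE, SERVER))
    print(status, headers["content-encoding"], body.decode())
```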
