Data is transmitted over a network in packets. A packet sniffer captures those packets; it is a troubleshooting and network-analysis tool that is well worth mastering, and it is also used for dissecting network attacks and for basic information gathering.
The use of a packet sniffer is not limited to troubleshooting: it can also help in training staff and in designing and operating the devices on a network.
The job of a sniffer is to capture network traffic. It is simply indispensable for anyone who wants to examine the packets crossing a network, for good or ill.
Fortunately, there is a plethora of books, self-study courses, in-person training sessions and certifications for the Wireshark tool. In this article I'll discuss the basic operation of a packet sniffer.
Packet Sniffing Background
The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. A packet sniffer itself is passive: it records what the network interface sees and injects nothing onto the network. Note that for wireless capture with Wireshark in normal (managed) mode, the computer must also be associated with the wireless network and have an appropriately assigned IP address; in that mode it sees only frames addressed to itself plus broadcast and multicast traffic, and capturing other stations' frames requires an adapter that supports monitor mode.
Make sure your computer is properly connected to the network you want to sniff. At its most basic, a packet sniffer captures traffic directly from a network interface and lets the user interpret the information carried in that traffic.
A quick reference for Wireshark display filters is here: https://wiki.wireshark.org/DisplayFilters (display filters narrow what is shown after the fact; capture filters, written in BPF syntax, limit what gets recorded in the first place).
Figure 1 below shows an example capture taken while browsing the web over HTTPS (HTTP over TLS). The window is divided into three sections:
- Packet List: displays a one-line summary of every captured packet.
- Packet Details: provides a tree view of the protocol layers of the packet currently highlighted in the Packet List.
- Packet Bytes: shows the raw bytes of the packet highlighted in the Packet List.
Open Capture > Options from the menu.
In the capture dialog, select the correct network interface to listen on.
Under Options, make sure the Resolve network names check box is unchecked. This stops Wireshark from issuing a reverse DNS lookup for every address it sees, which would add the sniffer's own traffic to the network you are observing.
Click Start and watch the packets stream in.
Note: if you do not see any traffic being captured, open a web browser and connect to a website.
When you are finished capturing, click Capture > Stop and save the packets with File > Save As. Wireshark's default save format is pcapng; pick the pcap format in the file-type drop-down if you need a classic .pcap file. The walkthrough below assumes you named the file http.pcap.
Review the captured data in Wireshark.
In Wireshark, open a trace file by clicking File > Open.
Browse to the folder where you saved http.pcap.
This capture file will show a basic HTTP session between two computers, including the DNS lookup, the TCP three-way handshake, and the GET request for a web page. Note that the request line is only visible for plain HTTP: in an HTTPS session like the one in Figure 1 the GET request and the response travel inside TLS records, which Wireshark shows only as "Application Data" unless you give it the session keys (for example by pointing Edit > Preferences > Protocols > TLS at a browser's SSLKEYLOGFILE). The DNS lookup and the handshake remain visible either way, and the host name usually also appears in the Server Name Indication of the TLS Client Hello.
- Which IP address is requesting the web page information?
- What is the FQDN from which the web page is being requested?
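The two questions above are answered in Wireshark by filtering on `dns.flags.response == 0` for the lookup and on `http.request` for the GET, then reading the `ip.src` and `http.host` fields. The following Python script is an added example, not code from the original article: it builds a small capture in the libpcap file format (the same format Wireshark opens with File > Open) from constructed sample packets, a DNS lookup, a TCP three-way handshake and an HTTP GET, and then dissects the Ethernet, IPv4, UDP, TCP, DNS and HTTP layers by hand to answer both questions. All MAC addresses, IP addresses and the hostname www.example.com are made up (203.0.113.5 is from the TEST-NET-3 documentation range), and the function names are my own.

```python
"""Added example: build a sample pcap with constructed traffic, then dissect it.
Writes http.pcap so the result can be compared in Wireshark. All MACs, IPs and
the hostname are constructed sample data; 203.0.113.5 is a documentation address.
"""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT_MAC, GW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT, RESOLVER, WEB = "192.168.1.10", "192.168.1.1", "203.0.113.5"  # sample hosts
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet

# --- packet builders (header layouts per RFC 791, 768, 793 and 1035) --------
def ethernet(src_mac, dst_mac, payload):
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + payload  # 0x0800 = IPv4

def ipv4(src, dst, proto, payload):  # checksum left 0: Wireshark only flags it, we do not verify
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, seq, ack, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def dns_query(name, txid=0xBEEF):  # standard query, recursion desired, one A question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_sample_pcap():
    """DNS lookup, TCP three-way handshake and an HTTP GET, as a pcap byte string."""
    get = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    frames = [
        ethernet(CLIENT_MAC, GW_MAC, ipv4(CLIENT, RESOLVER, 17, udp(51234, 53, dns_query("www.example.com")))),
        ethernet(CLIENT_MAC, GW_MAC, ipv4(CLIENT, WEB, 6, tcp(40000, 80, 1000, 0, SYN))),
        ethernet(GW_MAC, CLIENT_MAC, ipv4(WEB, CLIENT, 6, tcp(80, 40000, 5000, 1001, SYN | ACK))),
        ethernet(CLIENT_MAC, GW_MAC, ipv4(CLIENT, WEB, 6, tcp(40000, 80, 1001, 5001, ACK))),
        ethernet(CLIENT_MAC, GW_MAC, ipv4(CLIENT, WEB, 6, tcp(40000, 80, 1001, 5001, PSH | ACK, get))),
    ]
    out = bytearray(PCAP_HEADER)
    for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)) + frame
    return bytes(out)

# --- dissector ---------------------------------------------------------------
def read_pcap(data):
    """Yield raw frames from a little-endian libpcap byte string (Ethernet link type)."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap file with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_qname(buf):
    """Decode a DNS name made of length-prefixed labels (no compression pointers)."""
    labels, off = [], 0
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels)

def dissect(frame):
    """Return the fields Wireshark's packet list would show, or None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    l4 = ip[ihl:total_len]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    if proto == 17:  # UDP; treat port 53 as DNS and pull the first question name
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(proto="UDP", sport=sport, dport=dport)
        if dport == 53 and len(l4) > 20:  # 8 bytes UDP + 12 bytes DNS header
            pkt["dns_qname"] = parse_qname(l4[20:])
    elif proto == 6:  # TCP; a payload starting with a method token is an HTTP request
        sport, dport, _, _, off_flags, flags = struct.unpack("!HHIIBB", l4[:14])
        payload = l4[(off_flags >> 4) * 4:]
        pkt.update(proto="TCP", sport=sport, dport=dport, flags=flags)
        if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            line, _, rest = payload.partition(b"\r\n")
            pkt["http_request"] = line.decode()
            for hdr in rest.split(b"\r\n"):
                if hdr.lower().startswith(b"host:"):
                    pkt["http_host"] = hdr.split(b":", 1)[1].strip().decode()
    return pkt

def summarize(data):
    """Answer the article's review questions from a capture."""
    packets = [p for p in map(dissect, read_pcap(data)) if p]
    req = next(p for p in packets if "http_request" in p)
    return {
        "requester": req["src"], "server": req["dst"], "fqdn": req["http_host"],
        "request_line": req["http_request"],
        "dns_lookups": [p["dns_qname"] for p in packets if "dns_qname" in p],
        "handshake_flags": [p["flags"] for p in packets if p.get("proto") == "TCP"][:3],
    }

if __name__ == "__main__":
    with open("http.pcap", "wb") as f:  # open this file in Wireshark to compare
        f.write(build_sample_pcap())
    print(summarize(build_sample_pcap()))
```

Running the script writes http.pcap into the current directory and prints the requesting address, the server, the FQDN from the Host header, the DNS question name and the handshake flag sequence (SYN, SYN/ACK, ACK). Open the file in Wireshark and apply the filters above to see the same values; the IP checksums are left at zero, so Wireshark marks them as bad unless checksum validation is turned off, which is exactly the kind of detail a hand-written packet gives away.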