Go deep Network Protocol Analyzer Mircea Stan IAG

“Go deep!” • Network Protocol Analyzer Mircea Stan – IAG 7641 Security Class Networking Tool Presentation 1

I. Introduction: What is Wireshark ? • Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. • Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap[1] to capture packets; it runs on Linux, mac. OS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License. [1] In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as Win. Pcap. Monitoring software may use libpcap and/or Win. Pcap to capture packets travelling over a network. 2

II. Feature List Wireshark has a rich feature set which includes the following: • Deep inspection of hundreds of protocols, with more being added all the time • Live capture and offline analysis • Standard three-pane packet browser • Multi-platform: Runs on Windows, Linux, OS X, Solaris, Free. BSD, Net. BSD, and many others • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility • The most powerful search and display filters in the industry • Rich Vo. IP analysis • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT 2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and Net. Xray®, Network Instruments Observer, Net. Screen snoop, Novell LANalyzer, and many others • Capture files compressed with gzip can be decompressed on the fly • Live data can be read from Ethernet, IEEE 802. 11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform) • Decryption support for many protocols, including IPsec, SSL/TLS, WEP, and WPA/WPA 2 • Coloring rules can be applied to the packet list for quick, intuitive analysis • Output can be exported to XML, Post. Script®, CSV, or plain text 3

III. Tool History • In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems. • Ethereal was initially released after several pauses in development in July 1998 as version 0. 2. 0. Within days patches, bug reports, and words of encouragement started arriving and Ethereal was on its way to success. • Not long after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it. In October, 1998 Guy Harris was looking for something better than tcpview so he started applying patches and contributing dissectors to Ethereal. • In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it didn’t at that point new protocols could be easily added. So he started contributing dissectors and contributing patches. The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark or did not already handle. So they copied an existing dissector and contributed the code back to the team. • In 2006 the project moved house and re-emerged under a new name: Wireshark. • In 2008, after ten years of development, Wireshark finally arrived at version 1. 0. This release was the first deemed complete, with the minimum features implemented. It also coincided with the first Wireshark Developer and User Conference, called Sharkfest. • In 2015 Wireshark 2. 0 was released, which featured a new user interface. 4

IV. System Requirements The amount of resources Wireshark needs depends on your environment and on the size of the capture file you are analyzing. The values below should be fine for small to medium-sized capture files no more than a few hundred MB. Larger capture files will require more memory and disk space. If Wireshark runs out of memory it will crash. See https: //wiki. wireshark. org/Known. Bugs/Out. Of. Memory for details and workarounds. Although Wireshark captures packets using a separate process the main interface is single-threaded and won’t benefit much from multi-core systems. 1. 2. 1. Microsoft Windows • The current version of Wireshark should support any version of Windows that is still within its extended support lifetime. At the time of writing this includes Windows 10, 8, 7, Vista, Server 2016, Server 2012 R 2, Server 2012, Server 2008 R 2, and Server 2008. • Any modern 64 -bit AMD 64/x 86 -64 or 32 -bit x 86 processor. • 400 MB available RAM. Larger capture files require more RAM. • 300 MB available disk space. Capture files require additional disk space. • 1024× 768 (1280× 1024 or higher recommended) resolution with at least 16 bit color. 8 bit color should work but user experience will be degraded. Power users will find multiple monitors useful. • A supported network card for capturing • Ethernet. Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment. • 802. 11. See the Wireshark wiki page. Capturing raw 802. 11 information may be difficult without special equipment. • Other media. See https: //wiki. wireshark. org/Capture. Setup/Network. Media Older versions of Windows which are outside Microsoft’s extended lifecycle support window are no longer supported. It is often difficult or impossible to support these systems due to circumstances beyond our control, such as third party libraries on which we depend or due to necessary features that are only present in newer versions of Windows (such as hardened security or memory management). Wireshark 1. 12 was the last release branch to support Windows Server 2003. Wireshark 1. 10 was the last branch to officially support Windows XP. See the Wireshark release lifecycle page for more details. 1. 2. 2. UNIX / Linux Wireshark runs on most UNIX and UNIX-like platforms including OS X and Linux. The system requirements should be comparable to the Windows values listed above. Binary packages are available for most Unix and Linux distributions including the following platforms: • Apple OS X • Debian GNU/Linux • Free. BSD • Gentoo Linux • HP-UX • Mandriva Linux • Net. BSD • Open. PKG • Red Hat Enterprise/Fedora Linux • Sun Solaris/i 386 • Sun Solaris/SPARC 5

V. Where to get it from ? • Windows (x 86/x 64) : https: //www. wireshark. org/download. html • Linux: type “sudo apt-get install wireshark” within your distribution’s terminal, followed by “dpkg-reconfigure wireshark-common” command in order to start Wireshark without super-users permissions needed to capture packages. • For more information about installation, configuration process and more, check the official Wireshark FAQ: https: //www. wireshark. org/faq. html 6

VI. Wireshark In Action • As described already, Wireshark’s main function is to intercept packets (packages) that flow through the desired interface. In the attached video, you can see how easy it is to intercept the credentials from a login form over the Internet with just a few clicks of a button. • This is why using open Wi-Fi networks is a very dangerous idea, when making bank transactions or logging on social media (Facebook, Twitter, Instagram and so on), as they are extremely exposed to such data interceptions. 7

VII. Bibliography http: //www. wireshark. org/about. html http: //en. wikipedia. org/wiki/Wireshark http: //whatis. techtarget. com/definition/Wireshark 8