WireShark for Protocol Analysis and Troubleshooting

What is a protocol analyzer? It is basically a tool for seeing the bits and bytes flowing through a network in human readable form. Without it, understanding a network communication exchange would be practically impossible. As you may know, network protocol is broken down into 7-layers (see the OSI 7-layer model). The part that WireShark deals with is layer 2 up to 7. Most well know protocols can be decoded by WireShark.

One of the most obvious applications of WireShark is the ability to capture network traffic and look at it from the perspective of learning. What better way to learn network protocols than to actually see them in action! For example, if you are learning how the TCP protocol works (check TCP/IP for Absolute Beginners), capture traffic from your computer when you visit a web site. In the captured trace file, you will see every detail of the network communication exchange including the details of the well known 3-way connection handshake (Explanation of the Three-way Handshake via TCP/IP).

When "black box" approach to network troubleshooting doesn't cut it, it is time to use WireShark. At work, we had an issue where a computer was unable to connect to a particular address on the Internet. We checked everything! The Internet site was OK because people can get to it from outside our network, but from within out network, they could not reach this particular site. Normal troubleshooting approach didn't cut it. We had to use WireShark to capture the network traffic being exchanged by our computer and the network. The capture revealed that our computer was getting a TCP RESET--thus the connection would not go through. As it turns out, out company web filter was sending a TCP RESET to block us from reaching that particular site! Without WireShark, there was no way we could have figured this out. Solving network issues is probably the best use of WireShark.

Did you know most network protocols designed for the Internet aren't secure? For example, TELNET, FTP, and HTTP are all non-secure protocols. If you were at a place where they provided free WI-FI, and you logged in to the a site using one of these protocols, someone with WireShark capturing your login session can read your login and password using WireShark! Below is an illustration of an FTP session captured using WireShark. Note that the actual account and password has been distorted for security reasons.

click to enlarge

Did you know that SMTP and POP--both email protocols--are also not secure? So if you were at a free WI-FI hot spot and you were sending or receiving email using your Outlook Express, someone running WireShark could capture your email session and read exactly the text portion of your email. Scary huh?

Yes WireShark is a protocol analyzer, and you can do at least three things with it:

• Learn the details of how network protocols work
• Solve network problems
• Use it to hack

If you want to learn more about it just visit WireShark's home page--http://www.wireshark.org/.