Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.
Functionality

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic travelling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering.

On Linux, BSD, and OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.
History

In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, was working for a small Internet service provider. The commercial protocol analysis products at the time were priced around $1500 and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998. The Ethereal trademark is owned by Network Integration Services.

In May 2006, Combs accepted a job with CACE Technologies. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark.[6] In 2010 Riverbed Technology purchased CACE and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.

Wireshark has won several industry awards over the years, including eWeek, InfoWorld, and PC Magazine. It is also the top-rated packet sniffer in the Insecure.Org network security tools survey and was the SourceForge Project of the Month in August 2010.

Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists over 600 additional contributing authors.
Features

Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.

· Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
· Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
· Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
· Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
· Data display can be refined using a display filter.
· Plug-ins can be created for dissecting new protocols.
· VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
· Raw USB traffic can be captured.
· Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.
Security

Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/TShark often ran with superuser privileges. Taking into account the huge number of protocol dissectors that are called when traffic is captured, this can pose a serious security risk given the possibility of a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts about better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.

Elevated privileges are not needed for all of the operations. For example, an alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. For near-real-time analysis, each captured file can be merged by mergecap into a growing file that Wireshark processes. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges: neither Wireshark nor TShark need to run with special privileges, and neither of them should be run with special privileges.
PACKET SNIFFER

The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures ("sniffs") messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on your machine.

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical medium is an Ethernet, and so all upper layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must "understand" the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. It then understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string "GET," "POST," or "HEAD."
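The layered walk described above (Ethernet frame, then IP datagram, then TCP segment, then the HTTP method token) written out as a small Python dissector. This is an added example, not Wireshark's own code; the frame it parses is hand-constructed here, not a real capture, and the field layouts are the standard Ethernet II, IPv4 and TCP header formats.

```python
import struct

# Constructed sample: one Ethernet II / IPv4 / TCP frame carrying an HTTP request.
# Built by hand for this example; it is not a captured packet.
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
IP_LEN = 20 + len(TCP_HDR) + len(HTTP_PAYLOAD)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]))
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
FRAME = ETH_HDR + IP_HDR + TCP_HDR + HTTP_PAYLOAD


def dissect(frame):
    """Peel Ethernet -> IPv4 -> TCP -> HTTP the way a packet analyzer does and
    return the fields recognised at each layer. Stops at the first layer it
    cannot interpret (e.g. a non-IPv4 EtherType or a non-TCP protocol)."""
    out = {}
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:
        return out  # not IPv4: the IP dissector does not apply
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IHL nibble gives header length in 32-bit words
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    out["ip"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "proto": proto}
    if proto != 6:
        return out  # not TCP
    tcp = ip[ihl:total_len]  # use IP total length, not frame end (Ethernet padding)
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4  # TCP data offset, in 32-bit words
    out["tcp"] = {"sport": sport, "dport": dport}
    payload = tcp[data_off:]
    # The HTTP dissector recognises a request by the leading method token.
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD"):
        out["http"] = {"method": method.decode(),
                       "request_line": payload.split(b"\r\n", 1)[0].decode()}
    return out


if __name__ == "__main__":
    for layer, fields in dissect(FRAME).items():
        print(layer, fields)
```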
Running Wireshark

When you run the Wireshark program, the Wireshark graphical user interface shown in Figure 2 will be displayed. Initially, no data will be displayed in the various windows.

The command menus are standard pulldown menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application. The Capture menu allows you to begin packet capture.

The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol's header), the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.