Wireshark: a godsend for a spy

Father

Wireshark is well known to anyone who deals with traffic analysis. On the one hand, it is a professional, free, open-source traffic analyzer for computer networks of many types and protocols.

It lets you study network activity: capture, filter, decode and visualize packets in real time or from saved capture files.

Yuri Shvets
Associate Professor, Department of Economic Theory, Financial University under the Government of the Russian Federation

Wireshark can be used for various purposes, such as debugging and testing network applications, detecting and solving network problems, studying network protocols, training and education, monitoring and auditing network security, and so on. The program is available for various operating systems, such as Windows, Linux, macOS, and others. It is distributed under the GNU GPL license and is one of the most popular and respected tools in the field of network analysis.

Users believe that Wireshark has a very comfortable and intuitive graphical user interface that shows detailed information about each field of the protocol at any level. It also supports various statistical and graphical functions for analyzing network activity.

That is why the program is popular all over the world, including in Russia, yet many employers prohibit its use on work devices, and in some countries using such programs can be a crime. Let's try to understand this contradiction around the Wireshark sniffer.

Wireshark: instructions

Wireshark has three main capture modes: promiscuous mode, monitor mode, and normal mode. Each serves a different purpose.

Capture modes:
  1. Promiscuous mode. The network card passes up every frame it sees on the segment, regardless of who it is addressed to. This is useful for analyzing all traffic in a segment or for spotting unauthorized devices or packets. On a switched network you still see only what the switch forwards to your port, so for whole-segment analysis you need a SPAN/mirror port or a tap.
  2. Monitor mode. Available on wireless interfaces only: the card captures raw 802.11 frames, including management and control frames and frames from networks it is not associated with. This is what you need to analyze Wi-Fi networks. It does not decrypt anything by itself, so encrypted payloads stay encrypted unless you supply the key.
  3. Normal mode. The card captures only the packets addressed to it, plus broadcast and multicast traffic. This is enough for analyzing your own host's traffic and keeps the load on the computer low.

To set filters and capture modes, open Capture > Options (the gear icon on the toolbar) and select the interface you want to capture from. In the Capture Options window you enter the capture filter in the capture filter field, toggle promiscuous mode (and, for wireless interfaces, monitor mode) in the interface's columns, and set other parameters such as output file size or capture duration limits on the Output and Options tabs.

Traffic analysis can solve a large number of network problems. To know what to look at first, you need a clear understanding of the purpose of the analysis.

Dmitry Zarudnev
Head of the Application Solutions Department, Angels IT Company

From the point of view of analyzing the network as a whole, it is worth paying attention to the packet lifetime (TTL). A low value of this parameter indicates a large number of intermediate nodes in the network, which negatively affects its overall performance. You should also pay attention to the number of broadcast packets. If there are a large number of such packets in the local network, it is possible that this is some kind of virus scanning the network, and it needs to be analyzed.

When you use Wireshark to analyze network traffic, you should pay attention to the number of packets that are not addressed to your network: these are either external sources that users actually access, or some kind of virus that tries to scan the network. Also look at the number and numbering of the ports that network devices access, that is, how well they correspond to the tasks performed in your network infrastructure.

From the point of view of network protection, if all ports are being probed, this may indicate that there is a malicious program on the network.
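The three checks described above (TTL, broadcast volume, port sweeps) as an added example, not code from the article or from the Wireshark project. It constructs a dozen Ethernet/IPv4 frames inline (nothing is captured from a live network), runs the checks over them, and writes the same frames as a pcap file you can open in Wireshark. The helper names build_frame, parse_frame, analyze_capture and pcap_bytes, the thresholds low_ttl=8 and scan_ports=5, and all addresses are this example's own assumptions.

```python
"""Offline TTL / broadcast / port-sweep checks over constructed frames, plus a
pcap writer so the same frames can be opened in Wireshark. Added example, not
the article's or Wireshark's code; every name and threshold below is an
assumption of this example, and all traffic is constructed, not captured."""
import struct
from collections import defaultdict

ETH_BROADCAST = b"\xff" * 6
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _ip(text):
    return bytes(int(octet) for octet in text.split("."))

def tcp_segment(sport, dport, flags, payload=b""):
    """Minimal TCP header: zero seq/ack, 20-byte header, checksum left as 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def udp_segment(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, proto, transport):
    """Ethernet II + IPv4 header without options + the given transport bytes."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, ttl, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    return eth + ip + transport

def parse_frame(frame):
    """Fields the checks need, or None for anything that is not IPv4 over Ethernet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"bcast": frame[0:6] == ETH_BROADCAST, "ttl": frame[22], "proto": frame[23],
           "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "sport": None, "dport": None, "flags": 0}
    l4 = frame[14 + ihl:]
    if rec["proto"] in (6, 17) and len(l4) >= 8:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        if rec["proto"] == 6 and len(l4) >= 14:
            rec["flags"] = l4[13]  # TCP flags byte
    return rec

def analyze_capture(frames, low_ttl=8, scan_ports=5):
    """Low TTLs, broadcast share, and (src, dst) pairs where one host sends bare
    SYNs to at least scan_ports distinct ports: the signature of a port sweep."""
    ttls, broadcasts = [], 0
    syn_targets = defaultdict(set)
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        ttls.append(rec["ttl"])
        broadcasts += int(rec["bcast"])
        if rec["proto"] == 6 and rec["flags"] & (SYN | ACK) == SYN:
            syn_targets[(rec["src"], rec["dst"])].add(rec["dport"])
    scans = sorted((s, d, sorted(p)) for (s, d), p in syn_targets.items() if len(p) >= scan_ports)
    return {"packets": len(ttls),
            "min_ttl": min(ttls) if ttls else None,
            "low_ttl_packets": sum(1 for t in ttls if t <= low_ttl),
            "broadcast_packets": broadcasts,
            "broadcast_share": broadcasts / len(ttls) if ttls else 0.0,
            "suspected_scans": scans}

def pcap_bytes(frames):
    """Classic pcap (magic 0xa1b2c3d4, Ethernet link type), one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def sample_frames():
    """Constructed traffic: one HTTPS handshake whose reply arrives with TTL 3,
    two DHCP-style broadcasts, and a SYN sweep of eight ports from 10.0.0.9."""
    gw, a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:05", "00:11:22:33:44:07", "00:11:22:33:44:09"
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [
        build_frame(a, gw, "10.0.0.5", "93.184.216.34", 64, 6, tcp_segment(51000, 443, SYN)),
        build_frame(gw, a, "93.184.216.34", "10.0.0.5", 3, 6, tcp_segment(443, 51000, SYN | ACK)),
        build_frame(a, bcast, "0.0.0.0", "255.255.255.255", 64, 17, udp_segment(68, 67, b"\x01")),
        build_frame(b, bcast, "0.0.0.0", "255.255.255.255", 64, 17, udp_segment(68, 67, b"\x01")),
    ]
    for port in (21, 22, 23, 25, 80, 139, 445, 3389):
        frames.append(build_frame(c, b, "10.0.0.9", "10.0.0.7", 64, 6, tcp_segment(40000 + port, port, SYN)))
    return frames

if __name__ == "__main__":
    frames = sample_frames()
    with open("constructed.pcap", "wb") as f:
        f.write(pcap_bytes(frames))
    for key, value in analyze_capture(frames).items():
        print(f"{key}: {value}")
```

Opening constructed.pcap in Wireshark, the same three findings correspond to the display filters `ip.ttl <= 8`, `eth.dst == ff:ff:ff:ff:ff:ff` and `tcp.flags.syn == 1 && tcp.flags.ack == 0`, and Statistics > Conversations sorted by packet count shows the 10.0.0.9 to 10.0.0.7 pair standing out. The thresholds are deliberately low for the tiny sample; on a real segment, tune them to the normal broadcast rate and hop count you observe, since a single low-TTL packet or a handful of SYNs is noise, not a finding.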

In the wrong hands

Traffic interception with Wireshark is a network diagnostic technique that can also be used for passive reconnaissance of network infrastructure: for example, to learn details of the network topology or the names and addresses of servers that ordinary users normally never see. Like any network analysis tool, it can be used for both legitimate and malicious purposes.

Evgeny Gryaznov
Leading information security consultant at R-Vision

One of the most important features is the Wireshark architecture. It uses the Npcap network packet capture driver to access the network. This driver requires administrator rights to work, but is often configured so that even ordinary users can use it. This opens up space for both an attack using vulnerabilities in the driver itself, and the ability to use it unnoticed by the user in order to analyze network traffic by an attacker. In this case, the attacker does not need administrator rights on the machine.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

The main "harm" is that a potential attacker can detect something in the intercepted traffic that will help to compromise the organization's information system in the future. This can be anything from intercepted passwords or API keys, to detecting the use of unreliable data transfer protocols and errors in the business logic of applications.

Many organizations prohibit using Wireshark on work devices for several reasons. It can threaten privacy and data security if it is used to capture or analyze other people's traffic without permission, or to decrypt traffic with keys one is not entitled to. Wireshark itself only listens, but what it captures can feed replay or spoofing attacks carried out with other tools.

Working with Wireshark can also hurt the performance of the capturing computer (and, with remote capture, of the network) when you capture a large volume of traffic: the capture buffer fills up and packets are dropped.

Yuri Shvets
Associate Professor, Department of Economic Theory, Financial University under the Government of the Russian Federation

The Wireshark sniffer may violate the organization's policies or regulations on the use of network resources or work devices. For example, an organization may prohibit the use of unauthorized software, capture traffic without authorization, store or transmit confidential data, and so on.

Sergey Petrenko
Doctor of Technical Sciences, Head of Information Security at the IT Academy

Wireshark traffic analysis allows you to study the effectiveness of vulnerability scanners used (analyzing network traffic of scanners, determining the percentage of false alarms, etc.) and other information protection tools. This includes tracking responses to anomalies, unusual domains, large DNS responses, and other malware features. As a result, not only security administrators, but also attackers, having gained access to the functionality of the mentioned analyzer, can first examine the strength of the corporate security subsystem, identify its bottlenecks, and then use the identified vulnerabilities and shortcomings to conduct their own cyber attacks.

The functionality of Wireshark-like tools goes far beyond simple traffic capture and analysis. They allow you to recover passwords for Windows, perform attacks to get lost credentials, study in-depth packets and data on the network, analyze packet routing, and much more. For this reason, many organizations prohibit their use to prevent security incidents that may occur as a result of both deliberate and careless user actions.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

To perform work tasks, an ordinary office employee does not need Wireshark 99 times out of 100, or even a little more often. However, good information security specialists are inherently paranoid, and the very appearance of such a tool in someone's workplace can be the beginning of big problems to come. We never fully understand the level of computer literacy and competencies of those with whom we work. Moreover, training is now available on literally any topic, including practical cybersecurity on the verge of the provisions of the criminal code.

Therefore, if you want to use Wireshark on a work device, get permission from your supervisor or network administrator and follow all the rules and precautions for working with the program.

And how is it safe?

According to experts, the main difficulty in using Wireshark is obvious: capturing traffic safely and effectively requires real skills and knowledge, as well as precautions. In addition, the program lets an attacker pick passwords out of unencrypted traffic.

Evgeny Gryaznov
Leading information security consultant at R-Vision

There is only one way to protect yourself from password interception: do not transmit passwords over the network. Now almost all passwords are transmitted inside HTTPS traffic and cannot be intercepted by any traffic analyzers, not just Wireshark.

It is also a good practice to use certificate authentication technologies instead of passwords, or to additionally use one-time code generators (like Google Authenticator).

When using Wireshark, you need to take precautions:
  1. Capture and analyze only traffic that is relevant to your network or application and that you are authorized to see. Don't compromise someone else's privacy or security.
  2. Use protected protocols and encryption (TLS, SSH, a VPN) to transfer or store sensitive data. Do not count on Wireshark, or any other sniffer, being unable to read your traffic.
  3. Limit the volume and duration of captured traffic to avoid overloading the capturing computer.
  4. Use Wireshark packet capture filters and modes to select only the desired packets.
  5. Store and process files with captured traffic in a secure location. Do not give access to them to unauthorized persons or programs.
  6. Delete or destroy files that are no longer needed.

Yuri Shvets
Associate Professor, Department of Economic Theory, Financial University under the Government of the Russian Federation

Wireshark filters and capture modes allow you to choose which packets will be captured and displayed in the program. They help you reduce the amount of traffic and focus on the data you're interested in. Capture filters are applied before packets reach Wireshark. They determine which packets will be captured by the network card and stored in a file or memory. Capture filters are based on the Berkeley Packet Filter (BPF) syntax and can use various criteria, such as source and destination addresses, port numbers, protocol types, etc.

Display filters are applied after packets have already been captured and loaded into Wireshark. They determine which packets will be displayed in the packet list and details. Display filters are based on the Wireshark Display Filter (WDF) syntax and can use various criteria, such as protocol field values, data strings or bytes, expressions and functions, and so on. Capture modes determine how packets will be captured from the network card.

Advantages and disadvantages

Sniffers, or traffic analyzers, such as Wireshark, tcpdump, Kismet, EtherApe or Cain and Abel, make it possible to detect and fix network security and performance issues at the earliest stages of an incident.

Sergey Petrenko
Doctor of Technical Sciences, Head of Information Security at the IT Academy

The obvious advantages of Wireshark include: open source code, a reasonable balance between labor intensity and efficiency of data collection and processing, a visual representation of the results of work, a friendly user interface, and the ability to work under all known operating systems of the Linux, Windows, and macOS family.

Pros of using Wireshark:
  1. Provides detailed and accurate information about each network packet and its contents, which allows you to better understand the operation of network protocols and applications.
  2. It supports a large number of network protocols and file formats, making it a versatile and flexible tool for analyzing different types of networks and traffic.
  3. It has powerful filtering, search, statistics, and data visualization functions that make it easier to find and solve network problems, debug and test network applications, monitor and audit network security, and so on.
  4. Free and open-source software, which ensures availability and lets a community of users and developers keep developing and improving it.

Marat Ilyasov
Head of the Network Analytics team at the Innostage CyberART Center for Countering Cyber Threats

Plus: you have full access to all the data that the network interface of your OS sends and receives, which greatly helps IT specialists in solving problems related to debugging a particular program or checking network connections within the infrastructure. Minus: unconditional access to each sent packet. Wireshark software can look "inside" and collect the transmitted files (images, documents, programs) from separate bits and bytes. The program can also display credentials for authorization using unencrypted protocols, such as HTTP.
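What the "credentials for authorization using unencrypted protocols" mentioned above, and the "intercepted passwords or API keys" Sergey Polunin warns about earlier, look like when pulled out of a capture, as an added example rather than the article's or Wireshark's own code. It scans raw capture bytes for HTTP Basic and FTP logins, the way Follow TCP Stream or a strings-style sweep would expose them. The sample bytes are constructed inline; harvest_credentials, decode_basic, harvest_from_file and the finding tuples are this example's own names.

```python
"""Clear-text credential harvesting over raw capture bytes: what an attacker
(or an auditor) gets from a capture of HTTP Basic or FTP logins. Added example,
not the article's or Wireshark's code; the function names and the sample bytes
are this example's own constructions."""
import base64
import binascii
import re

# HTTP Basic carries base64("user:password"); FTP sends USER and PASS as plain
# commands ending in CRLF. Only the client side is matched, which is where the
# secret travels. The patterns are byte-based and ignore packet framing, so they
# work on a whole pcap file as well as on a single reassembled stream.
BASIC_RE = re.compile(rb"Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FTP_USER_RE = re.compile(rb"(?<![A-Za-z0-9])USER[ \t]+(\S+)\r\n", re.IGNORECASE)
FTP_PASS_RE = re.compile(rb"(?<![A-Za-z0-9])PASS[ \t]+(\S+)\r\n", re.IGNORECASE)

def decode_basic(token):
    """Return (user, password) from a Basic token, or None when it is not valid
    base64 or does not decode to a 'user:password' pair (garbage is skipped)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")

def harvest_credentials(data):
    """Scan capture bytes and return [(protocol, user, password), ...].
    USER/PASS are paired in order of appearance. A secret split across two TCP
    segments is missed, so reassemble streams first when that matters."""
    findings = []
    for match in BASIC_RE.finditer(data):
        pair = decode_basic(match.group(1))
        if pair is not None:
            findings.append(("http-basic",) + pair)
    users = [m.group(1).decode("latin-1") for m in FTP_USER_RE.finditer(data)]
    passwords = [m.group(1).decode("latin-1") for m in FTP_PASS_RE.finditer(data)]
    findings.extend(("ftp", u, p) for u, p in zip(users, passwords))
    return findings

def harvest_from_file(path):
    """Run the scan over a whole pcap/pcapng file; its headers are just skipped bytes."""
    with open(path, "rb") as f:
        return harvest_credentials(f.read())

# Constructed sample: an HTTP request with Basic auth, an FTP login spread over
# two "segments" (the four bytes before each command stand in for packet
# headers), and a Basic token that is not user:password and must be ignored.
SAMPLE_CAPTURE_BYTES = (
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"
    b"\x50\x18\x20\x00USER bob\r\n"
    b"\x50\x18\x20\x00PASS hunter2\r\n"
    b"Authorization: Basic bm90LWEtcGFpcg==\r\n"
)

if __name__ == "__main__":
    for protocol, user, password in harvest_credentials(SAMPLE_CAPTURE_BYTES):
        print(f"{protocol}: {user} / {password}")
```

In Wireshark itself the equivalent is the display filter `http.authorization`, or `ftp.request.command == "PASS"`, followed by Follow > TCP Stream on the hit. The point of the byte-level scan is that it needs no protocol dissection at all: anything sent in clear text is this easy to recover for anyone who holds the capture file, which is why the precaution about storing capture files securely matters as much as the one about what you capture.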

Despite the long list of positive aspects, working with Wireshark has a number of disadvantages and pitfalls, because of which, in the wrong hands, it can cause trouble both for the user and for outsiders.

Sergey Petrenko
Doctor of Technical Sciences, Head of Information Security at the IT Academy

The disadvantages of Wireshark are that in practice, packet capture and protocol analysis alone are not enough. Here you need to know and understand the basics of well-known application and network protocols, and most importantly, be able to configure various filters in an automated mode for further research and improvement of data exchange processes. And of course, you need to know and understand at least the general principles of system integration of such tools into the corporate information security system (SIEM, SOC, etc.).

Disadvantages of using Wireshark:
  1. It requires a sufficiently high level of knowledge and experience in the field of network technologies and protocols to correctly interpret and use the information received.
  2. It can negatively affect network and computer performance if you capture a large amount or volume of traffic, which can lead to congestion or packet loss.
  3. It can pose a threat to privacy and data security if you capture or analyze someone else's or encrypted traffic without permission or keys.
  4. It can be used by attackers to intercept traffic; what it captures can then feed spoofing or replay attacks carried out with other tools.

Alexey Yakovlev
Head of Marketing Department at MIMINO outsourcing company

Some network devices may not support Wireshark traffic analysis, which may lead to incorrect analysis results. Wireshark cannot show a complete picture of traffic if traffic is encrypted. In addition, the tool can create a large amount of data that can be difficult to analyze.

Lilia Aleeva
Director of Marketing and Direct Sales at ICL Services, PhD in Economics

Wireshark is a powerful tool used to analyze network traffic. However, it also creates security and privacy risks that organizations must assess to ensure the security of their networks. By applying appropriate security measures and following network analysis guidelines, organizations can mitigate these risks and ensure the smooth operation of the network and data.

In the wrong hands, without the necessary knowledge and without compliance with security measures, an attempt to analyze data packets with Wireshark can do damage instead of good. At best, you simply lack the knowledge to make sense of the traffic you captured. At worst, you create fertile ground for cyber attacks by intruders.

Result

Wireshark instructions alone will not help the average user use the program effectively and safely with all its features; an experienced IT specialist should work with it. The tool can be both a great helper and a weapon placed in the hands of the enemy.

With enough determination and information from open sources, even an amateur can achieve some traffic analysis goals. The main thing is to study the security issues and possible risks in detail, especially when the device is a work device rather than a personal one.
 