Wednesday, June 30, 2010

Wireshark as a network Sniffer or network analyzer

The last two posts on Wireshark (links at the end) covered installation and using it for basic analysis and troubleshooting of network traffic. This article explains why the software is so well known in hacker circles: Wireshark supports promiscuous mode, which allows the host to view other hosts' traffic!

Detailed working of Wireshark

Nowadays Ethernet has emerged as the most widely used LAN data link and physical layer standard. To support hardware communication between many machines at the same time, the concept of MAC addressing was introduced. When data is put on the cable for transmission, all the other hosts receive that data and pass it to their NIC, also known as the Ethernet card or LAN card. The data is then passed to the upper layer, the data link layer, which checks whether the destination MAC (hardware) address matches its own (remember, the MAC address of a machine is unique throughout the globe). If a match is found the packet is passed to the upper layer; otherwise the packet is discarded. Wireshark, with the help of the WinPcap library, captures the frames from the interface (Ethernet and token ring networks are supported) regardless of the destination MAC address, therefore displaying packets meant for other hosts as well.

The only problem is that you might not capture anyone else's traffic if a switched topology is being used instead of hubs. The reason lies in how switches and hubs propagate packets to end systems.

When a hub receives a packet on one of its physical interfaces, it pushes that packet out through all of its other ports. Consider this scenario:

When the gateway sends a packet to the hub, the hub forwards it to all of its connected interfaces, as shown above.

Now consider a scenario in which a switch is being used instead of a hub.

A switch silently learns the MAC address of each end system and maps it to the physical port to which that system is connected. Therefore, when a switch receives a packet it checks the destination MAC address and searches its table. If there is a match, it forwards the packet through that particular port; otherwise it floods the packet through all of the connected ports. It is clear that once a switch has built its table, packets are forwarded to the correct destination only and the other connected hosts do not receive them. Therefore, if Wireshark is run in a switched environment you will rarely be able to capture other hosts' data. You might receive other hosts' data, but that happens only while the switch has not yet completely built its table.

Here is an example of a switch's table, where fa represents FastEthernet ports.
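The difference between the two scenarios can be made concrete with a small simulation. The code below is an added example, not part of the original post: it models a hub that repeats every frame and a learning switch that builds a MAC table, then reports which frames a sniffing host on port 4 would receive. Host names, MAC addresses and port numbers are constructed for illustration.

```python
"""Constructed simulation of hub vs. switch frame forwarding.

Added example, not code from the original post. The MAC addresses,
port numbers and traffic below are made up for illustration.
"""

# Constructed placeholder MAC addresses.
GATEWAY = "00:11:22:33:44:01"
ALICE = "00:11:22:33:44:02"
BOB = "00:11:22:33:44:03"
SNIFFER = "00:11:22:33:44:04"   # the host running Wireshark in promiscuous mode
SNIFFER_PORT = 4


class Hub:
    """A hub repeats every frame out of every port except the ingress port."""

    def __init__(self):
        self.hosts = {}  # port -> MAC of the attached host

    def attach(self, port, mac):
        self.hosts[port] = mac

    def forward(self, in_port, src, dst):
        # Return the set of ports on which the frame is emitted.
        return {p for p in self.hosts if p != in_port}


class Switch(Hub):
    """A learning switch maps source MACs to ports and unicasts known destinations."""

    def __init__(self):
        super().__init__()
        self.mac_table = {}  # MAC -> port, populated from observed source addresses

    def forward(self, in_port, src, dst):
        # Learn which port the sender lives on.
        self.mac_table[src] = in_port
        if dst in self.mac_table:
            # Known destination: send out of that one port only.
            return {self.mac_table[dst]}
        # Unknown destination: flood like a hub until the table is built.
        return {p for p in self.hosts if p != in_port}


def build(device):
    """Attach the four constructed hosts to the given device."""
    device.attach(1, GATEWAY)
    device.attach(2, ALICE)
    device.attach(3, BOB)
    device.attach(SNIFFER_PORT, SNIFFER)
    return device


def sniffer_sees(device, conversation):
    """Return, per frame, whether the sniffer's port receives the frame."""
    seen = []
    for in_port, src, dst in conversation:
        out_ports = device.forward(in_port, src, dst)
        seen.append(SNIFFER_PORT in out_ports)
    return seen


# Constructed traffic: gateway -> Alice, Alice replies, gateway -> Alice again.
CONVERSATION = [
    (1, GATEWAY, ALICE),
    (2, ALICE, GATEWAY),
    (1, GATEWAY, ALICE),
]

if __name__ == "__main__":
    print("hub   :", sniffer_sees(build(Hub()), CONVERSATION))
    print("switch:", sniffer_sees(build(Switch()), CONVERSATION))
```

On the hub the sniffer receives all three frames. On the switch only the first frame is flooded, because the destination is still unknown; once the switch has learned both addresses the remaining frames are unicast and the sniffer sees nothing, which is exactly the behaviour described above.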

Finally, I tried to access my router's web page from a Windows XP virtual machine in VMware running in bridged connection mode (in bridged mode all of the virtual PC's data is forwarded through the real machine, which starts acting as a bridge) and ran Wireshark on my PC. After filtering the data, here is some juicy info:

The authorization process has been captured by Wireshark; 'Basic' means the credentials are only Base64-encoded, not encrypted, which is a very weak protection. Decoding the string is very easy and can be done online; one such link is provided at the bottom. The example above decodes to nando:nando, which means a username and password of nando were entered.
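The same observation can be automated from the defender's side: rather than decoding strings by hand, an administrator can scan captured HTTP requests (for example, the text shown by Wireshark's "Follow TCP Stream") and flag any that carry Basic credentials over plain HTTP. The code below is an added example, not part of the original post; the sample requests are constructed, and only the decoded username nando is taken from the post. The password itself is never written out, only its length, so the finding can be logged safely.

```python
"""Audit captured HTTP requests for cleartext HTTP Basic credentials.

Added example, not from the original post. The sample requests below
are constructed; the Base64 value decodes to the post's 'nando:nando'.
"""
import base64
import binascii

# Constructed plaintext HTTP requests as a TCP stream view would show them.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic bmFuZG86bmFuZG8=\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "GET /admin HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic !!notbase64!!\r\n\r\n",
]


def parse_headers(raw):
    """Return the header lines of a raw HTTP request as a dict keyed by lowercase name."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_request(raw):
    """Return a finding for a request carrying Basic credentials, else None."""
    headers = parse_headers(raw)
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        # Other schemes are recorded but not decoded here.
        return {"scheme": scheme, "severity": "info", "username": None}
    try:
        # validate=True rejects non-alphabet characters instead of ignoring them.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "Basic", "severity": "warn", "username": None,
                "note": "malformed Basic credentials"}
    username, _, password = decoded.partition(":")
    return {
        "scheme": "Basic",
        "severity": "high",
        "host": headers.get("host"),
        "username": username,
        "password_length": len(password),  # never record the password itself
        "note": "credentials sent Base64-encoded, not encrypted; use HTTPS",
    }


def audit_stream(requests):
    """Audit a list of raw requests and keep only the ones that produced a finding."""
    return [f for f in (audit_request(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in audit_stream(SAMPLE_REQUESTS):
        print(finding)
```

Run against the constructed stream, the first request is reported as a high-severity finding for user nando against host 192.168.1.1, the second produces nothing, and the third is flagged as malformed rather than crashing the audit.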


Detecting this activity in a hub environment is nearly impossible, and although a few tests exist they are meant for older Windows versions (98, NT) and Linux kernels. It is therefore recommended that network administrators implement switches, as they not only provide security but also better network performance. Users should use encryption for important data communication.

If you are not able to see other hosts' traffic, make sure promiscuous mode is set. Go to Capture -> Options, select the correct interface and tick the "Capture packets in promiscuous mode" field.

Also, Windows users should ensure that the NPF service (the WinPcap packet filter driver) is up and running, and Linux users need to run Wireshark with root privileges. If the problem persists, chances are that a switched network is being used.

Sniffing a switched network requires a few more tools and a deeper understanding of certain mechanisms, which will be covered in a future article.

Wireshark has established itself as the leading packet sniffer and network analyzer. You can even use it to troubleshoot DDoS attacks or malicious packets in your LAN. More on that in a future article.

Wireshark Installation
Configuring and using various options
Download Wireshark
Wireshark manual
Online Base64 encoder/decoder
