Network Forensics (Wireshark) Cybersecurity HS Summer Camp
Packet Sniffer A packet sniffer captures ("sniffs") messages being sent or received by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages.
Packet sniffer structure The packet capture (pcap) library receives a copy of every link-layer frame that is sent from or received by your computer. The packet analyzer then decodes and displays the contents of all fields within each protocol message.
Wireshark Wireshark is the world's foremost network protocol analyzer. It is the de facto (and often de jure) standard across many industries and educational institutions. https://www.wireshark.org/
Initial Wireshark screen
Wireshark components The main window has five parts: the command menus, the filter bar, the list of captured packets, the details of the selected packet, and the packet content in hex and ASCII.
Command menus Standard pull-down menus. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data.
Packet-listing window Displays a one-line summary for each captured packet: the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet.
Packet-header detail window Provides details about the packet selected (highlighted) in the packet-listing window. These details include information about the Ethernet frame and IP datagram that contain this packet. If the packet has been carried over TCP or UDP, the TCP or UDP details will also be displayed.
Packet-contents window Displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
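As an added example that is not part of these slides, the Python dissector below does in miniature what the packet analyzer does with a frame handed over by pcap: it decodes the Ethernet, IPv4 and UDP/TCP headers into named fields (what the packet-header detail window shows) and renders the raw bytes as the hex/ASCII dump of the packet-contents window. The frame is a hand-built sample constructed for this example, not a real capture.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II -> IPv4 -> UDP, payload "hello camp"
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"   # dst MAC, src MAC, EtherType 0x0800 = IPv4
    "45000026" "1a2b0000" "40110000"       # IPv4: ver/IHL, total length 38, id, flags, TTL 64, proto 17 (UDP), csum 0
    "c0a8010a" "c0a80101"                  # 192.168.1.10 -> 192.168.1.1
    "d43100350012" "0000"                  # UDP: sport 54321, dport 53, length 18, csum 0
) + b"hello camp"

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Dissect Ethernet II -> IPv4 -> UDP/TCP headers into named fields (the packet-details view)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth.dst": _mac(dst), "eth.src": _mac(src), "eth.type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info                        # not IPv4 (or truncated): stop at the link layer
    ver_ihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4             # IPv4 header length in bytes
    info.update({"ip.src": ".".join(map(str, sip)),
                 "ip.dst": ".".join(map(str, dip)),
                 "ip.ttl": ttl, "ip.proto": proto})
    l4 = frame[14 + ihl:14 + total_len]    # transport header + payload, trailer excluded
    if proto == 17 and len(l4) >= 8:       # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        info.update({"udp.srcport": sport, "udp.dstport": dport,
                     "payload": l4[8:ulen]})
    elif proto == 6 and len(l4) >= 20:     # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4           # data offset = TCP header length in bytes
        info.update({"tcp.srcport": sport, "tcp.dstport": dport,
                     "payload": l4[doff:]})
    return info

def hexdump(data, width=16):
    """Render bytes as offset / hex / ASCII lines, like the packet-contents window."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines
```

Calling `parse_frame(SAMPLE_FRAME)` returns the decoded fields and `"\n".join(hexdump(SAMPLE_FRAME))` gives the four-line hex/ASCII dump; feeding either function the bytes of a frame exported from Wireshark works the same way.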
Broadcast channels In the past, network devices known as hubs repeated all the packets they received to every connected machine. Such devices were replaced by switches, which do not repeat packets to every port. Therefore, on a switched network you can only listen to broadcast packets and packets destined to your own computer.
Broadcast channels Many switches can be configured to assign one or more of their ports as a mirror port. Such a mirror port receives copies of all the packets received by the switch.
Broadcast channels WiFi channels are broadcast channels by default: you can't control the direction of radio waves, so every packet sent through a wireless router is received by all wireless network interfaces in range. However, modern WiFi protocols encrypt packets in such a way that you receive them but they can't be interpreted by every machine.
Broadcast channels The WEP protocol uses the same encryption key for all the packets in its network, so all the computers connected to the same WEP WiFi router can see all the packets on the network. WPA and WPA2 use different encryption keys per computer on the network, so it is hard or impossible to decrypt other computers' packets.
Broadcast channels WEP is the most vulnerable WiFi protocol, and it is very easy to steal the key needed to join a WEP network.