Tutorial: Network Monitoring

In this tutorial, you will analyze network traffic to identify interesting activity.

Network traffic analysis

When working in cybersecurity, it’s common that you may need to review network activity. Whether you’re a penetration tester looking for sensitive information in traffic, or a SOC analyst looking for malicious activity, the ability to analyze network communications is crucial!

In this tutorial, we’re going to take a look at Wireshark, a freely available network analysis tool with support for Mac, Linux, and Windows operating systems.

Installing Wireshark

Prior to installing Wireshark, you’ll want to make sure your computer is able to run the software. Fortunately, Wireshark is extremely efficient and does not require much from your computer. Check system requirements for more information.

Once you’ve verified your system can run Wireshark, you can download the tool from the official download page.

Depending on your operating system, you may need to install additional components built into Wireshark. Below are the official guides for installing Wireshark:

Once installed, run the software as an administrator.

  • Windows: Right click the Wireshark application and click “Run as Administrator”.
  • Linux: Type sudo wireshark in your terminal.
  • macOS: Run an exec file that lives inside the Wireshark package contents. This can be done from the terminal. Make sure Wireshark is also in your Applications folder, and run the following command to be prompted for your password by sudo:
yourname@YourMac ~ % sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
Password:

Running Wireshark

Once Wireshark is running, you’ll see a screen displaying multiple interface collection network data. Next to each interface will be a graph displaying the current activity. A flat line means there is no activity while a changing line shows there is activity.

In order to analyze our traffic, we need to choose the correct Interface. Depending on your computer’s settings you are likely using either the Wi-Fi or Ethernet interface. If neither of those interfaces appears choose on the graph with the most activity.

Wi-Fi:en0 has the most traffic

As soon as we chose an interface by double-clicking on it, we’ll see traffic start flooding in. While this may seem overwhelming, the key to network analysis is filtering out noise.

Filter for ARP

Let’s perform a basic search to see some common network traffic.

ARP, also known as Address Resolution Protocol, is used to translate MAC addresses to IP addresses.

  1. To only see ARP traffic, we will use the bar labeled “Apply a display filter.”

    The "apply a display filter"

    In the search bar enter “arp” and press ENTER. The search for "arp"

  2. Once our display filter loads, we’ll see only ARP traffic. In these packets, we’ll see examples of requests.

    Destination Protocol Length Info
    Broadcast ARP 42 Who has 192.168.1.254? Tell 192.168.1.226

    We will also see examples of responses.

    Protocol Length Info
    ARP 42 192.168.1.254 is at AA:AA:AA:AA:AA:AA
  3. If we click an individual row, we can see in the ARP section (which is below our list of requests and responses) if the associated data was either a “request” or “reply”.

    You may notice is that the first portion of a MAC address may be replaced by the manufacturer’s name. Depending on the devices your computer is communicating with you may see something like “IntelCor_FF:FF:FF” or “Roku_FF:FF:FF” referencing an Intel or Roku device respectively.

Filter for DNS

Now that we’ve seen ARP traffic, let’s see some more interesting traffic, starting with DNS. To do this, we’ll travel to a website, and observe the DNS traffic generated by our actions.

  1. With Wireshark still running, open a web browser and type in http://example.com.

  2. After you hit enter, go to Wireshark and type “dns” in the display filter section.

  3. Here, you’ll see various DNS requests from your computer. Find the request referencing example.com (You may need to scroll if your computer is generating a lot of requests). It should look similar to the sample below:

    278 6.630952 192.168.1.226 192.168.1.254 DNS 71 Standard query 0x7dc8 A example.com
  4. Once you’ve found the packet, right-click on it, click “Follow”, and then click “UDP Stream”.

    This will focus in on our DNS requests and show us the raw format of the request in a new window (We can close this window).

    278 6.630952 192.168.1.226 192.168.1.254 DNS 71 Standard query 0x7dc8 A example.com
    27 6.655470 192.168.1.254 192.168.1.226 DNS 87 Standard query response 0x7dc8 A example.com 93.184.216.34

    From this, we can see the domain name, example.com, points to the IP 93.184.216.34.

Note: This value may change over time.

Filter for HTTP

HTTP generally runs on TCP port 80. Let’s try to focus in on this traffic:

  1. While we could type “http” in the display filter, we’re going to use a slightly different filter. Since we know requests sent to “example.com” are sent over TCP port 80, let’s filter for that port.

    To do this, we’ll type “tcp.port == 80” and press ENTER. This will tell Wireshark to only display TCP connections destined for port 80.

    The search for "tcp.port == 80"

  2. We want to focus in on the requests where the “Destination” is set to 93.184.216.34 or whatever IP we found in our earlier DNS request.

  3. If we want to drill down into these requests further, we can Right-Click the first packet with “GET / HTTP/1:1” in it. From here chose “Follow” and then “HTTP Stream.” This is very similar to what we did for our DNS requests.

  4. Once loaded, you’ll see a screen showing the HTTP request.

    HOST: example.com
    Connection: keep-alive
    ...
    HTTP/1.1 200 OK
    Content Encoding: gzip
    Accept Ranges: bytes
    ...

    From this packet, we can see the GET request sent to the server as well as the response! While this request is basic, more complex sites may pass content such as credentials, files, and session data.

  5. After you’re done reviewing this, close the window with the “X.”

Review

In this tutorial, we learned how to interact with Wireshark, create custom filters, and follow streams. With these skills, we can perform basic network analysis and review traffic we are familiar with.

You can watch a video walkthrough of this tutorial below:



Continue to play around with Wireshark! The best way to learn any tool is to practice with it. Explore the options, and look at the official documentation for answers to any questions.

Author

Codecademy Team

'The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.'

Meet the full team