Tutorial: Network Monitoring
Network traffic analysis
When working in cybersecurity, you will often need to review network activity. Whether you’re a penetration tester looking for sensitive information in traffic, or a SOC analyst looking for malicious activity, the ability to analyze network communications is crucial!
In this tutorial, we’re going to take a look at Wireshark, a freely available network analysis tool with support for Mac, Linux, and Windows operating systems.
Prior to installing Wireshark, you’ll want to make sure your computer is able to run the software. Fortunately, Wireshark is extremely efficient and does not require much from your computer. Check system requirements for more information.
Once you’ve verified your system can run Wireshark, you can download the tool from the official download page.
Depending on your operating system, you may need to install additional components built into Wireshark. Below are the official guides for installing Wireshark:
Once installed, run the software as an administrator.
- Windows: Right click the Wireshark application and click “Run as Administrator”.
- Linux: Type sudo wireshark in your terminal.
- macOS: Run an exec file that lives inside the Wireshark package contents. This can be done from the terminal. Make sure Wireshark is also in your Applications folder, and run the following command; you will be prompted for your password:
  sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
  Password:
Once Wireshark is running, you’ll see a screen displaying multiple interfaces collecting network data. Next to each interface will be a graph displaying the current activity. A flat line means there is no activity while a changing line shows there is activity.
In order to analyze our traffic, we need to choose the correct interface. Depending on your computer’s settings you are likely using either the Wi-Fi or Ethernet interface. If neither of those interfaces appears, choose the one whose graph shows the most activity.
As soon as we choose an interface by double-clicking on it, we’ll see traffic start flooding in. While this may seem overwhelming, the key to network analysis is filtering out noise.
Filter for ARP
Let’s perform a basic search to see some common network traffic.
ARP, also known as Address Resolution Protocol, is used to translate MAC addresses to IP addresses.
To only see ARP traffic, we will use the bar labeled “Apply a display filter.”
In the search bar enter “arp” and press ENTER.
Once our display filter loads, we’ll see only ARP traffic. In these packets, we’ll see examples of requests.
Destination  Protocol  Length  Info
Broadcast    ARP       42      Who has 192.168.1.254? Tell 192.168.1.226
We will also see examples of responses.
Protocol  Length  Info
ARP       42      192.168.1.254 is at AA:AA:AA:AA:AA:AA
If we click an individual row, we can see in the ARP section (which is below our list of requests and responses) whether the packet was a “request” or a “reply”.
You may notice that the first portion of a MAC address may be replaced by the manufacturer’s name. Depending on the devices your computer is communicating with, you may see something like “IntelCor_FF:FF:FF” or “Roku_FF:FF:FF” referencing an Intel or Roku device respectively.
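To show where the columns above come from, here is an added example (not part of the original tutorial) that builds the request and reply as raw Ethernet frames and decodes them back into the same Destination, Protocol, Length and Info values. The function names and the host MAC 02:00:00:00:00:01 are assumptions made for this example; the IP addresses and the AA:AA:AA:AA:AA:AA MAC are the ones shown above.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp_frame(opcode, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += target_mac + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp_frame(frame):
    """Return the Destination/Protocol/Length/Info columns for one ARP frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet is handled")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    spa, tpa = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if opcode == 1:      # request
        info = f"Who has {tpa}? Tell {spa}"
    elif opcode == 2:    # reply
        info = f"{spa} is at {fmt_mac(sha)}"
    else:
        info = f"Unknown ARP opcode {opcode}"
    dest = "Broadcast" if dst == BROADCAST else fmt_mac(dst)
    return {"destination": dest, "protocol": "ARP", "length": len(frame), "info": info}

# Constructed sample frames: IPs and the router MAC are the tutorial's values,
# the host MAC 02:00:00:00:00:01 is made up for this example.
HOST_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("AAAAAAAAAAAA")
REQUEST = build_arp_frame(1, BROADCAST, HOST_MAC, "192.168.1.226", b"\x00" * 6, "192.168.1.254")
REPLY = build_arp_frame(2, HOST_MAC, ROUTER_MAC, "192.168.1.254", HOST_MAC, "192.168.1.226")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp_frame(frame))
```

The Length of 42 is the 14-byte Ethernet header plus the 28-byte ARP message.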
Filter for DNS
Now that we’ve seen ARP traffic, let’s see some more interesting traffic, starting with DNS. To do this, we’ll travel to a website, and observe the DNS traffic generated by our actions.
With Wireshark still running, open a web browser and type in http://example.com.
After you hit enter, go to Wireshark and type “dns” in the display filter section.
Here, you’ll see various DNS requests from your computer. Find the request referencing example.com (You may need to scroll if your computer is generating a lot of requests). It should look similar to the sample below:
278 6.630952 192.168.1.226 192.168.1.254 DNS 71 Standard query 0x7dc8 A example.com
Once you’ve found the packet, right-click on it, click “Follow”, and then click “UDP Stream”.
This will focus in on our DNS requests and show us the raw format of the request in a new window (We can close this window).
278 6.630952 192.168.1.226 192.168.1.254 DNS 71 Standard query 0x7dc8 A example.com
27 6.655470 192.168.1.254 192.168.1.226 DNS 87 Standard query response 0x7dc8 A example.com 184.108.40.206
From this, we can see the domain name, example.com, points to the IP
Note: This value may change over time.
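As an added example (not part of the original tutorial), the parser below decodes the DNS wire format that sits behind the “dns” filter and reproduces the Info text of the query and response shown above, including the compressed name in the answer. The helper names, the answer address 192.0.2.10 and the TTL are constructed for this example; the transaction ID 0x7dc8 and the name come from the capture.

```python
import socket
import struct

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0 == 0xC0:              # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def summarize(msg):
    """Return (info, answers) in the style of Wireshark's Info column."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    # Read QTYPE, then step over QTYPE and QCLASS (2 bytes each)
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4
    answers = []
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:     # A record: 4-byte IPv4 address
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    kind = "Standard query response" if flags & 0x8000 else "Standard query"
    tname = {1: "A", 28: "AAAA"}.get(qtype, f"TYPE{qtype}")
    return f"{kind} 0x{txid:04x} {tname} {qname}", answers

def frame_length(msg):
    """Wireshark's Length column: DNS payload plus Ethernet, IPv4 (no options), UDP."""
    return 14 + 20 + 8 + len(msg)

# Constructed samples: ID and name are from the capture above; the answer
# address 192.0.2.10 (documentation range) and the TTL are made up.
QUERY = struct.pack("!6H", 0x7DC8, 0x0100, 1, 0, 0, 0) + encode_name("example.com") + struct.pack("!2H", 1, 1)
RESPONSE = (struct.pack("!6H", 0x7DC8, 0x8180, 1, 1, 0, 0) + QUERY[12:] + b"\xc0\x0c"
            + struct.pack("!2HIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10"))
```

The computed frame lengths, 71 for the query and 87 for the response, match the Length column in the capture: 42 bytes of Ethernet, IPv4 and UDP headers plus a 29-byte query or 45-byte response.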
Filter for HTTP
HTTP generally runs on TCP port 80. Let’s try to focus in on this traffic:
While we could type “http” in the display filter, we’re going to use a slightly different filter. Since we know requests sent to “example.com” are sent over TCP port 80, let’s filter for that port.
To do this, we’ll type “tcp.port == 80” and press ENTER. This will tell Wireshark to only display TCP connections destined for port 80.
We want to focus in on the requests where the “Destination” is set to 220.127.116.11 or whatever IP we found in our earlier DNS request.
If we want to drill down into these requests further, we can right-click the first packet with “GET / HTTP/1.1” in it. From here choose “Follow” and then “HTTP Stream.” This is very similar to what we did for our DNS requests.
Once loaded, you’ll see a screen showing the HTTP request.
HOST: example.com
Connection: keep-alive
...
HTTP/1.1 200 OK
Content Encoding: gzip
Accept Ranges: bytes
...
From this packet, we can see the GET request sent to the server as well as the response! While this request is basic, more complex sites may pass content such as credentials, files, and session data.
After you’re done reviewing this, close the window with the “X.”
In this tutorial, we learned how to interact with Wireshark, create custom filters, and follow streams. With these skills, we can perform basic network analysis and review traffic we are familiar with.
Continue to play around with Wireshark! The best way to learn any tool is to practice with it. Explore the options, and look at the official documentation for answers to any questions.