Review: Wireshark Attacks Network Issues

There is a host of fancy packet sniffers and protocol analyzers available to aid in diagnosing network traffic problems. Yet one tool that is powerful in its own right, and free to boot, is Wireshark, formerly called Ethereal.

Wireshark version 1.0.2 is the latest version available for download. Wireshark is a network analyzer with a graphical interface that makes network traffic analysis relatively easy to decipher.

The utility is truly cross-platform—it runs on Windows, Linux and Mac OS X. Installation is simple, and the only prerequisite is the libpcap packet-capture library, which Wireshark uses to capture network packets. For this review, its Windows counterpart, WinPcap, was installed.

Once Wireshark is installed, the next step is to choose the interface to be monitored. Wireshark will detect all local interfaces. On an IBM ThinkPad connected to the internet via Wi-Fi, Wireshark discovered the following interfaces: adapter for generic dialup and VPN capture, Ethernet adapter, Wi-Fi adapter and NOC Extranet access adapter.


Capturing on the Wi-Fi adapter, Wireshark immediately picked up ARP requests. All activity on the adapter is captured, including TCP, HTTP and DNS traffic. Conversations, or traffic information between endpoints, are displayed in a detailed and comprehensive view. Protocol-specific network statistics can be viewed from the menu. Some of the protocol-specific information available includes RTP (Real-time Transport Protocol), Service Response Time and VoIP calls.

A useful feature is the ability to follow TCP streams. It's a simple thing to do in Wireshark: select a TCP packet in the packet list, and then choose the Follow TCP Stream option from the Wireshark Tools menu. The application can also follow UDP and SSL streams.

This utility also works alongside other packet-capturing tools. If you have a switch that generates SNMP traps, the collected information can be viewed and analyzed in Wireshark. Wireshark has an import/export function to transfer packet data to and from other capture software.

You can define and save filters, and you can get a very granular level of control by combining expressions into custom filter strings.
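To show how such filter expressions combine, and where their semantics surprise people, here is an added example (not Wireshark's own code) that evaluates a small subset of the display-filter syntax over constructed packet summaries. The packet dictionaries, the field names used as keys and the helper names are assumptions made for the illustration; multi-occurrence fields such as ip.addr and tcp.port are held as lists, as Wireshark treats them.

```python
"""Evaluate a small subset of Wireshark display-filter syntax over packet summaries.

Added example (not Wireshark code). Supports: field == / != / > / < / >= / <= value,
bare field or protocol presence ("arp", "dns"), &&, ||, ! and parentheses. Packet
summaries are plain dicts standing in for what a dissector would produce; fields that
occur more than once in a packet (ip.addr, tcp.port) hold a list, as Wireshark does.
"""
import re

# Constructed sample packets, not captured data.
PACKETS = [
    {"frame.number": 1, "ip.addr": ["10.0.0.5", "93.184.216.34"],
     "tcp.port": [51234, 80], "http.request.method": "GET"},
    {"frame.number": 2, "ip.addr": ["93.184.216.34", "10.0.0.5"],
     "tcp.port": [80, 51234], "http.response.code": 404},
    {"frame.number": 3, "ip.addr": ["10.0.0.5", "10.0.0.1"],
     "udp.port": [53000, 53], "dns.qry.name": "example.com"},
    {"frame.number": 4, "arp.opcode": 1},
]

# Operators first so "!=" and ">=" win over "!" and ">"; then field names, quoted
# strings, and unquoted literals such as 80 or 10.0.0.5.
TOKEN_RE = re.compile(
    r'\s*(?:(\(|\)|&&|\|\||!=|==|>=|<=|>|<|!)|([A-Za-z_][\w.]*)|"([^"]*)"|(\d[\w.]*))')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        pos = m.end()
        op, ident, string, literal = m.groups()
        if op:
            tokens.append(("op", op))
        elif ident:
            tokens.append(("ident", ident))
        elif string is not None:
            tokens.append(("lit", string))
        else:
            tokens.append(("lit", int(literal) if literal.isdigit() else literal))
    return tokens


class Parser:
    """Recursive-descent parser: or-expr > and-expr > not-expr > atom."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.parse_or()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "ident":
            raise ValueError(f"expected a field name, got {val!r}")
        nk, nv = self.peek()
        if nk == "op" and nv in COMPARE:
            self.take()
            vk, vv = self.take()
            if vk != "lit":
                raise ValueError(f"expected a value after {nv}")
            return ("cmp", nv, val, vv)
        return ("has", val)


COMPARE = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        # "dns" is true when any dns.* field is present, mirroring protocol filters.
        return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
    _, op, field, value = node
    if field not in pkt:
        return False                      # an absent field never matches
    occurrences = pkt[field] if isinstance(pkt[field], list) else [pkt[field]]

    # Wireshark 1.x semantics: the comparison is true if ANY occurrence satisfies it.
    # That makes "ip.addr != X" nearly useless for excluding X (a packet to or from X
    # still has another address that differs); use "!(ip.addr == X)" instead.
    def ok(actual):
        try:
            return COMPARE[op](actual, value)
        except TypeError:                 # e.g. a string field compared with a number
            return False
    return any(ok(a) for a in occurrences)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers kept by a display-filter expression."""
    tree = Parser(tokenize(expr)).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


if __name__ == "__main__":
    for f in ("tcp.port == 80", "ip.addr != 10.0.0.5", "!(ip.addr == 10.0.0.5)",
              "http.response.code >= 400 || dns"):
        print(f"{f:40} -> frames {apply_filter(f)}")
```

The contrast between `ip.addr != 10.0.0.5` (keeps frames 1, 2 and 3) and `!(ip.addr == 10.0.0.5)` (keeps only frame 4) is the point worth remembering when building exclusion filters: on a field that occurs twice per packet, `!=` asks whether any occurrence differs, so it almost never excludes what you intended.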

A great feature, particularly for the novice, is Expert Info. This feature logs potentially problematic network behavior. It is a way to find network problems more quickly than by chance while manually paging through packet details. By default, entries are color-coded by severity level: gray indicates normal workflow, cyan is reserved for activity that should be noted but is not dire (an HTTP 404 error code, for example), yellow is a critical warning and red is a critical error.

Wireshark supports a number of command-line parameters. They allow a myriad of tasks to be configured, among them: stopping a capture file after a defined number of seconds, stopping it after it reaches a defined size, setting the maximum number of packets to capture when capturing live data, and listing the interfaces on which Wireshark can capture and then exiting.

For even greater customization, Wireshark has a Lua interpreter. (Lua is a lightweight scripting language that can be used to write custom taps and dissectors.)

One drawback is the limitation in saving captured packet information to an editable file. The default file format is libpcap, which is easy to read but not conducive to editing (for example, if you wanted to add comments to the information). Other file formats are supported as well, and the Wireshark developers are working on a new, more flexible file format called PCAP Next Generation Dump File Format.
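To make the limitation concrete, here is an added example (not Wireshark or libpcap code) that builds and parses a libpcap-format capture image. The two Ethernet frames, the timestamps and the helper names are constructed for the illustration. The format is nothing but a 24-byte global header followed by packet records, each with a 16-byte record header and raw frame bytes, so there is simply no place to store a comment; pcapng's block-based layout is what adds that room.

```python
"""Parse the classic libpcap capture file format that Wireshark 1.x writes by default.

Added example, not Wireshark or libpcap code; the capture bytes are constructed here.
The format is a 24-byte global header followed by records that each carry a 16-byte
record header and raw frame bytes. Nothing else can appear in the file: there is no
record type for comments, interface names or other metadata, which is the limitation
the review mentions and that pcapng addresses with its block-based layout.
"""
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps; its byte order reveals the writer's endianness
LINKTYPE_ETHERNET = 1


@dataclass
class PcapRecord:
    ts_sec: int
    ts_usec: int
    orig_len: int            # length on the wire
    data: bytes              # captured bytes, possibly truncated to snaplen


def build_pcap(frames, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples as a little-endian pcap image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def parse_pcap(blob):
    """Return (global header dict, list of PcapRecord); raise ValueError on corruption."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # the same magic read through the other byte order
        endian = ">"
    else:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        # Lengths come from the file, so bound them before trusting them: a damaged or
        # hostile capture must not make the reader allocate or seek past the data.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad record length at offset {off}")
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        records.append(PcapRecord(ts_sec, ts_usec, orig_len, data))
        off += incl_len
    return header, records


def ethernet_type(frame):
    """EtherType of a frame (0x0806 for ARP, 0x0800 for IPv4), or None if too short."""
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None


# Constructed sample frames: an ARP request (10.0.0.5 asking who has 10.0.0.1) and a
# 100-byte IPv4 frame that a snaplen of 64 will truncate.
ARP_REQUEST = (b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06"
               + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes.fromhex("001122334455")
               + bytes([10, 0, 0, 5]) + b"\x00" * 6 + bytes([10, 0, 0, 1]))
BIG_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x00" * 86
SAMPLE_PCAP = build_pcap([(1_216_000_000, 0, ARP_REQUEST),
                          (1_216_000_000, 500, BIG_FRAME)], snaplen=64)

if __name__ == "__main__":
    hdr, recs = parse_pcap(SAMPLE_PCAP)
    print(hdr)
    for r in recs:
        print(f"{r.ts_sec}.{r.ts_usec:06d} captured={len(r.data)} wire={r.orig_len} "
              f"ethertype=0x{ethernet_type(r.data):04x}")
```

The snaplen check matters for any tool that opens captures from untrusted sources: the record lengths are attacker-controlled bytes, and a reader that trusts them blindly is exactly the kind of code that file-format fuzzing finds bugs in.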

Hardware packet sniffers, although very precise and thorough tools, can be expensive and take time to master. Wireshark Version 1.0.2 is a great tool for administrators who need to troubleshoot, developers debugging their applications, or users who simply want to find out more about network traffic and protocols.