Wireshark: A Network Forensic Tool

Everything nowadays is connected to many things through different modes and the internet remains the primary mode of connection, and when something is connected to the internet or any network for that matter there is always a mutual exchange of data. You can send anything to anyone over the internet for example – email, picture, text, etc.

Even though these data is accessed as a whole at both the source and the destination but this data is not sent across the internet as a whole, these are sent separately as different characters or as small packages known as packets, these packets when received at the destination is reassembled in the form of your originally intended message and because there would exchange of a large number of packets via the network there would resulting traffic and this is known as Network Traffic.

This network traffic analysis would give us a number of information like –  the destination and source of communication, amount of data transferred, location of the destination server, any ongoing attacks on the server, and much more that is why a continuous monitoring of the network becomes important.

If a big institution is connected with each other through a network then again the analysis becomes important for the above-mentioned reasons and to gain certain other information like where a major chunk of data is utilized and why this helps the network engineers to clean up the network.

Another reason for analyzing data packets can be understood in two aspects:-

• The first aspect is that we can know the state of the network whether it is built in such a way that an attack is possible or not.
• The second aspect is to diagnose a network in case of an attack.

This data analysis could be easily done if there was any tool for capturing both the incoming and outgoing data and Wireshark is such a tool that helps to capture and observe the incoming and outgoing data. Another such tool is tcpdump but it runs on command line interface hence Wireshark is preferred more which is based on the graphical interface and is open source i.e., free of cost.

But even if the incoming data and outgoing data is recorded and observed it is very difficult to identify and pinpoint each and every communication between servers and then in turn identifying the threats and malicious attacks becomes a tedious job like finding a needle in a haystack. Therefore Wireshark comes with certain features that would help to further narrow down the process and make it easier to protect the network from attacks.

Features of WIRESHARK:

• Filters in Wireshark – It can isolate and show all the different components that are present in a packet and filter out, just the keywords that we want to analyze or something that we are sure is a threat to the network. As I said filter can be applied in every part of the packets including “strings” or even the network protocols like – FTP, TCP, etc. This accomplishes to capture packets selected from the network and also to find interesting packets.
• Live capture and offline analysis – Wireshark allows you to capture and record the inflow and outflow of data live i.e – as the exchange of data is going on between networks and then allows you to analyze that data at any point of time in the future.
• Runs on multiple platforms – It can run on any OS platform like – Windows, Linux, and macOS.
• Read or write from different capture files – It can read and write files that were even captured by other software like tcpdump , cisco secure, PCP, etc. The data can be recorded from Ethernet, ATM, Bluetooth, USB, etc.
• Decryption – The encrypted data from internet protocols like HTTP, FTP, etc. can be decrypted using Wireshark.

Application Of Wireshark  In Network Forensics:

To understand how Wireshark is used for forensic purposes we need to know how it is applied to the network and what all information is accessed through it.

Wireshark can capture data through two modes the first mode is the promiscuous mode via which the packets are captured through the network to which the device is assigned.

The second mode is possible through Linux operating systems which is a wireless interface that captures maximum data possible.

The types of information that can be gathered through Wireshark are:-

• Wireshark can be used to identify who initiated the attack, as we know that in forensic how important it is to identify a culprit or an accused to get the investigation started.
• Wireshark can be used to know how exactly the attack has been implemented on a system.
• Wireshark can be used to identify what all information or Data has been compromised from a device or network.
• It is helpful in finding out if the attacker has left anything in the system like a Trojan horse or a botware which can be used later to compromise the system.
• It also tracks the amount of the data collected and what all has been analyzed and should be analyzed. In short, determines whether there is enough data to analyze the network.

List of attacks on the network – Identified via Wireshark

1. Covert / Hidden network channels – Sometimes the attacker may be able to establish hidden networks through a system and make it complex to be visible easily hence known as a hidden network. These type of network connections can be used to jeopardize a network and obtain valuable information from the network, or even download something malicious.
2. Malicious Downloads – They are also known as Drive-by downloads and an attacker can sometimes illegally download some files into the system. They can happen in two ways i.e – with or without the authorization of the admin. The authorization may be given without knowing the consequences. The objective behind most of these drive-by downloads is information theft in some way. They are the prominent way of attack and there are preventive measures against such codes at the system level but a network analyst should know and identify such threats.
3. ICMP attacks – The internet control message protocol (ICMP) is listed as a core protocol for IP suite and command-line operations are frequently seen because of its importance in network utilities such as diagnostics and control. Hackers can be seen using this in numerous ways and exploiting it even though it is a one-way message sending. Its limitation is that it doesn’t require authorization.
4. DDOS (distributed denial of service) attacks – In these types of attacks the hacker denies the resources on one system or a whole network. Attackers may be able to prevent you from accessing emails, documents, bank accounts, etc. They find various ways to execute this. BitTorrent driven DDos is an example.
5. Port scanning – Attackers use it to find susceptible devices and it is known as port scanning because attackers scan different ports and find open doors through which they can easily enter. Most of these scans cause half-open TCP connections.

Recent  advancements

IoT (internet of things ) network traffic analysis

Internet of  Things refers to billions of small devices like cameras, lights, Television, etc. which are connected to each other over the internet, and I said whenever a network or connection is established there would be a mutual exchange of Data, and this data is exchanged in form of packets. Wireshark helps to collect these packets.

Attackers may use to obtain the personal information both sensitive and non-sensitive and run these data in machine learning systems to get some data. IoT usually communicates with cloud servers more and encryption is based on TLS protocol, etc.

Attackers are found to be using Wireshark to collect data packets and identifying individual devices in a network. They run tests to do so from their own device.

Hence, A forensic Network analyst must be able to identify these tests and ARP spoofing going on through the network, if identified it is easy to identify the attacker and pinpoint their device.

Intercepting security wifi images through Wireshark

 

Most of these cameras etc. connected to the internet may not follow secure protocol and maybe using HTTP protocol which can be easily decrypted and images could be captured.

Even the IP address and location of the destination could be found where these image files are being sent to.

Wireshark is free and a very powerful tool and especially in network forensics it provides data single headedly and in-home networks and devices even though antivirus is installed they are based on signatures that are found before, attacks are becoming more personal and therefore traffic analysis prove to be better in identifying threats, but is of use to network technicians than normal people because network technicians find out easily if anything is not normal with the network.

 

‘By Shijin S Mathew’

Ambitious, Data-driven individual with an excellent grasp of python and search engine optimization. Enthusiastic about applying the knowledge of various programming languages to the field of forensic science. Experienced in designing and developing sites from concept to roll-out, worked with Ecloto Designs as an Intern and assistant web Developer.