Wireshark Tutorial: Network and Password Analyzer

8 May 2023 6 minutes Author: Cyber Witcher

How to use Wireshark?

Computers communicate using networks. These networks can be on a local LAN or connected to the Internet. Network sniffers are programs that collect low-level data on packets that are transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords. Wireshark is a powerful network analyzer that can be used to analyze traffic passing through a computer’s network interface. This may be necessary to identify and resolve network problems, debug your web applications, network applications, or sites. Wireshark allows you to fully view the content of a packet at all levels, so you can better understand how the network works at a low level. All packets are intercepted in real-time and provided in a human-readable format. The program supports a very powerful filtering system, color highlighting and other features that will help you find the packages you need. In this tutorial, we’ll look at how to use Wireshark to analyze traffic. The developers have recently moved on to work on the second branch of Wireshark 2.0, which has introduced many changes and improvements, especially to the interface.

We will use it in this article. Remember that Wireshark has display filters and capture filters. Here I look at the display filters that are entered in the main window of the program in the upper field immediately below the menu and icons of the main functions. To fully understand the meaning of the filters and what it shows, you need to understand how the network works. To familiarize yourself with the principles of network operation and protocols, it is recommended to study the cycle of computer networks.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent across the network, the recipient’s computer with the corresponding IP address responds with its MAC address. Network analysis is the process of intercepting data packets sent over a network. This can be done using special software or hardware.

Sniffing can be used to:

  • Collect sensitive data such as login credentials:

  • Listening to chat messages:

  • Capture files are transferred over the network.

Below are the protocols that are vulnerable to interception:

  • Telnet

  • Rlogin

  • HTTP

  • SMTP

  • NNTP

  • POP

  • FTP

  • IMAP

The above protocols are vulnerable if the login credentials are sent in plain text:

Passive and active sniffing

Before we look at passive and active interception, let’s take a look at the two main devices used to connect computers to a network; hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that sent the broadcast message. The recipient’s computer responds to the broadcast message if the IP address matches. This means that when the hub is in use, all computers on the network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI model.

The diagram below shows how the hub works.

The switch works differently; it maps IP/MAC addresses to physical ports on it. Broadcast messages are sent to physical ports that match the recipient computer’s IP/MAC address configurations. This means that broadcast messages are seen only by the recipient’s computers. Switches operate at the link layer (layer 2) and network layer (layer 3).

The diagram below shows how the switch works.

Passive interception is the interception of packets transmitted through a network that uses a hub. It is called passive sniffing because it is difficult to detect. This is also easy to do because the hub sends broadcast messages to all the computers on the network.

Active interception is the interception of packets transmitted over a network that uses a switch. There are two main methods used to sniff connected network switches: ARP Poisoning and MAC Flooding.

Hacking: intercepting network traffic

In this hands-on scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol. For this example, we’ll analyze the network with Wireshark and then log into a web application that doesn’t use a secure connection. We will enter the web application at:

http://www.techpanda.org/

Login address – [email protected] , and password – Password2010 .

Note: We will log into the web application for demonstration purposes only. The technique can also sniff data packets from other computers that are on the same network as the one you are using to sniff. Sniffing is not only limited to techpanda.org, but also all HTTP and other protocol data packets.

Network sniffing with Wireshark

The picture below shows the steps you should follow to complete this exercise without confusion.

Download Wireshark from this link  http://www.wireshark.org/download.html

Open Wireshark:

You will get the following screen:

Select the network interface you want to sniff. Note that we are using a wireless network connection for this demonstration. If you are on a local network, you should select the LAN interface.

Click the “Start” button:

Open a web browser and type http://www.techpanda.org/

The login email is [email protected] and the password is Password2010

Click the send button:

A successful login should present you with the following dashboard:

Return to Wireshark and stop live recording:

Filter HTTP results using only the filter text field:

Immediately below the log entries there is a panel with a summary of the received data. Search for a summary specifying textual data based on rows:

application/x-www-form-urlencoded:

You should be able to view the text values of all POST variables sent to the server via HTTP.

What is MAC Flooding?

MAC address flooding is a network analysis technique that fills a switch’s MAC address table with fake MAC addresses . This overloads the memory of the switch and forces it to act as a hub. When a switch has been compromised, it sends broadcast messages to all computers on the network. This allows you to sniff data packets as they are sent across the network.

Countermeasures against MAC flooding

  • Some switches have a port protection feature. This feature can be used to limit the number of MAC addresses on ports. It can also be used to maintain a secure MAC address table in addition to the one provided by the switch.

  • Authentication, authorization and accounting servers can be used to filter discovered MAC addresses.

Sniffing countermeasures

  • Limiting network physical media greatly reduces the likelihood of a network sniffer being installed

  • Encrypting messages while in transit over a network greatly reduces their value because they are difficult to decipher.

  • Changing your network to a Secure Shell (SSH) network also makes it less likely that your network will be intercepted.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.