Wireshark has been around since the late 90s and still proves to be a valuable tool for today's security conscious network administrator.
Network security has evolved into a complex endeavor, requiring all sorts of automated tools, applications and appliances for busy administrators to get their bearings on the network landscape. Yet, security proves to be hard to enforce if administrators do not have an understanding of the network foundations. What's more, many of the automated tools lack intuition and the artificial intelligence to uncover what may be glaring security problems on a network.
With that in mind, it is critical for network managers to get their hands dirty in the well of packets that make up communications across today's enterprise networks, a process called "sniffing packets", something any seasoned network manager should be familiar with. However, seasoned managers come and go and sniffing packets has almost become an art form that few understand and less even have time for.
Luckily, for the uninitiated and the seasoned veterans there exists a free tool that goes by the name of Wireshark, which can be used to capture massive amounts of network transactions and allow network engineers to delve into the payload of packets. Wireshark, which has been commonly used for network troubleshooting, brings with it capabilities that those charged with network security will find immensely valuable, especially when looking for security flaws or performing forensics on network traffic.
However, there is a catch - Wireshark is can complex, confusing and also can overwhelm individuals with the massive amount of data it can capture. What's more, analyzing the data captured can be a time consuming, tedious process.
Some simple tricks
One does not have to become an expert with Wireshark to get some value out of it, several use cases exist that can provide quick results with the littlest of effort. Take for example a case where a system may have been compromised - here, all an administrator needs to do is use Wireshark to capture the traffic to and from that machine, and then bring it up in the Wireshark software Protocol Hierarchy window, which will show what applications are communicating on that system. Administrators will need to look for unusual applications such as Internet Relay Chat (IRC) or Trivial File Transfer Protocol (TFTP), and anything simply called "data" directly under the TCP or UDP protocols. That information can then be used to figure out the who/what/when/where of the communications to validate security.
Another use case comes in the form of detecting broadcast storms, in which a defective or misconfigured network device floods the network with traffic. Broadcast storms tend to grown until they completely shut down your network. However, broadcast storms also have a darker side and can be created by malware to bring a network to its knees, impacting access and availability. Wireshark is able to track down the culprit causing the storm and give network managers the evidence needed to hunt down and stop the storm.
Although Wireshark has been around for some time, many potential users have turned away from it, hoping that service providers, appliances and firewalls would be able to do the analytical work for them, an assumption that is often proved wrong. What's more, add-on tools are arriving on the market that can further leverage what Wireshark is capable of - take for example SolarWinds Response Time Viewer for Wireshark, which is a free tool that enhances the user experience for Wireshark. SolarWinds Response Time Viewer provides automatic analysis and calculation of application and network response time, and also charts data and transaction volume from Wireshark packet capture data. That allows network managers to determine if performance issues originate in the network or the application.
Wireshark also supports add-ons in the form of plugins and there are several available. Some worth mentioning include WireShnork - A Snort plugin for Wireshark, OpenFlow Wireshark Dissector, and Microsoft Lync Wireshark Plugin. Of course, there are many other plugins available from other sources as well. That abundance of specialized plugins demonstrates the depth that Wireshark offers for those looking to manage networks, all without having to spend large sums of money to get the packet intelligence they need.