Protocol analyzers are tools that we use to analyze the network traffic coming in and out of a specific host computer. Usually, although not necessarily, the one we're sitting at at any given moment. I've never really liked the word protocol analyzer. To me, they're more like network analyzers or network traffic analyzers. And these are critical tools that any good IT security person should know extremely well. Now, the one I'm going to concentrate on today is the very, very famous Wireshark. Now Wireshark has been around for, dare I say, 20 years, if not 20, close to it, and has been a powerful go-to tool for that entire time.
Wireshark is completely free. And Wireshark is specifically mentioned on the Security+. So if we're talking about protocol analyzers, we need to know about Wireshark. Now before I start opening one up and letting you look at it, you need to understand that there are two very separate pieces to any protocol analyzer. The first piece is what I'm going to call the sniffer. The sniffer is some type of software.
And it usually has a name like pcap, like WinPcap or Npcap or Win10Pcap. And these are tools that are actually grabbing all the data that's going in and out of a particular interface. And when I say grabbing all the data, I mean all of the data, so all the Ethernet information, all the IP information, all the application information, it's all there. And these tools grab it. So a sniffer grabs all this information, and then the sniffer is going to do one of two things. It's either first going to save it into a file, or it's going to make a live feed directly into the protocol analyzer.
So the protocol analyzer really just reads pcap data. And then, and here's where the term comes from, analyzes it in a way that we can look at it. The best way to see this is to see it in action. So let's fire up Wireshark. So what I've done here is I've just started Wireshark up for us. And you'll see that on this particular system, it sees three different interfaces. I want to keep it simple and just go to my Ethernet interface.
So I'm going to click on that, and then I click on capture. And let's start it up. I'll make it fullscreen as soon as it starts. Great. Now let's take a look at this. So what's happening is in real time, we are grabbing lots and lots of packets.
So what I'd like to do is I'm just going to scroll up and arbitrarily pick something. You know what, I'm gonna stop it. There we go. So what I'm going to do is I'm going to pick one of these. So what you're seeing right here is the 146th packet that it's picked up in this capture so far. So when I click on this, what we're looking at here at the bottom is the raw binary values in hex.
People don't use that very often. So I'm going to scroll that down. It's because this middle part is where things are the most interesting. So you'll notice what I've clicked on is some kind of command. Let's go down one more, because that's an ARP, I know what that is.
Oops. I was there all the time. Okay. So what you can do here is by clicking on these guys, is you can get information. So here's basically this is Wireshark information. When was this picked up?
How big is it, stuff like that. But the next one down is where things get interesting. You'll notice it says Ethernet II. So this is all layer two information. So you'll see the destination and source MAC addresses. You'll see what type of data it is, in this case, it's a simple ARP.
And then we go in a little bit deeper, and then we see the information that's being carried by an ARP. Now, if you're not familiar with ARP, ARP is designed so that if somebody asks who has an IP address, whatever device with that IP address responds back with its MAC address, so ARP resolves IP addresses to MAC addresses. So knowing that, if we take a look in here, we can see what it's saying is: here's my IP address, here's the MAC; here's my IP address, and then here's the MAC. So this is a perfect example of an ARP taking place without us having to do much. Now the downside to all this is that you get tremendous amounts of information.
So what I'm going to do is I'm going to start another capture. It's asking if I want to save that, I'm going to say no. And I'm going to sit here and let it capture for a while. So at this point, it's going to start grabbing a tremendous amount of data. And the challenge we're going to run into is trying to find what data is what. So let's just let it run for a little bit.
So you can see now I'm up to 7000 different packets. So there's a lot of information in here. And what I want to be able to do, and this is a really powerful feature of Wireshark, is the ability to filter data. So what I want to do is go through and let's look for some certain things. For example, one of the things I'd like to find is, has there been any DHCP traffic going on? So what I'm going to do is way up here in the left hand corner, I'm going to type in.
And you'll notice it's trying to help me here. DHCP uses the term bootp. And what I'm going to do is I'm going to say filter everything out of this capture, with the exception of DHCP traffic. And you'll see now that I filtered all this out. You can see I've got two different DHCP keys in there. I've got one DHCP that released itself, and then another DHCP that came in and re-established itself. Yes, I did that myself.
But I want you to be able to understand that the real power of Wireshark, and this is absolutely amazing, is the way Wireshark can filter information. So let's do this again. Except this time what I want to do is I just want to look at HTTP traffic. So now in this case, you'll see I've just got HTTP information. So just looking at HTTP doesn't do me much good. But what I can do, and this is another great feature, is that Wireshark is smart about, oh, here's one particular session going on.
And I could have four or five web browsers open right now. So I can't filter this out. But we're instead going to see if Wireshark can. So what I'm going to do is I'm just going to arbitrarily click on any one of these. And I'm going to go down to Follow TCP Stream. So what you're looking at now is actually the entire web page for that one particular HTTP session that came in.
Now, I don't necessarily know exactly what this is; if I look a little bit, it looks like a JPEG image was brought down. So if I was really interested, I could probably just grab all this, I could look at the EXIF data for that JPEG. So there's a lot of scenarios where I can do some real R&D in terms of what's taking place on any particular session using Wireshark. Now, that's all I want to do on Wireshark. What I need to stress to you more than anything else is that Wireshark is an incredibly powerful tool. If you're looking for, for example, what if I was looking for a rogue DHCP server?
In that particular case, I could just look for bootp information. And suddenly, I've got another MAC address for something that isn't my DHCP server. Wireshark would be an instant way to know that you've got a rogue DHCP server. What if I had ARP poisoning going on? Instead of just a few ARP commands, what if I was getting zillions of them and doing strange ARP commands like router redirects and stuff like that, which is pretty non-standard? I can just do a quick filter on ARP, I can see all those and I can very quickly ascertain the fact that I've probably got an ARP poisoner out on my network someplace.
The last place where Wireshark is really handy is stuff, for example, like a broadcast storm. What if one person's NIC in the network just breaks and starts sending out all kinds of arbitrary garbage traffic? Well, again, with a tool like Wireshark, I could just filter on a particular IP address, or even the MAC address of the suspect NIC, and get all of this ugly information. Yeah, I wouldn't be able to read it. But I would certainly know that that particular system with that particular IP address, and that particular MAC, is sending out bad information. At the very least I can zero in on that system and do some diagnosis. So there's tons of places where this really, really comes into play.
If you want to learn about Wireshark, there are books out there that are this thick, and they're actually interesting reading in terms of the power of what Wireshark can actually provide. Hopefully I've got you a little bit interested and you'll take a deeper look; this is about as far as Security+ goes. The one downside to Wireshark is that Wireshark by itself has great protocol analyzing tools. But a lot of the ways it works is that sometimes it misses a lot of incoming and outgoing packets. Now for casual users like me, it's not that big of a deal.
But for some people, it's incredibly irritating. So what they'll do is, instead of using the sniffers that come with Wireshark, they're going to use other tools, and probably one of the most famous is tcpdump, which runs only on Linux. Let me show that to you. Okay, so here I am in my Ubuntu system. And I'm going to do a quick run of tcpdump. So I'm just going to do a sudo tcpdump.
And I want you to watch this. This looks very similar to what we were seeing earlier with Wireshark. tcpdump is not really a protocol analyzer, although it has some basic tools. What tcpdump does much better than Wireshark does is sniff. It's real slim, it works real well. And it is very rare that this particular tool will miss even a single packet coming in or out of a particular host. So, when it comes to looking for very specific scenarios on your network, things like rogue DHCP servers, ARP poisoning, being able to read incoming and outgoing HTTP or SSH or any type of packets,
Your go to tool is going to be a protocol analyzer and my go to tool is Wireshark.
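The two checks the lecture walks through in Wireshark, filtering on bootp to spot a DHCP server MAC that isn't yours, and filtering on ARP to spot suspicious replies, can also be run over a saved pcap file without a GUI. The following is an added example written for this page, not code from the lecture or from the Wireshark or tcpdump projects. It builds a small constructed capture (the MAC addresses are from the documentation range 00:00:5e:00:53:xx and the 10.0.0.0/24 addresses are made up), parses the Ethernet, ARP, IPv4 and UDP headers with the standard library only, and reports an IP address claimed by more than one MAC and any DHCP server MAC other than the one you expect.

```python
"""Added example: a minimal pcap reader applying the lecture's two checks
(rogue DHCP server via bootp traffic, ARP poisoning via conflicting ARP replies).
Standard library only; all traffic below is constructed for the demonstration."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap file magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def write_pcap(frames):
    """Serialize Ethernet frames into libpcap format: 24-byte global header,
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield the raw frames stored in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (ethertype 0x0806) carrying an ARP reply (opcode 2)."""
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


def dhcp_offer(server_mac, server_ip, client_mac):
    """Ethernet/IPv4/UDP frame from port 67 to 68 with a minimal BOOTP reply.
    Checksums are left as zero; the parser below does not verify them."""
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + ip("0.0.0.0") * 4
             + mac(client_mac) + b"\x00" * 10 + b"\x00" * 192 + b"\x63\x82\x53\x63")
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip(server_ip), ip("255.255.255.255")) + udp
    return mac(client_mac) + mac(server_mac) + b"\x08\x00" + ipv4


def dissect(frame):
    """Return ('arp', sender_mac, sender_ip) for ARP replies,
    ('dhcp', src_mac, src_ip) for UDP 67->68 (what Wireshark's bootp filter shows),
    or None for anything else."""
    src = frame[6:12]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == 0x0806 and struct.unpack_from("!H", frame, 20)[0] == 2:
        return ("arp", fmt_mac(frame[22:28]), fmt_ip(frame[28:32]))
    if ethertype == 0x0800 and frame[23] == 17:          # IPv4 carrying UDP
        ihl = (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if sport == 67 and dport == 68:
            return ("dhcp", fmt_mac(src), fmt_ip(frame[26:30]))
    return None


def analyze(pcap_bytes, expected_dhcp_mac):
    """Apply both checks. Returns (ip -> set of MACs that claimed it, when >1;
    set of DHCP server MACs other than the expected one)."""
    ip_to_macs, dhcp_servers = {}, set()
    for frame in read_pcap(pcap_bytes):
        info = dissect(frame)
        if info and info[0] == "arp":
            ip_to_macs.setdefault(info[2], set()).add(info[1])
        elif info:
            dhcp_servers.add(info[1])
    conflicts = {i: macs for i, macs in ip_to_macs.items() if len(macs) > 1}
    return conflicts, dhcp_servers - {expected_dhcp_mac}


# Constructed capture: the real gateway answers for 10.0.0.1, a second MAC also
# claims 10.0.0.1, and two different servers send DHCP offers to the client.
GATEWAY_MAC, DHCP_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
ROGUE_DHCP_MAC, SPOOFER_MAC, CLIENT_MAC = "00:00:5e:00:53:77", "00:00:5e:00:53:99", "00:00:5e:00:53:50"
SAMPLE = write_pcap([
    arp_reply(GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.50"),
    arp_reply(SPOOFER_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.50"),
    dhcp_offer(DHCP_MAC, "10.0.0.2", CLIENT_MAC),
    dhcp_offer(ROGUE_DHCP_MAC, "10.0.0.77", CLIENT_MAC),
])

if __name__ == "__main__":
    conflicts, rogue = analyze(SAMPLE, DHCP_MAC)
    for claimed_ip, macs in conflicts.items():
        print(f"ARP conflict: {claimed_ip} claimed by {sorted(macs)}")
    for m in sorted(rogue):
        print(f"Unexpected DHCP server MAC: {m}")
```

On a real capture you would replace SAMPLE with the bytes of a file saved from Wireshark or tcpdump (tcpdump -w writes this same libpcap format); the checks are the same ones the lecture performs by eye after typing bootp or arp into the filter bar, just made repeatable.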