An Essential Sys Admin and Security Tool
Wireshark
Wireshark fills the gap between security and system administration for those who need to know more about what’s flowing through the wires or over the airwaves in the corporate network.
Special Thanks: This article was made possible by support from Linux Professional Institute
Wireshark is an essential system administrator and security tool for any network. That broad statement covers a lot of ground, but it is true nonetheless. Even on the Wireshark website, the About page refers to it as “the world’s foremost and widely-used network protocol analyzer.” It began life in 1998 with the name Ethereal, but the authors had to change it a few years later due to a trademark problem for the original author, Gerald Combs. Wireshark is cross-platform, free, and open source.
Before getting too far into this discussion, you must obtain permission to run Wireshark on your network. On many enterprise networks, it is forbidden to run protocol analyzers and to sniff network traffic unless you are part of a security group or have special permission to do so.
Understanding Wireshark
Wireshark is a network protocol analyzer -- sometimes referred to as a packet analyzer or as a network sniffer (see the “Caution” box). It offers live network packet capture and offline analysis. If you’ve ever used Wireshark, or any network sniffer, you know that it only takes a few minutes to capture thousands of packets. For this reason, Wireshark has a very powerful display filter, which you’ll learn to love, because who really needs to see thousands of “Who has” Address Resolution Protocol (ARP) messages, unless that’s what you’re looking for in a capture?
So what does one find when “sniffing” the network? In other words, what can you do with Wireshark? I’ve seen many lists that attempt to show Wireshark’s many facets, and here’s another one:
- Find network communications sent in clear text.
- Find evidence of attacks or probes.
- Discover clandestine or forbidden applications.
- Read captures from other programs, such as tcpdump.
- Take snapshots of traffic during peak periods.
- Establish a baseline of “normal” network traffic.
- Capture traffic to or from specific hosts.
- Look at attempts to connect to your wireless networks.
There are many other tasks one can perform with Wireshark, but these are the ones most often listed by legitimate users (see the “Hackers Beware” box).
Another word of caution to would-be hacker types: don’t sniff around on public WiFi access points, such as those in local coffee shops or Internet cafes. It’s a crime.
A final word on what Wireshark is not. It is not a security information and event management (SIEM) suite nor should it be “sold” to management as such. It is no substitute for a SIEM, although its data can be used for some of the same activities, such as event correlation and forensic packet analysis.
Wireshark is a powerful tool that should be part of a system or security administrator’s arsenal of tools. However, be cautious of relying too heavily on any single tool for complete analysis. Such reliance reminds me of the Indian parable of the blind men and the elephant, where each man experiences a different part of the elephant and makes assumptions about the entire animal based on limited information. Gather as much information about an incident and network behavior as possible with different tools and from different perspectives.
Installing Wireshark
The first thing you need to do is install Wireshark. For Red Hat Linux-based systems, installing is easy with:
sudo yum -y install wireshark-gnome
Yes, I suggest that you install the graphical version. You can install the command-line-only version with:
sudo yum -y install wireshark
Installing the wireshark-gnome package also gives you the command-line version, and yum pulls in any dependencies, which is usually just the libsmi package but could vary with your particular installation.
For Debian-based systems, use:
sudo apt install wireshark
This command installs both the command-line version and the graphical version.
If your system can’t find Wireshark, use these commands and try again:
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt-get update
Up and Running
Now that you have Wireshark installed, it’s time to launch it and grab some network traffic. Although Wireshark’s installation program provides you with a handy program link under Applications | Internet, don’t use it unless you’re logged in as root. Open a Terminal window and enter:
sudo wireshark &
Wireshark should launch and look similar to Figure 1.
I know you want to get right to it, so click Capture on the menubar and select Interfaces from the dropdown list as shown in Figure 2.
The first step in capturing packets is to set up listening interfaces.
Note: You must either run Wireshark as root or use sudo to run it. There are ways around this, but for simplicity, run it with elevated privileges. You can run Wireshark as a regular user, but you won’t be able to capture traffic.
Figure 3 displays a list of local interfaces. Select those appropriate for your network.
Click Start to begin capturing network packets on your selected network interface. Figure 4 shows a capture in progress.
Figure 5 shows a system being scanned by a port scanner (we will look at this again later).
And finally, Figure 6 is a demonstration of a ping flood.
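The two patterns in Figures 5 and 6 are easy to pick out of a capture once it is exported from the command-line version with tshark’s -T fields option. The following script is an added example, not code from the article or the Wireshark project; the tshark command in its docstring, the field order, the sample lines and the thresholds are all assumptions.

```python
"""Flag a SYN port scan and a ping flood in tshark field output.
Assumed export command (constructed, not run here):
  tshark -r capture.pcap -T fields -E separator=, \
      -e frame.time_relative -e ip.src -e ip.dst \
      -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e icmp.type
The GUI display filter for the same bare-SYN packets would be
  tcp.flags.syn == 1 && tcp.flags.ack == 0
"""
from collections import defaultdict

# Field order produced by the command above (assumption).
FIELDS = ("time", "src", "dst", "dport", "syn", "ack", "icmp_type")

def parse_lines(text):
    """Turn CSV lines into dicts; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != len(FIELDS) or not parts[0]:
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def find_port_scans(rows, min_ports=10):
    """(src, dst) pairs where src sends bare SYNs (SYN set, ACK clear)
    to at least min_ports distinct ports, the pattern behind Figure 5.
    Older tshark prints booleans as True/False, newer as 1/0."""
    ports = defaultdict(set)
    for r in rows:
        if r["dport"] and r["syn"] in ("1", "True") and r["ack"] in ("0", "False"):
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def find_ping_floods(rows, per_second=50):
    """Sources whose ICMP echo requests (type 8) reach per_second within
    any one-second window, the pattern behind Figure 6."""
    buckets = defaultdict(int)
    for r in rows:
        if r["icmp_type"] == "8":
            buckets[(r["src"], int(float(r["time"])))] += 1
    worst = defaultdict(int)
    for (src, _sec), n in buckets.items():
        worst[src] = max(worst[src], n)
    return {src: n for src, n in worst.items() if n >= per_second}

# Constructed sample: 10.0.0.5 probes 20 ports on 10.0.0.20 with bare SYNs,
# 10.0.0.9 sends 120 echo requests inside one second, 10.0.0.7 does a
# normal handshake (its SYN/ACK reply carries ACK and is not a probe).
SAMPLE = "\n".join(
    [f"{0.001*i:.3f},10.0.0.5,10.0.0.20,{20+i},1,0," for i in range(20)]
    + [f"{1.0+0.005*i:.3f},10.0.0.9,10.0.0.20,,,,8" for i in range(120)]
    + ["2.000,10.0.0.7,10.0.0.20,443,1,0,", "2.001,10.0.0.20,10.0.0.7,51000,1,1,"])
```

Running `find_port_scans(parse_lines(SAMPLE))` reports only the 10.0.0.5 to 10.0.0.20 pair, and `find_ping_floods` reports only 10.0.0.9; tune the thresholds against the baseline of normal traffic you captured earlier.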