What is Wireshark?

What is Wireshark and what do hackers and penetration testers use it for? Imagine you wanted to break into a company's network and had managed to get into their offices. Unfortunately, NAC (Network Access Control) stops you from simply plugging into the LAN and reaching network resources. However, you find a printer that you can connect to your laptop via LAN. Now you can use Wireshark, for example, to read the printer's MAC address. You can then pretend to be this printer and gain access to the internal network.

This is just one possible application scenario for the network sniffer Wireshark. In this article you will find out what else the tool can do and how you can use filters to work with Wireshark efficiently.

What is Wireshark?

Wireshark is an open source network sniffer, developed in 2006, that is mainly used for protocol analysis, network monitoring and troubleshooting.

The software reads, records and analyzes data traffic on various communication interfaces. During a capture, Wireshark shows both the protocol headers and the transmitted content (payload). These are presented graphically, which makes following network traffic much easier and clearer.

How does Wireshark work?

For network analysis, Wireshark relies on the so-called “pcap” (packet capture) API, for example, to access packets directly on the network interface. The pcap API also supports listing all available network interfaces and saving “overheard” packets to a file. These files get the extension “.pcap”. You can later open such files in Wireshark to evaluate all the collected data.

Wireshark is not the only packet sniffer that uses the pcap interface. Other examples are tcpdump, tshark, Snort and Suricata.
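To make the “.pcap” file format described above concrete, here is an added example (not Wireshark or libpcap code) that reads the classic pcap global header and packet records, decodes Ethernet, IPv4 and ARP far enough to list the MAC and IP addresses seen on a segment, and handles the two things that most often trip up hand-written readers: the byte order signalled by the magic number and a file truncated mid-record. The two-frame capture is constructed in memory and all MAC and IP addresses in it are placeholders; it uses only the Python standard library.

```python
"""Minimal reader for the classic .pcap format written by Wireshark, tcpdump
and tshark.  Added example, not Wireshark/libpcap code; the sample capture
is constructed in memory and its addresses are placeholders."""
import ipaddress
import struct

# pcap magic numbers as read with "<I": (byte order, timestamp fraction divisor)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_ethernet(frame, ts):
    """Decode one Ethernet frame into the fields Wireshark's packet list shows."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"ts": ts, "dst_mac": mac(dst), "src_mac": mac(src), "proto": "other"}
    body = frame[14:]
    if ethertype == 0x0800 and len(body) >= 20:  # IPv4
        ihl = (body[0] & 0x0F) * 4
        proto, src_ip, dst_ip = struct.unpack("!B2x4s4s", body[9:20])
        pkt["src_ip"] = str(ipaddress.IPv4Address(src_ip))
        pkt["dst_ip"] = str(ipaddress.IPv4Address(dst_ip))
        pkt["proto"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, f"ip-{proto}")
        if proto in (6, 17) and len(body) >= ihl + 4:  # TCP/UDP ports follow the IP header
            pkt["src_port"], pkt["dst_port"] = struct.unpack("!HH", body[ihl:ihl + 4])
    elif ethertype == 0x0806 and len(body) >= 28:  # ARP over Ethernet/IPv4
        pkt["proto"] = "arp"
        pkt["arp_sender_mac"] = mac(body[8:14])
        pkt["arp_sender_ip"] = str(ipaddress.IPv4Address(body[14:18]))
    return pkt


def parse_pcap(data):
    """Walk the 24-byte global header and every 16-byte record header."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng uses a different header)")
    endian, divisor = MAGICS[magic]
    _magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not handled by this example")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")  # file was cut off mid-packet
        off += incl_len
        packets.append(decode_ethernet(frame, ts_sec + ts_frac / divisor))
    return packets


def mac_addresses(packets):
    """Every MAC address that sent a frame: the devices actually talking on the segment."""
    return sorted({p["src_mac"] for p in packets})


def build_sample_pcap():
    """Constructed two-frame capture: an mDNS query and an ARP request (placeholder addresses)."""
    broadcast = bytes.fromhex("ffffffffffff")
    laptop = bytes.fromhex("66778899aabb")   # placeholder MAC
    printer = bytes.fromhex("001122334455")  # placeholder MAC
    payload = b"example-payload"
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(payload), 0) + payload
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                      bytes([192, 168, 13, 37]), bytes([224, 0, 0, 251]))
    frame1 = broadcast + laptop + b"\x08\x00" + ip4 + udp
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + printer + bytes([192, 168, 13, 1])
           + bytes(6) + bytes([192, 168, 13, 37]))
    frame2 = broadcast + printer + b"\x08\x06" + arp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in ((1_700_000_000, frame1), (1_700_000_001, frame2)):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in pkts:
        print(p)
    print("devices seen:", mac_addresses(pkts))
```

Replacing `build_sample_pcap()` with `open("capture.pcap", "rb").read()` runs the same reader over a real tcpdump or Wireshark save file, as long as it is the classic format on an Ethernet interface; Wireshark's newer default, pcapng, starts with a different block header and is rejected rather than misread.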

Do only hackers use Wireshark?

Both black hat and white hat hackers and penetration testers use Wireshark to evaluate the results of man-in-the-middle attacks. The aim is to obtain sensitive information such as VoIP calls, LLDP, STP, HSRP and VRRP traffic, or even basic authentication credentials.

However, Wireshark is not only used in (simulated) attacks; it is also used by system administrators. In that case the goal is to understand and fix network problems.

Why does that make sense? Wireshark makes it possible to inspect all network traffic received over the medium and to analyze every network packet exchanged on these connections - as long as the traffic is not encrypted. Even for encrypted connections the headers remain readable, so addresses, ports and the TLS handshake are still visible; only the payload is not. This makes it much easier to find the cause of problems.

How do I use Wireshark?

The user interface

Wireshark's user interface is divided into several sections. When you start the application, you first land on the selection of interfaces / network interfaces.

Selection of interfaces / network interfaces

In this selection you specify on which interface the tool should record the data traffic. You also set the capture filters here. This way you limit which packet types are captured.

By double-clicking on one of these interfaces you get to the detailed view of that interface.

Figure: Wireshark – selection of interfaces / network interfaces

Live packet view

In the detailed view, the live packet view stands out in particular. This view shows all network packets that Wireshark is currently receiving.

Here you will find, among other things, the source and destination IP of the packet and the protocol used. You can narrow down the packets shown here with display filters.

As soon as you click on a packet, you will see its protocol headers as well as the entire payload, a summary of which you can also find in the “Info” column of the live packet view. Below the header and payload tree, the entire network packet is shown once more in hexadecimal and ASCII format.

Note that a byte is shown as an ASCII character only if it can be represented in that character set.

Figure: Wireshark – live packet view with header and payload

The filters: the difference between capture & display filters

If you have ever struggled to find relevant information in a large amount of data, you can probably imagine why filters are such an important part of Wireshark.

Capturing all types of traffic can quickly result in millions of packets, making it much more difficult to find the network traffic you're looking for.

Fortunately, Wireshark offers an extensive filter system that lets you exclude traffic that is irrelevant to your question. There are two kinds: capture filters and display filters.

How do I use capture filters?

You set capture filters before starting a packet capture and cannot change them while capturing. Packets that do not match the filter are not recorded at all.

Here is a list of possible capture filters in Wireshark:

Filter                     Purpose
&&                         AND operator. Used to chain multiple filters together.
host 192.168.13.37         Only record packets that have 192.168.13.37 as sender or receiver.
net 192.168.13.0/24        Only record packets sent to or from the IP range 192.168.13.0/24.
src net 192.168.13.0/24    Only record packets sent from the IP range.
dst net 192.168.13.0/24    Only record packets sent to the IP range.
port 80                    Record packets that use port 80 (TCP or UDP, as source or destination).
!(arp or icmp)             Capture all packets except ARP or ICMP. Very useful for eliminating uninteresting traffic.

How do I use display filters?

Display filters let you search the current recording for specific content using parameters. Unlike capture filters, they can be changed at any time: they only hide packets from view, and nothing already recorded is discarded.

This is a list of possible display filters in Wireshark:

Filter                           Purpose
&&                               AND operator. Used to chain multiple filters together.
ip.addr == 192.168.13.37         Only show packets that have 192.168.13.37 as sender or receiver.
ip.src == 192.168.13.37          Only show packets that have 192.168.13.37 as sender.
ip.dst == 192.168.13.37 && tcp   Show only TCP packets that have 192.168.13.37 as receiver.
tcp.port == 80                   Show packets that use TCP port 80 (as source or destination).
udp.port == 5353                 Show packets that use UDP port 5353.
!(arp or icmp)                   Show all packets except ARP or ICMP. Very useful for eliminating uninteresting traffic.
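The following added example (not Wireshark code; Wireshark's real filter engine is far richer) implements just enough of the display-filter syntax from the table above to run those filters over a handful of constructed packet records, and uses the same evaluator to illustrate the capture-filter section: `record()` stands in for the capture stage, where a packet that fails the filter is never stored, while `display()` only hides rows of an existing recording and can be changed as often as you like. The packet records and their addresses are invented; the field names (`ip.addr`, `tcp.port`, ...) mirror Wireshark's, including the rule that `ip.addr` and `tcp.port` match either end of the conversation.

```python
"""Evaluator for the display-filter subset shown above, over constructed packets.
Added example, not Wireshark's filter engine; records and addresses are invented."""
import re

# Constructed decoded packets (not from a real capture); keys mirror Wireshark field names
PACKETS = [
    {"protocols": {"eth", "arp"}},
    {"protocols": {"eth", "ip", "icmp"}, "ip.src": "192.168.13.37", "ip.dst": "192.168.13.1"},
    {"protocols": {"eth", "ip", "tcp"}, "ip.src": "192.168.13.37", "ip.dst": "10.0.0.5",
     "tcp.srcport": "51234", "tcp.dstport": "80"},
    {"protocols": {"eth", "ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "192.168.13.37",
     "tcp.srcport": "80", "tcp.dstport": "51234"},
    {"protocols": {"eth", "ip", "udp"}, "ip.src": "192.168.13.50", "ip.dst": "224.0.0.251",
     "udp.srcport": "5353", "udp.dstport": "5353"},
]

# Convenience fields that match either end of a conversation, as in Wireshark
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

TOKEN = re.compile(r"&&|\|\||==|[()!]|[A-Za-z_][\w.]*|[\w.:]+")


class Parser:
    """Recursive descent: or_expr > and_expr > unary ('!', parentheses, field == value, bare name)."""

    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok in ("!", "not"):
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() == "==":
            self.take()
            return ("eq", tok, self.take())
        return ("has", tok)  # bare name: protocol layer or field is present


def values(pkt, field):
    return [pkt[name] for name in ALIASES.get(field, (field,)) if name in pkt]


def evaluate(node, pkt):
    kind = node[0]
    if kind == "has":
        return node[1] in pkt["protocols"] or bool(values(pkt, node[1]))
    if kind == "eq":
        return node[2] in values(pkt, node[1])
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)


def display(packets, expr):
    """Display filter: hides rows of an existing recording; can be changed freely."""
    tree = Parser(expr).parse()
    return [p for p in packets if evaluate(tree, p)]


def record(packets, capture_filter):
    """Capture-filter stage: decided once per packet while capturing; failures are never
    written.  Real capture filters use BPF syntax such as 'host 192.168.13.37'; this
    simulation reuses the display syntax for brevity."""
    return display(packets, capture_filter)


if __name__ == "__main__":
    for expr in ("ip.addr == 192.168.13.37", "tcp.port == 80", "!(arp or icmp)"):
        print(f"{expr:28s} -> {len(display(PACKETS, expr))} packet(s)")
    recorded = record(PACKETS, "!(arp or icmp)")
    print("after capture filter, 'icmp' shows", len(display(recorded, "icmp")), "packet(s)")
```

The last two lines make the practical point: once you captured with `!(arp or icmp)`, no display filter will bring the ICMP packets back, so capture filters are best kept broad while you are still unsure what you are looking for.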

Conclusion

You can now answer the question “What is Wireshark?” comprehensively: the network sniffer is used by system administrators, hackers and penetration testers to record packets in network traffic directly on interfaces. The information collected can be used either for troubleshooting or for unauthorized intrusion into networks. Filters help limit the amount of information to what is relevant to your application.
