Network analyzer. Network packet analyzers. Capabilities of modern network analyzers

Each member of the ][ team has their own preferences regarding software and utilities for
pen test. After consulting, we found out that the choice varies so much that it is possible
create a real gentleman's set of proven programs. That's it
decided. In order not to make a hodgepodge, we divided the entire list into topics - and in
This time we’ll touch on utilities for sniffing and manipulating packets. Use it on
health.

Wireshark

Netcat

If we talk about data interception, then Network Miner will be taken off the air
(or from a pre-prepared dump in PCAP format) files, certificates,
images and other media, as well as passwords and other information for authorization.
A useful feature is to search for those sections of data that contain keywords
(for example, user login).

Scapy

Website:
www.secdev.org/projects/scapy

A must-have for any hacker, it is a powerful tool for
interactive packet manipulation. Receive and decode packets of the most
different protocols, respond to the request, inject the modified and
a package created by yourself - everything is easy! With its help you can perform a whole
a number of classic tasks such as scanning, tracorute, attacks and detection
network infrastructure. In one bottle we get a replacement for such popular utilities,
like: hping, nmap, arpspoof, arp-sk, arping, tcpdump, tetheral, p0f, etc. At that
it's about time Scapy allows you to perform any task, even the most specific
a task that can never be done by another developer already created
means. Instead of writing a whole mountain of lines in C to, for example,
generating the wrong packet and fuzzing some daemon is enough
throw in a couple of lines of code using Scapy! The program does not have
graphical interface, and interactivity is achieved through the interpreter
Python. Once you get the hang of it, it won’t cost you anything to create incorrect
packets, inject the necessary 802.11 frames, combine different approaches in attacks
(say, ARP cache poisoning and VLAN hopping), etc. The developers themselves insist
to ensure that Scapy's capabilities are used in other projects. Connecting it
as a module, it’s easy to create a utility for various types of local area research,
search for vulnerabilities, Wi-Fi injection, automatic execution of specific
tasks, etc.

packeth

Website:
Platform: *nix, there is a port for Windows

An interesting development that allows, on the one hand, to generate any
ethernet packet, and, on the other hand, send sequences of packets with the purpose
bandwidth checks. Unlike other similar tools, packeth
has a graphical interface, allowing you to create packages as simply as possible
form. Further more. The creation and sending are especially elaborated
sequences of packets. You can set delays between sending,
send packets at maximum speed to test throughput
section of the network (yep, this is where they’ll be filing) and, what’s even more interesting -
dynamically change parameters in packets (for example, IP or MAC address).

tcpdump

The main tool for almost all network traffic collections is tcpdump. This is an open source application that installs on almost all Unix-like systems. operating systems. Tcpdump is an excellent data collection tool and comes with a very powerful filtering engine. It's important to know how to filter data during collection to end up with a manageable piece of data for analysis. Capturing all the data from a network device, even on a moderately busy network, can create too much data for simple analysis.

In some in rare cases tcpdump allows you to output the output directly to your screen, which may be enough to help you find what you're looking for. For example, while writing an article, some traffic was captured and it was noticed that the machine was sending traffic to an unknown IP address. It turns out that the machine was sending data to the Google IP address 172.217.11.142. Since no Google products were launched, the question arose as to why this was happening.

A system check showed the following:

Leave your comment!

Original: 8 best packet sniffers and network analyzers
Author: Jon Watson
Date of publication: November 22, 2017
Translation: A. Krivoshey
Transfer date: December 2017

Packet sniffing is a colloquial term that refers to the art of analyzing network traffic. Contrary to popular belief, things like emails and web pages do not travel across the Internet in one piece. They are broken into thousands of small data packets and thus sent over the Internet. In this article, we will look at the best free network analyzers and packet sniffers.

There are many utilities that collect network traffic, and most of them use pcap (on Unix-like systems) or libcap (on Windows) as their core. Another type of utility helps analyze this data, since even a small amount of traffic can generate thousands of packets that are difficult to navigate. Almost all of these utilities differ little from each other in collecting data, the main differences being in how they analyze the data.

Analyzing network traffic requires understanding how the network works. There is no tool that can magically replace an analyst's knowledge of network fundamentals, such as the TCP "3-way handshake" that is used to initiate a connection between two devices. Analysts also need to have some understanding of the types of network traffic on a normally functioning network, such as ARP and DHCP. This knowledge is important because analytics tools will simply show you what you ask them to do. It's up to you to decide what to ask for. If you don't know what your network typically looks like, it can be difficult to know that you've found what you need in the mass of packages you've collected.

The best packet sniffers and network analyzers

Industrial tools

Let's start at the top and then work our way down to the basics. If you are dealing with an enterprise level network, you will need big gun. While almost everything uses tcpdump at its core (more on that later), enterprise-level tools can address certain complex problems, such as correlating traffic from multiple servers, providing intelligent queries to identify problems, alerting about exceptions and creating good graphs, which is always required by management.

Enterprise-level tools are typically geared toward streaming network traffic rather than assessing the contents of packets. By this I mean that the main focus of most system administrators in the enterprise is to ensure that the network does not have performance bottlenecks. When such bottlenecks occur, the goal is usually to determine whether the problem is caused by the network or an application on the network. On the other hand, these tools can usually handle so much traffic that they can help predict when a network segment will be fully loaded, which is a critical management point. throughput networks.

This is a very large set of IT management tools. In this article, the Deep Packet Inspection and Analysis utility, which is its integral part. Collecting network traffic is quite simple. With tools like WireShark, basic analysis is also not a problem. But the situation is not always completely clear. On a very busy network, it can be difficult to determine even very simple things, such as:

What application on the network is generating this traffic?
- if an application is known (say a web browser), where do its users spend most of their time?
- which connections are the longest and overload the network?

Most network devices use each packet's metadata to make sure the packet goes where it needs to go. The contents of the packet are unknown to the network device. Another thing is deep packet inspection; this means that the actual contents of the package are checked. In this way, critical network information that cannot be gleaned from metadata can be discovered. Tools, similar topics, which are provided by SolarWinds, can provide more meaningful data than just traffic flow.

Other technologies for managing data-intensive networks include NetFlow and sFlow. Each has its own strengths and weaknesses,

You can learn more about NetFlow and sFlow.

Network analysis in general is an advanced topic that is based on both acquired knowledge and practical work experience. You can train a person to have detailed knowledge of network packets, but unless that person has knowledge of the network itself and experience identifying anomalies, they won't do very well. The tools described in this article should be used by experienced network administrators who know what they want but are not sure which utility is best. They can also be used by less experienced system administrators to gain day-to-day networking experience.

Basics

The main tool for collecting network traffic is

It is an open source application that installs on almost all Unix-like operating systems. Tcpdump is an excellent data collection utility that has a very sophisticated filtering language. It is important to know how to filter data when collecting it in order to end up with a normal set of data for analysis. Capturing all the data from a network device, even on a moderately busy network, can generate too much data that is very difficult to analyze.

In some rare cases, it will be enough to print tcpdump captured data directly to the screen to find what you need. For example, while writing this article, I collected traffic and noticed that my machine was sending traffic to an IP address that I didn't know. It turns out that my machine was sending data to the Google IP address 172.217.11.142. Since I didn't have any Google products and Gmail wasn't open, I didn't know why this was happening. I checked my system and found the following:

[ ~ ]$ ps -ef | grep google user 1985 1881 0 10:16 ? 00:00:00 /opt/google/chrome/chrome --type=service

It turns out that even when Chrome is not running, it remains running as a service. I wouldn't have noticed this without packet analysis. I captured a few more data packets, but this time I gave tcpdump the task of writing the data to a file, which I then opened in Wireshark (more on this later). These are the entries:

Tcpdump is a favorite tool of system administrators because it is a utility command line. Running tcpdump does not require a GUI. For production servers, the graphical interface is rather harmful, as it consumes system resources, so command line programs are preferable. Like many modern utilities, tcpdump has a very rich and complex language that takes some time to master. A few very basic commands involve selecting a network interface to collect data from and writing that data to a file so it can be exported for analysis elsewhere. The -i and -w switches are used for this.

# tcpdump -i eth0 -w tcpdump_packets tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C51 packets captured

This command creates a file with the captured data:

File tcpdump_packets tcpdump_packets: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

The standard for such files is the pcap format. It is not text, so it can only be analyzed using programs that understand this format.

3.Windump

Most useful open source utilities end up being cloned into other operating systems. When this happens, the application is said to have been migrated. Windump is a port of tcpdump and behaves in a very similar way.

The most significant difference between Windump and tcpdump is that Windump needs the Winpcap library installed before Windump runs. Even though Windump and Winpcap are provided by the same maintainer, they must be downloaded separately.

Winpcap is a library that must be pre-installed. But Windump is an exe file that doesn't need to be installed, so you can just run it. This is something to keep in mind if you are using a Windows network. You don't have to install Windump on every machine as you can just copy it as needed, but you will need Winpcap to support Windup.

As with tcpdump, Windump can display network data for analysis, filter it in the same way, and also write the data to a pcap file for later analysis.

4. Wireshark

Wireshark is the next most famous tool in a system administrator's toolbox. It not only allows you to capture data but also provides some advanced analysis tools. Additionally, Wireshark is open source and has been ported to almost all existing server operating systems. Called Etheral, Wireshark now runs everywhere, including as a standalone, portable application.

If you're analyzing traffic on a server with a GUI, Wireshark can do everything for you. It can collect data and then analyze it all right there. However, GUIs are rare on servers, so you can collect network data remotely and then examine the resulting pcap file in Wireshark on your computer.

When you first launch Wireshark, you can either load an existing pcap file or run a traffic capture. In the latter case, you can additionally set filters to reduce the amount of data collected. If you don't specify a filter, Wireshark will simply collect all network data from the selected interface.

One of the most useful features of Wireshark is the ability to follow a stream. It's best to think of a thread as a chain. In the screenshot below we can see a lot of data captured, but what I was most interested in was Google's IP address. I can right click and follow the TCP stream to see the entire chain.

If the traffic was captured on another computer, you can import the PCAP file using the Wireshark File -> Open dialog. The same filters and tools are available for imported files as for captured network data.

5.tshark

Tshark is a very useful link between tcpdump and Wireshark. Tcpdump is superior at data collection and can surgically extract only the data you need, however its data analysis capabilities are very limited. Wireshark is great at both capture and analysis, but has a heavy user interface and cannot be used on servers without a GUI. Try tshark, it works on the command line.

Tshark uses the same filtering rules as Wireshark, which should not be surprising since they are essentially the same product. The command below only tells tshark to capture the destination IP address, as well as some other fields of interest from the HTTP portion of the packet.

# tshark -i eth0 -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/styles/phoenix.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /images/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico

If you want to write the traffic to a file, use the -W option to do so, and then the -r (read) switch to read it.

First capture:

# tshark -i eth0 -w tshark_packets Capturing on "eth0" 102 ^C

Read it here, or move it to another place for analysis.

# tshark -r tshark_packets -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /contact 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /reservations/ 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20 100101 Firefox/ 57.0 /reservations/styles/styles.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack. js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20 100101 Firefox/57.0 /res/images/title.png

This is a very interesting tool that falls more into the category of network forensic analysis tools rather than just sniffers. The field of forensics typically deals with investigations and evidence collection, and Network Miner does this job just fine. Just as wireshark can follow a TCP stream to reconstruct an entire packet transmission chain, Network Miner can follow a stream in order to recover files that have been transferred over a network.

Network Miner can be strategically placed on the network to be able to observe and collect traffic that interests you in real time. It will not generate its own traffic on the network, so it will operate stealthily.

Network Miner can also work offline. You can use tcpdump to collect packets at a network point of interest and then import the PCAP files into Network Miner. Next, you can try to recover any files or certificates found in the recorded file.

Network Miner is made for Windows, but with Mono it can be run on any OS that supports the Mono platform, such as Linux and MacOS.

Eat free version, entry-level, but with a decent set of functions. If you need additional features such as geolocation and custom scripts, you will need to purchase a professional license.

7. Fiddler (HTTP)

It's not technically a network packet capture utility, but it's so incredibly useful that it makes it onto this list. Unlike the other tools listed here, which are designed to capture network traffic from any source, Fiddler is more of a debugging tool. It captures HTTP traffic. While many browsers already have this capability in their developer tools, Fiddler is not limited to browser traffic. Fiddler can capture any HTTP traffic on a computer, including non-web applications.

Many desktop applications use HTTP to connect to web services, and other than Fiddler, the only way to capture such traffic for analysis is to use tools like tcpdump or Wireshark. However, they operate at the packet level, so analysis requires reconstructing these packets into HTTP streams. It can be a lot of work to do simple research, and that's where Fiddler comes in. Fiddler will help you detect cookies, certificates, and other useful data sent by applications.

Fiddler is free and, like Network Miner, it can be run in Mono on almost any operating system.

8. Capsa

The Capsa network analyzer has several editions, each with different capabilities. At the first level, Capsa is free, and it essentially allows you to simply capture packets and perform basic graphical analysis on them. The dashboard is unique and can help an inexperienced system administrator quickly identify network problems. The free tier is for people who want to learn more about packages and build their analysis skills.

The free version allows you to control more than 300 protocols, suitable for monitoring Email, as well as saving email content, it also supports triggers that can be used to trigger alerts when certain situations occur. In this regard, Capsa can be used as a support tool to some extent.

Capsa is only available for Windows 2008/Vista/7/8 and 10.

Conclusion

It is easy to understand how a system administrator can create a network monitoring infrastructure using the tools we have described. Tcpdump or Windump can be installed on all servers. A scheduler, such as cron or the Windows scheduler, starts a packet collection session at the right time and writes the collected data to a pcap file. The system administrator can then transfer these packets to the central machine and analyze them using wireshark. If the network is too large for this, enterprise-grade tools such as SolarWinds are available to turn all network packets into a manageable data set.

Read other articles about intercepting and analyzing network traffic :

• Dan Nanni, Command Line Utilities for Monitoring Network Traffic on Linux
• Paul Cobbaut, Linux System Administration. Intercepting network traffic
• Paul Ferrill, 5 Tools for Network Monitoring on Linux
• Pankaj Tanwar, Packet capture using libpcap library
• Riccardo Capecchi, Using filters in Wireshark
• Nathan Willis, Network Analysis with Wireshark
• Prashant Phatak,

The need to analyze network traffic may arise for several reasons. Monitoring computer security, debugging the local network, monitoring outgoing traffic to optimize the operation of a shared Internet connection - all these tasks are often on the agenda of system administrators and ordinary users. To solve them, there are many utilities called sniffers, both specialized, aimed at solving a narrow area of ​​​​tasks, and multifunctional “harvesters”, providing the user with a wide choice of tools. This article introduces one of the representatives of the latter group, namely the CommView utility produced by the company. The program allows you to clearly see the full picture of the traffic passing through a computer or local network segment; a customizable alarm system allows you to warn about the presence of suspicious packets in traffic, the appearance of nodes with abnormal addresses in the network, or an increase in network load.

CommView provides the ability to maintain statistics on all IP connections, decode IP packets up to low level and analyze them. The built-in filter system based on several parameters allows you to configure tracking exclusively for the necessary packages, which makes their analysis more efficient. The program can recognize packets from more than seven dozen of the most common protocols (including DDNS, DHCP, DIAG, DNS, FTP, HTTP, HTTPS, ICMP, ICQ, IMAP, IPsec, IPv4, IPv6, IPX, LDAP, MS SQL, NCP, NetBIOS, NFS, NLSP, POP3, PPP, PPPoE, SMB, SMTP, SOCKS, SPX, SSH, TCP, TELNET, UDP, WAP, etc.), and also save them to files for subsequent analysis. A variety of other tools, such as identifying the network adapter manufacturer by MAC address, HTML reconstruction, and remote packet capture using the optional CommView Remote Agent utility, can also be useful in certain cases.

Working with the program

First you need to select the network interface on which traffic will be monitored.

CommView supports almost any type of Ethernet adapter - 10, 100 and 1000 Mbit/s, as well as analog modems, xDSL, Wi-Fi, etc. By analyzing Ethernet adapter traffic, CommView can intercept not only incoming and outgoing, but also transit packets addressed to any computer on the local network segment. It is worth noting that if the task is to monitor all traffic on a local network segment, then it is required that the computers in it be connected through a hub, and not through a switch. Some modern switch models have a port mirroring function, which allows them to also be configured for network monitoring using CommView. You can read more about this. Having selected the desired connection, you can begin capturing packets. The start and stop capture buttons are located near the interface selection line. To work with a remote access controller, VPN and PPPoE, you must install the appropriate driver when installing the program.

The main window of the program is divided into several tabs responsible for one or another area of ​​work. The first of them, "Current IP connections", displays detailed information about the current IP connections of the computer. Here you can see the local and remote IP address, the number of transmitted and received packets, the direction of transmission, the number of established IP sessions, ports, host name (if the DNS recognition function is not disabled in the program settings), and the name of the process receiving or transmitting the packet for this sessions. The latest information is not available for transit packages or on computers running Windows 9x/ME.

Current IP Connections Tab

If you right-click on any connection, a context menu will open where you can find tools that make it easier to analyze the connections. Here you can see the amount of data transferred within the connection, full list ports used, detailed information about the process receiving or transmitting packets for this session. CommView allows you to create aliases for MAC and IP addresses. For example, by specifying aliases instead of cumbersome digital addresses of machines on a local network, you can get easily readable and memorable computer names and thus facilitate connection analysis.

To create an alias for an IP address, you need to select “Create an alias” and “using local IP” or “using remote IP” in the context menu. In the window that appears, the IP address field will already be filled in, and all that remains is to enter a suitable name. If a new IP name entry is created by right-clicking on a packet, the name field is automatically populated with the hostname (if available) and can be edited. The same is true for working with MAC aliases.

From the same menu, by selecting SmartWhois, you can send the selected source or destination IP address to SmartWhois, a standalone application from Tamosoft that collects information about any IP address or host name, such as network name, domain, country, state or province, city, and provides it to the user.

Second tab, "Packages", displays all packets intercepted on the selected network interface and detailed information about them.

Packages Tab

The window is divided into three areas. The first of them displays a list of all intercepted packets. If you select one of the packages by clicking on it with the mouse pointer, the remaining windows will show information about it. This displays the packet number, protocol, Mac and IP addresses of the sending and receiving host, the ports used, and the time the packet appeared.

The middle area displays the contents of the package - in hexadecimal or text. In the latter case, non-printing characters are replaced with dots. If several packages are selected simultaneously in the upper area, then the middle window will show total selected packets, their total size, as well as the time interval between the first and last packet.

The lower window displays decoded detailed information about the selected package.

By clicking on one of the three buttons in the lower right part of the window, you can choose the location of the decoding window: at the bottom, or aligned to the left or right. The other two buttons allow you to automatically go to the last received package and save the selected package in the visible list area.

The context menu allows you to copy MAC, IP addresses and entire packets to the clipboard, assign aliases, apply a quick filter to select the required packets, and also use the TCP Session Reconstruction and Packet Generator tools.

The TCP Session Reconstruction tool allows you to view the exchange process between two hosts via TCP. To make the content of the session more understandable, you need to select the appropriate “display logic”. This function is most useful for recovering text information such as HTML or ASCII.

The resulting data can be exported as a text, RTF or binary file.

Log Files Tab. Here you can configure the settings for saving captured packets to a file. CommView saves log files in native NCF format; To view them, a built-in utility is used, which can be launched from the “File” menu.

It is possible to enable auto-saving of intercepted packets as they arrive, logging HTTP sessions in TXT and HTML formats, saving, deleting, merging and splitting log files. One thing to remember is that a packet is not saved immediately upon arrival, so if you view the log file in real time, it will most likely not show the most recent packets. In order for the program to immediately send the buffer to a file, you need to click the “Finish capture” button.

In the tab "Rules" you can set conditions for intercepting or ignoring packets.

To facilitate the selection and analysis of the required packages, you can use filtering rules. This will also help significantly reduce the amount of system resources used by CommView.

In order to enable a rule, you need to select the appropriate section on the left side of the window. A total of seven types of rules are available: simple - “Protocols and direction”, “Mac addresses”, “IP addresses”, “Ports”, “Text”, “TCP flags”, “Process”, as well as the universal rule “Formula” " For each of simple rules It is possible to select individual parameters, such as choosing a direction or protocol. The universal Formula Rule is a powerful and flexible mechanism for creating filters using Boolean logic. A detailed reference on its syntax can be found.

Tab "Warnings" will help you configure the settings for notifications about various events occurring in the network segment under study.

The Alerts tab allows you to create, edit, delete alert rules, and view current events that match these rules

In order to set a warning rule, you need to click the “Add...” button and select in the window that opens the necessary conditions, upon the appearance of which a notification will be triggered, as well as a method for notifying the user about this.

CommView allows you to define the following types of events to monitor:

• "Detect a package" matching the specified formula. The formula syntax is described in detail in the user manual;
• "Bytes per second." This alert will trigger when the specified network load level is exceeded;
• "Packets per second." Triggered when the specified level of packet transmission frequency is exceeded;
• "Broadcasts per second." The same, only for broadcast packets;
• "Multicasts per second" - the same for multicast packets.
• "Unknown MAC address." This alert can be used to detect new or unauthorized equipment connecting to the network by first defining a list of known addresses using the Setup option;
• The “Unknown IP address” warning will be triggered when packets with unknown sender or recipient IP addresses are intercepted. If you pre-specify a list of known addresses, this alert can be used to detect unauthorized connections through your corporate firewall.

CommView has a powerful tool for visualizing the statistics of the traffic under study. In order to open the statistics window, you need to select the item of the same name from the “View” menu.

Statistics window in “General” mode

In this window you can view network traffic statistics: here you can see the number of packets per second, bytes per second, distribution of Ethernet, IP protocols and subprotocols. Charts can be copied to the clipboard, which will help when you need to compile reports.

Availability, cost, system requirements

The current version of the program is CommView 5.1. From the Tamosoft website you can, which will function for 30 days.

The developer offers customers two license options:

• Home License ( home license), costing 2,000 rubles, gives you the right to use the program at home on a non-commercial basis, while the number of hosts available for monitoring on your home network is limited to five. Within of this type license is not allowed to work remotely using Remote Agent.
• Enterprise License (corporate, cost - 10,000 rubles) provides the right to commercial and non-commercial use of the program by one person who personally uses the program on one or several machines. The program can also be installed on one workstation and used by several people, but not simultaneously.

The application works in operating rooms Windows systems 98/Me/NT/2000/XP/2003. Required for work network adapter Ethernet, Wireless Ethernet, Token Ring with NDIS 3.0 support or a standard remote access controller.

Pros:

• localized interface;
• excellent help system;
• support different types network adapters;
• advanced tools for analyzing packets and identifying protocols;
• statistics visualization;
• functional warning system.

Minuses:

• too high cost;
• lack of presets for interception and warning rules;
• not a very convenient mechanism for selecting a package in the “Packages” tab.

Conclusion

Thanks to its excellent functionality and user-friendly interface, CommView can become an indispensable tool for local network administrators, Internet service providers and home users. I was pleased with the developer’s careful approach to the Russian localization of the package: both the interface and the help guide are very well designed high level. The picture is somewhat clouded by the high cost of the program, but a thirty-day trial version will help a potential buyer decide on the advisability of purchasing this utility.

Wireshark is a powerful network analyzer that can be used to analyze the traffic passing through your computer's network interface. You may need it to detect and solve network problems, debug your web applications, network programs or sites. Wireshark allows you to fully view the contents of a packet at all levels, so you can better understand how the network works at a low level.

All packets are captured in real time and provided in an easy-to-read format. The program supports very powerful system filtering, color highlighting, and other features that will help you find the packages you need. In this tutorial, we'll look at how to use Wireshark to analyze traffic. Recently, the developers began working on the second branch of the Wireshark 2.0 program, many changes and improvements were made to it, especially for the interface. This is what we will use in this article.

Before moving on to considering ways to analyze traffic, you need to consider what features the program supports in more detail, what protocols it can work with and what it can do. Here are the main features of the program:

• Capture packets in real time from wired or any other type of network interfaces, as well as read from a file;
• The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
• Packets can be filtered based on many parameters using filters;
• All known protocols are highlighted in the list different colors, such as TCP, HTTP, FTP, DNS, ICMP and so on;
• Support for capturing VoIP call traffic;
• Decryption of HTTPS traffic is supported if a certificate is available;
• Decryption of WEP and WPA traffic of wireless networks with a key and handshake;
• Displaying network load statistics;
• View package contents for all network layers;
• Displays the time of sending and receiving packages.

The program has many other features, but these were the main ones that might interest you.

How to use Wireshark

I assume that you already have the program installed, but if not, you can install it from the official repositories. To do this, type the command in Ubuntu:

sudo apt install wireshark

After installation, you can find the program in the main menu of the distribution. You need to run Wireshark with superuser rights, because otherwise it will not be able to analyze network packets. This can be done from the main menu or via the terminal using the command for KDE:

And for Gnome/Unity:

The main window of the program is divided into three parts: the first column contains a list of network interfaces available for analysis, the second - options for opening files, and the third - help.

Network traffic analysis

To start analysis, select a network interface, for example eth0, and click the button Start.

After this, the following window will open, already with a stream of packets that pass through the interface. This window is also divided into several parts:

• Top part- these are menus and panels with various buttons;
• List of packages- then the flow of network packets that you will analyze is displayed;
• Package Contents- just below is the contents of the selected package, it is divided into categories depending on the transport level;
• Real performance- at the very bottom the contents of the package are displayed in real form, as well as in HEX form.

You can click on any package to analyze its contents:

Here we see a DNS request packet to get the site's IP address, in the request itself the domain is sent, and in the response packet we receive our question as well as the answer.

For more convenient viewing, you can open the package in a new window by double-clicking on the entry:

Wireshark filters

Manually going through packages to find the ones you need is very inconvenient, especially with an active thread. Therefore, for this task it is better to use filters. There is a special line under the menu for entering filters. You can click Expression to open the filter designer, but there are a lot of them, so we’ll look at the most basic ones:

• ip.dst- target IP address;
• ip.src- sender's IP address;
• ip.addr- IP of the sender or recipient;
• ip.proto- protocol;
• tcp.dstport- port of destination;
• tcp.srcport- sender port;
• ip.ttl- TTL filter, determines the network distance;
• http.request_uri- the requested site address.

To specify the relationship between a field and a value in a filter, you can use the following operators:

• == - equals;
• != - not equal;
• < - less;
• > - more;
• <= - less or equal;
• >= - more or equal;
• matches- regular expression;
• contains- contains.

To combine multiple expressions you can use:

• && - both expressions must be true for the package;
• || - one of the expressions may be true.

Now let's take a closer look at several filters using examples and try to understand all the signs of relationships.

First, let's filter all packets sent to 194.67.215.. Type a string in the filter field and click Apply. For convenience, Wireshark filters can be saved using the button Save:

ip.dst == 194.67.215.125

And in order to receive not only sent packets, but also those received in response from this node, you can combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select transferred large files:

http.content_length > 5000

By filtering the Content-Type, we can select all the pictures that have been uploaded; Let's analyze Wireshark traffic, packets that contain the word image:

http.content_type contains image

To clear the filter, you can press the button Clear. It happens that you do not always know all the information necessary for filtering, but just want to explore the network. You can add any field of a package as a column and view its contents in the general window for each package.

For example, I want to display the TTL (time to live) of a packet as a column. To do this, open the package information, find this field in the IP section. Then call the context menu and select the option Apply As Column:

In the same way, you can create a filter based on any desired field. Select it and bring up the context menu, then click Apply as filter or Prepare as filter, then select Selected to display only the selected values, or Not selected to remove them:

The specified field and its value will be applied or, in the second case, inserted into the filter field:

In this way, you can add a field of any package or column to the filter. There is also this option in the context menu. To filter protocols, you can use more simple conditions. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:

Another interesting feature of the program is the use of Wireshark to track a specific session between the user's computer and the server. To do this, open the context menu for the package and select Follow TCP stream.

A window will then open in which you will find all the data transferred between the server and the client:

Diagnosing Wireshark problems

You may be wondering how to use Wireshark 2.0 to detect problems on your network. To do this, there is a round button in the lower left corner of the window; when you click on it, a window opens Expet Tools. In it, Wireshark collects all error messages and network problems:

The window is divided into tabs such as Errors, Warnings, Notices, Chats. The program can filter and find many network problems, and here you can see them very quickly. Wireshark filters are also supported here.

Wireshark traffic analysis

You can very easily understand what users downloaded and what files they viewed if the connection was not encrypted. The program does a very good job of extracting content.

To do this, you first need to stop traffic capture using the red square on the panel. Then open the menu File -> Export Objects -> HTTP: