Wireshark Functionality

Practice Labs Module
Time
1 hour
Difficulty
Intermediate

The "Wireshark Functionality" module provides you with the instructions and devices to develop your hands-on skills in the following topics: Packet Processing Explained, GUI Interface Tour, Import and Export Features.


Overview

Introduction

The Wireshark Functionality module provides you with the instructions and devices to develop your hands-on skills in the following topics.

  • Packet Processing Explained
  • GUI Interface Tour
  • Import and Export Features

Lab time: It will take approximately 1 hour to complete this lab.

Exercise 1 - Packet Processing Explained

Wireshark's core engine is made up of the capture engine, which listens on the network, and the Wiretap library, which reads and interprets the captured data; the decoded information then passes through the display filter to the graphical toolkit. The graphical side uses GIMP GTK+ to process the details and present a user-friendly interface.

The capture engine is capable of working in Promiscuous Mode, in which your network interface receives all the traffic arriving at the listening port, even traffic that is not addressed to the Wireshark device. For example, if a device with the IP address 10.75.80.34 is communicating with a device with the IP address 10.75.80.35 on the same network segment and you are in Promiscuous Mode, you should be able to see the conversation even though it is not addressed to you.

However, network traffic visibility will be reduced if your network switch is strictly doing its job, forwarding data only from device A to device B with no broadcast or leakage of any kind. This is excellent in a security environment, but to take advantage of promiscuous capture it is sometimes necessary to configure the switch to repeat all the traffic to a SPAN port, or to use a hub to connect the devices.

When Promiscuous Mode is disabled or switched off, you will only see traffic addressed directly to you, plus broadcast and multicast traffic.

Packets contain data that is formatted, in general terms, according to the OSI model, with information specific to each layer.

Wireshark collects and parses packets, presenting the information loosely in terms of the OSI model (without the physical layer, obviously).

  • Datalink Layer: PPP, Ethernet
  • Network Layer: IP, IPX, ICMP
  • Transport Layer: TCP, UDP
  • Session Layer: AppleTalk
  • Presentation Layer: Jpeg, Mpeg, Gif
  • Application Layer: FTP, HTTP, SMTP
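To make the layer-by-layer parsing described above concrete, here is a small dissector added as an example for this module; it is not Wireshark's code and not part of the original lab text. It walks one constructed Ethernet II / IPv4 / TCP frame the way a dissector chain does: each layer decodes its own header, validates the length fields it is responsible for, and hands the remaining bytes to the layer named in its "next protocol" field (EtherType, IP protocol number). The sample frame, its MAC addresses, ports and sequence numbers are all made up for the example; the IP addresses reuse the 10.75.80.34 / 10.75.80.35 pair from the text. Checksums are not validated. UDP handling is included so the same chain covers both transport protocols listed above.

```python
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP / "GET " payload.
# Every value is made up for this example; checksums are left as zero because
# the dissector below does not validate them.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"  # Ethernet dst MAC
    "66778899aabb"  # Ethernet src MAC
    "0800"          # EtherType 0x0800 = IPv4
    "4500002c"      # IPv4: version 4, IHL 5 (20 bytes), TOS 0, total length 44
    "abcd4000"      # identification, flags DF, fragment offset 0
    "4006"          # TTL 64, protocol 6 = TCP
    "0000"          # header checksum (not validated)
    "0a4b5022"      # src 10.75.80.34
    "0a4b5023"      # dst 10.75.80.35
    "c3500050"      # TCP: src port 50000, dst port 80
    "00000001"      # sequence number
    "00000000"      # acknowledgement number
    "5018"          # data offset 5 (20 bytes), flags PSH+ACK
    "ffff0000"      # window 65535, checksum (not validated)
    "0000"          # urgent pointer
    "47455420"      # payload: "GET "
)

ETHERTYPE_IPV4 = 0x0800
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def _need(data, n, layer):
    """Refuse to read past the end of the buffer instead of decoding garbage."""
    if len(data) < n:
        raise ValueError(f"{layer}: truncated ({len(data)} bytes, need {n})")


def dissect_ethernet(data):
    """Data-link layer: fixed 14-byte Ethernet II header."""
    _need(data, 14, "Ethernet")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"layer": "Ethernet", "src": mac(src), "dst": mac(dst), "type": ethertype}, data[14:]


def dissect_ipv4(data):
    """Network layer: IPv4 header; honours IHL and total length."""
    _need(data, 20, "IPv4")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IPv4: version field is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("IPv4: inconsistent header lengths")
    _need(data, total_len, "IPv4 payload")  # a short buffer raises; Ethernet padding is cut off
    dotted = lambda a: ".".join(str(b) for b in a)
    fields = {"layer": "IPv4", "src": dotted(src), "dst": dotted(dst),
              "ttl": ttl, "proto": IP_PROTO.get(proto, str(proto))}
    return fields, data[ihl:total_len]


def dissect_tcp(data):
    """Transport layer: TCP header; honours the data offset so options are skipped."""
    _need(data, 20, "TCP")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", data[:16])
    offset = (off_flags >> 12) * 4
    if offset < 20:
        raise ValueError("TCP: data offset smaller than minimum header")
    _need(data, offset, "TCP options")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"layer": "TCP", "src_port": sport, "dst_port": dport, "seq": seq,
            "ack": ack, "flags": flags, "window": window}, data[offset:]


def dissect_udp(data):
    """Transport layer: 8-byte UDP header; the length field bounds the datagram."""
    _need(data, 8, "UDP")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    if length < 8:
        raise ValueError("UDP: length smaller than header")
    _need(data, length, "UDP payload")
    return {"layer": "UDP", "src_port": sport, "dst_port": dport}, data[8:length]


def dissect(frame):
    """Chain the dissectors: each layer names the next one, like Wireshark's dissector tree."""
    layers = []
    eth, rest = dissect_ethernet(frame)
    layers.append(eth)
    if eth["type"] != ETHERTYPE_IPV4:  # only IPv4 is decoded in this example
        layers.append({"layer": "Data", "length": len(rest), "bytes": rest})
        return layers
    ip, rest = dissect_ipv4(rest)
    layers.append(ip)
    if ip["proto"] == "TCP":
        l4, rest = dissect_tcp(rest)
        layers.append(l4)
    elif ip["proto"] == "UDP":
        l4, rest = dissect_udp(rest)
        layers.append(l4)
    layers.append({"layer": "Data", "length": len(rest), "bytes": rest})
    return layers


def summary(layers):
    """One line per packet, in the spirit of the Packet List pane."""
    by = {l["layer"]: l for l in layers}
    data, ip = by["Data"], by.get("IPv4")
    if ip is None:
        e = by["Ethernet"]
        return f"{e['src']} -> {e['dst']} type 0x{e['type']:04x} Len={data['length']}"
    line = f"{ip['src']} -> {ip['dst']} {ip['proto']}"
    l4 = by.get("TCP") or by.get("UDP")
    if l4:
        line += f" {l4['src_port']} -> {l4['dst_port']}"
        if "flags" in l4:
            line += " [" + ", ".join(l4["flags"]) + "]"
    return line + f" Len={data['length']}"


if __name__ == "__main__":
    for layer in dissect(SAMPLE_FRAME):
        print(layer)
    print(summary(dissect(SAMPLE_FRAME)))
```

The length checks are the part worth copying: a real dissector trusts neither the buffer length nor the header's own length fields, because a captured frame can be shorter than its headers claim (truncated snaplen, malformed sender), and decoding past the end is where parser bugs live. Feeding the chain a frame cut off after 30 bytes raises a clear "IPv4: truncated" error instead of silently producing wrong fields.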

Exercise 2 - GUI Interface Tour

The Wireshark graphical user interface or GUI is quite comprehensive. At first glance, to a new user, it can be overwhelming, as it displays a lot of information with a lot of options to configure and use specific functions against that information.

In this exercise you will complete the following tasks:

  • Run through the Menu System
  • Tour of the Filters, Packet Lists, Details, Bytes and Status
  • Status, Information Expert and Capture Annotation

Exercise 3 - Export Features

There will often be times when importing a variety of files for analysis, such as logs, is a necessary requirement. Wireshark is commonly the tool of choice for such review because its user interface is easily accessible.

Exporting files, whether saving a pcap in a different format or, more interestingly, exporting the contents of packets, will be key to learning more about what content was exchanged over the network.

In this exercise you will complete the following tasks:

  • Exporting a File
  • Export the packet contents to text file