How To Go From 0 to Sniffing Packets in 10 Minutes

Meet Wireshark.

Jan 24 2016, 6:30pm

Image: Shutterstock/Evdokimov Maxim

Right around the time I was learning the fine art of packet sniffing in an intro to computer networks class, my home internet network started going completely to hell. Sometimes it was fine, but, increasingly, it was slowing to a sub-dial-up trickle of around 20 Kbps. Given that I live out here in the woods, my whole world is online, from school to work to maintaining social relationships. Having my network (effectively) go down on a regular basis was making me nuts.

The thing is that I share said network (which is cable-based and theoretically quite fast) with a handful of residences: a few apartments, cabins, and RVs. It's a pseudo-public network administered by the landlord. It requires users to click a login button, but does not require them to provide a username or password.

So, to get to the bottom of things, I turned to my friend Wireshark, which is what I'm going to explain below.

Wireshark is a packet sniffing tool, a network packet analyzer. Its basic operation is to take an internet connection—or any network connection really—and register the packets traveling back and forth across it. It gives you everything: packet origin and destination, contents, protocols, messages. I've barely begun to scratch the surface of its capabilities myself, but to do basic packet sniffing, up to and including spying on usernames and passwords, all it takes is a couple of clicks.

0) Network traffic 101

The internet communicates in packets. These are small, discrete units of data that are sent from place to place through the mess of routers and switches that is the network of networks that is this here internet. A packet carries both the information needed to get it from place to place (IP addresses and ports) and data. "Data" might mean the payload itself, like HTML, or it might mean control information about how that payload is to be handled, which is what the headers of the transport-layer protocols TCP and UDP provide. There are a lot of protocols, but everything is still just packets, and a packet is just a stack of headers followed by a payload.

1) Download and Install Wireshark

Wireshark has installers ready to go for Windows and OS X. Linux users can build it from source, but most distributions already ship it as a package (apt-get install wireshark, and so on), which is the easier route. Yes, it's free.

A bit more on what Wireshark is for. Network admins use it to diagnose traffic issues (like mine) or just to collect network data, while security engineers use it to uncover sketchy network traffic (that might indicate keylogging or malware phoning home, for example) and/or network weaknesses (like passwords sent in the clear). Developers use it to build and debug networking applications, while people like me (mostly) use it to understand how networks and their many, many protocols work. It can absolutely be used for evil.

Note that everything Wireshark is about to tell you is already flowing past your network card without Wireshark. Network traffic isn't top secret; the card simply discards what it isn't asked to keep. Fundamentally, all Wireshark does is capture it, decode the protocols layer by layer, and give you a GUI and a set of filters and analysis tools to dig through it.

2) Run Wireshark and pick a network

The first thing you'll be confronted with is a list of your computer's network interfaces. Pick the one of interest (probably Wi-Fi). Even if you're the only user, just seeing what all gets passed back and forth between your machine and the greater internet is pretty interesting. But, yeah, the presence of other users on the same network can make things pretty fun.

It will look something like this:

Image: Wikimedia

3) Be promiscuous

Under Wireshark's preferences dialog, go to the "capture" option. Here you'll see a checkbox for "capture packets in promiscuous mode." You'll probably want this at some point.

Understand that on a shared medium, such as an old hub or an open Wi-Fi network like mine, your network card physically receives frames meant for other users too. (You may all sit behind one public IP address at the landlord's router, but that is not what makes this possible; it's that you share the same wire or the same radio channel.) All of the non-you stuff normally gets filtered out by the adapter itself, which only passes up frames addressed to its own MAC (media access control) address, to the broadcast address, or to a multicast group it has joined. Promiscuous mode turns that filter off, so every frame the card receives gets handed to the operating system, and so to Wireshark, not just those with a matching MAC address. Two caveats a newcomer runs into fast: on a modern switched wired network, unicast frames for other hosts never reach your port in the first place, so promiscuous mode shows you little beyond your own traffic plus broadcasts; and on Wi-Fi, capturing other clients' frames generally requires monitor mode on a supported adapter rather than plain promiscuous mode, and on a WPA-protected network those frames are encrypted unless Wireshark is also given the network key. A click-through network with no password sends everything in the clear.
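As an added example (not code from the article or from Wireshark), here is the filtering decision the adapter makes, in Python, run over a few constructed Ethernet frames: in normal mode only frames to your own MAC, to the broadcast address, or to a multicast group get through; in promiscuous mode everything the card physically received does. The MAC addresses and frame labels are made up, and the multicast handling is simplified (a real card keeps a hash filter of the groups it has joined).

```python
"""Which frames a network card hands up to the OS, with and without promiscuous mode.
Example code, not part of the original article; the frames are constructed."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frame_dst(frame: bytes) -> str:
    """Ethernet II puts the destination MAC in the first six bytes of the frame."""
    return mac_str(frame[:6])


def is_group_address(mac: str) -> bool:
    """Bit 0 of the first octet marks multicast (and therefore also broadcast) destinations."""
    return int(mac.split(":")[0], 16) & 1 == 1


def nic_accepts(frame: bytes, my_mac: str, promiscuous: bool) -> bool:
    """Normal mode: only frames addressed to me, to everyone, or to a group.
    Promiscuous mode: everything that physically reached the card.
    Simplified: real cards accept only the multicast groups they have joined."""
    if promiscuous:
        return True
    dst = frame_dst(frame)
    return dst == my_mac or dst == BROADCAST or is_group_address(dst)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + ethertype.to_bytes(2, "big") + payload)


# Made-up addresses for the example.
MY_MAC = "aa:bb:cc:dd:ee:01"
NEIGHBOUR = "aa:bb:cc:dd:ee:02"
GATEWAY = "00:11:22:33:44:55"

# Constructed traffic on a shared segment: a reply to me, a reply to a neighbour,
# an ARP request (broadcast) and an IPv6 router advertisement (multicast).
SAMPLE_FRAMES = {
    "reply to me": build_frame(MY_MAC, GATEWAY),
    "reply to neighbour": build_frame(NEIGHBOUR, GATEWAY),
    "ARP who-has (broadcast)": build_frame(BROADCAST, NEIGHBOUR, 0x0806),
    "IPv6 router advertisement (multicast)": build_frame("33:33:00:00:00:01", GATEWAY, 0x86DD),
}


def delivered(frames: dict, my_mac: str, promiscuous: bool) -> list:
    """Labels of the frames the OS (and so Wireshark) would get to see."""
    return [label for label, frame in frames.items() if nic_accepts(frame, my_mac, promiscuous)]


if __name__ == "__main__":
    print("normal:     ", delivered(SAMPLE_FRAMES, MY_MAC, promiscuous=False))
    print("promiscuous:", delivered(SAMPLE_FRAMES, MY_MAC, promiscuous=True))
```

The neighbour's reply is the only frame that changes hands between the two modes, and only if it reached your card at all: on a switch it would not, which is why this trick works on hubs and open Wi-Fi and not much else.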

4) Be overwhelmed

The feed you see before you is your computer's (or network's) relationship to the internet, basically. Every packet is accounted for. It's very cool, but also very confusing.

In the beginning, you probably want to turn off promiscuous mode as you're getting a feel for things. With this feature unchecked, you're just seeing your own traffic plus the broadcasts and multicasts everyone on the segment receives. It's still a lot, but much more reasonable.

The Wireshark Wiki offers a billion sample capture files for a billion different internet protocols, but you should probably start with a simple HTTP GET request. This is how a browser asks a server for a specific resource via the HTTP protocol. It's just a small message with a few lines.

So, let's navigate to this HTTP proxy server at the University of Southern California. Do it while Wireshark is capturing packets and, once you're there, stop Wireshark. Go to the filter line and type in "http." Now, you should see something like this:

Image: USC

Two GET requests should show up, both to the same server: the first for the page itself, the second for the page's background image.

Click on a packet, and below the packet list you'll see two more panes: the packet details, which break it down layer by layer (Ethernet, IP, TCP, HTTP), and the packet bytes, which show its exact literal contents in hexadecimal alongside the text those bytes spell out. That text is the GET request.

5) Name names

When I first started Wiresharking, I was going packet by packet and tapping IP addresses into Whois. This isn't very efficient and it turns out to be unnecessary. Go back under preferences and under "name resolution" check the box for resolving network (IP) addresses. Now, instead of strings of numbers, you have domain names. Two things to know: this works by reverse DNS, so Wireshark sends lookups of its own (which show up in your capture and can slow it down), and the reverse name is not always the name the user asked for. The DNS queries and HTTP Host headers already in the capture are often a more honest answer.

6) Being evil

Don't actually be evil, of course, but you should know what a weakness looks like. HTTPS is encrypted, so a sniffer sees only which server you talked to and roughly how much; plain HTTP is not, so the sniffer sees everything. Nonetheless, there are still password-protected sites that don't use HTTPS.

The basic idea is the same as with the HTTP GET request above. We're just looking at the message contents for logins and passwords, whether in a form submission or in an Authorization header. We're also looking for cookies, which are unique identifiers assigned to users by some websites so that those sites can remember who is logged in. Grab a session cookie out of a packet, send it with your own requests, and the site will treat you as the user that cookie was issued to. That is session hijacking, and it is the real potential for evilness here.
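To tie sections 0, 4 and 6 together, here is an added Python example (not code from the article or from Wireshark) that does by hand what Wireshark's panes do: it walks one captured frame's Ethernet, IPv4 and TCP headers, applies a rough equivalent of the "http" display filter, renders the same hex-plus-text view as the bytes pane, and then pulls the Host header, the session cookie and the Basic-auth username and password out of the request. The frame is constructed inline (made-up MACs, addresses, host name and credentials; checksums left at zero), so it runs offline.

```python
"""Dissect one captured Ethernet/IPv4/TCP frame down to its HTTP request and pull out
what anyone sniffing an open network would see. Example code, not Wireshark's;
the frame below is constructed for the demonstration."""
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP, the way Wireshark's details pane nests them."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes, options included
    total_len = struct.unpack("!H", ip[2:4])[0]    # IP header + payload
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip[9]}")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4               # TCP header length, options included
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport,
        "dst_port": dport,
        "payload": tcp[data_offset:],
    }


def looks_like_http(payload: bytes) -> bool:
    """Roughly what typing 'http' in the filter bar keeps: a request or status line in the clear.
    HTTPS carries TLS records instead (first byte 0x16 or 0x17), which fail this test."""
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/"))


def parse_http_request(payload: bytes) -> dict:
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def extract_secrets(request: dict) -> dict:
    """The part that makes plain HTTP dangerous on a shared network."""
    found = {}
    auth = request["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):          # Basic auth is base64, not encryption
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, password)
    cookie = request["headers"].get("cookie")
    if cookie:
        found["cookies"] = dict(c.strip().split("=", 1) for c in cookie.split(";") if "=" in c)
    return found


def hexdump(data: bytes, width: int = 16) -> list:
    """Same layout as Wireshark's bytes pane: offset, hex, printable text."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return rows


def build_sample_frame() -> bytes:
    """Constructed: a members-page GET with Basic auth and a session cookie to port 80.
    IP and TCP checksums are left at zero; a real capture would carry valid ones."""
    creds = base64.b64encode(b"alice:hunter2").decode()   # made-up credentials
    http = (f"GET /members/index.html HTTP/1.1\r\nHost: intranet.example\r\n"
            f"Authorization: Basic {creds}\r\nCookie: session=abc123; theme=dark\r\n\r\n").encode()
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 23]), bytes([203, 0, 113, 10]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    info = parse_frame(SAMPLE_FRAME)
    print(f"{info['src_ip']}:{info['src_port']} -> {info['dst_ip']}:{info['dst_port']}")
    if looks_like_http(info["payload"]):
        request = parse_http_request(info["payload"])
        print(request["method"], request["path"], "Host:", request["headers"]["host"])
        print("leaked:", extract_secrets(request))
    print("\n".join(hexdump(info["payload"])))
```

Everything extract_secrets finds was sitting in plain text on the wire; Basic auth only base64-encodes the password, which is not encryption. The Host header is also usually a better name for the server than the reverse-DNS lookup from step 5, since it is the name the client actually asked for.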

Here's a good quick tutorial on password sniffing from Lifehacker:

Wiresharking goes so, so much deeper, but you at least have a taste. Even if you uninstall the thing now, you should at least have a better appreciation for why you should always, always be using HTTPS.

As for my network troubles, the problem is just that there are too many users. I was hoping to find maybe some interesting network flooding, either from a virus or some misconfigured software, but it's just people watching movies and porn or whatever. On the plus side, I got to know my neighbors a lot better.