Wireshark: Packet Capturing & Network Traffic Analysis

Overview: 

In this Guided Project from Coursera, I delve into the complexities of packet analysis using Wireshark on the Ubuntu platform. The project moves from the foundational setup, through capturing packets and filtering for specific protocols, to crafting more precise filters for targeted packet analysis. This documentation recounts that work, sharing the ups, downs, and lessons learned along the way.

Wireshark Introduction:

Wireshark is a popular open-source packet analyzer and network protocol analyzer. It allows users to capture and interactively browse the traffic running on a computer network in real time. Wireshark can capture data from a live network or read data from a file, and it supports a wide range of protocols. It provides detailed information about each captured packet, including header details, payload, and any errors or issues detected.



Key Terminologies:

Packet: A small unit of data transmitted over a network. It is the fundamental unit of information in network communication and is used to encapsulate data for transmission from one device to another.

Superuser: The term "superuser" refers to a user account with elevated privileges or permissions beyond those of regular users. In different contexts, this concept is known by different names, such as "root" on Unix and Linux systems or "Administrator" on Windows systems.

Protocol: A protocol is a set of rules governing how data is exchanged between two parties.

Ethernet: Refers to the data link layer protocol used for local area network communication.

HTTP: Stands for Hypertext Transfer Protocol. It is the foundation of data communication on the World Wide Web and is used for transmitting hypertext (media and text) between web browsers and servers.

HTTPS: Hypertext Transfer Protocol Secure is an extension of the HTTP protocol designed to provide a secure communication channel over the Internet. It adds a layer of encryption to the data transmitted between a user's web browser and the website's server.

Display filter: A mechanism for selectively viewing network traffic based on specific criteria. Display filters allow you to focus on the packets that are relevant to your analysis and hide the ones that are not.

Task 1: Getting Started:

Installed and configured Wireshark on Ubuntu

Navigating through the sea of online guides, I set up Wireshark on my Ubuntu system for network analysis. I added the stable Wireshark repository with the command sudo add-apt-repository ppa:wireshark-dev/stable so that I could install and update Wireshark from the stable releases. I noted the importance of not running Wireshark as a superuser for security reasons, and instead added my user to the wireshark group with sudo usermod -aG wireshark $USER so that my normal account could capture packets.

Setting up permissions for superusers

Adding user to the group

First window after configuring Wireshark

Task 2: Captured Packets on an Ethernet port

I captured data on the 'en0' Ethernet port. In Wireshark the wired interface, which carries the Ethernet packet capture, begins with 'en'. I started capturing packets, then stopped the capture and saved all the gathered information to a file called 'capture1.pcap'.

Selecting wired interface

Capturing and stopping packets

Saving captured packets in a file

Task 3: Detected HTTPS packets using display filter

To display only certain packets from an existing packet capture, I applied the display filter tcp.port == 443 to see only HTTPS traffic, isolating it from the rest of the capture.

Applying display filter

Task 4: Detected the IP address of a visited website using a display filter

Detecting a website visit and finding its IP address was like solving a mystery. I used the TLS handshake display filter tls.handshake.type == 1, which matches Client Hello messages, to detect a website visit in the packet list; from there I traced the communication and then filtered for the website's IP address (---.---.---.---).

Applying display filter
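To make concrete what tls.handshake.type == 1 actually matches, here is an added example (not code from the Coursera project or from Wireshark) that builds a minimal, constructed TLS Client Hello record and parses it the way the dissector does: record header, handshake type byte, and the Server Name Indication (SNI) extension. The server name is sent in the clear in the Client Hello, which is why this one filter is enough to spot a site visit; the destination IP of the same packet is the address the write-up then filtered on. The byte layout follows the TLS record and handshake formats; the hostnames and the three-record "packet list" are constructed sample data.

```python
"""Parse TLS Client Hello records: what tls.handshake.type == 1 selects, and why it reveals the site."""
import struct
from typing import List, Optional, Tuple

HANDSHAKE = 0x16          # TLS record content type for handshake messages
CLIENT_HELLO = 1          # handshake message type matched by tls.handshake.type == 1
SNI_EXTENSION = 0x0000    # server_name extension type


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 Client Hello record carrying an SNI extension (sample data)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeros, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(ext)) + ext       # extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_handshake(record: bytes) -> Optional[Tuple[int, Optional[str]]]:
    """Return (handshake_type, sni) for a handshake record, or None if the record is not a handshake.

    sni is None for every message type except Client Hello, or when no SNI extension is present.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        return None
    hs_type = hs[0]
    if hs_type != CLIENT_HELLO:
        return hs_type, None
    try:
        pos = 4 + 2 + 32                                   # header, client_version, random
        pos += 1 + hs[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:                              # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SNI_EXTENSION and elen >= 5:
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs_type, hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                               # truncated or malformed: type known, no SNI
    return hs_type, None


def client_hellos(records: List[bytes]) -> List[Tuple[int, Optional[str]]]:
    """Mimic tls.handshake.type == 1 over a packet list: (packet index, server name) per match."""
    hits = []
    for idx, rec in enumerate(records):
        parsed = parse_handshake(rec)
        if parsed is not None and parsed[0] == CLIENT_HELLO:
            hits.append((idx, parsed[1]))
    return hits


# Constructed sample "packet list": two Client Hellos, a Server Hello with an empty body, and application data.
RECORDS: List[bytes] = [
    build_client_hello("example.com"),
    b"\x16\x03\x03\x00\x04\x02\x00\x00\x00",   # handshake type 2 (Server Hello), constructed
    b"\x17\x03\x03\x00\x05" + bytes(5),        # content type 0x17: application data, not a handshake
    build_client_hello("www.example.net"),
]

if __name__ == "__main__":
    for idx, name in client_hellos(RECORDS):
        print(f"packet {idx}: Client Hello for {name}")
```

The parser deliberately returns the handshake type even when the message is not a Client Hello, so the same routine can be pointed at tls.handshake.type == 2 (Server Hello) if you want the other side of the exchange.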


Task 5: Located all HTTPS packets from a capture not containing a certain IP address

Applied conditional statements to include and eliminate packets from a Wireshark capture.

!(ip.addr == -.--.--.--) and (tcp.port == 443) This filter shows packets in which neither the source nor the destination IP address is -.--.--.-- and the TCP port is 443.
A compound conditional statement !(ip.addr == -.--.--.--) and (tcp.port == 80 or tcp.port == 443) includes packets that do not have -.--.--.-- as their source or destination IP address and whose TCP source or destination port is either 80 or 443.

Applying conditional statement

Applying compound conditional statement
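Tasks 3 and 5 both rely on two properties of Wireshark display filters that are easy to get wrong: a field such as ip.addr or tcp.port matches if either the source or the destination value is equal, and "and" binds tighter than "or". The following is an added example (not code from the project or from Wireshark) that mirrors those semantics in plain Python over a constructed six-packet list, so the effect of the parentheses from the lesson below can be seen directly. The addresses are documentation-range placeholders standing in for the redacted -.--.--.--; the filters themselves are the ones quoted in Tasks 3 and 5.

```python
"""Mirror Wireshark display-filter semantics (ip.addr, tcp.port, and/or precedence) over sample packets."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    no: int
    ip_src: str
    ip_dst: str
    tcp_srcport: int
    tcp_dstport: int


# Constructed sample packet list; not the project's capture1.pcap.
PACKETS: List[Packet] = [
    Packet(1, "10.0.0.5", "203.0.113.10", 51000, 443),   # client -> excluded host, HTTPS
    Packet(2, "203.0.113.10", "10.0.0.5", 443, 51000),   # excluded host -> client, HTTPS reply
    Packet(3, "10.0.0.5", "198.51.100.7", 51001, 443),   # client -> other host, HTTPS
    Packet(4, "10.0.0.5", "198.51.100.7", 51002, 80),    # client -> other host, HTTP
    Packet(5, "10.0.0.5", "198.51.100.7", 51003, 53),    # neither 80 nor 443
    Packet(6, "10.0.0.5", "203.0.113.10", 51004, 80),    # client -> excluded host, HTTP
]

# Placeholder for the address redacted as -.--.--.-- in the write-up.
EXCLUDED_HOST = "203.0.113.10"

Filter = Callable[[Packet], bool]


def ip_addr_eq(p: Packet, addr: str) -> bool:
    """ip.addr == addr: true if EITHER the source or the destination address matches."""
    return p.ip_src == addr or p.ip_dst == addr


def tcp_port_eq(p: Packet, port: int) -> bool:
    """tcp.port == port: true if EITHER the source or the destination port matches."""
    return p.tcp_srcport == port or p.tcp_dstport == port


def https_only(p: Packet) -> bool:
    """Task 3: tcp.port == 443"""
    return tcp_port_eq(p, 443)


def https_excluding_host(p: Packet) -> bool:
    """Task 5: !(ip.addr == X) and (tcp.port == 443)"""
    return not ip_addr_eq(p, EXCLUDED_HOST) and tcp_port_eq(p, 443)


def web_excluding_host(p: Packet) -> bool:
    """Task 5: !(ip.addr == X) and (tcp.port == 80 or tcp.port == 443)"""
    return not ip_addr_eq(p, EXCLUDED_HOST) and (tcp_port_eq(p, 80) or tcp_port_eq(p, 443))


def web_excluding_host_no_parens(p: Packet) -> bool:
    """The same filter with the inner parentheses dropped:
        !(ip.addr == X) and tcp.port == 80 or tcp.port == 443
    'and' binds tighter than 'or', so Wireshark reads it as
        (!(ip.addr == X) and tcp.port == 80) or tcp.port == 443
    and every port-443 packet gets through, including the excluded host's."""
    return (not ip_addr_eq(p, EXCLUDED_HOST) and tcp_port_eq(p, 80)) or tcp_port_eq(p, 443)


def legacy_ip_addr_ne(p: Packet) -> bool:
    """ip.addr != X as Wireshark releases before 4.0 evaluated it: true if EITHER address
    differs from X, which holds for practically every packet, so nothing useful is excluded.
    Wireshark 4.0 changed != to mean the same as !(ip.addr == X); the negated form is
    the one that behaves identically on every version."""
    return p.ip_src != EXCLUDED_HOST or p.ip_dst != EXCLUDED_HOST


def apply_filter(filt: Filter, packets: List[Packet] = PACKETS) -> List[int]:
    """Return the packet numbers the filter lets through, as the packet list pane would show."""
    return [p.no for p in packets if filt(p)]


if __name__ == "__main__":
    for name, filt in [
        ("tcp.port == 443", https_only),
        ("!(ip.addr == X) and (tcp.port == 443)", https_excluding_host),
        ("!(ip.addr == X) and (tcp.port == 80 or tcp.port == 443)", web_excluding_host),
        ("!(ip.addr == X) and tcp.port == 80 or tcp.port == 443", web_excluding_host_no_parens),
        ("ip.addr != X  (pre-4.0 semantics)", legacy_ip_addr_ne),
    ]:
        print(f"{name:60s} -> packets {apply_filter(filt)}")
```

Running it shows packets 1 and 2 (the excluded host's HTTPS exchange) reappearing as soon as the parentheses around the port test are removed, which is exactly the order-of-evaluation error the lesson below warns about.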

Lessons Learned:

The first challenge presented itself when I sought to install the latest stable version. Navigating through the sea of online guides, I learned not to run Wireshark as a superuser, for security purposes.

I initially tried to observe the flood of packets as they arrived, then realized I needed to stop the capture first to truly see what was there.

A compound statement should include parentheses to avoid errors in the order of evaluation.

Conclusion:

The journey highlighted lessons in installation, packet analysis nuances, and the significance of well-structured conditional statements. Overall, this project enhanced my technical skills and understanding of network security through practical experience with Wireshark.

CERTIFICATE OF COMPLETION
