Network analysis with Wireshark


With every Internet connection, our computers and mobile devices send and receive data. Anyone who wants to follow this traffic needs a tool like Wireshark for network analysis. Here I give you some tips for getting started.

While computers without a network connection were still sold at the beginning of this millennium, this is hardly conceivable today. Operating systems, desktop software and mobile apps are often programmed to use the Internet and automatically call home. Hardware with an activated WLAN chip encourages this, as does a new smartphone with a SIM card inserted that wants to set up a mobile connection right away. Whether the software is checking for updates, syncing user data or even spying on financial data, contacts and passwords is not visible to the user without tools.

Network tools are necessary
Network tools such as Wireshark allow you to capture and analyze the data traffic that runs through your computer. Without such tools you have hardly any chance of keeping track of the flood of packets, since thousands of them accumulate in no time. In addition, basic network knowledge is an advantage, and further tools such as sslstrip are needed to get at the contents of encrypted connections.

Data traffic with Wireshark
Before you can analyze the traffic, it has to be captured. This can be done directly with Wireshark. However, you have to start Wireshark as an administrator and, of course, have met all the system requirements listed in our Wireshark entry; otherwise you will not see any interface on which you could capture.

Open the "Capture" menu once the sniffer has started. The desired interfaces can now be selected under the options: tick the appropriate checkboxes and then click the start button. In my test, the interface sometimes stayed disabled despite a correctly set checkbox. If this happens to you as well, play around with setting and clearing the checkbox until it becomes active, then tick the desired interfaces before starting the capture.

The packet list
When you capture traffic with Wireshark, for example under Ubuntu on the Ethernet interface "enp1s0", the sniffer immediately shows all packets in the packet list area of the window, one line per packet. This list contains a column for the source and one for the destination, so you can see where your computer receives data from and where it sends data to.

If you do not know your own IP address, you can find it by entering the command "ipconfig" in the command prompt under Microsoft Windows or "ifconfig" in the terminal under Linux. Among other things, you will find the IPv4 and, if applicable, the IPv6 address of your computer there. Alternatively, under Windows you can find the IP address in the "Network and Sharing Center" under the public network. On Ubuntu and other Linux distributions, the network manager also provides the connection information.

Outgoing connections
If you know your IP address and want to find out where your computer connects to, you have to display the packets exchanged with a DNS server. The DNS server matters because it tells your computer which IP address belongs to a host name. For example, the web server www.xxx.xx has the IPv6 address 2a02:2e0:3fe:1001:7777:772e:2:85. If you enter "ip.src == [YourIPAddress] && dns" into the display filter and press Enter, Wireshark shows the packets your computer sends to the DNS server. In the packet details, under "Queries", you find the host name that was looked up. The filter "ip.addr == [YourIPAddress] && dns" also shows the DNS server's answers in the packet list. In the "Standard query response" packets you find the host name under "Answers" and the IP address supplied by the DNS server behind "addr".
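As an added example (not from the original article), a small Python parser that pulls out of a DNS "Standard query response" the same fields Wireshark shows under "Queries" and "Answers". The response bytes are constructed here for www.example.com and are not taken from a real capture.

```python
import ipaddress
import struct

# Constructed sample (not a real capture): a standard query response for
# www.example.com with one A record, the kind of packet "ip.addr == ... && dns" shows.
SAMPLE_DNS_RESPONSE = bytes.fromhex(
    "1a2b" "8180" "0001" "0001" "0000" "0000"          # ID, flags (QR=1), QD=1, AN=1
    "03777777" "076578616d706c65" "03636f6d" "00"       # query name www.example.com
    "0001" "0001"                                       # QTYPE=A, QCLASS=IN
    "c00c" "0001" "0001" "00000e10" "0004" "5db8d822"   # answer: name pointer, A, IN, TTL 3600, 93.184.216.34
)

def read_name(msg, offset):
    """Decode a DNS name, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_dns(msg):
    """Return transaction ID, whether it is a response, and the Queries/Answers sections."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, queries, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        queries.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        # A (1) and AAAA (28) records carry the address Wireshark shows behind "addr"
        addr = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append((name, rtype, ttl, addr))
    return {"id": tid, "response": bool(flags & 0x8000), "queries": queries, "answers": answers}
```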

Surfing data
When you are connected to the Internet and use a browser, the browser connects as a client to a web server in order to receive a web page from it. These connections use the HTTP protocol, which is also often used to download files. If you want to know what your computer sent or received in this context, enter the display filter "ip.addr == [YourIPAddress] && http" and search through the captured packets.

Security of the connection
Especially for critical activities, such as transferring passwords over the Internet, a secure encrypted connection is required. Such SSL/TLS connections are not found with the display filter "http" but with "ssl". For example, if Wireshark captures the traffic between the browser and the web server https://www.xyz.com/, you find this encrypted traffic by entering "ipv6.addr == 2a02:2e0:3fe:1001:7777:772e:2:85 && ssl" into the display filter. The "Protocol" column then shows "TLSv1.2", indicating a secure encrypted connection. To check this, simply click one of these entries in the packet list and open the "Secure Sockets Layer" section in the packet details. There you can see version "TLS 1.2", which corresponds to the current security standard.

It can happen that the version shown in the details of a TLSv1.2 packet is nevertheless the older TLS 1.0. In the test for this blog post this occurred during the handshake, in which browser and server negotiate the encrypted connection that later transports the data. For handshake packets the Info column shows "Client Hello" and "Server Hello"; in the Client Hello, the client tells the server the highest TLS version it understands. Firefox knows the current TLS 1.2, so that, for example, the website data from https://www.xyz.com/ is securely encrypted with TLS 1.2 on its way to the browser after the handshake.
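As an added example (not part of the original article), a Python parser that reads a TLS Hello record the way Wireshark's "Secure Sockets Layer" section does, separating the record-layer version from the version inside the handshake message. The Client Hello and Server Hello bytes are constructed here, not taken from a capture; the cipher suite values are an arbitrary constructed list.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello"}

def build_client_hello():
    """Constructed sample (not a real capture): the record layer says TLS 1.0 while
    the handshake itself offers TLS 1.2, which is what many browsers send."""
    suites = b"\xc0\x2f\xc0\x30"                                   # two suites (constructed list)
    body = (struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"  # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def build_server_hello():
    """Constructed reply: the server settles on TLS 1.2 and picks one suite."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake

def parse_hello(record):
    """Return the two versions Wireshark lists for a Hello packet: the record-layer
    version and the version field inside the handshake message."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                      # skip the 32-byte random
    off += 1 + body[off]                              # skip the session id
    info = {"record_version": VERSIONS.get(rec_version, hex(rec_version)),
            "handshake": HANDSHAKE_TYPES.get(hs_type, hs_type),
            "version": VERSIONS.get(version, hex(version))}
    if hs_type == 1:                                  # client lists every suite it supports
        n = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(off, off + n, 2)]
    elif hs_type == 2:                                # server answers with the one it chose
        info["cipher_suite"] = struct.unpack("!H", body[off:off + 2])[0]
    return info
```

With TLS 1.3 the negotiated version moves into the supported_versions extension, so for that case the Hello version field alone is not enough.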

Refine your search
You can refine your search by selecting "Edit > Find Packet...". An additional line then appears below the display filter. If you choose "Packet details", "Narrow & Wide" and "String", you can search the displayed packets for a word, which you enter in the "String" field. Whether the search is case sensitive is up to you. With this method you can find out, for example, which packets your e-mail address appears in. This can be the case in packets of the SMTP protocol, which is used to send e-mails.

Log all traffic
Wireshark only captures the traffic of the device it runs on. If you want to log your entire Internet traffic, you need a different solution. For home use a Raspberry Pi is sufficient, through which all traffic to the Internet has to be routed.

To achieve this, you can for example connect the Raspberry Pi to the router that connects you to the Internet. You should not connect any other devices to this router, because otherwise their Internet traffic would not pass through the Raspberry Pi. A second router can be connected to the mini-computer via a USB network adapter. The computers and mobile devices are then connected to this second router by LAN cable or WLAN. Their Internet traffic runs from the second router over its WAN port to the Raspberry Pi and from there over the first router into the Internet.

On the Raspberry Pi you can use an operating system such as Raspbian or Kali Linux and the network tool tcpdump to record all packets that pass through the mini-computer. tcpdump has to write its log to a file, which the command "sudo tcpdump -s 65535 -w tcpdump.dump" in the terminal does. For analysis, copy the log file "tcpdump.dump" to the computer on which you have Wireshark and open it there.

Besides this example there are other ways to capture the traffic. If you only want to record the traffic of mobile devices, you do not need a second router, because the Raspberry Pi 3 with Raspbian can also be configured as a hotspot.
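As an added example (not from the original article), a Python writer and reader for the classic pcap format that "tcpdump -w" produces and Wireshark opens. It makes visible what the "-s 65535" snaplen does: packets longer than the snaplen are stored cut short, and Wireshark then shows them as truncated. The two Ethernet frames are constructed here, not real traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def write_pcap(packets, snaplen=65535):
    """Build a pcap file the way tcpdump -w does; packets is a list of (timestamp, frame)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        captured = frame[:snaplen]          # tcpdump keeps only the first -s bytes of each packet
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Parse a pcap file and flag packets that were cut short by the snaplen."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append({"time": sec + usec / 1e6, "captured": incl, "original": orig,
                        "truncated": incl < orig, "data": data[off:off + incl]})
        off += incl
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets}

# Constructed sample frames (not real traffic): a 60-byte minimum-size Ethernet frame
# and a 1514-byte full-size frame, each with a made-up 14-byte Ethernet header.
SAMPLE_FRAMES = [
    (1500000000.25, bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)),
    (1500000000.5, bytes.fromhex("020000000002" "020000000001" "0800") + bytes(1500)),
]

def truncated_count(snaplen):
    """How many of the sample frames a capture with the given snaplen would cut short.
    Older tcpdump versions defaulted to a small snaplen, which is why -s 65535 is passed."""
    pcap = read_pcap(write_pcap(SAMPLE_FRAMES, snaplen))
    return sum(p["truncated"] for p in pcap["packets"])
```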

Observe data protection
If you record not only your own network traffic but also that of other people, you have to ask them for permission. After all, you are watching their Internet and network activities and can read their private data and texts if the connection is not encrypted.

Conclusion
If you want to keep an eye on your traffic, Wireshark is a good tool. Nevertheless, the analysis remains complex, as many connections are opened while using the Internet and several thousand data packets quickly pile up for analysis. That is why Wireshark is primarily aimed at network professionals who want to find and fix problems in their LAN.
