Welcome back, my aspiring network forensics investigators!
In my previous post in this series, I introduced you to the most widely-used network forensics tool in the world, Wireshark. No network forensic investigator can do without it this valuable tool!
In this tutorial, we will try to advance your knowledge and understanding of Wireshark to the level where you can use it's many features in an actual network forensic investigation.
Step #: Start Wireshark
The first step is to start Wireshark and start the packet capture on the appropriate network interface.
Step #2: Name Resolution
Data on any network you are analyzing often has indecipherable names. IPv4 addresses are 4 octets of decimal data such as 192.168.1.101 and MAC addresses are 6 hexadecimal units such as "00.AA.CD.11.EF.23" . Often it is easier to decipher and analyze this data if it's converted to a human-readable name rather than a number, much like DNS does for us when we are browsing the Internet. Wireshark has the capability to do just that for us automatically.
In Wireshark, there are three types of name resolution;
1. MAC Addresses
2. Network Name
3. Transport Name
To enable name resolution, click Capture -> Options (the capture must be stopped first).
From the Capture Interfaces window, click on the 3rd tab, Options. There you will see the "Name Resolution" box and the three options.
To see name resolution at all three levels, click all three boxes. This should definitely make your analysis at bit easier.
Step #3: Protocol Dissection
Often, our analysis of network traffic will require some protocol dissection to illuminate what was actually happening on the network. For instance, we may want to see which IP packets are fragmented or which TCP packets a have the RST flag set. We can do this by creating the appropriate filter and dissecting these packets using the middle window in Wireshark.
For instance, if we want to see which IP packets have been fragmented, we will want to create a filter for the field in the IP header often referred to as flags or more fragments (MF). When this flag is set, it means the packet has been fragmented and needs reassembly at the target system (attackers will often fragment packets in an attempt to bypass firewalls and IDS's).
We can find fragmented packets by clicking on the Expression tab and opening the Display Filter Expression window like below.
Here we can select the IP protocol and expand it until we find ip.flags.mf (more fragments) and then selecting == and setting the value to 1. Now, Wireshark will only display packets where the IP flag is set to MF or fragmented packets. The displayed packets will be fragmented packets. These can happen in the normal course of transmission or may be an indication an attacker is trying to bypass detection from a IDS or firewall.
Unlike the IP flag, TCP has its own flags. These flags signal the intention of the TCP packet sender, such as initiate a connection (SYN) or breakdown a session (FIN). If we want to see all the packets that are initiating a TCP session, we can set the Wireshark filter to;
tcp.flags.syn == 1
This will filter out packets except those initiating a TCP session. When we select one of those packets, we can dissect it in the middle window and see that it has the SYN flag set.
The same can be done for any of the six flags in TCP (SYN, ACK, FIN, PSH, URG, RST). The RST flag is used by TCP to signal a "hard close" of a connection or a packet has arrived at the wrong port or IP. To find those packets, we can use the following filter;
Step #4: Following Streams
Often in doing our network traffic analysis, we may want to follow TCP streams. Rather than view tiny bits of data stretched across multiple packets, TCP streams enables the combination of this data to indicate what is actually happening at the application layer (layer 7) to the end user. This may be necessary to follow chat or IM messaging.
To create a TCP stream, right click a packet and select Follow and then TCP Stream.
This will then open window with all the information of that stream in ASCII (default).
Step #5:Statistics Window
When we are analyzing large amounts of data, it is often useful to get statistics on the volume of packets utilizing each of the protocols such a TCP, UDP, DNS, ICMP, etc. This can be a useful strategy for developing a baseline snapshot of what your normal traffic looks like making it easier when a problem arises to identify anomalous traffic. Obviously, if you don't know what your normal traffic looks like, you can NOT identify anomalous traffic.
To view the protocol statistics, click Statistics tab at the top menus and then select Protocol Hierarchy.
As you can see, Wireshark now creates a display window with all the data on the various protocols. If you have this data from normal traffic before there are problems, you can take another snapshot when problems arise and compare them to try to identify changes and possibly the source of the problem or issue.
Step #6: Viewing Endpoints
Sometimes when doing traffic analysis, we want to see where the traffic ends. In other words, we want to see the endpoints of communication. This may be a IP address or a MAC address.
To see the communication endpoints with their statistics, we can select Statistics and then Endpoints.
In addition, we can filter this data by protocol by clicking on the Endpoint Types button in the lower right corner and selecting the protocol we want to filter for.
Step #7: Conversations
While analyzing network traffic, at times we may want to see data on a conversation between two endpoints. We can do that by selecting Statistics and then Conversations.
Wireshark will pop up a window like that above, showing each conversation and then statistics relative to that conversation such number of packets, bytes, duration of the conversation etc.
Every network forensic investigator MUST be conversant in Wireshark. This powerful tool enables us to dissect network traffic down to finest granular detail. Investment in your knowledge of this tool will pay significant dividends in your forensics career!
For more on Wireshark and network forensics, see my Network Forensics series and my upcoming Network Forensics live training!