TechNinjutsu‎ > ‎

Wireshark and IP analysis

posted Dec 10, 2010, 1:13 AM by d graham   [ updated Dec 17, 2010, 10:33 PM ]

As with all computing, the Internet is, at its core, 1's and 0's. If information is coming into your computer, or going out from your computer, it can be logged. There are many tools out there, some free and some paid, which enable a user to more closely inspect and log internet activities.

To understand the internet, you first have to have an understanding of protocols being stacked on top of each other. To abstract away the details, the internet is divided into a series of “Layers”. The application layer, which the familiar HTTP belongs to is the highest layer. Below the application layer sits the transport layer.

Although I am certainly not an expert at http/tcp/udp/ip etc. I will try to provide an introduction to the kinds of things a tool for analyzing network traffic might be useful for. After that I will try to provide an introduction to how a tool like this might be used by someone in a way thats downright scary if you don't know it exists, and an to why you really should know about tools like Wireshark, Cain and Able, the metasploit project and Etherreal.

I recently began using google documents alot. I mean. ALOT. I've got so many files without any folders it boggles the mind and troubles me a bit every time I venture to these documents through the google docs interface. Now a reasonable man would probably just put these documents in folders, but, reasonable I am not. So I decided to code a solution. I've looked into the google docs spreadsheet API and although I am thankful for its existance, I'm probably going to have to look at it a little closer and take a while to understand the whole atom feed paradigm before I could really produce anything. And I want results yesterday. SO... I assumed that the submit part of a google doc's form was just common type of packet called an HTTP POST.

After setting up a google form and filling it out, you could fire up your copy of Wireshark( ) turn on logging on your wifi or ethernet and then submit the form. Now your going to want to do this pretty fast and then stop it, especially if you are on a soho network as there may be lots of other network activity Wireshark will intercept. It's also possible with wireshark to filter your results by type, so for my search I try'd HTTP which just happened to do the trick, after looking through about three packets I was able to see the format required in the HTTP Post and with a little bit of finagling you can reproduce the same HTTP post in .NET or your favorite web language.

Now the reason you should google any of the programs listed above if you don't know about them is because the nature of the Internet doesn't always lend itself to security. Especially if you are on an Open Wifi connection (no password or encryption) or an older WEP encrpyted network, you should know that given enough time it may be possible for a person to collect enough packets "from the air" by sniffing with Wireshark or other tools in what is known as promiscous mode to effectively intercept any communications between your computer and the world wide web. I highly recommend WPA2 with really long passphrases or connecting through a VPN if you must use open connections.

Wireshark available at: is an IP logging and analysis tool which can be downloaded freely from the internet.

Etheral avaible at is another network analysis tool I've heard good things about although I haven't had reason to use yet.  Is a website with a pretty comprehensive list of tools available for network analysis and monitoring.