It is a calm, quiet evening. You are watching your favorite film on the computer, and the small network-activity icon in the tray catches your attention:
That is strange. Could it be the browser? It is closed. Your messenger? It is off. Perhaps the operating system is updating? No: the Update Service icon sits in the same notification area, and it is idle.
So what is causing the network activity? The network protocol analyzer Wireshark will help us solve this riddle.
Wireshark® is available under the GNU General Public License, which is the most widely used free software license.
You can download the installer from the download section of the official website, http://www.wireshark.org/download.html. Linux users will find the program in their distribution's package manager:
Windows users may be interested in Wireshark Portable. It requires no installation and can be carried to any other computer on a USB flash drive. This is the version we will look at.
The self-extracting archive offered for download is a little over 18 megabytes. When run, it displays the following window:
It then asks for the folder to install the program into:
After installation we go to the chosen folder and run "WiresharkPortable.exe". An unpleasant surprise awaits:
To capture and analyze network packets we need WinPcap. WinPcap consists of a kernel driver that extends the operating system with low-level network access, and a library that makes that low-level access easy to use from applications. Because it installs a driver, setting it up requires administrator privileges on the machine. More information is available on the official website http://www.winpcap.org.
So we install it, and finally we see the Wireshark window:
We leave the "Capture Help" section for self-study and go straight to capturing packets. First, select the network interface to monitor. The list of capture interfaces varies from system to system; the previous screenshot shows the interfaces of my virtual machine, while on a netbook with Wi-Fi the list looks like this:
Select the Fast Ethernet Controller and we see:
The columns show the packet number, the time in seconds since the capture started, the source, the destination, the protocol, and summary information about the packet.
Even this view tells us something about the network activity. For example, look up which Internet resource sits at the IP address "74.125.106.145": it is Google. That fits, because I was looking up information while writing this text. The rows highlighted in gray are a request to the IP address "209.85.137.125". That is also Google, specifically the server responsible for the Google Talk service. This fits too: my Pidgin periodically queries the server for my contacts' status and sends my own.
Let us look at the captured data in more detail. Right-click the line of interest and select "Follow TCP Stream":
Wireshark reassembles the entire TCP stream the packet belongs to, not just the selected packet, and shows it in the following form:
Here we can see the request method (GET) and that the request was sent to av-school.ru. The User-Agent header identifies the browser as Shiretoko/3.5.5pre. In short, these are the usual attributes of an ordinary HTTP request to a site.
The blue text is the server's response. It contains information about the server and the HTML source of the page. Note that this page is sent uncompressed; when we send a request to Google, the stream comes back compressed with gzip, so the body looks like binary in the Follow TCP Stream window (the packet details pane still shows the decoded HTML, because the HTTP dissector uncompresses entity bodies by default):
It is impossible to describe all of Wireshark's features in one article. Its feature set includes: deep inspection of hundreds of protocols, with more being added all the time; live capture and offline analysis; a standard three-pane packet browser; multi-platform support (Windows, Linux, OS X, Solaris, FreeBSD, NetBSD and many others); browsing captured data either in the GUI or with the TTY-mode TShark utility; the most powerful display filters in the industry; rich VoIP analysis; reading and writing many capture file formats; on-the-fly decompression of gzip-compressed capture files; and much more. Let us consider just a few of them. For example, if you already know the address to which the requests are sent, you can filter out everything else with the display filter "ip.addr eq <address>":
You can also show only the packets your computer sends to that address. For this, use the filter "ip.dst == <address>" (the field is ip.dst, not ip.dist; "ip.src == <address>" shows the opposite direction):
In this way you can obtain the full URL from which a malicious, or merely suspicious, program is being downloaded.
When you have finished, you can save the capture to a file and close the program.
On closing, the program displays the following window:
Now everything falls into place: the program follows the portable-software philosophy of leaving as little as possible behind on the system once the work is done, so it offers to uninstall WinPcap. If you intend to keep using Wireshark, press "Cancel"; next time you will not have to install WinPcap again, and the uninstall prompt will not be shown.
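To make the last few steps concrete, here is an added example (not code from the original article or from the Wireshark project) that does by hand what the screenshots show Wireshark doing: it dissects Ethernet/IPv4/TCP frames into the packet-list columns, applies the display filters "ip.addr eq <address>" and "ip.dst == <address>", follows the TCP stream of a selected packet by reordering segments by sequence number, and gunzips a compressed HTTP response body. The capture is constructed inline with zeroed checksums; the Google and Google Talk addresses are the ones from the text, while the client address, ports, sequence numbers and the fake search response are assumptions. The filter parser only understands the three fields and the two equality operators used here.

```python
"""Hand-rolled version of Wireshark's packet list, display filters and Follow TCP
Stream, run over a constructed capture (no network or pcap file needed)."""
import gzip
import socket
import struct

# Addresses from the article; the client address is an assumption.
CLIENT, GOOGLE, GTALK = "192.168.1.10", "74.125.106.145", "209.85.137.125"


def build_frame(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP (PSH/ACK) frame; checksums are left
    at zero because the dissector below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ipv4 + tcp


def parse_frame(frame: bytes) -> dict:
    """Dissect one frame into the columns Wireshark shows in its packet list."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("only IPv4/TCP frames are handled here")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}


def display_filter(packets, expr: str):
    """Tiny subset of display-filter syntax: 'ip.addr eq X', 'ip.src == X',
    'ip.dst == X'. ip.addr matches either endpoint, as in Wireshark."""
    field, op, value = expr.split()
    if op not in ("==", "eq"):
        raise ValueError("unsupported operator: " + op)
    keys = {"ip.addr": ("src", "dst"), "ip.src": ("src",), "ip.dst": ("dst",)}[field]
    return [p for p in packets if any(p[k] == value for k in keys)]


def follow_tcp_stream(packets, selected: dict):
    """Reassemble both directions of the conversation 'selected' belongs to,
    ordering segments by sequence number as Follow TCP Stream does.
    Returns (bytes sent by selected's source, bytes sent back to it)."""
    fwd = (selected["src"], selected["sport"], selected["dst"], selected["dport"])
    rev = (selected["dst"], selected["dport"], selected["src"], selected["sport"])

    def direction(endpoints):
        segs = [p for p in packets
                if (p["src"], p["sport"], p["dst"], p["dport"]) == endpoints]
        return b"".join(p["payload"] for p in sorted(segs, key=lambda p: p["seq"]))

    return direction(fwd), direction(rev)


def decode_http(raw: bytes):
    """Split an HTTP message into (start line, headers, body), gunzipping the
    body when it was sent with Content-Encoding: gzip."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    return lines[0], headers, body


# Constructed capture: a Google Talk exchange (noise) plus one HTTP exchange
# whose gzip response is split into two segments captured out of order.
PAGE = b"<html><body>search results</body></html>"
GZ = gzip.compress(PAGE, mtime=0)
REQUEST = (b"GET /search?q=wireshark HTTP/1.1\r\nHost: www.google.com\r\n"
           b"User-Agent: Shiretoko/3.5.5pre\r\nAccept-Encoding: gzip\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: gws\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(GZ)) + GZ
SPLIT = len(RESPONSE) // 2
CAPTURE = [
    build_frame(CLIENT, GTALK, 51000, 5222, 9000, b"<presence/>"),
    build_frame(CLIENT, GOOGLE, 50000, 80, 1000, REQUEST),
    build_frame(GOOGLE, CLIENT, 80, 50000, 2000 + SPLIT, RESPONSE[SPLIT:]),
    build_frame(GOOGLE, CLIENT, 80, 50000, 2000, RESPONSE[:SPLIT]),
    build_frame(GTALK, CLIENT, 5222, 51000, 7000, b"<presence from='contact'/>"),
]
PACKETS = [parse_frame(f) for f in CAPTURE]

if __name__ == "__main__":
    for p in display_filter(PACKETS, "ip.addr eq " + GOOGLE):
        print(p["src"], "->", p["dst"], len(p["payload"]), "bytes")
    request = display_filter(PACKETS, "ip.dst == " + GOOGLE)[0]
    sent, received = follow_tcp_stream(PACKETS, request)
    print(sent.decode())
    print(decode_http(received))
```

Running it prints the three packets that "ip.addr eq 74.125.106.145" would leave in the packet list, then the reassembled GET request exactly as the Follow TCP Stream window shows it, and finally the response with its gzip body already decompressed, which is what Wireshark's packet details pane gives you even when the raw stream looks like binary. The Google Talk packets drop out of the filtered view, just as in the screenshots.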