💡 Este tutorial está traducido por IA desde la versión en inglés. Para ver la versión original, puedes hacer clic aquí
In the field of Cybersecurity, understanding and identifying suspicious network activities is crucial for maintaining a secure and resilient network infrastructure. This tutorial will guide you through the process of using Wireshark, a powerful network protocol analyzer, to detect and analyze potential threats in your network environment.
Wireshark is a powerful, open-source network protocol analyzer that allows you to capture and inspect data traveling back and forth on a network in real-time. Security professionals use it to:
Let's start by installing Wireshark on our Ubuntu system. Open a terminal and execute the following commands:
sudo apt update
sudo apt install -y wiresharkDuring the installation, you will be asked if non-superusers should be able to capture packets. Select "Yes" for convenience in this lab environment.
The installation may take a few minutes. Once completed, you should see output indicating that Wireshark has been successfully installed.
To capture packets without running Wireshark as root, we need to add our user to the wireshark group:
sudo usermod -a -G wireshark $USERFor the changes to take effect, we need to log out and log back in, but for this lab, we can apply the changes immediately with the following command:
newgrp wiresharkLet's verify that Wireshark has been installed correctly:
wireshark --versionYou should see output similar to:
Wireshark 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.15.3, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with Lua 5.2.4, with GLib 2.72.1, with zlib 1.2.11,
with Snappy, with libpcap 1.10.1, with GNUTLS 3.7.3, with Gcrypt 1.9.4.Now let's start Wireshark with the graphical interface:
wireshark &The Wireshark application will open in a new window. You will see the main interface with a list of network interfaces available for packet capture.
Take a moment to familiarize yourself with the Wireshark user interface:
In the next step, we will learn how to capture network traffic using Wireshark.
Before we can capture network traffic, we need to understand which network interface to monitor. In a typical system, you might have several interfaces:
eth0 or ens33: Ethernet (wired) connectionwlan0: Wi-Fi connectionlo: Loopback interface (local traffic)Let's check the available network interfaces on our system:
ip aThis command will display all network interfaces. Look for interfaces like eth0, ens33, or other network interfaces (the exact name depends on your system configuration).
To ensure we have some network traffic to analyze, let's generate some basic HTTP traffic by making a few web requests:
## Create a directory to save our captures
mkdir -p ~/wireshark_lab
## Generate some HTTP traffic
curl -s http://example.com > /dev/null
curl -s http://google.com > /dev/nullNow, let's capture some network traffic using Wireshark:
wireshark &In the Wireshark main window, find your primary network interface (likely eth0 or ens33 - use the interface you identified earlier with the ip a command).
Double-click on the network interface to start capturing packets.
You will see packets starting to appear in the main window as they are captured:
Let's generate some more network traffic while Wireshark is capturing:
## Open a new terminal window and execute:
ping -c 5 google.comGo back to Wireshark, and you should see the ICMP ping packets appearing in the capture.
To stop the capture, click on the red square button in the toolbar or go to Capture > Stop.
Now that we have captured some network traffic, let's save it for further analysis:
In Wireshark, go to File > Save or press Ctrl+S.
Navigate to the ~/wireshark_lab directory we created earlier.
Name your file basic_capture.pcapng and click Save.
## Verify that the capture file was saved
ls -la ~/wireshark_lab/You should see your basic_capture.pcapng file in the output.
Let's practice opening our saved capture file:
In Wireshark, go to File > Open or press Ctrl+O.
Navigate to ~/wireshark_lab/basic_capture.pcapng and open it.
The captured packets should now be displayed in Wireshark, ready for analysis.
In the next step, we will learn how to filter and analyze this captured traffic to identify specific types of network activities.
Wireshark display filters allow you to view only the packets that match specific criteria. This is essential when analyzing large packet captures to find relevant information.
The basic syntax for Wireshark display filters is:
protocol.field == valueFor example:
ip.addr == 192.168.1.1 - Shows packets with this IP addresstcp.port == 80 - Shows packets with TCP port 80http - Shows all HTTP packetsLet's practice applying some basic filters to our captured traffic:
wireshark ~/wireshark_lab/basic_capture.pcapng &Locate the filter bar at the top of the packet list (it says "Apply a display filter..." when empty).
Let's filter for DNS traffic. Type the following in the filter bar:
dnsYou should now see only DNS packets in the display. These are domain name resolution requests and responses.
httpApply the filter and observe the HTTP packets.
ip.addr == [replace_with_an_ip_from_your_capture]For example: ip.addr == 93.184.216.34 (if you see traffic to example.com)
You can combine filters using logical operators:
&& or and for AND operation|| or or for OR operation! or not for NOT operationLet's try a combined filter:
http && ip.addr == [replace_with_an_ip_from_your_capture]This will show HTTP traffic only to/from the specified IP address.
Let's create and save a filter for TCP traffic:
tcpApply the filter. You should see only TCP packets.
Let's save this filter for future use. Click on the "+" button at the right side of the filter bar.
In the dialog that appears, enter:
TCP TraffictcpClick on "Save" to save this filter.
Wireshark provides a helpful visualization of the protocols in your capture:
Go to Statistics > Protocol Hierarchy.
This shows a breakdown of protocols by percentage and packet count.
Close this window when done reviewing.
Let's save a filtered view of our capture:
Apply a filter of your choice (e.g., http or dns).
Go to File > Export Specified Packets.
Ensure "Displayed" is selected in the "Packet Range" section.
Navigate to ~/wireshark_lab/ and save as filtered_capture.pcapng.
Verify the file was saved:
ls -la ~/wireshark_lab/You should see both your original and filtered capture files.
In the next step, we'll use these filtering techniques to identify suspicious network activities.
When analyzing network traffic for security purposes, certain patterns and behaviors may indicate suspicious or malicious activities:
For learning purposes, let's simulate some suspicious network activities that we can detect with Wireshark:
## Create a directory for our security analysis
mkdir -p ~/wireshark_lab/security_analysis
## Simulate a port scan (limited to a few ports for demonstration)
nmap -p 80,443,22,21,25 scanme.nmap.org > ~/wireshark_lab/security_analysis/scan_results.txt 2>&1Note: The nmap command above performs a scan on common ports of the scanme.nmap.org server, which is specifically set up for testing nmap.
wireshark &In Wireshark, double-click on your primary network interface to start capturing.
In a separate terminal, run the simulation command:
## Simulate another port scan while capturing
nmap -p 80,443,22,21,25 scanme.nmap.org > /dev/null 2>&1After the command completes, stop the Wireshark capture by clicking the red square button.
Save this capture as suspicious_traffic.pcapng in the ~/wireshark_lab/security_analysis/ directory.
Port scanning is a common reconnaissance technique used by attackers to discover services running on a system. Let's identify the port scanning activity in our capture:
tcp.flags.syn == 1 && tcp.flags.ack == 0This filter shows TCP SYN packets, which are used to initiate connections. A large number of these packets to different ports on the same host is indicative of port scanning.
tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.addr contains scanme.nmap.orgLet's document our findings in a simple security analysis report:
## Create a report file
nano ~/wireshark_lab/security_analysis/security_report.txtAdd the following content to the file:
Security Analysis Report
=======================
Date: [Current Date]
Findings:
1. Port Scanning Activity Detected
- Source: [Your IP address]
- Target: scanme.nmap.org
- Targeted Ports: 80, 443, 22, 21, 25
- Evidence: TCP SYN packets to multiple ports
2. Analysis Method:
- Used Wireshark to capture network traffic
- Applied filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
- Identified pattern of systematic connection attempts
3. Recommended Actions:
- Monitor for unauthorized scanning activities
- Implement firewall rules to limit outbound scanning
- Consider implementing network intrusion detection systemsSave the file by pressing Ctrl+O, then Enter, and exit nano with Ctrl+X.
Let's create a custom filter for detecting potential security issues:
(tcp.flags.syn == 1 && tcp.flags.ack == 0) || (dns.qry.type == 1 && dns.qry.name contains "suspicious") || (http.request && ip.addr == 192.168.0.1)This complex filter looks for:
Save this filter:
Security MonitoringExport this filter configuration for future use:
## First, open your Wireshark profile directory to find the saved filters
ls -la ~/.config/wireshark/Let's verify our security analysis artifacts:
## List all the files we've created
ls -la ~/wireshark_lab/security_analysis/You should see:
scan_results.txt - Output from our nmap scansuspicious_traffic.pcapng - Wireshark capture of suspicious activitiessecurity_report.txt - Our analysis reportThese files represent a basic cybersecurity analysis workflow:
In a real security environment, you would continue to refine your detection techniques, create more sophisticated filters, and integrate Wireshark analysis with other security tools for comprehensive threat detection and response.
In this lab, you have gained hands-on experience with Wireshark, a powerful network protocol analyzer widely used in cybersecurity. You have learned how to:
These skills form the foundation of network traffic analysis for cybersecurity purposes. By understanding how to effectively use Wireshark, you can monitor network traffic, detect anomalies, and identify potential security threats before they cause significant damage.
As you continue your cybersecurity journey, you can build upon these basics by learning more advanced filtering techniques, developing custom detection rules, and integrating Wireshark with other security tools to create comprehensive network monitoring solutions.
