×
Community Blog Installing Wireshark on Alibaba Cloud

Installing Wireshark on Alibaba Cloud

In this tutorial, we are going to see how to use Wireshark, one of the best protocol analyzer to monitor our traffic.

By Colince Azeye, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

When it comes to checking for what is going on through your network, or checking if some configurations you did are OK, you may be easily overwhelmed with the abundance of information. Knowing what you are looking for will keep you safe and efficient. To know what you are looking for when you are using a network analyzer, you need some basic understanding on network before knowing how to use the tool. In this tutorial, after explaining the basics of networking, we are going to see how to use Wireshark, one of the best protocol analyzer to monitor our traffic.

Obviously, if we want to talk about networking in detail, we won't be able to cover it here, but we are going to briefly talk about the network protocol that make the world goes round: TCP/IP.

TCP/IP Protocol

A protocol is a set of rules and procedures for how systems interact with one another. The TCP/IP protocol is a set of rules and procedure used to transmit data from one computer to another. Whether you're system administrator, security engineer, forensic investigator, network engineer, understanding these protocol is necessary if you want to be efficient. TCP/IP is the most common protocol used on the internet for communication.

1
TCP/IP protocol

The image above summarize all what TCP/IP is.

1- History

TCP/IP created by Vinton Gray "vint" Cerf and Robert Elliot Kahn in 1974, implemented by RFC's( Request For Comment) definitely adopted in 1982. It is not own by any organisation that's make it a universal protocol.

2- Layers

Instead of OSI model that describes network protocol in 7 layers, TCP/IP combine several layers into a single layer therefore it has 4 layers

  • Datalink layer: this layer provide error control and framing. Like example of Datalink layer we have: Ethernet, Token Ring
  • Internet layer: also known as network layer, it role is to accept and deliver packets for the network. This protocol include other protocols such as : Internet protocol(IP), Address Resolution Protocol (ARP) and the Internet Control Message Protocol( ICMP).
  • Transport Layer: this is the layer that ensures that packets arrives in sequences without errors: this layer is ensured by two protocols: Transmission Control Protocol( TCP) and User Datagram Protocol(UDP)
  • Application Layer: this layer defines standard internet services and network applications used by anyone. Example of application layer protocols are: ftp,smtp, dns, www.

3- Protocol

  • TCP: this protocol ensure that data send on the network is arrived on the destination. It's considered as a reliable connection-oriented protocol.
  • UDP: This protocol provide data-gram delivery services. It does not verify the connection between receiving and sending host. it's considered as non reliable connection-oriented protocol
  • IP: this is one of the most significant protocol of the entire TCP/IP suite. IP is responsible for the following:
  • IP addressing
  • Packet formatting
  • Fragmentation
  • ARP: this stand for Address Resolution Protocol. This protocol exist between the data-link and internet layers. He assists IP in directing datagrams to the appropriate receiving host by mapping his mac address to known IP address.
  • ICMP:This stand for Internet Control Message Protocol. He detect and reports network errors conditions. The main role of this protocol is to verify that host is reachable on a network.

4- Port

Ports are use to access the right services on the devices ( server, desktop , etc). Let's say that IP address allow you to access the right computer and port allow to access the right services on that computer. We have some standard services such as web services(www) running on port 80, ftp running on port 21, dns running on port 53, etc.

5- Flags

Flags are used within the TCP packet transfers to indicate a particular connection state or provide additional information. They can also be use for troubleshooting purpose or to control how a particular connection is handled.

6- PDUs

PDU is single unit of information transmitted among peer entities of a computer network. He is composed of protocol specific control information and user data. By simple way we can say that PDU is user data + header encapsulation for the layer.

7- Header

The header allow you to know who is sending the packet and where it is going.

Now that we have a basic understanding of tpc/ip protocol we can use wireshark to monitor ours traffics

Prerequisites

For this tutorial, I have already set my FTP server online using Alibaba Cloud Elastic Compute Service (ECS).

Install Wireshark

  • For windows users, just go to the official Wireshark link and download the latest version.
  • For Linux users, you can install it by entering the apt-get install wireshark (for ubuntu user). Or you can download the tar file, decompress it and install it.

Where to Use Wireshark

Wireshark can be used to monitor your traffic from your computer to another computer (online server, computer on the same network) or use to monitor all traffic on the network. Most of the time, hackers use this tool when performing man in the middle attacks (MITM attack).

How to Use Wireshark

There are two way to use Wireshark

  • By importing the packet file captured you have captured with another traffic sniffer like tcpdum.
  • By active packet sniffing directly in Wireshark.

1) Import File in Wireshark

In this case, imagine you want to know what is going on your server but don't have time at the moment. You can install and start tcpdum to save all network traffic history in a file so you can analyze it after when you are free.

For example, I have configure my FTP server on my ECS instance and created rule to allow me connect on port 21 so I can make a non encrypted connection on my server.

2

On the left side of the above image, my server is capturing traffic and saving it in a file name "savetraffics" that I will analyze afterwards with Wireshark. In the right side of the image, I have connected to my server by FTP on port 21, which is a non protected traffics. After that, I download the savetraffics on my desktop to further analyzing. So let's open it with wireshark and see what was going on in the server at that time.

To start wireshark, you can just enter the command "wireshark" if you are on Linux distribution or just double click and start wireshark if you are on windows.

Once wireshark has started, to import our file, click on file on the left corner then click open, a page will appear asking you where you file you want to import is locate. Navigate where you file is locate and select the file, or if you on the location already just enter the file name and click to open the file.

3

The image above shows the importing process of my save traffics file that I have captured in my online server on wireshark.

Now that I have import my file I can analyze it to see what was going on on my server.

4

The image above shows the contents of my saved traffics file.

Before analyzing our file let see some important fields in wireshark.

We have

  • source: for where packets are coming from
  • Destination: for where data is destined,
  • protocols : it can be ( ivp4 or ipv6) ,
  • Length: the packet length,
  • infos: is packet send

If I scroll down, I will see my username and password entered when login into my ftp server.

In the screenshot when login, I first enter wrong credentials. In the image bellow we are seeing that we can see that some one try to connect on our ftp server and the login was incorrect. So if after analyzing packets I see that the same source IP address have try many time with different credentials I can conclude that I maybe a password brute-force attack.

2) Active Packet Monitoring

When you start your wireshark for active traffic monitoring, you first have to chose the network interface where you want listen to your traffic. After that, you can click on the blue icon at the left corner to start.

5

When you start your wireshark, you will be quickly overwhelm with information; knowing some wireshark features will save you for headache. So let's see some wireshare features for quick traffics analyzing.

3) Filter

Filter are wireshark features allowing to concentrate on the packets you are interested.

Let's say we want to filter only TCP packets.

6

Now imagine you want just packets between your server and your desktop computer. The filter will be something like this: ip.addr== your_ip_addr and ip.addr== your_server_ip.

7

Now imagine you don't need packet from ssh, you will have something like this:

(ip.addr== your_ip_addr and ip.addr== your_server_ip.) and not tcp==22.

8

Let's finish with another filter. If we want to see all connections (80, 21, 22), then the filter can be something like this:

(ip.addr==192.168.43.19 && ip.addr==47.88.59.212) and tcp.port in {22 80 21}.

9

Following a stream can allow you to see in real time packets flow. To start a stream follow, click on analyze, click on follow then click on TCP stream to start. A box will appear and you will watch data flow in real time.

10

Conclusion

We have quickly learned about TCP/IP and have seen how we can use one of the most network analyzer tools to monitor our network. But there's still a lot more to discover with Wireshark. I highly encourage you to install it on your ECS server and explore its various features to see what is going in our network and protect your ECS server if necessary.

0 0 0
Share on

Alibaba Clouder

1,233 posts | 198 followers

You may also like

Comments