One really useful tip for Wireshark that's not as obvious as it should be.
Increasingly often, what you need to debug is a TLS connection. However, that can make debugging more difficult as the contents of the connection are encrypted.
However, if you can access the server key, whether you have access to the production server, or are working in a development environment, or you MITM yourself with mitmproxy, or you're working on some product that ships the same default server keys with every install, you can load the key into Wireshark and then decrypt all of the TLS traffic.
To do so, go to Preferences > Protocols > SSL, and click "Edit" next to "RSA keys list". Then you can load private keys in, and associate them with a host and port, and when you have a TLS connection on that host and port, Wireshark will decrypt the traffic and you can see the inner protocol.
Note that this doesn't work if you use a cipher suite with forward secrecy, though it looks like there is support for that as well if you enable logging of ephemeral keys in your client or server (https://security.stackexchange.com/questions/35639/decryptin...)
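The ephemeral-key route at the end of this comment is what current Wireshark exposes as the TLS preference `tls.keylog_file` (the `SSLKEYLOGFILE` environment variable makes curl, Firefox and Chrome write that file). As an added example that is not part of the thread, a small Python checker for that file's NSS key log format, run on a constructed log; it reports which sessions Wireshark can decrypt fully.

```python
# Added example (not from the thread): sanity-check an SSLKEYLOGFILE before pointing
# Wireshark's tls.keylog_file preference at it. The file is NSS key log format, one
# "<LABEL> <client_random hex> <secret hex>" entry per line. SAMPLE_LOG is constructed.
import binascii

# Secret length in bytes per label: TLS 1.2 logs a 48-byte master secret, TLS 1.3 logs
# hash-sized secrets (32 for SHA-256 suites, 48 for SHA-384). EXPORTER_SECRET omitted.
LABELS = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
}
# Wireshark needs all four TLS 1.3 secrets to decrypt the handshake and both data directions.
TLS13_REQUIRED = set(LABELS) - {"CLIENT_RANDOM"}

SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real capture",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,              # TLS 1.2 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "b1" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "b2" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "b3" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "b4" * 32,    # complete TLS 1.3 session
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "c3" * 32,    # server secrets never logged
])

def parse_keylog(text):
    """Return {client_random: {label: secret}}; raise ValueError on a malformed line."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):                  # comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS:
            raise ValueError(f"line {lineno}: not a known key log entry")
        label, client_random, secret = parts
        try:
            cr_len, secret_len = len(binascii.unhexlify(client_random)), len(binascii.unhexlify(secret))
        except binascii.Error:
            raise ValueError(f"line {lineno}: field is not valid hex") from None
        if cr_len != 32 or secret_len not in LABELS[label]:    # client random is always 32 bytes
            raise ValueError(f"line {lineno}: wrong length for {label}")
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions

def classify(sessions):
    """Per client random: 'tls1.2', 'tls1.3', or 'incomplete' (Wireshark decrypts only part)."""
    return {cr: "tls1.2" if "CLIENT_RANDOM" in labels
            else "tls1.3" if TLS13_REQUIRED <= set(labels)
            else "incomplete"
            for cr, labels in sessions.items()}
```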
If you get a mitmproxy working, you probably won't need the Wireshark bits. Getting ephemeral keys out can be tricky and might not even be worth the trouble.
Sometimes I find it convenient to redirect traffic with iptables. That way, if I can classify which traffic interests me, only that traffic will pass through the proxy for inspection. A warning though, SSL specific problems tend to go away when being looked at that way :).
A third method I know people use is LD_PRELOADing a hook in the application to dump keys (search for sslkeylog.c for an example) but that's far too exciting for me to try in production. Between these three methods I tend to reach for the proxy first.
There's also a fun example of the third method at [1] which is used to decrypt and dump traffic from the official Spotify app for inspection in Wireshark. This is used to reverse engineer their protocol and reimplement it in librespot (and various ports of that).
Also if the security model where you work is like where I work and they won't give you the certs, but will allow you to add your own cert, Charles Proxy works a charm.
Crazy useful for sending server side errors to mobile apps to simulate failure that otherwise wouldn't be replicable on demand in a production environment.
* To analyze the bluetooth protocol for a smartwatch so I could reverse-engineer a phone app to talk to it
* To intercept a temperature logger's TCP comms and figure out how it talked to the vendor's (crap) server software so I could write a better server for it
* To track down a weird problem where ffmpeg won't stream from my home CCTV system (it turns out it sends a duplicate PLAY command, still haven't figured out why yet...)
* To snoop for IP addresses on my local network in order to find lost devices (eg. when someone else set a device to a static IP address which has since been lost).
It's basically a fantastic Swiss Army knife for any question that starts with "what" and ends with "on the network".
We recently used it to troubleshoot a problem where 2-3% of TLS connections on a certain VIP were failing. Turns out a switch inside our cloud provider was zeroing out two bits. (TCP CRCs only protect against corruption on the wire, not corruption that happens _inside_ a device!)
I can one up that. I had corrupt HTTP payloads with what looked like boot loader data being inserted! I tracked it back to a VMware host with a physical NIC driver that was reading past the buffer, and picking up the bootloader from memory. Inside the guest, Wireshark was happy, but upstream at the LB it was receiving the nasty payload.
Same here. I have developed a few dissectors for Wireshark and monitoring tools on top of libpcap and find it immensely useful. I did a writeup of "Troubleshooting TCP Throughput" that involves Wireshark here: http://www.thedrews.net/troubleshoot_tcp_throughput.pdf
Loopback Packet Capture: Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP). After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, and you will see all loopback traffic the same way as on other non-loopback adapters.
Rawcap can do this. It's increasingly showing its age, but I still use it fairly frequently. It generates PCAP files, it's 23KB, and its only dependency is .NET Framework 2.0 (which, admittedly, is becoming more of a problem than a blessing): http://www.netresec.com/?page=RawCap
I was able to quickly reverse engineer a slightly non-standard use of the fastboot protocol to update the firmware on a Linux-based device. Very cool piece of software.
Going to shamelessly post a Wireshark tutorial I made when I TA'd the networking class at Berkeley. I think it's a pretty good intro to the tool, and feel free to suggest others too.
You can use Dreamscene for Windows 7/8. On Windows 10, I used VideoPaper, a free tool from https://www.reddit.com/r/VideoPaper/. It hasn't been updated in a while, so it might not work anymore. Apparently, you can also use VLC to set a video as your desktop background.
EDIT: It appears that the website has changed, but still comments about installing from the PPA for newer packages. PPAs tend to be for Ubuntu only, and are not meant for other Debian-based distros.
My greater concern with recommending that is PPAs may not be by the official folks, and PPAs tend to be for Ubuntu rather than Debian, resulting in a "FrankenDebian" (https://wiki.debian.org/DontBreakDebian), and while that PPA seems to be run by the official devs, PPAs can be set up by anyone, which runs into the whole concern of blindly trusting others' code on your system.
If you want up to date software, you should just run Debian testing (or some other distribution/OS). In Debian, testing lags a few days behind unstable to make sure that things aren't breaking and then pushes the update.
Debian testing is pretty fine, especially if you need newer software than the current stable, and want to be transitioned into the stable state once it becomes that.
I especially tend to install it (or upgrade to it) on servers during freeze time.
One user described the releases this way: "Stable is never broken; Unstable is immediately fixed; Testing is neither" [3].
A Debian developer seemingly agreed, responding "That's because some things might break in testing during migration. E.g., when we upload a new major release of something like MATE and half of the packages take a bit longer to migrate to testing, you end up with half of the packages of MATE in testing on the old major version and the other half being on the new major version. This will definitely break" [4].
Chris Lamb also seemed to agree, asking the user why he had not considered Unstable over Testing [4].
PPAs tend to be for Ubuntu only, and are not meant for other Debian-based distros. Ubuntu and other distros will be pegged to other libraries, and mixing libraries on an OS is not a good idea.
If you really want the updated package, I would recommend compiling from source.
EDIT: I should point out that have a valid point that if you want to run up to date software, Debian is probably not the Distro you want to use. Ubuntu is a Debian based Distro that tends to have more up to date software. However, I like using Debian as I rarely need the most up to date software, and I have never had an update go bad on Debian.
I totally get that a FrankenDebian type of system can result from mixing packages from outside of Debian with a base Debian system.
What I really wanted to convey was that saying someone should run Debian unstable or some other OS in order to update a single package is not reasonable - that it is far more reasonable for a person to take point updates using a PPA in such a case.
I agree with that point. Debian has a repository known as backports (https://backports.debian.org/). But they note that it is not as well tested as the stable repository, and it is on an as-is basis, so not all packages are in there.
However, Debian Stable is not the distro you want to run if you want the latest packages. I think Ubuntu and Arch are two distros that do that more? I have not looked around for new distros in several years, Debian is my OS of choice.
I've used Debian and Arch (on different machines of course) for years. I like that Debian never breaks. On the other hand, I like the rolling release model of Arch. :)
That's generally not what Debian users do. You can "pin" only specific packages from Debian testing.
It's not guaranteed to work, but for end user facing software that nothing else links to, like Wireshark, it's likely to be completely fine. But no guarantees.
The search term is probably "apt pinning" but it's also in the Debian Wiki.
If you find that you'd rather rebuild the latest source package, you can rebuild the latest source package (apt build-dep will even install the build environment for you) and all the Debian specific patches will be included.
Yeah, remote debugging is possibly the best part of wireshark. If you can generate a pcap file and stream it to your machine, you can view it in wireshark.
Wireshark is my favourite "I told you so" tool. You can't imagine how useful it is for network troubleshooting.
Heck, It's been many times that I've told a customer "you've got this device running this OS in your network doing DPI/ALG/etc and it's probably sitting points at the network diagram exactly here, which you conveniently forgot to add to the diagram" just by looking at a network trace with Wireshark.
Wireshark is worth a couple of hours of play. It was quite a revelation to use it on a non-HTTPS connection and watch myself transmit my password letter for letter in clear text :) Yes, one can imagine how that is, but still, doing it is different.
Or, similarly, I set up an HTTPS proxy on my Mac, and set Wireshark to listen. Then, had someone else log in to a different account (say, the guest account) on the machine, and asked them to log into Gmail, say, as usual via HTTPS (with a fake user/pass). A warning does pop up about "insecure connection", but most people just dismiss it and go ahead and log in - and Wireshark intercepts username and password.
Classic MiTM, well known, but still freaky to observe how easy it is to set up.
Yeah for Gmail or some other big website. The real targets are usually the smaller corporate sites which are not in the preload list, but you wouldn't use those to demo with...
Well, as long as the site has HSTS and the user had visited it at least once before the MiTM attempt. But yeah, a gazillion corporate sites won't have HSTS configured.
In this case, the user runs the browser from a guest account - that the "attacker" controls. It would be prudent to start with a clean profile - so no "earlier" visits.
Locally-installed root CAs are allowed by HSTS, so if you added the HTTPS proxy to the root store, this would work without warning, unless you manually checked the certificate.
Of course, this only works on machines you're the admin of, which is why it's allowed.
You could but nobody will notice (no information about insecure machine). Here victim is being informed and should become suspicious.
Most of my friends don't know the difference between http and https. These are some letters which show up in front of the URL.
Wireshark can open streamable multimedia files too. I've used it in contexts completely outside networking to inspect a podcast file that played weirdly and an ancient MP3 mix that turned out to be two files with different sample rates concatenated together so media players didn't seek properly in it.
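The concatenated-MP3 case above, as an added example that is not from the thread: a Python walk over MPEG Layer III frame headers (the same fields Wireshark's MPEG audio dissector shows) that flags where the sample rate changes, run on a constructed stream of two rates glued together.

```python
# Added example (not from the thread): walk an MP3 file frame by frame, the way
# Wireshark's MPEG audio dissector does, and flag where the sample rate changes.
# Two files with different rates glued together look like one file to a player
# that trusts the first header, so duration and seeking come out wrong.
# The byte stream below is constructed (valid headers, silent zero-filled bodies).

SR_MPEG1 = [44100, 48000, 32000]          # index 3 is reserved
SR_MPEG2 = [22050, 24000, 16000]          # MPEG 2.5 uses half of these
BR_MPEG1 = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]  # kbps, Layer III
BR_MPEG2 = [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160]

def build_frame(sample_rate, kbps, padding=0):
    """Construct one MPEG-1 Layer III frame: 4-byte header plus zero-filled body."""
    hdr = (0x7FF << 21) | (0b11 << 19) | (0b01 << 17) | (1 << 16)   # sync, MPEG-1, Layer III, no CRC
    hdr |= BR_MPEG1.index(kbps) << 12 | SR_MPEG1.index(sample_rate) << 10 | padding << 9
    hdr |= 0b11 << 6                                                  # single-channel mode
    length = 144 * kbps * 1000 // sample_rate + padding
    return hdr.to_bytes(4, "big") + bytes(length - 4)

def parse_frames(data):
    """Return (offset, sample_rate, kbps, frame_length) for each Layer III frame found."""
    frames, pos = [], 0
    while pos + 4 <= len(data):
        h = int.from_bytes(data[pos:pos + 4], "big")
        version, layer = (h >> 19) & 3, (h >> 17) & 3
        br_idx, sr_idx, padding = (h >> 12) & 15, (h >> 10) & 3, (h >> 9) & 1
        # Not a sync word, or reserved/free-format field values: resync one byte on, as players do.
        if h >> 21 != 0x7FF or version == 1 or layer != 1 or br_idx in (0, 15) or sr_idx == 3:
            pos += 1
            continue
        if version == 3:                                   # MPEG-1
            sr, kbps, coeff = SR_MPEG1[sr_idx], BR_MPEG1[br_idx], 144
        else:                                              # MPEG-2 (0b10) or MPEG-2.5 (0b00)
            sr = SR_MPEG2[sr_idx] // (2 if version == 0 else 1)
            kbps, coeff = BR_MPEG2[br_idx], 72
        length = coeff * kbps * 1000 // sr + padding
        frames.append((pos, sr, kbps, length))
        pos += length
    return frames

def rate_changes(frames):
    """Offsets where the sample rate differs from the previous frame: (offset, old_rate, new_rate)."""
    return [(f[0], p[1], f[1]) for p, f in zip(frames, frames[1:]) if p[1] != f[1]]

# Constructed "mix": three frames at 44.1 kHz followed by two at 48 kHz, all 128 kbps.
SAMPLE_STREAM = build_frame(44100, 128) * 3 + build_frame(48000, 128) * 2
```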
Slightly off-topic: I personally know the co-creator of Wireshark, Loris Degioanni (https://thenewstack.io/author/lorisdegioanni/), a super-brilliant engineer from Italy. I am wondering why the Wikipedia article doesn't mention him. (I know his co-authorship is true).
My greatest use thus far with Wireshark was proving that some HTTP requests one of our applications was making actually left the machine and went through our network.
Our Node Proxy was not cooperating and it helped us track down the issues. Nice tool to have in your belt.
I have happily used Wireshark during my physics PhD to deal with poor vendor software for various equipment. Example: while Montana Instruments (https://www.montanainstruments.com/) now has a python library for interacting with their cryostats (refrigerators), they didn't always have one, and I just couldn't get their dll's to work. Instead, I sniffed the packets that were being sent back and forth between their provided GUI software and the cryostat, and got things working fairly easily in python thereafter.
I love Wireshark. It's a very useful tool for anything network related. Sometimes I like to boot it up and just look at ARP requests being bounced around the network; it's hard to resist the temptation to boot up Metasploit and engage in some script kiddy fun while I'm doing it.
The one problem I have is that usually when I discover I need to use Wireshark, I'm not able to download it as I don't have an internet connection.
Hansang Bae, the CTO of Riverbed (Wireshark's corporate sponsor) has a series of videos about using Wireshark. There are some great practical packet analysis tips in these.
Wireshark is fantastic. It's also great for listening in on USB connections. The only issue I have with it is I have to use a secondary program to capture the loopback. But RawCap is small, lightweight and easy, so it's not a huge issue.
If I recall correctly, this is a Windows-only limitation. I've had no problems capturing loopback on Linux. On Windows, you can install Npcap rather than WinPcap to allow capturing on the loopback with Wireshark.
Used it after I had SSH connections from/to China.
Checked to see if system cleanup and a hardened firewall kicked them out. After some days with zero traffic (minus broadcast etc.) I declared red alert over.
Great for wireless debug as well. We had an issue in the early days of WPA and Wireshark was one of the first open apps to support sniffing and decrypting WPA traffic. We also used Omnipeek, which had a better GUI and better promiscuous and monitor support but Wireshark caught up and now it's my go-to tool.
Filter syntax is a headache, though; if I remember correctly it's totally different for capture and display. I have to go to the manual every time I use Wireshark.
Bluetooth? Is Wireshark useful for troubleshooting dropped connections between mouse and host controller? So far hcidump and bluetoothd debugging aren't revealing why I keep getting dropped connections, but only on Linux. I don't have the same problem with Windows 10 and the same hardware setup. But off hand it seems like Wireshark would produce a ton of really verbose data.
I never understood how to intercept another device's TCP packets. Do you connect some sort of device in between the device and the network as a node, or is the only requirement to be connected to the same hub? Does anyone have reading material on how to do this?
Either you run Wireshark directly on the endpoint, or you set up some means of tapping into the traffic.
The most common method is to use a managed switch to set up a mirror port. Basically you tell the switch to copy all traffic and send it out on an extra port and then capture traffic while connected to that port.
I personally use a hub. You are limited to 10 or 100 Mbps (no gigabit hubs exist). I typically am debugging embedded systems, so inserting a hub into the mix is trivial and easier than trying to login to a managed switch. No tracing in the data closet or calls to IT required.
There is such a thing as an Ethernet tap (basically, you tap one pair to Rx on a NIC, and if you want both ways you need another NIC)... but it's tricky to avoid impedance mismatch etc., and not feasible at all for Gigabit Ethernet. The simple/easy option is to configure port mirroring on your switch[1] as mentioned by other commenters.
A hub will limit your speed significantly. They aren't usually bidirectional.
I used to use a linux PC with multiple ports. You can enable port forwarding and capture traffic as it passes through. Use a 3rd port to access it.
However, I've recently acquired a managed 5 port switch. I didn't know these were available, but they are awesome and pretty cheap.
Example:
https://www.amazon.com/TP-Link-Ethernet-Sheilded-Replacement...
You must connect an old network hub to the device you want to listen to (or its Wifi access point) and your PC that is running Wireshark. A hub is like a switch that sends all received data to all of its ports.
I telnet into my router and run tcpdump, then I use FTP to copy the file from the router to my computer and import it to Wireshark in order to inspect it.
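tcpdump on the router, RawCap on Windows and a streamed remote capture all hand Wireshark the same classic libpcap file. As an added example (not from the thread), a Python writer and reader for that format, so a transferred capture can be checked for truncation or a bad header before opening it; the payload is a constructed ARP request, not captured traffic.

```python
# Added example (not from the thread): write and read the classic libpcap file
# format that tcpdump, RawCap and Wireshark exchange, so a capture pulled off a
# router can be checked before opening it. The frame below is a constructed ARP
# request, not captured traffic.
import struct

PCAP_MAGIC_US = 0xA1B2C3D4            # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D            # nanosecond timestamps (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1

def write_pcap(records, snaplen=65535, nanos=False):
    """Serialize [(timestamp_seconds_float, frame_bytes), ...] into a little-endian pcap byte string."""
    magic = PCAP_MAGIC_NS if nanos else PCAP_MAGIC_US
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    scale = 1_000_000_000 if nanos else 1_000_000
    for ts, frame in records:
        secs, frac = divmod(round(ts * scale), scale)
        caplen = min(len(frame), snaplen)                   # snaplen truncates, orig_len keeps the real size
        out += struct.pack("<IIII", secs, frac, caplen, len(frame)) + frame[:caplen]
    return out

def read_pcap(data):
    """Parse a pcap file of either byte order; return (linktype, [(ts_float, caplen, origlen, frame)])."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<"
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):        # try the other byte order
        (magic,) = struct.unpack(">I", data[:4])
        endian = ">"
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        raise ValueError("not a libpcap file (bad magic)")
    scale = 1_000_000_000 if magic == PCAP_MAGIC_NS else 1_000_000
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, pos = [], 24
    while pos + 16 <= len(data):
        secs, frac, caplen, origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if caplen > snaplen or pos + 16 + caplen > len(data):
            raise ValueError(f"truncated or corrupt record at offset {pos}")
        records.append((secs + frac / scale, caplen, origlen, data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return linktype, records

# Constructed ARP request "who-has 192.168.1.1 tell 192.168.1.50" from a locally administered MAC.
ARP_REQUEST = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06"
               + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + bytes.fromhex("020000000001") + bytes([192, 168, 1, 50])
               + bytes(6) + bytes([192, 168, 1, 1]))
```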