What’s on your network? Introduction to packet sniffing with wireshark

Have you ever wondered what’s happening in the background on your network? This article will show you how to determine for yourself. In order to begin, you’re going to need two things – your IP address, and the program wireshark (if you’re testing this on a remote shell like a VPS, use tcpdump instead of wireshark, which is just a GUI version basically).

There are different ways to obtain your IP address, depending on which operating system you’re using. In Windows you typically would do Run -> cmd which will open a dos looking window where you can type “ipconfig”. In macosx, open Terminal from Applications -> Utilities and run “ifconfig” (your IP address will appear within en0 or en1 and after the inet line). In any UNIX based operating system, open a terminal and follow the same steps as macosx. Write down this IP address for use later.

Now it’s time to download and install Wireshark for windows or macosx (macports or fink). Most other operating system can be found in the bottom right of their download page. When running wireshark, you are going to put your network card into a special listening setting called promiscuous mode. If it’s a wireless card, this is sometimes called monitor mode. In this mode, your card is being permitted to show you all the traffic it can sniff, not just your own. In order to be able to do this successfully, you have to open the program as administrator and not as a regular user. Once you have it open, choose your network card and “start capture”. You can run it as long as you like, or rather as long as you have disk space, but I recommend stopping around the 100-500 packet mark for your first time. I’ll leave it up to you to read the wireshark documents or watch their tutorials to see the real power of this tool, but the one trick I recommend you start with is ignore your own IP and see what else you can sniff off your network. Let’s say your internet address is 192.168.1.100, you should enter this in the Filter text box at the top left of the screen:

!(ip.addr==192.168.1.100)

and click “Apply”. This is a regular expression that says only capture things that are not (!) equal to your IP address. If you see nothing but ARP type packets, things are likely configured well, but if you see packets that say TCP or UDP in the Protocol column, someone else is using your network and you’re capturing their activity! This could include emails, web surfing, you name it. Right click on one of those packets, and choose “Follow TCP stream” which might convert the data to something more resembling English, unless it’s encrypted or compressed. Now you can move on to the official wireshark documents and videos until our next technical post.