Join Lisa Bock for an in-depth discussion in this video Traffic capture overview, part of Troubleshooting Your Network with Wireshark.
- Network administrators use a packet sniffer, network monitor, or network analyzer to monitor and troubleshoot network traffic. As data flows across the network, the sniffer captures each packet, decodes the packet's raw bits, and then displays the field values in the packet according to the appropriate RFC or other specification. This information can help identify bottlenecks and help maintain efficient network data transmission. There are many uses for packet analysis.
We can analyze network problems; detect network intrusion attempts and network misuse; perform regulatory compliance through content monitoring of perimeter and endpoint traffic; monitor bandwidth usage per application and process; verify endpoint security status to see unwanted protocols, such as bogus ARP traffic and Multicast DNS; and gather and report network statistics. The tool we will use for this demonstration is Wireshark, formerly Ethereal, an open source packet analyzer.
In the late 1990s, Gerald Combs needed a tool for analyzing network problems. Portable sniffers were available at the time, but they were costly. Gerald developed Ethereal with the help of some friends, and this later became Wireshark. It has been around for over 15 years. In addition to Wireshark, there are some other packet analyzers. Cain and Abel recovers passwords by sniffing the network and can record voice-over-IP conversations. NarusInsight, formerly Carnivore, can monitor all internet traffic.
dSniff passively monitors a network for interesting traffic, such as passwords, emails, and files. Ettercap intercepts traffic on a network segment, captures passwords, and conducts active eavesdropping. Tcpdump is a common protocol analyzer that runs from the command line. Placement is key. Not all traffic is created equal. Depending on the placement, you may only capture a portion of the total network traffic. Off of a switch, the traffic may be unicast, broadcast, or multicast.
To see all traffic on a switch, use Port Monitoring or SPAN. Also use a full-duplex tap in line with traffic. You may need a special adapter. Network administrators should be familiar with Wireshark because Wireshark is built into the Cisco Nexus 7000 series, and many other devices.
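As an added illustration, not part of the course or of Wireshark, of what a sniffer does with a frame's raw bits and of the unicast/broadcast/multicast and bogus-ARP/mDNS distinctions mentioned above, here is a small Python decoder run over two constructed frames (the MAC and IP addresses are made up):

```python
import struct

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)

def cast_type(dst_mac: bytes) -> str:
    # Classify the frame by destination MAC, as seen off a switch port.
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:          # I/G bit set in the first octet
        return "multicast"
    return "unicast"

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II and, for ARP (RFC 826) or IPv4/UDP, the fields a sniffer displays."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src),
            "cast": cast_type(dst), "ethertype": ethertype, "notes": []}
    p = frame[14:]
    if ethertype == 0x0806:                                   # ARP
        op = struct.unpack("!H", p[6:8])[0]                   # 1 = request, 2 = reply
        sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", p[8:28])
        info.update(proto="ARP", op=op, spa=ip_str(spa), tpa=ip_str(tpa))
        if spa == tpa:
            info["notes"].append("gratuitous ARP: sender and target IP match")
        if op == 2 and info["cast"] == "broadcast":
            info["notes"].append("unsolicited ARP reply to broadcast; review for ARP cache poisoning")
    elif ethertype == 0x0800:                                 # IPv4
        ihl = (p[0] & 0x0F) * 4                               # header length in bytes
        proto, src_ip, dst_ip = p[9], p[12:16], p[16:20]
        info.update(proto="IPv4", src_ip=ip_str(src_ip), dst_ip=ip_str(dst_ip))
        if proto == 17:                                       # UDP
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            info.update(proto="UDP", sport=sport, dport=dport)
            if dport == 5353 and dst_ip == bytes([224, 0, 0, 251]):
                info["notes"].append("mDNS (RFC 6762) to 224.0.0.251")
    return info

# Constructed sample frames, not captured from a real network.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"  "0001" "0800" "06" "04" "0002"   # Ethernet + ARP header, opcode reply
    "001122334455" "c0a80101"  "000000000000" "c0a80101"                 # sender/target MAC and IP 192.168.1.1
)
MDNS_FRAME = bytes.fromhex(
    "01005e0000fb" "001122334455" "0800"                      # Ethernet: multicast dst MAC, EtherType IPv4
    "4500001c00004000ff110000" "c0a80164" "e00000fb"          # IPv4: proto UDP, 192.168.1.100 -> 224.0.0.251
    "14e9" "14e9" "0008" "0000"                               # UDP: 5353 -> 5353, length 8
)
```

Running `decode_frame` on each frame reproduces what a sniffer would show in its packet details pane, with the two notes flagging the unwanted protocols the transcript names.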
- Exploring the Wireshark interface
- Using display and capture filters
- Dissecting the OSI model
- Analyzing TCP, IPv4, and other protocols
- Detecting denial-of-service attacks and password attacks
- Using security tools for ethical hacking