How I use Wireshark (jvns.ca)
552 points by ingve 5 months ago | 94 comments



One really useful tip for Wireshark that's not as obvious as it should be.

Increasingly often, what you need to debug is a TLS connection. However, that can make debugging more difficult as the contents of the connection are encrypted.

However, if you can access the server key, whether you have access to the production server, or are working in a development environment, or you MITM yourself with mitmproxy, or you're working on some product that ships the same default server keys with every install, you can load the key into Wireshark and then decrypt all of the TLS traffic.

To do so, go to Preferences > Protocols > SSL, and click "Edit" next to "RSA keys list". Then you can load private keys in, and associate them with a host and port, and when you have a TLS connection on that host and port, Wireshark will decrypt the traffic and you can see the inner protocol.

https://wiki.wireshark.org/SSL

Note that this doesn't work if you use a cipher suite with forward secrecy, though it looks like there is support for that as well if you enable logging of ephemeral keys in your client or server (https://security.stackexchange.com/questions/35639/decryptin...)


If you get a mitmproxy working, you probably won't need the Wireshark bits. Getting ephemeral keys out can be tricky and might not even be worth the trouble.

Sometimes I find it convenient to redirect traffic with iptables. That way, if I can classify which traffic interests me, only that traffic will pass through the proxy for inspection. A warning though, SSL specific problems tend to go away when being looked at that way :).

A third method I know people use is LD_PRELOADing a hook in the application to dump keys (search for sslkeylog.c for an example) but that's far too exciting for me to try in production. Between these three methods I tend to reach for the proxy first.


There's also a fun example of the third method at [1] which is used to decrypt and dump traffic from the official Spotify app for inspection in wireshark. This is used to reverse engineer their protocol and reimplement it in librespot (and various ports of that).

[1] https://github.com/librespot-org/spotify-analyze/blob/master...


This is supported with Firefox and Chrome. Here's how to set it up: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traf...
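Added example, not code from the post or from anyone in the thread: the ephemeral-key logging route discussed above (SSLKEYLOGFILE in Firefox/Chrome, Wireshark's "(Pre)-Master-Secret log filename" preference, or an LD_PRELOAD hook that writes the same format) works because the log is keyed by the 32-byte client random from the ClientHello. This script parses an NSS-format key log, pulls the client random out of a ClientHello record, and reports whether the log holds secrets for that connection, which is the lookup Wireshark performs before it can decrypt. The key log and the ClientHello are constructed test data, not a real session; the TLS 1.3 label set is the one used by that log format.

```python
import struct

# TLS 1.3 sessions log per-direction secrets under these labels; TLS 1.2 and
# earlier log a single CLIENT_RANDOM line. All are keyed by the client random.
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

def parse_keylog(text):
    """NSS key log -> {client_random_bytes: {label: secret_bytes}}; skips comments."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue                      # malformed line: ignore, as Wireshark does
        label, client_random, secret = parts
        index.setdefault(bytes.fromhex(client_random), {})[label] = bytes.fromhex(secret)
    return index

def client_random_from_record(record):
    """Client random from a TLS record that carries a ClientHello."""
    # Record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); ClientHello = 1
    if len(body) < 38 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    # ClientHello body: legacy_version(2) random(32) ...
    return body[6:38]

def find_secrets(record, keylog_text):
    """Secrets usable for this connection, or None if the log has none for it."""
    return parse_keylog(keylog_text).get(client_random_from_record(record))

def tls_version_hint(secrets):
    """Which kind of session the logged labels describe."""
    return "1.3" if TLS13_LABELS & set(secrets) else "1.2 or older"

def build_client_hello_record(client_random):
    """Constructed minimal ClientHello (no extensions), used as test input only."""
    assert len(client_random) == 32
    hello = (b"\x03\x03" + client_random   # legacy_version, random
             + b"\x00"                     # legacy_session_id: empty
             + b"\x00\x02\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                 # compression_methods: null only
             + b"\x00\x00")                # extensions: none
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample data: one TLS 1.2-style line for some other connection and
# a TLS 1.3 set for the client random used in our ClientHello.
CLIENT_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, constructed for this example\n"
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + CLIENT_RANDOM.hex() + " " + "11" * 32 + "\n"
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + CLIENT_RANDOM.hex() + " " + "22" * 32 + "\n"
    "CLIENT_TRAFFIC_SECRET_0 " + CLIENT_RANDOM.hex() + " " + "33" * 32 + "\n"
    "SERVER_TRAFFIC_SECRET_0 " + CLIENT_RANDOM.hex() + " " + "44" * 32 + "\n"
)

if __name__ == "__main__":
    rec = build_client_hello_record(CLIENT_RANDOM)
    secrets = find_secrets(rec, SAMPLE_KEYLOG)
    print("decryptable:", secrets is not None)
    if secrets:
        print("TLS", tls_version_hint(secrets), "labels:", sorted(secrets))
```

The practical check this gives you: if a capture will not decrypt, compare the client random Wireshark shows in the ClientHello against the log; a missing entry usually means the key log was enabled after the connection was established or the process writing it was not the one that made the connection.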


Also if the security model where you work is like where I work and they won't give you the certs, but will allow you to add your own cert, Charles Proxy works a charm.

Crazy useful for sending server side errors to mobile apps to simulate failure that otherwise wouldn't be replicable on demand in a production environment.


> Crazy useful for sending server side errors to mobile apps to simulate failure

That's what test suites are for.


I've used it for a few things:

* To analyze the bluetooth protocol for a smartwatch so I could reverse-engineer a phone app to talk to it

* To intercept a temperature logger's TCP comms and figure out how it talked to the vendor's (crap) server software so I could write a better server for it

* To track down a weird problem where ffmpeg won't stream from my home CCTV system (it turns out it sends a duplicate PLAY command, still haven't figured out why yet...)

* To snoop for IP addresses on my local network in order to find lost devices (eg. when someone else set a device to a static IP address which has since been lost).

It's basically a fantastic Swiss Army knife for any question that starts with "what" and ends with "on the network".


We recently used it to troubleshoot a problem where 2-3% of TLS connections on a certain VIP were failing. Turns out a switch inside our cloud provider was zeroing out two bits. (TCP CRCs only protect against corruption on the wire, not corruption that happens _inside_ a device!)

That was a fun support ticket.


I can one up that. I had corrupt HTTP payloads with what looked like boot loader data being inserted! I tracked it back to a VMware host with a physical NIC driver that was reading past the buffer, and picking up the bootloader from memory. Inside the guest, Wireshark was happy, but upstream at the LB it was receiving the nasty payload.


Same here. I have developed a few dissectors for Wireshark and monitoring tools on top of libpcap and find it immensely useful. I did a writeup of "Troubleshooting TCP Throughput" that involves Wireshark here: http://www.thedrews.net/troubleshoot_tcp_throughput.pdf


Also: USB with USBPCap.

My personal pain point is lack of localhost tracing under Windows.


Try npcap https://nmap.org/npcap/

Loopback Packet Capture: Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP). After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters


Thanks; will try.


Rawcap can do this. It's increasingly showing its age, but I still use it fairly frequently. It generates PCAP files, it's 23KB, and its only dependency is .NET Framework 2.0 (which, admittedly, is becoming more of a problem than a blessing): http://www.netresec.com/?page=RawCap


Would be interesting reads! Do you have any material out there?


Not at the moment but maybe I should start blogging again... :)


I was able to quickly reverse engineer a slightly non-standard use of the fastboot protocol to update the firmware on a Linux-based device. Very cool piece of software.


eavesdropping, open source best friend. :cough:


Going to shamelessly post a Wireshark tutorial I made when I TA'd the networking class at Berkeley. I think it's a pretty good intro to the tool, and feel free to suggest others too.

https://www.youtube.com/watch?v=jvuiI1Leg6w


Great tutorial. More importantly though, how did you get that desktop wallpaper?


Ha, my favorite question. The video is from https://www.youtube.com/watch?v=skI8e5BCozE.

You can use Dreamscene for Windows 7/8. On Windows 10, I used VideoPaper, a free tool from https://www.reddit.com/r/VideoPaper/. It hasn't been updated in a while, so it might not work anymore. Apparently, you can also use VLC to set a video as your desktop background.


that was a really good tutorial!


Thank you!


My favourite Wireshark link: https://danlebrero.com/2017/04/06/documenting-your-architect...

Generating a sequence diagram of a running system w a bit of Clojure code and PlantUML mixed in.


that is actually really freaking cool use case! bookmarked for future reference.


Thanks for sharing! I plan on playing around with this soon!


Is there a reason that the website is recommending you install a third party repository in Debian for Wireshark? It is a native package:

https://packages.debian.org/search?searchon=names&keywords=w...

EDIT: It appears that the website has changed, but still comments about installing from the PPA for newer packages. PPAs tend to be for Ubuntu only, and are not meant for other Debian-based distros.


Maybe to get the latest up to date version? I know Debian can lag behind having the latest packages


I can understand that logic, however it looks like it isn't too far behind (2.2.x versus 2.6.x). The PPA points to 2.4.x, (https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable) so even the PPA doesn't have the latest. The official website recommends installing it from the official Debian repository(https://www.wireshark.org/download.html).

My greater concern with recommending that is PPAs may not be by the official folks, and PPAs tend to be for Ubuntu rather than Debian, resulting in a "FrankenDebian" (https://wiki.debian.org/DontBreakDebian), and while that PPA seems to be run by the official devs, PPAs can be set up by anyone, which runs into the whole concern of blindly trusting others' code on your system.

EDIT: Here is what the official Debian website says on it: https://wiki.debian.org/DebianSoftware#Footnotes (Footnote 1).


If you want up to date software, you should just run Debian testing (or some other distribution/OS). In Debian, testing lags a few days behind unstable to make sure that things aren't breaking and then pushes the update.


You should not use Debian Testing (unless you are testing) because it does not get security updates like stable.[1]

You should either use Debian Stable with "stable-updates" or use Debian Sid if you want the latest stuff.

[1] https://www.debian.org/security/faq#testing


Debian testing is pretty fine, especially if you need newer software than the current stable, and want to be transitioned into the stable state once it becomes that.

I especially tend to install it (or upgrade to it) on servers during freeze time.


https://lists.debian.org/debian-user/2017/07/msg00374.html provides some links that are in line with my experience. YMMV of course.

Quote:

One user described the releases this way: "Stable is never broken; Unstable is immediately fixed; Testing is neither" [3]. A Debian developer seemingly agreed, responding "That's because some things might break in testing during migration. E.g., when we upload a new major release of something like MATE and half of the packages take a bit longer to migrate to testing, you end up with half of the packages of MATE in testing on the old major version and the other half being on the new major version. This will definitely break" [4]. Chris Lamb also seemed to agree, asking the user why he had not considered Unstable over Testing [4].


This tends to be why I use testing almost only when the freeze has happened. Much less chance for breakage (closer to current stable)


> If you want up to date software, you should just run Debian testing (or some other distribution/OS).

Telling people to run a new OS in order to get an updated version of Wireshark is crazy.

If people only want a single updated package, then it is perfectly fine to include the updated PPA.


PPAs tend to be for Ubuntu only, and are not meant for other Debian-based distros. Ubuntu and other distros will be pegged to other libraries, and mixing libraries on an OS is not a good idea.

If you really want the updated package, I would recommend compiling from source.

EDIT: I should point out that you have a valid point that if you want to run up to date software, Debian is probably not the Distro you want to use. Ubuntu is a Debian based Distro that tends to have more up to date software. However, I like using Debian as I rarely need the most up to date software, and I have never had an update go bad on Debian.


Good points. Thank you.

I totally get that a FrankenDebian type of system can result from mixing packages from outside of Debian with a base Debian system.

What I really wanted to convey was that saying someone should run Debian unstable or some other OS in order to update a single package is not reasonable - that it is far more reasonable for a person to take point updates using a PPA in such a case.


I agree with that point. Debian has a repository known as backports (https://backports.debian.org/). But they note that it is not as well tested as the stable repository, and it is on an as-is basis, so not all packages are in there.

However, Debian Stable is not the distro you want to run if you want the latest packages. I think Ubuntu and Arch are two distros that do that more? I have not looked around for new distros in several years, Debian is my OS of choice.


I've used debian and arch (on different machines of course) for years. I like that debian never breaks. On the other hand, I like the rolling release model of arch. :)


I get that! I used to do the Debian testing "rolling" release and really liked it. Sometime I will try Arch.


That's generally not what Debian users do. You can "pin" only specific packages from Debian testing.

It's not guaranteed to work, but for end user facing software that nothing else links to, like Wireshark, it's likely to be completely fine. But no guarantees.

The search term is probably "apt pinning" but it's also in the Debian Wiki.

If you find that you'd rather rebuild the latest source package, you can rebuild the latest source package (apt build-dep will even install the build environment for you) and all the Debian specific patches will be included.


Caveat: testing will get security fixes more slowly than any other flavor of Debian. It's not really ideal as a rolling-release distro.


I use this to run Wireshark on local desktop with live traffic from remote server

e.g. excludes port 22/53

ssh root@host tcpdump -U -s0 'not port 22 and not port 53' -w - | wireshark -k -I -


The first time I used this command to monitor traffic remotely on a headless device it felt like magic. Incredibly useful.

You can achieve the same under Windows using putty/plink:

plink.exe -ssh -pw password root@host "tcpdump -ni eth0 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Of course you need to have tcpdump as a command line executable in the host.


Worth mentioning that you can dump traffic from a router to your machine and debug network issues between headless/sshless devices.


Yeah, remote debugging is possibly the best part of wireshark. If you can generate a pcap file and stream it to your machine, you can view it in wireshark.
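Added example, not code from the post or from anyone in the thread: what `tcpdump -w -` streams over that ssh pipe is the classic pcap format, and anything that emits it can be fed to `wireshark -k -i -`. The script below writes a pcap containing a constructed TCP exchange (addresses, MACs and payload are made up), reads it back, and checks the IPv4 and TCP checksums the way Wireshark's checksum validation does. It also covers the corruption story earlier in the thread: clearing two bits in a payload is caught by the TCP checksum, but the ones-complement sum has a known blind spot, shown at the end, where two flips in the same bit position of different 16-bit words cancel out, so a green checksum in Wireshark is not proof the data is intact.

```python
import socket
import struct
import sys

LINKTYPE_ETHERNET = 1

def inet_checksum(data):
    """RFC 1071 ones-complement sum used by the IPv4 header, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src, dst, sport, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame with valid checksums; MACs are constructed locals."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    return eth + ip + tcp + payload

def verify_frame(frame):
    """(ip_header_ok, tcp_ok): the two checks Wireshark can validate per packet."""
    ip = frame[14:34]
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = frame[34:14 + total_len]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(seg))
    return inet_checksum(ip) == 0, inet_checksum(pseudo + seg) == 0

def pcap_bytes(frames, snaplen=65535):
    """Classic little-endian pcap: 24-byte file header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 1000 * i, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Yield the frames back out of pcap bytes written by pcap_bytes()."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def clear_bits(frame, offset, mask):
    """Zero the bits in mask at byte offset: the damage described in the thread."""
    b = bytearray(frame)
    b[offset] &= ~mask & 0xFF
    return bytes(b)

def flip_bits(frame, offset, mask):
    """Invert the bits in mask at byte offset."""
    b = bytearray(frame)
    b[offset] ^= mask
    return bytes(b)

# Constructed exchange: a SYN, then a segment carrying request data.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
FRAMES = [
    build_frame(CLIENT, SERVER, 40000, 80, 1000, 0, 0x02, b""),
    build_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, b"GET /status HTTP/1.0\r\n\r\n"),
]
PAYLOAD_OFFSET = 14 + 20 + 20   # Ethernet + IPv4 + TCP headers

if __name__ == "__main__":
    # python3 mkpcap.py > sample.pcap, or pipe straight into: wireshark -k -i -
    sys.stdout.buffer.write(pcap_bytes(FRAMES))
```

Two bits cleared in the payload ("GET" becoming "DET") fail TCP validation while the IP header check still passes, since that checksum only covers the header. Flipping the same bit in "G" and in "T" two bytes later leaves both checksums valid with the payload reading "EEV": the 16-bit ones-complement sum is unchanged when one word gains what another loses. Wireshark also shows TCP checksums as bad on outgoing packets captured on a host with checksum offload, because the NIC fills them in after the capture point; that is a false alarm, the cancelling-flip case is a genuine miss.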


Curious, why skip DNS traffic when you're capturing all other traffic?


seems nobody mentioned rpcapd in this thread - https://github.com/rpcapd-linux/rpcapd-linux could be used to see interfaces on remote linux boxes from windows desktop


Every time someone posts about wireshark, I think it's good to post about tcpflow.

What is it? In short, it shows you the TCP packets as opposed to the raw IP packets. If you are doing protocol analysis or debugging, it's AMAZING!

https://linux.die.net/man/1/tcpflow


Wireshark is my favourite "I told you so" tool. You can't imagine how useful it is for network troubleshooting.

Heck, it's been many times that I've told a customer "you've got this device running this OS in your network doing DPI/ALG/etc and it's probably sitting (points at the network diagram) exactly here, which you conveniently forgot to add to the diagram" just by looking at a network trace with Wireshark.


> You can't imagine how useful it is for network troubleshooting.

I think anyone who has ever had to troubleshoot networking issues can attest to that. I certainly can. ;-)


Thought someone might find it useful... There is a command line equivalent called tshark. It's great for simple packet processing.

I used it a lot to generate csv files with relevant packet data.


Wireshark is worth a couple of hours of play. It was quite a revelation to use it on a non https connection and watch myself transmit my password letter for letter in clear text :) Yes one can imagine how that is, but still, doing it is different.


Or, similarly, I set up an HTTPS proxy on my Mac, and set Wireshark to listen. Then, had someone else log in to a different account (say, the guest account) on the machine, and asked them to log into gmail, say, as usually via HTTPS (with a fake user/pass). A warning does pop up about "insecure connection", but most people just dismiss it and go ahead and log in - and wireshark intercepts username and password.

Classic MiTM, well known, but still freaky to observe how easy it is to set up.


This wouldn't really be possible with a modern browser, luckily, since they don't let users bypass the warning for sites with HSTS.


Yeah for Gmail or some other big website. The real targets are usually the smaller corporate sites which are not in the preload list, but you wouldn't use those to demo with...


Well as long as the site has HSTS and the user had visited it at least once before the MiTM attempt.. But yeah a gazillion corporate sites won't have HSTS configured


In this case, the user runs the browser from a guest account - that the "attacker" controls. It would be prudent to start with a clean profile - so no "earlier" visits.


Locally-installed root CAs are allowed by HSTS, so if you added the HTTPS proxy to the root store, this would work without warning, unless you manually checked the certificate.

Of course, this only works on machines you're the admin of, which is why it's allowed.


What's the purpose of this Rude Goldberg's machine if you could do keylogging instead?


You could but nobody will notice (no information about insecure machine). Here the victim is being informed and should become suspicious. Most of my friends don't know the difference between http and https. These are some letters which show up in front of the URL.


Rube not Rude.


Wireshark can open streamable multimedia files too. I've used it in contexts completely outside networking to inspect a podcast file that played weirdly and an ancient MP3 mix that turned out to be two files with different sample rates concatenated together so media players didn't seek properly in it.


Wow! Can you elaborate more on the latter? How were you able to figure that out with Wireshark?


My greatest use thus far with Wireshark was proving that some HTTP requests one of our applications was making actually left the machine and went through our network.

Our Node Proxy was not cooperating and it helped us track down the issues. Nice tool to have in your belt.

Thanks for sharing.


Wireshark is great, I used it a while back to diagnose why a rogue DHCP server was routing DNS through Germany.


I have happily used Wireshark during my physics PhD to deal with poor vendor software for various equipment. Example: while Montana Instruments (https://www.montanainstruments.com/) now has a python library for interacting with their cryostats (refrigerators), they didn't always have one, and I just couldn't get their dll's to work. Instead, I sniffed the packets that were being sent back and forth between their provided GUI software and the cryostat, and got things working fairly easily in python thereafter.

Good times.


I love Wireshark. It's a very useful tool for anything network related. Sometimes I like to boot it up and just look at arp requests being bounced around the network, it's hard to resist the temptation to boot up Metasploit and engage in some script kiddy fun while I'm doing it.

The one problem I have is that usually when I discover I need to use Wireshark, I'm not able to download it as I don't have an internet connection.


> The one problem I have is that usually when I discover I need to use Wireshark, I'm not able to download it as I don't have an internet connection.

Solution: carry a fresh version for all platforms on a pendrive, in your wallet.


Slightly off-topic: I personally know the co-creator of Wireshark, Loris Degioanni (https://thenewstack.io/author/lorisdegioanni/), a super-brilliant engineer from Italy. I am wondering why the Wikipedia article doesn't mention him. (I know his co-authorship is true).


Wireshark is fantastic. It's also great for listening in on USB connections. The only issue I have with it is I have to use a secondary program to capture the loopback. But rawcap is small, lightweight and easy, so it's not a huge issue.


if i recall correctly, this is a windows-only limitation. i've had no problems capturing loopback on linux. on windows, you can install npcap rather than winpcap to allow capturing on the loopback with wireshark.


used it after I had ssh connections from/to china.

checked to see if system cleanup and hardened firewall kicked them out. After some days with zero traffic (minus broadcast etc) declared red alert over.


Great for wireless debug as well. We had an issue in the early days of WPA and Wireshark was one of the first open apps to support sniffing and decrypting WPA traffic. We also used Omnipeek, which had a better GUI and better promiscuous and monitor support but Wireshark caught up and now it's my go-to tool.

Filter syntax is a headache, though, if I remember correctly it's totally different for capture and display. I have to go to the manual every time I use wireshark.


Bluetooth? Is Wireshark useful for troubleshooting dropped connections between mouse and host controller? So far hcidump and bluetoothd debugging aren't revealing why I keep getting dropped connections, but only on Linux. I don't have the same problem with Windows 10 and the same hardware setup. But off hand it seems like Wireshark would produce a ton of really verbose data.


Hansang Bae, the CTO of Riverbed (Wireshark's corporate sponsor) has a series of videos about using Wireshark. There are some great practical packet analysis tips in these.

https://www.youtube.com/watch?v=U0QABcTD-xc&list=PLnKJHZhW_B...


To follow a specific TCP connection I rather do this: 1. select message from a connection, 2. Follow -> TCP Stream.

Another thing that helps is to just write a display filter expression, like 'tcp.port eq 443 and ip.dst==1.2.3.4'

https://wiki.wireshark.org/DisplayFilters
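Added example, not code from the post or from anyone in the thread: Follow -> TCP Stream, and tcpflow mentioned earlier in the thread, both do the same job, which is to group segments by connection, put them in sequence order, discard retransmitted bytes and concatenate what is left so you read the application data rather than packets. The reassembler below does exactly that on a constructed set of segments: an HTTP form login delivered out of order with one retransmission, plus the server's reply. The final function then pulls the password field out of the reassembled POST body, which is the "watch yourself transmit your password in clear text" demonstration from earlier in the thread done on the stream rather than by eye. Addresses, ports and the request are made up.

```python
from collections import defaultdict

# A segment as a dissector hands it over: (src, sport, dst, dport, seq, payload)

def reassemble(segments):
    """{(src, sport, dst, dport): bytes} with each direction in sequence order."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if payload:                                   # pure ACKs carry nothing
            flows[(src, sport, dst, dport)].append((seq, payload))
    out = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        data, next_seq = bytearray(), None
        for seq, payload in segs:
            end = seq + len(payload)
            if next_seq is None:
                next_seq = seq
            if end <= next_seq:
                continue                              # full retransmission: nothing new
            if seq < next_seq:
                payload = payload[next_seq - seq:]    # partial overlap: keep the new tail
            elif seq > next_seq:
                data += b"?" * (seq - next_seq)       # gap: a segment was never captured
            data += payload
            next_seq = end
        out[key] = bytes(data)
    return out

def http_requests(stream):
    """Split a client->server stream into (request_line, headers, body) tuples."""
    reqs = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break                                     # incomplete request at the tail
        lines = head.split(b"\r\n")
        headers = dict(l.split(b": ", 1) for l in lines[1:] if b": " in l)
        length = int(headers.get(b"Content-Length", b"0"))
        reqs.append((lines[0], headers, rest[:length]))
        stream = rest[length:]
    return reqs

def cleartext_passwords(streams):
    """(src, dst, field, value) for password-like form fields in plain-HTTP POSTs."""
    found = []
    for (src, sport, dst, dport), data in streams.items():
        if dport != 80:
            continue                                  # only look at the client side
        for line, headers, body in http_requests(data):
            if not line.startswith(b"POST "):
                continue
            for field in body.split(b"&"):
                name, _, value = field.partition(b"=")
                if b"pass" in name.lower():
                    found.append((src, dst, name.decode(), value.decode()))
    return found

# Constructed login over plain HTTP, split into three segments.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
BODY = b"user=alice&password=hunter2"
REQ = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n"
       b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
SEGMENTS = [
    (CLIENT, 51000, SERVER, 80, 1, REQ[:30]),
    (CLIENT, 51000, SERVER, 80, 81, REQ[80:]),       # last piece arrives early
    (CLIENT, 51000, SERVER, 80, 31, REQ[30:80]),
    (CLIENT, 51000, SERVER, 80, 1, REQ[:30]),        # retransmission of the first piece
    (SERVER, 80, CLIENT, 51000, 9000, b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
]

if __name__ == "__main__":
    streams = reassemble(SEGMENTS)
    for key, data in streams.items():
        print(key, len(data), "bytes")
    for hit in cleartext_passwords(streams):
        print("cleartext credential:", hit)
```

Gaps are marked with "?" bytes rather than silently joined, which is the behaviour you want when a capture started mid-connection or dropped packets under load; Wireshark flags the same situation as "TCP Previous segment not captured".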


I never understood how to intercept another device's TCP packets. Do you connect some sort of device in between the device and the network as a node, or is the only requirement to be connected to the same hub? Does anyone have reading material on how to do this?


Either you run wireshark directly on the endpoint, or you setup some means of tapping into the traffic.

The most common method is to use a managed switch to setup a mirror port. Basically you tell the switch to copy all traffic and send it out on an extra port and then capture traffic while connected to that port.


Port mirroring on most managed switches will allow you to pick up TCP packets for another device.


Wireshark has a document: https://wiki.wireshark.org/CaptureSetup/Ethernet

I personally use a hub. You are limited to 10 or 100 Mbps (no gigabit hubs exist). I typically am debugging embedded systems, so inserting a hub into the mix is trivial and easier than trying to login to a managed switch. No tracing in the data closet or calls to IT required.


There is a such a thing as an Ethernet tap (basically, you tap one pair to Rx on a NIC, and if you want both ways you need another NIC)... but it's tricky to avoid impedance mismatch etc, and not feasible at all for Gigabit Ethernet. The simple/easy option is configure port mirroring on your switch[1] as mentioned by other commenters.

[1] https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2...


A hub will limit your speed significantly. They aren't usually bidirectional. I used to use a linux PC with multiple ports. You can enable port forwarding and capture traffic as it passes through. Use a 3rd port to access it. However, I've recently acquired a managed 5 port switch. I didn't know these were available, but they are awesome and pretty cheap. Example: https://www.amazon.com/TP-Link-Ethernet-Sheilded-Replacement...


You must connect an old network hub to the device you want to listen to (or its Wifi access point) and your PC that is running WireShark. A hub is like a switch that sends every received data to all of its ports.


I telnet into my router and run tcpdump, then I use FTP to copy the file from the router to my computer and import it to Wireshark in order to inspect it.


I was a network engineer for a University so.

-Used it to discover Cisco switch port number and switch names for ports

-Find rogue routers on the network people setup in their dorm rooms that would hand out their own ip address(DHCP) on our network
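Added example, not code from the post or from anyone in the thread: the check behind finding rogue DHCP servers, which also covers the earlier comment about a rogue DHCP server steering DNS elsewhere. It parses the DHCP server replies you would see with a `bootp` or `dhcp` display filter, flags OFFER/ACK messages whose server identifier (option 54) is not on your allowlist, and reports the router (option 3) and DNS servers (option 6) they hand out. The messages are constructed, addresses and MACs included; the option numbers and header layout are the standard BOOTP/DHCP ones.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP message (the UDP payload) into the fields we care about."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))     # address being handed out
    chaddr = payload[28:28 + hlen].hex(":")                   # client MAC
    msg = {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": {}}
    pos = 240
    while pos < len(payload):                                 # TLV options
        code = payload[pos]
        if code == 0:                                         # pad
            pos += 1
            continue
        if code == 255:                                       # end
            break
        length = payload[pos + 1]
        msg["options"][code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return msg

def addresses(raw):
    """Option value holding one or more IPv4 addresses -> list of strings."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def rogue_offers(payloads, allowed_servers):
    """OFFER/ACK messages from servers outside the allowlist, with what they handed out."""
    hits = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        opts = msg["options"]
        kind = MSG_TYPES.get(opts.get(53, b"\x00")[0])
        if kind not in ("OFFER", "ACK"):
            continue
        server = addresses(opts[54])[0] if 54 in opts else None
        if server in allowed_servers:
            continue
        hits.append({"type": kind, "server": server, "client_mac": msg["chaddr"],
                     "offered": msg["yiaddr"], "router": addresses(opts.get(3, b"")),
                     "dns": addresses(opts.get(6, b""))})
    return hits

def build_dhcp(msg_type, server_ip, yiaddr, mac, dns, router, xid=0x3903F326):
    """Constructed DHCP server reply (UDP payload only), for the sample data below."""
    ip4 = lambda s: ipaddress.IPv4Address(s).packed
    head = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)    # op=BOOTREPLY, Ethernet, hlen 6
    head += b"\x00" * 4 + ip4(yiaddr) + ip4(server_ip) + b"\x00" * 4   # ciaddr yiaddr siaddr giaddr
    head += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10         # chaddr, 16 bytes
    head += b"\x00" * 192                                              # sname + file
    opts = (bytes([53, 1, msg_type]) + bytes([54, 4]) + ip4(server_ip)
            + bytes([3, 4]) + ip4(router)
            + bytes([6, 4 * len(dns)]) + b"".join(ip4(d) for d in dns) + b"\xff")
    return head + DHCP_MAGIC + opts

# Constructed sample: the legitimate server answers, then a dorm-room box answers too.
ALLOWED = {"10.10.0.1"}
SAMPLE = [
    build_dhcp(2, "10.10.0.1", "10.10.0.57", "f0:de:f1:aa:bb:cc", ["10.10.0.1"], "10.10.0.1"),
    build_dhcp(2, "10.10.0.99", "10.10.0.57", "f0:de:f1:aa:bb:cc", ["203.0.113.53"], "10.10.0.99"),
    build_dhcp(5, "10.10.0.99", "10.10.0.57", "f0:de:f1:aa:bb:cc", ["203.0.113.53"], "10.10.0.99"),
]

if __name__ == "__main__":
    for hit in rogue_offers(SAMPLE, ALLOWED):
        print(hit)
```

On a real capture the same check runs over the UDP payloads of packets to port 68; the client MAC in the hit tells you which host took the bad lease, and the router and DNS values tell you what traffic the rogue server is now in the path of.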


Worth adding that Wireshark has a plugin system for adding protocols.

The fix/fast protocol plugin is something I'd have been in a lot of trouble without in my past.


And you can write dissectors in Lua. Super handy for quick/dirty jobs.


The UI in the Mac version has a Windows look and feel, which seems odd. I'm interested in why the developers chose this approach.


I think they just use the default GTK theme.


It's Qt now unless you're on a pretty old version.


You're right. I assumed the new look was a Gtk 2 to 3 switch, but it's been Gtk to Qt.


Important filter: !(tcp.len==0)


That blog is a treasure trove! Her writing style is great, very accessible, even if you are a newbie to the subject, and her enthusiasm is infectious!



