Computer security is always a concern, network security even more so. Wireless networks are a favourite target for hackers. This is simply because there is no physical link between machines: everything goes over the airwaves. One of the first steps to tightening security is simply to see what the current activity is, and what machines are involved. The tool that should be your first stop is Wireshark.
Wireshark gets used a lot for analysing Ethernet networks, but many people probably don’t realise that there are several options available that are specific to wireless networks and the 802.11 protocol. You’ll see some of the options available when trying to analyse your own wireless network. At the end, you’ll see how you can even generate firewall rules to further tighten your network security.
One issue that you need to be aware of is that what you can actually see is very dependent on your wireless network card. Newer cards are probably fully capable, but older cards (or less common cards) probably won’t support all of the possible capture options. If you find you have problems, check the Wireshark wiki to see if there are solutions.
Step by Step
Like most open source software, Wireshark is available on all of the most popular operating systems. Your distribution should have packages available: on Ubuntu the package is simply called ‘wireshark’. As always, you can download the latest source code and build it from scratch.
You need to take care how you start Wireshark. If you start it as a regular user, you will only be able to see traffic addressed directly to your machine. If you want to see other traffic, or do other interesting things, you will need to run as root. You can either run it with ‘sudo wireshark’, or you can collect the data earlier as root using dumpcap and then use Wireshark to do your analysis.
Since there is so much analysis that you can do with Wireshark, you will probably want to save your captured data. To do this, simply click on File>Save, where you can save the data in one of over 20 different formats.
In some cases, you may not be able to use Wireshark to do the actual capturing. This might be the case on a distant server where running graphical programs may be just too painful. In these cases, you can use ‘dumpcap’ to capture the actual packet data. You have all of the same options available to select the data you want to capture.
If you want to analyse data, either from an earlier run or from an offline capture session, you can load it by clicking on File>Open. You can select whether to do name resolution for MAC, network or transport names.
Now that you’re ready, the first step is to select which interfaces Wireshark is going to be listening on. You can select them from the front screen by clicking on the interface icon at the far left, or by clicking on Capture>Interfaces… You can select any combination of interfaces, including a pseudo-interface that captures data from all of the available interfaces.
When you have the interface screen up, you can also click on the options button to fine-tune what you’re capturing. Once this is all set, you can click on ‘start’ to start the data capture. You will see in the main window a growing list of captured network packets that you can start to play with.
Looking at live data
Once you have some data collected – and depending on how busy your network is, this may be quite a bit – you can take a quick look at what is happening. The first two columns tell you the packet number and time for each packet captured. The next three give you the source and destination addresses, along with the protocol for each packet. The last column gives you a single line of packet information, letting you identify packets of interest.
By default, Wireshark only does name resolution for MAC and transport. This means that you get raw IP addresses. Depending on your network conditions, it may be better to resolve these IP addresses to hostnames. You can turn this on at the interface option screen for new captures. You can apply it to already captured data by clicking on View>Name Resolution>Enable for Network Layer, and then reload the data.
Looking at packet details
When you select a packet, you will see a display of the data at the bottom of the screen. Depending on your screen size, you may want to open this into a separate window by simply double-clicking on the packet of interest.
Setting promiscuous mode
The real interest in monitoring your Wi-Fi network is to see what is going on out there. This means that you need to set your network card to promiscuous mode, which requires that Wireshark be run as root. This option can be set in the interface’s options screen.
Setting capture filters
By default, Wireshark captures everything visible, which is likely what you want to do at first. But once you have an idea of the type of traffic, you can set capture filters so that you are only capturing either traffic to/from specific machines, or specific protocols.
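To make the packet-list columns and the effect of a ‘host’ capture filter concrete, here is an added example (not part of the original article, and not Wireshark’s own code): a small reader for the legacy pcap format that dumpcap and Wireshark save, producing the same No./Time/Source/Destination/Protocol rows the main window shows, then keeping only the rows a capture filter of ‘host 192.168.1.1’ would have recorded. The capture it reads is constructed inline with made-up addresses.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_pcap(data):
    """Return rows (No., Time, Source, Destination, Protocol) for a legacy pcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    rows, off, t0 = [], 24, None
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        ts = sec + usec / 1e6
        t0 = ts if t0 is None else t0          # Wireshark's Time column is relative to packet 1
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0800 and len(frame) >= 34:   # IPv4: show IP addresses, as Wireshark does
            src, dst = fmt_ip(frame[26:30]), fmt_ip(frame[30:34])
            proto = PROTO_NAMES.get(frame[23], f"IP proto {frame[23]}")
        else:                                           # anything else: fall back to MAC addresses
            src, dst, proto = fmt_mac(frame[6:12]), fmt_mac(frame[:6]), f"0x{ethertype:04x}"
        rows.append((len(rows) + 1, round(ts - t0, 6), src, dst, proto))
    return rows

def host_filter(rows, addr):
    """Keep only the rows a capture filter of 'host <addr>' would have recorded."""
    return [r for r in rows if addr in (r[2], r[3])]

# --- constructed sample capture: three frames with made-up MAC and IP addresses ---
def _ipv4_frame(src_ip, dst_ip, proto, payload=b"\x00" * 8):
    eth = bytes.fromhex("ffeeddccbbaa") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip_hdr + payload

def _record(sec, usec, frame):
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _record(1000, 0, _ipv4_frame("192.168.1.10", "192.168.1.1", 6))
               + _record(1000, 250000, _ipv4_frame("192.168.1.1", "192.168.1.20", 17))
               + _record(1001, 0, bytes.fromhex("ffffffffffff001122334455") + b"\x08\x06" + bytes(28)))

if __name__ == "__main__":
    for row in host_filter(parse_pcap(SAMPLE_PCAP), "192.168.1.1"):
        print(*row)
```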