Looking at network data
Now that you are capturing data across your whole network, you will see packets travelling between other machines, even where yours is not directly involved. The full packet is still collected and available for analysis.
Setting display filters
The other option available to you to narrow down the packets to analyse is by using display filters. You can set them by clicking on Analyze>Display Filters… Here you can select packets based on several different criteria.
How many machines
One of the primary issues that you may want to investigate is whether or not there are unauthorised machines present on your network. You can see this by pulling up the list of endpoints visible on your network. To see this window, you will need to click on Statistics>Endpoints. It will be broken down by protocol, depending on what kind of traffic is showing up on your network. The Ethernet tab should give you the physical machines directly connected to your network. The other tabs of most interest are the TCP and UDP tabs. You can find out what kind of traffic is travelling over your network.
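As an added example (not from the article), the same endpoint tally done offline in Python over a small capture constructed inline, so the Ethernet tab's list can be checked against a MAC allow-list; it assumes a classic little-endian pcap with Ethernet framing, and the helper names (endpoints, unknown_machines, make_frame, make_pcap) are mine:

```python
import struct
from collections import defaultdict

PCAP_MAGIC, ETH_IPV4, TCP, UDP = 0xA1B2C3D4, 0x0800, 6, 17

def endpoints(pcap):
    """Packets per endpoint, like the Ethernet/TCP/UDP tabs of Statistics>Endpoints."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a classic little-endian pcap")
    stats = {"eth": defaultdict(int), "tcp": defaultdict(int), "udp": defaultdict(int)}
    off = 24                                          # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue                                  # runt frame: no Ethernet header
        for m in (frame[6:12], frame[:6]):            # source MAC, destination MAC
            stats["eth"][m.hex(":")] += 1
        if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4 or len(frame) < 34:
            continue                                  # only IPv4 is decoded here
        proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
        if proto in (TCP, UDP) and len(frame) >= l4 + 4:
            tab = stats["tcp" if proto == TCP else "udp"]
            for addr, port in zip((frame[26:30], frame[30:34]), struct.unpack_from("!HH", frame, l4)):
                tab[f"{'.'.join(map(str, addr))}:{port}"] += 1
    return {k: dict(v) for k, v in stats.items()}

def unknown_machines(pcap, known_macs):
    """MACs seen on the wire but absent from the allow-list: candidate unauthorised hosts."""
    return sorted(set(endpoints(pcap)["eth"]) - set(known_macs))

def make_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with an 8-byte port header, enough for the tally above."""
    to_ip = lambda s: bytes(map(int, s.split(".")))
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ETH_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, to_ip(src_ip), to_ip(dst_ip))
    return eth + ipv4 + struct.pack("!HH", sport, dport) + b"\0" * 4

def make_pcap(frames):                                # classic pcap, linktype 1 = Ethernet
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: a known client talking to the gateway, plus one unlisted MAC
SAMPLE = make_pcap([
    make_frame("001122334455", "66778899aabb", "192.168.1.10", "192.168.1.1", TCP, 40000, 80),
    make_frame("66778899aabb", "001122334455", "192.168.1.1", "192.168.1.10", TCP, 80, 40000),
    make_frame("deadbeef0001", "66778899aabb", "192.168.1.77", "192.168.1.1", UDP, 5353, 53),
])
KNOWN_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
```

Feed it a real capture saved from Wireshark (File>Save As, pcap format) and any MAC that turns up outside your inventory is the one to chase down.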
When you find traffic of interest, you can get Wireshark to pull out all of the packets belonging to that stream. Select a packet and then click on Analyze: if the packet is part of a TCP stream, the option to follow that TCP stream will be available; if it is UDP, the option to follow the UDP stream is offered instead.
You can generate flow graphs showing what the traffic looks like. You have the option of only displaying the currently displayed packets, or all of the captured packets. You can see the traffic, broken up by time, with arrows showing the direction of data flow.
All of the steps until now apply equally to wired and wireless networks. With wireless networks, you have the additional complexity of the medium that the network uses for information transfer. Your data actually needs to travel over the air as an electromagnetic wave. This requires control frames, which aren’t normally captured by Wireshark. What to do?
To set extra options for wireless network capture, you will need to pull up the preferences window by clicking on View>Preferences. Under Protocols on the left-hand side, you can find an entry for ‘IEEE 802.11’. Here you can set options like reassembling fragmented datagrams.
802.11 decryption keys
This window is also where you can enter decryption keys. This is useful on wireless networks where security is set. You do have security set on your wireless network, don’t you? You can set keys to decrypt WEP and WPA/WPA2 traffic, but the WPA/WPA2 enterprise keys aren’t supported yet. Simply click on the Edit button to add your keys.
An easy way to set your card into monitor mode is to use the command ‘airmon-ng start wlan0’. This command is part of the aircrack-ng package, so you will probably want to install it, too. This will generate a pseudo-interface which you use to capture data.
Starting monitor mode
You can also start monitor mode by hand, using the iwconfig command. If either this or airmon-ng fails, then your card and/or driver probably don’t support monitor mode. There is a very well-written section on the Wireshark wiki covering your options for getting your card into monitor mode.
Looking at WLAN traffic
Wireshark actually has a summary window that shows details of what kind of traffic is travelling over your wireless network. You can see things like the number of beacons, the number of SSIDs and the channel numbers visible to your network card. Selecting a row in the top pane shows further details in the lower pane.
Generating firewall rules
After finding out what is happening on your wireless network, you may want to tighten up your security by fine-tuning your firewall rules. Click on Tools>Firewall ACL Rules to pull up a window. You can select which firewall you want to generate rules for, such as Cisco or IP Filter. This way, you can get tighter control over who does what on your network.