Using Wireshark to show you how insecure a public network can be

Bernardo Rocha
4 min read, Nov 11, 2020

The following article was written for college purposes.

What is Wireshark?

Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.

What is it used for?

Wireshark is a data capturing program that “understands” the structure (encapsulation) of different networking protocols. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

How to use it?

It’s pretty easy to start capturing data in Wireshark: you just have to click the first icon on the top bar.

What do the colors mean?

The colors are coloring rules. For example, the light green rule named HTTP paints all traffic that uses the HTTP protocol, port 80 or the HTTP2 protocol.

If you want to change the colors, go to View and then Coloring Rules.

Filters

You can filter packets in many different ways. Here are two examples:

IP address

This will filter by IP address.

ip.addr == <IP_ADDRESS>

You can also change .addr to .dst or .src to filter by destination or source.

Port

In this case it will filter by port:

tcp.port == <PORT>

Or ports:

tcp.port == <PORT> or tcp.port == <PORT> or tcp.port == <PORT>
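To make the behaviour of these filters concrete, here is a small evaluator, added for this article and not part of Wireshark, that runs the same filter expressions over a few constructed packet records. It shows something the filter text alone does not: ip.addr == X matches packets in either direction, ip.src / ip.dst match only one side, and tcp.port likewise covers both the source and the destination port. The packet addresses and ports are made up; the field names and the "or" / "and" syntax are the real Wireshark ones, but only the "==" comparison is supported here.

```python
# Added example (not from the original article): a tiny evaluator for the
# subset of Wireshark display-filter syntax used above, run over constructed
# packet records. Only "field == value" terms joined by and / or (or && / ||)
# are supported; "and" binds tighter than "or", as in Wireshark.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed sample traffic: a laptop (10.0.0.5) talking to a web server and
# to a local DNS server, plus one unrelated HTTPS packet from another host.
SAMPLE = [
    Packet("10.0.0.5", "93.184.216.34", 51000, 80),
    Packet("93.184.216.34", "10.0.0.5", 80, 51000),
    Packet("10.0.0.5", "10.0.0.1", 51001, 53),
    Packet("10.0.0.1", "10.0.0.5", 53, 51001),
    Packet("10.0.0.7", "93.184.216.34", 51002, 443),
]

# Field name -> the set of values that field takes on a packet.
# ip.addr and tcp.port deliberately return both sides, as Wireshark does.
FIELDS = {
    "ip.addr": lambda p: {p.src, p.dst},
    "ip.src": lambda p: {p.src},
    "ip.dst": lambda p: {p.dst},
    "tcp.port": lambda p: {p.sport, p.dport},
    "tcp.srcport": lambda p: {p.sport},
    "tcp.dstport": lambda p: {p.dport},
}

_TERM = re.compile(r"^\s*([a-z.]+)\s*==\s*(\S+)\s*$")


def _match_term(term: str, pkt: Packet) -> bool:
    """Evaluate a single 'field == value' comparison against one packet."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, value = m.group(1), m.group(2)
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    values = FIELDS[field](pkt)
    # Port fields compare as integers, address fields as strings.
    return (int(value) in values) if field.startswith("tcp.") else (value in values)


def matches(filter_expr: str, pkt: Packet) -> bool:
    """True if the packet passes the filter ('and' groups inside 'or' groups)."""
    for group in re.split(r"\s+or\s+|\s*\|\|\s*", filter_expr):
        and_terms = re.split(r"\s+and\s+|\s*&&\s*", group)
        if all(_match_term(t, pkt) for t in and_terms):
            return True
    return False


def apply_filter(filter_expr: str, packets=SAMPLE):
    """Return the indices of the packets the display filter would keep."""
    return [i for i, p in enumerate(packets) if matches(filter_expr, p)]


if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.5", "ip.src == 10.0.0.5", "ip.dst == 10.0.0.5",
              "tcp.port == 80", "tcp.port == 80 or tcp.port == 53 or tcp.port == 443",
              "ip.addr == 10.0.0.5 and tcp.port == 53"):
        print(f"{f:55} -> packets {apply_filter(f)}")
```

Running it shows that ip.addr == 10.0.0.5 keeps four packets (both directions of both conversations) while ip.src == 10.0.0.5 keeps only the two the laptop sent, which is exactly the difference the text describes between .addr and .src / .dst.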

Name Resolution

This is a basic configuration option that displays the names the IP addresses resolve to, which makes it easier for you to track a user or server.

Endpoints

Opening the Endpoints statistics shows all addresses seen during the capture.

As you can see here in IPv4:

(I activated name resolution)

Now, if you want to see which ports were used or the number of bytes per device, select the TCP tab:

This can be very important if you find an uncommon open port on a device, or a lot of data coming from a suspicious address.

Follow the communication between 2 addresses

If you have found an unusual destination address and want to look at all the packets in the stream, you can do this and Wireshark will apply the filter:

In this other example you can see the source and destination addresses performing a handshake (first three lines):
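The Endpoints table, the TCP view with ports and byte counts, following a conversation between two addresses, and spotting the three-line handshake are all things Wireshark computes from the packet list. The code below is an added example (written for this article, not Wireshark's own code) that rebuilds those views from a constructed capture: endpoint_stats() is the Endpoints table, follow_stream() is "Follow TCP Stream" for one pair of addresses, find_handshakes() picks out each SYN, SYN-ACK, ACK triple, and flag_unusual() is the kind of simple check the text hints at (a conversation on no well-known port, or carrying a lot of data). The addresses, ports and sizes are made up; the 5000-byte threshold and the WELL_KNOWN port list are assumptions for the demo.

```python
# Added example (not from the original article): the Endpoints / Follow Stream
# views and a handshake detector, over a constructed packet list.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as Wireshark abbreviates them: "S", "SA", "A", "PA"
    length: int  # bytes on the wire


# Constructed capture: a normal web session, then a connection to an odd high port.
CAPTURE = [
    Pkt("10.0.0.5", "93.184.216.34", 51000, 80, "S", 74),
    Pkt("93.184.216.34", "10.0.0.5", 80, 51000, "SA", 74),
    Pkt("10.0.0.5", "93.184.216.34", 51000, 80, "A", 66),
    Pkt("10.0.0.5", "93.184.216.34", 51000, 80, "PA", 512),
    Pkt("93.184.216.34", "10.0.0.5", 80, 51000, "PA", 1400),
    Pkt("10.0.0.5", "198.51.100.9", 51001, 31337, "S", 74),
    Pkt("198.51.100.9", "10.0.0.5", 31337, 51001, "SA", 74),
    Pkt("10.0.0.5", "198.51.100.9", 51001, 31337, "A", 66),
    Pkt("198.51.100.9", "10.0.0.5", 31337, 51001, "PA", 9000),
]


def endpoint_stats(capture):
    """Per-address packet and byte counts plus the TCP ports each address used."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for p in capture:
        for addr, port in ((p.src, p.sport), (p.dst, p.dport)):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += p.length
            stats[addr]["ports"].add(port)
    return dict(stats)


def conversation_key(p):
    """Direction-independent key for a TCP conversation (both endpoints, sorted)."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def follow_stream(capture, addr_a, addr_b):
    """Every packet exchanged between two addresses, in capture order."""
    return [p for p in capture if {p.src, p.dst} == {addr_a, addr_b}]


def find_handshakes(capture):
    """Return (client, server, server_port) for each SYN -> SYN-ACK -> ACK sequence."""
    pending = {}  # conversation key -> (expected flags, expected sender, client, server, port)
    found = []
    for p in capture:
        k = conversation_key(p)
        if p.flags == "S" and k not in pending:
            pending[k] = ("SA", p.dst, p.src, p.dst, p.dport)
        elif k in pending and (p.flags, p.src) == pending[k][:2]:
            _, _, client, server, port = pending[k]
            if p.flags == "SA":
                pending[k] = ("A", client, client, server, port)
            else:  # the client's final ACK completes the handshake
                found.append((client, server, port))
                del pending[k]
    return found


WELL_KNOWN = {53, 80, 443}  # assumption for the demo: ports treated as expected


def flag_unusual(capture, byte_threshold=5000):
    """Conversations that touch no well-known port or exceed the byte threshold."""
    totals = defaultdict(int)
    for p in capture:
        totals[conversation_key(p)] += p.length
    flagged = []
    for key, total in totals.items():
        reasons = []
        if not {key[0][1], key[1][1]} & WELL_KNOWN:
            reasons.append("no well-known port")
        if total >= byte_threshold:
            reasons.append(f"{total} bytes")
        if reasons:
            flagged.append((key, reasons))
    return flagged


if __name__ == "__main__":
    for addr, s in endpoint_stats(CAPTURE).items():
        print(f"{addr:15} packets={s['packets']:2} bytes={s['bytes']:6} ports={sorted(s['ports'])}")
    print("handshakes:", find_handshakes(CAPTURE))
    print("unusual:", flag_unusual(CAPTURE))
```

The 198.51.100.9 conversation is flagged for both reasons at once: it uses port 31337, which is on neither side a well-known service port, and it pushes 9000 bytes back to the phone-sized client, which is the "lot of data from a suspicious address" case the text mentions.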

But how unsafe could it be?

In this example I will be hosting a very simple website with a registration form; it could have been any website without an SSL certificate that you visit daily.

Then I used my phone to open the website.

In Wireshark I used this filter:

http.request.method == "POST"

This will show every form submission made while Wireshark was capturing. And as you can see:

Now, if we double-click on this packet and scroll to the bottom, we will find the information that was sent by the phone.
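What Wireshark shows at the bottom of that packet is nothing more than the TCP payload decoded as HTTP. The following is an added example (written for this article, not Wireshark's code) that does the same decoding on a constructed capture of a registration-form POST, with a made-up path, host and credentials. parse_http_request() returns the form fields exactly as anyone on the same network could read them, and cleartext_credential_fields() is the defender's side of the story: a check that reports which submitted fields look like secrets travelling unencrypted. With HTTPS the same payload would arrive as TLS records, and this parser would find no request line or headers to decode at all.

```python
# Added example (not from the original article): decode a cleartext HTTP POST
# the way the packet-details pane does, then flag secret-looking form fields.
from urllib.parse import parse_qs

# Constructed capture of the register-form submission. Nothing here is real.
RAW_POST = (
    b"POST /register HTTP/1.1\r\n"
    b"Host: 192.168.1.10:8000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 61\r\n"
    b"\r\n"
    b"username=alice&email=alice%40example.com&password=Sup3rSecret"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and decoded form fields."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header block found (not cleartext HTTP?)")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Trust Content-Length, as a protocol analyzer would, to cut the body at the right place.
    length = int(headers.get("content-length", len(body)))
    body = body[:length]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        decoded = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        form = {k: v[0] for k, v in decoded.items()}
    return {"method": method, "path": path, "version": version,
            "headers": headers, "form": form}


# Assumption for the demo: substrings that mark a field as sensitive.
SECRET_HINTS = ("pass", "pwd", "secret", "token", "card", "ssn")


def cleartext_credential_fields(req: dict) -> list:
    """Names of form fields that look like secrets in a request sent without TLS."""
    return [k for k in req["form"] if any(h in k.lower() for h in SECRET_HINTS)]


if __name__ == "__main__":
    req = parse_http_request(RAW_POST)
    print(req["method"], req["path"], "->", req["form"])
    print("sent in the clear:", cleartext_credential_fields(req))
```

The form dictionary comes back with the password readable as plain text; that is the whole point of the screenshot above, and it holds for any device that can see the traffic, not just the person running Wireshark.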

Stay safe and use HTTPS websites!
