How To Sniff And Analyze Various Protocols

Networking work involves a great deal of simulation and analysis: we use different approaches to understand network architectures, network protocols, network congestion and much more. In this tutorial, we will look at how to analyze different network protocols.

For this kind of analysis we need a tool, and here we are using Wireshark. Wireshark (formerly known as Ethereal) is a network analysis tool that captures packets in real time and displays them in a human-readable format. Wireshark includes display filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.

With this tool we can capture packets, filter them and inspect them. Its more advanced features also let you follow a suspicious program's network traffic, analyze that traffic and troubleshoot network problems.

You can get Wireshark from its official site, Wireshark.org; once installed, it can capture live traffic for analysis. If you are using Linux, the tool works best, because it is most at home on Linux. Also, if you are a Debian user, Wireshark is preinstalled as the sniffer under Network Tools.


Figure 1 - Wireshark Network Analyser

This is what Wireshark looks like once you have installed it on your system. As you can see, the software lists numerous interfaces, and you have to choose yours. In my case, it is Wi-Fi. A small graph runs beside the interface, showing live activity on it.


Figure 2 - Choosing Interfaces

When you select your interface, a blue button in the top left becomes enabled, which shows that you can now start capturing packets. Click it and you will see something like the screen shown below.


Figure 3 - Capturing Packet

You'll probably see packets highlighted in green, blue and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black marks TCP packets with problems, for example segments that arrived out of order.

You can filter the captured packets: if you want only TCP packets, type tcp in the filter box (display filter names are lowercase and the filter is case-sensitive) and only TCP packets will be shown. You can also build your own filters from the Analyze menu by selecting Display Filters.

Inspecting a Packet

I searched Google for this website, www.csharpcorner.com, knowing nothing in advance about the network path this website uses. We will see how Wireshark helps us find that network information.

We will take packet number 28, which belongs to my search for www.csharpcorner.com. The question is: how do I know that this packet is for csharpcorner only? For this, you have to enable one more preference: go to Edit, then Preferences, then Name Resolution, and check "Resolve network address". The destination column now shows the domain name as well as the IP address. Keep in mind that this resolution is done through reverse DNS lookups, so on its own it is not proof that a packet belongs to a given site; compare the IP address with the DNS answer you received for that site.


Figure 4 - Setting up Network Address

The packet list also shows related information for each packet: the source address, destination address, protocol used, length of the packet, and a short summary in the analyzer's Info column.

You can dig further by double-clicking a packet to open its detailed view, where all of its related information is shown, as below.

Figure 5 - Elaborated View of Packet 28

This is the detailed view of packet 28, where you can see the MAC addresses of both source and destination. You can also see the frame size and the IP addresses. The raw bytes of the packet are shown in hex and ASCII at the bottom; fields that are not readable text there can be decoded by looking up the relevant protocol's header layout.
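As an added example (not code from the original article or from the Wireshark project), the following Python script dissects two hand-constructed frames, a TCP SYN and a DNS query over UDP, the way Wireshark's detail pane does: it pulls out the source and destination MAC addresses, the IP addresses, the protocol and the frame length, tags each frame with the default colors described earlier, applies a one-word display filter such as tcp, and prints the hex/ASCII dump. The MAC addresses, IP addresses, ports and checksums are made up for the example, and matches_filter is a deliberately tiny subset of Wireshark's real filter syntax.

```python
"""Dissect Ethernet/IPv4 frames the way Wireshark's packet detail pane does.

Added illustration, not Wireshark code. The two sample frames are constructed
by hand; addresses and ports are made up and IP/TCP/UDP checksums are left zero.
"""
import struct
from dataclasses import dataclass

# Wireshark's default coloring rules, as described in the article.
COLORS = {"TCP": "green", "DNS": "dark blue", "UDP": "light blue"}


@dataclass
class Summary:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str
    length: int
    color: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Summary:
    """Ethernet II -> IPv4 -> TCP/UDP; UDP on port 53 is labelled DNS."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]                        # IPv4 protocol field
    src_ip, dst_ip = _ipv4(ip[12:16]), _ipv4(ip[16:20])
    payload = ip[ihl:]
    if proto == 6:                       # TCP
        name = "TCP"
    elif proto == 17:                    # UDP, or DNS if either port is 53
        sport, dport = struct.unpack("!HH", payload[:4])
        name = "DNS" if 53 in (sport, dport) else "UDP"
    else:
        name = f"IP proto {proto}"
    return Summary(_mac(src_mac), _mac(dst_mac), src_ip, dst_ip, name,
                   len(frame), COLORS.get(name, "black"))


def matches_filter(summary: Summary, display_filter: str) -> bool:
    """Tiny subset of display-filter syntax: a bare protocol name such as 'tcp'."""
    return summary.protocol.lower() == display_filter.strip().lower()


def hex_ascii_dump(data: bytes, width: int = 16) -> str:
    """Render bytes like the hex/ASCII pane at the bottom of Wireshark."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: bytes, dst_ip: bytes,
                proto: int, l4: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4 frame around a transport header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, src_ip, dst_ip)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_hdr + l4


# Constructed sample frames (made-up addresses).
SRC_MAC, DST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
TCP_SYN = build_frame(SRC_MAC, DST_MAC, bytes([192, 168, 1, 10]),
                      bytes([203, 0, 113, 5]), 6,
                      # sport, dport, seq, ack, offset, flags=SYN, win, csum, urg
                      struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02,
                                  65535, 0, 0))
DNS_QUERY = build_frame(SRC_MAC, DST_MAC, bytes([192, 168, 1, 10]),
                        bytes([192, 168, 1, 1]), 17,
                        # UDP header (sport, dport=53, length, csum) + DNS header
                        struct.pack("!HHHH", 40000, 53, 8 + 12, 0)
                        + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    for frame in (TCP_SYN, DNS_QUERY):
        s = parse_frame(frame)
        print(f"{s.src_mac} -> {s.dst_mac}  {s.src_ip} -> {s.dst_ip}  "
              f"{s.protocol:<4} len={s.length} color={s.color} "
              f"matches 'tcp'={matches_filter(s, 'tcp')}")
        print(hex_ascii_dump(frame), end="\n\n")
```

Running the script prints one summary line per frame followed by its hex/ASCII dump, which is the same information you read off the packet list and the detail pane for packet 28; real captures add VLAN tags, IPv6 and fragmentation, which this toy dissector deliberately rejects rather than misreads.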

Wireshark dissects many network protocols, such as TCP, DNS, ARP and more, so with this tool you can analyze traffic on any network and examine the security-relevant behaviour of any supported protocol. Other capture interfaces work in the same way.