ITWire

Previously, we’ve covered Linux security topics on ITWire and showed free tools like nmap and snort and tightening SSH. Wireshark’s purpose is to sniff network traffic, but moreso to interpret and analyse that traffic, giving a far more meaningful breakdown of the actual protocols and applications running, and the nature of the communication that is happening. This is known variously as protocol decoding, and dissecting.

This is terrific for security matters – like network intrusion detection, but that’s not all. Wireshark has an untold number of more regular uses, which include troubleshooting network problems and administering your system.

One of the best features of WIreshark is that it is open-source and extensible; it has a wide community of developers who keep adding support for legions of protocols. Consequently, it supports absolutely hundreds of protocols making it extremely competitive with commercial tools (at this time, there are 759 supported protocols); it can read capture files from over 25 different products; it can capture data from Ethernet and 802.11 wireless networks among others like token-ring; output can be stored in a rich variety of formats like libpcap, NetMon and more, as well as printing in plaintext and PostScript.

Wireshark was developed in 1997 by Gerald Combs, and was called Ethereal at that time, a play on the word Ethernet. Combs was seeking to build his knowledge of networking and wanted a robust network troubleshooting tool. He took it upon himself to build one that met his requirements. He publicly released the product under version 0.2.0 in July 1998. Subsequently its popularity has grown and grown and many programmers around the world have added to its capabilities. Due to trademark issues (specifically, Combs by then former-employer owned the rights to the name Ethereal), the product was forced to change name; in June 2006 it was rebranded Wireshark. In May 2007, e-Week dubbed Wireshark one of the most important open-source apps of all time.

Note well that the ability to sniff packets is a sensitive operation; it’s possible malicious people could use such information for harmful purposes. As a result, most all operating systems reserve this power only for super-users who have unfettered access, and not the ordinary users. The upshot of this is that the bulk of Wireshark’s capturing routines mandate it running as the super-user. Given that Wireshark has such a plethora of add-ins, by hundreds of different programmers from around the world, there is a real risk that a badly written add-in will have vulnerabilities that are exploitable by others. In fact, there have been security warnings in the past regarding third-party Wireshark protocol decoders.

Given this, if you are working in a sensitive environment with obscure protocols it may be prudent to use a program like tcpdump to seize the initial raw information and capture it to disk. It is then possible to run Wireshark, without any elevated privileges, to analyse this captured data. It only requires higher-level access for the actual live data capture itself.