Analyse Linux networks through the ethereal world of Wireshark
by David M Williams   
Monday, 29 October 2007
What’s happening on your network? Tools exist to display raw data but you still need to put work in to uncover real information. Here’s where a network analyser comes in: it will separate the AIM chatter from the MSN; it will divide RPC from SMB. And the best open-source network analyser is Wireshark.
Previously on ITWire we’ve covered Linux security topics such as the free tools nmap and snort, and tightening SSH. Wireshark’s purpose is to sniff network traffic, but more so to interpret and analyse that traffic, giving a far more meaningful breakdown of the actual protocols and applications running, and the nature of the communication that is happening. This is known variously as protocol decoding or dissecting.

This is terrific for security matters – like network intrusion detection, but that’s not all. Wireshark has an untold number of more regular uses, which include troubleshooting network problems and administering your system.

One of the best features of Wireshark is that it is open-source and extensible; it has a wide community of developers who keep adding support for legions of protocols. Consequently, it supports hundreds of protocols, making it extremely competitive with commercial tools (at this time, there are 759 supported protocols); it can read capture files from over 25 different products; it can capture data from Ethernet and 802.11 wireless networks, among others like token ring; output can be stored in a rich variety of formats like libpcap, NetMon and more, as well as printed in plain text and PostScript.

Wireshark was developed in 1997 by Gerald Combs, and was called Ethereal at that time, a play on the word Ethernet. Combs was seeking to build his knowledge of networking and wanted a robust network troubleshooting tool. He took it upon himself to build one that met his requirements. He publicly released the product as version 0.2.0 in July 1998. Subsequently its popularity has grown and grown, and many programmers around the world have added to its capabilities. Due to trademark issues (specifically, Combs’ by-then former employer owned the rights to the name Ethereal), the product was forced to change name; in June 2006 it was rebranded Wireshark. In May 2007, eWeek dubbed Wireshark one of the most important open-source apps of all time.

Note well that the ability to sniff packets is a sensitive operation; it’s possible malicious people could use such information for harmful purposes. As a result, almost all operating systems reserve this power for super-users who have unfettered access, and not for ordinary users. The upshot of this is that the bulk of Wireshark’s capturing routines require it to run as the super-user. Given that Wireshark has such a plethora of add-ins, written by hundreds of different programmers from around the world, there is a real risk that a badly written add-in will have vulnerabilities that are exploitable by others. In fact, there have been security warnings in the past regarding third-party Wireshark protocol decoders.

Given this, if you are working in a sensitive environment with obscure protocols it may be prudent to use a program like tcpdump to capture the raw traffic to disk. It is then possible to run Wireshark, without any elevated privileges, to analyse this captured data. Wireshark only requires higher-level access for the live data capture itself.
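To make concrete both the "dissecting" the article describes and the point that analysing a saved capture needs no privilege, here is a small offline reader for the classic libpcap format (the one tcpdump and Wireshark write) with an Ethernet/IPv4/TCP/UDP dissector. This is an added example, not code from the article or from the Wireshark project; the four-frame capture it parses is constructed inline and is not a real trace, and the function names are my own. The dissector checks every packet-supplied length before using it as an offset, which is exactly the discipline a badly written decoder lacks.

```python
"""Offline libpcap reader with a small Ethernet/IPv4/TCP/UDP dissector.

Added example (not from the article or the Wireshark project). It needs
nothing more than read access to the capture file: no raw-socket privilege
is involved once the capture has been taken with tcpdump.
"""
import struct
from collections import Counter

# magic numbers as seen when the first 4 bytes are read little-endian
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def read_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for every record in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    endian, divisor = PCAP_MAGICS[magic]
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:  # record header promises more bytes than remain
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_frac / divisor, frame


def dissect(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP/UDP, stopping at the first layer that cannot be parsed safely."""
    info = {"l2": "ethernet"}
    if len(frame) < 14:
        info["l2"] = "runt-frame"
        return info
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        info["l3"] = "ethertype_%#06x" % ethertype  # ARP, IPv6 etc. are not decoded here
        return info
    ip = frame[14:]
    if len(ip) < 20:
        info["l3"] = "truncated-ipv4"
        return info
    ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum, saddr, daddr = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    # validate the header length before using it as an offset into the packet
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ip):
        info["l3"] = "malformed-ipv4"
        return info
    info.update(l3="ipv4", src=".".join(map(str, saddr)), dst=".".join(map(str, daddr)), proto=proto)
    l4 = ip[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        data_off = (l4[12] >> 4) * 4
        if data_off < 20 or data_off > len(l4):
            info["l4"] = "malformed-tcp"
            return info
        info.update(l4="tcp", sport=sport, dport=dport, flags=l4[13], payload=l4[data_off:])
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, _ulen, _ = struct.unpack_from("!HHHH", l4, 0)
        info.update(l4="udp", sport=sport, dport=dport, payload=l4[8:])
    return info


def summarise(data: bytes) -> Counter:
    """Count frames by the deepest protocol layer the dissector recognised."""
    counts = Counter()
    for _ts, frame in read_pcap(data):
        d = dissect(frame)
        counts[d.get("l4") or d.get("l3") or d["l2"]] += 1
    return counts


# --- constructed sample capture (not a real trace) ---------------------------
def _eth(ethertype, payload):
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, bytes(src), bytes(dst)) + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap() -> bytes:
    """Four frames: a TCP SYN to port 22, a UDP query to port 53, an ARP request, and an IPv4 header with IHL=0."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_TCP, (10, 0, 0, 5), (10, 0, 0, 1), _tcp(40000, 22, 0x02))),
        _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, (10, 0, 0, 5), (10, 0, 0, 53), _udp(5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
        _eth(0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
        _eth(ETHERTYPE_IPV4, b"\x40" + b"\x00" * 19),
    ]
    out = bytearray(global_header)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1193616000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    for proto, n in sorted(summarise(build_sample_pcap()).items()):
        print("%-18s %d" % (proto, n))
```

Run it as an ordinary user and it reports one TCP, one UDP, one undecoded ARP frame and one malformed IPv4 header; point `read_pcap` at the bytes of a file tcpdump wrote (`tcpdump -w file.pcap`, run with the privilege the article describes) and the same code works on real traffic. The point of the separate `malformed-*` outcomes is that a dissector should refuse a header rather than index past it.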
