What is Wireshark

Wireshark - How to analyze your own network traffic

Stephan Lamprecht

More and more devices require access to the Internet. Only a special tool can tell you whether a smart door lock or a remotely controlled heating system really transmits only the data it needs.

Wireshark shows the entire data traffic that runs through the network adapter of a computer.

We are all used to the convenience of countless applications on our computers updating themselves automatically. And of course it is convenient to be able to turn on the air conditioning or heating on the way home. In this context, applications regularly make headlines for sending additional information about the connected systems to a manufacturer's server. Without asking for permission, of course. Wireshark helps you track down unwanted data traffic. However, the packet sniffer is a tool that requires a good knowledge of network protocols.


What do you use Wireshark for?

The sniffer Wireshark is available in all Linux distributions as well as for Windows and macOS. The program records the data traffic and lets you view the content of each data packet. The IP address of the target system is always logged. With Wireshark, for example, programs that are notorious for "calling home" can be exposed. You can also evaluate the collected traffic statistically, for example by looking for particularly large packets or for addresses that are accessed frequently. A cross-check of who owns such an IP address may then put you on the trail of an attack.

Wireshark logs the network traffic of the interfaces of the system on which it is installed. So it can examine all incoming and outgoing connections of the respective computer. At the same time, it also receives all data packets that are sent to all systems in the network (broadcasts).

It gets more difficult with the router: Wireshark cannot monitor and log the central node of the network directly, unless the router supports this itself. If available, this logging function of the router is usually buried deep in the configuration. In the case of the Fritzbox, calling fritz.box/support.lua leads to a support page that offers "packet recordings". The page can also be reached from the normal Fritzbox interface via the small "Support" link at the bottom left. The recording is saved as a file on the hard drive of the PC from which you operate the Fritzbox. The file format is Wireshark-compatible, and the file can be opened directly in the sniffer.

Caution: Unfortunately, some Fritz boxes (such as the cable Fritz boxes from Vodafone) are functionally reduced and do not offer this option. We can only mention the technically far more demanding alternative here, not explain it in detail: it consists of using the router only as a modem. Behind it you build a router with OpenWrt on a Raspberry Pi, on which an installed Wireshark can then monitor all traffic completely.

Analyze network traffic

You can inspect every single packet.

The recording precedes the analysis. After you have started Wireshark, the software first shows you the interfaces of the computer. In the overview, mark the entry for the interface that is to be monitored. Start the recording with a click on the shark-fin icon in the upper left corner. You can click on an entry during the recording to take a closer look at the packet. Continue working with the system as usual. When it comes to discovering unwanted network traffic, it is not possible to determine with certainty when a computer calls its target host. Later on, if you have a particular protocol or destination address under suspicion, you can filter the recording of the data traffic from the beginning. In the "Capture" menu you will find the entry "Capture Filters".

In the following dialog you can then decide on one of the options shown. You can use the plus sign to define your own filters with the support of the program. The function of organizing the rapidly growing list using coloring rules (icon with colored bars) is practical: packets of the same protocol become easier to spot. As you analyze the traffic, you are likely to come across protocols that you have not encountered often in your day-to-day work. Then research on the Internet what they are and what they are used for.

Find network problems

For each element, the context menu shows the properties of the respective protocol.

Delays in accessing network resources or the impression that the connection is too slow are classic network problems. If a speed measurement directly on the router (via Ethernet cable, on an Ethernet interface) shows that the bandwidth does not correspond to the booked tariff, the DNS server should also be checked. Providers often have a problem with this, especially in the evening hours. If possible, enter a public DNS in the router, for example from Google or Oracle, and check whether this solves the problem. If not, Wireshark can help narrow it down. If the throughput is low, the suspicion is that the interface is being used by a service that sends many or large data packets. Such analyses can be carried out with the statistical functions of the program. Use the "Endpoints" command to call up a list of the destination addresses of the packets. With a click on the column headings you can sort these entries by frequency. You will quickly notice endpoints outside of your network. Using Whois queries, you can then determine who is behind the relevant IP addresses.

If it is the provider whose hardware you are using, a look at the packets can possibly reveal what is being transmitted there. If it turns out that the IP address cannot be clearly assigned, but comes from the address space of another access provider, particular caution is required: an attack attempt could be behind it. In that case it makes sense to check the computer for malware and rootkits. Wireshark doesn't lead you directly to the potential culprit, but it does reveal a lot about what's going on in the network. Whether all of it is legitimate, however, you have to judge for yourself.
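As an added illustration that is not part of the original article, the following Python script reproduces what Wireshark's "Endpoints" statistic does: it reads a capture in the classic libpcap format (the format Wireshark and the Fritzbox export write), ignores local addresses and counts packets and bytes per external endpoint. The capture is constructed inline, and the prefix 192.168.178. is an assumption standing for the home network.

```python
import struct
from collections import Counter
from ipaddress import ip_address

LAN = "192.168.178."  # assumed home-network prefix; adjust to your own LAN

def build_packet(src, dst, payload_len, proto=6):
    """Construct a minimal Ethernet/IPv4 frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def iter_ipv4(pcap):
    """Yield (src, dst, ip_total_length) for every IPv4 packet in a pcap byte string."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the writing host
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (e.g. ARP) or truncated
        total_len = struct.unpack("!H", frame[16:18])[0]
        yield str(ip_address(frame[26:30])), str(ip_address(frame[30:34])), total_len

def endpoint_stats(pcap, lan_prefix=LAN):
    """Packets and bytes per external endpoint, most frequent first (like Statistics > Endpoints)."""
    packets, byts = Counter(), Counter()
    for src, dst, n in iter_ipv4(pcap):
        for addr in (src, dst):
            if not addr.startswith(lan_prefix):
                packets[addr] += 1
                byts[addr] += n
    return sorted(((a, packets[a], byts[a]) for a in packets), key=lambda t: (-t[1], t[0]))

# Constructed sample capture: one local packet plus traffic to two documentation-range hosts.
SAMPLE = build_pcap([
    build_packet("192.168.178.20", "192.168.178.1", 40),
    build_packet("192.168.178.20", "203.0.113.5", 60),
    build_packet("203.0.113.5", "192.168.178.20", 1400),
    build_packet("192.168.178.20", "203.0.113.5", 60),
    build_packet("192.168.178.20", "198.51.100.7", 1200),
])

if __name__ == "__main__":
    for addr, count, total in endpoint_stats(SAMPLE):
        print(f"{addr:16} {count:5} packets {total:8} bytes")
```

The addresses that top this list are the ones to run a Whois query on, exactly as the article describes for the sorted Endpoints view.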


The SSL encryption

Sniffers like Wireshark have a problem: in order to be able to see the contents of a packet, it has to be unencrypted. With a secure connection, the packet with its destination address still appears, but the content cannot be inspected. The good news: Wireshark can also decrypt encrypted data traffic. The restriction: this only works if you can load the key that was used into Wireshark. This is demanding, however. The Wireshark developers have written instructions in the official wiki that describe the basic procedure, for example for analyzing SSL connections established by Firefox.