Wireshark is a free and widely used tool for capturing and analyzing network traffic. “It is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.” In many ways, Wireshark is similar to the Network Monitor tool included in Windows Server 2003. It monitors all data packets throughout the network and displays them in an easy-to-understand, color-coded GUI. Since it is an open-source and widely used tool, it receives constant updates and technical support. Many IT professionals prefer it to Network Monitor. Wireshark also includes a “promiscuous mode”, which attempts to monitor ALL traffic on the network segment, not just the traffic addressed to a single network adapter.
I successfully logged into a test account, which I created just for this exercise. Upon successful logon, I stopped the capturing process within Wireshark.
The number of packets collected after 30 seconds was staggering. Wireshark contains filter and search features that make analyzing your data easy. For this example, I filtered the results to “HTTP”, since that is where the majority of our data resided. The filter sorts by protocol, so by typing HTTP we reduced our packets to only those using the HTTP protocol. This is the traffic that web browsers generally send over port 80.
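To show what the “HTTP” display filter actually does to a capture like the one above, here is an added example (not code from the original post or from the Wireshark project): a minimal Ethernet/IPv4/TCP dissector that keeps only frames carrying HTTP, applied to three constructed frames (a DNS query, a TLS record on port 443, and a cleartext login POST on port 80). The frame builder, the sample addresses and the login fields are all constructed for the example; checksums are left at zero. It also shows why a login captured over plain HTTP is readable in the filtered results, which is the reason to require TLS for any login page.

```python
import struct
from urllib.parse import parse_qs

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def build_frame(proto, sport, dport, payload):
    """Construct an Ethernet II / IPv4 frame with a TCP (6) or UDP (17) segment.
    Sample input only: checksums are zero and addresses are TEST-NET values."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, type IPv4
    if proto == 6:                                        # 20-byte TCP header, PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                                                 # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + l4 + payload

def dissect(frame):
    """Return (ip_proto, sport, dport, payload), or None for non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    proto = frame[14 + 9]                                 # protocol field
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = (l4[12] >> 4) * 4 if proto == 6 else 8          # TCP data offset or UDP size
    return proto, sport, dport, l4[hdr:]

def is_http(frame):
    """Equivalent of the "http" display filter: a TCP segment whose payload
    parses as an HTTP request or response (in practice, port 80 traffic)."""
    d = dissect(frame)
    if d is None or d[0] != 6:
        return False
    return d[3].startswith(HTTP_METHODS) or d[3].startswith(b"HTTP/1.")

def http_form_fields(frame):
    """Form fields of a cleartext POST; this is what a non-TLS login exposes."""
    if not is_http(frame):
        return {}
    body = dissect(frame)[3].partition(b"\r\n\r\n")[2]
    return {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}

def filter_http(capture):
    """Typing "http" in the filter bar: keep only the frames that match."""
    return [f for f in capture if is_http(f)]

# Constructed capture: DNS query (UDP/53), TLS record (TCP/443), login POST (TCP/80).
CAPTURE = [
    build_frame(17, 53123, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame(6, 50001, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    build_frame(6, 50002, 80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=testaccount&pass=Secret123"),
]
```

Only the third frame survives `filter_http(CAPTURE)`, and `http_form_fields` on it returns the constructed credentials in the clear; the same POST inside a TLS session would be as opaque to the dissector as the port 443 frame.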