Forensics Tutorial 12 - Network Forensics With Wireshark

Wireshark is a network analysis tool that captures network packets in real time and allows users to analyze network traffic and inspect individual packets. It can be used for network troubleshooting, protocol development, and network forensics investigations. This tutorial demonstrates how to use Wireshark to capture and analyze common network protocols including SMTP, Skype, HTTP, and DHCP. It shows how to apply filters to narrow down large amounts of network data, and how to recover potential evidence such as emails by following TCP streams within Wireshark.

Explanation Section
About Wireshark
Wireshark is a network analysis tool (formerly known as Ethereal) that captures packets in real time and
displays them in a readable format. Wireshark provides a variety of options such as filters, color-coding,
and other features that let you analyze network traffic and inspect individual packets. It is most often
used for network troubleshooting, analysis, software and communications protocol development, and
network forensics.

Wireshark is a robust program that allows for the following:

• Using filters greatly assists in narrowing data, as Wireshark tends to capture far more data
than is useful.
• Wireshark can read live data from multiple network types, including Ethernet and IEEE 802.11.
• Wireshark can capture raw USB traffic.
• Wireshark has a GUI for analysis; however, it also has a command line version called TShark.
• Data can be captured directly from a live network or read from already-captured packets.
• VoIP calls and their data can be captured from network traffic. If the encoding is compatible, the
VoIP media can even be played.

Forensics Applications
In the scope of a digital forensics-based investigation, Wireshark can be immensely helpful, especially in
finding and displaying emails that could be potential evidence. For example, Wireshark can be used to
catch a suspect who is stealing a victim’s wireless Internet to make fraudulent online purchases. By using
Wireshark as a network monitoring tool, it is possible to find the IP or MAC address of the suspect, and
to see what sites he or she is visiting. Additionally, it may be possible to recover emails and other
potentially sensitive and incriminating information that the suspect is sending over the network. When
used in conjunction with other forensics tools, such as aircrack-ng (a suite that concentrates on
examining wireless traffic rather than Ethernet), it is possible to enhance the usefulness of Wireshark and
make it an effective forensic network analysis tool.

In This Tutorial
In this tutorial, we will be looking at analysis of basic, commonly seen network traffic, including SMTP
(email), Skype, HTTP, TCP, and DHCP traffic. We will also focus on utilizing Wireshark filters in order to
narrow down the amount of data through which we must look in order to find more pertinent entries.
Additionally, this tutorial will cover recovering network traffic data, such as emails and Skype audio. In
addition, we will review some preferences that can be set in order to make data easier to analyze, and
to make potential network attacks (ARP poisoning in particular) easier to identify before they pose a
true threat. We will learn how to resolve HTTP addresses in order to more easily identify network traffic
through address names.

Note that the Wireshark captures for DHCP and Skype, and many other sample Wireshark packet files
can be found on the Wireshark Wiki page.

Tutorial Section
LEARNING OBJECTIVES:

• Open and run Wireshark on the local network to gather some basic network traffic
• Apply Wireshark filters to narrow data
• Identify and intercept SMTP (email) traffic
• Identify and intercept Skype text chat traffic
• Identify HTTP traffic
• Set Wireshark preferences to alert the user to ARP Poisoning on the network
• Set Wireshark preferences to resolve HTTP addresses

Part 1 – Run Wireshark and Gather Network Information


1. Login to the Virtual Lab website (https://v5.unm.edu/cloud/org/ialab), and enter the ‘NEST Digital
Forensics vApp’. Click on the Windows 8 machine to open the VM.

2. At the login screen of the Windows 8 machine use the password letmein.

3. Launch Wireshark from the Desktop via the Wireshark icon. The main GUI page will open.

4. Beneath the green Start icon are the network connections that can be selected. We will be looking
at the Ethernet connection in this tutorial. Select Ethernet (it may be called Ethernet 2, Ethernet 3,
etc. – just select the Ethernet option) so that it is highlighted, and click Start to begin monitoring
network traffic. Since we are not generating any network data at this moment, it is likely that
nothing will appear. However, the program will state that a live capture is in progress near the
bottom of the window.

5. To generate some network traffic, visit some websites, send some mail, connect to FTP, or perform
other operations. Once you have performed some operations and generated some network traffic
within Wireshark, press the red square button to stop the live capture. By browsing through the
large amount of traffic, it is clear that there are multiple different protocols being used, such as TCP,
HTTP, DNS, and ARP.

Below is a breakdown of the most commonly seen protocols within Wireshark.


• TCP: the transport protocol that carries most application traffic between hosts. It establishes a
connection with a 3-way handshake using SYN, SYN/ACK, and ACK packets before any data is
exchanged, and is fundamental to how computers talk with one another. This could easily be its own
tutorial and will not be the focus in this example.

• FTP: the protocol used for file transfer
• SMTP: the protocol used for sending email
• HTTP: the protocol used by web browsers for visiting websites

Part 2 – Applying Wireshark Filters


1. Since there is an enormous amount of traffic, most of which is not really useful to us at this time, it
is possible to apply filters within Wireshark to narrow down the data to what is really important to
the situation.

Since we visited some web pages, we want to view HTTP data and see what websites we visited. In
order to view only HTTP network traffic, we must apply a filter. To apply a filter, type “http” into the
Filter box near the top of the Wireshark window and click Apply. Now only HTTP protocol traffic will
be displayed.

2. The same kind of filter can be applied to SMTP, TCP, and DNS. Be sure to clear the current filter using
the Clear button before applying another. Filters can also be saved for later use by clicking the Save
button.

Part 3 – Identify and Intercept SMTP (email) Traffic


1. In the scope of digital forensics, Wireshark can be used to capture potential evidence, such as data found
in email. In this sample, we will see how email data can be captured. For this section of the tutorial,
we will be using the premade Wireshark capture named emailpackets. In Wireshark, save and close
the current session, and make your way back to the main Wireshark GUI page.

2. Click Open to open a previously captured file. Navigate to Y:\Investigative Drive\Wireshark Packets
and open the emailpackets file.

3. The file will open and packets will be shown within Wireshark. You will note that there are
multiple types of network protocols displayed here, including HTTP, SMTP, TCP, and others. In this
example we are focusing on SMTP, or email. Navigate to the SMTP packet that states MAIL FROM in
the Info field. This is an email that was sent across the network.

4. If we look at the surrounding block of packets, we can see that an email was sent from
[email protected] to [email protected]. In this case, both machines are on the same
network. Now that we can see how the email was sent, we can attempt to gather information sent
in the email.

5. Next we want to view the TCP stream, which will allow us to see the steps in this particular network
event. Right click on any of the packets in the SMTP block, and click Follow TCP Stream. This also
applies a filter to the top of the Wireshark window which will need to be cleared after reading the
TCP Stream in order to get back to the entire capture.

6. A new window will open with information about the TCP Stream. Within this new window depicting
text output, we can see some plain text information:
“My backup password:
Hell0W0rld!
Don't delete this!”
This information could well be useful; we should hold onto it for the scope of the investigation.

7. We can now continue looking through the stream. However, instead of looking through all traffic in
the file again for interesting packets, we can instead sort the traffic by the Protocol column and scroll
down to the SMTP entries.

We can see that there are multiple packets labeled as data fragments. This means that data was sent
over the SMTP protocol, as an attachment of some sort. However, the fact that the data is shown in
fragments does not mean we can't see the entire file. By following the TCP stream, Wireshark
reassembles the fragments and we can see the entire data file. Right click on one of the fragment
packets and follow the stream.

8. A new window will open with some scrambled-looking data. This means that the data was not sent
as readable text. However, the headers at the top of the stream show that the encoding for this data is
Base64. Base64 represents the binary bytes of an attachment as printable text so that they can travel
over a text-based protocol such as SMTP; it is an encoding, not encryption, so anyone holding the
capture can decode it. In order to view this attachment, simply save the stream by clicking Save As at
the bottom of the open window. Save it anywhere you would like.

9. Since the data was sent via email, the saved stream must be opened with an email client in order to view
the message as it was originally sent. In this case, it has been opened in Mozilla Thunderbird by opening
Thunderbird, going to File>>Open Saved Message, and opening the saved data file. The email,
when opened, displays a message with an attachment, backup.rar. Save the rar file and open it with
any program that opens rar files. In this case I am using 7zip. When opened, you will be prompted
for a password. However, we already have this information from examining the earlier SMTP stream. Try
Hell0W0rld! as the password. This will unlock the rar file, giving us access to its contents.
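Steps 5 through 9 can also be reproduced programmatically. The following is an added example, not part of the tutorial (which does this through Thunderbird and 7zip): it parses the session text that Follow TCP Stream shows, reassembles the message, and decodes the Base64 attachment. The SMTP session, addresses, message text and attachment bytes are all constructed for this example.

```python
import base64
import email
from email import policy

# Constructed SMTP session, laid out as Wireshark's Follow TCP Stream shows it
# (client commands and server replies interleaved). Addresses, text and the
# attachment bytes are made up; the "archive" is a placeholder, not a real RAR.
ATTACHMENT_BYTES = b"Rar!\x1a\x07\x00 constructed placeholder"
SMTP_STREAM = (
    "MAIL FROM:<sender@example.test>\r\n250 OK\r\n"
    "RCPT TO:<recipient@example.test>\r\n250 OK\r\n"
    "DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
    "From: sender@example.test\r\nSubject: backup\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    "--XYZ\r\nContent-Type: text/plain\r\n\r\n"
    "My backup password:\r\nHell0W0rld!\r\nDon't delete this!\r\n"
    "--XYZ\r\nContent-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="backup.rar"\r\n\r\n'
    + base64.b64encode(ATTACHMENT_BYTES).decode() + "\r\n"
    "--XYZ--\r\n.\r\n250 OK queued\r\nQUIT\r\n221 Bye\r\n"
)

def parse_smtp_stream(stream):
    """Recover the envelope (MAIL FROM / RCPT TO) and the message the client
    sent between the server's 354 reply and the terminating lone '.' line."""
    mail_from, rcpt_to, body, in_data = None, [], [], False
    for line in stream.split("\r\n"):
        if in_data:
            if line == ".":
                in_data = False
            else:  # undo SMTP dot-stuffing: a line sent as '..x' was '.x'
                body.append(line[1:] if line.startswith("..") else line)
        elif line.upper().startswith("MAIL FROM:"):
            mail_from = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            rcpt_to.append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.startswith("354"):
            in_data = True
    msg = email.message_from_string("\r\n".join(body), policy=policy.default)
    return mail_from, rcpt_to, msg

def extract_attachments(msg):
    """Base64 is an encoding, not encryption: decode=True turns each
    attachment back into its original bytes without any key."""
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.iter_attachments()}

def extract_text(msg):
    """The readable part of the mail, as seen in the first Follow TCP Stream."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""
```

The decoded bytes can be written to disk with the recovered filename, which is the equivalent of saving the attachment from Thunderbird.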

10. This is the type of information useful in the scope of digital forensics investigations. Wireshark can
be used for additional operations and analysis that can result in the gathering of data. However, in
order to become comfortable with Wireshark, it is necessary to simply practice with data on your
own network.

Part 4 – Identify and Intercept Skype Information


1. In this example, we will be examining Skype chat (text) data. Click Open to open a previously
captured file. Navigate to Y:\Investigative Drive\Wireshark Packets and open the SkypeIRC file. The
window will appear as below.

2. We can see that there are a number of protocol types, including IRC. IRC stands for Internet Relay
Chat and is used for text-based conferencing. By following the TCP stream, we can view text-
based chats occurring between systems on the same network. Right click on an IRC protocol entry,
and click Follow TCP Stream. A similar effect can be achieved by entering irc into the Filter field near
the top of the Wireshark window.

3. We can now follow the text-based chat conference between several different users. In order to
better view the text-based Skype chat, click Save As and save the text file to the Y:\Investigative
Drive. Open the saved file with another application – in this case we are using Internet Explorer. It is
possible to now see a list of users with email addresses involved in the chat, and the chat text from
the Skype conference.

Information like this can be used in the scope of forensics investigations, especially when
investigators are attempting to gather information from potentially criminal chats on a network.
This same method is used when gathering chat information over a wireless network as well.
Checking for IRC data will assist in detecting potential text-based chats occurring on the network.

Part 5 – Setting Wireshark Preferences for ARP Poisoning Detection


1. There are several preferences within Wireshark that can be used to detect potential network
attacks. Wireshark is used not only for forensics, but is also a proficient tool in identifying potential
network attacks. In this case, it is possible to detect ARP poisoning as it is beginning to occur.
Navigate to Edit>>Preferences. Drill down to Protocols>>ARP/RARP. Check the box to Detect ARP
request storms. An ARP request storm, a burst of many ARP requests in a short period, is generated
when an ARP attack is launched on a network. Also make sure that Detect duplicate IP address
configuration is checked; this flags an IP address that is claimed by more than one MAC address,
which is what a poisoned ARP mapping looks like on the wire. Click Apply. In the future, Wireshark
will flag these conditions in the packet details and Expert Information, alerting you to ARP poisoning
attempts on the network being captured.
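As an added example that is neither part of the tutorial nor Wireshark's own code, here is the logic behind the two preferences above applied to a constructed list of ARP frames: a per-sender sliding window for request storms and a sender-IP to MAC table for duplicate claims. The thresholds, MAC and IP addresses are this example's assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Tuple

class ArpFrame(NamedTuple):
    ts: float        # capture timestamp in seconds
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

def detect_arp_storms(frames, threshold=30, period=0.1) -> List[Tuple[str, float]]:
    """Same idea as Wireshark's 'Detect ARP request storms': a sender MAC that
    issues `threshold` or more requests within `period` seconds is flagged.
    Thresholds are this example's choice; set them to match your preferences."""
    windows: Dict[str, deque] = defaultdict(deque)
    storming, alerts = set(), []
    for f in frames:
        if f.opcode != 1:
            continue
        w = windows[f.sender_mac]
        w.append(f.ts)
        while f.ts - w[0] > period:   # drop timestamps outside the window
            w.popleft()
        if len(w) >= threshold:
            if f.sender_mac not in storming:   # report once per burst
                storming.add(f.sender_mac)
                alerts.append((f.sender_mac, f.ts))
        else:
            storming.discard(f.sender_mac)
    return alerts

def detect_duplicate_ips(frames) -> Dict[str, List[str]]:
    """Same idea as 'Detect duplicate IP address configuration': an IP whose
    sender field is claimed by more than one MAC. 0.0.0.0 is skipped because
    ARP probes legitimately use it before a host has an address."""
    claims: Dict[str, List[str]] = defaultdict(list)
    for f in frames:
        if f.sender_ip != "0.0.0.0" and f.sender_mac not in claims[f.sender_ip]:
            claims[f.sender_ip].append(f.sender_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def sample_frames() -> List[ArpFrame]:
    """Constructed capture: a normal request/reply pair, then 40 requests from one
    MAC inside 40 ms, then a reply in which that MAC claims the gateway's IP."""
    frames = [ArpFrame(0.000, 1, "00:11:22:33:44:aa", "10.0.0.5", "10.0.0.1"),
              ArpFrame(0.001, 2, "00:11:22:33:44:01", "10.0.0.1", "10.0.0.5")]
    frames += [ArpFrame(1.0 + i * 0.001, 1, "de:ad:be:ef:00:01", "10.0.0.9",
                        f"10.0.0.{10 + i}") for i in range(40)]
    frames.append(ArpFrame(2.0, 2, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.5"))
    return frames
```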

Part 6 – Setting Wireshark Preferences for HTTP Name Resolution


1. When looking at HTTP protocol network traffic, the HTTP traffic is displayed by IP address. At times,
it is more beneficial to view the IP address as a resolved host name. In order to enable this, navigate
to Edit>>Preferences. Under Name Resolution, check the box that says Resolve network (IP)
addresses. Note that this relies on reverse DNS lookups, so the name returned is often that of the
hosting provider rather than the site visited; the site name itself is carried in the HTTP Host header,
available in Wireshark as the http.host field.

2. Start a new network capture and browse some websites. Stop the capture and apply an HTTP filter.
Now when looking at the HTTP information, the majority of the IP addresses have been resolved to
names. In this case, it is clear that a website hosted at dreamhost.com was being visited. If
CNN.com or another site was visited, this information would be shown in the resulting HTTP data. In
the scope of digital forensics, investigators can use this information to identify suspects visiting
illegal sites or conducting illegal activities on these sites.

Conclusion
Wireshark is a highly proficient tool that can be used not only for digital forensic investigations, but also
for network defense and protection. It does have a bit of a learning curve due to the massive amount of
network traffic data that Wireshark captures. However, through the use of filters and correctly set
preferences, it is possible to identify and extract the data of interest from a Wireshark capture.

There are a large number of Wireshark-based tutorials that can be found online and on the Wireshark
Wiki page. Essentially, the best and most thorough way to learn Wireshark is to practice
distinguishing useful from non-useful types of data. Utilizing online resources and premade captures to
identify useful information and to reassemble data is the ideal way to learn how to use
Wireshark efficiently.

Try This
Locate a set of premade Wireshark captures from the Wireshark Wiki page or from an online Wireshark
tutorial. Identify the various protocols and kinds of network traffic, and identify the useful data using filters and
preferences to narrow the data to that which is most useful. A helpful exercise might involve looking at
network traffic involving media transfer. Attempt to gather the media data from the Wireshark traffic.
Are you able to reassemble the original data?
