An introduction to packet analysis with Wireshark

Packet/traffic analysis deals with the study of network traffic, where the objective is to understand the structure, movement, and behavior of packets. Packet analysis is performed over live traffic or done over an already captured stream of traffic.

Numerous issues arise in day-to-day networking infrastructures, and if you are responsible for handling the network or security of your digital environment, you need to equip yourself with troubleshooting and analytical tools. Most networking issues are ultimately diagnosed and rectified at the packet level. Issues arising at the packet level can gradually end up disrupting critical business communication, leading to loss of revenue. Even the best networking hardware utilizing the most advanced and secure set of protocols and services can work against you or behave abnormally. To perform a root cause analysis in such situations, you might need to dig down to the packet level in order to understand the anomaly. Packet analysis can be used for the following purposes:

  • To analyze network issues by looking into the packets and their headers to gain better insights.
  • To detect and analyze network intrusion attempts through filtering patterns and signatures.
  • To detect network misuse by internal or external users by establishing firewall rules in your security appliance and then monitoring those rules.
  • To study and isolate exploited systems so that the affected system doesn't become a pivot point.
  • To monitor and analyze data in motion as it travels live in the wires of your network.
  • To have better control over the allowed and restricted categories of information traveling in your network. For instance, say you want to create a rule in the firewall that will block access to torrent sites (peer-to-peer file sharing). Blocking them can also be done with access lists on a managed router, but the origin of such packets can be identified and validated through traffic analysis.
  • To gather and report network statistics by filtering packet trails.
  • To learn who is on a live network and what they are doing (they may be consuming network bandwidth or trying to connect to restricted websites), and to learn whether someone is trying to bypass the network restrictions you configured.
  • To debug client/server communications so that all the requests and replies communicated on your network can be audited.
  • To identify applications that are sitting in the corner of your network and consuming the bandwidth. They might be making your network insecure, unresponsive, or visible to the public network.
  • To debug network protocol implementations and any anomalies generated by unintentional misconfiguration or human error.
  • To identify abnormal/malicious traffic patterns that reach your network, then to analyze, control/supervise them, and make yourself ready for such events.

When performing packet analysis, the things to be considered are as follows:

  • The protocol(s) to be interpreted
  • Whether you need to capture traffic from all sources and all destinations
  • Placing your sniffer adequately
  • Capturing traffic pertaining to a particular port or service to avoid unwanted noise

You should record and build use cases pertaining to the network traffic pattern and behavior. Use cases may assist engineers in troubleshooting network issues.

Packet analyzers can interpret most networking protocols (such as IP and ICMP), transport-layer protocols (such as TCP and UDP), and application-layer protocols (such as DNS and HTTP).
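To make the two points above concrete, namely capturing only the traffic for a particular port to avoid noise, and an analyzer interpreting IP/ICMP, TCP/UDP and DNS/HTTP, here is a small decoder written for this page. It is an added example, not code from the book or from Wireshark. It decodes Ethernet II, IPv4, TCP, UDP and ICMP headers with the standard RFC layouts and applies a port filter equivalent to a `port 53` capture filter. The sample frames are constructed in the script (they are not captured traffic, use RFC 5737 documentation addresses, and leave the IP and transport checksums at zero, which the decoder does not verify); the application-protocol guess by request line and well-known port is a simplification of what a real dissector does.

```python
import socket
import struct

# Fixed-size header layouts in network byte order. Options are honoured through
# the IHL and TCP data-offset fields rather than assumed absent.
ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")    # sport, dport, seq, ack, data offset, flags, window, csum, urg
UDP_HDR = struct.Struct("!HHHH")         # sport, dport, length, csum
ICMP_HDR = struct.Struct("!BBH")         # type, code, csum

TCP_FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))
WELL_KNOWN_PORTS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def tcp_flag_str(flags):
    return "".join(name for name, bit in TCP_FLAG_BITS if flags & bit)

def guess_app(pkt):
    """Name the application protocol: HTTP by request line, otherwise by well-known port (simplification)."""
    if pkt.get("proto") == "TCP" and pkt["payload"][:8].split(b" ")[0] in {b"GET", b"POST", b"HEAD"}:
        return "HTTP"
    for port in (pkt.get("dport"), pkt.get("sport")):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return None

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP|UDP|ICMP headers of one frame into a summary dict."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return {"proto": "non-IPv4", "ethertype": ethertype, "payload": b""}
    off = ETH_HDR.size
    vhl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = IP_HDR.unpack_from(frame, off)
    ihl = (vhl & 0x0F) * 4
    if vhl >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl}
    end = off + total_len  # the IP total length bounds the payload; Ethernet padding is ignored
    off += ihl
    if proto == 6:
        sport, dport, _seq, _ack, doff, flags, _win, _csum, _urg = TCP_HDR.unpack_from(frame, off)
        off += (doff >> 4) * 4  # skip TCP options if any
        pkt.update(proto="TCP", sport=sport, dport=dport, flags=tcp_flag_str(flags))
    elif proto == 17:
        sport, dport, _ulen, _csum = UDP_HDR.unpack_from(frame, off)
        off += UDP_HDR.size
        pkt.update(proto="UDP", sport=sport, dport=dport)
    elif proto == 1:
        itype, icode, _csum = ICMP_HDR.unpack_from(frame, off)
        off += ICMP_HDR.size
        pkt.update(proto="ICMP", type=itype, code=icode)
    else:
        pkt.update(proto="IP proto %d" % proto)
    pkt["payload"] = frame[off:end]
    pkt["app"] = guess_app(pkt)
    return pkt

def filter_by_port(frames, port):
    """Keep only packets with `port` as source or destination, like a 'port N' capture filter."""
    kept = []
    for frame in frames:
        pkt = parse_frame(frame)
        if port in (pkt.get("sport"), pkt.get("dport")):
            kept.append(pkt)
    return kept

def summarize(pkt):
    """One-line summary in the style of a packet-list row."""
    if "src" not in pkt:
        return "non-IPv4 frame (EtherType 0x%04x)" % pkt["ethertype"]
    ends = "%s -> %s" % (pkt["src"], pkt["dst"])
    if pkt["proto"] in ("TCP", "UDP"):
        ends = "%s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    detail = pkt.get("flags") or ("type %d code %d" % (pkt["type"], pkt["code"]) if pkt["proto"] == "ICMP" else "")
    return " ".join(p for p in (ends, pkt["proto"], detail, pkt["app"] or "") if p)

# ---- constructed sample frames (not captured traffic); IP and transport checksums left at 0 ----
def _ipv4_frame(src, dst, proto, l4):
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip + l4

def _tcp(sport, dport, flags, payload=b""):
    return TCP_HDR.pack(sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return UDP_HDR.pack(sport, dport, UDP_HDR.size + len(payload), 0) + payload

# Minimal DNS query for example.com, type A: 12-byte header followed by the question section.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_FRAMES = [
    _ipv4_frame("10.0.0.5", "203.0.113.10", 6, _tcp(51514, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    _ipv4_frame("10.0.0.5", "10.0.0.1", 17, _udp(53412, 53, DNS_QUERY)),
    _ipv4_frame("10.0.0.5", "10.0.0.1", 1, ICMP_HDR.pack(8, 0, 0) + b"\x00\x01\x00\x01abcd"),
    _ipv4_frame("10.0.0.7", "10.0.0.9", 6, _tcp(40000, 22, 0x02)),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(summarize(parse_frame(frame)))
    print("-- only port 53 --")
    for pkt in filter_by_port(SAMPLE_FRAMES, 53):
        print(summarize(pkt))
```

Run as a script it prints one row per frame and then only the DNS packet; the same structure (link layer, network layer, transport layer, application guess) is what a Wireshark dissector tree shows for each packet, and the port filter is the noise-reduction step the list above recommends.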