Posted On April 9, 2019

Wireshark Overview

kimconnect

SysAdmins, InfoSec, and Network Engineers often use this tool to troubleshoot and detect network activity on the fly. Without further ado, here is an overview of how to use this thingy:

1. Configure wireshark to listen to an interface
2. To collect data, click Start
3. Data columns

  1. Source
  2. Destination
  3. Protocol
  4. Length
  5. Info

4. Filtering raw data to produce information

  1. Filter > type in a protocol name (e.g. FTP) > select a packet > scroll down to the protocol section
  2. To narrow the filter down to a certain host and protocol, input (ftp) && (<IP_ADDRESS>). This can also be done by right-clicking an interesting packet > selecting filter by

5. How to detect a network scan

  1. If the Info column shows "RST" / "TCP ACKed unseen segment" (usually marked black by Wireshark for quick identification of bad packets), it means that the local interface has dropped the packet. This can be interpreted as a network scan detection if the other nodes on the network show the same origination IP with similar responses.
  2. If the local interface is sending unknown traffic to a strange remote IP, follow your operating system's syntax to trace down the offending application or process. Here are some sample commands on various OSes:
    i. Windows: run CLI > netstat | findstr "{port_number}" > netstat -aon | find /I "{PID}"
    ii. Linux: run CLI > netstat -lnp | grep {port_number}
    iii. MacOS: run CLI > sudo lsof -i:{port_number} > locate the PID of probable cause > run Activity Monitor > match the PID of the suspecting app > halt process
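The heuristic in step 5.1 (many RST replies from different local hosts back to one origination IP) can be turned into a small check over exported packet summaries. This is an added example, not part of the original post: the capture lines are constructed, tab-separated in the Source / Destination / Protocol / Length / Info column order listed above, and the threshold of three responding hosts is an assumption.

```python
"""Flag probable network scans from Wireshark-style packet summaries.

Added example (not from the original post). Applies the step 5.1
heuristic: TCP RST replies from several distinct local hosts to one
origination IP suggest a port scan. Lines are tab-separated in the
Source / Destination / Protocol / Length / Info order; the sample is
constructed.
"""
from collections import defaultdict

# Constructed sample capture: Source, Destination, Protocol, Length, Info
SAMPLE_CAPTURE = """\
10.0.0.5\t10.0.0.20\tTCP\t74\t45210 > 22 [SYN] Seq=0
10.0.0.20\t10.0.0.5\tTCP\t54\t22 > 45210 [RST, ACK] Seq=1 Ack=1
10.0.0.5\t10.0.0.21\tTCP\t74\t45211 > 23 [SYN] Seq=0
10.0.0.21\t10.0.0.5\tTCP\t54\t23 > 45211 [RST, ACK] Seq=1 Ack=1
10.0.0.5\t10.0.0.22\tTCP\t74\t45212 > 3389 [SYN] Seq=0
10.0.0.22\t10.0.0.5\tTCP\t54\t3389 > 45212 [RST, ACK] Seq=1 Ack=1
10.0.0.30\t10.0.0.40\tTCP\t74\t51000 > 443 [SYN] Seq=0
10.0.0.40\t10.0.0.30\tTCP\t54\t443 > 51000 [RST, ACK] Seq=1 Ack=1
10.0.0.31\t10.0.0.9\tFTP\t80\tRequest: USER anonymous
"""

def parse_summary(text):
    """Yield one dict per non-empty line with the five Wireshark columns."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, length, info = line.split("\t", 4)
        yield {"src": src, "dst": dst, "proto": proto,
               "length": int(length), "info": info}

def rst_responders(packets):
    """Map each IP that received a TCP RST to the set of hosts that sent one."""
    seen = defaultdict(set)
    for p in packets:
        if p["proto"] == "TCP" and "[RST" in p["info"]:
            seen[p["dst"]].add(p["src"])
    return seen

def suspected_scanners(text, min_hosts=3):
    """Return origination IPs refused (RST) by at least min_hosts distinct hosts."""
    responders = rst_responders(parse_summary(text))
    return sorted(ip for ip, hosts in responders.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE_CAPTURE))  # ['10.0.0.5']
```

A single RST (10.0.0.30 above) is normal for a closed port and is not flagged at the default threshold; lowering min_hosts shows how quickly the heuristic becomes noisy.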
