NetSec /
\ NetSec

Wireshark LAN Monitoring Guide

Presentation Slides

You can use inexpensive gear (a smart switch or managed switch) and free software (Wireshark or Security Onion) to monitor your network.

In the past you needed expensive equipment and network analysis tools to find out what's actually happening on a network. Now you can use inexpensive gear (a smart switch) and free software (Wireshark).

You'll probably be surprised by what you find out what packets are actually moving around your network. You'll almost certainly be able to use what you learn to make some changes that will improve security, performance, and reliability.

Example

If you want to know, for example, whether devices on your network are silently connecting to the Internet and doing who-knows-what you can do this to find out:

Wireshark Monitored LAN Diagram
Wireshark-Monitored LAN Diagram
  1. Get a "smart" or managed switch.
  2. Configure a mirroring (monitoring) port.
  3. Connect a computer running Wireshark to the mirroring/monitoring port.
  4. Connect the mirrored/uplink port to your router.
  5. Connect hosts/devices to the remaining ports.

If you want to include wireless devices, configure a wireless router as an access point and connect it to the switch.

Packets leaving and entering the switch to and from the router can be captured, profiled, and analyzed using Wireshark.

In the illustration, the "Admin. Port" is a port that's configured as the only one that can be used to configure the switch. Some smart switches don't have this capability. All managed switches do.

Wireshark

Wireshark is the most popular "network protocol analyzer" (sniffer) software. It's a mature and actively-developed Free/Open Source software project. Wireshark has become the de-facto standard tool for its purpose.

Wireshark captures and analyzes copies of network frames, showing you

  • a list of frames that have been "sniffed"
  • information about any specific frame and
  • the captured raw frame data.

Stand-alone Wireshark

If you want to know why network monitoring is even something you should consider, install a copy of Wireshark and take a look at what you can see. I'll bet it sparks some curiosity.

For reasons explained next, you might not see much of your networks overall traffic. You'll only see traffic for the port(s) you're sniffing.

Switched Ethernet

Wireshark shows you what's actually happening on a port. The trouble is, you can't just plug a "sniffer" into a network port and see everything on that network if it's a switched Ethernet network. (Virtually all are.)

In the past Ethernet networks used hubs that were "shared Ethernet" devices. They broadcast incoming traffic on any port to all of the other ports. This topology resulted in collisions and inefficiency, so switching hubs, a.k.a. "switches", were invented.

Switched Ethernet is a vast improvement over shared Ethernet. A switch achieves efficiency by maintaining a table of connected devices using their unique Media Address Control addresses (MAC addresses) and making sure each port only see the traffic that needs to go to the device attached to it.

  • Broadcast traffic is sent to all ports.
  • Multicast (one-to-many) traffic is sent to multiple ports.
  • Unicast (one-to-one) traffic is sent port-to-port.

Unicast traffic that's not destined for your sniffer's port doesn't arrive there. This is why most network traffic can't be captured by just attaching a computer to a network port on a switched network.

You can, however, monitor unicast traffic using a tap or a monitoring port.

Taps

Network Tap Diagram
Network Tap

One way to capture network traffic is with a network tap. A tap a test access point between two nodes where traffic is copied and sent somewhere for analysis.

Network professionals and large IT infrastructures use network taps to capture important traffic in strategic locations on a network. Network taps are devices specifically designed to copy traffic and send it where it can be analyzed.

Port Aggregator Diagram
Port Aggregator

There are various kinds and they're relatively expensive. Two common types for "copper" (not fiber) networks are breakout and aggregating taps.

breakout tap
Captures RX and TX to two separate ports
aggregating tap
Merges (aggregates) RX and TX traffic to a single port

A tap adds a potential point of failure to your network.

Fortunately you can create an inexpensive pseudo-tap using a smart switch or a managed switch.

Switches

I would categorize switches into four basic types.

  1. Unmanaged Switches - not useful for packet capture
  2. Low-end (home) Smart Switches - useful; not secure
  3. Premium (business) Smart Switches - more useful
  4. Fully-managed (enterprise) Smart Switches - useful; most secure

A commonly available smart switch feature is port mirroring, which allows you to monitor one port's activity from another port. A mirroring port is similar to a SPAN (Switched Port ANalyzer) port on enterprise gear. It's technically not a tap, but it's close enough to be useful.

Low-end Smart Switches

The least expensive smart switches, despite having severely limited capabilities, can do port mirroring for network monitoring. These switches, like consumer-grade routers, are notoriously non-secure. You wouldn't be wise to deploy a low-end smart switch in a "hostile environment".

Here are some of the least-expensive models that have port-mirroring capability:

ManufacturerPortsModel #Price
D-Link5DGS-1100-05$30
D-Link8DGS-1100-08$35
Netgear5ProSAFE GS105E$30
Netgear8ProSAFE GS108E$40
TP-Link5TL-SG105E$30
TP-Link8TL-SG108E$35

These use a Windows(-only) utility for management. Current "version 2" models of the TP-Link switches also have a web-based interface that works from Linux and maOS. The Netgear GS105E is specifically mentioned in the Wireshark documentation.

Consumer-oriented devices like these shouldn't be deployed into a "hostile" environment because there are some glaring security weaknesses. For example, the management interface is always available on all ports.

Business Smart Switches

Higher-end smart switches are marketed for small-office environments. These at least can have their management features isolated away from some of the ports, which is a minimum requirement if security is a concern.

Fully-Managed Switches

Fully-managed switches are marketed to for corporate IT environments. They're significantly more powerful than smart switches and they have extra security-oriented features. Their documentation also tends to be quite a bit better than smart switch documentation.

New fully-managed switches with 10-Gigabit uplink ports are expensive, however older models without 10-Gigabit ports are available used for very reasonable prices. You can get one for about the price of a new smart switch.

Limitations

Bandwidth Limitations

If the mirrored port is full-duplex it's possible to exceed the bandwidth of the mirroring port. This is possible because sent and received packets from the mirrored port are aggregated into a single stream of packets for the mirroring port to send.

if you want to ensure no packets will be dropped, you need to have double the bandwidth for mirroring (e.g. two mirroring ports).

Typically this won't be a problem. If traffic on the uplink port is to/from the Internet, the speed is probably limited at the Internet connection.

Limiting the speed on some of the switch's ports may help avoid this bandwidth limitation if it does occur.

Intra-switch Limitations

Unicast port-to-port traffic among devices on the switch will not be monitorable because unicast traffic on a switch only involves the source and destination ports.

This means port scans, attacks, or whatever else happens among devices on the smart switch will not be "seen" by the monitoring port.

Monitoring a Single Device

You can monitor a single device using three ports on your switch. When you monitor a single port all of that device's frames will be captured (subject to the bandwidth considerations described below).

Setup is straightforward.

  1. Mirror a port to another port.
  2. Connect a device to the mirrored port.
  3. Connect another port to a network.
PortConnected to
1 (Mirroring)Monitoring Device
2 (Mirrored)Monitored Device
3 (Uplink)Network

Monitoring Multiple Devices

Wireshark Monitored LAN Diagram
Wireshark-Monitored LAN Diagram

The example above is a simple example of a monitored single LAN where all Internet-bound traffic is monitored.

A more practical and security-conscious example would have multiple isolated private LANs, all of which are monitored. You can accomplish this with a single managed switch and a router that can create isolated private LANs (e.g. pfSense, IPFire, Ubiquity Edgrouter, Mikrotik RouterBoard).

  1. Create multiple private LANs with unique subnets.
  2. Configure a managed switch.
    1. Use one port for switch management (only).
    2. Use one port for monitoring the LANs.
    3. Configure VLANs with one mirrored port each.
    4. Each VLAN's mirrored port will be the "uplink" port that connects to the router.
    5. Put devices on the VLANs using a swithch and/or transparent WiFi access point (not router (*)).
Wireshark Monitored LANs With Three Dumb Routers
Monitored LANs Using Three Dumb Routers

You will be able to capture this traffic:

  • Broadcast (all LANs)
  • IoT LAN ↔ Internet
  • Secure LAN ↔ Internet
  • Work LAN ↔ Internet

(*)Many WiFi routers can be configured as transparent access points using a setting. If your router doesn't have that setting you can probably do it anyway. Maybe try this:

  1. Disable the DHCP server.
  2. Disable the WAN port.
  3. Connect a LAN port to the network.
  4. Use the other LAN ports for wired devices.

Links

Overview of Security Onion:

IntroductionToSecurityOnion · Security-Onion-Solutions/security-onion Wiki · GitHub
Whether you’re tracking an adversary or trying to keep malware at bay, NSM provides context, intelligence and situational awareness of your network.

Explains tap designs, including breakout and aggregate taps.:

The 101 Series: A Primer On Network TAPs
The truth is, the subjects of network TAPs is quite complex, read on to learn about the six different network TAP designs.

Explains the differences between unmanaged, smart, and managed switches:

Understanding the different types of Ethernet Switches
Ethernet Switches are broadly categorized into two main categories – Modular and Fixed Configuration.

Wireshark’s page about capturing packets from Ethernet networks:

CaptureSetup/Ethernet - The Wireshark Wiki
If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment, you will have to capture in "promiscuous mode", and, on a switched Ethernet network, you will have to set up the machine specially in order to capture that traffic.

Videos

Optimal Wireshark Setup | Enhance Your Wireshark Experience 

  https://www.youtube.com/watch?v=F4l3CedRlJc
Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point
  https://www.youtube.com/watch?v=F2HAPAUqitc

Top 10 Wireshark Filters 

 https://www.youtube.com/watch?v=68t07-KOH9Y

How to read Wireshark Output 

  https://www.youtube.com/watch?v=-aTGL4M0db4
ToDo:
  • Machine in the Middle?
Edit | History | Recent Changes (all) | Search
Page last modified on March 18, 2017
Powered by PmWiki