Exploring Wireshark for Network Traffic Analysis

In today’s world security and privacy are the most needed qualities of any network. From calling to online transactions all occur on the network on daily basis. So there is the need to analyse the network in which all these activities occur. Network analysis thus plays a vital role in maintaining and optimizing network performance, security and troubleshooting. This paper researches on the topic network traffic analysis using Wireshark. Wireshark is an open source network packet analyser and it can be used by security administrators to analyse the traffic, analyse data packets and their role in shaping network behaviour. The network analysis using Wireshark will help to know any suspicious or malicious traffic in our network so that timely action can be taken to avoid attacks like DDOS, Man-in-the middle etc.


Introduction 1.1 Network Traffic Analysis
It is a process of capturing the traffic or data packets in the network and analyse them [3].It also includes monitoring and evaluating the data that is transmitted over the network from the computers to the servers and back.It involves the examination of the captured data packets that flow through the network in order to gain insights into the network's behaviour, performance and security.The analyses helps the network administrators to track the utilization of the network, identify and suspicious activity, bottlenecks.In the event of breach, network traffic analysis provides valuable evidence for investigating, understanding the reasons for the attack.Network traffic analysis can be performed using various tools and techniques, like intrusion detection systems, packet sniffers, Wireshark etc.

Wireshark
Wireshark is an network packet analyzer used for network analysis by security administrators, network administrators in order to understand the flow of packets over the network [1].Wireshark provides a platform to capture, inspect and analyse the packets and the traffic.It was originally known as Ethereal.It came into existence in order to better understand the inner working of network communication protocols like TCP, UDP, HTTP etc.Over time it has evolved as a versatile and indispensable resource to drive insights and reveal hidden dynamics of the network behaviour [2].Wireshark thus helps in troubleshooting network issues, analysing packets, analysing various protocols and their role in the network traffic.Wireshark also provide various statistical methods and graphs to clearly visualize and understand the network traffic and thus helping the network security administrators to detect various active and pas-sive attacks over the network.With the help of Wireshark we can get the IP addresses and the Port numbers of sender and receiver.

Packet Capturing
Packet capturing refers to the process of recording and intercepting individual data packets that flow over the network.These packets are the fundamental units of data transmission.The packets includes data like the IP address, the port numbers, length of the data, data itself and much more.Capturing allows the network administrators, security professionals, analysts to inspect, analyse and examine the network traffic in real time or offline.This paper discusses the optimization of traffic analysis performance, detection of network forensics and spam, network proofing with penetration testing, policy formation, and data delivery in integrated systems, while also discussing countermeasures to reduce this risk [3].

Research Paper
The paper discussed the use of wireshark for network traffic analysis, its role in addressing network forensics, and the risks associated with obtaining useful information for attacks or stealing data, while also addressing solutions [3]

3
Methodology Wireshark uses several phases for network traffic analysis.The steps are as follows for capturing the network packet:  Select the network on which you want to perform traffic analysis from various available options like Ethernet, Wi-Fi , LAN connection etc.  If you wish to apply filters before starting the capture you can do so by typing the same in the text field provided by the Wireshark.Filters like choosing a specific protocol or port and many more can be applied. Traffic would be captured and be available for analysis.We can also save the captured traffic for future work if we wish to do so. The packets are then decoded, examined, and analysed by the users.Transmission Control Protocol TCP (Transmission Control Protocol) is a transport layer protocol that is used to transmit packets from sender to receiver over the network.It is a connection oriented protocol, and thus uses three-way handshake for connecting devices before sending data over the Internet.This connection remains established till the communication is completed.

TCP HEADER:
 Source Port: It includes the source or sender's unique port number.The field has 16 bits [5]. Destination Port: It includes the receiver's or destination's precise port number.The field has 16 bits [5]. Sequence Number: This identifies the amount of data transferred throughout the TCP Session.It's a 32-field here.Initial sequence number for a new connection is a random 32-bit value.Utilizing this sequence number, the recipient replies with an acknowledgment to the sender.To make it simpler to comprehend, Wireshark utilizes relative sequence numbers beginning with 0 [5]. DO (Data Offset): The header length is another name for the 4 bit data offset field.It provides the length of the TCP header to identify when the actual data starts [5]. RSV: The reserved field's three bits are set to 0 and not used [5].
 Flags: There are nine flag bits, are also known as control bits.This field is used to create connections, transmit data and break connections: o Urgent Pointer: (URG) The data should be viewed as having priority over other data when this bit is set [5]. o ACK: abbreviation for acknowledgement [5].o PSH: This stands for PUSH.This instructs a program to send the data right away rather than waiting for it to fill the whole TCP segment [5].o RST: This resets the connection.We must immediately cut off the connection, if we receive it.This is not the typical technique to close a TCP connection; it is only done when there are irrecoverable faults [5].o SYN: This is used to establish the first sequence number and for the initial three-way handshake [5].o FIN: The TCP connection is ended using this finish bit.TCP is full duplex, so in order to terminate a connection; both parties must use the FIN bit.This is how we typically cut off a connection [5]. Window: The window field is of 16-bit.It is used to represent the maximum length of bytes that a receiver will accept.It does this by informing the number of bytes after the sequence number in the acknowledgment field [5]. Checksum: Checksum is a 16 bit field which is used to tell whether the TCP header is in a good situation or not [5]. Urgent Pointer: URG is a 16 bit field and when this bit is set then it acts as a marker for the end of the urgent data [5]. Options: This is an optional field.It's size lies between 0 to 320 bits [5].Wireshark: Network Traffic Capturing The Wireshark has easy to use interface.Users can easily capture the packets and analyse those packets.It is available for both UNIX and Windows.Captured packets can also be exported and imported in a number of capture file formats for further analysis.Colour coding is also provided by Wireshark, helping the user to analyse the packets.Below table shows the various colouring rules.

Fig 3. Coloring Rules
Interface to capture traffic: Wireshark provides easy to use interface to capture the traffic.The below image shows the interface provided by Wireshark to capture the traffic.To start the traffic capture one needs to select the network like Wi-Fi, local area connection, adapter etc.We can also select various interfaces like wired, Bluetooth, wireless from the drop down menu.If we wish to apply filters like specific port number or specific protocol before starting the capture, we can do so by typing the same in using the filter text box.If we have captured any traffic before we can also open that traffic from the recent files available on the very first interface of Wireshark.As soon as a network is chosen, Wireshark starts the network traffic capturing and whatever is searched on various platforms, like Google Chrome, traffic pertaining to those platforms is captured for traffic analysis.1. Menu Options: From here various menus can be selected like file menu, edit menu, analyze menu etc. to help in analysis , importing and exporting of captured traffic.

Filters:
In this section filters can be applied while capturing the packets.Specific protocol like http, tcp ,udp etc can be selected.Applying the filters helps in analyzing specific and relevant packets instead of all packets.

Packet Traffic List:
This section shows the various packets captured in the traffic with details like time, source address, destination address, protocol, descriptions etc. 4. Packet Details: This section shows details regarding a particular selected packet like the frame details, TCP header details etc. From here various details can be seen regarding any packet like destination port , source port, length of packets, Bytes in the packets etc to help analyze the packet.

Packet Bytes Hex Dump:
This sections shows the hex dump of the packets or any raw data in human readable form.

Results and Discussion
During the traffic analysis, traffic was captured from different sites and for a particular duration.This was done in order to check the scalability of the Wireshark depending on the number of sites searched, amount of activity done on those sites etc.Following images show the summary of the captured traffic depending on the number of sites and amount of activity performed.It shows information regarding the capture, such as time remaining, packet and byte counts, and similar data [4].Exploring the Statistics on the Captured Traffic: Protocol Hierarchy: Protocol Hierarchy display the number of packets and number of bytes in those packets for various protocols that were captured during for network analysis all the protocols are arranged in the same hierarchy as they were found in the traffic.It provides the count of packets in which the protocol is present and the packet in which it is the last protocol in the stack.These last-protocol counts let you know how many packets-along with the corresponding byte count-ended in a certain protocol.They are listed under "End Packets" and "End Bytes" in the table [4].

Fig 12 .
Fig 12. Protocol Hierarchy Statistics Flow Graph: Flow graph shows the connection between the hosts.For each connection that was captured it shows the packet timing, direction, ports, and comments.It provides filters like ICMP (Internet Control Message Protocol) flows, ICMPv6 flows, UIM flows, and TCP flow [4].The flow graph window provides different controls based on that.With the help of flow graph you can easily figure out various port numbers and IP addresses and thus can easily get to get know if any unusual port number or IP address occurs in the traffic [4].The below figure shows the flow graph for the captured traffic.

Fig
Fig 13.Flow Diagram IO GRAPH:Display the number of packets or the amount of bytes per second for all packets that match the chosen filter.By default, only one graph displaying the number of packets per second will be shown[4].

Fig
Fig 14.I/O Graphs

Fig
Fig 15.Packet Counter