06. Wireshark & Packet Sniffing

🌊 How Packet Sniffing Works

Your network interface card (NIC) is normally selective—it only processes packets addressed to its own MAC address and discards everything else. Promiscuous mode disables this filter. In promiscuous mode, the NIC captures every packet it sees on the network segment—regardless of the destination. Tools like Wireshark and tcpdump enable promiscuous mode automatically when capturing.

Why sniffing is easy on some networks and hard on others:

• Hub networks (legacy): A hub is a dumb device that broadcasts every frame to every connected port. Every device sees every packet all the time. Passive sniffing is trivially easy—just plug in and listen.
• Switched networks (modern): A switch is intelligent. It maintains a CAM (Content Addressable Memory) table mapping MAC addresses to physical ports and directs frames only to the intended recipient. Passive sniffing captures only your own traffic. This is why attackers combine sniffing with ARP Poisoning—to redirect traffic through their machine before it reaches the real destination.
• Wireless (WiFi): When in monitor mode (different from promiscuous mode), a wireless NIC can capture all 802.11 frames in the air—including those on other channels and from other networks. This is why open WiFi networks are dangerous and why WPA3 with individual key derivation matters.

🔬 Wireshark — Deep Packet Inspection

Wireshark is the most widely used protocol analyzer in the world. It captures raw packets and decodes them into human-readable form, showing every layer from Ethernet frames to application data. Every security professional needs to be fluent with it.

The Wireshark Interface:

• Packet List Pane (top): Chronological list of every captured packet with time, source, destination, protocol, and a brief summary.
• Packet Details Pane (middle): Expandable tree showing the full decode of every protocol layer in the selected packet—Ethernet frame → IP header → TCP segment → HTTP request.
• Packet Bytes Pane (bottom): Raw hexadecimal and ASCII representation of the entire packet. This is the actual bytes on the wire.

Capture Filters — Applied Before Capture:

Capture filters use BPF (Berkeley Packet Filter) syntax and limit what is recorded to disk. Essential for high-traffic captures where you only want to see specific traffic:

• port 80 — Only capture HTTP traffic
• host 192.168.1.100 — Only traffic to/from a specific IP
• net 192.168.1.0/24 — Only traffic within a subnet
• tcp and not port 443 — All TCP except HTTPS
• port 21 or port 22 — FTP and SSH only

Display Filters — Applied After Capture:

Display filters don't remove packets—they just hide the ones you're not interested in. Much more powerful and flexible than capture filters:

• http — Show only HTTP traffic
• http.request.method == "POST" — Show only HTTP POST requests (login forms, data submissions)
• http.request.uri contains "login" — Show requests to login endpoints
• tcp.flags.syn == 1 and tcp.flags.ack == 0 — Show only initial SYN packets (detect port scans)
• dns — Show all DNS queries and responses
• ip.addr == 192.168.1.100 — All traffic involving a specific IP
• frame contains "password" — Search every packet payload for the word "password" (finds plaintext credentials)
• ftp.request.command == "PASS" — Show FTP password transmission commands (always plaintext)

Critical Analysis Techniques:

• Follow TCP Stream: Right-click any packet → Follow → TCP Stream. Wireshark reconstructs the entire TCP conversation in readable form—showing the complete HTTP request and response, FTP session, Telnet interaction, or any other plaintext protocol. This is where you find credentials.
• Follow HTTP Stream: Same as TCP stream but displays HTTP specifically, with headers and body nicely formatted.
• Statistics → Protocol Hierarchy: Shows a percentage breakdown of all protocols in the capture. Immediately reveals anomalies—why is 40% of traffic ICMP? Is there a ping flood?
• Statistics → Conversations: Shows all unique communication pairs and the total bytes exchanged. A machine sending 2GB to an unusual external IP is a data exfiltration indicator.
• Statistics → Endpoints: Shows all unique IP and MAC addresses seen. Reveals all participants in a capture.
• Export Objects (HTTP): File → Export Objects → HTTP. Extracts all files transferred over HTTP in the capture—images, documents, executables. If malware was downloaded over HTTP, you can extract it.

⚡ tcpdump — Command-Line Packet Capture

Wireshark requires a graphical interface. On remote servers, headless systems, and embedded devices, tcpdump is your only option. It shares BPF syntax with Wireshark capture filters and is arguably more powerful for scripted, automated analysis.

• tcpdump -i eth0 — Capture all traffic on interface eth0. Use -i any to capture on all interfaces.
• tcpdump -i eth0 port 80 -A — Capture HTTP traffic and print each packet in ASCII. This is how you read plaintext HTTP in real time.
• tcpdump -i eth0 -w /tmp/capture.pcap — Write raw capture to a pcap file. Transfer it to your machine and open with Wireshark for full analysis.
• tcpdump -r capture.pcap 'host 10.0.0.1' — Read from a saved pcap file and filter by host.
• tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' — Capture only TCP SYN packets without ACK—isolates initial connection attempts, useful for detecting port scans.
• tcpdump -i eth0 -X port 21 — Capture FTP traffic and print both hex and ASCII—clearly shows usernames and passwords.
• tcpdump -i eth0 'icmp' — Capture only ICMP traffic. Useful for detecting ping sweeps, ICMP tunneling (data exfiltration hidden inside ping packets), and network mapping attempts.

🎭 ARP Poisoning — Setting Up the Man-in-the-Middle

On a switched network, passive sniffing only shows you your own traffic. ARP Poisoning (also called ARP Spoofing) tricks other devices into sending their traffic through you first—turning a switched network back into a hub from your perspective.

How ARP Poisoning Works, Step by Step:

1. Attacker runs an ARP spoofing tool (arpspoof, ettercap, or bettercap) on the network.
2. Tool continuously broadcasts fake ARP replies to the victim: "Hey, the router (192.168.1.1) is at [ATTACKER MAC]."
3. Tool simultaneously broadcasts fake ARP replies to the router: "Hey, the victim (192.168.1.50) is at [ATTACKER MAC]."
4. Both the victim and router update their ARP caches with the attacker's MAC for the other's IP.
5. The attacker enables IP forwarding on their machine (echo 1 > /proc/sys/net/ipv4/ip_forward) so traffic is forwarded to the real destination after interception—the connection still works, the victim notices nothing.
6. All traffic between the victim and the router now flows through the attacker. Wireshark captures everything.

What an attacker captures from a MitM position:

• HTTP login forms with plaintext usernames and passwords
• Session cookies from authenticated sessions (which can be replayed to hijack the session)
• Unencrypted email (POP3, IMAP, SMTP without TLS)
• DNS queries (revealing every website the victim visits)
• Any file transfers over unencrypted protocols (FTP, HTTP)

Tools for ARP Poisoning:

• arpspoof -i eth0 -t 192.168.1.50 192.168.1.1 — Poison the victim's ARP cache
• arpspoof -i eth0 -t 192.168.1.1 192.168.1.50 — Poison the router's ARP cache (run simultaneously)
• bettercap: All-in-one MitM framework. bettercap -iface eth0 → net.probe on → arp.spoof on → net.sniff on. Handles everything automatically.
• ettercap: Older but still widely used. Has plugins for credential harvesting, SSL stripping, and injection.

🧪 Lab Mission: Packet Capture and Analysis

Work through each task in sequence. Document all commands used and findings at each step.

1. Start tcpdump on your network interface: tcpdump -i eth0 -w /tmp/lab.pcap. Browse to an HTTP (not HTTPS) site in your browser, then stop the capture.
2. Open the pcap in Wireshark. Apply the display filter http.request.method == "POST". Can you see any login attempts?
3. Right-click a POST packet and select Follow → TCP Stream. Can you read the submitted form data?
4. Apply the filter frame contains "password". What do you find?
5. Go to Statistics → Conversations. Which IP address exchanged the most data?
6. Use tcpdump in real time to capture only HTTP traffic with ASCII output: tcpdump -i eth0 -A port 80. Visit an HTTP site and observe your own plaintext request and response in real time.
7. Set up ARP poisoning in a controlled lab environment (two VMs you control). Capture the victim's traffic from the attacker VM. Can you extract a cookie from an HTTP session?

✅ Module 06 Summary

• Promiscuous mode captures all packets on a network segment—not just those addressed to you.
• Wireshark and tcpdump share BPF filter syntax. Master the key display filters: http.request.method, tcp.flags.syn, frame contains.
• "Follow TCP Stream" reconstructs the full conversation—this is how you find plaintext credentials in packet captures.
• ARP Poisoning turns a switched network into a passive sniffing target. Bettercap automates the entire attack.
• The best defense against sniffing and MitM is end-to-end encryption. Even with perfect network access, intercepted ciphertext is useless without the keys.