Friday, March 21, 2014

See what's traversing your home network

In our discussion of networking, we talked about how messages are broken up into 'packets,' which are like envelopes that have a part of the original message, some error-tracking information, a destination and return address, and some other info. Now, I'm going to show you how to see the individual packets as they pass along your node of the World Wide Web.

First, download a program called Wireshark, which you can do at this link. You can download it for Windows or Mac, in 32 or 64-bit versions. To find out which version you need, you can go to the control panel in Windows Vista/7 and select 'System and Security,' then select 'System' and near the bottom of that window you will see whether you have a 32 or 64-bit OS. On Windows 8, slide-in from the right on your screen or move your mouse to the upper-right corner of the screen, select the 'Settings' charm, then select 'PC Info.'

On Mac, click the Apple logo in the upper-left corner of your screen, then select 'About this Mac' from the menu (if a window appears that has a 'More Information' button, click that). In the window that appears, click 'Hardware' and on the right side it will tell you your processor type. If it says anything other than 'Intel Core Solo' or 'Intel Core Duo' it's 64-bit. If it says one of those two it's 32-bit. This install guide is for Windows, but it will be almost, though not quite, the same on a Mac.

Once you've downloaded Wireshark, double-click on it to install. It will ask if you want to install all the components as you see in the screen below, which you should. Keep in mind that Wireshark will also install a program called WinPcap, which actually captures the packets.


Once that's been selected, it will ask about icons and file associations. I would have it just make a desktop icon, and allow the associations it suggests, as those file types won't be used for anything else anyway. The screen should appear like the one below.


Once the install starts, you'll see a screen something like this, with the green progress bar scooting along the top:


It won't get far, however, before you are asked to install WinPcap. You do want to do that; Wireshark won't work without it. You can set it to run at boot time or not, but if you don't and then try to run Wireshark after a reboot, it won't work.



Once WinPcap has installed, the main Wireshark installation will finish and you will have an icon for it on your desktop. When you start the program, you will see a screen like this:


As you can see on the left-hand side of the window, in the section titled 'Capture,' it has an interface list, meaning your network devices. It might list your NIC card or your WiFi adapter. Select the proper interface, then click 'Start' with the green shark fin right above it. You might have to try a couple of interfaces; if you select the wrong one nothing will happen, it just won't capture any packets. You'll know the right one was selected when it shows you a screen like this:


You can adjust the sizes of the three windows (top, middle, bottom) by moving the horizontal dividers up or down.

The lines rapidly scrolling up in the top window are the actual packets that are working their way across your network right now, and each line tells you the type of packet (we didn't cover packet types in class) and what it's trying to do. You can also see the source and destination IP addresses.

If you click on one of the packets, you will see some collapsed items in the middle window, with the payload, or actual data the packet is carrying, in the bottom window. If you click on any of the little pluses to the left of the entries in the middle window, you can get a ton of information, as you can see in the screen below.


You don't have to worry about the specifics of all it's telling you, although if you see something curious anywhere in there I can help you analyze what it is. In the picture above, you can see my printer and scanner sending out commands, for example. The colors also represent the type of packet being sent. Also remember, some of those packets are yours; others are just making their way across the Internet.

This is known as packet sniffing, and it's an incredibly valuable tool that can help you diagnose issues or simply see what is being sent across your network. Usually, when you see an IP address beginning with 192.168.1 or 255.255.255, that is a device on your network sending data to your own network.
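To make the three panes concrete, here is an added example of my own (not code from the post, and not Wireshark's own dissector) that builds a constructed Ethernet/IPv4/UDP frame and pulls out the fields the top and middle panes show: source and destination address, protocol, ports, and the payload the bottom pane displays. It also applies the post's rule of thumb about 192.168.1 and 255.255.255 addresses to label each packet, going a bit further by treating every RFC 1918 private range (10.x, 172.16-31.x, 192.168.x) as local via Python's ipaddress module.

```python
import struct
import ipaddress

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_frame(src: str, dst: str, payload: bytes, dport: int = 9) -> bytes:
    """Construct a sample Ethernet II + IPv4 + UDP frame (test data, not a real capture)."""
    eth = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00"   # broadcast dst MAC, EtherType IPv4
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)    # ports, length, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 1, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + udp + payload

def classify(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> str:
    """Label traffic the way the post's rule of thumb does, using all RFC 1918 ranges."""
    if dst == ipaddress.IPv4Address("255.255.255.255"):
        return "local broadcast"
    if src.is_private and dst.is_private:
        return "local"
    return "internet"

def dissect(frame: bytes) -> dict:
    """Split a raw frame into the layers Wireshark's middle pane shows."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        return {"ethertype": hex(eth_type), "proto": "non-IPv4 (not dissected here)"}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes; IP options make it > 20
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    proto = ip[9]
    info = {"src": str(src), "dst": str(dst), "proto": PROTO_NAMES.get(proto, str(proto)),
            "scope": classify(src, dst), "payload": b""}
    if proto == 17 and len(ip) >= ihl + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, payload=ip[ihl + 8:ihl + ulen])
    return info

if __name__ == "__main__":
    for pkt in (build_frame("192.168.1.10", "255.255.255.255", b"hello"),
                build_frame("192.168.1.10", "8.8.8.8", b"\x12\x34", dport=53)):
        print(dissect(pkt))
```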

I think you'll be amazed at how much data is sailing across your network all the time, and how much information you can get from watching it. Be amazed!

11 comments:

  1. It is amazing to see all the information traveling through the network. My screens look like they contained very general information, however one line was black. This line indicated that a destination was unreachable or had an unreachable port. The IP was a 192. address, so I am assuming that it is within my own network. Further than that I am not sure to what it is referring. Interesting all the same!

  2. This is such a cool program. It's interesting to see what's going on inside my network. I just need to get more educated as to what I am looking at. It looks concerning but I'm sure it's normal activity. There is a WOL protocol listed, I'm not so sure what this means but I'll just Google it.

  3. I think it is like you stated in the beginning, it is incredible but also scary. I guess if I'm the one running it there's no worries, although if my wife finds it, there will be some explaining to do, so I'm hesitant about whether to download it or not. Is the "app" safe? No malware or adware?

    Replies
    1. I give you my solemn promise there is no adware and certainly not malware. I would never suggest a program that had either of those, and in fact we'll have a class showing what they are and how to avoid them!

    2. No malware/adware with this program Cesar.

  4. I thought that the Wireshark program was incredible. It truly provided a picture of just how many packets were moving across my network. I had no idea how many. I can see how this program could be a very useful tool in watching your network and troubleshooting potential issues. I will keep this program on my computer and share it with others.

  5. Well, using Wireshark to see what's going on behind the curtain, so to speak, was definitely interesting. I was not sure what I was looking at, but there was a lot going on. I also had one red line and I assume that was something being blocked. All-in-all, it was pretty cool.

  6. It is interesting to see how many packets are being transferred back and forth through a network; it is quite a bit more than I expected. I'm curious though, now that packet sniffing was brought to my attention, how easy is it for people to view my data being transferred over the internet? It makes me a little concerned.

    Replies
    1. Not very. This is for people to monitor their own networks. In order for someone to see what's going on on your network, they'd have to be tapped in to it or able to access it, and if your network is secured you'll be fine.

    2. I see, that makes me feel a little better.

  7. I have used this at work to track down logs for network connectivity issues, but I have never used this at home. I will give this a try, and post more feedback later.
