Identify Network Abuse with Wireshark - A Guide

Wireshark: A Comprehensive Network Analysis Tool
Wireshark functions as a versatile and powerful solution for network analysis. It’s capable of addressing a wide range of network investigation needs, from identifying peer-to-peer communication to monitoring website access by specific IP addresses.
Building on Previous Wireshark Knowledge
We have previously provided an introductory overview of Wireshark. This article expands upon the concepts discussed in our earlier publications.
Successful network analysis with Wireshark relies on strategic capture placement. It is crucial to capture from a network location that sees a sufficient volume of traffic: a mirror (SPAN) port on the switch, a network tap, or a capture taken on the gateway itself.
Importance of Capture Location
Performing a capture solely on a local workstation limits the view to traffic that workstation sends or receives, plus broadcast and multicast traffic. On a switched network, the unicast traffic of other hosts never reaches that workstation and will remain unseen.
Wireshark supports remote capture capabilities. For further details and advanced techniques regarding remote captures, refer to our dedicated post on Wireshark tricks and tips.
Detecting Peer-to-Peer Network Activity
The protocol column within Wireshark indicates the protocol utilized by each packet transmitted. Examining a Wireshark capture may reveal the presence of BitTorrent or other forms of peer-to-peer (P2P) communication.
Network protocol usage can be assessed through the Protocol Hierarchy tool, accessible via the Statistics menu.
This interface presents a breakdown of the capture by protocol, with separate columns for the percentage of packets and the percentage of bytes. For instance, it can be observed that approximately 5 percent of packets in this capture are decoded as BitTorrent.
However, BitTorrent also runs over UDP (uTP transport and the DHT), and Wireshark does not always recognise those packets as BitTorrent. The nearly 25 percent of packets categorised as plain UDP Data are, in this capture, also attributable to BitTorrent activity. Check the byte percentages as well as the packet percentages: a file transfer can dominate the bandwidth while remaining a minority of packets.
Filtering for Specific Protocols
To isolate and view only BitTorrent packets, a filter can be applied by right-clicking the protocol in the hierarchy and selecting "Apply as Filter". This functionality extends to other P2P protocols such as Gnutella, eDonkey, and Soulseek.
Applying the filter "bittorrent" (protocol names in display filters are written in lower case) allows for focused analysis of related traffic. Alternatively, a protocol's traffic can be viewed directly by entering its name into the Filter box. Keep in mind that this filter matches only packets Wireshark has dissected as BitTorrent; the undecoded UDP traffic noted above will not match it, so a filter such as "bittorrent or (udp and ip.addr == 192.168.1.64)" may be needed to see a peer's full activity.
Analysis of the filtered traffic reveals that the local IP address 192.168.1.64 is actively engaged in BitTorrent communication.
Identifying Participating IP Addresses
To determine all IP addresses involved in BitTorrent traffic, the Endpoints option within the Statistics menu can be selected.
Navigating to the IPv4 tab and enabling the "Limit to display filter" checkbox will display both remote and local IP addresses associated with the BitTorrent traffic. When the list is sorted by the Packets column, the local peer appears at the top, because it takes part in every matching packet while each remote peer appears in only a fraction of them.
Exploring Supported Protocols and Filters
A comprehensive list of protocols supported by Wireshark, along with their corresponding filter names, can be found under the Analyze menu by selecting Enabled Protocols.
The Enabled Protocols window allows for searching by beginning to type a protocol name.
This feature facilitates quick identification of the appropriate filter for analyzing specific network traffic types.
Analyzing Website Access with Wireshark
Having established methods for categorising network traffic by protocol, we can now focus on HTTP traffic specifically. Entering "http" into the Filter field isolates plaintext HTTP only; HTTPS sessions appear as TLS instead, and for those the server name is visible only in the TLS Client Hello (the tls.handshake.extensions_server_name field), not in the HTTP filter.
With network name resolution activated (View > Name Resolution > Resolve Network Addresses), the names of the websites visited on the network become visible, enhancing readability. Two caveats: the reverse DNS lookups are issued from the analysis machine, which is slow and reveals the addresses being investigated to your resolver, and a reverse lookup returns the hosting provider's name when many sites share one address or a CDN. The http.host field, taken from the Host header of each request, identifies the site more reliably.

The Statistics menu’s Endpoints function provides further analytical capabilities.

Ensure the "Limit to display filter" checkbox is selected under the IPv4 tab. Also, confirm that "Name resolution" is enabled; otherwise, only IP addresses will be displayed.
This configuration reveals a list of the websites being accessed. It’s important to note that advertising networks and third-party sites hosting scripts utilized by other websites will also be included in this listing.

To investigate the browsing activity of a specific IP address, a combined filter can be employed. The filter http and ip.addr == [IP address] (for example, http && ip.addr == 192.168.1.64) will display only HTTP traffic originating from or destined for the designated IP address; use ip.src instead of ip.addr to keep only the requests that host sent.

Reopening the Endpoints dialog will then present a detailed list of websites accessed by that particular IP address.
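The two procedures above (Protocol Hierarchy, then a display filter, then Endpoints limited to that filter, first for BitTorrent and then for HTTP per client) can be expressed in code to make their semantics explicit. The following is an added example written for this page, not a Wireshark component or any project's code: it models the packet list as rows of source, destination, Protocol column and Info column, evaluates a small subset of Wireshark's display-filter syntax, and re-creates the Endpoints tally with "Limit to display filter" and name resolution. The packets, the reverse DNS table and the Host headers are constructed sample data using documentation address ranges; the HTTP Host-header tally goes one step beyond the text, as a more reliable alternative to reverse DNS.

```python
import re
from collections import Counter, namedtuple

# One row of Wireshark's packet list: source, destination, Protocol column, Info column.
Packet = namedtuple("Packet", "src dst proto info")

# Constructed sample capture (documentation/test address ranges, not real traffic).
PACKETS = [
    Packet("192.168.1.64", "203.0.113.7", "BitTorrent", "Handshake"),
    Packet("203.0.113.7", "192.168.1.64", "BitTorrent", "Piece"),
    Packet("192.168.1.64", "198.51.100.23", "BitTorrent", "Request"),
    Packet("192.168.1.64", "198.51.100.23", "UDP", "Data"),  # uTP, not decoded as BitTorrent
    Packet("198.51.100.23", "192.168.1.64", "UDP", "Data"),  # uTP, not decoded as BitTorrent
    Packet("192.168.1.64", "93.184.216.34", "HTTP", "GET / Host: example.com"),
    Packet("93.184.216.34", "192.168.1.64", "HTTP", "HTTP/1.1 200 OK"),
    Packet("192.168.1.64", "192.0.2.50", "HTTP", "GET /ad.js Host: ads.example.net"),
    Packet("192.168.1.10", "93.184.216.34", "HTTP", "GET /news Host: example.com"),
    Packet("192.168.1.10", "192.0.2.99", "TLS", "Client Hello"),  # HTTPS: invisible to "http"
]

# Assumed reverse-DNS answers, standing in for "Enable network name resolution".
RDNS = {"93.184.216.34": "example.com", "192.0.2.50": "ads.example.net"}


def protocol_hierarchy(packets):
    """Statistics > Protocol Hierarchy: percent of packets (not bytes) per Protocol column."""
    counts = Counter(p.proto for p in packets)
    return {proto: 100.0 * n / len(packets) for proto, n in counts.items()}


# Minimal display-filter evaluator: bare protocol names, ip.addr/ip.src/ip.dst == X,
# and/&&, or/||, not/!, parentheses.  Precedence as in Wireshark: not > and > or.
_TOKEN = re.compile(r"\(|\)|==|&&|\|\||!|[\w.]+")
_FIELDS = {"ip.addr": ("src", "dst"), "ip.src": ("src",), "ip.dst": ("dst",)}


def matches(display_filter, packet):
    tokens, pos = _TOKEN.findall(display_filter), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return val
        if tok in ("not", "!"):
            return not atom()
        if peek() == "==":  # field comparison, e.g. ip.addr == 192.168.1.64
            take()
            value = take()
            if tok not in _FIELDS:
                raise ValueError("unsupported field: " + tok)
            return any(getattr(packet, f) == value for f in _FIELDS[tok])
        return packet.proto.lower() == tok.lower()  # bare protocol name

    def and_expr():
        val = atom()
        while peek() in ("and", "&&"):
            take()
            rhs = atom()  # always consume the right-hand side, no short-circuit
            val = val and rhs
        return val

    def or_expr():
        val = and_expr()
        while peek() in ("or", "||"):
            take()
            rhs = and_expr()
            val = val or rhs
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return result


def endpoints(packets, display_filter=None, resolve_names=False):
    """Statistics > Endpoints > IPv4.  A display filter enables "Limit to display filter".
    Sorted by packet count, so the address present in every matching packet
    (the local peer) lands at the top."""
    if display_filter:
        packets = [p for p in packets if matches(display_filter, p)]
    counts = Counter()
    for p in packets:
        counts[p.src] += 1
        counts[p.dst] += 1
    return [(RDNS.get(ip, ip) if resolve_names else ip, n) for ip, n in counts.most_common()]


def http_hosts(packets, client_ip):
    """Sites a client requested, read from the HTTP Host header instead of reverse DNS.
    TLS traffic never appears here; use the SNI field in Wireshark for that."""
    hosts = Counter()
    for p in packets:
        if matches("http and ip.src == " + client_ip, p):
            m = re.search(r"Host: (\S+)", p.info)
            if m:
                hosts[m.group(1)] += 1
    return dict(hosts)


if __name__ == "__main__":
    print(protocol_hierarchy(PACKETS))
    print(endpoints(PACKETS, "bittorrent"))
    print(endpoints(PACKETS, "bittorrent or udp"))
    print(endpoints(PACKETS, "http and ip.addr == 192.168.1.64", resolve_names=True))
    print(http_hosts(PACKETS, "192.168.1.64"))
```

Running it shows the points made above: the "bittorrent" endpoint list puts 192.168.1.64 first with the two remote peers below it, widening the filter to "bittorrent or udp" picks up the undecoded uTP packets for the same peer, the HTTP endpoint list for 192.168.1.64 includes ads.example.net alongside the site actually visited, and the Host-header tally for 192.168.1.10 shows only example.com because its other session was TLS.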

The techniques described here represent only a foundational exploration of Wireshark’s capabilities. More complex filters can be constructed for refined analysis.
Furthermore, the Firewall ACL Rules tool, as detailed in a previous post on Wireshark tricks, offers a convenient method for blocking unwanted traffic types identified through this process.