Wireshark is a powerful open source packet analyzer with a wide range of network-related use cases. For beginners, however, the application can be overwhelming.
For one thing, the amount of information Wireshark collects and reports is staggering. It could take days to sort through the data in a single scan. The tool comes packaged with a number of user-friendly features, however, that help users filter scan results to dip below the surface of the information reported and find data pertinent to their use cases.
Author Lisa Bock wrote Learn Wireshark: A definitive guide to expertly analyzing protocols and troubleshooting networks using Wireshark, Second Edition to help those who want to learn more about using the packet analysis tool. The book covers everything users need to get started using Wireshark, whether they're a beginner, network admin or security analyst.
One important Wireshark feature to consider, Bock said, is customizable profiles that help improve a user's workflow. These profiles enable users to dive deeper into results and quickly discover relevant answers during analysis. Read on as she explains more on Wireshark, its uses and how to use filters.
Editor's note: The following interview has been edited for clarity and length.
Who can benefit from using Wireshark?
Lisa Bock: Wireshark is a versatile tool with many applications that can benefit nearly everyone in the technology industry. For example, developers can use it to identify the source of slow response times in an application. Network admins can use it to identify bottlenecks and congestion in networks. Security analysts can use Wireshark to monitor for unusual and suspicious activity. Lastly, malicious actors can use Wireshark for reconnaissance activity.
What are the major use cases for Wireshark?
Bock: In my book, I highlight a number of use cases that organizations can take advantage of. Here are a few specific use cases:
- Monitoring for network threats. One of the most valuable uses of Wireshark is to monitor traffic for network threats and indicators of compromise. For example, in the event of a ransomware attack, it may be difficult to determine whether the attacker is still in the network even after the ransom is paid. Wireshark can be used to examine network traffic and identify signs of malicious activity, which can help to detect and prevent further attacks.
- Baselining network traffic. Wireshark can be used to create a baseline, which provides a snapshot of how the network typically operates. Once created, the baseline can be saved for later comparison to identify anomalies or issues. Baselining is also critical for network security as it makes it easier to detect any changes that could indicate a potential security threat.
- Testing IoT devices. Wireshark can be used to test IoT devices prior to their implementation. Testing is done to understand who the device is communicating with and how secure the device is out of the box. As IoT use becomes more widespread, it's important to carefully consider the potential security risks before a full deployment. For example, prior to using webcams in a warehouse setting, ensure the devices are properly secured and that unauthorized users cannot access or manipulate them. Using Wireshark to test IoT devices can help identify potential vulnerabilities and prevent attacks.
Since Wireshark is customizable, how can users make it unique to them?
Bock: You can customize your work area by using profiles. With a Wireshark profile, users can customize their workspace with specific preferences, such as column settings and colors. Each profile is tailored to your preferences and particular use case, so you can quickly switch between different tasks and responsibilities. Whether you're a network admin responsible for multiple virtual LANs or a security analyst focused on monitoring for potential threats, a profile can provide an interface that's relevant to a specific task.
How do you create a profile?
Bock: Creating a profile in Wireshark is a simple process. Go to Edit, then select Configuration Profile. From there, you can create a new profile to meet your specific needs. Wireshark will save any changes you make while you are in a specific profile.
Personalized profiles are useful in shared workspaces. Each team member can have their own unique Wireshark profile, so they don't have to start from scratch every time they use that particular workspace. This can save time and help users work more efficiently.
Can you share Wireshark profiles with other users?
Bock: Yes, users can share profiles with others. In Learn Wireshark, I cover how to manage and modify profiles. Users can import or export profiles to share them across their entire team. If users right-click on Profile, Wireshark provides the option to import profiles or export a selected personal profile or all personal profiles. This makes it easy to send your crafted profiles to other members of your team and can help ensure everyone is using the same tools and workflows.
Another user-friendly feature of Wireshark is filters, which help narrow the scope to home in on specific types of traffic to analyze. Check out an excerpt from Chapter 7 of Learn Wireshark to uncover how to create, edit and use display and capture filters.
Does Wireshark have any other features to improve efficiency?
Bock: Yes, Wireshark does have other features to improve efficiency, such as using shortcuts when creating filters. One feature I like is the ability to quickly create a button, or icon, for commonly used filters. When a button is clicked, Wireshark runs the filter. By using buttons to apply filters, users can streamline tasks and improve their productivity.