SEMESTER-II (24-25)

CLASS: SUBJECT: Cyber Forensic Engineering

Name of the student: DATE:

EXPERIMENT NO. 5

"Packet Profiling: Wireshark for Network Analysis and Evidence Retrieval"

AIM: Wireshark monitors and analyses network traffic, enabling the identification of
security threats like suspicious activity and unauthorized access attempts. Investigate network
performance concerns by analysing packet transmission and response times, aiding in the
resolution of performance issues. Extract valuable insights from captured packets to optimize
network configurations and enhance overall efficiency.

Objective: the objective of utilizing Wireshark as a packet tracking tool is to capture and
analyse network traffic comprehensively. This involves identifying network anomalies,
diagnosing performance issues, and detecting potential security threats. Through packet
inspection, the tool aims to provide insights into network behaviour, facilitate troubleshooting
of connectivity problems, and aid in optimizing network performance.

Theory: Wireshark, a powerful packet analysis tool, operates on the fundamental principle of
capturing, analysing, and interpreting network traffic. At its core, Wireshark employs packet
sniffing techniques, intercepting data packets as they traverse the network. Through this
process, it provides a comprehensive view of network activities, including data exchanges,
protocol usage, and potential anomalies.

The tool's practical theory revolves around the OSI model, breaking down network
communication into distinct layers. Wireshark dissects captured packets layer by layer,
enabling users to inspect header information, payload contents, and protocol behaviours. This
approach facilitates in-depth analysis, allowing for the identification of network issues,
security threats, and performance bottlenecks. Wireshark’s functionality extends beyond
passive observation; it enables active participation in network interactions. By filtering and
sorting captured packets based on various criteria, users can focus on specific traffic patterns
or target specific hosts. Moreover, Wireshark supports the decryption of encrypted traffic,
aiding in the investigation of secure communications.

The tool's versatility makes it invaluable for various use cases, including network
troubleshooting, performance optimization, and security auditing. Network administrators
leverage Wireshark to diagnose connectivity issues, identify misconfigurations, and assess
bandwidth utilization. Security professionals rely on it to detect suspicious activities, analyse
malware traffic, and investigate security breaches. Wireshark's practical theory emphasizes
the importance of context and interpretation. While it provides a wealth of raw data,
extracting meaningful insights requires a nuanced understanding of networking protocols and
behaviours.

Ultimately, Wireshark serves as a bridge between the physical infrastructure and the digital
realm, offering a window into the inner workings of interconnected systems. Its practical
theory embodies the principles of transparency, accountability, and empowerment,
empowering users to unravel the complexities of modern networks and safeguard their
integrity.

1
Advantages of Wireshark:
Wireshark boasts numerous advantages that make it a go-to tool for network analysis and
troubleshooting:

1. Comprehensive Packet Analysis: Wireshark offers deep visibility into network traffic,
allowing users to analyse packets at a granular level. It captures and displays detailed
information about protocols, packet headers, and payload contents.

2. Multi-Platform Support: Wireshark is compatible with multiple operating systems,

including Windows, macOS, and Linux, making it accessible to a wide range of users
regardless of their platform preference.

3. User-Friendly Interface: Its intuitive GUI (Graphical User Interface) simplifies packet
analysis tasks, enabling both novice and experienced users to navigate through captured
data efficiently.

4. Powerful Filtering Capabilities: Wireshark provides robust filtering mechanisms,

allowing users to focus on specific packets based on various criteria such as IP
addresses, protocols, ports, and packet contents. This feature enhances efficiency and
reduces analysis time.

5. Protocol Support: Wireshark supports a vast array of network protocols, from common
ones like TCP/IP, UDP, HTTP, and DNS to more specialized protocols used in
industrial control systems, IoT devices, and VoIP communications.

6. Real-Time Analysis: Wireshark can capture and analyse network traffic in real-time,
enabling immediate detection and response to network issues, anomalies, or security
threats as they occur.

7. Extensive Decoding Capabilities: It automatically decodes packet data into human-

readable format, simplifying the analysis process and aiding in the identification of
protocol-specific issues or abnormalities.

8. Customizable Display Options: Users can customize Wireshark's display preferences,

including colour coding, packet layout, and column selection, to suit their specific
analysis requirements and preferences.

9. Community Support and Documentation: Wireshark benefits from a large and active
user community, providing ample resources such as forums, documentation, and
tutorials. Users can readily find assistance, share knowledge, and contribute to the tool's
ongoing development.

10. Open-Source and Free: Wireshark is open-source software distributed under the GNU
General Public License (GPL), making it freely available for anyone to download, use,
modify, and distribute without cost. This accessibility promotes widespread adoption
and fosters continuous improvement through community contributions.

2
Procedure:

1. Wireshark Installation and Network Capture:

 Installing Wireshark is straightforward. You can find the download for your operating
system on the official Wireshark website https://www.wireshark.org/download.html.
 Capturing network traffic, especially on a shared network, can be a privacy violation.
It's generally not recommended without explicit permission from everyone on the
network. There are also legal restrictions in some regions.

2. Weevil.info:
Visit this website https://weevil.myspecies.info/ which is a deliberately insecure
website designed for educational purposes to demonstrate vulnerabilities. Creating an
account and logging in with real credentials is highly discouraged. Hackers could
potentially capture your login information on such a site.

3
3. Filtering Logs (Educational Purposes Only):

 If you're interested in learning Wireshark's filtering capabilities in a safe environment,

you can set up a controlled test scenario. Here's an example filter for HTTP POST
requests:

http.request.method == "POST"

Step 1

4
 Step 2

4. Capturing Cookies:
 In a controlled setup, you could potentially capture cookies from HTTP traffic.
However, cookies typically don't contain usernames and passwords directly. They
might hold session identifiers that could be used in conjunction with other
captured.

5
Other Use of Wireshark:
Wireshark is a powerful tool for network analysis, but it's important to use it responsibly.
Here are some common ethical uses of Wireshark:

Network Troubleshooting:

 Identifying Network Issues: Network administrators can use Wireshark to capture

and analyse network traffic to pinpoint problems like slowdowns, connection errors,
or dropped packets. By examining the captured data, they can identify bottlenecks,
faulty devices, or misconfigurations causing network issues.

Network Security Analysis:

 Detecting Malicious Activity: Security professionals can use Wireshark to monitor

network traffic for signs of suspicious activity. By looking for unusual patterns,
unauthorized access attempts, or known malware communication protocols, they can
identify potential security threats.
 Investigating Security Incidents: In the event of a security breach, Wireshark can be
used to analyse captured network traffic to understand how the attack occurred. This
information can be crucial for identifying the source of the attack, patching
vulnerabilities, and preventing future breaches.

Network Performance Optimization:

 Identifying Traffic Bottlenecks: Wireshark can help identify parts of the network
that are congested or overloaded. By analysing traffic patterns and identifying
applications or protocols consuming excessive bandwidth, network administrators can

6
 optimize network performance by prioritizing traffic or implementing network
segmentation strategies.
 Capacity Planning: Analysing network traffic trends with Wireshark can help
network administrators plan for future network capacity needs. By understanding how
network usage fluctuates over time, they can ensure the network has sufficient
bandwidth and resources to handle future traffic demands.

Educational Purposes:

 Learning Network Protocols: Wireshark is a valuable tool for understanding how

network protocols work. By capturing and dissecting network traffic, users can learn
about different protocols, their structure, and how they facilitate communication
between devices.
 Analysing Network Security Concepts: Wireshark can be used to explore network
security concepts in a safe environment. By capturing traffic from simulated scenarios
(e.g., virtual labs), users can observe how encryption works, how vulnerabilities are
exploited, and how security measures can be implemented.

Conclusion: