Ask the Expert

When to capture packets with Wireshark

From a security perspective, what are the best scenarios to use a tool like Wireshark to sniff packet data?


I guess using Wireshark, a freely available network tool that captures network packets and data, depends on your objective. I use packet sniffing as an "audit trail" when I'm conducting penetration tests. By recording all traffic in and out of my test laptop, I can relatively easily demonstrate what I did and how the systems under the test responded. In this instance, the packet sniffer is running on the same machine I use to run the tests.

Another use of packet sniffing may be to conduct surveillance on users to ensure they are adhering to corporate policy. Naturally, this requires their consent. To achieve this, you would need to connect to a spanning port on the relevant switch in order to see all traffic for that network segment.

Finally, it's extremely useful to use a packet sniffer to monitor a computer's activity if you believe it may have been compromised, for example with a Trojan program or virus. You could connect a PC running a packet sniffer to a hub, to which you also connect the suspect machine. You can then observe all traffic in and (more importantly) out of the suspect device and quickly determine if something is causing it to send data out to an attacker.

This was first published in March 2009
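The third scenario above (watching what a suspect machine sends out) is where a capture pays off fastest, but staring at a packet list is slow. As an added example that is not part of the original column, the script below reads a classic libpcap file with only the Python standard library, counts every packet the suspect host sent by destination, protocol and port, and flags destinations that fall outside the internal address ranges. The suspect address, the internal ranges and the sample capture are all constructed for the example; on a real investigation you would point `outbound_summary` at the file saved by Wireshark or tcpdump on the monitoring PC.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed values for this example: the host under suspicion and the
# address ranges that count as "expected" internal destinations.
SUSPECT_HOST = "10.0.0.25"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4 frame carrying TCP (6) or UDP (17).
    Checksums are left zero: fine for offline parsing, not for a live network."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in the classic libpcap format (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield (src, dst, proto, dport) for each IPv4 TCP/UDP frame in a pcap."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the writer
    pos = 24                                        # skip the 24-byte global header
    while pos + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4
        ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        yield src, dst, proto, dport


def outbound_summary(pcap_bytes, suspect=SUSPECT_HOST):
    """Count packets the suspect host sent, keyed by (dst, proto, dport),
    busiest first, and mark destinations outside the internal ranges."""
    counts = defaultdict(int)
    for src, dst, proto, dport in iter_packets(pcap_bytes):
        if src == suspect:
            counts[(dst, proto, dport)] += 1
    report = []
    for (dst, proto, dport), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        external = not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
        report.append({"dst": dst, "proto": "tcp" if proto == 6 else "udp",
                       "dport": dport, "packets": n, "external": external})
    return report


# Constructed sample capture: ordinary traffic to an internal file server and a
# DNS query, plus repeated small sends to an unfamiliar external address.
SAMPLE_PCAP = build_pcap(
    [build_frame(SUSPECT_HOST, "10.0.0.5", 6, 50000 + i, 445) for i in range(3)]
    + [build_frame(SUSPECT_HOST, "203.0.113.77", 6, 51000 + i, 9001, b"hello") for i in range(5)]
    + [build_frame("10.0.0.5", SUSPECT_HOST, 6, 445, 50000)]   # inbound reply, not counted
    + [build_frame(SUSPECT_HOST, "192.168.1.53", 17, 40000, 53, b"dns")]
)

if __name__ == "__main__":
    for row in outbound_summary(SAMPLE_PCAP):
        flag = "  <-- external destination, look closer" if row["external"] else ""
        print(f"{row['dst']:>15} {row['proto']}/{row['dport']:<5} {row['packets']} pkts{flag}")
```

The parser deliberately stays at the IP/port level: for triage you first want to know where the machine is talking and how often, and only then open the flagged conversations in Wireshark. Replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` and set `INTERNAL_NETS` to your own ranges; a capture saved in the newer pcapng format would need a different reader.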
