When to capture packets with Wireshark

Ask the Expert

From a security perspective, what are the best scenarios to use a tool like Wireshark to sniff packet data?

I guess using Wireshark, a freely available network tool that captures network packets and data, depends on your objective. I use packet sniffing as an "audit trail" when I'm conducting penetration tests. By recording all traffic in and out of my test laptop, I can relatively easily demonstrate what I did and how the systems under the test responded. In this instance, the packet sniffer is running on the same machine I use to run the tests.

Another use of packet sniffing may be to conduct surveillance on users to ensure they are adhering to corporate policy. Naturally, this requires their consent. To achieve this, you would need to connect to a spanning port on the relevant switch in order to see all traffic for that network segment.

Finally, it's extremely useful to use a packet sniffer to monitor a computer's activity if you believe it may have been compromised, for example with a Trojan program or virus. You could connect a PC running a packet sniffer to a hub, to which you also connect the suspect machine. You can then observe all traffic in and (more importantly) out of the suspect device and quickly determine if something is causing it to send data out to an attacker.

This was first published in March 2009
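As an added example (not part of the original answer), here is a small stdlib-only Python script for the third scenario: it reads a libpcap file of the kind Wireshark saves and totals the TCP payload a suspect host sends to each destination, so an unexpected outbound conversation stands out. The capture bytes are constructed inline, and the suspect address 10.0.0.5 and the destination 203.0.113.7 are assumed sample values.

```python
import socket
import struct
from collections import Counter

def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in a libpcap (not pcapng) file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = [header]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP frame carrying only the fields inspected below (checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def outbound_flows(pcap, suspect_ip):
    """Return {(dst_ip, dst_port): payload_bytes} for IPv4/TCP packets sent by suspect_ip."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    assert struct.unpack(endian + "I", pcap[20:24])[0] == 1, "expected Ethernet link type"
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        if pkt[23] != 6 or src != suspect_ip:
            continue  # not TCP, or not sent by the suspect host
        tcp = pkt[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        flows[(dst, dport)] += len(tcp) - (tcp[12] >> 4) * 4
    return dict(flows)

SUSPECT = "10.0.0.5"  # assumed address of the machine under observation
SAMPLE = build_pcap([  # constructed traffic: one normal web request, one odd outbound session
    frame(SUSPECT, "10.0.0.1", 51000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    frame("10.0.0.1", SUSPECT, 80, 51000, b"HTTP/1.0 200 OK\r\n\r\n"),
    frame(SUSPECT, "203.0.113.7", 51001, 4444, b"beacon" * 10),
    frame(SUSPECT, "203.0.113.7", 51001, 4444, b"x" * 200),
])

if __name__ == "__main__":
    for (dst, port), n in sorted(outbound_flows(SAMPLE, SUSPECT).items(), key=lambda kv: -kv[1]):
        print(f"{SUSPECT} -> {dst}:{port}  {n} payload bytes")
```

To use it on a real capture, read the .pcap file into bytes and pass it to outbound_flows with the suspect host's address.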

