Wireshark is a powerful tool that should be part of a system or security administrator’s arsenal of tools. It is no substitute for a SIEM, although its data can be used for some of the same activities, such as event correlation and forensic packet analysis. It is not a security information and event management (SIEM) suite nor should it be “sold” to management as such. There are many other tasks one can perform with Wireshark, but these are the ones most often listed by legitimate users (see the “Hackers Beware” box).Ī final word on what Wireshark is not. Look at attempts to connect to your wireless networks.
Capture traffic to or from specific hosts.Establish a baseline of “normal” network traffic.Take snapshots of traffic during peak periods.Read captures from other programs, such as tcpdump.Discover clandestine or forbidden applications.Find network communications sent in clear text.So what does one find when “sniffing” the network? In other words, what can you do with Wireshark? I’ve seen many lists that attempt to show Wireshark’s many facets, and here’s another one: For this reason, Wireshark has a very powerful display filter, which you’ll learn to love, because who really needs to see thousands of “Who has” Address Resolution Protocol (ARP) messages, unless that’s what you’re looking for in a capture? If you’ve ever used Wireshark, or any network sniffer, you know that it only takes a few minutes to capture thousands of packets. It offers live network packet capture and offline analysis. Wireshark is a network protocol analyzer - sometimes referred to as a packet analyzer or as a network sniffer (see the “Caution” box).