Knowledgebase
Monitoring Ethernet traffic using Wireshark
Posted by Liam Heaver on 18 January 2018 09:25 AM

Wireshark

Overview

Wireshark is a PC-based application which can capture all traffic sent or received by the PC’s Ethernet interfaces. It has extensive packet filtering capabilities, and can decode many different protocols.

The main limitations of Wireshark are:

  • It can only capture Ethernet traffic.
  • It can only capture traffic that is received or sent by the PC’s own interfaces. On a switched network this normally means only traffic addressed to or from the PC. However, by using an Ethernet hub it is possible for the PC to “snoop” on Ethernet traffic sent from one RTU to another.

Snooping

In a modern Ethernet network, each device (PC, RTU, etc.) is normally connected to an Ethernet switch or router. The switch or router examines each packet that passes through it and directs it to the appropriate destination device. This means that if two RTUs and a PC are all connected to an Ethernet switch or router, then the communications between the two RTUs will be invisible to the PC, which means that Wireshark will not be able to capture them.

However, there is an older technology which can be used to connect devices on an Ethernet network, called a hub. A hub repeats each received packet to all connected devices. Each device normally discards frames that are not addressed to it; a PC running Wireshark, however, captures them as well, because Wireshark puts the capture interface into promiscuous mode.

The following diagram shows how a hub can be temporarily added to a network to allow Ethernet traffic sent between two RTUs to be captured.

In the top diagram, RTU1 and RTU2 are connected via an Ethernet switch, so the PC will not receive (and will therefore not be able to capture) any traffic except that addressed to it.

In the bottom diagram, RTU1 has been unplugged from the switch and plugged into a hub instead. The hub is also connected to the PC and to the rest of the network via the switch. In this configuration anything sent to or from RTU1 (including traffic directed to RTU2) is visible to the PC and can be captured by Wireshark.

If an Ethernet hub is not available, you can use an Ethernet switch to monitor the network traffic if it supports port mirroring. Connect the PC to the mirror port on the switch and enable port mirroring so that a copy of every packet traversing the switch is sent to that port. This is explained further by the Wireshark wiki.
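A quick way to confirm that the hub or mirror port is actually wired in is to save a short capture from Wireshark (File > Save As, classic pcap format) and check whether it contains any frames in which the PC’s own MAC address is neither source nor destination. On a plain switched port there will be none; with a hub or mirror port in place the RTU1 to RTU2 traffic shows up. The following script does that check using only the Python standard library. It is an added example, not code from the original article; the pcap file is constructed inline so it runs offline, and the MAC and IP addresses used are hypothetical.

```python
"""Check a saved Wireshark capture for "snooped" frames.

Added example (not part of the original article). After wiring in a hub or
enabling port mirroring, this confirms that the PC really received frames
exchanged between other devices (e.g. RTU1 <-> RTU2): frames in which the PC's
own MAC address is neither source nor destination. Standard library only.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Ethernet II frame carrying a minimal IPv4 header (protocol 6, TCP) and an opaque payload."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_516_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield the raw frames stored in a little-endian classic pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def snooped_conversations(pcap, pc_mac):
    """Count frames that do not involve the PC's MAC, keyed by (src_mac, dst_mac, src_ip, dst_ip).

    Such frames can only have reached the PC through a hub or mirror port; on a
    plain switched port the result is empty. Broadcast frames are skipped since a
    switch delivers those to the PC anyway.
    """
    me = mac_bytes(pc_mac)
    seen = {}
    for frame in iter_frames(pcap):
        if len(frame) < 14:
            continue
        dst, src = frame[0:6], frame[6:12]
        if me in (dst, src) or dst == b"\xff" * 6:
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        key = (mac_text(src), mac_text(dst), None, None)
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            # IPv4 source/destination sit at offsets 12..20 of the IP header (14 + 12 = 26).
            key = (mac_text(src), mac_text(dst),
                   str(ipaddress.IPv4Address(frame[26:30])),
                   str(ipaddress.IPv4Address(frame[30:34])))
        seen[key] = seen.get(key, 0) + 1
    return seen


# Constructed sample capture; all addresses are hypothetical.
PC_MAC, RTU1_MAC, RTU2_MAC = "02:00:00:00:00:01", "02:00:00:00:00:11", "02:00:00:00:00:22"
SAMPLE_PCAP = build_pcap([
    build_frame(RTU1_MAC, PC_MAC, "192.0.2.11", "192.0.2.1", b"poll reply to the PC"),
    build_frame(RTU1_MAC, RTU2_MAC, "192.0.2.11", "192.0.2.22", b"RTU1 -> RTU2"),
    build_frame(RTU2_MAC, RTU1_MAC, "192.0.2.22", "192.0.2.11", b"RTU2 -> RTU1"),
    build_frame(RTU1_MAC, RTU2_MAC, "192.0.2.11", "192.0.2.22", b"RTU1 -> RTU2 again"),
])

if __name__ == "__main__":
    # For a real capture: snooped_conversations(open("capture.pcap", "rb").read(), PC_MAC)
    result = snooped_conversations(SAMPLE_PCAP, PC_MAC)
    if not result:
        print("No RTU-to-RTU frames seen: the hub or mirror port is probably not in the path.")
    for (smac, dmac, sip, dip), count in sorted(result.items()):
        print(f"{count:4d} frames  {smac} ({sip}) -> {dmac} ({dip})")
```

Wireshark saves in pcapng by default; choose the “Wireshark/tcpdump/... - pcap” format when saving, or run the check against a file produced by `dumpcap -P`, since the reader above handles only the classic format.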

Using Wireshark

Download Wireshark from www.wireshark.org and install it on your PC, then start it as you would any application.

The Wireshark website includes extensive documentation and tutorials. In general terms, however, the procedure is to first select the correct Ethernet interface (if your computer has more than one) from the list on the Wireshark home screen, then press Start.

A typical Wireshark display is shown below:

This shows, from top to bottom:

  • A list of all received or transmitted packets
  • Details of the selected packet, with each protocol layer decoded (if possible)
  • The raw data in the packet.