Monitoring Ethernet traffic using Wireshark
Posted by Liam Heaver on 18 January 2018 09:25 AM
Wireshark is a PC-based application which can capture all traffic sent or received by the PC’s Ethernet interfaces. It has extensive packet filtering capabilities, and can decode many different protocols.
The main limitations of Wireshark are:
In a modern Ethernet network, each device (PC, RTU, etc.) is normally connected to an Ethernet switch or router. The switch or router examines each packet that passes through it and directs it to the appropriate destination device. This means that if two RTUs and a PC are all connected to an Ethernet switch or router, then the communications between the two RTUs will be invisible to the PC, which means that Wireshark will not be able to capture them.
However, there is an older technology which can be used to connect devices on an Ethernet network, called a hub. Hubs broadcast each received packet to all connected devices. The devices will normally discard anything not addressed to them, with the exception of tools such as Wireshark, which can capture them.
The following diagram shows how a hub can be temporarily added to a network to allow Ethernet traffic sent between two RTUs to be captured.
In the top diagram, RTU1 and RTU2 are connected via an Ethernet switch, so the PC will not receive (and will therefore not be able to capture) any traffic except that addressed to it.
In the bottom diagram, RTU1 has been unplugged from the switch and plugged into a hub instead. The hub is also connected to the PC and to rest of the network via the switch. In this configuration anything sent to or from RTU1 (including traffic directed to RTU2) will be visible to the PC and will be able to be captured by Wireshark.
Download Wireshark from www.wireshark.org and install on your PC, then start it as you would any application.
The Wireshark website includes extensive documentation and tutorials. In general terms, however the procedure is to first select the correct Ethernet interface (if your computer has more than one) from the list on the Wireshark home screen, then press Start.
A typical Wireshark display is shown below:
This shows, from top to bottom: