With a few quick clicks, you can detect network abuse with Wireshark. Jack Wallen shows the way.
Recently, I had reason to worry that there was malicious traffic on my local area network (LAN) and decided I needed to monitor the network to find out what was happening. Naturally, I switched to an open source network monitor, Wireshark.
Wireshark is a pretty impressive tool that can do more than most network analyzers. The problem is that those who are unfamiliar with it may have trouble knowing where to begin, which can be intimidating.
To that end, I want to show you one way to detect network abuse with Wireshark. Specifically, I want to show you how easy it is to see which protocols are in use on your network and then find out where that traffic comes from. With that information, it is much easier to determine whether something undesirable is happening (like BitTorrent, Bitcoin, etc.).
What you need
To detect network abuse, you must install Wireshark. The platform you use doesn't matter; what is important is that you can start Wireshark with admin privileges.
I will demonstrate on Pop!_OS Linux. If you use a different platform, you must know how to launch Wireshark with admin rights on it.
How to start Wireshark with admin privileges
The reason you have to start Wireshark with admin privileges is that it has to be able to run /usr/bin/dumpcap, which can only be done by users with admin rights. An easy way to start Wireshark with admin rights is to open a terminal window and issue the command:
Once Wireshark is open, it will detect your network interfaces. Select the one you want to capture on, optionally set a capture filter, and click the start button (the blue shark fin) (Figure A).
Figure A: The Wireshark main window.
How to monitor protocols
Once Wireshark starts capturing packets on your network, you will see them scrolling by in the main window (Figure B).
Figure B: Wireshark capturing packets.
Once Wireshark has captured some packets, click Statistics | Protocol Hierarchy. The resulting window lists every network protocol seen in the capture on your LAN (Figure C).
Figure C: The Wireshark Protocol Hierarchy window in action.
Say you spot a protocol that seems suspicious. In the example above, Wireshark has detected BitTorrent traffic, which would not normally be on your network. Right-click the entry and select Apply As Filter | Selected. Close the Protocol Hierarchy window and return to the Wireshark main window, where you will see the BitTorrent display filter applied (Figure D).
Figure D: The BitTorrent filter applied from the Wireshark Protocol Hierarchy window.
You can then see the source and destination addresses for the offending protocol. Trace the IP address to the host on your network and stop whatever application is sending or receiving those packets.
One thing to note: the Protocol Hierarchy window does not update in real time. If you don't see anything suspicious in it, you may have to close it, wait a minute (so Wireshark can collect more packets), and then reopen it.
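As an added example (not part of the article), the two steps above, the Protocol Hierarchy count and the Apply As Filter lookup of source and destination addresses, reproduced offline in Python so you can see what each window is computing. The input is constructed sample data in the shape of `tshark -T fields -E separator=, -e frame.protocols -e ip.src -e ip.dst` output; the watch list of protocol names (`bittorrent`, `bt-dht`) and the helper names are my own.

```python
"""Offline stand-in for Statistics | Protocol Hierarchy followed by Apply As Filter | Selected.
SAMPLE_TSHARK_OUTPUT is CONSTRUCTED (not a real capture) in the shape produced by
  tshark -T fields -E separator=, -e frame.protocols -e ip.src -e ip.dst
frame.protocols is Wireshark's colon-separated dissector chain for each frame."""
from collections import Counter

SAMPLE_TSHARK_OUTPUT = """\
eth:ethertype:ip:tcp:http,192.168.1.20,203.0.113.80
eth:ethertype:ip:udp:dns,192.168.1.20,192.168.1.1
eth:ethertype:ip:tcp:bittorrent,192.168.1.57,198.51.100.10
eth:ethertype:ip:udp:bt-dht,192.168.1.57,198.51.100.9
eth:ethertype:ip:tcp:bittorrent,192.168.1.57,198.51.100.11
eth:ethertype:arp,,
"""

def parse_records(text):
    """Return (protocol_chain, src, dst) per frame; non-IP frames have empty addresses."""
    records = []
    for line in text.splitlines():
        if line.strip():
            chain, src, dst = line.split(",")
            records.append((chain.split(":"), src, dst))
    return records

def protocol_hierarchy(records):
    """Packet count per node of the dissector tree, as the Protocol Hierarchy window shows it:
    a frame dissected as eth:ethertype:ip:tcp:bittorrent is counted once at every prefix."""
    counts = Counter()
    for chain, _, _ in records:
        for depth in range(1, len(chain) + 1):
            counts[":".join(chain[:depth])] += 1
    return counts

def endpoints_for_protocol(records, protocol):
    """Equivalent of right-click -> Apply As Filter | Selected: the (src, dst) pairs that
    carry the protocol, with packet counts, so the offending LAN host can be traced."""
    return Counter((src, dst) for chain, src, dst in records if protocol in chain)

def flag_suspects(records, watch_list=("bittorrent", "bt-dht")):
    """Source hosts seen using any protocol on the watch list (hypothetical helper)."""
    return sorted({src for chain, src, _ in records
                   if src and any(p in chain for p in watch_list)})

if __name__ == "__main__":
    recs = parse_records(SAMPLE_TSHARK_OUTPUT)
    for node, n in sorted(protocol_hierarchy(recs).items()):
        print(f"{n:3d}  {node}")
    for (src, dst), n in endpoints_for_protocol(recs, "bittorrent").items():
        print(f"bittorrent: {src} -> {dst} ({n} pkt)")
    print("suspect hosts:", flag_suspects(recs))
```

Against a live capture, `tshark -qz io,phs` prints the same hierarchy and `tshark -Y bittorrent -T fields -e ip.src -e ip.dst` the same endpoint list, without opening the GUI.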
And that's the simplest method of using Wireshark to detect network abuse on your LAN. Wireshark can do significantly more, but if you are looking for a way to quickly spot unwanted traffic on your network, this method should work every time.