See what’s traversing your home network

In our discussion of networking, we talked about how messages are broken up into ‘packets,’ which are like envelopes that have a part of the original message, some error-tracking information, a destination and return address, and some other info. Now, I’m going to show you how to see the individual packets as they pass along your node of the World Wide Web.

First, download a program called Wireshark, which you can do at this link. You can download it for Windows or Mac, in 32 or 64-bit versions. To find out which version you need, you can go to the control panel in Windows Vista/7 and select ‘System and Security,’ then select ‘System’ and near the bottom of that window you will see whether you have a 32 or 64-bit OS. On Windows 8, slide-in from the right on your screen or move your mouse to the upper-right corner of the screen, select the ‘Settings’ charm, then select ‘PC Info.’

On Mac, click the Apple logo in the upper-left corner of your screen, then select ‘About this Mac’ from the menu (if a window appears that has a ‘More Information’ button, click that). In the window that appears, click ‘Hardware’ and on the right side it will tell you your processor type. If it says anything other than ‘Intel Core Solo’ or ‘Intel Core Duo’ it’s 64-bit. If it says one of those two it’s 32-bit. This install guide is for Windows, but it will be almost, but not quite, the same on a Mac.

Once you’ve downloaded Wireshark, double-click on it to install. It will ask if you want to install all the components as you see in the screen below, which you should. Keep in mind that Wireshark will also install a program called WinPcap, which actually captures the packets.

Once that’s been selected, it will ask about icons and file associations. I would have it make just a desktop icon, and allow the associations it suggests, since those file types won’t be used for anything else anyway. The screen should look like the one below.

Once the install starts, you’ll see a screen something like this, with the green progress bar scooting along the top:

It won’t get far, however, before you are asked to install WinPcap. You do want to do that; Wireshark won’t work without it. You can choose whether or not it runs at boot time, but if you don’t and then try to run Wireshark after a reboot, it won’t work.

Once WinPcap has installed, the main Wireshark installation will finish and you will have an icon for it on your desktop. When you start the program, you will see a screen like this:

As you can see on the left-hand side of the window, in the section titled ‘Capture,’ there is an interface list, meaning your network devices. It might list your NIC (wired network card) or your WiFi adapter; select the proper interface, then click ‘Start’ with the green shark fin right above it. You might have to try a couple of interfaces: if you select the wrong one nothing will happen, it just won’t capture any packets. You’ll know the right one was selected when it shows you a screen like this:

You can adjust the sizes of the three windows (Top, middle, bottom) by moving the horizontal dividers up or down. 
The lines rapidly scrolling up in the top window are the actual packets that are working their way across your network right now, and each one tells you the type of packet (we didn’t cover packet types in class) and what it’s trying to do. You can also see source and destination IP addresses. 
If you click on one of the packets, you will see some collapsed items in the middle window, with the payload, or actual data the packet is carrying, in the bottom window. If you click on any of the little pluses to the left of the entries in the middle window, you can get a ton of information, as you can see in the screen below.

You don’t have to worry about the specifics of all it’s telling you, although if you see something curious anywhere in there I can help you analyze what it is. In the picture above, you can see my printer and scanner sending out commands, for example. The colors also represent the type of packet being sent. Also remember, some of those packets are yours, others are just making their way across the Internet. 

This is known as packet-sniffing, and it’s an incredibly valuable tool that can help you diagnose issues or simply see what is being sent across your network. Usually, when you see an IP address beginning with 192.168.1 (a private address range) or 255.255.255 (the broadcast address), that is traffic staying inside your own network: your network sending data to your network.
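As an added example (not part of the original post), here is a small Python script that decodes a constructed Ethernet/IPv4/UDP frame the way Wireshark’s middle pane does, pulling out the source and destination IPs, the ports and the payload, and then applies the same ‘is this traffic local?’ rule described above. The frame, MAC addresses and IP addresses are all made up for the demo.

```python
import ipaddress
import struct

def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a constructed (not captured) Ethernet + IPv4 + UDP frame for the demo."""
    # Ethernet: broadcast destination MAC, made-up source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x00"
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    # IPv4 header: version/IHL, TOS, total length, ID, flags/frag, TTL, proto 17=UDP,
    # checksum (left 0 for the demo), source IP, destination IP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return eth + ip + udp + payload

def classify(src, dst):
    """'local' if the packet never leaves your LAN, otherwise 'external'."""
    broadcast = ipaddress.IPv4Address("255.255.255.255")
    if dst == broadcast or (src.is_private and dst.is_private):
        return "local"
    return "external"

def parse_frame(frame):
    """Decode the layers Wireshark shows as collapsible rows in its middle window."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype, "note": "not IPv4, skipped"}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    ip_hdr = frame[14:14 + ihl]
    ttl, proto = ip_hdr[8], ip_hdr[9]
    src = ipaddress.IPv4Address(ip_hdr[12:16])
    dst = ipaddress.IPv4Address(ip_hdr[16:20])
    info = {"src": str(src), "dst": str(dst), "proto": proto, "ttl": ttl}
    if proto == 17:                        # UDP: ports, length, checksum, then payload
        start = 14 + ihl
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[start:start + 8])
        info.update(sport=sport, dport=dport, payload=frame[start + 8:start + ulen])
    info["scope"] = classify(src, dst)
    return info

if __name__ == "__main__":
    # A DHCP-style broadcast from a private address: stays on the LAN
    print(parse_frame(build_frame("192.168.1.10", "255.255.255.255", 68, 67, b"DHCP")))
    # A DNS-style query to a made-up public address: leaves the LAN
    print(parse_frame(build_frame("192.168.1.10", "93.184.216.34", 50000, 53, b"q")))
```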

I think you’ll be amazed at how much data is sailing across your network all the time, and how much information you can get from watching it. Be amazed!