How can you troubleshoot a network if you really don’t know that network?
One of the tasks I often teach in class is passive discovery -- the process of building a network diagram of host addresses, infrastructure devices, and applications in use simply based on the traffic captured.
In this 3-part blog set, I will take you through the process of drawing a network diagram based only on the packets captured. We will use several Wireshark features to identify hardware addresses, software addresses and applications in use.
So how does one perform passive discovery with Wireshark? It’s actually relatively simple.
Let’s open a trace file and start building a picture of the network based on the traffic captured. You can learn how to download the file on which I will be working (and hundreds of other public trace files) by visiting https://www.chappell-university.com/traces.
The trace file I used for this blog set is skill-passivediscovery1.pcapng.
This trace file consists of only 65 packets. It’s a relatively easy start for passive discovery. I recommend you capture traffic on your own network and perform the same steps after you’ve worked with this trace file.
Identify the Hosts and Open Ports
Select Statistics | Endpoints to build a list of the hosts and their open ports. I start with TCP and then move to UDP. I don’t use the IPv4 or IPv6 tabs as they only provide me with the layer 3 addresses without the port number information.
In the image below, we see 15 TCP endpoints listed. We can easily tell which endpoints are likely web servers. One host supports port 80 (likely HTTP) and six hosts support port 443 (likely HTTPS).
We can see a number of well-known application ports associated with the hosts listed. Based on this port information, the client appears to be 192.168.0.101.
Under the UDP tab, we notice our client, 192.168.0.101, has a number of UDP ports open. There appears to be another client, 192.168.0.102, in this trace file as well.
Watch out for broadcasts and multicasts. These network addresses appear as endpoints in the Endpoints window. The address 255.255.255.255 is a broadcast address. It is not an actual physical endpoint. IPv4 addresses that begin with 224-239 (inclusive) are multicast addresses. They are not physical endpoints.
Based on this information, we can start drawing a network diagram.
Note that I have highlighted port 53 and port 137 on this diagram. Port 137 is an indication that A is running Windows since this is the NetBIOS port. The port 53 traffic in this trace file indicates that the host is likely a DNS server. Most likely, it is a network router that supports DNS resolution for local hosts.
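As an added example (not part of the original post and not Wireshark's own code), the Python below rebuilds the TCP and UDP Endpoints tabs from a raw pcap, marks 255.255.255.255 and the 224-239 range as non-physical endpoints, and attaches the port-based role hints used above. The four packets, the router address 192.168.0.1, the web server 203.0.113.10 and the port 5353 multicast traffic are constructed for this example, not taken from the trace file.

```python
# Added example (not the post's code): rebuild the Endpoints TCP/UDP tabs from a pcap.
import struct, ipaddress
ETH_IPV4, TCP, UDP = 0x0800, 6, 17
ROLE_HINTS = {80: "HTTP", 443: "HTTPS", 53: "DNS", 137: "NetBIOS (Windows)"}  # as in the post
def endpoints(pcap: bytes):
    """Return {(proto, ip): set(ports)}, the view Statistics | Endpoints gives per tab."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "classic little-endian pcap only"
    eps, off = {}, 24                                # skip the 24-byte global header
    while off + 16 <= len(pcap):                     # 16-byte record header per packet
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue                                 # ARP, IPv6 etc. are skipped here
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (TCP, UDP):
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        name = "TCP" if proto == TCP else "UDP"
        eps.setdefault((name, str(ipaddress.IPv4Address(ip[12:16]))), set()).add(sport)
        eps.setdefault((name, str(ipaddress.IPv4Address(ip[16:20]))), set()).add(dport)
    return eps
def classify(addr: str) -> str:
    """Separate real hosts from broadcast/multicast 'endpoints'."""
    if addr == "255.255.255.255":
        return "broadcast, not a physical endpoint"
    if ipaddress.IPv4Address(addr).is_multicast:    # 224.0.0.0/4, i.e. 224-239
        return "multicast, not a physical endpoint"
    return "host"
def report(pcap: bytes):                             # one row per endpoint, with role hints
    return [(proto, ip, classify(ip), sorted(ports),
             sorted({ROLE_HINTS[p] for p in ports if p in ROLE_HINTS}))
            for (proto, ip), ports in sorted(endpoints(pcap).items())]
def frame(src, dst, proto, sport, dport):           # constructed test frames, not captured
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
          if proto == TCP else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4) + ip + l4
def pcap_file(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SAMPLE = pcap_file([                                 # constructed; addresses mirror the post
    frame("192.168.0.101", "192.168.0.1", UDP, 51000, 53),     # DNS query to the router
    frame("192.168.0.101", "203.0.113.10", TCP, 51001, 443),   # HTTPS to a web server
    frame("192.168.0.102", "255.255.255.255", UDP, 137, 137),  # NetBIOS name broadcast
    frame("192.168.0.102", "224.0.0.251", UDP, 5353, 5353),    # mDNS multicast
])
print(*report(SAMPLE), sep="\n")
```

Note that the broadcast row still picks up the NetBIOS hint from port 137; that is exactly why the address is marked as not a physical endpoint before it lands on the diagram.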
Excellent! You have made a great passive discovery start on this trace file.
In Part 2 of this blog set, we will examine Wireshark’s Protocol Hierarchy window and the information contained within application and protocol traffic to fill in our picture of the network.
Cheers!