Wireshark For Mac


Category: Unit 42

Tags: tutorial, Wireshark

This post is also available in: 日本語 (Japanese)

When a host is infected or otherwise compromised, security professionals need to quickly review packet captures (pcaps) of suspicious network traffic to identify affected hosts and users.

This tutorial offers tips on how to gather that pcap data using Wireshark, the widely used network protocol analysis tool. It assumes you understand network traffic fundamentals and will use these pcaps of IPv4 traffic to cover retrieval of four types of data:

  • Host information from DHCP traffic
  • Host information from NetBIOS Name Service (NBNS) traffic
  • Device models and operating systems from HTTP traffic
  • Windows user account from Kerberos traffic

Host Information from DHCP Traffic

Any host generating traffic within your network should have three identifiers: a MAC address, an IP address, and a hostname.

In most cases, alerts for suspicious activity are based on IP addresses. If you have access to full packet capture of your network traffic, a pcap retrieved on an internal IP address should reveal an associated MAC address and hostname.

How do we find such host information using Wireshark? We filter on two types of activity: DHCP or NBNS. DHCP traffic can help identify hosts for almost any type of computer connected to your network. NBNS traffic is generated primarily by computers running Microsoft Windows or Apple hosts running MacOS.

The first pcap for this tutorial, host-and-user-ID-pcap-01.pcap, is available here. This pcap is for an internal IP address at 172.16.1[.]207. Open the pcap in Wireshark and filter on bootp as shown in Figure 1. This filter should reveal the DHCP traffic.

Note: With Wireshark 3.0, you must use the search term dhcp instead of bootp.

Figure 1: Filtering on DHCP traffic in Wireshark

Select one of the frames that shows DHCP Request in the info column. Go to the frame details section and expand the line for Bootstrap Protocol (Request) as shown in Figure 2. Expand the lines for Client Identifier and Host Name as indicated in Figure 3. Client Identifier details should reveal the MAC address assigned to 172.16.1[.]207, and Host Name details should reveal a hostname.

Figure 2: Expanding Bootstrap Protocol line from a DHCP request

Figure 3: Finding the MAC address and hostname in a DHCP request

In this case, the hostname for 172.16.1[.]207 is Rogers-iPad and the MAC address is 7c:6d:62:d2:e3:4f. This MAC address is assigned to Apple. Based on the hostname, this device is likely an iPad, but we cannot confirm solely on the hostname.

We can easily correlate the MAC address and IP address for any frame with 172.16.1[.]207 as shown in Figure 4.

Figure 4: Correlating the MAC address with the IP address from any frame
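As an added example (not code from the Unit 42 post), the Python block below pulls the same three identifiers out of a DHCP Request that the Bootstrap Protocol tree in Figure 3 exposes: the chaddr field, the Client Identifier option (61) and the Host Name option (12). The packet is constructed inline using the MAC and hostname quoted above; the check that client id and chaddr agree is an added triage hint, not something the post describes.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_dhcp_request(mac: bytes, hostname: str) -> bytes:
    """Constructed DHCP Request (not a capture): fixed BOOTP header, magic cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
                         bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr/yiaddr/siaddr/giaddr
                         mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = (b"\x35\x01\x03"                                        # 53: DHCP Request
               + b"\x3d" + bytes([1 + len(mac)]) + b"\x01" + mac      # 61: client id, type 1 = Ethernet
               + b"\x0c" + bytes([len(hostname)]) + hostname.encode("ascii")  # 12: host name
               + b"\xff")                                              # end option
    return header + DHCP_MAGIC + options

def parse_dhcp(packet: bytes) -> dict:
    """Extract what Wireshark shows under 'Bootstrap Protocol': chaddr, client id, hostname."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    hlen = packet[2]
    info = {"chaddr": fmt_mac(packet[28:28 + hlen]), "message_type": None,
            "client_id": None, "hostname": None}
    i = 240
    while i < len(packet) and packet[i] != 255:        # 255 = end of options
        code = packet[i]
        if code == 0:                                    # 0 = pad, carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info["message_type"] = MESSAGE_TYPES.get(value[0], f"type {value[0]}")
        elif code == 61 and value and value[0] == 1:     # hardware-type client identifier
            info["client_id"] = fmt_mac(value[1:])
        elif code == 12:
            info["hostname"] = value.decode("ascii", errors="replace")
        i += 2 + length
    # A client id that disagrees with chaddr is worth a second look during triage
    info["client_id_matches_chaddr"] = info["client_id"] == info["chaddr"]
    return info

if __name__ == "__main__":
    sample = build_dhcp_request(bytes.fromhex("7c6d62d2e34f"), "Rogers-iPad")  # values from the post
    print(parse_dhcp(sample))
```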

Host Information from NBNS Traffic


Depending on how frequently a DHCP lease is renewed, you might not have DHCP traffic in your pcap. Fortunately, we can use NBNS traffic to identify hostnames for computers running Microsoft Windows or Apple hosts running MacOS.

The second pcap for this tutorial, host-and-user-ID-pcap-02.pcap, is available here. This pcap is from a Windows host using an internal IP address at 10.2.4[.]101. Open the pcap in Wireshark and filter on nbns. This should reveal the NBNS traffic. Select the first frame, and you can quickly correlate the IP address with a MAC address and hostname as shown in Figure 5.

Figure 5: Correlating hostname with IP and MAC address using NBNS traffic

The frame details section also shows the hostname assigned to an IP address as shown in Figure 6.

Figure 6: Frame details for NBNS traffic showing the hostname assigned to an IP address
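Added example, not from the original post: NBNS carries the hostname in first-level encoding (each byte of the 16-byte NetBIOS name is split into two nibbles, each mapped onto the letters A..P), which is what Wireshark decodes into the name shown in Figure 6. This Python block builds a constructed name query and decodes it back; the hostname LABHOST-01 is an assumption, not a value from the pcap, and the suffix table covers the common well-known suffix bytes.

```python
import struct

# Well-known NetBIOS suffix bytes (16th byte of the name) and the role they denote
SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
          0x1B: "domain master browser", 0x1D: "master browser", 0x1E: "browser election"}

def encode_nb_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + suffix, each nibble mapped to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))

def decode_nb_name(encoded: bytes) -> tuple:
    """Reverse the encoding; returns (hostname, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("malformed NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(name: str, suffix: int, txid: int = 0x8A31) -> bytes:
    """Constructed NBNS name query (opcode 0, RD and B flags set) as broadcast to UDP/137."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    question = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"  # one 32-byte label, root
                + struct.pack("!HH", 0x0020, 0x0001))             # type NB, class IN
    return header + question

def parse_nbns(packet: bytes) -> dict:
    """Return what the NBNS dissector shows: transaction id, query/response, decoded name, role."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    label_len = packet[12]
    if label_len != 32:
        raise ValueError("unexpected NetBIOS label length")
    name, suffix = decode_nb_name(packet[13:13 + label_len])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "questions": qdcount, "name": name, "suffix": suffix,
            "role": SUFFIX.get(suffix, f"0x{suffix:02x}")}

if __name__ == "__main__":
    print(parse_nbns(build_nbns_query("LABHOST-01", 0x20)))   # constructed sample
```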

Device Models and Operating Systems from HTTP Traffic

User-agent strings from headers in HTTP traffic can reveal the operating system. If the HTTP traffic is from an Android device, you might also determine the manufacturer and model of the device.

The third pcap for this tutorial, host-and-user-ID-pcap-03.pcap, is available here. This pcap is from a Windows host using an internal IP address at 192.168.1[.]97. Open the pcap in Wireshark and filter on http.request and !(ssdp). Select the second frame, which is the first HTTP request to www.ucla[.]edu, and follow the TCP stream as shown in Figure 7.

Figure 7: Following the TCP stream for an HTTP request in the third pcap

This TCP stream has HTTP request headers as shown in Figure 8. The User-Agent line represents Google Chrome web browser version 72.0.3626[.]81 running on Microsoft’s Windows 7 x64 operating system.


Figure 8: The User-Agent line for a Windows 7 x64 host using Google Chrome

Note the following string in the User-Agent line from Figure 8:

(Windows NT 6.1; Win64; x64)

Windows NT 6.1 represents Windows 7. For User-Agent lines, Windows NT strings represent the following versions of Microsoft Windows as shown below:

  • Windows NT 5.1: Windows XP
  • Windows NT 6.0: Windows Vista
  • Windows NT 6.1: Windows 7
  • Windows NT 6.2: Windows 8
  • Windows NT 6.3: Windows 8.1
  • Windows NT 10.0: Windows 10

With HTTP-based web browsing traffic from a Windows host, you can determine the operating system and browser. The same type of traffic from Android devices can reveal the brand name and model of the device.

The fourth pcap for this tutorial, host-and-user-ID-pcap-04.pcap, is available here. This pcap is from an Android host using an internal IP address at 172.16.4.119. Open the pcap in Wireshark and filter on http.request. Select the second frame, which is the HTTP request to www.google[.]com for /blank.html. Follow the TCP stream as shown in Figure 9.

Figure 9: Following the TCP stream for an HTTP request in the fourth pcap

Figure 10: The User-Agent line for an Android host using Google Chrome

The User-Agent line in Figure 10 shows Android 7.1.2 which is an older version of the Android operating system released in April 2017. LM-X210APM represents a model number for this Android device. A quick Google search reveals this model is an LG Phoenix 4 Android smartphone.

The User-Agent line for HTTP traffic from an iPhone or other Apple mobile device will give you the operating system and the type of device (iPhone, iPad, or iPod), but it will not give you a model.

The fifth pcap for this tutorial, host-and-user-ID-pcap-05.pcap, is available here. This pcap is from an iPhone host using an internal IP address at 10.0.0[.]114. Open the pcap in Wireshark and filter on http.request. Select the frame for the first HTTP request to web.mta[.]info and follow the TCP stream as shown in Figure 11.

Figure 11: Following the TCP stream for an HTTP request in the fifth pcap

In Figure 12, the User-Agent line shows (iPhone; CPU iPhone OS 12_1_3 like Mac OS X). This indicates the Apple device is an iPhone, and it is running iOS 12.1.3.

Figure 12: The User-Agent line for an iPhone using Safari

A final note about HTTP traffic and User-Agent strings: not all HTTP activity is web browsing traffic. Some HTTP requests will not reveal a browser or operating system. When you search through traffic to identify a host, you might have to try several different HTTP requests before finding web browser traffic.

Since more websites are using HTTPS, this method of host identification can be difficult. HTTP headers and content are not visible in HTTPS traffic. However, for those lucky enough to find HTTP web-browsing traffic during their investigation, this method can provide more information about a host.
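Added example, not code from the post: a Python classifier that applies the Windows NT table above and the Android and Apple patterns from Figures 10 and 12 to raw User-Agent strings, and goes slightly beyond the page by also handling the older Android form that carries a locale field and by labelling the browser. The sample strings are constructed from the values quoted in the post; the Chrome build in the Android sample and the non-browser CryptoAPI agent are assumptions.

```python
import re

# Windows NT version tokens as listed in the tutorial
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

def classify_user_agent(ua: str) -> dict:
    """Pull OS, device, model and browser out of a User-Agent header value.
    Non-browser agents (updaters, CryptoAPI, NCSI probes) come back with all fields None."""
    info = {"os": None, "device": None, "model": None, "browser": None}

    # Windows desktop: "(Windows NT 6.1; Win64; x64)" -> Windows 7, 64-bit
    m = re.search(r"Windows NT (\d+\.\d+)((?:; WOW64)?(?:; Win64; x64)?)", ua)
    if m:
        arch = "x64" if ("x64" in m.group(2) or "WOW64" in m.group(2)) else "x86/unknown"
        info["os"] = f'{WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))} {arch}'
        info["device"] = "Windows PC"

    # Android: "(Linux; Android 7.1.2; LM-X210APM Build/N2G47H)"; older agents add "; en-gb"
    m = re.search(r"Android ([\d.]+);(?: [^;)]*;)* ([^;)]+?)(?: Build/[^;)]*)?\)", ua)
    if m:
        info["os"], info["device"], info["model"] = "Android " + m.group(1), "Android", m.group(2)

    # Apple mobile: "(iPhone; CPU iPhone OS 12_1_3 like Mac OS X)"; no model is exposed
    m = re.search(r"\((iPhone|iPad|iPod(?: touch)?); CPU (?:iPhone )?OS ([\d_]+) like Mac OS X", ua)
    if m:
        info["device"] = m.group(1)
        info["os"] = "iOS " + m.group(2).replace("_", ".")

    # Browser: order matters, since Chrome also advertises Safari and Edge advertises Chrome
    for label, pattern in (("Edge", r"Edge?/([\d.]+)"), ("Chrome", r"(?:Chrome|CriOS)/([\d.]+)"),
                           ("Firefox", r"(?:Firefox|FxiOS)/([\d.]+)"),
                           ("Safari", r"Version/([\d.]+).*Safari/")):
        m = re.search(pattern, ua)
        if m:
            info["browser"] = f"{label} {m.group(1)}"
            break
    return info

# Constructed samples built from the values the post quotes (Android Chrome build is made up)
SAMPLES = (
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/72.0.3626.81 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 7.1.2; LM-X210APM Build/N2G47H) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "Microsoft-CryptoAPI/6.1",
)

if __name__ == "__main__":
    for ua in SAMPLES:
        print(classify_user_agent(ua))
```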

Windows User Account from Kerberos Traffic

For Windows hosts in an Active Directory (AD) environment, we can find user account names in Kerberos traffic.

The sixth pcap for this tutorial, host-and-user-ID-pcap-06.pcap, is available here. This pcap is from a Windows host in the following AD environment:

  • Domain: happycraft[.]org
    • Network segment: 172.16.8.0/24 (172.16.8[.]0 – 172.16.8[.]255)
  • Domain controller IP: 172.16.8[.]8
  • Domain controller hostname: Happycraft-DC
  • Segment gateway: 172.16.8[.]1
  • Broadcast address: 172.16.8[.]255
  • Windows client: 172.16.8[.]201

Open the pcap in Wireshark and filter on kerberos.CNameString. Select the first frame. Go to the frame details section and expand lines as shown in Figure 13. Select the line with CNameString: johnson-pc$ and apply it as a column.

Figure 13: Finding the CNameString value and applying it as a column

This should create a new column titled CNameString. Scroll down to the last frames in the column display. You should find a user account name for theresa.johnson in traffic between the domain controller at 172.16.8[.]8 and the Windows client at 172.16.8[.]201 as shown in Figure 14.

Figure 14: Finding the Windows user account name

CNameString values for hostnames always end with a $ (dollar sign), while user account names do not. To filter on user account names, use the following Wireshark expression to eliminate CNameString results with a dollar sign:

kerberos.CNameString and !(kerberos.CNameString contains $)

Summary

Proper identification of hosts and users from network traffic is essential when reporting malicious activity in your network. Using the methods from this tutorial, we can better utilize Wireshark to help us identify affected hosts and users.

For more help using Wireshark, please see our previous tutorials:


How to Install and Use WireShark on Mac OS X


This is a crash course on getting WireShark (formerly known as Ethereal; a powerful graphical front end to tcpdump) installed and running on your Mac, and how to do a few basic analyses of network traffic data.

INSTALLATION

Note: You need to be root or an administrator to do this, and you MUST have Apple's 'X11' framework installed. (If you're not sure you have X11, go into the Applications folder, then into Utilities, and look for the 'X11' application. If it's not there, you will need to install X11 from your original OS X system discs. There's more to it than just the standalone app.)

  1. Download WireShark. [Intel][PPC]
    Note: It is critical that you install the correct version for your architecture -- there were major changes in the handling of permissions with regard to setting the network interface to promiscuous mode.
  2. Mount the disk image. If you are on a PowerPC Mac, launch the 'Wireshark 0.99.5c (ppc).mpkg' installer package and follow the prompts; then you're done with installation. If you are on an Intel Mac, keep reading, there are several more steps.
  3. Intel Mac? Okay. Drag the Wireshark app to your Applications folder.
  4. On the disk image, open the Utilities folder. Drag the 'Startup' folder to the Desktop. Eject the disk image.
  5. Open the Startup folder you just copied, and delete 'README.macosx'.
  6. Rename the Startup folder to 'ChmodBPF' instead of 'Startup'.
  7. Open the main 'Library' folder on your hard drive -- NOT the one in your home directory. Look for a folder named 'StartupItems'. If it's there, skip to the next step. If it is not there, create it. Note that there is no space in the name -- 'StartupItems' with capital S and capital I.
  8. Open Terminal. Type the following commands exactly as shown here, and hit return after each line.

    After the second command, you will see 'Password:' -- type your account password. (If you are logged in as 'root', you don't need to enter a password.)


  9. Restart the computer.

BASIC USAGE

Open the Applications folder and launch WireShark. The first time you run it, it may take several minutes before the main screen appears. It will launch much quicker each time afterward. A dialog box appears to tell you this.

When it comes up, go to the Capture menu and select Interfaces. You should see at least two devices listed.

In this window, three devices are shown: en0, en2, and lo0 (localhost). On Macs, the main ethernet interface is always called en0 (most Macs have only one ethernet port). If you have a wireless card (which I do), or additional ethernet cards, then those may be called en1 or en2. You will almost always want to capture on en0.

Click the Start button next to the interface you wish to sniff -- en0, probably.

Now, all kinds of colorful stuff will begin flying by. Let it run for a few seconds, maybe one minute. (This is just while you are learning the program; when you really want to look at your network, let it run as long as you can.) Then click the Stop the running live capture button (which is the button with the red X, towards the left side of the button bar.)

Each colored line in the main window represents a packet -- a unit of network communication -- between two hosts. The hosts may be client computers, printers, network devices like switches, wireless base stations, etc.

The Source and Destination columns represent the direction of the packet. In other words, for a given line, the host with the IP in the Source column sent that packet to the host with the IP in the Destination column. That packet may have been a reply in a long string of back-and-forth conversation between the two hosts. If the Destination is listed as Broadcast, that means the Source IP basically shouted out to everyone on the network (more accurately, to everyone on its local subnet).


On any busy network, you will see lots of 'chatter' like broadcasts and SNMP requests and ICMP pings. These are how network devices find each other and intelligently adapt to changes in the network. If you want these out of your way, you can enter a filter expression that excludes ICMP in the Filter box at the top of the window, then hit the Apply button. Now you only see non-ICMP traffic.

Filters in WireShark are very powerful. If you click the Filter button, next to the text box, you will see a list of pre-defined filters you can use (and you can create and save your own). Note what gets filled in for the actual filter string; you will see how the syntax works, and be able to build more complex filters based on that.


If you run WireShark with your computer plugged in to a regular switched network port, you will only see a small segment of your entire network's traffic. Switches only allow hosts to 'see' the traffic destined for them, along with the chatter mentioned above; hosts can't see packets addressed to other hosts on the same network, or even on the same switch. This is both a performance and security boost. However, if you're trying to troubleshoot problems that affect your entire network, you need to see more than just what's headed to and from your own machine. You need to place your sniffer at a point in your network where you can see everything you need to see.

Many managed switches and some routers support the use of a 'span port' or 'monitor mode' or similar. In this scenario, you designate a certain port on the device to 'mirror' all of the traffic that crosses another port on that device. So, without interfering with the network connections, you can configure the switch/router to send a 'copy' of all traffic from a certain port, back to another port, where your sniffer (WireShark) is listening. Depending on what you're trying to monitor and how your network is laid out, the port you choose to monitor may be the 'uplink' port (the path to your router or firewall or T1 module).


Back to the WireShark program. One common task you might want to use it for is to determine who the high-traffic culprits are on your network. Let a capture run for a while, maybe a minute or two; then hit Stop. Go to the Statistics menu and select Conversations. It will think for a bit, then a new window will appear (on the PPC version, it hides behind the main window). Each line in this list reflects a series of two or more packets between a host in the Address A column and another host in the Address B column, and the other columns show statistics about how many packets/bytes have been exchanged between these two parties during your capture.


Click the TCP tab, for example, to see the conversations that used Transmission Control Protocol (which includes common things like web, email, ftp downloads, etc.) Then click the Packets column heading to sort by the number of packets exchanged during the conversation. Click it again to reverse the sort so that the largest number is at the top. Now you have a sorted list of the highest-bandwidth-consumption network events that were visible to your sniffer during the time of your capture. Keep in mind that this data does not reflect anything that happened before you clicked Start Capture, or after you clicked Stop. In the screenshot above, look at the first line. 10.1.0.15 is me, and 66.135.202.161 is an eBay.com server. That network conversation was the result of my loading 1 web page on eBay.com. There was a grand total of 61815 bytes -- 61k -- transferred during that session, which is nothing. So make sure to analyze the actual numbers in light of your network's bandwidth limits.