It's no secret that I'm a big fan of Wireshark. While it isn't always the best tool for every job, it is the best graphical packet analysis application you will find, and it is a must-have for NSM analysis. I wanted to share a quick tip that I use nearly every time I'm using Wireshark for analysis.
Most people know that Wireshark can do host name resolution. As a matter of fact, I generally recommend disabling this feature, because otherwise the machine you are running Wireshark from starts generating DNS queries for every host in your capture file, and your analysis itself ends up putting additional traffic on the wire. What a lot of people don't know, however, is that you can create a hosts file just for Wireshark's use so that you can easily identify specific IP addresses.
To do this, let's start with a basic capture file. In Figure 1, there is some traffic being transmitted between a few different hosts.
Figure 1: Traffic Between A Lot of Hosts
It's pretty common in analysis to be required to examine packet captures that contain traffic from multiple hosts. When this happens, it can be hard to remember which IP address is which. In this case, let's say that we know that 192.168.3.35 is our friendly host, and 188.8.131.52 is the hostile host we are concerned about. Since there is a lot of other traffic to be found here, it would be nice if we could easily identify these hosts without committing their IP addresses to memory. I don't know about you, but I'm horrible at remembering IP addresses, especially when I'm juggling what may be multiple compromised systems or tracking down a web of systems involved in a compromise.
Let's remedy this by creating a Wireshark hosts file. First, we need to tell Wireshark to perform name resolution for IP addresses from a hosts file. To do this, open Wireshark's preferences window (Edit -> Preferences on Windows or Wireshark -> Preferences on OS X). Then make sure that "Resolve network (IP) addresses" and "Only use the profile 'hosts' file" are enabled. Also, disable "Use an external name resolver." This is shown on an OS X system (running the latest dev version of Wireshark) in Figure 2.
Figure 2: Enabling Host File Name Resolution
Now we need to create the hosts file. This file takes the same form as a Windows or Linux hosts file: one IP address per line, followed by the name you want Wireshark to display for it. In our case, we will create the following hosts file:
The file should be saved in the following location, depending on your operating system:
- Windows: %USERPROFILE%\Application Data\Wireshark\hosts
- OS X: /Users/username/.wireshark/hosts
- Linux: /home/username/.wireshark/hosts
Now, all we have to do is relaunch Wireshark, and the addresses in our capture file are displayed with the names we assigned to the devices we are examining. This is shown in Figure 3.
Figure 3: Our Traffic is Easier to Identify
There are a number of strategies you can use for labeling hosts. For instance, you can label hosts by whether they are internal or external to the network, as we did here, or you can label them by role (web server 1, DNS server 2, known botnet C&C, etc.).
This is a pretty simple trick, but it saves me a lot of time and frustration. It also helps the accuracy of my analysis, because I'm less likely to confuse IP addresses this way. You can even create large hosts files that can be used to automatically label known entities on your network.
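As an added example (not code from the original post), here is a small Python script that produces the kind of hosts file described above from a list of known entities, which is the "large hosts file" idea from the closing paragraph as much as the two-host case walked through earlier. It validates every address and label before writing, rejects conflicting duplicates so one IP never ends up with two names, can read an existing file back for checking, and locates the per-user hosts path using the directories listed in the post. The labels for 192.168.3.35 and 188.8.131.52 and the third entry are constructed placeholders, not the ones the post used. Newer Wireshark releases keep the personal configuration directory elsewhere (Help > About Wireshark > Folders shows the path for your build), so pass the path explicitly if the default below does not match.

```python
"""Generate and check a Wireshark profile hosts file.

Added example, not code from the original post. The hosts file uses the same
"<ip> <name>" lines as /etc/hosts, which is what Wireshark's
"Only use the profile 'hosts' file" option reads.
"""
import ipaddress
import os
import platform
import re

# Constructed sample entries: the two addresses from the post with assumed
# labels, plus one made-up internal server to show a role-based label.
KNOWN_HOSTS = [
    ("192.168.3.35", "friendly-host"),   # label is an assumption
    ("188.8.131.52", "hostile-host"),    # label is an assumption
    ("10.0.0.53", "internal-dns-1"),     # constructed entry
]

# Keep labels to characters that are safe in any hosts-file parser.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def validate_entry(ip, name):
    """Return (ip, name) with the address normalised, or raise ValueError."""
    addr = ipaddress.ip_address(ip)  # raises on garbage such as "192.168.3"
    if not _NAME_RE.match(name):
        raise ValueError(f"bad label {name!r}: use letters, digits, '.', '_' or '-'")
    return str(addr), name


def is_valid_entry(ip, name):
    """Boolean wrapper around validate_entry for quick checks."""
    try:
        validate_entry(ip, name)
        return True
    except ValueError:
        return False


def build_hosts_file(entries):
    """Render the hosts file text; the same IP given two labels is an error."""
    seen = {}
    lines = ["# Wireshark profile hosts file (generated)"]
    for ip, name in entries:
        ip, name = validate_entry(ip, name)
        if ip in seen and seen[ip] != name:
            raise ValueError(f"{ip} is already labelled {seen[ip]!r}")
        seen[ip] = name
        lines.append(f"{ip}\t{name}")
    return "\n".join(lines) + "\n"


def parse_hosts_file(text):
    """Read hosts-file text back into {ip: name}; comments and blanks skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        ip, name = validate_entry(parts[0], parts[1])
        mapping[ip] = name
    return mapping


def default_hosts_path(system=None):
    """Per-user hosts path as listed in the post for each platform."""
    system = system or platform.system()
    home = os.path.expanduser("~")
    if system == "Windows":
        base = os.environ.get("USERPROFILE", home)
        return os.path.join(base, "Application Data", "Wireshark", "hosts")
    # OS X and Linux both use ~/.wireshark/hosts in the post
    return os.path.join(home, ".wireshark", "hosts")


def write_hosts_file(entries, path=None):
    """Write the generated file (creating the directory) and return its path."""
    path = path or default_hosts_path()
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(build_hosts_file(entries))
    return path


if __name__ == "__main__":
    # Print rather than write, so running the script is harmless; call
    # write_hosts_file(KNOWN_HOSTS) to install it for the current user.
    print(build_hosts_file(KNOWN_HOSTS), end="")
```

Keeping the entity list in version control and regenerating the file with `write_hosts_file` is a convenient way to share one set of labels across an analysis team; the parser is there so you can diff what Wireshark is actually reading against what you expected.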