HakTip 116 – Wireshark 101: The OSI Model
Today on HakTip, Shannon Morse discusses the OSI Model and how it relates to Wireshark for packet analysis.
Today we’re checking out more Wireshark – understanding protocols and the OSI model.
If you’re still wondering why the heck one would use Wireshark, now is the time to pay attention. We’re having some fun with packet sniffing and analysis. But what is that? Packet sniffing is pretty self-descriptive. You’re digging under the applications on your computer or network and looking through the packets that are flowing along your connection. Analyzing these packets will help you determine if there is a problem with the network, checking to see if someone is on your network who shouldn’t be, figuring out what traffic is making you hit your data cap, or finding out if some malicious is going on. Wireshark supports a bunch of different protocols when you want to analyze data, such as TCP, ARP, HTTP, DNS, and more.
When capturing data, Wireshark makes you go into something called Promiscuous Mode. It’s kind of like chilling in a dark corner of a coffee shop and overhearing all the conversations around you. They aren’t directed at you, but since you’re in proximity, you can still hear what people are talking about.
If you’ve ever seen this thing called the OSI model, it’ll give you a good idea of how this information in a computer is transferred and how it’s actually seen by an end user. The OSI model has 7 layers to it, starting with application at the top. This is what mom sees when she logs into her operating system. Presentation is next and shows the computer data in a way the application can understand, such as a jpeg, or an mp3, etc.Third down is Session, which will manage the connection between two hosted computers, and it makes sure your connection doesn’t just stop suddenly. Transport is fourth down, and is where TCP and UDP live. It manages traffic between point a and point b to make sure data gets transferred error free. This is where things like proxy servers and firewalls live. Then Network, which is where routers live. The network layer makes sure the routing of data between two physical points is correct. Data link is sixth down, and operates using MAC address, bridges, and more to identify physical devices. Lastly is Physical which is the actual hardware that data is transferred through. By understanding that different protocols work on different OSI layers, it’ll help you figure out and fix problems on your network.
Application layer includes: HTTP SMTP FTP Telnet
Presentation: ASCII, JPEG, MP3, MPEG
Session:: NetBIOS, SAP etc
Transport: TCP, UDP, etc
Data link: Ethernet, etc
Physical: Cat 5.
Each layer sits on top of another to ensure proper delivery of data from one place to another. If any of these layers fail, you then end up with an error. By understanding that I can’t browse the internet if there is some sort of IP error, I know that my network layer is at fault. If I know that everything works correctly on my end and someone else isn’t receiving my information, I know it is a problem with one of their OSI layers, and we can then fix the problem.
This is why we have pretty Wireshark, which will help us determine which protocol is failing, what layer, and be able to fix it.
Now that we understand the OSI model layers, lets take a look at Wireshark. I’ve done a packet capture of my Wi-Fi with some quick internet browsing. Everything is working correctly, so no OSI layers are erroring out. If you want to take a look at the layers in Wireshark though, there is a way. Go to Statistics at the top and click on Protocol Hierarchy. This gives you statistics based on the packets and bytes transferred at each stage of the capture. Protocols are divided by type. You start with the frame (which is physical), then go down to Ethernet (Data link layer). Drop down to Internet Protocol on the Network layer, then TCP and UDP on the Transport layer. Under here we have SSL at the Session layer and HTTP on the Application layer. BAM. Now you know how your network is set up in the form of layers, and Wireshark makes all of this easy as pie.
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.