Wireshark is an open source protocol analyzer. It is “free” and runs on most platforms. Wireshark is a valuable tool for web programming, network troubleshooting and analyzing security issues. In this post we’ll look at a simple way to capture data and look at HTTP’s “Basic Authentication”. I’ll give Windows instructions, but the operation is the same under other platforms. You can get Wireshark from www.wireshark.org. We use Wireshark in multiple Learning Tree classes including Learning Tree Course 468, System and Network Security Introduction.
If you are using the network, you will likely see packets begin to fill the top pane. At this point I entered 10.10.10.100/protected into my web browser (you will be able to see which one shortly). When an authentication window appeared, I entered an (incorrect) username and password. At that point I returned to Wireshark and clicked on the red square on the toolbar to stop the capture.
I wanted to look only at traffic to the demo web server I’d set up, so I entered ip.addr==10.10.10.100 in the filter window. If you don’t know how to use Wireshark filters, click on Expression… – it will help you build a filter. Mine looks for all packets where either the IP source or destination address is that of my web server.
I selected one of the web packets and chose “Follow TCP stream” from the Analyze menu. This shows both sides of the communication in a (mostly) human-readable form. The Authorization: Basic line, with gibberish after the “Basic”, is where the username and password were sent. Note that it is not readable as-is.
I closed the window and in the top pane selected the packet with the authentication (called “Authorization” here) information. Note that in the center pane the gibberish is decoded to show the username “joe” and the password “blogs”. That gibberish is not encryption, of course, but rather an encoding called “Base64”, used on the web to encode possibly binary data as plain text.
So, if you use “Basic Authentication” on the web, the username and password are sent in the clear. That may or may not be an issue for you, but you should know how it works. In a future post I’ll show some other Wireshark features.
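As an added example (not code from the original post), here is a small Python script that does what Wireshark’s center pane did above: it scans the text of a followed TCP stream for Authorization: Basic headers and decodes them, so you can audit a capture for credentials sent over plaintext HTTP. The stream text is constructed to match the request described in this post, not a real capture; the same header sent over HTTPS would be inside TLS and would not be visible this way.

```python
import base64
import binascii
import re

# Constructed sample: text as "Follow TCP stream" would show it for the
# request to the demo server described above. Not a real capture.
SAMPLE_STREAM = (
    "GET /protected HTTP/1.1\r\n"
    "Host: 10.10.10.100\r\n"
    "Authorization: Basic am9lOmJsb2dz\r\n"
    "User-Agent: demo\r\n"
    "\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"protected\"\r\n"
    "\r\n"
)

# One Authorization: Basic header per line; the token is the Base64 part.
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def decode_basic(token):
    """Decode one Basic credential token.

    Returns (user, password), or None if the token is not valid Base64
    or the decoded text has no user:password separator.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def find_basic_credentials(stream):
    """Return every decoded (user, password) pair found in a stream's text."""
    results = []
    for match in AUTH_RE.finditer(stream):
        decoded = decode_basic(match.group(1))
        if decoded is not None:
            results.append(decoded)
    return results


if __name__ == "__main__":
    for user, password in find_basic_credentials(SAMPLE_STREAM):
        print(f"Basic auth over plaintext HTTP: user={user!r} password={password!r}")
```

Run it against the text you save from “Follow TCP stream” (or any text export of a capture) to list every Basic credential that crossed the wire unencrypted.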
Stay tuned for part 2 on Wireshark, coming soon!
To your safe computing,