
Getting Down with Wireshark as a Network Monitoring Tool


Wireshark: when you need to get down and dirty with individual packets, it's the undisputed champ. But what happens when you're trying to figure out what's actually going down on a high-speed, chaotic network? Not just the wireless activity, but the bigger picture: what is actually going on, which users on the network are active and what they're up to, and what can we see? Scrolling through a billion packets to find out who's hogging all the bandwidth with Netflix isn't just a headache; it's practically impossible.

Wireshark is a microscope, but sometimes you need a satellite view. You want to know the big picture: what apps are running, who the top talkers are, and if something sketchy is happening, without spending hours creating ridiculously complex filters.

The Secret Sauce: ntop's nDPI

Enter the total game-changer: nDPI (ntop Deep Packet Inspection).

Think of standard Wireshark as a mailman who only reads the outside of the envelope (the packet header). It sees the to/from address and the port number, but has no clue what's inside. nDPI is like giving your mailman x-ray vision. It looks inside the packet's data to identify the actual application, regardless of the port. It can spot the difference between Skype, BitTorrent, Office365, and Facebook, even when they're trying to be sneaky.

How It Works: The Extcap + Lua Combo

So, how do we get this magic into Wireshark? The super slick solution presented by Luca Deri from ntop uses a one-two punch that doesn't even require you to recompile Wireshark.

  1. Extcap Plugin: This is an "external capture" module. It grabs the traffic, runs it through the nDPI engine to figure out the real protocol, and then cleverly tags each packet with that info before handing it off to Wireshark.

  2. Lua Script: A simple script tells Wireshark how to read those new tags. This unlocks the ability to use killer new display filters like ndpi.protocol.name == "Netflix". Yeah, it's that easy.
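To make the Lua half concrete, here is a small post-dissector written for this post (it is not ntop's own ndpi.lua) that reads a tag the extcap side appended to each frame and exposes it as filterable fields. The trailer layout, the magic value and the field names (ndpi_demo.* rather than ndpi.*, so it cannot collide with the real script) are assumptions constructed for the example; check the real extcap's format before adapting it.

```lua
-- Added example, not ntop's ndpi.lua: expose an nDPI-style trailer as Wireshark fields.
-- Assumed trailer layout (constructed for this example, check the real extcap's format):
--   bytes 0..3   magic "NDPI" (0x4E445049)
--   bytes 4..5   master protocol id, uint16 big-endian
--   bytes 6..7   application protocol id, uint16 big-endian
--   bytes 8..23  protocol name, NUL-padded ASCII, 16 bytes
local TRAILER_LEN = 24
local MAGIC = 0x4E445049

local ndpi = Proto("ndpi_demo", "nDPI demo trailer")
local f_master = ProtoField.uint16("ndpi_demo.master_id", "Master protocol id", base.DEC)
local f_app    = ProtoField.uint16("ndpi_demo.app_id", "Application protocol id", base.DEC)
local f_name   = ProtoField.string("ndpi_demo.protocol.name", "Protocol name")
ndpi.fields = { f_master, f_app, f_name }

-- Wireshark already isolates bytes beyond the IP total length as eth.trailer,
-- so the post-dissector only has to look there instead of re-parsing the frame.
local eth_trailer = Field.new("eth.trailer")

function ndpi.dissector(tvb, pinfo, tree)
  local fi = eth_trailer()
  if not fi then return end                 -- no trailer on this frame
  local r = fi.range                        -- TvbRange covering the trailer bytes
  if r:len() < TRAILER_LEN then return end
  -- the tag sits at the very end; anything before it is ordinary padding
  local off = r:len() - TRAILER_LEN
  if r:range(off, 4):uint() ~= MAGIC then return end

  local name = r:range(off + 8, 16):stringz()
  local st = tree:add(ndpi, r:range(off, TRAILER_LEN), "nDPI demo trailer")
  st:add(f_master, r:range(off + 4, 2))
  st:add(f_app, r:range(off + 6, 2))
  st:add(f_name, r:range(off + 8, 16), name)
  -- also show the detected application in the packet list's Info column
  pinfo.cols.info:append(" [" .. name .. "]")
end

-- run after all normal dissectors so eth.trailer is already populated
register_postdissector(ndpi)
```

Drop the file into your Wireshark plugins directory (or load it with -X lua_script:) and the filter ndpi_demo.protocol.name == "Netflix" works the same way the post's ndpi.protocol.name filter does.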

Turning Wireshark into a Monitoring Dashboard

This integration is more than just filters. The Lua script also unlocks a whole suite of new analysis tools that basically turn Wireshark into a legit network monitoring application. You can generate instant reports to get a bird's-eye view of your network traffic.

We're talking about:

  • Top Applications: Instantly see a breakdown of traffic by app. See how much bandwidth YouTube, Facebook, and Office 365 are really using.

  • DNS Deep Dive: See the top DNS clients, resolvers, and queries. A great way to spot misconfigurations or sketchy malware behavior.

  • SSL/TLS Insights: Analyze SSL certificates to see what servers your users are connecting to. You can even spot the weird, algorithmically-generated domains used by Tor or malware.

  • Passive Recon: Identify device types and operating systems just by watching DHCP and HTTP traffic. Find out how many iPhones, Windows PCs, or even HP printers are on your network.

  • Latency Checks: Quickly measure network and application latency to find out if it's the network or the server that's slow.

The Bottom Line

By combining Wireshark with the power of nDPI, you get the best of both worlds. You can still dive deep into a single packet when you need to, but you can also zoom out and get that high-level, actionable intelligence to understand your network in seconds. It’s a massive level-up for anyone in network analysis.

In reference to the following PDFs:

  • https://archive.fosdem.org/2025/events/attachments/fosdem-2025-5461-passive-network-traffic-fingerprinting/slides/238457/nDPI_FOSD_UXCmtUQ.pdf
  • https://sharkfest.wireshark.org/retrospective/sfeu/presentations17eu/19.pdf
