Passive network mapping analyzes traffic that is already on the wire to identify devices, IP addresses, open ports and services without sending a single probe. Wireshark, a powerful packet analyzer, can be used for this by examining captured traffic to infer the network topology and device details. The trade-off is coverage: passive mapping only reveals hosts and services that happened to communicate, and that the capture point could see, during the capture window.
1. Extracting Device and IP Information
To identify devices and their IP addresses from Wireshark captures, you can use the following methods:
- Endpoints Analysis:
  - Navigate to Statistics > Endpoints.
  - This window lists every endpoint observed in the capture, with separate tabs for Ethernet (MAC) addresses and IPv4/IPv6 addresses, along with packet and byte counts per endpoint.
  - Reviewing this list gives a first inventory of active devices; the "Name resolution" checkbox adds OUI vendor names for MAC addresses, which often identifies the device manufacturer.
- Protocol Filters:
  - Address Resolution Protocol (ARP):
    - Filter: arp
    - ARP packets map IP addresses to MAC addresses. The sender hardware and protocol address fields are authoritative for the sending host in both requests and replies, so either can be used to build the IP-to-MAC table. ARP is link-local: it only reveals hosts in the same broadcast domain as the capture point.
  - Dynamic Host Configuration Protocol (DHCP):
    - Filter: dhcp (bootp in Wireshark versions before 3.0)
    - DHCP traffic reveals IP address allocations along with device hostnames. When a client requests a lease it usually includes its hostname in option 12 (Host Name), and the server's DHCPACK confirms the address actually assigned (yiaddr) for the client MAC (chaddr). The Vendor Class Identifier (option 60) and Parameter Request List (option 55) additionally help fingerprint the client operating system.
2. Identifying Open Ports and Services
While passive analysis does not probe for open ports, you can infer listening services from the connections you observe:
- TCP/UDP Conversations:
  - Navigate to Statistics > Conversations and select the TCP or UDP tab.
  - Each row is a pair of addresses with the ports they communicate over, plus packet counts, byte counts and duration.
  - From these conversations you can deduce which services are active on which devices. A TCP SYN/ACK sent by a host proves it is listening on the source port of that segment; a lone SYN with no reply only proves that someone tried.
- Service Identification:
  - Common ports are associated with well-known services (e.g., port 80 for HTTP, port 443 for HTTPS, port 25 for SMTP).
  - Traffic on these ports suggests the corresponding service is present, but the port number is a hint, not proof: services are often moved to non-standard ports, and one side of every conversation is an ephemeral client port. Wireshark's Protocol column, which reflects actual dissection of the payload, is more reliable than the port number alone.
3. Utilizing Specific Protocols for Network Mapping
Certain protocols are particularly useful for passive network mapping:
- ARP (Address Resolution Protocol):
  - ARP maps IP addresses to MAC addresses. Capturing ARP traffic lets you build a table of active devices and their associated IP and MAC addresses, limited to the local broadcast domain.
- DHCP (Dynamic Host Configuration Protocol):
  - DHCP traffic reveals which IP addresses are assigned to which devices, along with hostnames and MAC addresses. Because the hostname is asserted by the client, treat it as a label, not as proof of identity.
- NetBIOS Name Service (NBNS):
  - Filter: nbns
  - NBNS (UDP port 137) is used by Windows devices for NetBIOS name registration and resolution. Name registrations and queries expose host names, and often workgroup or domain names, together with their IP addresses. LLMNR (filter: llmnr) and mDNS (filter: mdns) play the same role on newer Windows, macOS and Linux hosts and are worth filtering alongside NBNS.
Step-by-Step Guide to Passive Network Mapping Using Wireshark
- Capture Network Traffic:
  - Start Wireshark and begin capturing traffic on the network interface of interest, with promiscuous mode enabled.
  - Choose the capture position deliberately: on a switched network a host only sees broadcast and multicast traffic plus its own unicast traffic, so mapping unicast conversations between other hosts requires a SPAN/mirror port, a network TAP, or capturing on a gateway.
  - Ensure you have the necessary authorization and are compliant with local policies and regulations.
- Analyze Endpoints:
  - Navigate to Statistics > Endpoints.
  - Review the list of IP addresses and MAC addresses to identify active devices.
- Examine ARP Traffic:
  - Apply the arp filter to view ARP packets.
  - Analyze ARP requests and replies to map IP addresses to MAC addresses.
- Inspect DHCP Traffic:
  - Apply the dhcp filter to view DHCP packets.
  - Look for DHCP requests and acknowledgments to identify device hostnames and their assigned IP addresses.
- Review TCP/UDP Conversations:
  - Navigate to Statistics > Conversations and select the TCP and UDP tabs.
  - Identify active connections and the services in use, confirming listeners through completed handshakes rather than port numbers alone.
- Utilize Display Filters:
  - Use Wireshark's display filters to focus on specific traffic types or protocols.
  - For example, filter by http to view HTTP traffic and identify web servers, or by tls to find servers that use TLS on any port.
- Correlate Information:
  - Combine data from the various analyses to build a comprehensive map of the network.
  - Document device IP addresses, MAC addresses, hostnames, and active services.
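The steps above can be reproduced outside the GUI. The following script is an added example, not part of the original article or of Wireshark: it reads a classic pcap with the standard library only and applies the same inferences Wireshark's Endpoints, Conversations, arp and dhcp views support: IP-to-MAC bindings from ARP sender fields, hostnames from DHCP option 12 joined to the address confirmed by the DHCPACK, and listening services from TCP SYN/ACK segments. The capture is constructed inline (the MAC addresses, IPs, hostname and helper names such as build_sample_capture are all made up for the example) so the script runs offline; pcapng files are out of scope.

```python
"""Passive host/service mapping from a pcap, mirroring Wireshark's Endpoints and
Conversations views and the arp/dhcp filters. Stdlib only; the capture is synthetic."""
import struct
from collections import defaultdict

ETH_ARP, ETH_IP, PROTO_TCP, PROTO_UDP, SYN_ACK = 0x0806, 0x0800, 6, 17, 0x12

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def frames_from_pcap(data):
    """Yield raw Ethernet frames from a classic little-endian pcap (not pcapng)."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "classic pcap expected"
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dhcp_options(msg):
    """TLV options after the 240-byte fixed BOOTP header and magic cookie."""
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:          # 0xFF ends the option list
        if msg[i] == 0:                             # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def passive_map(pcap_bytes):
    """Return {ip: {"mac", "hostname", "services"}} without sending a single packet."""
    hosts = defaultdict(lambda: {"mac": None, "hostname": None, "services": set()})
    dhcp_names = {}                                 # client MAC -> DHCP option 12 hostname
    for frame in frames_from_pcap(pcap_bytes):
        eth_type = struct.unpack_from("!H", frame, 12)[0]
        if eth_type == ETH_ARP:
            sha, spa = frame[22:28], frame[28:32]   # sender fields: authoritative for the sender
            if spa != b"\0\0\0\0":                  # ARP probes carry 0.0.0.0; ignore them
                hosts[ip_str(spa)]["mac"] = mac_str(sha)
        elif eth_type == ETH_IP:
            l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
            src_ip, dst_ip = ip_str(frame[26:30]), ip_str(frame[30:34])
            for ip in (src_ip, dst_ip):             # Endpoints view: every IP that appears
                if ip not in ("0.0.0.0", "255.255.255.255"):
                    hosts[ip]                       # touching the defaultdict registers it
            if proto not in (PROTO_TCP, PROTO_UDP):
                continue
            sport, dport = struct.unpack_from("!HH", frame, l4)
            if proto == PROTO_TCP and frame[l4 + 13] & SYN_ACK == SYN_ACK:
                hosts[src_ip]["services"].add(sport)  # a SYN/ACK proves a listener; a lone SYN does not
            elif proto == PROTO_UDP and {sport, dport} == {67, 68}:
                msg = frame[l4 + 8:]
                op, yiaddr, chaddr = msg[0], ip_str(msg[16:20]), mac_str(msg[28:34])
                opts = dhcp_options(msg)
                if op == 1 and 12 in opts:          # client message carrying a Host Name
                    dhcp_names[chaddr] = opts[12].decode(errors="replace")
                if op == 2 and opts.get(53) == b"\x05":  # DHCPACK: lease confirmed
                    hosts[yiaddr]["mac"] = chaddr
    # Ethernet source MACs are deliberately not used: on routed traffic they are the
    # gateway's, so only ARP and DHCP provide trustworthy IP-to-MAC bindings.
    for h in hosts.values():
        h["hostname"] = dhcp_names.get(h["mac"])
    return dict(hosts)

# ---- constructed sample capture (synthetic, not a real trace) --------------------
MAC_GW, MAC_CLIENT, MAC_SRV = (bytes.fromhex("aabbccddee0" + d) for d in "123")
IP_GW, IP_CLIENT, IP_SRV = (bytes([192, 168, 1, x]) for x in (1, 10, 20))
ZERO_IP, BCAST_IP, BCAST_MAC = b"\0" * 4, b"\xff" * 4, b"\xff" * 6

def eth(dst, src, etype, payload): return dst + src + struct.pack("!H", etype) + payload
def udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, flags): return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
def arp(oper, sha, spa, tha, tpa): return struct.pack("!HHBBH", 1, ETH_IP, 6, 4, oper) + sha + spa + tha + tpa

def ipv4(src, dst, proto, payload):                 # checksum left 0: dissection ignores it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst) + payload

def dhcp(op, yiaddr, chaddr, options):              # struct pads chaddr/sname/file with NULs
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        ZERO_IP, yiaddr, ZERO_IP, ZERO_IP, chaddr, b"", b"")
    return fixed + b"\x63\x82\x53\x63" + options + b"\xff"

def build_sample_capture():
    frames = [
        eth(BCAST_MAC, MAC_GW, ETH_ARP, arp(1, MAC_GW, IP_GW, b"\0" * 6, IP_SRV)),          # who has .20?
        eth(MAC_GW, MAC_SRV, ETH_ARP, arp(2, MAC_SRV, IP_SRV, MAC_GW, IP_GW)),              # .20 is at SRV
        eth(BCAST_MAC, MAC_CLIENT, ETH_IP, ipv4(ZERO_IP, BCAST_IP, PROTO_UDP, udp(68, 67,    # DHCPREQUEST
            dhcp(1, ZERO_IP, MAC_CLIENT, b"\x35\x01\x03\x0c\x09laptop-01\x32\x04" + IP_CLIENT)))),
        eth(MAC_CLIENT, MAC_GW, ETH_IP, ipv4(IP_GW, IP_CLIENT, PROTO_UDP, udp(67, 68,        # DHCPACK
            dhcp(2, IP_CLIENT, MAC_CLIENT, b"\x35\x01\x05\x36\x04" + IP_GW)))),
        eth(MAC_SRV, MAC_CLIENT, ETH_IP, ipv4(IP_CLIENT, IP_SRV, PROTO_TCP, tcp(51514, 443, 0x02))),  # SYN
        eth(MAC_CLIENT, MAC_SRV, ETH_IP, ipv4(IP_SRV, IP_CLIENT, PROTO_TCP, tcp(443, 51514, 0x12))),  # SYN/ACK
        eth(MAC_SRV, MAC_CLIENT, ETH_IP, ipv4(IP_CLIENT, IP_SRV, PROTO_TCP, tcp(51520, 22, 0x02))),   # unanswered SYN
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

if __name__ == "__main__":
    for ip, info in sorted(passive_map(build_sample_capture()).items()):
        print(f"{ip:15} {info['mac']}  {info['hostname'] or '-':10} {sorted(info['services'])}")
```

Run against the sample, the map contains three hosts: the gateway and the server are known only by MAC (from ARP), the client carries the hostname laptop-01 bound to the address its DHCPACK confirmed, and only port 443 is recorded as a service on the server because the SYN to port 22 was never answered. To use it on a real trace, pass the bytes of a classic pcap saved from Wireshark (File > Save As, "Wireshark/tcpdump/... - pcap" format) to passive_map.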
Considerations
- Capture position determines coverage: on a switched network you will only see other hosts' unicast traffic from a mirror port, a TAP or a gateway, and ARP, DHCP and NBNS only reveal hosts in the local broadcast domain.
- A passive map is a lower bound. A host or service that did not communicate during the capture window is simply absent, so a quiet host is not a nonexistent one.
- Hostnames from DHCP and NBNS are asserted by the client and can be forged or stale; ARP replies can be spoofed. Corroborate identity across several protocols before relying on it.
- Encrypted traffic hides the application layer but not the endpoints and ports, so TLS conversations still place services on the map even when their content is opaque.
By following these steps, you can map your network passively using Wireshark, gaining insight into device configurations and active services without generating any additional network traffic.