Network forensics is the capture, recording, and analysis of network traffic and related network data (packet captures, flow records, logs) in order to reconstruct events, trace the source of an intrusion, and recover evidence such as transferred files or credentials. Like all forensic work, it is a detailed investigation of events together with the gathering of relevant information, collected in a way that preserves the integrity of the evidence. Kali comes with a wide range of tools that assist in forensic analysis. Because an investigation usually looks at several different aspects (traffic, hosts, storage, memory), it needs several different tools; unlike exploitation, which often centres on a single framework, forensics usually depends on a combination of them. Let us cover some of the major forensic tools in detail here.
Network analysis with Wireshark

Wireshark is an open source network packet analyzer. Like tcpdump, it captures the packets flowing over the wire (or the air); unlike tcpdump, it dissects every protocol layer of each packet and presents the result in a graphical interface. Wireshark can be regarded as a Swiss army knife because it serves under very different circumstances: network troubleshooting, security operations, and learning protocol internals. It is one tool that does all of this, and with ease.
Some of the important benefits of working with Wireshark are as follows:
- Multiple protocol support
- A user-friendly interface
- Live traffic analysis
- Open source
To begin working with Wireshark in Kali Linux, navigate to Applications | Kali Linux | Top 10 security tools | Wireshark, or simply run wireshark from a terminal. Capturing requires the privilege to open a network interface in promiscuous mode. On Kali this means either running Wireshark as root or adding your user to the wireshark group (dpkg-reconfigure wireshark-common), so that the setuid dumpcap helper captures on your behalf. Prefer the second option: Wireshark's own documentation advises against running the GUI as root, because its dissectors parse untrusted input from the network.
Once the GUI is loaded, you have to select the interface you want to capture on. The left-bottom panel of the start page lists the available interfaces (on Linux, the pseudo-interface any captures on all of them at once, at the cost of replacing the Ethernet header with a Linux cooked header). Select an interface and click on Start to begin; the GUI starts showing the packets captured on that interface as they arrive.

The Wireshark window is divided into three panes. The packet list pane at the top shows one line per captured packet (number, timestamp, source, destination, protocol, and a short summary), so this is the live view of the capture. The packet details pane shows the packet selected in the list decoded layer by layer (Ethernet, IP, TCP, application protocol), with each field expandable. The packet bytes pane shows the same packet as raw bytes in a hex-and-ASCII dump, and highlights the bytes belonging to whatever field you select in the details pane. Two kinds of filter control what you see: a capture filter (tcpdump/BPF syntax, set in the Capture menu before you start) decides which packets are recorded at all, whereas a display filter (Wireshark's own syntax, for example tcp.port == 80, typed into the filter bar) only hides packets that have already been captured. On a busy link, set a capture filter and look at the other capture options in the Capture menu (snapshot length, ring buffer of files), because a GUI cannot keep up with everything the wire carries, and packets dropped by the capture are lost to the investigation.
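To make concrete what the three panes are showing, here is an added example that is not from the book and not Wireshark's own code: a stdlib-only Python script that does for an Ethernet/IPv4/TCP capture what Wireshark's dissectors do. It reads the records of a classic pcap file, decodes the headers layer by layer (the packet details view), renders the raw bytes as a hex-and-ASCII dump (the packet bytes view), and selects packets the way the display filter tcp.port == 80 would. The capture it works on, including the MAC and IP addresses and the TCP handshake, is constructed inside the script; nothing is read from a live interface.

```python
# Stdlib-only pcap reader and Ethernet/IPv4/TCP dissector; the traffic is constructed, not captured.
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # TCP flag bits 0..5

def ip_checksum(header):
    """RFC 1071 one's-complement sum; a valid header, checksum field included, sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Fabricate an Ethernet/IPv4/TCP frame for the demo (TCP checksum left at 0)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp

def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap (24-byte global header)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, i * 1000, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a classic pcap, honouring the byte order the magic number declares."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file: magic %08x" % magic)
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        if off + 16 + incl_len > len(data):  # file cut off mid-packet, e.g. capture killed
            raise ValueError("truncated record at offset %d" % off)
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP into the layered view of the packet details pane."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return layers  # non-IPv4 frames stop at the Ethernet layer
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "proto": proto, "ttl": ip[8], "len": total_len,
                    "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, offset_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                     "payload": tcp[(offset_byte >> 4) * 4:]}
    return layers

def hexdump(data, width=16):
    """Render bytes the way the packet bytes pane does: offset, hex, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, text))
    return lines

def tcp_port_filter(frames, port):
    """Same selection as the display filter 'tcp.port == <port>'."""
    return [f for f in frames
            if "tcp" in (d := dissect(f)) and port in (d["tcp"]["srcport"], d["tcp"]["dstport"])]

# Constructed sample: a handshake plus an HTTP request to 192.0.2.10, and an unrelated SSH SYN.
C_MAC, C_IP, S_MAC, S_IP = "00:11:22:33:44:55", "10.0.0.5", "66:77:88:99:aa:bb", "192.0.2.10"
SAMPLE_FRAMES = [
    build_tcp_frame(C_MAC, S_MAC, C_IP, S_IP, 51000, 80, 0x02),                          # SYN
    build_tcp_frame(S_MAC, C_MAC, S_IP, C_IP, 80, 51000, 0x12),                          # SYN/ACK
    build_tcp_frame(C_MAC, S_MAC, C_IP, S_IP, 51000, 80, 0x18, b"GET / HTTP/1.1\r\n"),  # PSH/ACK
    build_tcp_frame(C_MAC, S_MAC, C_IP, "10.0.0.53", 40000, 22, 0x02),                   # SSH SYN
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)
if __name__ == "__main__":
    for no, frame in enumerate(read_pcap(SAMPLE_PCAP), 1):  # one line per packet, like the list pane
        d = dissect(frame)
        print(no, "%s:%d -> %s:%d" % (d["ip"]["src"], d["tcp"]["srcport"], d["ip"]["dst"], d["tcp"]["dstport"]), d["tcp"]["flags"])
    print("\n".join(hexdump(SAMPLE_FRAMES[2])))  # raw bytes of the HTTP request, like the bytes pane
```

Writing SAMPLE_PCAP to a file (open("sample.pcap", "wb").write(SAMPLE_PCAP)) and opening it in Wireshark lets you compare the three panes against the script's output line by line; the checksum_ok field mirrors the IP header validation Wireshark performs, and the truncated-record error is the case you hit when a capture was killed mid-write.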