Blue Team Toolkit
  • 👊Welcome!
  • application-security
    • Application Security
  • DFIR Toolkit
  • Incident Response
    • Containment, Eradication, and Recovery
    • Network Analysis
    • MITRE ATT&CK Framework
    • post-incident
    • preparation
  • network-hardening
    • Basic Network Tools
    • Basic Port Info
    • NMAP
    • Wireshark
  • Phishing Analysis
    • Basic Email Info
    • Email Headers
  • reversing
    • gdb
    • reversing
  • Security Information and Event Monitoring
    • DeepBlueCLI
    • Linux Log Analysis
    • Log Review Approach
    • Network Device Log Analysis
    • Other Tools
    • SIFT Workstation
    • Splunk
    • Syslog
    • Sysmon
    • Web Server Log Analysis
    • Windows Log Analysis
  • Systems Forensics
    • Autopsy
    • Basic File Metadata
    • Browser History Capturer
    • Browser History Viewer
    • Digital Evidence Handling
    • Exiftool
    • File Hashing
    • File Systems
    • forensics-workstation
    • FTK Imager
    • John the Ripper
    • JumpList Explorer
    • KAPE
    • Linux Artifacts
    • Memory File Analysis
    • Prefetch Explorer Command Tool PECmd.exe
    • Scalpel
    • Steghide
    • Sysinternals
    • Volatility
    • Windows Artifacts
    • Windows File Analyzer
    • YARA
  • systems-hardening
    • Active Directory Hardening
    • linux-hardening
    • windows-hardening
Powered by GitBook
On this page
  1. network-hardening

Wireshark

PreviousNMAPNextPhishing Analysis

Last updated 1 year ago

  • Description: used to capture and analyze network traffic in the form of packet capture files

  • Installation: download from

  • Usage

    • Basic Capture Filter Examples

      • Capture Filters

      • Limit traffic to and from IP address: host 192.168.1.1

      • All traffic on the subnet: net 192.168.0.0/24:

      • Packets sent to the specified host: dst host 192.168.1.1

      • Limit traffic to port 53 only: port 53

      • All traffic except DNS/ARP: port not 53 and not arp

    • Basic Display Filter Examples

      • Packets sent from one computer (ip.src) to another (ip.dst): ip.src==IP-address and ip.dst==IP-address

      • Show you all traffic on port 25 (typically SMTP): tcp.port eq 25

      • Only show ICMP traffic: icmp

      • All traffic except traffic from specified IP: ip.addr != IP_address

      • Traffic from src host using TCP 443, using TLC version 1.2: ip.src_host == 192.168.1.7 and tcp.port == 443 and ssl.record.version == 0x0303

      • Show specific HTTP method: http.request.method == "POST"

      • Search for a string within a frame: frame contains "string"

      • Search strings within packets: CTRL + F

      • Host Identification from DHCP traffic: ip.src==xxx.xxx.xxx && dhcp then search for Host Name in the DHCP Options of a DHCP request packet

      • Search for http redirection: http.reaspon.code==301 or search for the http.referer field

      • Search by port: tcp.port

      • More Display Filters here:

    • More Advanced Searching

      • To follow a packet stream: Right Click -> Follow > TCP/UDP/SSL/HTTP Stream

      • To extract HTTP files from packets: File -> Export Objects -> HTTP -> Highlight File -> Save As

      • To extract FTP files from packets: filter FTP-DATA packets for export -> Right Click -> Follow > TCP Stream -> Show and save data as Raw

      • To extract files from streams: Follow TCP Stream -> Save stream as raw -> Analyze with exif-tools or change file extension

        • Example: frame contains 20210429_152157.jpg” -> Follow TCP Stream -> Save stream as raw -> then analyze with exif-tools or change file extension to view

      • To search for domain names: Statistics -> Search for IP

      • To identify hostnames from DHCP traffic: ip.src==xxx.xxx.xxx.xxx && dhcp -> search for Host Name in the DHCP Options of a DHCP request packet

      • To search for http redirction: http.response.code==301 or search for the http.referer field

      • Helpful Windows

        • Conversations

        • Protocol Hierarchy

        • Endpoints

  • Resources

    • T-shark

https://www.wireshark.org/#download
https://wiki.wireshark.org/DisplayFilters
Wireshark User's Guide
Wireshark Training Resources
Into to Wireshark Video
Wireshark Tutorial
Export Wireshark Data from TCP Stream
Identifying Hosts and Users using Wireshark