Wireshark

Description: used to capture and analyze network traffic in the form of packet capture files
Installation: download from https://www.wireshark.org/#download
Usage
- Basic Capture Filter Examples
  - Capture Filters
  - Limit traffic to and from IP address: host 192.168.1.1
  - All traffic on the subnet: net 192.168.0.0/24:
  - Packets sent to the specified host: dst host 192.168.1.1
  - Limit traffic to port 53 only: port 53
  - All traffic except DNS/ARP: port not 53 and not arp
- Basic Display Filter Examples
  - Packets sent from one computer (ip.src) to another (ip.dst): ip.src==IP-address and ip.dst==IP-address
  - Show you all traffic on port 25 (typically SMTP): tcp.port eq 25
  - Only show ICMP traffic: icmp
  - All traffic except traffic from specified IP: ip.addr != IP_address
  - Traffic from src host using TCP 443, using TLC version 1.2: ip.src_host == 192.168.1.7 and tcp.port == 443 and ssl.record.version == 0x0303
  - Show specific HTTP method: http.request.method == "POST"
  - Search for a string within a frame: frame contains "string"
  - Search strings within packets: CTRL + F
  - Host Identification from DHCP traffic: ip.src==xxx.xxx.xxx && dhcp then search for Host Name in the DHCP Options of a DHCP request packet
  - Search for http redirection: http.reaspon.code==301 or search for the http.referer field
  - Search by port: tcp.port
  - More Display Filters here: https://wiki.wireshark.org/DisplayFilters
- More Advanced Searching
  - To follow a packet stream: Right Click -> Follow > TCP/UDP/SSL/HTTP Stream
  - To extract HTTP files from packets: File -> Export Objects -> HTTP -> Highlight File -> Save As
  - To extract FTP files from packets: filter FTP-DATA packets for export -> Right Click -> Follow > TCP Stream -> Show and save data as Raw
  - To extract files from streams: Follow TCP Stream -> Save stream as raw -> Analyze with exif-tools or change file extension
    Example: frame contains 20210429_152157.jpg” -> Follow TCP Stream -> Save stream as raw -> then analyze with exif-tools or change file extension to view
  - To search for domain names: Statistics -> Search for IP
  - To identify hostnames from DHCP traffic: ip.src==xxx.xxx.xxx.xxx && dhcp -> search for Host Name in the DHCP Options of a DHCP request packet
  - To search for http redirction: http.response.code==301 or search for the http.referer field
  - Helpful Windows
    Conversations
    Protocol Hierarchy
    Endpoints
Resources

PreviousNMAP NextPhishing Analysis

Last updated 1 year ago

Wireshark

Description: used to capture and analyze network traffic in the form of packet capture files
Installation: download from https://www.wireshark.org/#download
Usage
- Basic Capture Filter Examples
  - Capture Filters
  - Limit traffic to and from IP address: host 192.168.1.1
  - All traffic on the subnet: net 192.168.0.0/24:
  - Packets sent to the specified host: dst host 192.168.1.1
  - Limit traffic to port 53 only: port 53
  - All traffic except DNS/ARP: port not 53 and not arp
- Basic Display Filter Examples
  - Packets sent from one computer (ip.src) to another (ip.dst): ip.src==IP-address and ip.dst==IP-address
  - Show you all traffic on port 25 (typically SMTP): tcp.port eq 25
  - Only show ICMP traffic: icmp
  - All traffic except traffic from specified IP: ip.addr != IP_address
  - Traffic from src host using TCP 443, using TLC version 1.2: ip.src_host == 192.168.1.7 and tcp.port == 443 and ssl.record.version == 0x0303
  - Show specific HTTP method: http.request.method == "POST"
  - Search for a string within a frame: frame contains "string"
  - Search strings within packets: CTRL + F
  - Host Identification from DHCP traffic: ip.src==xxx.xxx.xxx && dhcp then search for Host Name in the DHCP Options of a DHCP request packet
  - Search for http redirection: http.reaspon.code==301 or search for the http.referer field
  - Search by port: tcp.port
  - More Display Filters here: https://wiki.wireshark.org/DisplayFilters
- More Advanced Searching
  - To follow a packet stream: Right Click -> Follow > TCP/UDP/SSL/HTTP Stream
  - To extract HTTP files from packets: File -> Export Objects -> HTTP -> Highlight File -> Save As
  - To extract FTP files from packets: filter FTP-DATA packets for export -> Right Click -> Follow > TCP Stream -> Show and save data as Raw
  - To extract files from streams: Follow TCP Stream -> Save stream as raw -> Analyze with exif-tools or change file extension
    Example: frame contains 20210429_152157.jpg” -> Follow TCP Stream -> Save stream as raw -> then analyze with exif-tools or change file extension to view
  - To search for domain names: Statistics -> Search for IP
  - To identify hostnames from DHCP traffic: ip.src==xxx.xxx.xxx.xxx && dhcp -> search for Host Name in the DHCP Options of a DHCP request packet
  - To search for http redirction: http.response.code==301 or search for the http.referer field
  - Helpful Windows
    Conversations
    Protocol Hierarchy
    Endpoints
Resources

PreviousNMAP NextPhishing Analysis

Last updated 1 year ago