How to Read Packet Captures in Wireshark

Master network analysis with our Wireshark Tutorial and Cheat Sheet.

Find immediate value with this powerful open source tool. When everything is up and running, read through the tips and tricks to understand ways to troubleshoot issues, find security issues, and impress your colleagues.

Even a basic understanding of Wireshark usage and filters can be a time saver when you are troubleshooting network or application layer issues on the wire (or WiFi).

Examples to Understand the Power of Wireshark

Wireshark can be useful for many different tasks, whether you are a network engineer, security professional or system administrator. Here are a few example use cases:

Troubleshooting Network Connectivity

  • Visually understand packet loss
  • Review TCP retransmission
  • Graph high latency packet responses

Examination of Application Layer Sessions (even when encrypted by SSL/TLS, see below)

  • View full HTTP session, seeing all headers and data for both requests and responses
  • View Telnet sessions, see passwords, commands entered and responses
  • View SMTP or POP3 traffic, reading emails off the wire

Troubleshoot DHCP issues with packet level data

  • Examine DHCP client broadcast
  • DHCP offer with address and options
  • Client requests for offered address
  • Ack of server acknowledging the request

Extract files from HTTP sessions

  • Export objects from HTTP such as javascript, images, or even executables.

Extract files from SMB sessions

  • Similar to the HTTP export option but able to extract files transferred over SMB, the ever present Microsoft File Sharing protocol.

Detection and Examination of Malware

  • Detect anomalous behaviour that could indicate malware
  • Search for unusual domains or IP address endpoints
  • Use IO graphs to discover regular connections (beacons) to command and control servers
  • Filter out the "normal" and find the unusual
  • Extract large DNS responses and other oddness which may indicate malware

Examination of Port Scans and Other Vulnerability Scan types

  • Understand what network traffic the vulnerability scanner is sending
  • Troubleshoot vulnerability checks to understand false positives and false negatives

These examples only scratch the surface of the possibilities. Continue reading through the tutorial and start getting more from this powerful tool.

Installation of Wireshark

Wireshark will run on a variety of operating systems and is not difficult to get up and running. We will touch on Ubuntu Linux, CentOS and Windows.

Install on Ubuntu or Debian

~# apt-get update
~# apt-get install wireshark tshark

Getting the latest version of Wireshark has a number of benefits. Many new features are released with major updates such as new protocol parsing and other features. There is a PPA available for Ubuntu; add the repository and update packages to ensure you are getting a more recent release.

~# add-apt-repository ppa:wireshark-dev/stable
~# apt-get update

Install on Fedora or CentOS

~# yum install wireshark-gnome

Install on Windows

Head over to the Wireshark Download page, grab the installation executable and run it to install. Pretty straightforward, you will also be installing a packet capture driver. This allows the network card to enter promiscuous mode.

Getting Started with Filters

After running an initial capture you will see the standard layout and the packet details that can be viewed through the interface.

When you have captured an HTTP session, stop the capture and try playing with a few basic filters and the Analyze | Follow | HTTP Stream options.

The filters are easy to read and self-explanatory. You enter these expressions into the filter bar (or on the command line if using tshark). A primary benefit of the filters is to remove the noise (traffic you don't want to see). As seen here, you can filter on MAC address, IP address, subnet or protocol. The easiest filter is to type http into the filter bar. The results will now only show HTTP (tcp port 80) traffic.

IP Address Filter Examples

ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)

Protocol Filter Examples

tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)

Try generating a filter combination that shows all non HTTP and HTTPS traffic leaving your local system that is not destined for the local network. This is a good way to detect software (malware even) that is communicating with the Internet using unusual protocols.
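As an added example (not part of the original tutorial), here is that filter combination implemented outside Wireshark: a small reader for classic pcap files that applies the equivalent of the display filter ip.src == 192.168.0.0/24 and not ip.dst == 192.168.0.0/24 and not tcp.port in {80 443}. The local subnet and the four sample packets are constructed assumptions, not a real capture.

```python
import ipaddress
import struct
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # assumption: the analyst's own LAN
WEB_PORTS = {80, 443}

def build_pcap(packets):
    """Constructed little-endian pcap (Ethernet) from (src, dst, proto, sport, dport) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, DLT_EN10MB
    for src, dst, proto, sport, dport in packets:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16          # only the ports matter here
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4                   # Ethernet hdr, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header + frame
    return out

def iter_packets(pcap):
    """Yield (src, dst, proto, sport, dport) per IPv4 frame; ports are None unless TCP/UDP."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24                                                          # past the global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                                  # skip non-IPv4 (ARP etc.)
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
        proto, sport, dport = frame[23], None, None
        if proto in (6, 17):                                          # TCP or UDP
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield src, dst, proto, sport, dport

def unusual_egress(pcap, local_net=LOCAL_NET):
    """Same as: ip.src in local and not ip.dst in local and not tcp.port in {80 443}."""
    hits = []
    for src, dst, proto, sport, dport in iter_packets(pcap):
        if (src in local_net and dst not in local_net
                and not (proto == 6 and (sport in WEB_PORTS or dport in WEB_PORTS))):
            hits.append((str(src), str(dst), proto, dport))
    return hits

# Constructed sample capture (not a real trace): HTTPS, an odd TCP port, LAN-internal DNS, UDP out.
SAMPLE_PCAP = build_pcap([
    ("192.168.0.5", "203.0.113.9", 6, 51000, 443),
    ("192.168.0.5", "203.0.113.9", 6, 51001, 4444),
    ("192.168.0.5", "192.168.0.1", 17, 5353, 53),
    ("192.168.0.7", "198.51.100.2", 17, 40000, 6881),
])
```

Only the TCP 4444 and UDP 6881 flows survive the filter; in a real capture you would typically also exclude DNS and any other protocols you expect to see leaving the network.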

Follow the White Rabbit Stream

Once you have several packets showing HTTP, select one and then select Analyze | Follow | HTTP Stream from the drop-down menu. This will show you an assembled HTTP session. In this new window, you see the HTTP request from the browser and HTTP response from the web server. Goal! You are now winning at Wireshark. Keep reading our Wireshark Tutorial for more advanced tips.

Wireshark Follow Stream Example Screenshot

Resolve DNS in Wireshark

By default, Wireshark won't resolve the network address that it is displaying in the console, only showing IP addresses. By changing an option in the preferences, you can enable the resolution of IP addresses to network names. This will slow down the display of packets, as it also does when using tcpdump, due to the DNS resolution that has to take place. It is important to understand that if you are doing a live capture, the DNS requests from your Wireshark host will be additional traffic that you might be capturing.

Edit | Preferences | Name Resolution | Enable Network Name Resolution

Tshark for the Command Line

If you haven't had a play with tshark, have a look at our tshark tutorial and filter examples. This program is often overlooked but is a great way to capture application layer sessions on a remote system. The advantage over tcpdump is you can capture and view application layer sessions on the fly, as the protocol decoders included in Wireshark are also available to tshark.

Build Firewall Rules

A quick way to generate command line firewall rules, this can save a few minutes Googling for different firewall syntax. Select a packet, and head up to Tools | Firewall ACL Rules. Different firewall products are supported, such as Cisco IOS (standard and extended), ipfilter, ipfw, iptables, pf and even Windows firewall using netsh.

Wireshark Firewall Rules generator screenshot

Wireshark GeoIP Mapping

As long as Wireshark has been compiled with GeoIP support and you have the free Maxmind databases available, you can resolve IP addresses to locations. Look at About | Wireshark to see what has been compiled with the version you are using. If GeoIP is listed, ensure you have the GeoLite City, Country, and ASNum databases in a directory on your system running Wireshark. Point to the location of the databases in Edit | Preferences | Name Resolution.

Test it by loading a capture and selecting Statistics | Endpoints | IPv4. The columns on the right show the location and ASN information for the IP address.

Wireshark GeoIP example

A further function of the GeoIP feature is to filter traffic based on location using the ip.geoip display filter.

For example, use this filter to exclude traffic from an ASN. ASN 63949 is the Linode block, so the filter now displays only IP traffic not coming from this netblock.

ip and not ip.geoip.asnum == 63949

Of course, you can apply the same filter to city and country based queries. Doing this removes noise from your capture display and allows you to focus on the packets you care about.

Decrypt SSL/TLS sessions

One way of decrypting SSL/TLS sessions is to use the private key from the server that is being connected to by the client. Using this key, you can decrypt the session and view the protocol under the SSL/TLS layer. For example, in a browser session you could see the plain text HTTP.

You are not always going to have access to the server's private key. Hence, there is another option for easily viewing the browser SSL/TLS traffic from your local system. If Firefox or Chrome are loaded using a special environment variable, the individual SSL/TLS session symmetric keys will be logged to a file that Wireshark can read. With these keys, Wireshark can show you the session fully decrypted for the win!

1. Configure the Environment Variable

Linux / Mac

export SSLKEYLOGFILE=~/sslkeylogfile.log

Windows

Under advanced system settings, select Environment Variables and add the variable name SSLKEYLOGFILE with the variable value as the path to where you want the file saved.

2. Configure Wireshark

From the drop-down menu select Edit | Preferences | Protocols | SSL | (Pre)-Master-Secret Log Filename -- Browse to the log file you placed in your environment variable.

Start a capture on your local system.

3. Restart Firefox or Chrome

After browsing to a HTTPS site, the log file should start to increase in size as it logs the symmetric session keys.

Review the Wireshark session previously started. You should see something resembling the image below showing the decrypted sessions. Take note of the decrypted packets in the tab in the bottom pane.

Wireshark Follow SSL Stream Screenshot

Another way to view the session is to use the Analyze drop-down and follow the stream. If the session has successfully been decrypted you will see the option for SSL under Stream.

Analysis | Follow | Stream | SSL

Use caution when logging these keys and pcaps. Someone with access to the key log file and your pcap might very well find your passwords and authentication cookies inside the pcap.
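To make the mechanism behind steps 1 to 3 concrete, here is an added example (not code from the tutorial or from the Wireshark project) of how a key log entry is tied to a captured session: the key log is keyed by the 32-byte Client Random, which also appears in the clear in the ClientHello, so a decryptor matches the two. The ClientHello bytes and the key log text are constructed for the example; the line labels are the ones the NSS key log format uses for TLS 1.2 (CLIENT_RANDOM) and TLS 1.3 (the *_TRAFFIC_SECRET lines).

```python
def build_client_hello(client_random):
    """Constructed minimal TLS record carrying a ClientHello with the given 32-byte random."""
    body = (b"\x03\x03" + client_random        # legacy client_version 0x0303, then random
            + b"\x00"                           # session_id length 0
            + b"\x00\x02\x13\x01"               # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                       # one compression method: null
            + b"\x00\x00")                      # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # handshake record

def client_random_from_hello(record):
    """Return the Client Random bytes if the record is a ClientHello, else None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record (e.g. app data)
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(handshake) < 38 or handshake[0] != 0x01:
        return None                                   # wrong handshake type or truncated
    return handshake[6:38]                            # 4-byte handshake header + 2-byte version

def parse_keylog(text):
    """Index an NSS-format key log: {client_random_hex: {label: secret_hex}}."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 3:
            continue                                  # comment, blank or malformed line
        label, client_random, secret = parts
        keys.setdefault(client_random.lower(), {})[label] = secret.lower()
    return keys

def secrets_for_session(record, keylog_text):
    """Secrets a decryptor could use for this ClientHello's session, or None if not logged."""
    client_random = client_random_from_hello(record)
    if client_random is None:
        return None
    return parse_keylog(keylog_text).get(client_random.hex())

# Constructed key log: one TLS 1.2 session (master secret) and one TLS 1.3 session (traffic secrets).
RANDOM_12 = bytes(range(32))
RANDOM_13 = bytes(range(32, 64))
KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RANDOM_12.hex()} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_13.hex()} {'01' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_13.hex()} {'02' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_13.hex()} {'03' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_13.hex()} {'04' * 32}",
])
```

A ClientHello whose random is absent from the log yields None, which is exactly the "session not decrypted" case you see in Wireshark when the browser was started before the variable was set.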

Another option for getting at the underlying HTTP traffic is using Burp Suite with its CA loaded in your browser. In this case, the proxy decrypts the connection on the client side and then establishes a new SSL/TLS session to the server. There are many ways to man in the middle (mitm) yourself; these are two of the most straightforward.

Extract files from PCAP using Export (HTTP or SMB)

It is quite easy to extract files from a Wireshark capture using the export option.

File | Export Objects | HTTP

The new window will show any files that were found. In this new window you can save the individual files or save them all to a folder. A similar method can be used to extract files from SMB sessions. This is the Microsoft Server Message Block protocol that allows Windows File Sharing.

Screenshot showing the Wireshark export file object Window

Right Hand Status Bar

Quickly jump to packets based on the color of the main display. For instance, to find Red - Errors, see the red line noted in the right hand side status bar and jump to that location with a click.

Wireshark Right Status Bar Screen shot

Sample PCAPs are readily available

If you are getting started with Wireshark and looking for interesting packet captures to explore, the Wireshark Samples page is a great place to start. In fact, there are enough sample protocols to keep you busy for months and several worm / exploit samples for those digging into Network Security Monitoring.

Setting up your Environment

A handy tip is to remember the default console is highly configurable. You may add or remove columns, even adding something as simple as a UTC time column, which might be immediately useful if you are looking at historical pcaps.

The columns can be configured by going to Edit | Preferences | Appearance | Columns. In this area, you can also alter the layout, font, and colors.

This video has good configuration tips for the environment, including troubleshooting tips and configurations for identifying issues through TCP sequence numbers.

capinfos

A handy command line tool that comes packaged with Wireshark is the capinfos binary. This command will produce a summary of a pcap with statistics, start / end times and other details.

Run it as below or use the table option -T to produce tab separated output that can be imported into a spreadsheet or parsed on the command line.

test@ubuntu:~$ capinfos test.pcap
File name:           test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 262144 bytes
Number of packets:   341 k
File size:           449 MB
Data size:           444 MB
Capture duration:    3673.413779 seconds
First packet time:   2018-12-01 11:26:53.521929
Last packet time:    2018-12-01 12:28:06.935708
Data byte rate:      120 kBps
Data bit rate:       967 kbps
Average packet size: 1300.72 bytes
Average packet rate: 93 packets/s
SHA256:              989388128d676c329ccdbdec4ed221ab8ecffad81910a16f473ec2c2f54c5d6e
RIPEMD160:           0742b6bbc79735e57904008d6064cce7eb95abc9
SHA1:                d725b389bea044d6520470c8dab0de1598b01d89
Strict time order:   True
Number of interfaces in file: 1

Wrapping Up

This post was originally published in 2011; it has undergone a major and much needed refresh. Any comments, improvements or tips to add to the Cheat Sheet, drop me a line on the Contact Page. Wireshark is one of those indispensable tools that many use but few really master. The rabbit hole goes deep on this one.


Source: https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/
