Wireshark Lecture Notes

Jul 18, 2024

Introduction

  • Wireshark Overview: A powerful tool for capturing and analyzing network traffic.
    • Purpose: Observing the data flowing across a network to understand its behavior.
    • Use Cases: Used in hacking, network troubleshooting, and learning network protocols.

Getting Started with Wireshark

  • Compatibility: Works on Windows, Linux, macOS, Unix.
  • Core Functions:
    • Live packet capture.
    • Analyze captures produced by other tools such as tcpdump and WinDump.
    • Import and analyze hex dumps.
    • Export data in various formats.
    • Detailed packet analysis.
    • Create statistics and graphs.
    • Decrypt encrypted traffic (for example TLS) when the necessary keys are supplied.

Installing Wireshark

  • Downloading for Windows/Mac: Download the installer from the Wireshark website and follow its steps.
  • Kali Linux: Wireshark comes pre-installed.
  • Running Wireshark on Kali Linux:
    • Go to the Applications menu -> Sniffing and Spoofing section -> Wireshark.
    • Alternatively, use the terminal command wireshark.

Interface Overview

  • Menu Bar: Central Command Center for tools and options.
  • Toolbar: Quick access to common tools (e.g., stopping or restarting captures).
  • Filter Bar: Type specific criteria to filter captured packets.
  • Packet List Pane: Displays captured packets.
  • Packet Details Pane: Shows details like packet's origin, destination, and protocols.
  • Bytes Pane: Reveals actual data within packets in hexadecimal form.
  • Status Bar: Provides real-time updates, total packets captured, duration, etc.

Capturing and Saving Packets

  1. Choosing the Interface:
    • List of interfaces shown; pick the relevant one.
  2. Starting Capture: Start the capture, then generate traffic (for example by browsing) to see packets appear.
  3. Saving Captures:
    • Click on the save icon, choose a file name.
    • Default file format is pcapng; other options available.

Filtering Options

  • Types of Filters:
    • Capture Filters: Applied while capturing, using tcpdump/BPF syntax (e.g., tcp port 80); packets that do not match are never recorded, so they cannot be recovered later.
    • Display Filters: Applied to an existing capture, using Wireshark's own field syntax (e.g., tcp.port == 80); non-matching packets are hidden but remain in the file.

Common Filters

  • TCP Traffic: tcp
  • UDP Traffic: udp
  • HTTP Traffic: http
  • IP Address Filtering: ip.addr == 192.168.1.1
  • MAC Address Filtering: eth.addr == <MAC Address>
  • Port Filtering:
    • HTTP: tcp.port == 80
    • DNS: udp.port == 53
  • Logical Operators:
    • AND: tcp.port == 80 && ip.addr == 192.168.1.2
    • OR: tcp.port == 443 || tcp.port == 80
    • NOT: !ip.addr == 192.168.1.100
  • Caveat: ip.addr, tcp.port, and eth.addr each match either endpoint of a packet (source or destination). In older Wireshark versions, ip.addr != 192.168.1.100 does not exclude that host, because a packet matches as soon as one of its two addresses differs; the negated form above excludes it in every version.
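The following is an added example, not code from the notes or from the Wireshark project: a small Python evaluator for the subset of display-filter syntax used above (protocol presence, ==, !=, !, &&, ||, parentheses). Packets are constructed dicts in which two-sided fields such as ip.addr and tcp.port carry both endpoint values, which is what makes !ip.addr == X and ip.addr != X behave differently. The != semantics implemented here ("any value differs") are the classic ones the caveat above describes; && is given higher precedence than || in this toy, so use parentheses in real filters whenever the intent is not obvious.

```python
"""Evaluator for a small subset of Wireshark display-filter syntax.

Added example for these notes; it is not Wireshark code. A packet is a dict
mapping each field name to the list of values that field has in the packet,
so a two-sided field such as ip.addr holds [source, destination], and a
protocol name maps to [True] when the protocol is present.
"""
import re

# one token per match: parentheses, &&, ||, !=, ==, !, or a field/value word
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||!=|==|!|[A-Za-z0-9_.:]+)")
OPERATORS = {"(", ")", "&&", "||", "==", "!=", "!"}


def tokenize(text):
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter at: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: or -> and -> unary -> comparison / existence."""

    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_unary())
        return node

    def parse_unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_unary())   # ! applies to the whole comparison
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        field = self.take()
        if field in OPERATORS:
            raise ValueError(f"expected a field name, got {field!r}")
        if self.peek() in ("==", "!="):
            op = self.take()
            return (op, field, self.take())
        return ("exists", field)                 # bare protocol/field name


def evaluate(node, packet):
    kind = node[0]
    if kind == "exists":
        return bool(packet.get(node[1]))
    if kind == "==":   # true if ANY value of the field equals the literal
        return node[2] in packet.get(node[1], [])
    if kind == "!=":   # classic semantics: true if ANY value differs
        return any(v != node[2] for v in packet.get(node[1], []))
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    return evaluate(node[1], packet) or evaluate(node[2], packet)


def apply_filter(text, packets):
    node = Parser(text).parse()
    return [p for p in packets if evaluate(node, p)]


def packet(src, dst, proto, sport, dport):
    """Build a constructed packet record in the shape the evaluator expects."""
    return {"ip": [True], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
            proto: [True], f"{proto}.srcport": [str(sport)],
            f"{proto}.dstport": [str(dport)], f"{proto}.port": [str(sport), str(dport)]}


# constructed sample traffic (not a real capture)
SAMPLE = [
    packet("192.168.1.2", "93.184.216.34", "tcp", 51000, 80),
    packet("192.168.1.2", "192.168.1.1", "udp", 51001, 53),
    packet("192.168.1.100", "192.168.1.2", "tcp", 443, 51002),
    packet("10.0.0.5", "10.0.0.9", "tcp", 22, 40000),
]

if __name__ == "__main__":
    for flt in ("!ip.addr == 192.168.1.100", "ip.addr != 192.168.1.100"):
        print(f"{flt:32} matches {len(apply_filter(flt, SAMPLE))} of {len(SAMPLE)}")
```

Running it shows the difference the caveat describes: the negated comparison drops the packet involving 192.168.1.100, while the != form still matches it because its other address differs.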

Colorizing Traffic

  • Purpose: Differentiate traffic types for better visibility.
  • Default Color Rules: Available for various protocols.
  • Custom Color Rules: Can create and specify colors for custom filters.

Profiles in Wireshark

  • Purpose: Save personalized setups.
  • Components: Capture filters, display filters, protocol preferences, etc.
  • Creating Profiles:
    • Right-click profile column in status bar -> New -> Name it.

Statistics & Graphs

  • Capture File Properties: Metadata, capturing details, statistics.
  • Protocol Hierarchy: Overview of protocol distribution.
  • Conversations & Endpoints Windows:
    • Conversation window: Details about packets exchanged.
    • Endpoints window: Info about devices communicating.
  • Packet Length: Size of packets, useful for identifying anomalies.
  • IO Graphs: Visual representation of network traffic over time.
  • Service Response Time: Measure time for services/protocols to respond.
  • Flow Graphs: Visual summary of traffic flow between endpoints.
  • TCP Stream Graphs: Detailed packet-by-packet view over time.

UDP Multicast Streams

  • Use: Efficiently send one copy of the data to multiple receiving devices.
  • Analysis: Check how multicast communication occurs and troubleshoot.

Other Protocols

  • Various Protocol Stats: e.g., HTTP, DHCP, DNS, etc.

Advanced Features

  • Follow TCP/UDP Streams:
    • Right-click a packet -> Follow -> choose stream type (HTTP, TCP, UDP).
    • View detailed communication between client and server.
    • Save or filter the stream's content.

Troubleshooting

  • RST Packets: Indicate unsuccessful connection attempts or abruptly terminated connections.
  • Latency Issues: Large time gaps between a request and its response point to potential latency problems.
  • Port Scans: Recognizable by numerous RST packets, since closed ports answer connection attempts with a reset.

Protocol Analysis

  • TCP 3-Way Handshake: SYN, SYN-ACK, ACK packets.
  • UDP Analysis: No handshake or retransmission, so it favors efficiency and real-time data delivery over reliability.
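Added example covering both the Troubleshooting notes (RST packets, latency gaps, port scans) and the TCP 3-way handshake above; it is not from the notes or from the Wireshark/tshark projects. The script walks packet records in the shape of tshark -T fields -E separator=| output with the real fields frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.flags (the sample lines are constructed, not captured), tracks each handshake through SYN, SYN-ACK and ACK, measures the SYN-to-SYN-ACK gap as a latency signal, and flags a source that collects RSTs from many distinct ports as a suspected scan. The thresholds are arbitrary choices for the example.

```python
"""Handshake tracking and RST/scan triage over tshark-style field records.

Added example for these notes; not Wireshark or tshark code. Each input line
mimics `tshark -T fields -E separator=|` output with the fields
frame.time_relative|ip.src|ip.dst|tcp.srcport|tcp.dstport|tcp.flags.
"""
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10   # bits of tcp.flags

# constructed sample (not a real capture): one completed handshake to port 80,
# one refused connection to 8080, and 10.0.0.77 probing four closed ports
SAMPLE_LINES = """\
0.000|192.168.1.2|10.0.0.9|51000|80|0x0002
0.120|10.0.0.9|192.168.1.2|80|51000|0x0012
0.121|192.168.1.2|10.0.0.9|51000|80|0x0010
0.500|192.168.1.2|10.0.0.9|51001|8080|0x0002
0.501|10.0.0.9|192.168.1.2|8080|51001|0x0014
2.000|10.0.0.77|10.0.0.9|40000|21|0x0002
2.001|10.0.0.9|10.0.0.77|21|40000|0x0014
2.002|10.0.0.77|10.0.0.9|40001|23|0x0002
2.003|10.0.0.9|10.0.0.77|23|40001|0x0014
2.004|10.0.0.77|10.0.0.9|40002|25|0x0002
2.005|10.0.0.9|10.0.0.77|25|40002|0x0014
2.006|10.0.0.77|10.0.0.9|40003|110|0x0002
2.007|10.0.0.9|10.0.0.77|110|40003|0x0014
"""


def parse_lines(text):
    """Turn pipe-separated tshark field lines into typed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split("|")
        records.append({"time": float(t), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport),
                        "flags": int(flags, 16)})
    return records


def analyze(records, scan_threshold=3, slow_ms=100.0):
    """Track 3-way handshakes keyed by (client, cport, server, sport).

    Returns completed handshakes, RST-refused attempts, SYN->SYN-ACK time in
    ms, handshakes slower than slow_ms, and clients that received RSTs from at
    least scan_threshold distinct (server, port) pairs. A retransmitted SYN
    simply restarts the entry for its 4-tuple.
    """
    hs = {}
    refused_by = defaultdict(set)
    for r in records:
        f = r["flags"]
        client_key = (r["src"], r["sport"], r["dst"], r["dport"])  # client -> server
        server_key = (r["dst"], r["dport"], r["src"], r["sport"])  # server -> client
        if f & SYN and not f & ACK:                            # step 1: SYN
            hs[client_key] = {"syn": r["time"], "synack": None,
                              "done": False, "rst": False}
        elif server_key in hs and f & RST:                     # server resets
            hs[server_key]["rst"] = True
            refused_by[r["dst"]].add((r["src"], r["sport"]))
        elif server_key in hs and f & SYN and f & ACK:         # step 2: SYN-ACK
            hs[server_key]["synack"] = r["time"]
        elif client_key in hs and f & ACK and hs[client_key]["synack"] is not None:
            hs[client_key]["done"] = True                      # step 3: ACK
    rtt = {k: round((s["synack"] - s["syn"]) * 1000, 3)
           for k, s in hs.items() if s["synack"] is not None}
    return {
        "completed": [k for k, s in hs.items() if s["done"]],
        "refused": [k for k, s in hs.items() if s["rst"]],
        "handshake_rtt_ms": rtt,
        "slow_handshakes": [k for k, ms in rtt.items() if ms > slow_ms],
        "suspected_scanners": sorted(c for c, ports in refused_by.items()
                                     if len(ports) >= scan_threshold),
    }


if __name__ == "__main__":
    result = analyze(parse_lines(SAMPLE_LINES))
    for name, value in result.items():
        print(f"{name}: {value}")
```

To feed it real data, export the same six fields from a capture with tshark -T fields -E separator=| and pass the text to parse_lines; the scan heuristic is deliberately simple (distinct RST-answered ports per client) and would need tuning against normal traffic before use in a detection rule.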

Real-World Scenarios

  • DHCP Communication: Device IP assignment.
  • DNS Traffic: Resolves domain names to IP addresses.

Exploring More

  • Additional Learning:
    • Continue with books, video tutorials, etc.

Conclusion

  • Practice and Exploration: Crucial for mastering Wireshark.
  • Further Topics: Potential for future videos on more protocols and tools.