
Introduction to Wireshark

Jul 19, 2024

Overview

  • Wireshark: A tool for monitoring network traffic, often used by security professionals and students.
  • Functions as a network traffic analyzer, capturing data packets traveling across various network types like Ethernet, Wi-Fi, Bluetooth.
  • Useful for troubleshooting, learning about network protocols, and diagnosing issues.

Key Features

  • Cross-Platform: Available for Windows, Linux, macOS, Unix.
  • Live Packet Capture: Real-time data capture and insights.
  • Data Analysis: Supports analysis of captures from other tools (tcpdump, WinDump, TShark).
  • Hex Dumps: Imports and analyzes raw data efficiently.
  • Export Data: Exports data in various formats for extended analysis.
  • Detailed Packet Analysis: Provides extensive protocol information, filtering, color-coding, and search functionalities.
  • Statistics and Graphs: Generates graphical representations and statistics from captured data.
  • Decryption: Can decrypt captured traffic when the required keys are available.

Installation

  • Download from the Wireshark website (for Windows and macOS users).
  • Pre-installed in Kali Linux (no separate download needed).
  • Installation instructions and troubleshooting available online or through other resources.

Using Wireshark

Opening Wireshark (Kali Linux)

  1. Go to Applications menu -> Sniffing and Spoofing section -> Click Wireshark.
  2. Alternatively, use the command terminal and type wireshark.

Choosing the Interface

  • Wireshark lists active network interfaces for data capture.
  • Choose the interface that is relevant for your analysis.

Understanding Network Protocols

  • Essential to understand network protocols for effective use of Wireshark.
  • Basics covered in additional videos and resources.

Wireshark Interface

  • Menu Bar: Central command hub for tools and options.
  • Toolbar: Quick access to frequently used functions like starting/stopping captures.
  • Filter Feature: Allows you to narrow focus by specifying criteria (e.g., HTTP traffic).
  • Packet List Pane: Displays captured packets in a list view.
  • Packet Details Pane: Shows detailed information about selected packets.
  • Bytes Pane: Displays raw data within packets in hexadecimal and ASCII.
  • Status Bar: Provides real-time updates and statistics.

Capturing Data and Saving Captures

  1. Open Wireshark and select the appropriate network interface.
  2. Packet List Pane will show activity; if not, ensure network traffic is occurring.
  3. Save captured packets by clicking the save icon and choosing a file name and format (e.g., pcapng).

Filters

Capture Filters vs Display Filters

  • Capture Filters: Applied while capturing; only matching packets are recorded and the rest are never stored (conserves resources, but discarded packets cannot be recovered later).
  • Display Filters: Applied after capture; hide non-matching packets from view without removing them from the capture file (all captured data is kept).

Common Filters

  • TCP: tcp
  • UDP: udp
  • HTTP: http
  • IP Address: ip.addr == 192.168.1.1
  • MAC Address: eth.addr == 00:11:22:33:44:55
  • Ports: tcp.port == 80 or udp.port == 53
  • Logical Operators: and, or, not
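As an added example (not part of the original notes), here is a small Python evaluator for the display-filter subset listed above, run against constructed packet records. It demonstrates the point newcomers most often miss: ip.addr, eth.addr, tcp.port and udp.port are combined fields that match either the source or the destination, so ip.addr == 192.168.1.1 keeps both directions of a conversation, and ip.addr != 192.168.1.1 keeps only packets that involve that address in neither direction. Capture filters use a different (BPF) syntax and are not modelled here; the field names, packet records and the DisplayFilter/apply_filter helpers are all constructed for this example.

```python
"""Evaluate a subset of Wireshark display-filter syntax against packet records.
Added example on constructed records; it models the filters listed above
(protocol names, field == value, and/or/not, parentheses) and the detail that
ip.addr, eth.addr, tcp.port and udp.port match either direction of a packet."""
import re

# Constructed packets: the fields a dissector would expose for each frame
PACKETS = [
    {"no": 1, "eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb", "ip.src": "192.168.1.1",
     "ip.dst": "192.168.1.20", "tcp.srcport": 80, "tcp.dstport": 51000, "http": True},
    {"no": 2, "eth.src": "66:77:88:99:aa:bb", "eth.dst": "00:11:22:33:44:55", "ip.src": "192.168.1.20",
     "ip.dst": "192.168.1.1", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"no": 3, "eth.src": "66:77:88:99:aa:bb", "eth.dst": "cc:dd:ee:ff:00:11", "ip.src": "192.168.1.20",
     "ip.dst": "192.168.1.53", "udp.srcport": 40123, "udp.dstport": 53, "dns": True},
    {"no": 4, "eth.src": "cc:dd:ee:ff:00:11", "eth.dst": "66:77:88:99:aa:bb", "ip.src": "192.168.1.53",
     "ip.dst": "192.168.1.20", "udp.srcport": 53, "udp.dstport": 40123, "dns": True},
]

# Combined fields expand to the directional fields they cover
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
PROTOCOLS = {"eth", "ip", "tcp", "udp", "http", "dns"}


class DisplayFilter:
    """Recursive-descent parser: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | field ('==' | '!=') value | protocol."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|==|!=|[^\s()=!]+", expr)
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok == "not":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if self._peek() in ("==", "!="):
            op, value = self._take(), self._take()
            if value is None:
                raise ValueError(f"missing value after {tok} {op}")
            return ("cmp", tok, op, value)
        if tok in PROTOCOLS:
            return ("proto", tok)
        raise ValueError(f"unknown field or protocol {tok!r}")

    def matches(self, pkt):
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "proto":  # protocol is present if the packet carries any of its fields
            return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
        _, field, op, value = node
        present = [str(pkt[f]).lower() for f in COMBINED.get(field, (field,)) if f in pkt]
        hit = value.lower() in present
        return hit if op == "==" else not hit  # '!=' is !(==), as in Wireshark 3.6 and later


def apply_filter(expr, packets=PACKETS):
    """Packet numbers that would remain visible in the Packet List pane."""
    flt = DisplayFilter(expr)
    return [p["no"] for p in packets if flt.matches(p)]
```

With the sample records, apply_filter("tcp.port == 80 or udp.port == 53") returns [1, 2, 3, 4], while "tcp and not http" returns [2], the bare ACK segment that carries no HTTP data; "ip.addr != 192.168.1.1" returns [3, 4] rather than every packet with at least one other address.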

Colorization

  • Assists in distinguishing different types of traffic using colors.
  • Default rules exist; custom rules can be created via View -> Coloring Rules.

Profiles

  • Store specific configurations for different analysis scenarios.
  • Easily switch between profiles for different tasks.

Statistics Tools

Capture File Properties

  • Shows detailed information about captured packets, hardware, software, and overall capture stats.

Protocol Hierarchy

  • Overview of protocol distribution and traffic statistics.
  • Helpful for spotting unusual activities.

Conversations and Endpoints

  • Conversations: Shows details about communication between devices such as packet counts and data transferred.
  • Endpoints: Lists devices sharing data, helping identify high-traffic devices and potential issues.
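To make the Statistics menu concrete, the following added Python example (not from the original notes or the Wireshark project) builds a small classic pcap file in memory, parses it with the standard library, and derives the same kinds of tables described under Capture File Properties, Protocol Hierarchy, and Conversations and Endpoints. The capture, IP addresses and MAC addresses are constructed; the parser handles Ethernet/IPv4 with TCP and UDP only, and labels port 80 data as HTTP and port 53 as DNS purely by port number, which is a simplification of Wireshark's dissectors. All function names are this example's own.

```python
"""Parse a classic (libpcap) capture and derive the summaries Wireshark shows
under Statistics: capture properties, protocol hierarchy, conversations and
endpoints. Added example on a constructed capture; standard library only."""
import socket
import struct
from collections import Counter, defaultdict

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header, checksum left 0 (the dissector below does not verify it)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload
def _tcp(sport, dport, flags, payload=b""):
    # Data offset 5 words (20-byte header), flag bits in the low byte
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload
def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _ether(src_mac, dst_mac, payload):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + payload

def build_sample_pcap():
    """Constructed capture: one DNS query/response, then a short HTTP exchange."""
    client, server, resolver = "10.0.0.5", "203.0.113.10", "10.0.0.1"
    mc, mg = "0a0000000005", "0a0000000001"  # client MAC, gateway MAC (constructed)
    frames = [
        (0.000, _ether(mc, mg, _ipv4(client, resolver, 17, _udp(51000, 53, b"\x00" * 29)))),
        (0.012, _ether(mg, mc, _ipv4(resolver, client, 17, _udp(53, 51000, b"\x00" * 45)))),
        (0.020, _ether(mc, mg, _ipv4(client, server, 6, _tcp(40000, 80, 0x02)))),  # SYN
        (0.045, _ether(mg, mc, _ipv4(server, client, 6, _tcp(80, 40000, 0x12)))),  # SYN-ACK
        (0.046, _ether(mc, mg, _ipv4(client, server, 6, _tcp(40000, 80, 0x10)))),  # ACK
        (0.050, _ether(mc, mg, _ipv4(client, server, 6, _tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n")))),
        (0.110, _ether(mg, mc, _ipv4(server, client, 6,
                                      _tcp(80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 400)))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return one dict per packet with ts, len, layers, src, dst, sport, dport."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        packets.append(_dissect(sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return packets

def _dissect(ts, frame):
    rec = {"ts": ts, "len": len(frame), "src": None, "dst": None, "sport": None, "dport": None}
    rec["layers"] = layers = ["eth"]
    if struct.unpack_from("!H", frame, 12)[0] == 0x0800:  # IPv4
        layers.append("ip")
        l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
        rec["src"], rec["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if proto in (6, 17):
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
        if proto == 6:
            layers.append("tcp")
            data_at = l4 + (frame[l4 + 12] >> 4) * 4
            if 80 in (rec["sport"], rec["dport"]) and len(frame) > data_at:
                layers.append("http")  # only segments that actually carry data
        elif proto == 17:
            layers.append("udp")
            if 53 in (rec["sport"], rec["dport"]):
                layers.append("dns")
    return rec

def capture_properties(packets):
    ts = [p["ts"] for p in packets]
    return {"packets": len(packets), "bytes": sum(p["len"] for p in packets),
            "duration": round(max(ts) - min(ts), 6)}

def protocol_hierarchy(packets):
    """A packet counts once for every prefix of its layer path, like Wireshark's tree."""
    counts = Counter()
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            counts["/".join(p["layers"][:depth])] += 1
    return dict(counts)

def traffic_tables(packets):
    """Conversations (unordered ip:port pair, both directions merged) and endpoints (per IP)."""
    convs, ends = defaultdict(Counter), defaultdict(Counter)
    for p in packets:
        if p["sport"] is not None:
            key = tuple(sorted((f"{p['src']}:{p['sport']}", f"{p['dst']}:{p['dport']}")))
            convs[key].update(packets=1, bytes=p["len"])
        for ip in filter(None, (p["src"], p["dst"])):
            ends[ip].update(packets=1, bytes=p["len"])
    return dict(convs), dict(ends)
```

parse_pcap(build_sample_pcap()) yields seven packets. protocol_hierarchy counts a packet once for every protocol layer it contains, so eth/ip/tcp is 5 while eth/ip/tcp/http is 2, because the three handshake segments carry no data; traffic_tables merges both directions into one conversation row, as Wireshark's Conversations window does, and its endpoint table shows the client as the top talker.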

IO Graphs

  • Visualize traffic patterns over time.
  • Can focus on specific traffic types (e.g., UDP vs TCP).

Analyzing TCP/UDP

TCP 3-Way Handshake

  • Steps: SYN -> SYN-ACK -> ACK.
  • Ensures reliable connection setup.
  • View in Wireshark to troubleshoot connection issues.

Follow TCP/HTTP/UDP Stream

  • Reassembles both directions of a stream so plain-text protocols can be read as a single conversation.
  • Useful for troubleshooting and understanding sequences of communication.

RST Packets

  • Indicate a closed or non-responsive port/socket.
  • Common in scenarios like port scans or connection failures.

Filtering and Profiling TCP Issues

  • Identify latency, packet loss, and unusual patterns using packet timestamps and TCP sequence numbers.
  • Addressing security concerns and performance issues.
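The three points above (the handshake steps, RST replies, and using time information to profile connections) come together in this added Python example, which is not code from the original notes. It walks constructed packet records, tracks each connection through SYN, SYN-ACK and ACK, measures the SYN to SYN-ACK delay, and reports a source whose SYNs were refused on several distinct ports, the many-RSTs pattern the notes associate with port scans and connection failures. The flag constants, addresses, ports and timings are constructed, and the function names are this example's own.

```python
"""Track TCP connection setup from packet records the way you would by eye in
Wireshark: SYN -> SYN-ACK -> ACK completes the handshake, a SYN answered by RST
means the port refused, and an unanswered SYN suggests filtering or loss. The
SYN -> SYN-ACK gap is the simplest latency figure for profiling delays.
Added example on constructed records, not code from the original notes."""
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed records: (time_s, src_ip, dst_ip, src_port, dst_port, tcp_flags)
PACKETS = [
    (0.000, "10.0.0.5", "203.0.113.10", 40000, 80, SYN),
    (0.025, "203.0.113.10", "10.0.0.5", 80, 40000, SYN | ACK),
    (0.026, "10.0.0.5", "203.0.113.10", 40000, 80, ACK),
    (1.000, "10.0.0.9", "10.0.0.20", 50001, 22, SYN),
    (1.001, "10.0.0.20", "10.0.0.9", 22, 50001, RST | ACK),
    (1.002, "10.0.0.9", "10.0.0.20", 50002, 23, SYN),
    (1.003, "10.0.0.20", "10.0.0.9", 23, 50002, RST | ACK),
    (1.004, "10.0.0.9", "10.0.0.20", 50003, 3389, SYN),
    (1.005, "10.0.0.20", "10.0.0.9", 3389, 50003, RST | ACK),
    (2.000, "10.0.0.5", "203.0.113.10", 40001, 443, SYN),  # never answered
]


def analyze_connections(packets):
    """State per connection, keyed (client, server, client_port, server_port)."""
    conns = {}
    for ts, src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags & SYN and not flags & ACK:  # client opens (or retries)
            conns[fwd] = {"state": "syn_sent", "syn_ts": ts, "rtt_ms": None}
        elif rev in conns and conns[rev]["state"] == "syn_sent":  # server's reply
            if flags & RST:
                conns[rev]["state"] = "refused"
            elif flags & SYN and flags & ACK:
                conns[rev]["state"] = "syn_received"
                conns[rev]["rtt_ms"] = round((ts - conns[rev]["syn_ts"]) * 1000, 3)
        elif fwd in conns and conns[fwd]["state"] == "syn_received" and flags & ACK:
            conns[fwd]["state"] = "established"  # third step of the handshake
    return conns


def summarize(conns):
    """Counts per outcome plus the slowest handshake, for a quick health check."""
    label = {"established": "established", "refused": "refused", "syn_sent": "unanswered"}
    out = {"established": 0, "refused": 0, "unanswered": 0, "incomplete": 0, "max_rtt_ms": None}
    for c in conns.values():
        out[label.get(c["state"], "incomplete")] += 1
    rtts = [c["rtt_ms"] for c in conns.values() if c["rtt_ms"] is not None]
    out["max_rtt_ms"] = max(rtts) if rtts else None
    return out


def refused_ports_by_source(conns, threshold=3):
    """(client, server) pairs refused on at least `threshold` distinct ports: the
    many-RSTs pattern the notes associate with port scans, worth a closer look."""
    ports = defaultdict(set)
    for (client, server, _cp, sp), c in conns.items():
        if c["state"] == "refused":
            ports[(client, server)].add(sp)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}
```

On the sample records, summarize reports one established connection (25 ms handshake), three refused and one unanswered, and refused_ports_by_source singles out the 10.0.0.9 to 10.0.0.20 pair on ports 22, 23 and 3389; in Wireshark the same picture comes from filtering on tcp.flags.reset and reading the time column against the matching SYNs.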

UDP Analysis

  • Connectionless and faster than TCP, but without TCP's reliability guarantees.
  • Common in protocols like DNS, DHCP.
  • Real-time data transfer without guaranteed delivery.

Conclusion

  • Continuously update knowledge through resources like videos, books, and other learning materials.
  • Deep dive into specific protocols and features based on your requirements.