Uses of Wireshark:
Wireshark can capture packets from our Wi-Fi network and let us examine the contents of these
packets.
Filtering the ARP packets
The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3
(protocol) and a layer 2 (hardware) address. A typical use is the mapping of an IP address (e.g.,
192.168.0.10) to the underlying Ethernet address (e.g., 01:02:03:04:05:06). You will often see ARP
packets at the beginning of a conversation, as ARP is the way these addresses are discovered.
The data flow diagram shows the relation between the source and the destination along with the entire
three-way handshake acknowledgement process.
Colour Rules for Wireshark
The packets captured are displayed with the following colour code based on the protocol:
Step 1: Open the Wireshark application and start capturing packets through the Wi-Fi network.
Step 2: Open the browser and browse through any insecure website that contains images.
Here we will be using dalberghetti.com and danscourses.com for this purpose. Once the websites
open up in the browser, we scroll through the entire sites in order to receive packets containing
images.
Step 3: Once we have browsed through the websites, we will go to the Wireshark application and
stop capturing the packets.
Step 4: After the packets have been captured, filter the captured data by using the filter tab. The
data needs to be filtered in order to view only those packets that are captured through the “http”
protocol.
Step 5: Once the packets are filtered by the “http” protocol, we need to scroll down the list and
look for file types such as JPEG, GIF, or PNG. Once we find a packet with any of these extensions
(JPEG here), we select that packet by clicking on it.
Step 6: After selecting that particular packet, we will go to the second window area and right click
on Hypertext Transfer Protocol. Next, we select the Export Packet Bytes from the pop-up menu.
Step 7: We export the Packet Bytes and save it with “.jpg” extension.
Step 8: Next, we scroll down the packet list and find all the packets having these extensions and
export them to our desktop by repeating steps 6 and 7. Here, after going through the list, we are
able to export 3 images.
Step 9: On opening these images, we are able to see the images that the user browsed through
while operating the insecure website. Below is an example of an image we can rebuild from the
captured packets.
CONCLUSION:
We can conclude by saying that if someone had access to our network and was listening to the
packet activity on the network, they could easily pull the images and the information we have been
viewing using the Wireshark application. However, this is not possible in the case of a secure website that
encrypts the data that is sent via these packets.
Date: 24/08/2021 LAB CLASS 4
WIRESHARK FILTERS
In this activity, we will try various filters that can be applied to view the captured packets in Wireshark
according to our needs. Firstly, we will open the Wireshark software and start capturing packets
through the Wi-Fi. Next, we are going to browse through any insecure website in order to capture
packets. After capturing the packets, we can filter and view the packets by typing our filter query in
the “Apply a display filter” bar.
1. Filter traffic on specific IP address
This will display all traffic for the IP entered, source or destination.
ip.addr == 239.255.255.250
2. Filter by source address
This will only show traffic where the source IP address is the given IP address.
ip.src == 52.112.41.185
3. Filter by destination address
4. Filter by IP subnet
Displays all traffic for the entered subnet; this will match on source or destination. Use CIDR format
for the subnet display filter.
ip.addr == 192.168.29.1/24
If you want to filter on an IP source subnet, use ip.src==subnet.
If you want to filter on IP destination subnet, use ip.dst==subnet.
5. Filter traffic based on protocol
To filter for a specific protocol, just type in the name of the protocol. For example, to display all DNS
traffic, just type DNS in the filter box.
dns
arp
http
icmp
6. Exclude IP address
If you want to filter out an IP address so it’s not displayed, use this filter.
!ip.addr == 192.168.29.1
This first one will show only traffic between the two subnets.
Use this filter if you only want to see traffic for a specific MAC address.
eth.addr == 68:14:01:a0:7b:22
9. Filter on TCP port
tcp.port == 443
tcp.srcport == 443
Or filter on the TCP destination port.
tcp.dstport == 443
It’s a good idea to understand what user agents are being used on your network, since malicious traffic can
often use unusual agent strings. To search for a user agent we can use this.
We can replace Chrome with the user agent string we want to search for.
We can also filter multiple user agents in a single query.
There are several protocols that can be very noisy; it sometimes helps to filter these out so you can
focus on other traffic.
We can use this if we want to see traffic from a certain IP on a specific port.
We can use this filter to view only the HTTP GET requests.
http.request
14. Filter for HTTP request and response
We can use this filter to view the HTTP requests together with their responses.
http.request or http.response
The three-way handshake is often used to calculate the network round-trip time. This filter will
display all the SYN, SYN-ACK and ACK packets that should match the three-way handshake.
This filter is used to see if the user has downloaded any .exe or .pdf file types. We can replace “pdf”
with any file extension that we want to filter for.
frame contains "pdf"
This displays all TCP packets that contain the word Facebook. Just replace the word with what you
want to search for.
tcp contains facebook
The only problem with the above filter is it’s limited to TCP packets only. To include all protocols, we
use this filter.
frame contains facebook
DDoS attacks can be done in a variety of ways; a large number of TCP connections is one of them. To
look for a large number of TCP connection attempts, we use this filter.
tcp.flags.syn == 1 and tcp.flags.ack == 0
This will filter for the start of new TCP connections. If we see constant new connections to the same
destination IP, it could be a SYN or DDoS attack.
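As an added example that is not part of the lab notes, the check behind the filter above, written out in Python: the same SYN-without-ACK test as tcp.flags.syn == 1 and tcp.flags.ack == 0, scoped to our subnet with the CIDR matching of ip.addr == 192.168.29.1/24 (filter 4), and counted per destination so a burst of bare SYNs to one host stands out. The packet records and the threshold of 10 are constructed for the example; in practice the records would come from a capture.

```python
"""Constructed example: count TCP connection attempts per destination, as the
Wireshark filter 'tcp.flags.syn == 1 and tcp.flags.ack == 0' does, to spot a
possible SYN flood. Not code from the lab notes; the sample packets are made up."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TcpPacket:
    src: str      # source IP address
    dst: str      # destination IP address
    dstport: int  # tcp.dstport
    syn: bool     # tcp.flags.syn
    ack: bool     # tcp.flags.ack


def is_new_connection(pkt: TcpPacket) -> bool:
    """Same test as the display filter: SYN set and ACK clear (first handshake step)."""
    return pkt.syn and not pkt.ack


def in_subnet(addr: str, cidr: str) -> bool:
    """Same test as ip.addr == <subnet>. strict=False accepts a host address with
    a prefix length, e.g. 192.168.29.1/24 as written in the notes, like Wireshark does."""
    return ip_address(addr) in ip_network(cidr, strict=False)


def syn_attempts_per_destination(packets, local_cidr: str) -> Counter:
    """Count bare SYNs per (destination IP, destination port) inside our subnet."""
    counts = Counter()
    for p in packets:
        if is_new_connection(p) and in_subnet(p.dst, local_cidr):
            counts[(p.dst, p.dstport)] += 1
    return counts


def suspicious_destinations(packets, local_cidr: str, threshold: int) -> dict:
    """Destinations that received at least `threshold` connection attempts (constructed cut-off)."""
    counts = syn_attempts_per_destination(packets, local_cidr)
    return {dest: n for dest, n in counts.items() if n >= threshold}


# Constructed sample: one normal handshake to .1:443, then 20 bare SYNs from
# different sources to .20:80, the pattern the notes describe as a possible SYN/DDoS attack.
SAMPLE = [
    TcpPacket("192.168.29.5", "192.168.29.1", 443, syn=True, ack=False),
    TcpPacket("192.168.29.1", "192.168.29.5", 52000, syn=True, ack=True),   # SYN-ACK
    TcpPacket("192.168.29.5", "192.168.29.1", 443, syn=False, ack=True),    # ACK
] + [TcpPacket(f"10.0.0.{i}", "192.168.29.20", 80, syn=True, ack=False) for i in range(1, 21)]

if __name__ == "__main__":
    print(suspicious_destinations(SAMPLE, "192.168.29.1/24", threshold=10))
```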