
Wireshark

Getting Started with Wireshark


Once you open Wireshark, you can see that the screen is divided into several parts:
1- Part 1: contains shortcuts to all the pcap files that have recently been opened or captured.
a. A pcap file is a data file, created by a capture program, that contains the packet data of a
network; it is used to analyze the network's characteristics.
2- Part 2: lists all the interfaces available on your machine, such as the VPN interface, virtual
machine interfaces, Docker interfaces, etc.
3- Part 3: the control bar, where you can find all the tools and features that help you capture or
analyze packets.
Start Capturing
In order to start capturing, we need to select the interface whose traffic we want to capture and then
click the blue button in the control bar. After you click the button, the program takes you to a new
view that is also divided into 3 subparts.
- Part 1: lists information about every packet transferred since you started capturing, including:
o A number for each packet
o The time in seconds, measured from the start of the capture, at which the packet was captured.
o The source and destination IP addresses of the packet.
o The protocol used in this packet and the raw payload of the packet.
- Part 2: shows the packet's data broken down by network layer (OSI model).
- Part 3: shows the packet bytes in hexadecimal representation.
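As an added illustration that is not part of these notes, the Python below builds a tiny pcap file in memory from constructed packets and reads it back into the columns of Part 1 (number, time since the start of the capture, source, destination, protocol); the last function reproduces the effect of the ip.addr == display filter. All addresses, timestamps and payloads are made up, and the parser only handles little-endian Ethernet pcap files with IPv4 frames.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ipv4_frame(src, dst, proto, payload=b""):
    """Minimal Ethernet + IPv4 frame (constructed: MACs and checksum are zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"   # dst MAC, src MAC, EtherType = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def write_pcap(records):
    """Serialize (timestamp, frame) pairs: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def packet_list(pcap):
    """Rows of (No., Time since first packet, Source, Destination, Protocol) for IPv4 packets."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    rows, off, first = [], 24, None
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ts = sec + usec / 1e6
        first = ts if first is None else first
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        src = ".".join(str(b) for b in frame[26:30])        # IPv4 header starts at byte 14
        dst = ".".join(str(b) for b in frame[30:34])
        proto = PROTO_NAMES.get(frame[23], str(frame[23]))
        rows.append((len(rows) + 1, round(ts - first, 6), src, dst, proto))
    return rows

def ip_addr_filter(rows, addr):
    """Same effect as the display filter `ip.addr == addr`: addr is source or destination."""
    return [r for r in rows if addr in (r[2], r[3])]

SAMPLE_PCAP = write_pcap([  # constructed sample: a UDP exchange plus one TCP packet
    (1700000000.00, ipv4_frame("192.168.1.10", "192.168.1.1", 17, b"query")),
    (1700000000.25, ipv4_frame("192.168.1.1", "192.168.1.10", 17, b"answer")),
    (1700000001.50, ipv4_frame("192.168.1.10", "203.0.113.5", 6)),
])
```

Writing SAMPLE_PCAP to a file and opening it in Wireshark shows the same three rows in Part 1, which is a quick way to see how the hex bytes of Part 3 map onto the columns.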
Start Analyzing
Stop the capture by clicking the red button in the control bar and save it. We can start by analyzing
the hierarchy and the percentage of each protocol that makes up the pcap file. From the control bar,
we click on the Statistics button.
- Different options under the Statistics button:
o Protocol hierarchy: provides a tree of all the protocols found in the capture.
o Conversations: provides information about the data sent and received between each pair of IP
addresses.
o Endpoints: provides traffic information for each individual IP address (endpoint) in the capture.
o Resolved addresses: lists the hostnames of the IP addresses, where they could be resolved.

Capture Filter:
We can choose to capture only the packets that match some predefined criteria and analyze them:
- A specific host: host (IP address) or host (hostname)
- A specific source address: src (IP address)
- A specific destination address: dst (IP address)
- A TCP/UDP port number: port (number)
Difference between promiscuous and monitor modes
- Monitor Mode
You are sniffing the packets that are in the air without being connected to a specific access point.
It is like walking down the street and overhearing every conversation around you without taking
part in any of them.
- Promiscuous Mode
Listening to all the packets that pass through a specific access point after you have authenticated
and connected to that access point.

Display Filters
After you have started your capture, you can display only the packets that match some criteria:
- IP
o IP address: ip.addr == (address) or ip.addr != (address)
o IP source address: ip.src == (address) or ip.src != (address)
o IP destination address: ip.dst == (address) or ip.dst != (address)
- Display only a given protocol by typing its name, for example:
o TCP
o HTTP
o UDP
o FTP
o SSH
o DNS
o ARP
TCPDUMP
TCPDUMP is a command-line tool, used mostly in the terminal, that captures traffic at all layers of
the OSI model. It also provides many options for filtering and handling the information gathered.
Commands in the tcpdump tool:
1- To capture packets normally, without any filters, we use tcpdump -i (interface) -v
a. -i stands for interface, and you specify the interface name directly after it.
b. -v stands for verbose, which makes tcpdump print more detail about each packet in the
terminal.
2- To capture packets coming from or going to a specific host we use tcpdump -i (interface) -v host
(hostname or address)
3- To capture packets with a specific source or destination we use tcpdump -i (interface) -v
src (address) or tcpdump -i (interface) -v dst (address)
4- To combine filters we use the following syntax: tcpdump -i (interface) -v (first filter) and
(second filter)
5- To capture an entire network or a subnet of the network we use tcpdump -i (interface)
-v net (network range in CIDR notation, for example 192.168.1.0/24)
6- To capture data for a specific protocol we use tcpdump -i (interface) -v (protocol).
7- To capture data for a specific port we use tcpdump -i (interface) -v port (number).
8- To capture data for a specific source or destination port we use tcpdump -i (interface) -v
src port (number) or tcpdump -i (interface) -v dst port (number).
9- To save the capture to a pcap file instead of printing it on the screen we use tcpdump -w
(path of the output file) -i (interface) -v (any filter you want)
