Taken from Chris Greer https://www.youtube.com/c/ChrisGreer

This is a simple posting of the notes I took from going through Chris Greer’s Wireshark beginners series. If you haven’t already, go to his channel and learn about Wireshark.

Screen layout

  • Preferences > Layout

Change from packet bytes to header values

  • Layout > Panes

Add button

  • Right click packet > Prepare as filter > Selected > Add Button (top right)

Colour rules

  • View > Colouring Rules

Custom column

  • Preferences > Appearance > Columns > Add

Simple display filters

  • tcp.flags.syn==1

How to Capture Network Traffic

To see which library WS is using to capture the packets

  • File > About Wireshark

To edit capture options

Snaplength

  • Can be set to reduce the amount of data captured in each frame
  • Often 64B is enough to get the header information etc

Output

Command Line

Add program path ???

The Difference between Capture Filter and Display filter

  • Capture Filter
    • We determine the packets captured as we capture them
    • simpler than display filters
    • beware of overdoing the capture filter and then missing the packet you need to analyse
  • Display Filter
    • filtering packets we have already captured

Right click on a packet to select filter or Conversation filter

  • Then you can use brackets to add an extra filter

Not filter

  • not arp
  • not (arp or ipv6 or ssdp)
  • useful to slowly home in on the filter you need or the packets you need.

In parameter

  • tcp.port in {80 443 8080}

Clear text strings

  • frame contains "google" (case sensitive)
  • frame matches "Google" (case insensitive)

Name Resolution

  • You can also hover over a frame and right click and choose Edit Resolved Name. Then you can name ‘gateway’ or ‘client’ etc

Time Column

  • You can set the time column to various options
  • You can right click on a frame and choose Set/Unset Time reference to reset the time to 0.00 on that frame
  • This is useful because it shows the time relative to that conversation, not just to the frame above, which could belong to a different conversation. Set it as a column.
  • Then you can sort the column and look for the responses that were particularly slow.
  • The ones coming from the server are often pertinent.

Statistics

  • Don’t look at each individual packet. Use statistics!!
  • Statistics > Conversations

How to Extract Files from a pcap?

  • Frame 14 contains a .png file and this is what we want to extract.
  • First, right-click on the TCP layer and go to
    • Protocol Preferences
    • Allow subdissector to reassemble TCP streams
  • This reassembles the TCP stream. Otherwise Wireshark treats the segments one packet at a time.
  • Then go to File > Export Objects and we can see that there are 5 types of Objects that WS can export by default
  • So this is how we can extract files from the pcap
  • This includes executables and binaries
  • Be careful with malware: don’t execute it!
  • If this export feature does not work, we can look at
    • Right-Click on the frame
    • Choose Follow TCP stream
    • Here we can see the data that comprises the file
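As an added example (not from Chris Greer’s series and not Wireshark’s own code), a standard-library-only Python reassembler that shows why “Allow subdissector to reassemble TCP streams” matters: the pcap bytes, the IP addresses and the HTTP response carrying a fake PNG are all constructed inline, the response is split across two TCP segments that arrive out of order, and only the reassembled stream yields the file.

```python
import struct
from collections import defaultdict

def build_pcap(segments):
    """Constructed pcap (LINKTYPE_ETHERNET) with one IPv4/TCP frame per (seq, payload)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for seq, payload in segments:
        # TCP header: sport 80, dport 54321, seq, ack 1, data offset 5 words, PSH|ACK
        tcp = struct.pack("!HHIIBBHHH", 80, 54321, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp   # constructed IPs
        frame = b"\x00" * 12 + b"\x08\x00" + ip                  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)

def reassemble_streams(pcap):
    """Group TCP payloads by 4-tuple and join them in sequence-number order."""
    streams = defaultdict(dict)
    off = 24                                                     # skip the pcap global header
    while off < len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
        payload = ip[ihl + (ip[ihl + 12] >> 4) * 4:]             # skip TCP header (data offset)
        if payload:
            streams[(ip[12:16], sport, ip[16:20], dport)][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}

# Constructed sample: one HTTP response carrying a fake PNG, split into two TCP
# segments that arrive out of order (second half first), as a real capture might.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\nIHDR-demo"
SAMPLE_PCAP = build_pcap([(1040, RESPONSE[40:]), (1000, RESPONSE[:40])])

def extract_png(pcap=SAMPLE_PCAP):
    """Return the body of the first reassembled HTTP response that carries a PNG."""
    for stream in reassemble_streams(pcap).values():
        head, _, body = stream.partition(b"\r\n\r\n")
        if head.startswith(b"HTTP/1.") and body.startswith(b"\x89PNG"):
            return body
    return b""
```

Running extract_png on a pcap holding only one of the two segments returns nothing, which is the one-packet-at-a-time behaviour the notes warn about.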

Map IP Address Locations with Wireshark Using GeoIP

  • First, we need to download and extract the databases from MaxMind.
  • Now all we have to do is point WS at these databases
  • With this set we can look at the IP layer of a packet and view the GeoIP which will include the City, Country and even map coordinates
  • Now go to Statistics > Endpoints > Map > View In Browser