Tuesday 4 February 2020

WireShark Series: Part 1- Getting Started, Filters, Expressions, Graphs

  • We can get already available captures using Tools -> Sample captures

  • To see the OSI Layers, goto Statistics -> Protocol hierarchy
    • Here, we see the protocols and based on the protocols we can tell the layers
    • If any error is there in any protocol, we can find out
    • Frame (Physical), then Ethernet (Datalink), then Internet Protocol (Network), then TCP (Transport), then SSL (session) and HTTP (application layer)

  • Wireshark Filters
    • Capture -> Filters
    • These will filter only those specific packets

  • BPF Filters
    • Capture -> Capture Options
    • Next to "Capture Filters" , we will have "Compile Selected BPFs"
    • BPFs stand for "Berkeley Packet Filte Syntax"
    • It is the expression that is used for filtering

  • Expressions
    • We need a qualifier and an ID
    • For eg: wlan.address ==b4:52:7e:62:6c:4d . Here, the first part is the qualifier and the second part is the ID
    • Operators can be && or || or just !
      • && means AND
      • || means OR
      • means not equal to
    • Qualifiers can either be:
      •  TYPE which would be like HOSTNET or PORT. These identify what the ID refer to. 
      • DIR which would be direction which tells whether the transfer is going to or from the ID. This can be either the source SRC or destination DST
      • PROTO which is the protocol. This could be either HTTP, TCP, UDP, FTP. This is a particular protocol specifically that the ID is also repeating again
    • A cheat sheet that tells all the different expressions that we can use. They also display operators as well as logic
packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  • For eg,
ip.src == 10.73.31.59 && tcp.port == 80
  • Here, ip qualifier tells it's type is IP address
  • src tells about the direction and it's Source
  • 10.73.31.59 tells us that it is the ID. So, we know that we are looking for a source that equals this IP address
  • && tells us that we also include the next expression while filtering
  • TCP is the type and the port tells us the port ID 80

  • Expressions Examples
    • ip addresses 
      • ip.src == 96.17.148.161 means we are looking for source Ip address as given
      • ip.src_host == 96.17.148.161 gives the same o/p as above and means we are looking for source hosts that have the IP address given
      • ip.addr == 96.17.148.161 means we are looking for IP address given that not only includes sources but also includes destinations
      • ip.dst == 96.17.148.161 or ip.dst_host == 96.17.148.161 means we are looking for destination ip address as given
      • For IPv6 addresses, we need to use ipv6.addr == ...
      • We can also packet capture using DNS host names, you can type ip.host == nameofthehost.
      •  Now try ip.addr == 192.168.1.0/24 and this will show anything on that network within that range.
      • We can also filter by qualifier protocols using ip or http or udp directly. If we want to search by more than one protocol at a time, we can use &&. For eg, udp && http . Ot we can use udp || http
      • ip.dst != 10.73.31.59 gives ip address not equal to given one
    • We can also use the "expression" box next to the filter box to get the options possible directly and we can choose from that if we dont remember the syntax
    • We can also use the "save" button next to the filter box to make a bookmark of the filter and use it instead of having to type it out again
    • Instad of using the "save" option, we can also save the command as a permanent filter using Edit -> New Filter. Thusm, we can directly type the newfiltername in the filter box whenever we want to use that filter
    • We can also filter by the packet sizes using frame.len <= 128 and we will get packets less than or equal to 128


  • TCP Streams and Objects
    • If we visit many sites and don't know which packet is for what in the list, then right-click on the desired packet and click "Follow TCP Stream"

  • Decode As:
    • If we right click on desired packet and select "Decode As", we can convert it to any desired format.
    • For eg, TCP on the transport layer can be decoded to any user-specified protocol from the options

  • Name Resolutions:
    • Capture -> Options
    • Name Resolutions doesnt always work and needs network to be online and correctly configured
    • Resolve  MAC address means Wireshark will resolve the layer-2 or layer-2 mac address
    • Resolve network address means wireshark will  try to resolve IP address into a understandable DNS name
    • Resolve Transport Layer Name means that wireshark will try to convert a port number into whatever that port stands for. For eg, port 80 means HTTP

  • Graphs
    • Flow Graphs:
      • Statistics -> Flow Graph
      • We can choose whether we want all packets or displayed packets (ie. the packets that are shown after using a filter)
      • Then , we get a graph
      • We will see different time stamps and comments about each and every single packet in the middle under the green area with analysis of source and destination

  • This can help to visualize each and every packet flow during the packet capture. Also, we can find from which and to which ip address a specific packet has benn sent and also see the details using the comment
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)