Wireshark

Open-source packet analyser.

Overview

Wireshark is an open-source packet analyser capable of sniffing and investigating live traffic, as well as analysing saved packet captures (PCAP and PCAPNG files).

Wireshark is one of the most widely used network analysis tools available; typical uses include:

  • Detecting and troubleshooting network problems, such as network failure points.

  • Detecting security anomalies, like rogue hosts, abnormal port usage and suspicious traffic.

  • Investigating and learning protocol details, like response codes and payload data.

The Wireshark GUI opens with a single, all-in one page. There are five main sections:

  • Toolbar: contains menus and shortcuts for packet sniffing and processing. This includes filtering, sorting, summarising, exporting and merging.

  • Display Filter Bar: main query and filtering section.

  • Recent Files: a list of recently investigated files. Listed files can be recalled with a double-click.

  • Capture Filter & Interfaces: capture filters and the available sniffing points (network interfaces). Interfaces are listed under their operating-system names, e.g. lo (the loopback interface), eth0 or ens33 (wired Ethernet); the interface is the software endpoint through which the networking hardware is driven, and Wireshark can only see traffic that actually passes through the interface you select.

  • Status Bar: Tool status, profile and numeric packet info.

When a file is opened or Wireshark starts capturing, packet info is displayed in different panes:

  • Packet List Pane: a one-line summary of each packet. Clicking a packet selects it, and its details appear in the other two panes.

  • Packet Details Pane: the detailed protocol breakdown of the selected packet, one collapsible section per layer.

  • Packet Bytes Pane: hex dump and decoded ASCII of the selected packet; clicking a field in the details pane highlights the corresponding bytes here.

Wireshark can also merge two PCAP files into one with "File > Merge". Note that the merged capture must be saved before it can be worked on further. Wireshark can also show a capture file's properties (file hashes, capture time, capture comments, the capturing interface and statistics) via "Statistics > Capture File Properties"; the hashes shown there are the values to record when a capture is kept as evidence.

Packet Dissection

Also known as protocol dissection, this is the investigation of packet details by decoding the protocols and fields present in each packet. Wireshark supports a long list of protocols, and custom dissectors can be written (in Lua, or in C as plugins) for protocols it does not already understand.

Each packet in the details pane is broken into five to seven sections that follow the layers of the OSI model. At most a packet will have seven distinct sections:

  1. Frame (Layer 1): the frame/packet as captured: arrival time, frame and capture length and the interface it arrived on, i.e. details specific to the physical layer of the OSI model.

  2. Ethernet (Layer 2): the source and destination MAC addresses from the data link layer of the OSI model.

  3. Internet Protocol (Layer 3): source and destination IP addresses (IPv4 or IPv6) from the network layer of the OSI model.

  4. Transport Protocol (Layer 4): details of the protocol used (TCP or UDP) and the source and destination ports from the transport layer of the OSI model.

  5. Protocol Errors/Reassembly: a continuation of the transport section, showing for example TCP segments that need to be reassembled before the application data can be decoded.

  6. Application Protocol: details specific to the application protocol in use, such as HTTP, FTP or SMB, from the application layer of the OSI model (layer 7; the session and presentation layers have no separate sections because the TCP/IP stack folds them into the application layer).

  7. Application Data: an extension of the application protocol section showing the application-specific data, e.g. an HTTP body.
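How the dissection above looks in code, as an added example (this is not Wireshark's own source, which is written in C): the stdlib-only script below constructs a one-record pcap carrying an HTTP GET from 10.0.0.5 to 192.0.2.10 (documentation addresses, not real hosts), then dissects it into the same sections Wireshark shows in the Packet Details pane. Reading the pcap record header gives the "Frame" section (number, time, lengths); the Ethernet, IP and TCP parsers are layers 2 to 4; and the HTTP part shows the port-based heuristic Wireshark uses to choose an application dissector, with the remainder of the payload reported as application data.

```python
"""Minimal pcap + Ethernet/IPv4/TCP/HTTP dissector.

Added example, not Wireshark's own code: it walks each record of a pcap through
the same layer sections Wireshark shows in the Packet Details pane (frame,
Ethernet, IP, TCP, application). The capture bytes are constructed inline
below, so nothing here comes from a real network.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Construct a one-record pcap: 10.0.0.5 -> 192.0.2.10 carrying an HTTP GET."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset 5 words (<<4), flags PSH|ACK, win, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                 bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])]
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = ip_checksum(ip)                  # fill in the real header checksum
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))    # dst MAC, src MAC, EtherType
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1_700_000_000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect_frame(number: int, ts: float, frame: bytes, orig_len: int) -> dict:
    """Break one frame into the layer sections Wireshark would show."""
    layers = {"frame": {"number": number, "time": ts, "len": orig_len, "cap_len": len(frame)}}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers["eth"] = {"src": mac(src), "dst": mac(dst), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                               # no layer-3 dissector for this type
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["ip"] = {"version": ip[0] >> 4, "hdr_len": ihl, "ttl": ip[8], "proto": proto,
                    "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    payload = tcp[data_off:]
    layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                     "flags": off_flags & 0x1FF, "hdr_len": data_off, "payload_len": len(payload)}
    # Like Wireshark, pick the application dissector by port, then look at the bytes.
    if payload and 80 in (sport, dport):
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        key = "status_line" if line.startswith("HTTP/") else "request_line"
        layers["http"] = {key: line}
        layers["http.data"] = payload[len(line) + 2:]   # application data after the first line
    return layers


def dissect_pcap(pcap: bytes) -> list:
    """Parse the pcap global header, then dissect every record in order."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    packets, pos, number = [], 24, 1
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        packets.append(dissect_frame(number, ts_sec + ts_usec / 1e6, frame, orig_len))
        pos, number = pos + 16 + incl_len, number + 1
    return packets


if __name__ == "__main__":
    for pkt in dissect_pcap(build_sample_pcap()):
        for layer, fields in pkt.items():
            print(layer, fields)
```

The checksum check is the kind of thing that feeds Wireshark's Expert Information: a header whose one's-complement sum does not come to zero would be flagged, and a real dissector would also have to handle IP options (ihl > 20), TCP options and segments split across frames before handing data to the application layer.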

Packet Navigation

Wireshark assigns a unique, sequential number to each packet in the capture, which makes it easy to work with large captures and to return to a specific packet. Use "Go > Go To Packet" to jump straight to a packet number.

You can also find packets by content with "Edit > Find Packet", which searches inside the packets for an event of interest. There are two crucial choices here: the input type and the search field. The input type can be display filter, hex, string or regex; string and regex are the most commonly used. The search field can be the packet list, packet details or packet bytes, and the search only looks in the pane you choose: a value that only appears in the packet details will not be found when searching the packet list.

You can mark or comment on packets by right-clicking them and choosing "Mark/Unmark Packet(s)" or "Packet Comment..." respectively. Note that marks are discarded when the capture file is closed, whereas comments are saved with the file (the file must be saved in pcapng format for this).

You can export only certain packets (like marked ones) with "File > Export Specified Packets" - this can help narrow down analysis.

You can export files transferred over the wire with "File > Export Objects". Files can only be extracted from the streams of the protocols listed in that menu (DICOM, HTTP, SMB, TFTP, etc.), and an exported object is the file exactly as it crossed the network, so treat it as untrusted: hash it and analyse it in an isolated environment rather than opening it directly.

You can have Wireshark show the exact time a packet was captured with "View > Time Display Format > UTC Date and Time of Day" (the default is "Seconds Since Beginning of Capture"); absolute UTC timestamps are what you want when correlating packets with logs from other systems.

Wireshark also colours packets according to the state of the protocol ("Expert Information"). These are only suggestions, and there is always a chance of false positives and negatives, but the severities are as follows:

| Severity | Colour | Info |
|----------|--------|------|
| Chat     | Blue   | Information about the usual workflow. |
| Note     | Cyan   | Notable events, such as application error codes. |
| Warn     | Yellow | Unusual error codes or problem statements. |
| Error    | Red    | Malformed packets. |

The full list of expert events in the capture can be viewed under "Analyse > Expert Information".

Packet Filtering

Wireshark offers two kinds of filtering: capture filters and display filters. A capture filter (BPF syntax, e.g. "tcp port 80") is applied while sniffing and decides which packets are recorded at all; anything it drops is gone for good, so it cannot be changed without restarting the capture. A display filter (Wireshark's own syntax, e.g. "tcp.port == 80") only controls which of the captured packets are shown and can be changed or cleared at any time. The two syntaxes are not interchangeable: a display filter typed into the capture filter box will be rejected. Live capture also requires the privilege to open the interface; on Linux this is normally granted by giving the dumpcap helper the needed capabilities rather than running Wireshark itself as root.

The most basic way to filter traffic is to right-click a packet (or a field in its details) and choose "Apply as Filter"; the same options are under "Analyse > Apply as Filter". If you want a specific packet and everything linked to it, use "Analyse > Conversation Filter", which builds a filter on both endpoints (and, for TCP/UDP, both ports) so that both directions of the exchange are shown.

The same conversation can instead be highlighted with "View > Colourise Conversation", which does not hide the other packets. This can be undone with "View > Colourise Conversation > Reset Colourisation".

The "Prepare as Filter" option is similar to "Apply as Filter" except that it only writes the expression into the filter bar and waits for further input, such as combining it with "and"/"or" or running it with Enter.

You can right-click a value in the packet details pane and choose "Apply as Column" (also under "Analyse > Apply as Column") to add that field as a column in the packet list pane; this helps you track how a specific value or field changes across packets.

Streams can be reconstructed to allow viewing of the raw conversation using "Analyse > Follow > TCP/UDP/HTTP Stream", which shows the stream in a separate dialogue box with each direction colour-coded. This is the quickest way to read cleartext content such as HTTP requests or credentials sent over unencrypted protocols.
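Display-filter and conversation-filter semantics in code, as an added example that is not Wireshark's own: the script implements a small subset of the display-filter grammar (==, !=, <, >, <=, >=, &&/and, ||/or, !/not, parentheses, and bare field or protocol names to test for presence) and evaluates it over constructed dictionaries that stand in for the dissected fields Wireshark would expose. Two points it makes concrete: combined fields such as ip.addr and tcp.port match either endpoint, which is why "ip.addr != 10.0.0.5" does not exclude that host (the test passes whenever one of the two addresses differs) while "!(ip.addr == 10.0.0.5)" does; and a conversation filter is just an expression on both addresses and both ports, which is why it returns both directions of the exchange.

```python
"""Evaluate a subset of Wireshark display-filter syntax over dissected packets.

Added example, not Wireshark's own code. PACKETS are constructed dictionaries of
the field names Wireshark would expose (ip.src, tcp.dstport, ...), so the block
runs offline with no capture file.
"""
import re

# Constructed sample: one client talking HTTP and TLS to two servers, plus a stray mDNS packet.
PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 40000, "tcp.dstport": 80, "http.request.method": "GET"},
    {"frame.number": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 40000, "http.response.code": 200},
    {"frame.number": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.20",
     "tcp.srcport": 40001, "tcp.dstport": 443},
    {"frame.number": 4, "ip.src": "192.0.2.20", "ip.dst": "10.0.0.5",
     "tcp.srcport": 443, "tcp.dstport": 40001},
    {"frame.number": 5, "ip.src": "10.0.0.7", "ip.dst": "224.0.0.251",
     "udp.srcport": 5353, "udp.dstport": 5353},
]

# Wireshark's combined fields: ip.addr matches either address, tcp.port either port.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport")}

TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|"[^"]*"|[A-Za-z_][\w.]*|[\d.]+)')
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def field_values(pkt: dict, name: str) -> list:
    """All occurrences of a field in a packet; a bare protocol name tests for its presence."""
    if "." not in name:
        return [True] if any(k.startswith(name + ".") for k in pkt) else []
    return [pkt[n] for n in COMBINED.get(name, (name,)) if n in pkt]


def compare(pkt: dict, name: str, op: str, literal: str) -> bool:
    """Wireshark semantics: true if ANY occurrence of the field satisfies the comparison."""
    lit = int(literal) if literal.isdigit() else literal.strip('"')
    return any(type(v) is type(lit) and OPS[op](v, lit) for v in field_values(pkt, name))


class Parser:
    """Recursive descent: expr := term (|| term)*, term := factor (&& factor)*."""

    def __init__(self, text: str):
        self.tokens, pos, text = [], 0, text.strip()
        while pos < len(text):
            m = TOKEN.match(text, pos)
            if not m:
                raise SyntaxError(f"unexpected input at {text[pos:]!r}")
            self.tokens.append(m.group(1))
            pos = m.end()
        self.i = 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok in ("!", "not"):
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        if self.peek() in OPS:                      # field op literal
            return ("cmp", tok, self.take(), self.take())
        return ("exists", tok)                      # bare field or protocol name


def evaluate(node, pkt: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "exists":
        return bool(field_values(pkt, node[1]))
    return compare(pkt, node[1], node[2], node[3])


def apply_filter(display_filter: str, packets=PACKETS) -> list:
    """Return the frame numbers a display filter would leave visible in the packet list."""
    tree = Parser(display_filter).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


def conversation_filter(pkt: dict) -> str:
    """Build the expression 'Analyse > Conversation Filter' applies for one packet."""
    proto = "tcp" if "tcp.srcport" in pkt else "udp"
    return (f"ip.addr == {pkt['ip.src']} && ip.addr == {pkt['ip.dst']} && "
            f"{proto}.port == {pkt[proto + '.srcport']} && {proto}.port == {pkt[proto + '.dstport']}")
```

Running apply_filter("ip.addr != 10.0.0.5") against the sample returns every frame, including the four involving 10.0.0.5, whereas apply_filter("!(ip.addr == 10.0.0.5)") returns only frame 5; apply_filter(conversation_filter(PACKETS[0])) returns frames 1 and 2, the request and its reply.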

Last updated 1 year ago
