Intro to WireShark - Diving with the Sharks


In this brief blog post we will take a quick glance at Wireshark, an essential investigative tool in the arsenal of professional cyber defenders and network pros.

Wireshark as we know it today was created by Gerald Combs in 1997 under the name Ethereal, to track down those annoying network problems and discover the "what and why" behind network issues. Over time, a host of people have contributed to its growth.

Gerald Combs

  • Today, Wireshark has developed into a network analysis tool used for analysis and investigation by network engineers, cybersecurity professionals and even attackers.

Lab Topology

  • 1 Kali Linux endpoint

  • 1 target endpoint (Windows, Ubuntu, etc.)

Task 1: Start a packet capture

  • Fire up the Kali endpoint and start Wireshark from the menu, or open a shell and type wireshark at the prompt.

  • Note: if you are not using Kali Linux you will have to install Wireshark manually. That is not covered in this first part, but a quick Google search will turn up guides for other Linux distributions and for Windows.

This starts the Wireshark program. Be sure to select your network interface from the list presented; the active interface is normally the first on the list.

  • Wireshark immediately starts capturing and lists every packet with the following columns:

    • Time

    • Source IP

    • Destination IP

    • Protocol

    • Length

  • In an instant we have over 8000 packets passing through. When investigating network events you will want to filter out the unrelated traffic so you can get better insight into the activity in question.

Task 2: Display Filters

To do this, Wireshark uses various display filters.

  • A list of common display filters is shown below. One capture filter (BPF syntax, applied before packets are recorded) is included for comparison; all the others are display filters, which only hide packets that have already been captured.

    Filter by IP:                        ip.addr == 10.10.50.1
    Filter by destination IP:            ip.dst == 10.10.50.1
    Filter by source IP:                 ip.src == 10.10.50.1
    Filter by IP range:                  ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
    Filter by multiple IPs (both hosts): ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
    Filter out / exclude an IP address:  !(ip.addr == 10.10.50.1)
    Capture filter (BPF):                host <host IP address>
    Filter by IP subnet:                 ip.addr == 10.10.50.1/24
    Filter by multiple IP subnets:       ip.addr == 10.10.50.1/24 and ip.addr == 10.10.51.1/24
    Filter by protocol:                  dns, http, ftp, ssh, arp, telnet, icmp
    Filter by port (TCP):                tcp.port == 25
    Filter by destination port (TCP):    tcp.dstport == 23
    Filter by IP address and port:       ip.addr == 10.10.50.1 and tcp.port == 25
    Filter by URL / HTTP host:           http.host == "host name"
    Filter by time stamp:                frame.time >= "June 02, 2019 18:04:00"
    Filter SYN flag:                     tcp.flags.syn == 1
    Filter SYN only (no ACK):            tcp.flags.syn == 1 and tcp.flags.ack == 0
    Beacon filter (802.11):              wlan.fc.type_subtype == 0x08
    Broadcast filter:                    eth.dst == ff:ff:ff:ff:ff:ff
    Multicast filter:                    (eth.dst[0] & 1)
    Host name filter:                    ip.host == "hostname"
    MAC address filter:                  eth.addr == 00:70:f4:23:18:c4
    RST flag filter:                     tcp.flags.reset == 1

  • To demonstrate the filter functions, we will do some filtering.

    • Let's filter by IP address. Note that you can filter by source, destination, IP address range and multiple IP addresses.

    • I will be filtering for my Windows 11 endpoint with its IP: 192.168.30.92

    • The filter is:

      ip.addr == 192.168.30.92

  • Never mind the JavaScript in the image; it is not related.

  • This filters out all traffic that is neither sourced from nor destined for 192.168.30.92.

  • Next let's try filtering by port number. Options include 80, 22, 443, 21, etc. Let's try 80 first; given that these are lab devices, we may or may not get any output.

  • The filter is:

    tcp.port == 80 || udp.port == 80

  • As you can see, we did not get any TCP or UDP traffic on port 80 in the output.
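The IP, exclusion, subnet and port filters above all hinge on one detail: a field such as ip.addr or tcp.port occurs twice in a packet (source and destination), and "==" is true when any occurrence matches. The following is an added toy model of that matching over a constructed five-packet capture (illustration only, not Wireshark's code); it also shows why the table uses !(ip.addr == X) to exclude a host, since ip.addr != X under the any-occurrence semantics of older Wireshark releases (before 3.6, assumed here) still matches packets where only one side differs.

```python
"""Toy model of Wireshark display-filter matching over constructed packets.
Added illustration, not Wireshark's code: multi-valued fields (ip.addr, tcp.port)
expand to every occurrence in a packet, so 'ip.addr == X' matches either direction."""
import ipaddress

# Constructed five-packet "capture" (not a real trace); numbered 1..5 like Wireshark's No. column.
PACKETS = [
    {"src": "10.10.50.1",   "dst": "10.10.50.100", "proto": "tcp", "sport": 51000, "dport": 80,    "syn": 1, "ack": 0},
    {"src": "10.10.50.100", "dst": "10.10.50.1",   "proto": "tcp", "sport": 80,    "dport": 51000, "syn": 1, "ack": 1},
    {"src": "10.10.50.7",   "dst": "10.10.51.9",   "proto": "udp", "sport": 53000, "dport": 53,    "syn": 0, "ack": 0},
    {"src": "10.10.51.9",   "dst": "10.10.50.7",   "proto": "tcp", "sport": 22,    "dport": 40000, "syn": 0, "ack": 1},
    {"src": "10.10.50.2",   "dst": "10.10.50.3",   "proto": "tcp", "sport": 40001, "dport": 23,    "syn": 1, "ack": 0},
]

def field_values(pkt, field):
    """Every value the named display-filter field takes in this packet (may be several or none)."""
    ports = [pkt["sport"], pkt["dport"]]
    table = {
        "ip.addr": [pkt["src"], pkt["dst"]],
        "ip.src": [pkt["src"]],
        "ip.dst": [pkt["dst"]],
        "tcp.port": ports if pkt["proto"] == "tcp" else [],
        "udp.port": ports if pkt["proto"] == "udp" else [],
    }
    return table[field]

def eq(field, value):
    """'field == value': true if ANY occurrence of the field equals value."""
    return lambda p: any(v == value for v in field_values(p, field))

def any_ne(field, value):
    """'field != value' as older (pre-3.6) Wireshark read it: true if ANY occurrence differs."""
    return lambda p: any(v != value for v in field_values(p, field))

def not_(pred):
    """'!(expr)': negates the whole expression, so a host is excluded in both directions."""
    return lambda p: not pred(p)

def in_subnet(cidr):
    """'ip.addr == a.b.c.d/nn': true if either address lies inside the network."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts host bits, as Wireshark does
    return lambda p: any(ipaddress.ip_address(v) in net for v in field_values(p, "ip.addr"))

def syn_only(p):
    """'tcp.flags.syn == 1 and tcp.flags.ack == 0': the opening packet of a TCP handshake."""
    return p["proto"] == "tcp" and p["syn"] == 1 and p["ack"] == 0

def select(pred, packets=PACKETS):
    """Apply a display-filter predicate and return the matching packet numbers."""
    return [i for i, p in enumerate(packets, 1) if pred(p)]
```

Running select(not_(eq("ip.addr", "10.10.50.1"))) returns only packets 3, 4 and 5, whereas select(any_ne("ip.addr", "10.10.50.1")) returns all five, which is the pitfall the table's exclusion form avoids.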

  • To generate some, let's browse a bit.

  • Let's fire up Firefox and play around on the internet.

  • After browsing a bit, we see TCP packets showing up in the network traffic.

  • Next, let's inspect a packet to see what information we can glean.

  • Looking at the Frame section of the packet, we can deduce the following:

    • The size of the frame: 66 bytes

    • The interface it was captured on: eth0

    • The arrival date and time, that is, when it was captured: 18th Oct 2024 00:05:23 EDT

    • Protocols in the frame: eth:ethertype:ip:tcp

    • This line reveals what is present in multiple layers of the OSI model, from layer 2 to 5

  • Next we will review the Ethernet part of the captured frame.

  • Reviewing the output shows the source and destination MAC addresses.

The Internet Protocol part of the packet reveals:

  • The protocol in play: TCP

  • The source and destination IP addresses in play

  • The TCP part of the packet shows:

    • Source port, destination port

    • Timestamps

    • Header length

    • Checksums, flags

You can see at a glance that the information in a single captured packet lets us deduce a lot about the traffic it is part of, and this will aid our investigation when a network or cyber issue occurs.

Developing the eyes and instinct to sniff out the information that matters to the objective at hand, while ignoring the fluff, is a vital skill for any cybersecurity practitioner.

I hope this has given you enough confidence to go jump off the not so deep end and get your feet wet! HAPPY DIVING!!!!