Context Navigation

← Previous Change
Wiki History
Next Change →

wireshark

Timestamp:: Sep 9, 2021, 8:05:29 PM (3 years ago)
Author:: admin
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

NspwUprouse/Agenda/wireshark

               v1
+= Capture and Analise Packets =
+In this lab session, we will use tcpdump and Wireshark to capture packets. To analyze them we will use Wireshark.
+== Packet Capturing using tcpdump ==
+ - Go to the ubuntu VM
+ - use tcpdump command to capture packets
+{{{
+tcpdump -nn
+}}}
+ - you will get outputs like following
+{{{
+IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106,
+ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204],
+length 53
+}}}
+ - You can try tcpdump with different attributes
+{{{
+tcpdump –nni eth0 host 10.10.10.10
+tcpdump –nni eth0 dst host 10.10.10.10 and tcp
+tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
+tcpdump –nni eth0 –s0
+tcpdump –nni eth0 not port 22 –s0 –c 1000
+tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24
+-nn = don’t use DNS to resolve IPs and display port no
+-i = interface to watch
+dst = watch only traffic des0ned to a net, host or port
+src = watch only traffic whose src is a net, host or port
+net = specifies network
+host = specifies host
+port = specifies a port
+proto = protocol ie tcp or udp
+-s0 = seIng samples length to 0 m
+-c = number of packets
+}}}
+ - You can capture packets and save them to a file
+{{{
+# tcpdump –nni eth0 -w capture.pcap –vv –c 1000
+# tcpdump –nni eth0 –r capture.pcap port 80
+-w capture.pcap = save capture packet to capture.pcap
+–vv =  display number of packet captured
+-r capture.pcap = read capt
+}}}
+ - You can open the created file and see the captured packets
+== Wireshark ==
+Download Wireshark from [https://www.wireshark.org/download.html here] and install Wireshark. Installation is very simple.
+=== Captureing Packets from wireshark ===
+Once you open the Wireshark you will get the following interface.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/welcome.png)]]
+You can select the interface that you want to capture packets by clicking on the interface listed there. Then you can click the '''Start Capture''' to capture the packets.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/start.png)]]
+You will see the packets capturing. Click the '''Stop Capture''' button when you want to stop the capturing.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/stop.png)]]
+You can save the captured packets by clicking '''File>Save as...''' and Clicking '''Save''' after you select a Location
+You can change the interface and add or remove the filter by clicking the '''Options''' button.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/options.png)]]
+=== Filters ===
+Wireshark has a lot of filters. Let's try a simple filter. Let's capture only the packets that are using ICMP protocol.
+You will the filter text field in the Wireshark interface. Type '''icmp''' there and start capturing. You can try different filters.
+ - '''ip.addr == <Your IP address>''' [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
+ - '''ip.addr==<Your IP address> && ip.addr==<neighbors IP address>''' [sets a conversation filter between the two defined IP addresses]
+ - '''http or dns''' [sets a filter to display all http and dns]
+ - '''tcp.port==53''' [sets a filter for any TCP packet with 4000 as a source or dest port]
+ - '''http.request''' [displays all HTTP GET requests]
+ - '''!(arp or icmp or dns)''' [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
+=== Analysing ===
+Download the sample packet capture files from here. Open them from Wireshark to analyze them. Go to '''File>Open''' and select the pcap file to be open.
+'''Telnet.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/telnet.pcap download]
+ - What is the Username and Password?
+ - What did the User do after login?
+Open the file. Filter all the telnet traffic. Go to Analyse>Follow>TCP Stream.
+'''massivesyn.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/massivesyn.pcap download]
+ - Is this an attack? If so what type of an attack?
+Open the file, Go to Statistics>Coversation. Check for the type of packet, Source IP and the duration
+'''chat.dmp'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/chat.dmp download]
+ - What are the email addresses of the chatters?
+ - What were they planning to do?
+Open the file. Go to Analyse>Follow>TCP Stream.
+'''ftp.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/ftp.pcap download]
+ - What is the IP address of the FTP server and the Client?
+ - What is the error code 530?
+Open the file. Statistics>Coversation.  Click TCP. Check the Statistics. Go to Analyse>Follow>TCP Stream
+'''foobar.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/foobar.pcap download]
+ - What is the protocol use TCP 6346?
+ -  What could be this scenario?
+Open the file. Statistics>Coversation and check for source and destination IP and port. Go to Statistics>Protocol Hierarchy
+'''covertinfo.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/covertinfo.pcap download]
+ - Is this a normal icmp packet?
+Open the file. Statistics>Coversation and check for packet length.
+'''sip.pcap'''
+[https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/sip_chat.pcap download]
+ - What is the protocol used for media?
+ - Can you listen to the phone conversation?
+Statistics>Protocol Hierarchy check for UDP protocols. Use Telephony>(Protocol) > Analysis