From charlesreid1
Latest revision as of 05:30, 23 January 2016

http://www.wireshark.org/

Take advantage of the fact that it's legal in every country to profile protocols and products.

The Basics

Wireshark is a packet analysis tool. It allows you to capture packets and analyze them live, or load captures from another session. You can also use its very handy filter functions to look for specific packets - based on destination, target, type, time, payload, etc.

Wireshark has a nice GUI and can show you some amazing things about network traffic. However, Wireshark is also memory-intensive, and is pretty slow on Mac. It's worth it.

Packet Captures

Capturing packets on a network is useful for troubleshooting, but it is also useful for seeing what the network normally looks like.

Take a Capture

Open up Wireshark, pick your network interface, and click the green fin to start the capture.

Capture Settings

You can control many of Wireshark's capture options. One nice feature is writing the capture out to a new file at fixed size or time increments: as networks get busier, capture files get pretty large, so this is a nice feature to have.

You can also load multiple capture files simultaneously.

Filtering Captures: Syntax

To drop packets before Wireshark processes them (which reduces the CPU load during a capture), you can use capture filters written in Berkeley Packet Filter (BPF) syntax.

The BPF syntax consists of primitives and operators.

Primitives consist of qualifiers and an ID.

Examples

Here's an example that would only look for packets to a certain host and port (port 80 is HTTP traffic):

dst host 192.168.0.10 && tcp port 80

The syntax consists of primitives and operators.

A primitive is something like dst host 192.168.0.10 or tcp port 80.

An operator is something like &&.

The primitive itself consists of qualifiers and IDs.

The primitive dst host 192.168.0.10 has the qualifiers dst and host and the ID 192.168.0.10.
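As an added example (not from this page or from Wireshark itself), here is a small Python parser that splits a capture filter into the primitives, qualifiers and IDs described above and emits the equivalent display filter. It assumes only the host/net/port, src/dst and protocol qualifiers it lists, IPv4 addresses, and the && / || (and / or) operators.

```python
# Added example, not Wireshark's own parser: splits a BPF capture filter into the
# primitives, qualifiers and IDs this page describes and emits an equivalent
# display filter. IPv4 only; only the qualifiers listed below are recognised.
from collections import namedtuple

TYPE_Q = {"host", "net", "port"}                 # says what kind of ID follows
DIR_Q = {"src", "dst"}                           # direction (optional)
PROTO_Q = {"ip", "tcp", "udp", "icmp", "arp"}    # protocol (optional)
LOGICAL = {"&&": "&&", "and": "&&", "||": "||", "or": "||"}
Primitive = namedtuple("Primitive", "qualifiers ident")   # ident is None for a bare "tcp"

def _make_primitive(words):
    if len(words) == 1 and words[0] in PROTO_Q:          # e.g. "tcp" on its own
        return Primitive(words, None)
    *quals, ident = words
    unknown = set(quals) - (TYPE_Q | DIR_Q | PROTO_Q)
    if unknown or not TYPE_Q & set(quals):
        raise ValueError(f"bad primitive {' '.join(words)!r} (unknown qualifiers {sorted(unknown)})")
    return Primitive(quals, ident)

def parse_capture_filter(expr):
    """Return a list alternating Primitive objects and normalised operators."""
    items, current = [], []
    for tok in expr.split():
        if tok not in LOGICAL:
            current.append(tok)
            continue
        if not current:
            raise ValueError("operator without a preceding primitive")
        items += [_make_primitive(current), LOGICAL[tok]]
        current = []
    if not current:
        raise ValueError("expression ends with an operator")
    items.append(_make_primitive(current))
    return items

def _display_term(p):
    if p.ident is None:
        return p.qualifiers[0]                            # "tcp" is valid as-is
    q = set(p.qualifiers)
    direction = "src" if "src" in q else "dst" if "dst" in q else None
    if q & {"host", "net"}:                               # ip.addr also accepts a CIDR
        return f"ip.{direction or 'addr'} == {p.ident}"
    protos = [x for x in ("tcp", "udp") if x in q] or ["tcp", "udp"]   # bare "port": either
    field = f"{direction}port" if direction else "port"
    terms = [f"{x}.{field} == {p.ident}" for x in protos]
    return terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"

def to_display_filter(expr):
    # "dst host 192.168.0.10 && tcp port 80" -> "ip.dst == 192.168.0.10 && tcp.port == 80"
    return " ".join(i if isinstance(i, str) else _display_term(i) for i in parse_capture_filter(expr))
```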

Filtering Packets

If your wireless card and CPU can handle a large amount of traffic, it is usually better to capture everything and use display filters to show different packets, instead of applying capture filters at the capture level. Capture filters are better if you're targeting your capture at a specific range of devices, a specific channel, or particular protocols.

Use the Filter Expression dialog to create packet display filters.

Operators and Filter Expressions

You can use several comparison operators and logical operators when constructing the display filter.

Comparison Operators:

  • equal to
  • not equal to
  • greater than
  • less than
  • greater than or equal to
  • less than or equal to

Logical Operators:

  • and
  • or
  • xor
  • not
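As an added example (not Wireshark's own code), the following Python evaluates a simplified display filter built from these comparison and logical operators (both the symbol and the word spellings) against constructed packet records. The precedence it uses (not, then and, then xor, then or) and the rule that a comparison matches when any value of a multi-valued field satisfies it are this evaluator's assumptions, and the packet records are made up.

```python
# Added example (not Wireshark's own code): evaluate a simplified display filter
# against constructed packet records. A field may hold several values (tcp.port
# holds both ports) and a comparison matches when ANY value satisfies it, so
# write "not (tcp.port == 80)" when you mean "hide every packet touching port 80".
import operator, re
COMPARE = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
           ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
           ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le}
TOKEN = re.compile(r"\(|\)|&&|\|\||\^\^|[<>!=]=|[<>]|!|[\w.:/]+")  # "!=" must precede "!"

def evaluate(expr, pkt):
    """pkt maps field names to lists of values, e.g. {"tcp.port": [443, 52110]}."""
    toks, i = TOKEN.findall(expr), 0            # characters outside TOKEN are skipped
    def peek(): return toks[i] if i < len(toks) else None
    def take():
        nonlocal i; i += 1
        if i > len(toks): raise ValueError("unexpected end of filter")
        return toks[i - 1]
    def atom():                                 # "(" expr ")" | not atom | field [op value]
        tok = take()
        if tok == "(":
            v = expr_or()
            if take() != ")": raise ValueError("missing ')'")
            return v
        if tok in ("not", "!"): return not atom()
        if peek() not in COMPARE: return tok in pkt   # bare name: field/protocol present
        op, raw = COMPARE[take()], take()
        rhs = int(raw) if raw.isdigit() else raw
        return any(op(v, rhs) for v in pkt.get(tok, []))
    def level(sub, ops, combine):               # one left-associative binary level
        v = sub()
        while peek() in ops: take(); v = combine(sub(), v)
        return v
    # precedence used by this evaluator: not > and > xor > or
    expr_and = lambda: level(atom, ("and", "&&"), lambda a, b: a and b)
    expr_xor = lambda: level(expr_and, ("xor", "^^"), lambda a, b: a != b)
    expr_or = lambda: level(expr_xor, ("or", "||"), lambda a, b: a or b)
    result = expr_or()
    if i != len(toks): raise ValueError(f"unexpected token {toks[i]!r}")
    return bool(result)

PACKETS = [  # constructed sample records, not from a real capture
    {"ip.src": ["192.168.0.5"], "ip.dst": ["192.168.0.10"], "tcp.port": [52110, 80], "tcp": [True]},
    {"ip.src": ["192.168.0.10"], "ip.dst": ["192.168.0.5"], "tcp.port": [443, 52111], "tcp": [True]},
    {"ip.src": ["192.168.0.5"], "ip.dst": ["8.8.8.8"], "udp.port": [53000, 53], "udp": [True]},
]

def matching(expr, packets=PACKETS):
    return [n for n, p in enumerate(packets) if evaluate(expr, p)]   # indexes left visible
```

The point it makes: under any-value matching, "tcp.port != 80" still shows a packet whose other port differs from 80, while "not (tcp.port == 80)" hides it.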

Related Pages

Advanced Wireshark Stuff: Wireshark/Advanced

Examples:

Wireshark can be used to analyze network traffic in detail: Wireshark/Traffic Analysis

Wireshark can be used to sniff HTTPS traffic: Wireshark/HTTPS