Wireshark/Advanced: Difference between revisions

From charlesreid1
 
(2 intermediate revisions by the same user not shown)
Line 3: Line 3:
==Endpoints and Conversations==
==Endpoints and Conversations==


You can see the network endpoints, or members of a network that initiate/terminate conversation and communication, by picking Statistics > Endpoints. This shows a list of endpoints and statistics.
See [[Wireshark/Conversation Analysis]] page


You can see the conversations between two endpoints by picking Statistics > Conversations, which will show a window with a list of IP address pairs and various statistics of each conversation.
==Protocols==


Endpoints/Conversations are useful for troubleshooting lots of traffic, or determining which server is busiest.
See the [[Wireshark/Protocol Analysis]] page for more info on analyzing traffic protocols.
 
==Protocol Statistics==
 
You can open Statistics > Protocol Hierarchy to see information about what protocols are used in what amounts.
 
This can be useful if you are trying to determine "normal" behavior for a network, and then trying to determine if a particular day's traffic is an outlier and why.
 
By looking at a network's traffic protocol statistics, you can learn a lot about that network. Example: IT department will have admin protocols like ICMP or SNMP. Ordering department will use lots of SMTP. Interns will use WoW.


==Name Resolution==
==Name Resolution==
Line 25: Line 17:
=Traffic=
=Traffic=


Wireshark IO graphs show the measure of traffic in a given space over time. By changing the time resolution you get very different pictures of the data.
See the [[Wireshark/Traffic Analysis]] page for information about analyzing the amount of traffic on a network with wireshark.
 
Case in point: the rather boring 1-second resolution:
 
[[Image:WiresharkIO_1second.png|500px]]
 
versus the much more interesting 10-minute resolution:
 
[[Image:WiresharkIO_10minute.png|500px]]
 
 
 


{{WiresharkFlag}}
{{WiresharkFlag}}

Latest revision as of 03:09, 20 January 2016

Advanced Stuff

Endpoints and Conversations

See Wireshark/Conversation Analysis page

Protocols

See the Wireshark/Protocol Analysis page for more info on analyzing traffic protocols.

Name Resolution

To convert from a MAC address to an IP address is name resolution using the ARP protocol.

To convert from IP to Human-readable domain name uses DNS protocol.

Traffic

See the Wireshark/Traffic Analysis page for information about analyzing the amount of traffic on a network with wireshark.



Defcon.png
Wireshark
a Swiss-army knife for analyzing networks, network traffic, and pcap files.

Wireshark  · Category:Wireshark

Packet Analysis  · Wireshark/Advanced

Wireshark/HTTPS  · Wireshark/Traffic Analysis  · Wireshark/Conversation Analysis  · Wireshark/Protocol Analysis

Working with SSL/TLS/HTTPS:

MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info  · MITM Labs/Decrypting HTTPS Traffic with Private Key File


Flags  · Template:WiresharkFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Wireshark/Advanced&oldid=8945"