Wireshark: Difference between revisions
From charlesreid1
Revision as of 03:41, 3 August 2015
Background
Wireshark is a packet analysis tool. It allows you to capture packets and analyze them live, or load captures from another session. You can also use its very handy filter functions to look for specific packets, based on destination, target, type, time, payload, etc.
Packet Captures
Capturing packets on a network is useful for troubleshooting, but it is also useful for seeing what the network normally looks like.
Take a Capture
Open up Wireshark, pick your network interface, and click the green fin to start the capture.
Capture Settings
You can control many of Wireshark's capture options. One nice feature is writing the capture out as a series of files, rolling over at a size limit or a time interval. As networks get busier, these capture files get pretty large, so this is a nice feature to have.
You can also load multiple capture files simultaneously.
Capture Syntax
Capture filters use BPF (Berkeley Packet Filter) syntax, the same syntax tcpdump and libpcap use. (Wireshark's display filters, applied after the capture, use a different syntax.)
The BPF syntax consists of primitives and operators.
Primitives consist of qualifiers and an ID.
Example:
<pre>
dst host 192.168.0.10 && tcp port 80
</pre>
First, the primitives and the operators:
<pre>
dst host 192.168.0.10 && tcp port 80
--------------------- -- -----------
primitive         operator primitive
</pre>
Now the qualifier and ID portion:
<pre>
dst host 192.168.0.10
--- ---- ------------
 |   |        |
 |   |        +-- ID
 |   +----------- qualifier (type: host)
 +--------------- qualifier (direction: dst)
</pre>
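As an added example (not part of the original wiki page), a small Python evaluator for the subset of BPF syntax shown above: it tokenizes a filter into primitives and operators, splits each primitive into its qualifiers and ID, and applies the result to a packet record. The qualifier sets and the packet dict fields (proto, src, dst, sport, dport) are assumptions of this toy; the real pcap-filter grammar is much larger.

```python
import re

# Qualifier vocabulary for this toy subset (constructed; not the full pcap-filter grammar).
DIRECTIONS = {"src", "dst"}
TYPES = {"host", "port"}
PROTOS = {"tcp", "udp"}

def tokenize(expr):
    """Split a whitespace-separated filter into words and the operators '&&' / '||'."""
    return re.findall(r"&&|\|\||\S+", expr)

def parse_primitive(tokens):
    """Consume qualifiers plus one ID from the front of tokens; return a dict."""
    prim = {"dir": None, "proto": None, "type": None, "id": None}
    while tokens and tokens[0] not in ("&&", "||"):
        tok = tokens.pop(0)
        if tok in DIRECTIONS:
            prim["dir"] = tok
        elif tok in PROTOS:
            prim["proto"] = tok
        elif tok in TYPES:
            prim["type"] = tok
        else:                       # anything else is the ID (address or port)
            prim["id"] = tok
            break
    if prim["id"] is None or prim["type"] is None:
        raise ValueError("primitive needs a type qualifier and an ID")
    return prim

def match_primitive(prim, pkt):
    """True if pkt (keys proto, src, dst, sport, dport) satisfies one primitive."""
    if prim["proto"] and pkt["proto"] != prim["proto"]:
        return False
    if prim["type"] == "host":
        sides = {"src": pkt["src"], "dst": pkt["dst"]}
    else:  # port
        sides = {"src": str(pkt["sport"]), "dst": str(pkt["dport"])}
    if prim["dir"]:
        return sides[prim["dir"]] == prim["id"]
    return prim["id"] in sides.values()   # no direction: either side matches

def matches(expr, pkt):
    """Evaluate expr against pkt; '&&' binds tighter than '||', as in pcap-filter."""
    tokens = tokenize(expr)
    or_terms = [[parse_primitive(tokens)]]   # list of AND-groups joined by OR
    while tokens:
        if tokens.pop(0) == "||":
            or_terms.append([])
        or_terms[-1].append(parse_primitive(tokens))
    return any(all(match_primitive(p, pkt) for p in term) for term in or_terms)
```

Calling matches("dst host 192.168.0.10 && tcp port 80", pkt) with a constructed TCP packet to 192.168.0.10 port 80 returns True, and swapping dst for src returns False.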