Lesson 6 of 12
In Progress

Wireshark Fundamentals

One of our primary tools for passive/active information gathering is a program called a packet analyzer or packet sniffer. Packet analyzers can take a file of captured data (known as a pcap file) and examine it in various ways to tell us more about the traffic between different machines on a network. The most popular packet analyzer is Wireshark, so let’s take a look at how it works and how to use it.

Wireshark is a tool every security professional should be comfortable with. At a minimum, you should understand capture filters, display filters, profiles, and how to filter for different services as well as identifying IPv6 traffic. Our workshop is an introduction to network conversation statistics, threat hunting, and carving documents from .pcap files.

Capture Filters

Capture filters allow you to capture specific types of traffic, this prevents the capture of packets you don’t thus not wasting valuable processing power and hard drive space.

To capture traffic from a specific host:

host 10.0.6.187

To capture traffic from a range of IPs:

net 10.0.6.0/24
net 10.0.6.0 mask 255.255.255.0

To capture traffic from only the source or destination range:

src net 10.0.6.0/24
src net 10.0.6.0 mask 255.255.255.0
dst net 10.0.6.0/24
dst net 10.0.6.0 mask 255.255.255.0

To capture traffic from a specific port or range of ports:

port 23
portrange 1-1024
tcp portrange 1-1024
UDP port 167
UDP portrange 1-1000

To capture traffic from a specific ur or host:

host www.cover6solutions.com

To exclude a specific type of traffic:

not port 23
not arp
To capture various types of IPv6 traffic:
ip6
dst host ff02::1

Reference(s):

Display Filters

Once you already start capturing traffic you can scan still fine tune by using a display filter.

To display traffic from a specific IP address:

ip.addr == 10.0.6.187

To display traffic from a specific source or destination IP address:

ip.src == 10.0.6.187
ip.dst == 10.0.6.187

To display source and destination traffic between two specific IP addresses:

ip.addr == 10.0.6.101 && ip.addr == 10.0.6.187

To display traffic from multiple IP addresses:

ip.addr == 10.0.6.187 or ip.addr == 10.0.6.212

To display a specific type of traffic:

http
telnet
ipv6

Reference(s):