#PentesterPrep
- Home Lab Setup
- Passive Information Gathering
- Active Information Gathering
- Wireshark Fundamentals
- IPv6 Overview
- Vulnerability Identification & Analysis
- Common Services, Threats & Attacks
- Exploitation
- Post-Exploitation
- The Metasploit Framework
- Privilege Escalation Techniques
- Password Attacks
- Antivirus & Firewall Evasion
- Pivoting
- Wireless Testing
- Intro to Web Exploitation
- Buffer Overflows
- Capture the Flag (CTF)
One of our primary tools for passive/active information gathering is a program called a protocol analyzer or packet analyzer. Packet analyzers can take a file of captured data (known as a pcap file) and examine it in various ways to tell us more about the traffic between different machines on a network. The most popular packet analyzer is Wireshark, so let’s take a look at how it works and how to use it.
Wireshark is a tool every security professional should be comfortable with. At a minimum, you should understand capture filters, display filters, profiles, and how to filter for different services as well as identifying IPv6 traffic. This workshop is an introduction to network conversation statistics, threat hunting, and carving documents from .pcap files.
Capture Filters
Capture filters restrict which packets are captured in the first place, so you are not spending CPU time and disk space on traffic you do not want. They use the BPF syntax shared with tcpdump (lowercase keywords such as host, net, port, src, dst and not), which is a different language from Wireshark's display filters, and they cannot be changed while a capture is running. Anything a capture filter drops is never written to the file, so keep the capture filter broad when you are not yet sure what you are looking for and narrow the view later with a display filter.
To capture traffic to or from a specific host (host, net and port match either direction unless prefixed with src or dst):
host 10.0.6.187
To capture traffic to or from a range of IPs, in CIDR or netmask form:
net 10.0.6.0/24
net 10.0.6.0 mask 255.255.255.0
To capture only traffic whose source, or only traffic whose destination, is in that range:
src net 10.0.6.0/24
src net 10.0.6.0 mask 255.255.255.0
dst net 10.0.6.0/24
dst net 10.0.6.0 mask 255.255.255.0
To capture traffic on a specific port or range of ports, optionally limited to one transport protocol (keywords are lowercase: udp, not UDP):
port 23
portrange 1-1024
tcp portrange 1-1024
udp port 167
udp portrange 1-1000
To capture traffic to or from a specific host name (the name is resolved to its address once, when the filter is compiled; capture filters cannot match on URLs or on HTTP Host headers):
host www.cover6solutions.com
To exclude a specific type of traffic:
not port 23
not arp
To capture all IPv6 traffic, or only packets sent to the IPv6 all-nodes multicast address:
ip6
dst host ff02::1
Display Filters
Once you start capturing traffic, or open a saved .pcap, a display filter refines what is shown without discarding anything: clearing the filter brings every packet back. Display filters use Wireshark's own protocol.field syntax with ==, !=, and/&&, or/|| and !, which is not BPF, so a capture filter pasted into the display-filter bar is rejected (the bar turns red).
To display traffic to or from a specific IP address:
ip.addr == 10.0.6.187
To display traffic by source address or by destination address only:
ip.src == 10.0.6.187
ip.dst == 10.0.6.187
To display only the traffic exchanged between two specific hosts, in either direction (both spellings of the operators are accepted: and/&&, or/||):
ip.addr == 10.0.6.101 && ip.addr == 10.0.6.187
To display traffic to or from either of two addresses:
ip.addr == 10.0.6.187 or ip.addr == 10.0.6.212
To display a single protocol (a bare protocol name matches every packet in which Wireshark dissected that layer):
http
telnet
ipv6
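The capture-filter and display-filter sections above describe two different stages of the same workflow. The following added example (mine, not the workshop's or Wireshark's code) makes that split concrete with nothing but the Python standard library: it writes and reads a classic pcap file, applies a predicate at write time to model a capture filter such as not arp, and applies predicates to the parsed packets to model display filters such as ip.addr == 10.0.6.187 and the Statistics > Conversations view. The addresses follow the page's 10.0.6.0/24 lab; the MAC addresses, ports and payloads are made up, and the six sample packets are constructed in code rather than captured.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
DLT_EN10MB = 1            # link-layer type: Ethernet

def eth(ethertype, payload):  # Ethernet II with made-up MACs; 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):  # 20-byte header, checksum left zero (Wireshark only flags it)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return eth(0x0800, hdr + payload)

def tcp(src, dst, sport, dport, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4(src, dst, 6, seg + payload)

def udp(src, dst, sport, dport, payload=b""):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def ipv6_udp(src, dst, sport, dport, payload=b""):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    addrs = socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
    return eth(0x86DD, struct.pack("!IHBB", 0x60000000, len(seg), 17, 64) + addrs + seg)

def decode(frame):  # dissect one frame into Wireshark-style field names, enough for the filters below
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth.type": etype, "arp": etype == 0x0806}
    if etype == 0x0800:
        pkt["ip.proto"] = frame[23]
        pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    elif etype == 0x86DD:
        pkt["ip.proto"] = frame[20]   # IPv6 "next header"
        pkt["ipv6.src"], pkt["ipv6.dst"] = (socket.inet_ntop(socket.AF_INET6, frame[i:i + 16]) for i in (22, 38))
        l4 = frame[54:]
    else:
        return pkt
    if pkt["ip.proto"] in (6, 17):
        name = "tcp" if pkt["ip.proto"] == 6 else "udp"
        pkt[name + ".srcport"], pkt[name + ".dstport"] = struct.unpack("!HH", l4[:4])
    return pkt

def write_pcap(frames, capture_filter=lambda pkt: True):
    # Capture-filter model: frames failing the predicate are never written, so they are gone for good.
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):
        if capture_filter(decode(frame)):
            out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    # Classic pcap in either byte order; pcapng (magic 0x0A0D0D0A) is a different format and is rejected.
    magic, = struct.unpack("<I", data[:4])
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end, pkts, off = ("<" if magic == PCAP_MAGIC else ">"), [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkts.append(decode(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return pkts

def display_filter(pkts, pred):  # display-filter model: hides non-matching packets, discards nothing
    return [p for p in pkts if pred(p)]

def ip_addr_eq(p, a):      # ip.addr == a, matches either direction
    return a in (p.get("ip.src"), p.get("ip.dst"))

def ip_addr_any_ne(p, a):  # ip.addr != a under the older "any address differs" semantics
    return any(v != a for v in (p.get("ip.src"), p.get("ip.dst")) if v is not None)

def conversations(pkts):   # Statistics > Conversations (IPv4): packets per unordered address pair
    return Counter(tuple(sorted((p["ip.src"], p["ip.dst"]))) for p in pkts if "ip.src" in p)

# Constructed traffic: telnet login, web request, DNS query, ARP request (body zeroed), UDP to IPv6 all-nodes.
SAMPLE = [
    tcp("10.0.6.101", "10.0.6.187", 51000, 23, b"login: "),
    tcp("10.0.6.187", "10.0.6.101", 23, 51000, b"root\r\n"),
    tcp("10.0.6.212", "10.0.6.187", 51001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    udp("10.0.6.101", "10.0.6.1", 5353, 53),
    eth(0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)),
    ipv6_udp("fe80::1", "ff02::1", 40001, 9999),
]

def demo():
    full = read_pcap(write_pcap(SAMPLE))
    not_arp = read_pcap(write_pcap(SAMPLE, lambda p: not p["arp"]))   # capture filter "not arp"
    host = lambda p: ip_addr_eq(p, "10.0.6.187")
    return {
        "captured": len(full), "captured_not_arp": len(not_arp),
        "ip.addr == 10.0.6.187": len(display_filter(full, host)),
        "ip.addr != 10.0.6.187 (any-ne)": len(display_filter(full, lambda p: ip_addr_any_ne(p, "10.0.6.187"))),
        "!(ip.addr == 10.0.6.187)": len(display_filter(full, lambda p: not host(p))),
        "conversations": conversations(full),
    }
```

Calling demo() shows that the capture filter leaves five of the six packets on disk permanently, whereas every display filter still sees all six. It also reproduces a classic pitfall: under the older "any address differs" semantics, ip.addr != 10.0.6.187 matches all four IPv4 packets, including the three that involve that host, because the other address differs; !(ip.addr == 10.0.6.187) is the form that behaves as intended in every Wireshark release. The same split on the command line is tshark -i eth0 -f 'not arp' -w lab.pcap (BPF capture filter while capturing) versus tshark -r lab.pcap -Y '!(ip.addr == 10.0.6.187)' (display filter over the saved file).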