Wireshark Fundamentals

cover6 November 9, 2019

In cybersecurity, protocol analyzers, commonly known as packet analyzers, serve as indispensable tools for both passive and active information gathering. These analyzers dissect captured data files, termed ‘pcap files’, shedding light on the intricate traffic interactions between networked devices.

Enter Wireshark: The Gold Standard of Packet Analyzers

Wireshark stands out as the most renowned packet analyzer, and for good reason. Every cybersecurity enthusiast, novice, or expert should fully grasp its functionalities. At its core, Wireshark offers capabilities such as capture filters, display filters, profiles, and specialized filters for services and IPv6 traffic identification. This workshop aims to provide a foundational understanding of network conversation statistics, threat-hunting techniques, and the art of extracting documents from .pcap files.

Capture Filters: Precision in Data Capture

Capture filters let you capture only specific types of traffic, which conserves processing power and storage.

  • Specific Host Traffic: host 10.0.6.187
  • IP Range Traffic: net 10.0.6.0/24 or net 10.0.6.0 mask 255.255.255.0
  • Source or Destination Range Traffic: Use src net or dst net followed by the IP range.
  • Specific Port or Port Range Traffic: Examples include port 23, portrange 1-1024, and udp port 167.
  • Specific URL or Host Traffic: host www.cover6solutions.com
  • Excluding Specific Traffic: Use not followed by the traffic type, e.g., not port 23 or not arp.
  • IPv6 Traffic Types: Examples include ip6 and dst host ff02::1.
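The matching rules behind the capture-filter primitives listed above, as an added example that is not part of the original lesson. It is a small Python re-implementation for illustration, not libpcap or Wireshark code; the frames are constructed sample traffic, and the helper names (frame, parse, host, net, portrange, not_, matched) are hypothetical.

```python
import ipaddress
import struct

def frame(src, dst, proto, sport, dport):
    """Constructed Ethernet + IPv4 + first 8 bytes of TCP/UDP (checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip + struct.pack("!HHI", sport, dport, 0)

def parse(raw):
    """Return (src, dst, proto, sport, dport) from a raw IPv4 TCP/UDP frame."""
    ihl = (raw[14] & 0x0F) * 4                        # IPv4 header length in bytes
    src = ipaddress.ip_address(raw[26:30])
    dst = ipaddress.ip_address(raw[30:34])
    sport, dport = struct.unpack("!HH", raw[14 + ihl:18 + ihl])
    return src, dst, raw[23], sport, dport

# Each primitive returns a predicate over a parsed packet tuple.
def host(ip):                                         # host X: source OR destination
    a = ipaddress.ip_address(ip)
    return lambda p: a in (p[0], p[1])

def net(cidr, side=None):                             # net / src net / dst net
    n = ipaddress.ip_network(cidr)
    return lambda p: (side != "dst" and p[0] in n) or (side != "src" and p[1] in n)

def portrange(lo, hi, proto=None):                    # port N is portrange N-N
    return lambda p: ((proto is None or p[2] == proto)
                      and (lo <= p[3] <= hi or lo <= p[4] <= hi))

def not_(f):                                          # not <primitive>
    return lambda p: not f(p)

FRAMES = [  # constructed sample traffic (6 = TCP, 17 = UDP)
    frame("10.0.6.101", "10.0.6.187", 6, 50000, 23),
    frame("10.0.6.187", "10.0.6.212", 6, 50001, 80),
    frame("10.0.6.212", "192.0.2.53", 17, 40000, 53),
    frame("192.168.1.5", "10.0.6.187", 17, 40001, 167),
    frame("192.168.1.5", "192.168.1.9", 6, 50002, 8080),
]

def matched(pred):
    """Indexes of the constructed frames the filter would keep."""
    return [i for i, raw in enumerate(FRAMES) if pred(parse(raw))]

if __name__ == "__main__":
    print("host 10.0.6.187 ->", matched(host("10.0.6.187")))
    print("not port 23     ->", matched(not_(portrange(23, 23))))
```

Unqualified host, net and port match in either direction, while src net and dst net look at one side only, which is why the same /24 keeps different frames depending on the qualifier.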

Display Filters: Refining Your Capture View

Post-capture, Wireshark’s display filters come into play, allowing you to fine-tune the captured data’s display.

  • Specific IP Traffic: ip.addr == 10.0.6.187
  • Specific Source or Destination IP: Use ip.src == or ip.dst == followed by the IP address.
  • Traffic Between Two IPs: ip.addr == 10.0.6.101 && ip.addr == 10.0.6.187
  • Multiple IP Traffic: ip.addr == 10.0.6.187 or ip.addr == 10.0.6.212
  • Specific Traffic Types: Examples include http, telnet, and ipv6.
