One of our primary tools for passive/active information gathering is a program called a protocol analyzer or packet analyzer. Packet analyzers can take a file of captured data (known as a pcap file) and examine it in various ways to tell us more about the traffic between different machines on a network. The most popular packet analyzer is Wireshark, so let’s take a look at how it works and how to use it.
Wireshark is a tool every security professional should be comfortable with. At a minimum, you should understand capture filters, display filters, profiles, and how to filter for different services as well as identifying IPv6 traffic. This workshop is an introduction to network conversation statistics, threat hunting, and carving documents from .pcap files.
Capture filters allow you to capture specific types of traffic, this prevents the capture of packets you don’t want, thus not wasting valuable processing power and hard drive space.
To capture traffic from a specific host:
To capture traffic from a range of IPs:
net 10.0.6.0 mask 255.255.255.0
To capture traffic from only the source or destination range:
src net 10.0.6.0/24
src net 10.0.6.0 mask 255.255.255.0
dst net 10.0.6.0/24
dst net 10.0.6.0 mask 255.255.255.0
To capture traffic from a specific port or range of ports:
tcp portrange 1-1024
UDP port 167
UDP portrange 1-1000
To capture traffic from a specific URL or host:
To exclude a specific type of traffic:
not port 23
To capture various types of IPv6 traffic:
dst host ff02::1
Once you start capturing traffic, you can then refine your capture results by using a display filter.
To display traffic from a specific IP address:
ip.addr == 10.0.6.187
To display traffic from a specific source or destination IP address:
ip.src == 10.0.6.187
ip.dst == 10.0.6.187
To display source and destination traffic between two specific IP addresses:
ip.addr == 10.0.6.101 && ip.addr == 10.0.6.187
To display traffic from multiple IP addresses:
ip.addr == 10.0.6.187 or ip.addr == 10.0.6.212
To display a specific type of traffic: