Objectives

You will learn how to install Wireshark and capture traffic with it.

You will be familiar with various Wireshark filters.

Why you need to know

Traffic flowing through a network carries many kinds of data. Understanding the packets flowing through the network with command-line tools alone is tedious, and it is difficult to pick out the traffic you need from everything passing by live. As a network admin, you need Wireshark installed to monitor and capture network traffic.

What is Wireshark

Wireshark is a network packet analyzer, which is used to capture network packets and display packet data in detail.

Network topology

Demo

1: Log in to the Domain Controller

2: Install Wireshark

3: Open it and choose your Ethernet interface. I chose Internet.

4: Wireshark has three main panes.

The packet list pane displays the captured packets. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details of that packet are shown in the details pane and the bytes pane.

5: The packet bytes pane shows the data of the current packet in hexdump style. This is all you need to configure Wireshark to capture network traffic.

6: Now we analyze the packets using different filters in Wireshark.

7: To view HTTP packets, type http in the Apply a display filter field.

8: To view TCP packets, type tcp in the Apply a display filter field.

9: To view ARP packets, type arp in the Apply a display filter field.

10: You can also filter on the source and destination IP address. To view traffic originating from or destined to a specific IP address, type

ip.addr == IP address

192.168.3.1 is my home router

11: To view traffic originating from a specific IP address, type

ip.src == IP address

This filter shows you the traffic generated by the source IP address you specified.

12: To view traffic destined to a specific IP address, type

ip.dst == IP address

13: To view traffic whose address is higher than a specific IP address, use the > comparison operator together with the IP address filter.

Apply the filter ip.dst > IP address to find packets whose destination IP address is numerically greater than the address you specify.

14: To view traffic originating from or destined to a TCP port, type tcp.port == 80

15: To view traffic originating from a specific port, type tcp.srcport == 443 (port number). To view traffic destined to a specific port, type tcp.dstport == 443

16: You can also combine the port filter with various conditional operators to narrow the traffic to what interests you.

!(tcp.port == port number)

This shows the packets that are not traversing the specified port.

17: To view traffic that contains a given string,

http contains {string}

Enclose the string in double quotes. This applies to character strings, not numeric values: it searches for the sequence of characters given in the filter.

18: To view HTTP traffic whose request header fields (referer or host) contain a specific string,

http.referer contains {string}

19: You can also filter traffic on a specific pattern. The pattern is matched against the contents of the field.

http.accept matches {pattern}

20: To view traffic originating from a specific set of IP addresses, use the membership operator, which compares the IP address field against a set of values.

ip.src in {IP address 1 IP address 2}

21: To view TCP traffic in which a specific TCP flag is set,

tcp.flags & [flag code]

For example, use flag code 0x002 to find packets with the SYN flag set and 0x010 to find packets with the ACK flag set.

22: You can combine one or more conditional and logical operators to find the traffic of your interest. For example, you can apply an ICMP filter for traffic originating from and destined to specific IP addresses with request type 8 and checksum value 0x4d53.

icmp.type == 8 && icmp.checksum == 0x4d53 && ip.src == 192.168.3.1 && ip.dst == 192.168.3.11

23: Similarly, you can use the logical OR operator. To count the packets that reference a particular URL or are referred by a particular URL, browse a website of your choice and apply

http.user_agent == "youtube.com" or http.host == "wordpress"
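The filter steps above, as an added example that is not part of the original page: a small Python model of how the display-filter operators behave (bit test versus exact match on tcp.flags, numeric and membership tests on addresses, contains versus matches, negation, and an && combination), run over constructed packet records that stand in for the fields Wireshark dissects. The packets, the dict layout keyed by Wireshark field names, and the helper function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample packets (not a real capture). Each dict holds the fields Wireshark
# would dissect for that packet; packet 4 is ICMP, so it carries no tcp.* fields at all.
PACKETS = [
    {"ip.src": "192.168.3.1",  "ip.dst": "192.168.3.11", "tcp.srcport": 51000, "tcp.dstport": 80,    "tcp.flags": 0x002},
    {"ip.src": "192.168.3.11", "ip.dst": "192.168.3.1",  "tcp.srcport": 80,    "tcp.dstport": 51000, "tcp.flags": 0x012},
    {"ip.src": "192.168.3.11", "ip.dst": "192.168.3.1",  "tcp.srcport": 443,   "tcp.dstport": 51001, "tcp.flags": 0x018,
     "http.host": "wordpress.example"},
    {"ip.src": "10.0.0.5",     "ip.dst": "192.168.3.20", "tcp.srcport": 52000, "tcp.dstport": 8080,  "tcp.flags": 0x010},
    {"ip.src": "192.168.3.1",  "ip.dst": "192.168.3.11", "icmp.type": 8, "icmp.checksum": 0x4d53},
]
SYN = 0x002  # tcp.flags bit for SYN (ACK is 0x010)
# Each function is the Python equivalent of the Wireshark display filter in its comment.
def syn_set(p):                  # tcp.flags & 0x002 : bit test, so SYN and SYN/ACK both match
    return (p.get("tcp.flags", 0) & SYN) != 0

def syn_only(p):                 # tcp.flags == 0x002 : exact value, so SYN/ACK does not match
    return p.get("tcp.flags") == SYN

def port(p, n):                  # tcp.port == n : true when either the source or the destination port is n
    return n in (p.get("tcp.srcport"), p.get("tcp.dstport"))

def not_port(p, n):              # !(tcp.port == n) : also passes packets that have no TCP port at all
    return not port(p, n)

def dst_above(p, addr):          # ip.dst > addr : addresses are compared numerically
    return ipaddress.ip_address(p["ip.dst"]) > ipaddress.ip_address(addr)

def src_in(p, addrs):            # ip.src in {a b} : membership test against a set of addresses
    return ipaddress.ip_address(p["ip.src"]) in {ipaddress.ip_address(a) for a in addrs}

def host_contains(p, s):         # http.host contains "s" : literal substring search
    return s in p.get("http.host", "")

def host_matches(p, pattern):    # http.host matches "pattern" : regular-expression search
    return re.search(pattern, p.get("http.host", "")) is not None

def echo_request(p, src, dst):   # icmp.type == 8 && ip.src == src && ip.dst == dst
    return p.get("icmp.type") == 8 and p["ip.src"] == src and p["ip.dst"] == dst

def apply(pred, *args):
    """Indexes of the packets that pass the filter, i.e. what Wireshark's packet list would show."""
    return [i for i, p in enumerate(PACKETS) if pred(p, *args)]

if __name__ == "__main__":
    print("SYN bit set:", apply(syn_set), " SYN only:", apply(syn_only))
    print("!(tcp.port == 80):", apply(not_port, 80))  # the ICMP packet (index 4) is included
```

The negated port filter is the one to watch: because the ICMP packet has no tcp.port field, !(tcp.port == 80) lets it through, so a negation selects more than just the other TCP conversations.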

Conclusion

You learned how to use various Wireshark filters to view the details of captured traffic.