Wireshark
From charlesreid1
Take advantage of the fact that it's legal in every country to profile protocols and products.
The Basics
Wireshark is a packet analysis tool. It allows you to capture packets and analyze them live, or load captures from another session. You can also use its very handy filter functions to look for specific packets - based on destination, target, type, time, payload, etc.
Wireshark has a nice GUI and can show you some amazing things about network traffic. However, Wireshark is also memory-intensive, and is pretty slow on Mac. It's worth it.
Packet Captures
Capturing packets on a network is useful for troubleshooting, but it is also useful for seeing what the network normally looks like.
Take a Capture
Open up Wireshark, pick your network interface, and click the green fin to start the capture.
Capture Settings
You can control many of Wireshark's capture options. One nice feature is writing the capture out as a series of files split by size or by time; as networks get busier, capture files get large quickly, so this is a handy option to have.
You can also load multiple capture files simultaneously.
Filtering Captures: Syntax
To filter out packets at the wireless card level and reduce the CPU load during a capture, you can use capture filters written in the Berkeley Packet Filter (BPF) syntax.
The BPF syntax consists of primitives and operators.
Primitives consist of qualifiers and an ID.
Examples
Here's an example that would only look for packets to a certain host and port (port 80 is HTTP traffic):
dst host 192.168.0.10 && tcp port 80
The syntax consists of primitives and operators. A primitive is something like dst host 192.168.0.10 or tcp port 80. An operator is something like &&.
The primitive itself consists of qualifiers and IDs. The primitive dst host 192.168.0.10 has the qualifiers dst and host, and the ID 192.168.0.10.
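The decomposition above can be carried out mechanically. The following parser is an added illustration, not code from this wiki; it splits a flat BPF expression (no parentheses) into primitives and operators, and each primitive into its qualifiers and ID, using the qualifier vocabulary of the pcap-filter grammar. The qualifier sets it recognises are a subset chosen for the example.

```python
"""Break a BPF capture filter into primitives, operators, qualifiers and IDs.
Added illustration, not code from the charlesreid1 wiki page; it follows the
page's breakdown of `dst host 192.168.0.10 && tcp port 80`."""
from dataclasses import dataclass, field
from typing import Optional

# Qualifier vocabulary (subset of the pcap-filter grammar): type / direction / protocol.
TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
DIR_QUALIFIERS = {"src", "dst"}
PROTO_QUALIFIERS = {"ether", "ip", "ip6", "arp", "tcp", "udp", "icmp"}
QUALIFIERS = TYPE_QUALIFIERS | DIR_QUALIFIERS | PROTO_QUALIFIERS
# Both spellings BPF accepts for each logical operator map to one canonical name.
OPERATORS = {"&&": "and", "and": "and", "||": "or", "or": "or", "!": "not", "not": "not"}


@dataclass
class Primitive:
    qualifiers: list = field(default_factory=list)  # e.g. ["dst", "host"]
    id: Optional[str] = None                         # e.g. "192.168.0.10"; None for a bare "tcp"


def parse_bpf(expr: str) -> list:
    """Return a list alternating Primitive objects and operator names ('and', 'or', 'not')."""
    items, current = [], Primitive()

    def close():
        # A primitive may end without an ID only if it is a bare protocol such as "tcp".
        nonlocal current
        if not current.qualifiers:
            return
        if current.id is None and not all(q in PROTO_QUALIFIERS for q in current.qualifiers):
            raise ValueError(f"primitive {' '.join(current.qualifiers)!r} is missing its ID")
        items.append(current)
        current = Primitive()

    for tok in expr.split():
        if tok in OPERATORS:
            close()
            items.append(OPERATORS[tok])
        elif tok in QUALIFIERS:
            current.qualifiers.append(tok)
        else:
            # Anything else (address, network, port number) is the ID that completes the primitive.
            if not current.qualifiers:
                raise ValueError(f"ID {tok!r} has no qualifier before it")
            current.id = tok
            close()
    close()
    if not items:
        raise ValueError("empty filter")
    return items


if __name__ == "__main__":
    for item in parse_bpf("dst host 192.168.0.10 && tcp port 80"):
        print(item)
```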
Filtering Packets
If your wireless card and CPU can handle a large amount of traffic, it is usually better to capture everything and use display filters to show different packets, instead of applying capture filters at capture time. Capture filters are better if you're targeting your capture at a specific range of devices, a specific channel, or particular protocols.
Use the filter expression dialog to create packet display filters.
Operators and Filter Expressions
You can use several comparison operators and logical operators when constructing the display filter.
Comparison Operators (each has a symbolic and a keyword form):
- == (eq): equal to
- != (ne): not equal to
- > (gt): greater than
- < (lt): less than
- >= (ge): greater than or equal to
- <= (le): less than or equal to
Logical Operators:
- && (and)
- || (or)
- ^^ (xor)
- ! (not)
Related Pages
Advanced Wireshark Stuff: Wireshark/Advanced
Examples:
Wireshark can be used to analyze network traffic in detail: Wireshark/Traffic Analysis
Wireshark can be used to sniff HTTPS traffic: Wireshark/HTTPS