WIRESHARK

Understanding Wireshark 

Disclaimer 

Contains:

How to Save the captured packets as "pcapng" extensions. 

How to use Filters.

How to use Statistics Menu.

How to use MaxMind database and Endpoints Maps.

Reference 

  • GeoLite2 Free Geolocation Data: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
  • Wireshark basics by Chris Greer

*******************************

Understanding Wireshark 

How to Save the captured packets as "pcapng" extensions

Before starting to capture packets, 

Capture -> options

output format -> pcapng

Create new files automatically with 2 files, small size of 500Mb. This options can be used to create smaller files for easier analysis

Saving the capture in small pcap files for analysis
Saving the capture in small pcap files for analysis 

How to use Filters:


Two types of filters can be used,

Before Capture

  • Capture Filters

Before starting the capture, Setting up filter criteria before starting the capturing of the packets.

  • e.g. TCP - only the TCP packets will be captured and no other packet information's will be captured

  • Sample filters, port 80, port 53, host 192.168.1.5

After capture

After capturing the packets, these display filters are applied. 

Display filters

CConversation Filters

Simple filter options:
  • Arp
  • Ip
  • Ip.addr == 192.168.1.5
    Conversation Filters
    Conversation Filters

Prepare as a Filter


Will have option to add along with conversation filter options
  • (ip.addr eq 192.168.1.157 and ip.addr eq 513.184.133.58) && (tcp)

Prepare as a Filter
Prepare as a Filter


Not filter:

  • not arp
  • not(arp or ipv6)
  • Tcp.port in{80 443 8080}
  • !(arp or stp or lldp or cdp or tcp)

Text Filters

  • Case sensitive: - frame contains google 
Non-case sensitive : frame matches google


How to use Statistics Menu 

Statistics menu option

Statistics -> Resolved Addresses :- 

Name Resolution:

Resolve Mac address, when enabled this will get the available names of the mac address
Use captures DNS:- will provide name of the DNS rather than IP address

Statistics Resolved Addresses
Statistics -> Resolved Addresses

Adding custom name to the IP address

Known IP address can be named for easy understanding, like server, desktop, gateway

  • Right click on the IP address and select edit resolved names  add a name 

Adding Custom names IP address


Name resolution Block

View menu ->  reload as File format/capture 
This view provides the consolidated view of the known IP-address

name resolution block


Statistics -> conversations


    This window will provide the overall summary of packets happening between addresses, bytes, ports and more. This view allows to understand what's going on with between the IP-address. 

  • If there is any malicious activity or port scanning can be found using this summary table. 
  • Filter option: Right click on any address and select apply as filter to get conversation b/w the 2addresses 


Statistics -> conversations
Statistics -> conversations

How to use MaxMind database and Endpoints Maps:


Geo location:

Download the file - free version from - dev.Maxmind.com [geo2lite free geolocation data]

  • Edit -> preferences -> MaxMindDatabase -> selected the download file


MaxMindDatabase
MaxMindDatabase

Statistics ->Endpoint -> map ->open on browser


Endpoint-Maps
Endpoint-Maps

IP address are mapped based on the geo location on the Map

map
map


Under the Internet protocol layer from the captured packets, The destination GEO IP is displayed.


source GEO IP
source GEO IP


The same can be used as display filter.

  • Right click on the “source GeoIP” set as selected filter :-  ip.geoip.src_country == "United States"

******************************

Comments

Post a Comment

Popular Posts

HOME LAB : HANDS-ON

Image
HOME LAB : HANDS-ON Disclaimer Home LAB Lamma AI https://www.gouti1454.com/p/llama-ai.html This post covers some useful tips and tricks for extracting YouTube transcripts and using the Fabric framework. The topics include: How to extract YouTube transcripts using the Fabric framework. How to generate summaries and extract insights from these transcripts with Fabric. An introduction to Fabric, an open-source framework that uses AI to help augment human capabilities. Step-by-step instructions for downloading and installing the Fabric framework. Installing the OLLAMA AI model. Creating shortcuts for easy copy and paste. Running AI queries to extract YouTube transcripts. Saving YouTub...
Read more

Multifactor authentication Updated for 2024

Table of Contents How to keep your Accounts safe Google: 2024 Multi-Factor Authentication: 2024: 2-Step Verification Settings 2024: Enhanced Browsing  2024 Dark web report Enable the Dark web report to get info on any data breaches. Facebook: Twitter: https://www.gouti1454.com/2017/05/enable-additional-security-layer-for.html
Read more

Chennai :MTC complaint cell Customer Care No.:+91-9445030516 /Toll Free : 18005991500

MTC  website :  https://mtcbus.tn.gov.in/ Phone : +91 9445030516 / 044 23455888 Customer Care No.:+91-9445030516 /Toll Free : 18005991500 phone 044 - 23455888 customercare.mtc@tn.gov.in <customercare.mtc@tn.gov.in>; Route Information : https://mtcbus.tn.gov.in//Home/routewiseinfo Bus timing search : https://mtcbus.tn.gov.in/Home/bustimingsearch Route wise info :https://mtcbus.tn.gov.in/Home/routewiseinfo The Metropolitan Transport Corporation’s (MTC) complaint cell has received over 100 complaints ever since it was upgraded from a 12-hour facility to a 24-hour service.   The numbers — 044-23455858, 9445030516 and 9383337639 — have been functioning as MTC’s helpline for the past couple of years.
Read more