---
title: Introduction to Wireshark
image: https://i.imgur.com/31DL5r6.png
---

:::warning
# <center><i class="fa fa-book"></i> Introduction to Wireshark </center>
:::

###### tags: `study` `Wireshark`

![](https://i.imgur.com/31DL5r6.png)

:::success
**🎯 Goals:**
- [x] <a href="#Module-1-Brief-introduction-to-Wireshark">Brief introduction to Wireshark</a>
- [x] <a href="#Module-2-Brief-introduction-to-TShark">Brief introduction to TShark</a>
- [x] <a href="#1-windows-Operation-practice">[windows] Operation practice</a>
- [x] <a href="#3-Linux-TShark-Operation-practice">[Linux] Operation practice</a>
- [x] <a href="#2-Install-TShark-on-Ubuntu-2004">Install TShark on Ubuntu 20.04</a>
- [ ] <a href="">Summary</a>
:::

:::info
:bookmark: **Reference:**
- [Wiki - Wireshark](https://zh.wikipedia.org/wiki/Wireshark)
- [Download Wireshark](https://www.wireshark.org/download.html)
- [[video] Teaching YT: Wireshark - Network Packet Analysis Tool | Network Packet Transcript](https://www.youtube.com/watch?v=Y0u5tDpo5uQ)
- [[video] Teaching YT: Capture packets and view the headers and contents of the packets](https://www.youtube.com/watch?v=2yUiBr1Vf3E)
- [[video] Teaching YT: Information Security and Wireshark](https://www.youtube.com/watch?v=vV9e_KrWxQU)
- [[video] Wireshark Decode As Example](https://www.networkdatapedia.com/post/2017/12/27/wireshark-decode-as-example)
- [Using Wireshark on Linux](https://opensource.com/article/20/1/wireshark-linux-tshark)
- [TShark official document](https://tshark.dev/setup/install/)
- [Install TShark](https://lindevs.com/install-tshark-on-ubuntu/)
- [Useful commands on TShark](https://ithelp.ithome.com.tw/articles/10196772)
:::

[toc]

# Module 1: Brief introduction to Wireshark

## 1.1 An open source network packet analyzer
<!-- ![](https://i.imgur.com/alBJY4J.png) -->
<!-- https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana -->
![](https://i.imgur.com/Qur5OGA.png)

- Packet data can be captured from a network interface **in real time**.
- When analyzing with the software, a **filter command** narrows the capture down to the information you want.

## 1.2 Network packet

- **A network packet** is the ==smallest unit== that today's networks use to transmit data.
- A packet consists of a **header and data** (the payload).

![](https://i.imgur.com/q9vdjKp.png)

# Module 2: Brief introduction to TShark

![](https://i.imgur.com/Xm2Sldo.png =150x)
![](https://i.imgur.com/i2JeNSF.png =400x)

**TShark is a command line tool for analyzing network traffic.**
- It captures packets from a network interface and prints them to standard output.
- TShark is the command line version of Wireshark, for use when a graphical user interface isn't available.

![](https://i.imgur.com/X08beuz.png)

# ➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖

# 1. [windows] Operation practice

## 1.1 Ping (icmpv6)

![](https://i.imgur.com/gHWZcss.png)
![](https://i.imgur.com/Z3C4Pnz.png)

## 1.2 GET Web Data

![](https://i.imgur.com/e8PfFRy.png)

- Display filter for the web server (IP address: 140.118.242.219); `ip.addr` matches the address whether it is the source or the destination of the packet:
```cmd=
ip.addr == 140.118.242.219
```

![](https://i.imgur.com/YZRkG8t.png)

**==Only the packets to be analyzed are listed==**

## 1.3 Decode As

Decode As tells Wireshark which protocol dissector to apply to a conversation, for example when a service runs on a non-standard port.

- [[video] Wireshark Decode As Example](https://www.networkdatapedia.com/post/2017/12/27/wireshark-decode-as-example)

# 2. Install TShark on Ubuntu 20.04

## 2.1 step: Install

1. Add the Wireshark and TShark repository:
2. Install TShark:

```cmd=
sudo -i
sudo add-apt-repository -y ppa:wireshark-dev/stable
sudo apt install -y tshark
```

![](https://i.imgur.com/FQfQPQe.png)

> During installation you will be asked whether non-root users should be allowed to capture packets. Select the "Yes" option.
> It adds a `wireshark` group, and anyone who is a member of this group can capture packets without being the root user. Membership of that group grants the ability to read all traffic on the host's interfaces, so treat it as a privileged group and limit it to the accounts that need it. The `Running as user "root"` warning that TShark prints when started from a root shell (as in the output below) is exactly what the group is meant to avoid.

## 2.2 step: Check install

- command:
```cmd=
tshark --version
```
- Result:
```cmd=
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 3.6.5 (Git v3.6.5 packaged as 3.6.5-1~ubuntu20.04.0+wiresharkdevstable)

Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 9.4.0, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.64.6, with zlib 1.2.11, with Lua 5.2.4, with GnuTLS 3.6.13
and PKCS #11 support, with Gcrypt 1.8.5, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.40.0, with brotli, with LZ4, with Zstandard, with Snappy,
with libxml2 2.9.10, with libsmi 0.4.8.

Running on Linux 5.4.0-122-generic, with Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
(with SSE4.2), with 32112 MB of physical memory, with GLib 2.64.6, with zlib
1.2.11, with libpcap 1.9.1 (with TPACKET_V3), with c-ares 1.15.0, with GnuTLS
3.6.13, with Gcrypt 1.8.5, with nghttp2 1.40.0, with brotli 1.0.7, with LZ4 1.9.2,
with Zstandard 1.4.4, with libsmi 0.4.8, with LC_TYPE=C.UTF-8, binary plugins
supported (0 loaded).
```

## 2.3 step: Find network interfaces

We can list the network interfaces available to TShark with:
```cmd=
tshark -D
```

## 2.4 step: Execute (Start capturing)

```cmd=
tshark
```

### 2.4.1 The `-i` option

Captures packets on a specific network interface.
- Accepts either the interface name or its number as listed by `tshark -D`

```cmd=
tshark -i ens33
```

### 2.4.2 The `-c` option

Sets the number of packets to capture before TShark stops.
```cmd=
tshark -c 20
```

### 2.4.3 The `-w` option, `-r` option

`-w` saves the capture to a named file; `-r` reads a saved file back instead of capturing live.
```cmd=
tshark -w test.pcap
```

### 2.4.4 Filter

`-f` sets a capture filter in libpcap (BPF) syntax, applied while packets are being captured. This is a different syntax from the Wireshark display filter (`ip.addr == ...`) used in section 1.2, although `host x.x.x.x` likewise matches the address as either source or destination.
```cmd=
tshark -i ... -f "host x.x.x.x"
```

## 2.5 Uninstall TShark

```cmd=
sudo apt purge --autoremove -y tshark
```

# 3. [Linux] TShark Operation practice

- **Execution screen:**
- ![](https://i.imgur.com/ICwPpyq.png)

```cmd=
root@ric-yuehhuan:~# tshark
Running as user "root" and group "root". This could be dangerous.
Capturing on 'vethe9ecccef'
 ** (tshark:223894) 16:47:49.513470 [Main MESSAGE] -- Capture started.
 ** (tshark:223894) 16:47:49.513547 [Main MESSAGE] -- File: "/tmp/wireshark_vethe9ecccefAMGNP1.pcapng"
    1 0.000000000   10.244.0.1 → 10.244.0.31  TCP 7056 724 → 2049 [PSH, ACK] Seq=1 Ack=1 Win=24565 Len=6990 TSval=1407872849 TSecr=1094265745 [TCP segment of a reassembled PDU]
    2 0.000036312   10.244.0.1 → 10.244.0.31  NFS 6452 V3 WRITE Call, FH: 0xc7ab1401 Offset: 3493888 Len: 13208 FILE_SYNC
    3 0.000185456  10.244.0.31 → 10.244.0.1   TCP 66 2049 → 724 [ACK] Seq=1 Ack=13377 Win=24519 Len=0 TSval=1094275743 TSecr=1407872849
    4 0.001888272  10.244.0.31 → 10.244.0.1   NFS 206 V3 WRITE Reply (Call In 2) Len: 13208 FILE_SYNC
    5 0.001910395   10.244.0.1 → 10.244.0.31  TCP 66 724 → 2049 [ACK] Seq=13377 Ack=141 Win=24565 Len=0 TSval=1407872851 TSecr=1094275744
    6 1.301205466  10.244.0.31 → 10.96.0.1    TLSv1.2 112 Application Data
    7 1.303366132    10.96.0.1 → 10.244.0.31  TLSv1.2 132 Application Data
    8 1.303429854    10.96.0.1 → 10.244.0.31  TLSv1.2 749 Application Data
    9 1.303458494  10.244.0.31 → 10.96.0.1    TCP 66 46378 → 443 [ACK] Seq=47 Ack=750 Win=10132 Len=0 TSval=196233199 TSecr=2599073195
```

<!-- # Module End: Summary -->

----

<!-- >**Name**: `Name` -->

<style>
/* Only images loaded from https links: transparent background, with the (commented-out) offset that simulated centering */
img[src^="https"]{
  /* position: relative; left: 17%; */
  background-color: #fff0;
}
.title {
  color: #009933;
  font-weight:bold;
}
.highlight {
  color: #ff4d4d;
  font-weight:bold;
  border-bottom:2px red solid;
  padding-bottom:2px;
}
</style>

<!-- <font class="highlight"> -->
<!-- <font class="title"> -->
<!-- Abbreviation hints -->
<!-- *[O-RAN]:Open Radio Access Network -->
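The following block is an added example; it is not part of the original note and not code from the Wireshark or TShark project. It shows in working code what Module 1.2, section 1.2 and section 2.4.4 describe: a packet is a header followed by data, and a filter such as the display filter `ip.addr == 140.118.242.219` or the capture filter `host x.x.x.x` keeps a packet when the address appears as *either* source or destination. It builds a tiny libpcap file in memory, parses the Ethernet/IPv4/TCP headers of every record, verifies the IPv4 header checksum, applies the `ip.addr` predicate and prints a tshark-style summary line. The server address is the one from section 1.2; the client addresses `10.0.0.5` and `10.0.0.9`, the ports and the HTTP payload are constructed sample values, not captured traffic.

```python
"""Constructed libpcap capture, header/data parsing and an ip.addr-style filter.
Added example for this Wireshark note; all addresses, ports and bytes are samples."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame (constructed); the IPv4 checksum is filled in."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                               0x4000, 64, IPPROTO_TCP, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))   # checksum field at offset 10
    return eth + bytes(ip) + tcp + payload


def build_pcap(frames):
    """24-byte libpcap global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield one dict per IPv4 frame with the fields a tshark summary line shows."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (pcapng is not handled here)")
    off, first_ts, number = 24, None, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        number += 1
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                       # only IPv4 is dissected in this example
        ip = frame[14:]                    # IPv4 header follows the 14-byte Ethernet header
        ihl = (ip[0] & 0x0F) * 4
        pkt = {"no": number, "time": round(ts - first_ts, 6), "len": len(frame),
               "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
               "proto": ip[9], "checksum_ok": ipv4_checksum(ip[:ihl]) == 0, "data": b""}
        if ip[9] == IPPROTO_TCP:
            sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", ip, ihl)
            data_off = (off_flags >> 12) * 4
            pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF,
                       data=ip[ihl + data_off:])   # the "data" half of header + data
        yield pkt


def ip_addr_filter(packets, address):
    """Wireshark `ip.addr == address` / libpcap `host address`: source OR destination."""
    return [p for p in packets if address in (p["src"], p["dst"])]


def summary(p):
    """Rough imitation of tshark's one-line packet summary."""
    line = f'{p["no"]:>3} {p["time"]:.6f} {p["src"]} → {p["dst"]} len={p["len"]}'
    if "sport" in p:
        line += f' {p["sport"]} → {p["dport"]} flags=0x{p["flags"]:03x} data={len(p["data"])} bytes'
    return line


WEB_SERVER = "140.118.242.219"   # the address filtered in section 1.2 of the note
CLIENT = "10.0.0.5"              # constructed sample address
OTHER_HOST = "10.0.0.9"          # constructed; its traffic must be dropped by the filter

SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, WEB_SERVER, 52000, 80, 0x002),                # SYN
    build_tcp_frame(WEB_SERVER, CLIENT, 80, 52000, 0x012),                # SYN/ACK
    build_tcp_frame(CLIENT, WEB_SERVER, 52000, 80, 0x018,
                    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),   # PSH/ACK + request
    build_tcp_frame(CLIENT, OTHER_HOST, 52001, 22, 0x002),                # unrelated SYN
])


def matching_packets(pcap_bytes=SAMPLE_PCAP, address=WEB_SERVER):
    """Parse the capture and keep only packets involving `address`."""
    return ip_addr_filter(parse_pcap(pcap_bytes), address)


if __name__ == "__main__":
    for packet in matching_packets():
        print(summary(packet))
```

Running the file prints three lines (the SYN, SYN/ACK and GET) and drops the packet to `10.0.0.9`, which is the same selection Wireshark makes for `ip.addr == 140.118.242.219`. The parser only understands the classic libpcap format it builds itself; TShark writes pcapng by default (the execution screen above shows a `.pcapng` temporary file), so this is a learning aid for the header/data structure and the filter semantics, not a substitute for `tshark -r`.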