# Wireshark 101
###### tags: `detect` `cybersecurity` `wireshark`
## Installing
You can download and install Wireshark from [here](https://www.wireshark.org/download.html).
Documentation on Wireshark can be found [here](https://www.wireshark.org/docs/).
The graphs next to the interface names show the activity on the interface. It might be futile to try to capture on an interface with a flat line as there is probably no data being passed on it.
## About the shark
Wireshark gives us important info about each packet including:
* Packet Number
* Time
* Source
* Destination
* Protocol
* Length
* Packet info
Wireshark also color codes packets by severity (coloring rules for errors, bad checksums, resets and the like) as well as by protocol, to enable quick identification of anomalies and protocols in captures.
## Collection Methods
Some methods are:
* taps
* port mirroring
* MAC floods
* ARP poisoning
Overview:
1. Begin with a sample capture to ensure everything is set up correctly and you are successfully capturing traffic.
2. Ensure you have enough compute power to handle the number of packets based on the size of the network.
3. Ensure enough disk space to store all the captured packets.
### Network Taps
A **physical implant** in which you **tap directly into a cable** - commonly used by red teams, threat hunting and DFIR teams to sniff and capture packets.
Primarily done in 2 ways:
1. Using **hardware** to tap the wire and **intercept traffic as it comes across**, e.g. a vampire tap.
2. An **inline network tap** planted **between two network devices**. The tap **replicates packets as they pass through it**, e.g. the Throwing Star LAN Tap.

### MAC Floods
Commonly used by red teams as a way to actively sniff packets.
Intended to **stress the switch and fill the CAM** (Content Addressable Memory) **table**.
Once the CAM table is full, the **switch can no longer learn new MAC addresses**. Therefore, in order to keep the network alive, the **switch floods frames out of all of its ports**, behaving like a hub.
***Only use with extreme caution and explicit prior consent.***
### ARP Poisoning
Redirects host traffic to the monitoring machine.
Does not stress the switch the way a MAC flood does, but should still be used with caution and only if other alternatives like network taps are unavailable.
## Filtering Captures
**Display filters are your friend.**
They can be applied through the Analyze menu or typed into the display filter bar at the top of the packet list.
### Filtering Operators
Based on logical expressions:
* and - operator: `and` / `&&`
* or - operator: `or` / `||`
* equals - operator: `eq` / `==`
* not equals - operator: `ne` / `!=`
* greater than - operator: `gt` / `>`
* greater than or equal to - operator: `ge` / `>=`
* less than - operator: `lt` / `<`
* less than or equal to - operator: `le` / `<=`
Other operators are **contains**, **matches** and **bitwise_and**:
* `contains`: protocol, field or slice contains a value
* `matches` / `~`: protocol or text field matches a Perl-compatible regex
* `bitwise_and` / `&`: bitwise AND is non-zero, e.g. `tcp.flags & 0x02` (SYN bit set)
The basic syntax of Wireshark filters is:
* service/protocol, e.g. `ip` or `tcp`
* a dot
* the field being filtered on, e.g. MAC, src, protocol
e.g. `ip.addr == [ip]`
When threat hunting, once you have identified a suspicious host with other tools, you can use Wireshark to further analyze the packets coming from that device.
To filter by src and dst: `ip.src == [src ip] and ip.dst == [dst ip]`
Protocol filters let you filter by port or protocol, which is useful for keeping track of unusual ports / protocols being used.
Wireshark can filter by both port number and protocol name.
Syntax: `tcp.port eq [port #]`, or simply the protocol name, e.g. `http`
To filter UDP ports just change the prefix:
Syntax: `udp.port eq [port #]`, or simply the protocol name, e.g. `dns`
### Packet Dissection

Double click on a packet in the capture to open its details.
Packets consist of 5 to 7 layers based on the OSI model:
* Frame / packet layer: shows which frame / packet you are looking at, as well as details specific to the physical layer of the OSI model.
* Source (MAC) (layer 2): shows the source and destination MAC addresses.
* Source (IP) (layer 3): shows the source and destination IPv4 addresses.
* Protocol (layer 4): shows details of the transport protocol used (UDP/TCP) along with source and destination ports.
* Protocol errors: a continuation of the fourth layer showing specific TCP segments that need to be reassembled.
* Application layer (layer 5): shows details specific to the application protocol being used, e.g. HTTP, SMB, FTP.
* Application data: an extension of layer 5 that shows application-specific data.
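The following is an added example, not part of the original notes: it dissects a constructed Ethernet II / IPv4 / TCP frame into the Ethernet, IP, TCP and data layers described above, then evaluates the display-filter primitives from the filtering section (`ip.src ==`, `ip.dst ==`, `tcp.port ==`, `tcp.flags & 0x02`) against a small constructed "capture". The MAC addresses, IP addresses, ports and packets are all made up for the example; only the Python standard library is used.

```python
# Added example (not from the original notes): dissect a constructed
# Ethernet II / IPv4 / TCP frame into the layers Wireshark shows, then
# evaluate display-filter style conditions against a constructed capture.
import struct

SYN, ACK = 0x02, 0x10          # tcp.flags bit values


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal frame (fixed seq/ack, TCP checksum left 0) as constructed sample data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                                   64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip)))
    struct.pack_into("!H", ip_hdr, 10, ipv4_checksum(bytes(ip_hdr)))   # fill header checksum
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + bytes(ip_hdr) + tcp


def dissect(frame: bytes) -> dict:
    """Return the Ethernet / IP / TCP / data layers that Wireshark's detail pane would show."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 only")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("example handles TCP only")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "eth": {"src": mac_str(src_mac), "dst": mac_str(dst_mac)},
        "ip": {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl,
               # a bad header checksum is one of the conditions the coloring rules flag
               "checksum_ok": ipv4_checksum(ip[:ihl]) == 0},
        "tcp": {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "flags": flags},
        "data": tcp[data_offset:],
    }


# Equivalents of the display-filter primitives from the notes.
def ip_src(pkt, addr):        # ip.src == addr
    return pkt["ip"]["src"] == addr


def ip_dst(pkt, addr):        # ip.dst == addr
    return pkt["ip"]["dst"] == addr


def tcp_port(pkt, port):      # tcp.port == port matches either end of the connection
    return port in (pkt["tcp"]["srcport"], pkt["tcp"]["dstport"])


def tcp_flags_and(pkt, mask):  # tcp.flags & mask (non-zero result)
    return (pkt["tcp"]["flags"] & mask) != 0


def apply_filter(frames, predicate):
    """Return the 1-based packet numbers (Wireshark's No. column) whose dissection matches."""
    return [n for n, f in enumerate(frames, 1) if predicate(dissect(f))]


SAMPLE_CAPTURE = [  # constructed: a web connection plus a SYN to an unusual port
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.5", "10.0.0.9", 51000, 80, SYN),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "10.0.0.9", "10.0.0.5", 80, 51000, SYN | ACK),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.5", "10.0.0.9", 51000, 80, ACK, b"GET / HTTP/1.1\r\n"),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.5", "10.0.0.9", 51001, 4444, SYN),
]

if __name__ == "__main__":
    # ip.src == 10.0.0.5 and tcp.flags & 0x02 : connection attempts from the suspicious host
    print(apply_filter(SAMPLE_CAPTURE, lambda p: ip_src(p, "10.0.0.5") and tcp_flags_and(p, SYN)))
    print(apply_filter(SAMPLE_CAPTURE, lambda p: tcp_port(p, 4444)))   # tcp.port == 4444
    print(dissect(SAMPLE_CAPTURE[2])["data"])                          # application data of packet 3
```

`tcp_port` deliberately matches either end of the connection, which is how Wireshark's `tcp.port` behaves (as opposed to `tcp.srcport` / `tcp.dstport`), so a single filter catches both directions of a conversation.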
## ARP traffic
Address Resolution Protocol is a layer 2 protocol used to map IP addresses to MAC addresses.
ARP traffic consists of REQUEST messages and REPLY messages.
To identify packets, the message header contains one of two operation codes:
* Request (1)
* Reply (2)
You need to enable a setting within Wireshark to resolve physical addresses.
To enable this feature, navigate to View > Name Resolution and ensure that Resolve Physical Addresses is checked.
Example filters:
* `arp.opcode == 2` gives the packets that are replies
* `arp.src.hw_mac == [mac address] && arp.opcode == 2` gives the replies sent by that MAC address, and can be used to view the corresponding IP address
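An added example, not part of the original notes: it builds constructed ARP frames, parses them into the fields Wireshark names `arp.opcode`, `arp.src.hw_mac` and `arp.src.proto_ipv4`, applies the two filters above in code, and adds the check a defender wants when reviewing ARP traffic after reading the ARP poisoning section: an IP address that more than one MAC has sent replies for. All MAC and IP addresses are made up; only the Python standard library is used.

```python
# Added example (not from the original notes): parse constructed ARP frames,
# apply the equivalent of the arp.opcode / arp.src.hw_mac filters, and flag
# any IP address that more than one MAC has answered for.
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2      # arp.opcode values


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II + ARP (hardware type Ethernet, protocol IPv4); requests are broadcast."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def dissect_arp(frame: bytes):
    """Return the ARP fields under Wireshark's field names, or None if the frame is not ARP."""
    if frame[12:14] != b"\x08\x06":
        return None
    _htype, _ptype, _hlen, _plen, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"opcode": opcode,
            "src.hw_mac": mac_str(sha), "src.proto_ipv4": ip_str(spa),
            "dst.hw_mac": mac_str(tha), "dst.proto_ipv4": ip_str(tpa)}


def arp_replies(frames):
    """arp.opcode == 2"""
    return [p for p in map(dissect_arp, frames) if p and p["opcode"] == ARP_REPLY]


def replies_from(frames, mac):
    """arp.src.hw_mac == mac && arp.opcode == 2"""
    return [p for p in arp_replies(frames) if p["src.hw_mac"] == mac]


def conflicting_claims(frames):
    """IP addresses for which replies arrived from more than one MAC (review these)."""
    claims = defaultdict(set)
    for p in arp_replies(frames):
        claims[p["src.proto_ipv4"]].add(p["src.hw_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


GATEWAY_MAC = "00:11:22:33:44:01"
HOST_MAC = "00:11:22:33:44:0a"
OTHER_MAC = "de:ad:be:ef:00:01"   # constructed: a second MAC answering for the gateway IP
SAMPLE_CAPTURE = [                 # constructed frames
    build_arp(ARP_REQUEST, HOST_MAC, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", HOST_MAC, "10.0.0.10"),
    build_arp(ARP_REPLY, "00:11:22:33:44:0b", "10.0.0.11", HOST_MAC, "10.0.0.10"),
    build_arp(ARP_REPLY, OTHER_MAC, "10.0.0.1", HOST_MAC, "10.0.0.10"),
]

if __name__ == "__main__":
    print(len(arp_replies(SAMPLE_CAPTURE)), "replies")
    print(replies_from(SAMPLE_CAPTURE, GATEWAY_MAC))
    print(conflicting_claims(SAMPLE_CAPTURE))    # {'10.0.0.1': [gateway MAC, other MAC]}
```

The `conflicting_claims` table is the same information you would get by applying `arp.opcode == 2`, adding `arp.src.proto_ipv4` and `arp.src.hw_mac` as columns and sorting; a legitimate network shows exactly one MAC per IP in that view.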
## ICMP traffic
Type 8 is an echo request.
Type 0 is an echo reply.
To read the data field, right click on it and select decode, then change the "view as" option to Raw instead of ASCII text.
## Tcp traffic
When analyzing TCP packets it might be useful to also enlist the help of RSA NetWitness and NetworkMiner to filter out and further analyze packets.
The main things to look for when analyzing a TCP packet are the sequence number and acknowledgement number.
We can see the original (absolute) sequence numbers by unchecking Edit > Preferences > Protocols > TCP > Relative sequence numbers.
Typically, TCP packets need to be looked at as a whole conversation that tells a story, rather than in individual detail.
## DNS traffic
Things to keep in mind:
* Query-response
* DNS servers only
* UDP
If any of these is out of place, the packet warrants further investigation.
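An added example, not part of the original notes, that turns the three expectations above into a check: it parses the DNS header and question section of constructed messages and reports queries sent to a server outside an assumed list of approved resolvers, responses that have no matching outstanding query, and DNS carried over something other than UDP. Transport, addresses and ports are passed in as already-dissected fields so that only the DNS message itself has to be parsed; the resolver list, addresses and transaction IDs are made up for the example.

```python
# Added example (not from the original notes): parse the DNS header and
# question of constructed messages and check the notes' three expectations
# (query/response pairing, approved DNS servers only, UDP).
import struct
from collections import namedtuple

Datagram = namedtuple("Datagram", "src dst transport sport dport payload")
QR = 0x8000                       # dns.flags.response bit in the flags word


def encode_qname(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def decode_qname(buf: bytes, off: int):
    """Decode an uncompressed name (the question section never uses compression pointers)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_dns(txid: int, response: bool, qname: str) -> bytes:
    """Header plus one A-record question; responses carry no answer section in this example."""
    flags = 0x8180 if response else 0x0100      # QR|RD|RA for a response, RD for a query
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)


def parse_dns(payload: bytes) -> dict:
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qname, _ = decode_qname(payload, 12)
    return {"id": txid, "response": bool(flags & QR), "qname": qname, "rcode": flags & 0x0F}


def audit_dns(datagrams, approved_resolvers):
    """Return (packet number, reason) for every datagram that breaks one of the expectations."""
    findings, outstanding = [], {}
    for n, d in enumerate(datagrams, 1):
        msg = parse_dns(d.payload)
        if d.transport != "udp":
            # large answers and zone transfers legitimately use TCP, so this is a review item
            findings.append((n, "DNS not over UDP"))
        if not msg["response"]:
            if d.dst not in approved_resolvers or d.dport != 53:
                findings.append((n, "query to unapproved resolver %s:%d" % (d.dst, d.dport)))
            outstanding[(msg["id"], msg["qname"], d.src)] = n
        else:
            if d.src not in approved_resolvers:
                findings.append((n, "response from unapproved server %s" % d.src))
            if outstanding.pop((msg["id"], msg["qname"], d.dst), None) is None:
                findings.append((n, "response with no matching query"))
    return findings


APPROVED = {"10.0.0.53"}          # assumed: the organisation's only sanctioned resolver
SAMPLE = [  # constructed; 198.51.100.7 is a documentation-range address standing in for an unknown server
    Datagram("10.0.0.10", "10.0.0.53", "udp", 40001, 53, build_dns(0x1A2B, False, "example.com")),
    Datagram("10.0.0.53", "10.0.0.10", "udp", 53, 40001, build_dns(0x1A2B, True, "example.com")),
    Datagram("10.0.0.10", "198.51.100.7", "udp", 40002, 53, build_dns(0x3C4D, False, "example.net")),
    Datagram("10.0.0.53", "10.0.0.10", "udp", 53, 40003, build_dns(0x5E6F, True, "example.org")),
    Datagram("10.0.0.10", "10.0.0.53", "tcp", 40004, 53, build_dns(0x7081, False, "example.com")),
]

if __name__ == "__main__":
    for number, reason in audit_dns(SAMPLE, APPROVED):
        print("packet %d: %s" % (number, reason))
```

In Wireshark the same three checks correspond to `dns.flags.response == 1 && !(ip.src == 10.0.0.53)`, `dns && !(ip.addr == 10.0.0.53)` and `dns && tcp`; the script adds the transaction-ID pairing that a filter alone cannot express.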
## HTTP traffic
Knowing how to analyze HTTP can be useful for quickly spotting SQLi, web shells and other web-related attack vectors.
HTTP goes straight to the point: at the application layer there are no handshakes or prerequisites before communication.
Important information to look out for is:
* Request URI
* File data
* Server
To view the full request URI, right click on the Request URI field and select Apply as Column, then scroll until the full request URI is visible.
## HTTPS traffic
Before sending encrypted information, the client and server have to agree on a few things:
1. Client and server agree on a protocol version
2. Client and server select a cryptographic algorithm (cipher suite)
3. Client and server can authenticate to each other (optional)
4. A secure tunnel is created using public key cryptography
You can load the server's RSA private key into Wireshark in order to view the data unencrypted.
To load an RSA key navigate to Edit > Preferences > Protocols > TLS > [+].
If you are using an older version of Wireshark this will be SSL instead of TLS.
Fill in the fields on the menu with the following preferences:
* IP Address: 127.0.0.1 (essentially localhost)
* Port: start_tls
* Protocol: http
* Keyfile: RSA key location
Once added, the traffic will appear decrypted. This only works for sessions that used RSA key exchange; with (EC)DHE cipher suites or TLS 1.3 the server's private key cannot recover the session keys, and a (Pre)-Master-Secret log file exported by the client (SSLKEYLOGFILE) is needed instead.
## Analyzing Exploit PCAPs
When analyzing PCAPs we need to be aware of the Indicators of Compromise that particular exploits leave behind.
Set a filter for the source IP you believe to be malicious.
Then analyze using the methods from the sections above for the respective traffic types.