# WireShark

[TOC]

# Basic Concept

## Pcap Property

## Protocol Hierarchy

HTTP (analysis of a web attack)

### Analysis of HTTP Data

### Analysis of a Reverse Shell

```
tcp.port == 4444
```

### HTTP Stream

Follow HTTP stream.

## Export (HTTP Analysis)

Export the protocol we are interested in, e.g. HTTP.

## Export (FTP file)

## Identify Attacker IP and Victim IP

Statistics > Endpoints.

## Decode As

If a server is not running on its standard port, we can use Decode As to specify the packet protocol.

Internal FTP: because the FTP service is not running on the standard port, Export Objects cannot recognize it. We have to identify the traffic manually and set it to be decoded as FTP.

## Filter Setting (Interesting Packets)

### Filtering Operators

- and: operator `and` / `&&`
- or: operator `or` / `||`
- equals: operator `eq` / `==`
- not equal: operator `ne` / `!=`
- greater than: operator `gt` / `>`
- less than: operator `lt` / `<`

Reference: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

## Recover Doc File

We have to find the stream that transfers the doc file, then follow the stream.

## Searching Interesting Packets

### IP Address

```
ip.addr == <IP address>
ip.src == <packet source>
ip.dst == <packet destination>
```

### Port

```
tcp.port == <port number>
tcp.port eq <port number> or <protocol>
```

e.g.

```
tcp.port == 80 || udp.port == 80
```

### TCP

```
tcp.flags.syn == 1    # SYN flag
tcp.flags.ack == 1    # ACK flag
tcp.seq == 0          # scanning attack
tcp.seq == 1          # service reply
```

### Info column

```
http contains "string"
frame contains "string"    (if you don't care whether the string is inside HTTP packets)
```

### FTP

```
ftp || ftp-data
```

# HTTPS Decrypt (Needs the Private Key)

Secure tunnel: TLS

## Load RSA Key (Private Key)

Edit > Preferences > Protocols > TLS > \[+\]

- IP Address: 127.0.0.1
- Port: start_tls
- Protocol: http
- Keyfile: RSA key location

Now we can see that this is a GET request packet: Export Objects > HTTP
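Added example, not part of the original note: a small pure-Python pcap reader that does offline what the "Analysis of a Reverse Shell" filter (`tcp.port == 4444`) and Statistics > Endpoints do in the GUI. The capture is constructed in memory (addresses 10.0.0.5, 10.0.0.20 and 203.0.113.9 are made up), so it runs without Wireshark or any capture file.

```python
import struct
from collections import Counter

def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums left at zero (fine for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # dummy MACs, EtherType IPv4

def build_pcap(frames):
    """pcap file bytes: global header (link type 1 = Ethernet) + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

# Constructed traffic: one normal web session, then the victim connecting out to port 4444.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.20", 51000, 80, 0x02),        # SYN
    build_tcp_frame("10.0.0.20", "10.0.0.5", 80, 51000, 0x12),        # SYN/ACK
    build_tcp_frame("10.0.0.20", "203.0.113.9", 49152, 4444, 0x02),   # SYN out to attacker
    build_tcp_frame("203.0.113.9", "10.0.0.20", 4444, 49152, 0x12),   # SYN/ACK
    build_tcp_frame("10.0.0.20", "203.0.113.9", 49152, 4444, 0x18, b"uid=0(root)\n"),
])

def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame."""
    off = 24                                   # skip the global header
    while off < len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4, or not TCP
        t = 14 + (frame[14] & 0x0F) * 4        # TCP header starts after Ethernet + IP header
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", frame, t)
        doff = (frame[t + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[t + 13], frame[t + doff:]

def tcp_port_filter(data, port):
    """Same packets the display filter `tcp.port == <port>` keeps."""
    return [p for p in parse_pcap(data) if port in (p[2], p[3])]

def endpoints(data):
    """Packets seen per IP address, like Statistics > Endpoints."""
    return Counter(ip for src, dst, *_ in parse_pcap(data) for ip in (src, dst))
```

The host that appears in every packet of the 4444 flow while also serving port 80 is the victim; the peer on 4444 is the address to look for under Endpoints.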