WIRESHARK

Understanding Wireshark 

Disclaimer 

Contains:

How to Save the captured packets as "pcapng" extensions. 

How to use Filters.

How to use Statistics Menu.

How to use MaxMind database and Endpoints Maps.

Reference 

  • GeoLite2 Free Geolocation Data: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
  • Wireshark basics by Chris Greer

*******************************

Understanding Wireshark 

How to Save the captured packets as "pcapng" extensions

Before starting to capture packets, 

Capture -> options

output format -> pcapng

Create new files automatically with 2 files, small size of 500Mb. This options can be used to create smaller files for easier analysis

Saving the capture in small pcap files for analysis
Saving the capture in small pcap files for analysis 

How to use Filters:


Two types of filters can be used,

Before Capture

  • Capture Filters

Before starting the capture, Setting up filter criteria before starting the capturing of the packets.

  • e.g. TCP - only the TCP packets will be captured and no other packet information's will be captured

  • Sample filters, port 80, port 53, host 192.168.1.5

After capture

After capturing the packets, these display filters are applied. 

Display filters

CConversation Filters

Simple filter options:
  • Arp
  • Ip
  • Ip.addr == 192.168.1.5
    Conversation Filters
    Conversation Filters

Prepare as a Filter


Will have option to add along with conversation filter options
  • (ip.addr eq 192.168.1.157 and ip.addr eq 513.184.133.58) && (tcp)

Prepare as a Filter
Prepare as a Filter


Not filter:

  • not arp
  • not(arp or ipv6)
  • Tcp.port in{80 443 8080}
  • !(arp or stp or lldp or cdp or tcp)

Text Filters

  • Case sensitive: - frame contains google 
Non-case sensitive : frame matches google


How to use Statistics Menu 

Statistics menu option

Statistics -> Resolved Addresses :- 

Name Resolution:

Resolve Mac address, when enabled this will get the available names of the mac address
Use captures DNS:- will provide name of the DNS rather than IP address

Statistics Resolved Addresses
Statistics -> Resolved Addresses

Adding custom name to the IP address

Known IP address can be named for easy understanding, like server, desktop, gateway

  • Right click on the IP address and select edit resolved names  add a name 

Adding Custom names IP address


Name resolution Block

View menu ->  reload as File format/capture 
This view provides the consolidated view of the known IP-address

name resolution block


Statistics -> conversations


    This window will provide the overall summary of packets happening between addresses, bytes, ports and more. This view allows to understand what's going on with between the IP-address. 

  • If there is any malicious activity or port scanning can be found using this summary table. 
  • Filter option: Right click on any address and select apply as filter to get conversation b/w the 2addresses 


Statistics -> conversations
Statistics -> conversations

How to use MaxMind database and Endpoints Maps:


Geo location:

Download the file - free version from - dev.Maxmind.com [geo2lite free geolocation data]

  • Edit -> preferences -> MaxMindDatabase -> selected the download file


MaxMindDatabase
MaxMindDatabase

Statistics ->Endpoint -> map ->open on browser


Endpoint-Maps
Endpoint-Maps

IP address are mapped based on the geo location on the Map

map
map


Under the Internet protocol layer from the captured packets, The destination GEO IP is displayed.


source GEO IP
source GEO IP


The same can be used as display filter.

  • Right click on the “source GeoIP” set as selected filter :-  ip.geoip.src_country == "United States"

******************************

Comments

Post a Comment

Popular Posts

Marriage Registration Online steps [Tamil Nadu]

Marriage Registration Online 1. Hindu Marriage Act 2. TamilNadu Marriage Act Steps To follow 1. Log into :-> https://tnreginet.gov.in/portal/  2. Click on "User Registration"   under " LOGIN " section 3. Now Login with UserID & Password  Hindu Marriage Registration 4. After Log in then select  Home > Marriage Registration > Hindu Marriage Registration 5. Fill in the details     1. Husband details           A.  Details Must be know - District, Taluk, Village and then f rom Drop down select the " street name "         B . if any of the parent is not alive mark the same and produce the death certificate while submitting the application in-person.      2. Wife Details          A. same as above, have all the information to fill in details 3. Witness Options 4. Other Details 5. Proof Details: for Husband & Wife  Home > Draft Listing T...
Read more

Projects-Summary

Project Index & Summaries A comprehensive directory of hands-on projects, technical guides, and research. Cyber Security & Pentesting Ethical Hacking Notes : A deep dive into the world of ethical hacking. This guide covers the complete malware analysis process, footprinting, reconnaissance, and system hacking. It includes specialized modules on hacking IoT devices, cloud computing, and wireless networks. Pentesting Hands-on : Documentation of real-world penetration testing experiences. It follows the five stages of ethical hacking: Reconnaissance, Enumeration, Exploitation, and Reporting. It also includes instructions on building your own vulnerable machines for practice. Hack The Box Notes : Methodologies focused on auditing websites and machines. This section provides a workflow for checking vulnerabilities and testing web security using the Hack The Box platform. Wireshark Basics : Prac...
Read more

HOME LAB : HANDS-ON

Image
HOME LAB : HANDS-ON Disclaimer Home LAB Home Assistant on OMV Container in Raspberry Pi https://www.gouti1454.com/p/homeassistant.html Installing Home Assistant on Docker using OMV Compose, along with Portainer, Jellyfin, and MQTT. Here’s the breakdown: Home Assistant on OMV Compose Setting up MQTT and connected it to Home Assistant HomePage with Docker Compose https://www.gouti1454.com/p/homepage-docker.html Setting Up HomePage with Docker Compose Key things to get right, While installing  HomePage Docker:  Best Practices for Docker Compose: Widgets Configuration: Common Errors & Fixes: Lamma AI https://www.gouti1454.com/p/llama-ai.html This post covers some useful tips and tricks for extracting YouTube transcripts and using the Fabric framework. The topics include: ...
Read more