TUWC – S2: Networking Basics

Section 2: Networking Basics

Capture Filters

Capture > Options

  • Input
    • Define which network cards to capture from
      • Click [ Manage Interfaces ] to select which NICs to show
    • [ X ] Promiscuous Mode: Sniff traffic not intended for your IP
    • Capture Filters: Define which protocols you want to capture. These can be further filtered down with display filters.
      • Use this to keep your file sizes smaller.
      • Click green icon.
  • Output
    • Specify output file
    • Set pcapng or pcap types
    • Define how to manage file size, history
    • Ring buffer: How many of these files to keep before deleting the oldest
  • Options
    • Leave at defaults
    • [ X ] Resolve MAC addresses
      • Looks up the manufacturer of each MAC address from its first 3 bytes (the OUI).

Protocol Dissectors

  • AKA Decoders
  • Parse the raw bits of data and try to determine the best way to display them, based on the ports in use.
  • Sometimes the data cannot be analyzed because the port is unknown (very rare).
  • More likely, someone is spoofing the port, using it for another purpose!
    • METASPLOIT – Exploitation tool kit. Changes the port to make the packet look like harmless traffic.
  • Dissectors: Edit > Preferences… > Protocols
    • These can be overridden. To be discussed later.
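A toy dissector in Python, added here as an illustration (it is not course material or Wireshark code), doing what the two sets of bullets above describe: it resolves the vendor from the first 3 bytes of the source MAC and picks a payload decoder purely by port, so identical bytes are labelled "dns", "http" or plain "data" depending only on the port number. The OUI table, the port table and the sample frames are all constructed for the demo.

```python
import struct

# Constructed OUI table; Wireshark ships a much larger 'manuf' list.
OUI_TABLE = {"00:50:56": "VMware", "08:00:27": "PCS Systemtechnik (VirtualBox)"}
# Constructed port -> dissector table; Wireshark's real tables are far larger.
PORT_DISSECTORS = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui_vendor(mac: str) -> str:
    """Resolve the manufacturer from the first 3 bytes (OUI) of a MAC address."""
    return OUI_TABLE.get(mac[:8].lower(), "Unknown vendor")


def build_frame(src_mac: bytes, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + UDP(17)/TCP(6) frame for the demo (checksums zeroed)."""
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) if proto == 17 \
        else struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes.fromhex("ffffffffffff") + src_mac + b"\x08\x00" + ip + l4 + payload


def dissect(frame: bytes) -> dict:
    """Parse Ethernet II -> IPv4 -> TCP/UDP and choose a payload dissector by port."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"src_mac": mac_str(src), "src_vendor": oui_vendor(mac_str(src))}
    if ethertype != 0x0800:
        result["payload"] = "non-ipv4"
        return result
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field (offset 9 in the IP header)
    if proto not in (6, 17):
        result["payload"] = "data"
        return result
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    result["ports"] = (sport, dport)
    # Try the lower port first, then the higher; unknown ports fall back to plain "data".
    # The label comes only from the port, which is why a service on a non-standard port,
    # or unrelated traffic on a well-known one, is mislabelled until you override the
    # dissector (Analyze > Decode As... in Wireshark).
    result["payload"] = next((PORT_DISSECTORS[p] for p in sorted((sport, dport))
                              if p in PORT_DISSECTORS), "data")
    return result
```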

Navigation

Starting and Stopping a capture

  • Capture > Start, or click the Sharkfin icon
    • Ctrl + E starts and stops
    • Ctrl + R restarts
  • Options = Gear/Life preserver icon (Same as Options in Capture Filters above)
  • View – Not much to change here
    • Top section: Packet List
    • Center section: Packet details
    • Bottom: Bytes view (Rarely used)
      • Good idea to shrink this down or remove it from view to gain viewing real estate
      • To remove from view:
        • Edit > Preferences > Appearance > Layout > Pane 3: None
  • Open PCAP (Folder Icon)
  • Save / Close / Reload
    • Generally save to pcapng file format
    • File > Save As …
      • You decide what to save: all captured packets or only the displayed ones, with further options
  • Search: Locate packets
    • Display filter – Seldom used
    • Hex value – Seldom used
    • String – Most common
    • RegEx – Good luck 🙂
  • Next / Previous – Seldom used
  • Go To Packet: Type in the packet #
  • Scrolling / Stop Scroll
    • Will keep most recent packets on the screen.
  • Zoom In / Out / Reset: Modify font size
  • Bottom Right: Profiles
    • Configure your own views and recall them

For Fun:

  • Help > Sample Captures
    • Download and play away to gain experience!
    • Lots of options to choose from

Exporting Objects

Stopping notes here… need to at least overview the course subject matter.