packet analysis using wireshark

Post on 18-Jan-2017


CEH | Twitter: @BASAVESWARK

WHAT IS WIRESHARK?
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

FEATURES
• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

CAPTURING LIVE TRAFFIC

COLORING RULES

DISPLAY FILTERS
• Filter specific addresses
ip.addr == 192.168.1.5
ip.src == 192.168.1.5
ip.dst == 192.168.1.5
(ip.addr matches either direction. Beware that ip.addr != 192.168.1.5 does not exclude the host: Wireshark expands it to ip.src != X or ip.dst != X, which is true for almost every packet. Use !(ip.addr == 192.168.1.5) instead.)
• Filter specific protocols
dns || http (equivalently: dns or http)
• Filter specific ports (either source or destination port)
tcp.port == 443
udp.port == 1234
• Identify TCP issues and packet loss (retransmissions, duplicate ACKs, zero window, and the like)
tcp.analysis.flags
• Clean up or prune noise
!(arp or dns or icmp)

DISPLAY FILTERS (CONTINUED)
• Follow a TCP stream (Wireshark numbers each TCP conversation from 0 in order of first appearance)
tcp.stream eq 32
• DNS queries
udp contains facebook
(this matches the byte string anywhere in any UDP payload; dns.qry.name contains "facebook" restricts it to DNS question names)
• HTTP requests/responses
http.request
http.response.code == 200
• TCP flags
tcp.flags.syn == 1
tcp.flags.reset == 1
• SIP traffic
sip
rtp
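The filters on these two slides, as an added example that is not part of the deck: a small standard-library Python script that builds a constructed eight-frame capture in libpcap format, decodes Ethernet/IPv4/TCP/UDP into Wireshark-style field names, and applies each filter as a predicate, so you can see exactly which frames `ip.addr == 192.168.1.5`, `!(arp or dns or icmp)` or `tcp.stream eq N` keep. Every address, port and payload is invented for the demo; the stream numbering and HTTP detection are simplified approximations of Wireshark's dissectors, and `tcp.analysis.flags` is not reproduced because it needs Wireshark's full TCP sequence analysis.

```python
import struct
from ipaddress import IPv4Address

ETH_IP, ETH_ARP, ICMP, TCP, UDP = 0x0800, 0x0806, 1, 6, 17
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
HOST = "192.168.1.5"  # the address the slides filter on

def _ip(src, dst, proto, payload):  # Ethernet II + IPv4 header without options (dummy MACs, zero checksum)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IP) + hdr + payload
def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _dns_query(name):  # standard query, one question: length-prefixed labels, type A, class IN
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"
def build_pcap(frames):  # libpcap global header (little-endian, LINKTYPE_ETHERNET) + one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([  # constructed traffic, none of it from a real trace; frame numbers are 0-based
    b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28,               # 0 arp
    _ip(HOST, "192.168.1.1", UDP, _udp(51000, 53, _dns_query("www.facebook.com"))),      # 1 dns query
    _ip(HOST, "31.13.0.1", TCP, _tcp(40000, 443, SYN)),                                  # 2 tcp syn
    _ip("31.13.0.1", HOST, TCP, _tcp(443, 40000, SYN | ACK)),                            # 3 syn/ack
    _ip(HOST, "93.184.216.34", TCP, _tcp(40001, 80, PSH | ACK, b"GET / HTTP/1.1\r\n")),  # 4 http request
    _ip("93.184.216.34", HOST, TCP, _tcp(80, 40001, PSH | ACK, b"HTTP/1.1 200 OK\r\n")), # 5 http response
    _ip(HOST, "8.8.8.8", ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01"),                     # 6 icmp echo
    _ip("31.13.0.1", HOST, TCP, _tcp(443, 40000, RST)),                                  # 7 tcp rst
])

def decode(frame):
    """One dict of Wireshark-style field names per frame, plus the set of protocol layers seen."""
    pkt, ethertype = {"protocols": {"eth"}}, struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IP:
        pkt["protocols"].add("arp" if ethertype == ETH_ARP else "other")
        return pkt
    pkt["protocols"].add("ip")
    pkt["ip.src"], pkt["ip.dst"] = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
    if proto == ICMP:
        pkt["protocols"].add("icmp")
    elif proto == TCP:
        sport, dport, _, _, doff, flags = struct.unpack("!HHIIBB", l4[:14])
        payload = l4[(doff >> 4) * 4:]
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags, "tcp.payload": payload})
        pkt["protocols"].add("tcp")
        if payload[:5] == b"HTTP/" or payload.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
            pkt["protocols"].add("http")
        if payload[:5] == b"HTTP/":  # status line, e.g. "HTTP/1.1 200 OK"
            pkt["http.response.code"] = int(payload.split(b" ")[1])
    elif proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp.payload": l4[8:]})
        pkt["protocols"].add("udp")
        if 53 in (sport, dport):  # port-based, like Wireshark's default DNS dissector binding
            pkt["protocols"].add("dns")
    return pkt

def parse_pcap(data):
    """Walk the libpcap records; also number TCP conversations the way tcp.stream does (first seen = 0)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]  # KeyError on pcapng
    packets, off, streams = [], 24, {}
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = decode(data[off + 16:off + 16 + incl_len])
        if "tcp" in pkt["protocols"]:  # unordered endpoint pair, so both directions get the same index
            key = frozenset({(pkt["ip.src"], pkt["tcp.srcport"]), (pkt["ip.dst"], pkt["tcp.dstport"])})
            pkt["tcp.stream"] = streams.setdefault(key, len(streams))
        packets.append(pkt)
        off += 16 + incl_len
    return packets

# The deck's display filters, each as a predicate over the decoded fields.
FILTERS = {
    "ip.addr == 192.168.1.5": lambda p: HOST in (p.get("ip.src"), p.get("ip.dst")),
    "ip.addr != 192.168.1.5": lambda p: "ip" in p["protocols"] and (p["ip.src"] != HOST or p["ip.dst"] != HOST),
    "!(ip.addr == 192.168.1.5)": lambda p: HOST not in (p.get("ip.src"), p.get("ip.dst")),
    "dns || http": lambda p: bool(p["protocols"] & {"dns", "http"}),
    "tcp.port == 443": lambda p: 443 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    "!(arp or dns or icmp)": lambda p: not p["protocols"] & {"arp", "dns", "icmp"},
    "udp contains facebook": lambda p: b"facebook" in p.get("udp.payload", b""),
    "http.response.code == 200": lambda p: p.get("http.response.code") == 200,
    "tcp.flags.syn == 1": lambda p: bool(p.get("tcp.flags", 0) & SYN),
    "tcp.flags.reset == 1": lambda p: bool(p.get("tcp.flags", 0) & RST),
}

def apply_filter(packets, expr):  # 0-based frame numbers the display filter keeps
    return [i for i, p in enumerate(packets) if FILTERS[expr](p)]

def follow_tcp_stream(packets, index):  # 'tcp.stream eq N' + Follow TCP Stream: both directions, capture order
    return b"".join(p["tcp.payload"] for p in packets if p.get("tcp.stream") == index)
```

Calling `apply_filter(parse_pcap(SAMPLE_PCAP), expr)` for each key shows the `ip.addr` pitfall directly: `ip.addr != 192.168.1.5` keeps frames 1 to 7, exactly the frames `ip.addr == 192.168.1.5` keeps, and only `!(ip.addr == 192.168.1.5)` leaves frame 0 alone. `follow_tcp_stream(..., 1)` returns the request and response bytes of the HTTP conversation, which is what Follow TCP Stream renders. The same filter strings can be handed to `tshark -r capture.pcap -Y '<filter>'` on a real capture.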

DEMO TIME

SOME QUICK SHORTCUTS

USE CASE # 1: VOIP CALL RECORDING

USE CASE # 2: DNS QUERY

USE CASE # 3: TROUBLESHOOTING INTERNET ACCESS ISSUE (UNABLE TO ACCESS A PARTICULAR MUSIC SITE)

USE CASE # 4: UNDERSTANDING SSL FLOW

REFERENCES
• https://en.wikipedia.org/wiki/Wireshark
• https://www.wireshark.org/
• Practical Packet Analysis by Chris Sanders
• https://www.youtube.com/watch?v=68t07-KOH9Y
• https://en.wikipedia.org/wiki/User_Datagram_Protocol
• https://en.wikipedia.org/wiki/Transmission_Control_Protocol
• http://www.informatics.buzdo.com/_images/f912-1.gif
• http://1.bp.blogspot.com/-gTRV25VTdb8/T55rvji6cEI/AAAAAAAACXM/9clbBo-y0nY/s1600/dnslookups.png

APPENDIX
