-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwiresharkNotes-THM
268 lines (156 loc) · 14.1 KB
/
wiresharkNotes-THM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
Statistics
This menu provides multiple statistics options ready to investigate to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to utilise the statical information. This section provides a quick summary of the processed pcap, which will help analysts create a hypothesis for an investigation. You can use the "Statistics" menu to view all available options. Now start the given VM, open the Wireshark, load the "Exercise.pcapng" file and go through the walkthrough.
Resolved Addresses
This option helps analysts identify IP addresses and DNS names available in the capture file by providing the list of the resolved addresses and their hostnames. Note that the hostname information is taken from DNS answers in the capture file. Analysts can quickly identify the accessed resources by using this menu. Thus they can spot accessed resources and evaluate them according to the event of interest. You can use the "Statistics --> Resolved Addresses" menu to view all resolved addresses by Wireshark.
Wireshark - resolved addresses
Protocol Hierarchy
This option breaks down all available protocols from the capture file and helps analysts view the protocols in a tree view based on packet counters and percentages. Thus analysts can view the overall usage of the ports and services and focus on the event of interest. The golden rule mentioned in the previous room is valid in this section; you can right-click and filter the event of interest. You can use the "Statistics --> Protocol Hierarchy" menu to view this info.
Wireshark - protocol hierarchy
Conversations
Conversation represents traffic between two specific endpoints. This option provides the list of the conversations in five base formats; ethernet, IPv4, IPv6, TCP and UDP. Thus analysts can identify all conversations and contact endpoints for the event of interest. You can use the "Statistic --> Conversations" menu to view this info.
Wireshark - conversations
Endpoints
The endpoints option is similar to the conversations option. The only difference is that this option provides unique information for a single information field (Ethernet, IPv4, IPv6, TCP and UDP ). Thus analysts can identify the unique endpoints in the capture file and use it for the event of interest. You can use the "Statistics --> Endpoints" menu to view this info.
Wireshark also supports resolving MAC addresses to human-readable format using the manufacturer name assigned by IEEE. Note that this conversion is done through the first three bytes of the MAC address and only works for the known manufacturers. When you review the ethernet endpoints, you can activate this option with the "Name resolution" button in the lower-left corner of the endpoints window.
Wireshark - endpoints
Name resolution is not limited only to MAC addresses. Wireshark provides IP and port name resolution options as well. However, these options are not enabled by default. If you want to use these functionalities, you need to activate them through the "Edit --> Preferences --> Name Resolution" menu. Once you enable IP and port name resolution, you will see the resolved IP address and port names in the packet list pane and also will be able to view resolved names in the "Conversations" and "Endpoints" menus as well.
Wireshark - name resolution settings
Endpoint menu view with name resolution:
Wireshark - name resolution view
Besides name resolution, Wireshark also provides an IP geolocation mapping that helps analysts identify the map's source and destination addresses. But this feature is not activated by default and needs supplementary data like the GeoIP database. Currently, Wireshark supports MaxMind databases, and the latest versions of the Wireshark come configured MaxMind DB resolver. However, you still need MaxMind DB files and provide the database path to Wireshark by using the "Edit --> Preferences --> Name Resolution --> MaxMind database directories" menu. Once you download and indicate the path, Wireshark will automatically provide GeoIP information under the IP protocol details for the matched IP addresses.
Wireshark - geoip details
Endpoints and GeoIP view.
Wireshark - geoip map view
Note: You need an active internet connection to view the GeoIP map. The lab machine doesn't have an active internet connection!
IPv4 and IPv6
Up to here, almost all options provided information that contained both versions of the IP addresses. The statistics menu has two options for narrowing the statistics on packets containing a specific IP version. Thus, analysts can identify and list all events linked to specific IP versions in a single window and use it for the event of interest. You can use the "Statistics --> IPvX Statistics" menu to view this info.
Wireshark - ipv4 and ipv6 statistics
DNS
This option breaks down all DNS packets from the capture file and helps analysts view the findings in a tree view based on packet counters and percentages of the DNS protocol. Thus analysts can view the DNS service's overall usage, including rcode, opcode, class, query type, service and query stats and use it for the event of interest. You can use the "Statistics --> DNS" menu to view this info.
Wireshark - dns statistics
HTTP
This option breaks down all HTTP packets from the capture file and helps analysts view the findings in a tree view based on packet counters and percentages of the HTTP protocol. Thus analysts can view the HTTP service's overall usage, including request and response codes and the original requests. You can use the "Statistics --> HTTP" menu to view this info.
Packet Filtering
In the previous room (Wireshark | The Basics), we covered packet filtering and how to filter packets without using queries. In this room, we will use queries to filter packets. As mentioned earlier, there are two types of filters in Wireshark. While both use similar syntax, they are used for different purposes. Let's remember the difference between these two categories.
Capture Filters
This type of filter is used to save only a specific part of the traffic. It is set before capturing traffic and not changeable during the capture.
Display Filters
This type of filter is used to investigate packets by reducing the number of visible packets, and it is changeable during the capture.
Note: You cannot use the display filter expressions for capturing traffic and vice versa.
The typical use case is capturing everything and filtering the packets according to the event of interest. Only experienced professionals use capture filters and sniff traffic. This is why Wireshark supports more protocol types in display filters. Please ensure you thoroughly learn how to use capture filters before using them in a live environment. Remember, you cannot capture the event of interest if your capture filter is not matching the specific traffic pattern you are looking for.
Capture Filter Syntax
These filters use byte offsets hex values and masks with boolean operators, and it is not easy to understand/predict the filter's purpose at first glance. The base syntax is explained below:
Scope: host, net, port and portrange.
Direction: src, dst, src or dst, src and dst,
Protocol: ether, wlan, ip, ip6, arp, rarp, tcp and udp.
Sample filter to capture port 80 traffic: tcp port 80
You can read more on capture filter syntax from here and here. A quick reference is available under the "Capture --> Capture Filters" menu.
Wireshark - capture filters
Display Filter Syntax
This is Wireshark's most powerful feature. It supports 3000 protocols and allows conducting packet-level searches under the protocol breakdown. The official "Display Filter Reference" provides all supported protocols breakdown for filtering.
Sample filter to capture port 80 traffic: tcp.port == 80
Wireshark has a built-in option (Display Filter Expression) that stores all supported protocol structures to help analysts create display filters. We will cover the "Display Filter Expression" menu later. Now let's understand the fundamentals of the display filter operations. A quick reference is available under the "Analyse --> Display Filters" menu.
Wireshark - display filters
Comparison Operators
You can create display filters by using different comparison operators to find the event of interest. The primary operators are shown in the table below.
English C-Like Description Example
eq == Equal
ip.src == 10.10.10.100
ne != Not equal
ip.src != 10.10.10.100
gt > Greater than
ip.ttl > 250
lt < Less Than
ip.ttl < 10
ge >= Greater than or equal to
ip.ttl >= 0xFA
le <= Less than or equal to
ip.ttl <= 0xA
Note: Wireshark supports decimal and hexadecimal values in filtering. You can use any format you want according to the search you will conduct.
Logical Expressions
Wireshark supports boolean syntax. You can create display filters by using logical operators as well.
English C-Like Description Example
and && Logical AND
(ip.src == 10.10.10.100) AND (ip.src == 10.10.10.111)
or || Logical OR
(ip.src == 10.10.10.100) OR (ip.src == 10.10.10.111)
not ! Logical NOT
!(ip.src == 10.10.10.222)
Note: Usage of !=value is deprecated; using it could provide inconsistent results. Using the !(value) style is suggested for more consistent results.
Packet Filter Toolbar
The filter toolbar is where you create and apply your display filters. It is a smart toolbar that helps you create valid display filters with ease. Before starting to filter packets, here are a few tips:
Packet filters are defined in lowercase.
Packet filters have an autocomplete feature to break down protocol details, and each detail is represented by a "dot".
Packet filters have a three-colour representation explained below.
Green Valid filter
Red Invalid filter
Yellow Warning filter. This filter works, but it is unreliable, and it is suggested to change it with a valid filter.
Wireshark - filter colours
Filter toolbar features are shown below.
Wireshark - toolbar features
We've covered lots of principles and syntax. Let's put these into practice and start filtering packets in the next task.
## Source for display ref filter syntax
https://www.wireshark.org/docs/man-pages/pcap-filter.html
https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters#useful-filters
https://www.wireshark.org/docs/dfref/
Protocol Filters
As mentioned in the previous task, Wireshark supports 3000 protocols and allows packet-level investigation by filtering the protocol fields. This task shows the creation and usage of filters against different protocol fields.
IP Filters
IP filters help analysts filter the traffic according to the IP level information from the packets (Network layer of the OSI model). This is one of the most commonly used filters in Wireshark. These filters filter network-level information like IP addresses, version, time to live, type of service, flags, and checksum values.
The common filters are shown in the given table.
Filter Description
ip
Show all IP packets.
ip.addr == 10.10.10.111
Show all packets containing IP address 10.10.10.111.
ip.addr == 10.10.10.0/24
Show all packets containing IP addresses from 10.10.10.0/24 subnet.
ip.src == 10.10.10.111
Show all packets originated from 10.10.10.111
ip.dst == 10.10.10.111
Show all packets sent to 10.10.10.111
ip.addr vs ip.src/ip.dst Note: The ip.addr filters the traffic without considering the packet direction. The ip.src/ip.dst filters the packet depending on the packet direction.
Wireshark - ip filters
TCP and UDP Filters
TCP filters help analysts filter the traffic according to protocol-level information from the packets (Transport layer of the OSI model). These filters filter transport protocol level information like source and destination ports, sequence number, acknowledgement number, windows size, timestamps, flags, length and protocol errors.
Filter
Description
Filter Expression
tcp.port == 80
Show all TCP packets with port 80
udp.port == 53
Show all UDP packets with port 53
tcp.srcport == 1234
Show all TCP packets originating from port 1234
udp.srcport == 1234
Show all UDP packets originating from port 1234
tcp.dstport == 80
Show all TCP packets sent to port 80
udp.dstport == 5353
Show all UDP packets sent to port 5353
Wireshark - tcp and udp filters
Application Level Protocol Filters | HTTP and DNS
Application-level protocol filters help analysts filter the traffic according to application protocol level information from the packets (Application layer of the OSI model ). These filters filter application-specific information, like payload and linked data, depending on the protocol type.
Filter Description Filter Description
http
Show all HTTP packets
dns
Show all DNS packets
http.response.code == 200
Show all packets with HTTP response code "200"
dns.flags.response == 0
Show all DNS requests
http.request.method == "GET"
Show all HTTP GET requests
dns.flags.response == 1
Show all DNS responses
http.request.method == "POST"
Show all HTTP POST requests
dns.qry.type == 1
Show all DNS "A" records
Wireshark - http and dns filters
Display Filter Expressions
As mentioned earlier, Wireshark has a built-in option (Display Filter Expression) that stores all supported protocol structures to help analysts create display filters. When an analyst can't recall the required filter for a specific protocol or is unsure about the assignable values for a filter, the Display Filter Expressions menu provides an easy-to-use display filter builder guide. It is available under the "Analyse --> Display Filter Expression" menu.
It is impossible to memorise all details of the display filters for each protocol. Each protocol can have different fields and can accept various types of values. The Display Filter Expressions menu shows all protocol fields, accepted value types (integer or string) and predefined values (if any). Note that it will take time and require practice to master creating filters and learning the protocol filter fields.
Wireshark - display filter expressions
Note: The first room introduced the "Colouring Rules" (Task-2). Now you know how to create display filters and filter the event of interest. You can use the "View --> Coloring Rules" menu to assign colours to highlight your display filter results.