# Wireshark

Using Wireshark to analyze protocols and PCAPs

Last updated 1 month ago

Wireshark is an open-source, cross-platform network packet analyzer tool capable of sniffing and investigating live traffic and inspecting packet captures. Wireshark is one of the most potent traffic analyzer tools available in the wild. There are multiple purposes for its use:

  • Detecting and troubleshooting network problems, such as network load failure points and congestion.

  • Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.

  • Investigating and learning protocol details, such as response codes and payload data.

Wireshark supports protocol or packet dissection: it investigates packet details by decoding the available protocols and their fields. The application supports a long list of protocols and even accepts custom dissection scripts. A packet consists of 5 to 7 layers based on the OSI model, shown in the packet details pane as:

  1. Layer 1, Physical: the frame

  2. Layer 2, Data Link: source [MAC]

  3. Layer 3, Network: source [IP]

  4. Layer 4, Transport: TCP/UDP (includes protocol errors)

  5. Layer 5, Application: HTTP, FTP, SMB, etc. (includes data)

## Packet Filtering

Common display filters:

| Usage | Filter syntax |
| --- | --- |
| Filter by IP (source or destination) | `ip.addr == 127.0.0.1` |
| Filter by destination IP | `ip.dst == 127.0.0.1` |
| Filter by source IP | `ip.src == 127.0.0.1` |
| Filter by IP range | `ip.addr > 127.0.0.1 and ip.addr < 127.0.0.254` |
| Filter by multiple IPs | `ip.addr == 127.0.0.1 or ip.addr == 127.0.0.2` |
| Filter out an IP | `!(ip.addr == 127.0.0.1)` |
| Filter by subnet | `ip.addr == 127.0.0.1/24` |
| Filter by port (source or destination) | `tcp.port == 80` |
| Filter by destination port | `tcp.dstport == 80` |
| Filter by timestamp | `frame.time >= "Jan 01, 2000 00:00:00"` |
| Filter by SYN flag (SYN set, ACK clear) | `tcp.flags.syn == 1 and tcp.flags.ack == 0` |
| Filter by MAC address | `eth.addr == AB:CD:EF:12:34:56` |
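As an added example (not Wireshark's code and not part of the original page), the Python below walks the same layers the dissection list above describes, Ethernet, IPv4 and TCP/UDP, over a small pcap built in memory, and implements the filters from the table above (`ip.addr`, `ip.dst`, subnet, `tcp.port`, and the SYN-set/ACK-clear flag test) as plain predicates. It goes one step beyond the table by grouping bare SYNs per source address, which is how the SYN-flag filter is normally used when checking a capture for port scans. Every host, port and frame is constructed for the demonstration; the pcap reader assumes the little-endian, microsecond-timestamp file format with the Ethernet link type.

```python
"""Minimal pcap dissector plus Python equivalents of common Wireshark display
filters. Added example: not Wireshark code; all traffic below is constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits (tcp.flags.syn / tcp.flags.ack)


@dataclass
class Packet:
    """One dissected frame; each field is named after the Wireshark field it mirrors."""
    ts: float                      # frame.time
    eth_src: str                   # eth.src
    eth_dst: str                   # eth.dst
    ip_src: Optional[str] = None   # ip.src
    ip_dst: Optional[str] = None   # ip.dst
    proto: Optional[int] = None    # ip.proto (6 = TCP, 17 = UDP)
    sport: Optional[int] = None    # tcp.srcport / udp.srcport
    dport: Optional[int] = None    # tcp.dstport / udp.dstport
    tcp_flags: int = 0             # tcp.flags


def dissect(ts: float, frame: bytes) -> Packet:
    """Walk the layers: Ethernet (L2) -> IPv4 (L3) -> TCP/UDP (L4)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])   # 14-byte Ethernet II header
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    pkt = Packet(ts, mac(src), mac(dst))
    if ethertype != 0x0800:                                      # only IPv4 is dissected here
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                     # IPv4 header length in bytes
    pkt.proto = ip[9]
    pkt.ip_src = str(ipaddress.IPv4Address(ip[12:16]))
    pkt.ip_dst = str(ipaddress.IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    if pkt.proto in (6, 17):                                     # TCP and UDP both begin with the ports
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
    if pkt.proto == 6:
        pkt.tcp_flags = l4[13]                                   # flags byte of the TCP header
    return pkt


def read_pcap(data: bytes) -> list:
    """Parse a little-endian pcap with microsecond timestamps (magic 0xa1b2c3d4)."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap is handled here"
    pkts, off = [], 24                                           # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkts.append(dissect(sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return pkts


# ---- display-filter equivalents ----------------------------------------------
def ip_addr(p: Packet, a: str) -> bool:          # ip.addr == a
    return a in (p.ip_src, p.ip_dst)

def ip_dst(p: Packet, a: str) -> bool:           # ip.dst == a
    return p.ip_dst == a

def ip_in_subnet(p: Packet, net: str) -> bool:   # ip.addr == 10.0.0.0/24
    n = ipaddress.ip_network(net, strict=False)
    return any(ipaddress.ip_address(x) in n for x in (p.ip_src, p.ip_dst) if x)

def tcp_port(p: Packet, port: int) -> bool:      # tcp.port == port
    return p.proto == 6 and port in (p.sport, p.dport)

def tcp_port_in(p: Packet, ports) -> bool:       # tcp.port in {...}, the set form of tcp.port
    return p.proto == 6 and bool({p.sport, p.dport} & set(ports))

def syn_only(p: Packet) -> bool:                 # tcp.flags.syn == 1 and tcp.flags.ack == 0
    return p.proto == 6 and bool(p.tcp_flags & SYN) and not (p.tcp_flags & ACK)


def syn_scan_sources(pkts: list, min_ports: int = 3) -> dict:
    """Defensive use of the SYN filter: sources that sent bare SYNs to many distinct ports."""
    probes = {}
    for p in pkts:
        if syn_only(p):
            probes.setdefault(p.ip_src, set()).add(p.dport)
    return {s: sorted(ports) for s, ports in probes.items() if len(ports) >= min_ports}


# ---- constructed sample capture (synthetic, not real traffic) ------------------
def _frame(src, dst, sport, dport, flags=0, proto=6) -> bytes:
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb") + b"\x08\x00"
    if proto == 6:   # 20-byte TCP header, no options, no payload
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:            # 8-byte UDP header, empty payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", 946684800 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = _pcap(
    [_frame("10.0.0.5", "10.0.0.10", 40000 + i, port, SYN) for i, port in enumerate((22, 80, 443, 8080))]
    + [_frame("10.0.0.7", "10.0.0.10", 51000, 80, SYN),         # a normal three-way handshake
       _frame("10.0.0.10", "10.0.0.7", 80, 51000, SYN | ACK),
       _frame("10.0.0.7", "10.0.0.10", 51000, 80, ACK),
       _frame("10.0.0.7", "10.0.0.53", 53000, 53, proto=17)])    # a DNS query over UDP

PACKETS = read_pcap(SAMPLE_PCAP)

if __name__ == "__main__":
    print(f"{len(PACKETS)} frames;", sum(syn_only(p) for p in PACKETS), "bare SYNs")
    print("probable SYN scanners:", syn_scan_sources(PACKETS))
```

Running the script reports eight frames, five bare SYNs, and the single source that probed several ports. In Wireshark the same workflow is the `tcp.flags.syn == 1 and tcp.flags.ack == 0` filter followed by the Statistics > Conversations view, which shows at a glance which source address is touching many destination ports.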

Application filtering:

| Usage | Filter syntax |
| --- | --- |
| Show HTTP packets | `http` |
| Show HTTP packets with response code 200 | `http.response.code == 200` |
| Show GET requests | `http.request.method == "GET"` |
| Show POST requests | `http.request.method == "POST"` |
| Show DNS packets | `dns` |
| Show all DNS requests | `dns.flags.response == 0` |
| Show all DNS responses | `dns.flags.response == 1` |
| Show all DNS "A" records | `dns.qry.type == 1` |

Advanced filtering:

| Usage | Filter syntax |
| --- | --- |
| Search the HTTP Server header for a string | `http.server contains "Apache"` |
| Match the Host header against a regex (php or html) | `http.host matches "\.(php\|html)"` |
| Search a set of ports | `tcp.port in {80 443 8000 8080}` |
| Uppercase a field before comparing | `upper(http.server) contains "APACHE"` |
| Lowercase a field before comparing | `lower(http.server) contains "apache"` |