WIRESHARK


  • Wireshark is one of the most robust and powerful open-source packet sniffers. It is both an interactive packet-capture tool and an analysis tool.
  • Wireshark is currently the most popular packet sniffer. Among the reasons are its open-source licence and cross-platform support: it runs on Windows, Linux and macOS, and its graphical user interface makes capturing and viewing data straightforward.
  • Wireshark is one of the best tools for capturing packets crossing a target network and reading the contents of each packet in a human-readable format that can be filtered and colour-coded to meet specific requirements. Its wide array of features is mainly used to troubleshoot network problems and to analyse and test software.

Download and Install :-

  • It is open-source software, so it is available for download free of charge. You can download it for both Windows and macOS from the official Wireshark website.
  • For Linux and other UNIX-like systems, Wireshark is usually available from the distribution's package repositories. It comes preinstalled in Kali Linux.

Search for specific packets :-

  • Wireshark has a powerful display-filter language that you can use to search for specific packets easily.
  • Here are a few examples of the kinds of searches I do:

i. frame contains "mozilla" – matches the string "mozilla" anywhere in the packet

ii. tcp.port == 443 – TCP source or destination port is 443

iii. dns.resp.len > 0 – all DNS responses

iv. ip.addr == 52.7.23.87 – source or destination IP address is 52.7.23.87

Methods of Collecting Network Packets

Network Taps :-

  • Network taps are physical implants: you physically tap into a cable. These techniques are commonly used by threat-hunting/DFIR teams and by red teams during an engagement to sniff and capture packets.
  • There are two primary means of tapping a wire. The first uses hardware that pierces the wire and intercepts the traffic as it passes; an example is a vampire tap.
  • The other option is an inline network tap, placed between, or 'inline' with, two network devices. The tap replicates packets as they pass through it. An example is the very common Throwing Star LAN Tap.

MAC Floods :-

  • MAC flooding is a tactic commonly used by red teams as a way of actively sniffing packets.
  • MAC flooding is intended to stress the switch and fill its CAM table. Once the CAM table is full, the switch can no longer learn new MAC addresses, and in order to keep the network alive it forwards frames out of every port.

Note: This technique should be used with extreme caution and with explicit prior consent.

ARP Poisoning :-

  • ARP poisoning is another technique used by red teams to actively sniff packets. By poisoning ARP caches you can redirect traffic from the host(s) to the machine you are monitoring from.
  • This technique does not stress network equipment the way MAC flooding does, but it should still be used with caution and only if other techniques such as network taps are unavailable.
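Both of the active techniques above leave traces that a capture in Wireshark (or any packet feed) can be checked for: an ARP reply in which a second MAC address claims an IP that another MAC already answered for, and a burst of previously unseen source MAC addresses when a switch's CAM table is being filled. The following Python is an added example of those two checks written from the defender's side; it is not part of the original article and runs over constructed records, not a real capture. The field names, the 500-MACs-per-second threshold and the sample addresses are assumptions.

```python
"""Detecting ARP poisoning and MAC flooding from captured ARP replies and frames."""
from collections import defaultdict

# Constructed sample records shaped like the fields Wireshark shows for an ARP
# reply (arp.opcode == 2): sender IP and sender MAC. Not from a real capture.
ARP_REPLIES = [
    {"ts": 1.0, "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"ts": 2.0, "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    # the gateway's IP is suddenly claimed by a second MAC
    {"ts": 3.0, "sender_ip": "10.0.0.1", "sender_mac": "bb:bb:bb:bb:bb:99"},
    {"ts": 4.0, "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
]


def find_arp_conflicts(replies):
    """Return {ip: sorted MACs} for every IP that more than one MAC answered for.

    One IP legitimately maps to one MAC at a time, so a second MAC replying for
    the same IP (especially the default gateway) is the classic sign of ARP
    poisoning. A NIC replacement or an HA failover can look the same, so treat a
    hit as something to investigate rather than as proof.
    """
    claims = defaultdict(set)
    for r in replies:
        claims[r["sender_ip"]].add(r["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed Ethernet frames as (timestamp, source MAC): 600 never-before-seen
# source MACs inside one second, then two normal frames a few seconds later.
FRAMES = [(i * 0.001, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(600)]
FRAMES += [(5.0, "aa:aa:aa:aa:aa:01"), (5.1, "aa:aa:aa:aa:aa:02")]


def mac_flood_windows(frames, window=1.0, threshold=500):
    """Return the start time of every window in which the number of distinct
    source MACs exceeds `threshold` (an assumed value; tune it per switch size).

    A healthy access segment shows a stable, small set of source MACs; a CAM
    table is only filled by a flood of unique ones.
    """
    buckets = defaultdict(set)
    for ts, src in frames:
        buckets[int(ts // window)].add(src)
    return [b * window for b, macs in sorted(buckets.items()) if len(macs) > threshold]


if __name__ == "__main__":
    print("ARP conflicts:", find_arp_conflicts(ARP_REPLIES))
    print("MAC flood windows:", mac_flood_windows(FRAMES))
```

Both functions only read what is already on the wire, so they are safe to run against any packet feed; in Wireshark itself the first check corresponds to the "Duplicate IP address detected" expert info, and the second to watching the count of distinct eth.src values in the Endpoints statistics.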

Packet Dissection :-

  • Wireshark uses the OSI layers to break packets down for analysis.
  • Double-click a packet in the capture to open its details. The details consist of 5 to 7 sections based on the OSI model:

1. Frame (Layer 1) :- Shows which frame or packet you are looking at, along with details specific to the Physical layer of the OSI model.

2. Source [MAC] (Layer 2) :- Shows the source and destination MAC addresses, from the Data Link layer of the OSI model.

3. Source [IP] (Layer 3) :- Shows the source and destination IPv4 addresses, from the Network layer of the OSI model.

4. Protocol (Layer 4) :- Shows details of the transport protocol used (UDP/TCP) along with the source and destination ports, from the Transport layer of the OSI model.

5. Application Protocol (Layer 5) :- Shows details specific to the protocol in use, such as HTTP, FTP or SMB, from the Application layer of the OSI model.

6. Application Data :- An extension of layer 5 that shows the application-specific data.
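The layer breakdown above is exactly what a dissector produces: each layer's header is read, its fields are recorded, and the remainder is handed to the next layer. The Python below is an added example (not code from the article or from the Wireshark project) that dissects a raw Ethernet frame into the same frame / eth / ip / tcp-udp-icmp / data sections and then evaluates the four display filters given earlier on the page against the result. The two sample frames are hand-built inside the block and are not from a real capture; IPv4 and TCP options are skipped rather than parsed, and checksums are left at zero because dissection does not need them.

```python
"""Dissecting an Ethernet/IPv4 frame into OSI layers and applying display filters."""
import struct
from ipaddress import IPv4Address


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def dissect(frame: bytes) -> dict:
    """Break an Ethernet II frame into per-layer field dictionaries.

    Handles IPv4 over Ethernet with TCP, UDP or ICMP above it; anything else
    stops at the last layer understood, as Wireshark's detail pane would.
    """
    layers = {"frame": {"len": len(frame)}, "raw": frame}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": mac(dst), "src": mac(src), "type": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is dissected here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (options skipped)
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["ip"] = {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
                    "proto": proto, "len": total_len}
    payload = ip[ihl:total_len]
    if proto == 6:                                # TCP: ports, seq/ack, data offset, flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        doff = (off_flags >> 12) * 4
        layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                         "flags": off_flags & 0x01FF}
        layers["data"] = payload[doff:]
    elif proto == 17:                             # UDP: ports and length
        sport, dport, ulen = struct.unpack("!HHH", payload[:6])
        layers["udp"] = {"srcport": sport, "dstport": dport, "len": ulen}
        layers["data"] = payload[8:]
    elif proto == 1:                              # ICMP: type 8 = echo request, 0 = echo reply
        layers["icmp"] = {"type": payload[0], "code": payload[1]}
        layers["data"] = payload[8:]
    return layers


# Equivalents of the display filters shown earlier on the page.
def frame_contains(layers, s: str) -> bool:      # frame contains "mozilla"
    return s.encode() in layers["raw"]


def tcp_port(layers, port: int) -> bool:          # tcp.port == 443
    t = layers.get("tcp")
    return t is not None and port in (t["srcport"], t["dstport"])


def ip_addr(layers, addr: str) -> bool:           # ip.addr == 52.7.23.87
    i = layers.get("ip")
    return i is not None and addr in (i["src"], i["dst"])


# --- constructed sample frames (assumed addresses, zero checksums) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


ETH = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"

# TCP segment 51000 -> 443, seq 1, ack 0, data offset 5, flags PSH+ACK (0x018), plus a request body
TCP_SEG = struct.pack("!HHIIHHHH", 51000, 443, 1, 0, (5 << 12) | 0x018, 65535, 0, 0)
TCP_SEG += b"GET / HTTP/1.1\r\nUser-Agent: mozilla\r\n\r\n"
HTTPS_FRAME = ETH + build_ipv4("10.0.0.5", "52.7.23.87", 6, TCP_SEG)

# ICMP echo request: type 8, code 0, checksum 0, identifier 1, sequence 1, 8 bytes of data
PING_FRAME = ETH + build_ipv4("10.0.0.5", "10.0.0.1", 1,
                              struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh")

if __name__ == "__main__":
    for name, f in (("https", HTTPS_FRAME), ("ping", PING_FRAME)):
        d = dissect(f)
        print(name, {k: v for k, v in d.items() if k != "raw"})
        print("  mozilla:", frame_contains(d, "mozilla"), "port 443:", tcp_port(d, 443),
              "52.7.23.87:", ip_addr(d, "52.7.23.87"))
```

The ICMP branch reads the type and code bytes that the ICMP section below relies on (8 for an echo request, 0 for a reply). Note that tcp.port in Wireshark, like tcp_port here, matches either end of the connection, which is why filtering on a port alone does not tell you which side is the server.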

Different Types of Traffic Capture using Wireshark :-

1. ICMP Traffic :

ICMP, or Internet Control Message Protocol, is used to probe and report on the state of nodes on a network. It is most commonly seen with utilities such as ping and traceroute.

There are a few important things to note within the packet details, the first being the type and code of the packet. A type of 8 means the packet is an echo request; a type of 0 means it is an echo reply.

2. TCP Traffic :

A common thing you will see when analysing TCP packets is the TCP handshake. It is a series of three packets, SYN, SYN-ACK and ACK, that allows two devices to establish a connection.

The main fields to look at in a TCP packet are the sequence number and the acknowledgment number.
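The reason those two numbers matter is that they must add up across the handshake: the SYN-ACK must acknowledge the client's sequence number plus one, and the final ACK must acknowledge the server's plus one. The following Python is an added example, not part of the article, that checks a captured three-way handshake for exactly that arithmetic and shows how the next expected acknowledgment is computed for later segments. The Segment records and the addresses are constructed; the flag values are the bit positions Wireshark displays in tcp.flags.

```python
"""Validating a TCP three-way handshake from its flags, sequence and ack numbers."""
from dataclasses import dataclass

FIN, SYN, ACK = 0x001, 0x002, 0x010   # bit positions as shown by tcp.flags


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    seq: int
    ack: int
    payload_len: int = 0


def check_handshake(segs):
    """Return (ok, reason) for the first three segments of a conversation.

    Works on raw numbers as carried on the wire; Wireshark's "relative sequence
    numbers" option would display the same exchange as 0/1 values.
    """
    if len(segs) < 3:
        return False, "fewer than three segments"
    syn, synack, ack = segs[:3]
    if (syn.flags & (SYN | ACK)) != SYN:
        return False, "first segment is not a bare SYN"
    if (synack.flags & (SYN | ACK)) != (SYN | ACK) or synack.src != syn.dst:
        return False, "second segment is not a SYN/ACK from the server"
    if synack.ack != syn.seq + 1:
        return False, f"SYN/ACK acknowledges {synack.ack}, expected {syn.seq + 1}"
    if (ack.flags & (SYN | ACK)) != ACK or ack.src != syn.src:
        return False, "third segment is not a bare ACK from the client"
    if ack.seq != syn.seq + 1 or ack.ack != synack.seq + 1:
        return False, "final ACK seq/ack do not match the SYN and SYN/ACK"
    return True, "handshake complete"


def expected_next_ack(seg: Segment) -> int:
    """The ack number the peer should send after receiving `seg`.

    SYN and FIN each consume one sequence number; data consumes payload_len.
    """
    return seg.seq + seg.payload_len + bool(seg.flags & SYN) + bool(seg.flags & FIN)


# Constructed handshake between a client and a web server (assumed addresses).
GOOD = [
    Segment("10.0.0.5", "52.7.23.87", SYN, seq=1000, ack=0),
    Segment("52.7.23.87", "10.0.0.5", SYN | ACK, seq=5000, ack=1001),
    Segment("10.0.0.5", "52.7.23.87", ACK, seq=1001, ack=5001),
]
# Same exchange but the SYN/ACK acknowledges the wrong number: an injected or
# spoofed reply, or a segment the capture point never saw.
BAD = [GOOD[0], Segment("52.7.23.87", "10.0.0.5", SYN | ACK, seq=5000, ack=1000), GOOD[2]]

if __name__ == "__main__":
    print(check_handshake(GOOD))
    print(check_handshake(BAD))
    print("client sends 100 bytes next, server should ack", expected_next_ack(
        Segment("10.0.0.5", "52.7.23.87", ACK, seq=1001, ack=5001, payload_len=100)))
```

A handshake that fails these checks is worth a closer look: a lone SYN with no SYN-ACK is what a port scan or a filtered port looks like, and a SYN-ACK whose ack number does not fit the SYN is a sign of injection or of packets missing from the capture.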

3. DNS Traffic :

There are a few things, outlined below, that you should keep in the back of your mind when analysing DNS packets:

  • Query-Response: every response should match a query that was seen.
  • DNS servers only: queries should go to the network's designated DNS servers.
  • UDP: DNS is normally carried over UDP.

If any one of these is out of place, the packets should be looked at further and considered suspicious.
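Those three expectations are easy to turn into an automated check. The Python below is an added example, not part of the article, that audits a list of DNS records carrying the fields Wireshark exposes (dns.id, dns.flags.response, ip.src, ip.dst and the transport protocol) and reports each one that breaks a rule. The records and the approved-resolver address are constructed for the example.

```python
"""Flagging DNS traffic that breaks the query/response, server and UDP expectations."""

APPROVED_RESOLVERS = {"10.0.0.53"}   # assumed: the site's sanctioned resolver(s)

# Constructed records; each mirrors the fields of one DNS packet in a capture.
RECORDS = [
    {"id": 0x1A2B, "response": False, "src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp"},
    {"id": 0x1A2B, "response": True, "src": "10.0.0.53", "dst": "10.0.0.5", "proto": "udp"},
    # a response for which no query was captured
    {"id": 0x7777, "response": True, "src": "10.0.0.53", "dst": "10.0.0.5", "proto": "udp"},
    # a query sent to a resolver that is not the site's
    {"id": 0x3C4D, "response": False, "src": "10.0.0.5", "dst": "198.51.100.9", "proto": "udp"},
    # a query carried over TCP instead of UDP
    {"id": 0x5E6F, "response": False, "src": "10.0.0.5", "dst": "10.0.0.53", "proto": "tcp"},
]


def audit_dns(records, approved):
    """Return a list of (rule, transaction id) findings, in capture order.

    A response is matched to its query by transaction id and by the reversed
    source/destination pair, which is how a resolver pairs them as well.
    """
    findings = []
    seen_queries = set()
    for r in records:
        if r["proto"] != "udp":
            findings.append(("not-udp", r["id"]))
        if not r["response"]:
            seen_queries.add((r["id"], r["src"], r["dst"]))
            if r["dst"] not in approved:
                findings.append(("unapproved-server", r["id"]))
        elif (r["id"], r["dst"], r["src"]) not in seen_queries:
            findings.append(("response-without-query", r["id"]))
    return findings


if __name__ == "__main__":
    for rule, tid in audit_dns(RECORDS, APPROVED_RESOLVERS):
        print(f"{rule:<24} id=0x{tid:04x}")
```

The "not-udp" rule is deliberately a prompt to look further rather than an alarm: DNS over TCP is legitimate for responses larger than a single UDP datagram and for zone transfers, which is exactly the "should be looked at further" the list above calls for. Queries to an unapproved resolver and responses with no matching query are the more reliable indicators of tunnelling or spoofing.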

4. HTTP Traffic :

HTTP, or Hypertext Transfer Protocol, is a commonly used protocol of the World Wide Web and is still used by some websites.

HTTP is used to send GET and POST requests to a web server in order to receive things like web pages. Knowing how to analyse HTTP helps you quickly spot things like SQL injection, web shells and other web-related attack vectors.

HTTP is one of the most straightforward protocols for packet analysis: the protocol is straight to the point and has no handshake or prerequisites of its own before communication.

5. HTTPS Traffic :

HTTPS, or Hypertext Transfer Protocol Secure, can be one of the most frustrating protocols to understand from a packet-analysis perspective, and the steps needed to analyse an HTTPS packet can be confusing.

Before sending encrypted information, the client and server need to agree on several things in order to set up a secure tunnel:

  • Client and server agree on a protocol version.
  • Client and server select a cryptographic algorithm.
  • The client and server can authenticate to each other; this step is optional.
  • A secure tunnel is established using public-key cryptography.
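The first two of those steps are visible in the clear in the very first message, the Client Hello, which is also where an analyst reads the server name the client is asking for. The Python below is an added example, not part of the article, that builds one constructed Client Hello and then parses back the offered protocol version, the cipher suites and the server_name extension, the same fields Wireshark lists under "Handshake Protocol: Client Hello". The suite names are the two IANA names for the values used; the hostname and byte layout are constructed for the example.

```python
"""Building and parsing a TLS ClientHello to read the version and cipher-suite offer."""
import struct

# IANA names for the two constructed cipher suite values used below.
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}


def build_client_hello(version=0x0303, suites=(0x1301, 0xC02F), sni=b"example.com"):
    """Assemble a minimal ClientHello: record header, handshake header, body.

    Constructed for this example; a real client also sends supported_versions,
    supported_groups, key_share and more.
    """
    random = bytes(32)                                            # zero random for the example
    sni_list = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni  # ServerNameList, type 0 = host_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    body = (struct.pack("!H", version) + random + b"\x00"          # client_version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # record type 0x16, legacy version


def parse_client_hello(data: bytes) -> dict:
    """Read the negotiation fields out of a ClientHello record."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                       # record header (5) + handshake type (1) + length (3)
    client_ver = struct.unpack("!H", data[p:p + 2])[0]
    p += 2 + 32                                 # skip client random
    p += 1 + data[p]                            # skip session id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + data[p]                            # skip compression methods
    sni = None
    if p < 5 + rec_len:                         # extensions are present
        ext_len = struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                      # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                sni = data[p + 5:p + 5 + name_len].decode()
            p += elen
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": [CIPHER_NAMES.get(s, f"0x{s:04x}") for s in suites], "sni": sni}


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello()))
```

Two practical notes: a TLS 1.3 client still writes 0x0303 (TLS 1.2) in client_version and advertises 1.3 through the supported_versions extension, so the legacy field alone understates what was negotiated; and everything after the handshake is encrypted, so the Client Hello plus the server's certificate are usually the only plaintext an analyst gets without the session keys.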

Here are some things Wireshark does not provide:

  • Wireshark is not an intrusion detection system. It will not warn you when someone does something on your network that they are not allowed to do.
  • However, if strange things happen, Wireshark might help you figure out what is really going on.
  • Wireshark does not manipulate anything on the network; it only "measures" what is on it.
  • Wireshark does not send packets on the network or do other active things (except domain name resolution, which can be disabled).


More articles by Dinesh Reddy Challa
