
Basic Wireshark tutorial

Updated: Sep 29, 2023


Image showing Wireshark logo.

What is Wireshark?


Wireshark is an open-source network packet analyser which captures packets on the Network layer of the OSI model.


Wireshark has many purposes including detecting and troubleshooting network problems like load failure and congestion, understanding protocol details like response codes and payload data, and finding security issues like abnormal port usage, rogue hosts, and suspicious traffic.


Packets are chunks of data that travel across the network to the host that requested them.


They ensure that data can be sent in a manageable and efficient manner.

You can learn more about packets and their ins and outs by visiting ➡️


Installation


If you are capturing data on a network that you don’t own, for example in a coffee shop, ensure that you have your network adapter in Wireshark switched to monitor mode, or promiscuous mode.

Image showing man sitting on laptop in cafe.

This allows the network interface to capture all packets that it sees instead of just packets that were addressed to the interface.


For this tutorial, I will be using Wireshark version 3.6.6 in a virtual environment.


You can download the latest version of Wireshark for free from https://www.wireshark.org/download.html, selecting the correct installer for your specific architecture.

Wireshark install page.

The image below shows the network adapters and interfaces that Wireshark sees when it opens.


When hovering over certain interfaces, Wireshark will display the IP and appropriate MAC addresses. I will be analysing traffic on my eth0 network adapter.


Double-clicking the interface you wish to analyse will display the captured packets and the data coming in and out of the selected network.

Selecting networks to capture packets from (sniff).

Wireshark makes the rather complicated interface easier to understand by displaying the source and destination IP addresses of each packet, along with the source and destination MAC addresses.


This helps to understand how different computers and components on the network interact with each other.

Understanding the display


The image below shows what data is being captured and their relevant details. Pulling the sections out with the mouse can make it easier to read and break down the information.


  • The menu at the top (labelled ‘1’) allows you to start, end and restart the current capture along with skipping to the next packet, delete the current capture, reload the capture, automatically scroll to the latest packet, change colours of different packet types and protocols and more. Functions can be found by hovering over the icons.

  • The section labelled 2 is the display filter, where you can narrow the view to particular ports, text, protocols and more.

  • Number 3 is the packet window where you can see all of the captured packets.

  • Number 4 is the packet details that you can delve into to find more information about a certain packet.

  • Number 5 is the packet bytes which shows the data of the current packet in a hex dump and decoded ASCII style.

  • Number 6 is your file name which you can change to whatever you like.

  • Number 7 is the total number of packets as it says.

  • Number 8 is the number of packets output in the display window.

Wireshark gives information on the protocol, for example, in the image, the first packet is a DNS query which was initiated when I opened Firefox as denoted by ‘Mozilla.net’.


You can find out more about how each part of Wireshark works in the official Wireshark documentation ➡️



Or read this great book on practical packet analysis by Chris Sanders ➡️


Typical Wireshark display.

Merging PCAPs


Another feature of Wireshark is the ability to merge PCAPS (packet captures).


This not only makes it easier and more efficient to fine-comb your investigation, but it also allows for faster comparison and analysis of packets. You can learn more about merging PCAPs here ➡️



The next screen shots show a different PCAP file to figure 1.


To merge two packet capture files, first go to File ➡️ Merge. Notice the number of packets shown at the bottom.

Merging P-CAPS with file then merge.
Opening file ➡️ merge.

Select the file you want to merge. Notice the size of the file in kilobytes.

Selecting the file you want to merge.
Selecting the second file we wish to merge with the original capture file.

The two PCAP files have been combined in chronological order as shown in the image below. The total number of packets has also gone up from 6177 to 14030.

Result of two merged P CAP files.
Wireshark profile showing result of merging two PCAP files.

Simple Netcat based port scanner script


The first step in any penetration test is reconnaissance. This includes probing networks for live hosts and open TCP ports (HTTP, for example), which can be used to infiltrate a host on the target network.


The script below takes a target IP address supplied by the user, scans it with Netcat, and outputs a list of ports and their statuses.

Netcat based port scanner in bash.
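The following Python script is an added example and is not code from the original post or from the Wireshark project. It ties the two previous sections together: it writes two small captures in the classic pcap format, merges them in timestamp order (the same chronological interleaving that File ➡️ Merge produced above, where the packet count rose after the merge), and then looks through the merged capture for the footprint a Netcat loop scan leaves, namely one source sending a bare SYN to many different ports on one host. Every packet, address, port and timestamp is constructed inside the script, so it runs offline; the detection threshold `min_ports` is an assumed value, not a Wireshark setting.

```python
"""Added example, not code from the original post: write two small pcap
captures with constructed packets, merge them in timestamp order the way
File > Merge does, then flag the footprint a Netcat loop scan leaves (one
source sending a SYN to many ports on one host) in the merged capture."""
import os
import struct
import tempfile
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def tcp_packet(src_ip, dst_ip, sport, dport, flags=0x02):
    """Build a minimal 54-byte Ethernet/IPv4/TCP frame; flags=0x02 is a bare SYN."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # constructed MACs, EtherType IPv4
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp


def write_pcap(path, records):
    """records: iterable of (timestamp in seconds, frame bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in records:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (timestamp in seconds, frame bytes) from a little-endian classic pcap."""
    with open(path, "rb") as f:
        magic = struct.unpack("<I", f.read(4))[0]
        if magic != PCAP_MAGIC:
            raise ValueError("only little-endian classic pcap is handled here")
        f.read(20)                                   # rest of the 24-byte global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            sec, usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
            yield sec + usec / 1_000_000, f.read(incl_len)


def merge_pcaps(out_path, *in_paths):
    """Interleave every input's packets by timestamp into one capture; returns the packet count."""
    records = [rec for p in in_paths for rec in read_pcap(p)]
    records.sort(key=lambda rec: rec[0])           # stable sort keeps equal-timestamp order
    write_pcap(out_path, records)
    return len(records)


def find_port_sweeps(path, min_ports=10):
    """Map 'src->dst' to the sorted distinct ports that src hit with SYN-only packets,
    keeping only pairs with at least min_ports ports (assumed threshold): a loop scan
    looks like this, while a browser session reuses a handful of ports."""
    ports = defaultdict(set)
    for _ts, frame in read_pcap(path):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                 # not TCP
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        if tcp[13] & 0x12 == 0x02:                   # SYN set, ACK clear: new connection attempt
            ports[(src_ip, dst_ip)].add(dport)
    return {f"{s}->{d}": sorted(p) for (s, d), p in ports.items() if len(p) >= min_ports}


def demo():
    """Two constructed captures: normal HTTPS traffic and a 16-port sweep overlapping it in time."""
    tmp = tempfile.mkdtemp()
    cap1, cap2, merged = (os.path.join(tmp, n) for n in ("cap1.pcap", "cap2.pcap", "merged.pcap"))
    write_pcap(cap1, [(1000.0 + i * 0.1, tcp_packet("10.0.0.5", "10.0.0.9", 40000 + i, 443))
                      for i in range(3)])
    write_pcap(cap2, [(1000.05 + i * 0.01, tcp_packet("10.0.0.77", "10.0.0.9", 50000 + i, 20 + i))
                      for i in range(16)])
    total = merge_pcaps(merged, cap1, cap2)
    stamps = [ts for ts, _ in read_pcap(merged)]
    ordered = stamps == sorted(stamps)              # merged capture is in chronological order
    return total, ordered, find_port_sweeps(merged)


if __name__ == "__main__":
    print(demo())
```

On a real system the same chronological merge is what Wireshark's command-line companion produces with `mergecap -w merged.pcapng first.pcapng second.pcapng`, and the packets the detector counts are the ones the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates in the filter bar (section 2 in the display walkthrough above); sorting that view by destination port makes a sweep from a single source stand out the same way.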


