Wireshark is a network traffic analysis program that can be used to analyze individual packets and the different kinds of conversations (streams) they belong to.
The File menu primarily lets you open and save PCAPs, along with exporting the objects Wireshark has reassembled from detected PDUs.
The Edit menu is primarily used to change your preferences (some display options can also be changed from the View menu). In Preferences, you may want to add or change columns, which show additional information per packet.
The View menu changes the way Wireshark looks: coloring rules, time display format, etc.
The Capture menu lets you start and stop captures and adjust the options that apply to your capture.
The Analyze menu lets you use and apply readily available, commonly used filters.
The Statistics menu contains several notable items.
Example below: [image of the Statistics menu, courtesy of the wiresharkthebasics room on TryHackMe]
The packet list shows every captured packet with its capture time (format changeable in the View menu), source and destination IPs and ports, protocol, packet length, an info summary, and any other user-customized columns.
Clicking on a packet brings up both the packet details and the packet bytes panes. Packet details shows every layer of the packet, each of which can be expanded by clicking the dropdown arrow next to it.
Packet bytes shows the raw bytes of the packet, which can be used in a search or in Snort rules to find packets that would not be matched by a plain string.
There are many display filter fields that can be searched on; rather than listing them all, here is an example search:
(tcp && ip.addr == 192.168.0.1 && tcp.dstport == 8000) || (udp && ip.addr == 192.168.0.1 && udp.dstport == 8000)
You can also click the magnifying glass icon ("Find a packet"), which is a quick way to search the capture for strings and hex values.
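To make the difference between a display filter and a raw byte search concrete, here is an added example (not code from the original notes or from the Wireshark project). It parses minimal IPv4/TCP/UDP headers, applies the same logic as the example filter above (ip.addr on either side and tcp.dstport/udp.dstport == 8000), and then runs a hex search for the bytes 1f 40 (port 8000 in big-endian) over the same packets, the way "Find a packet" in hex mode would. All packets are constructed sample data; the function names and the sample addresses are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Added example: tiny IPv4/TCP/UDP header parser, a function with the same logic as
#   (tcp && ip.addr == 192.168.0.1 && tcp.dstport == 8000) ||
#   (udp && ip.addr == 192.168.0.1 && udp.dstport == 8000)
# and a byte-pattern search like Wireshark's "Find a packet" in hex mode.
# Every packet below is constructed sample data, not a real capture.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", or the IP protocol number as a string
    sport: Optional[int]
    dport: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the IPv4 header and, for TCP/UDP, the two port fields that follow it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes (IHL counts 32-bit words)
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto_num = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    transport = raw[ihl:]
    if proto_num in (6, 17) and len(transport) >= 4:
        # Both TCP and UDP headers begin with source port, destination port
        sport, dport = struct.unpack("!HH", transport[:4])
        return Packet(src, dst, "tcp" if proto_num == 6 else "udp", sport, dport)
    return Packet(src, dst, str(proto_num), None, None)


def matches_filter(pkt: Packet, host: str = "192.168.0.1", port: int = 8000) -> bool:
    """Same logic as the display filter: ip.addr matches src or dst, and the
    TCP/UDP destination port is the port of interest."""
    if pkt.proto not in ("tcp", "udp"):
        return False
    return host in (pkt.src, pkt.dst) and pkt.dport == port


def find_bytes(raw_packets: List[bytes], needle: bytes) -> List[int]:
    """Indices of packets whose raw bytes contain `needle` anywhere (hex search, not a field match)."""
    return [i for i, raw in enumerate(raw_packets) if needle in raw]


def build_ipv4(src: str, dst: str, proto_num: int, transport: bytes) -> bytes:
    """Build a minimal IPv4 packet around a transport header (checksum left zero; sample data only)."""
    def to_bytes(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                         proto_num, 0, to_bytes(src), to_bytes(dst))
    return header + transport


def tcp_header(sport: int, dport: int) -> bytes:
    # 20-byte TCP header: ports, seq, ack, data offset 5 words, SYN flag, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def udp_header(sport: int, dport: int) -> bytes:
    # 8-byte UDP header with an empty payload
    return struct.pack("!HHHH", sport, dport, 8, 0)


# Constructed sample "capture": only packets 0 and 1 satisfy the display filter.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.168.0.1", 6, tcp_header(51000, 8000)),   # tcp to host:8000 -> match
    build_ipv4("192.168.0.1", "10.0.0.9", 17, udp_header(8000, 8000)),   # udp from host to :8000 -> match
    build_ipv4("10.0.0.5", "192.168.0.1", 6, tcp_header(51001, 443)),    # wrong destination port
    build_ipv4("10.0.0.5", "10.0.0.7", 6, tcp_header(51002, 8000)),      # host not involved
    build_ipv4("10.0.0.5", "192.168.0.1", 1, b"\x08\x00\x00\x00"),       # icmp echo, not tcp/udp
]


def filter_indices(raw_packets: List[bytes]) -> List[int]:
    """Apply the display-filter logic to every packet and return the indices that pass."""
    return [i for i, raw in enumerate(raw_packets) if matches_filter(parse_ipv4(raw))]


if __name__ == "__main__":
    for i in filter_indices(SAMPLE_PACKETS):
        print(i, parse_ipv4(SAMPLE_PACKETS[i]))
    # Hex search for 1f 40 also hits packet 3 (port 8000, but 192.168.0.1 is not involved)
    print("packets containing bytes 1f 40:", find_bytes(SAMPLE_PACKETS, b"\x1f\x40"))
```

The filter returns packets 0 and 1, while the hex search for 1f 40 returns 0, 1 and 3: a byte search matches wherever the pattern occurs, with no notion of which field or host it belongs to, which is exactly why it can find packets a string or field-based filter misses, and why its hits need a second look.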