Wireshark

= Filtering Packets =

Information related to packet filtering is as follows:

Filtering while capturing to a cap file (dumpcap with a capture filter, rotating hourly and keeping 25 files):
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25

Wireshark Common Filters


 * SSL Traffic Filters (Wireshark 3.0 and later name these fields tls.* instead of ssl.*)

Client Hello: ssl.handshake.type == 1

Server Hello: ssl.handshake.type == 2

NewSessionTicket: ssl.handshake.type == 4

Certificate: ssl.handshake.type == 11

CertificateRequest: ssl.handshake.type == 13

ServerHelloDone: ssl.handshake.type == 14

Note: a ServerHelloDone message means a full-handshake TLS session (not a resumed one).

Cipher Suites: ssl.handshake.ciphersuite

SSL handshake message types (values of ssl.handshake.type):

 * 0    HelloRequest
 * 1    ClientHello
 * 2    ServerHello
 * 4    NewSessionTicket
 * 8    EncryptedExtensions (TLS 1.3 only)
 * 11   Certificate
 * 12   ServerKeyExchange
 * 13   CertificateRequest
 * 14   ServerHelloDone
 * 15   CertificateVerify
 * 16   ClientKeyExchange
 * 20   Finished

Wireshark Column Filters

= Advanced Packet Filtering =

Use Case:

I am analyzing an SMB issue. I have 50 PCAP files of 100 MB each, generated by the intermediate devices, and I am not sure which of them contain the interesting traffic. Searching each file manually in Wireshark is tedious. Client addresses are 1.1.1.1 and 2.2.2.2; the server address is 3.3.3.3; the protocol is SMB2 (port 445). Tshark or TCPDump can be used for this exercise: Tshark is slow on Linux, TCPDump is very fast. Wireshark filter: ((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2 (the smb filter matches SMB1 only).

List all PCAP files using any of the below commands:

find . -type f | grep -E "All.pcap"
find . -type f | grep -E "\.pcap"
find . -type f -name "*.pcap"
find . -type f | grep "\.pcap"
find . -type f | grep "pcap"

List interesting traffic from all the PCAP files:

for i in $(find . -type f | grep -E "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done

Filter out errors:

for i in $(find . -type f | grep -E "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done | grep -E '(error|unknown|denied)'

Filter out errors and save the output to a text file in the background:

for i in $(find . -type f | grep -E "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done | grep -E '(error|unknown|denied)' > errors.txt &

Show timestamps in the output and save it to a text file:

for i in $(find . -type f | grep -E "All.pcap"); do echo "$i"; tshark -t ad -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done > smb-time.txt

Values for -t (timestamp format):

 * a    absolute time (local time in your time zone, the actual time the packet was captured)
 * ad   absolute time with date
 * u    absolute UTC time
 * ud   absolute UTC time with date

Search for keywords in the text files created along with the traces:

for i in $(find . -type f -name "*.txt"); do echo "$i"; cat "$i"; echo; done | grep smb2.lock
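Putting the steps above together, as an added example that is not part of the original notes: a bash script that builds the SMB2 display filter from the client and server addresses, walks every .pcap under a directory with a NUL-safe find loop, and keeps only error-like lines together with the file name and absolute timestamps. It assumes tshark is on PATH; the addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 are the ones from the use case, and the function names, output file name and the sample lines in the comments are my own.

```shell
#!/bin/bash
# Added example, not part of the original notes: scan many PCAPs for SMB2
# traffic between given clients and a server and report error-like frames.
# Assumes tshark is on PATH. Addresses come from the use case above.

# Build the display filter:
#   (ip.addr==C1 or ip.addr==C2 ...) and ip.addr==SERVER and smb2
# usage: build_smb2_filter SERVER CLIENT [CLIENT...]
build_smb2_filter() {
    local server=$1 clients="" c
    shift
    for c in "$@"; do
        if [ -z "$clients" ]; then
            clients="ip.addr==$c"
        else
            clients="$clients or ip.addr==$c"
        fi
    done
    printf '(%s) and ip.addr==%s and smb2' "$clients" "$server"
}

# Keep the "=== file" marker lines plus error-like lines. Case-insensitive,
# because tshark prints SMB2 status names such as STATUS_ACCESS_DENIED in
# upper case and a case-sensitive grep for "denied" would miss them.
error_lines() {
    grep -E -i '^===|error|unknown|denied'
}

# Print each .pcap under DIR, then the frames matching FILTER with absolute
# date and time (-t ad). -print0 / read -d '' is safe for odd file names.
scan_pcaps() {
    local dir=$1 filter=$2 f
    find "$dir" -type f -name '*.pcap' -print0 |
    while IFS= read -r -d '' f; do
        printf '=== %s\n' "$f"
        tshark -t ad -r "$f" -Y "$filter"
    done
}

# Run only when invoked with arguments: scan_smb2.sh DIR SERVER CLIENT...
# (constructed invocation: scan_smb2.sh /captures 3.3.3.3 1.1.1.1 2.2.2.2)
if [ "$#" -ge 3 ]; then
    filter=$(build_smb2_filter "${@:2}")
    scan_pcaps "$1" "$filter" | error_lines | tee smb2-errors.txt
fi
```

Because the file marker lines survive the grep, every error line in smb2-errors.txt can be traced back to the capture it came from, which the one-line loops above lose once their output is piped through grep.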

More Filters

 * Filter traffic in a time range (show traffic from 10:27 to 10:29 by matching the -t ud timestamp column):

tshark -r trace1.cap -t ud | grep -E '2017-07-25 10:2[7-9]'

 * Show traffic from 10:26 to 10:30 with a display filter on frame.time:

tshark -r trace1.cap -t ud -Y '(frame.time >= "July 25, 2017 10:26:00.0") && (frame.time <= "July 25, 2017 10:30:00.0")'


 * Decode SSL encrypted traffic using the server's RSA private key (format ip,port,protocol,keyfile; this only works for RSA key exchange, not for DHE/ECDHE suites):

tshark -r trace1.cap -t ud -o ssl.keys_list:"192.168.3.206,443,http,/home/aman/Downloads/Trace/trace.sslkeys"

 * Decode SSL encrypted traffic using a (Pre)-Master-Secret log file (the SSLKEYLOGFILE written by the browser):

tshark -r trace1.cap -t ud -o ssl.keylog_file:/home/aman/Downloads/Trace/trace.sslkeys

In Wireshark 3.0 and later these preferences are named tls.keys_list and tls.keylog_file.

= Misc =


 * In IE, disable HTTP 1.1 in the Advanced options to see the traffic sent as HTTP 1.0. You will then see the traffic in clear text in Wireshark captures: HTTP 1.1 responses are usually gzip-compressed, so the HTML is not readable as clear text. You will also find multiple connections for a single web page.


 * In Wireshark, anything you see in square brackets, like [bla bla], is Wireshark's analysis of the information and is not part of the captured packet.

Non-Root Capture in Ubuntu (replace user with your login name)

sudo apt-get install libcap2-bin
sudo groupadd wireshark
sudo usermod -a -G wireshark user
newgrp wireshark
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Verification:

getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

If still unable to capture:

sudo dpkg-reconfigure wireshark-common
sudo chmod +x /usr/bin/dumpcap
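The setup above grants raw-socket capabilities to one binary and limits who can run it to the wireshark group; the following added example (my own script, not from the original notes) verifies all of those conditions at once so the least-privilege configuration can be checked after a package upgrade replaces dumpcap. It assumes GNU stat and the getcap tool from libcap2-bin; the getcap output lines shown in the comments are constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: verify the non-root capture
# setup (file capabilities, group, mode, group membership) before relying on
# it. Assumes GNU stat and getcap from libcap2-bin; the sample getcap lines
# below are constructed.

# Return 0 if a getcap output line grants cap_net_raw and cap_net_admin in the
# effective and permitted sets. Accepts both output styles:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (libcap 2.41 and later)
caps_ok() {
    local caps=${1##* } names flags       # last whitespace-separated token
    case $caps in
        *=*) names=${caps%%=*}; flags=${caps##*=} ;;
        *+*) names=${caps%%+*}; flags=${caps##*+} ;;
        *)   return 1 ;;                  # no capability set at all
    esac
    case $flags in *e*) ;; *) return 1 ;; esac   # effective
    case $flags in *p*) ;; *) return 1 ;; esac   # permitted
    case ",$names," in *,cap_net_raw,*)   ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 if GROUP appears in a whitespace-separated group list (id -nG output).
in_group() {
    local group=$1 list=$2
    case " $list " in *" $group "*) return 0 ;; *) return 1 ;; esac
}

# Check the live system and print one line per finding; non-zero on failure.
check_dumpcap() {
    local bin=${1:-/usr/bin/dumpcap} rc=0 grp mode
    if caps_ok "$(getcap "$bin")"; then
        echo "ok    capabilities: $(getcap "$bin")"
    else
        echo "FAIL  capabilities missing: sudo setcap cap_net_raw,cap_net_admin=eip $bin"
        rc=1
    fi
    grp=$(stat -c %G "$bin")
    mode=$(stat -c %a "$bin")
    if [ "$grp" = wireshark ]; then echo "ok    group: $grp"
    else echo "FAIL  group is $grp, expected wireshark"; rc=1; fi
    if [ "$mode" = 750 ]; then echo "ok    mode: $mode"
    else echo "WARN  mode is $mode, expected 750 so only the wireshark group can run it"; fi
    if in_group wireshark "$(id -nG)"; then echo "ok    $USER is in wireshark"
    else echo "FAIL  $USER is not in wireshark (log out and in again after usermod)"; rc=1; fi
    return $rc
}

# Run the live check only when invoked with an argument, e.g. ./check.sh /usr/bin/dumpcap
[ "$#" -ge 1 ] && check_dumpcap "$1"
```

The mode check is only a warning because capturing still works with a wider mode; the capability and group-membership checks are failures because without them dumpcap cannot open the interface at all.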

Tshark

 * Installation:

sudo apt-get install tshark

 * Filter traffic from a capture file (-Y is the single-pass display filter; the older -R read filter requires -2 on tshark 2.x and later):

tshark -r lotsapackets.cap -Y dns -w trace.cap
tshark -r lotsapackets.cap -Y "dns or tcp.port==80" -w trace.cap

 * Information about the capture file:

capinfos web.cap

 * Split a capture file (50000 packets per output file):

editcap -c 50000 lotsapackets.cap fewerpackets.cap

 * Extract data from HTTP requests (-T fields selects field output, -e names each field to extract):

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
google.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

 * Extract both the DNS query and the response address:

tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a
google.com     216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10

Even more details:

tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a
Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com	198.74.56.127

 * Tshark writes to stdout, so its output can be piped to other tools to manipulate or clean it:

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123

 * Tshark 2.4 is required for some features; install it on Ubuntu:

sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark

 * Extract files from an SMB stream:

tshark -nr test.pcap --export-objects smb,tmpfolder

 * Extract files from an HTTP stream:

tshark -nr test.pcap --export-objects http,tmpfolder

 * Detailed output:

Figure out the frame number:

tshark -r ~/dhcp.pcap -Y 'bootp.option.dhcp == 1'

View full details of that frame:

tshark -r ~/dhcp.pcap -V -Y 'frame.number == 12'
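The POST/password pipeline above shows that credentials submitted over plain HTTP are visible to anyone with a capture; when that output is kept as evidence of the problem, the secret values themselves should not end up in a log file. The following added example (my own, not from the original notes) reads a capture with tshark field output, masks secret-looking form parameters before anything is written to disk, and counts POSTs per source address and host. It assumes tshark on PATH; the function names, the log file name and the sample lines used in the tests are constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: find cleartext credential
# submissions in HTTP POST bodies, redact the values before logging, and
# summarise hits per source address and host. Assumes tshark on PATH.

# Mask the value of secret-looking form parameters in a line of tshark
# field output (parameters are separated by & and fields by tabs).
redact_secrets() {
    local tab
    tab=$(printf '\t')
    sed -E "s/((^|[&$tab?])(password|passwd|pwd|pass|secret|token|csrfmiddlewaretoken)=)[^&$tab]*/\1[REDACTED]/g"
}

# Summarise tab-separated "ip.src<TAB>http.host" lines as "count ip host",
# most frequent first.
count_posts() {
    awk -F'\t' '{ n[$1 "\t" $2]++ } END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Read a capture, append redacted POST lines to LOG (constructed default
# name), and print the per-source/host summary.
# usage: report_posts CAPTURE.pcap [LOG]
report_posts() {
    local pcap=$1 log=${2:-posts-redacted.log}
    tshark -r "$pcap" -Y 'http.request.method == "POST"' -T fields \
        -e ip.src -e http.host -e http.file_data |
    redact_secrets | tee -a "$log" | cut -f1,2 | count_posts
}

# Run only when invoked with a capture file argument.
[ "$#" -ge 1 ] && report_posts "$@"
```

The sed pattern only matches a parameter name at the start of a field or right after an & so that, for example, a host name containing "pass" is left alone; the redaction runs before tee, so the on-disk log never contains the values.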

