|
|-
|[[Media:OSPF_LSA_types.cap|OSPF LSAs]] || ||[[OSPF]]
|-
|[[Media:OSPF_LSA_Route_Add_Delete.cap|OSPF LSA Route Add Delete]] || Add - #101; Delete - #130 ||[[OSPF]]
|-
|[[Media:Ospf over gre tunnel.cap|OSPF over GRE Tunnel]] || ||[[OSPF]]
|[[Media:Dhcp-auth.pcap|Dhcp-auth]] || || [[DNS#DHCP|DHCP]]
|}
== HTTP - HTTPS ==
{| class="wikitable"
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]]
|-
|[[Media:SSL.cap|SSL]], [[Media:Key.zip|Key]] || Sack Used ||[[SSL]]
|}
== TCP/IP ==
{| class="wikitable"
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp, WSF ||[[TCP/IP#TCP_SACK|TCP/IP]]
|-
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]]
|-
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]]
|-
|[[Media:IPv6.pcap|IPv6]] || ||
|-
|[[Media:ICMP.pcap|ICMP]] || || [[ICMP]]
|}
== Misc Captures ==
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp ||[[TCP/IP#TCP_SACK|TCP/IP]]
|-
|[[Media:Smtp.pcap|Smtp]] || ||
|-
|[[Media:Portscan.pcap|Port Scan]] || ||
|-
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]]
|-
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]]
|-
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]]
|-
|[[Media:Nat.pcap|NAT]] ||Ping Packet with & without NAT ||
|[[Media:Hsrp-and-ospf-in-LAN.pcap|Hsrp-and-ospf-in-LAN]] || ||
|-
|[[Media:RADIUS2.cap|RADIUS2]] || Using Access-Challenge (EAP) ||
|-
|[[Media:SSHv2.cap|SSHv2]] || ||
|-
|[[Media:Bittorrent.pcap|Bittorrent]] || ||
|-
|[[Media:IPv6.pcap|IPv6]] || ||
|-
|[[Media:Vnc-sample.pcap|Vnc-sample]] || ||
<br />
=Filtering Packets=
Information related to Packet filtering is as follows:
<br />
==Filtering a Cap File==
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
<br />
==Wireshark Common Filters==
{| class="wikitable"
|-
! Description !! Filter
|-
|Sets a filter for any packet with 10.0.0.1, as either the source or dest || ip.addr == 10.0.0.1
|-
|Sets a conversation filter between the two defined IP addresses || ip.addr==10.0.0.1 && ip.addr==10.0.0.2
|-
|Sets a filter to display all http and dns || http or dns
|-
|Sets a filter for any TCP packet with 4000 as a source or dest port || tcp.port==4000
|-
|Displays all TCP resets || tcp.flags.reset==1
|-
|Display all SYN packets || tcp.flags.syn==1
|-
|Filter packets using Identification Field (across multiple traces) || ip.id==518
|-
|Displays all HTTP GET requests || http.request
|-
|Displays all TCP packets that contain the word ‘traffic’.<br/>Excellent when searching on a specific string or user ID || tcp contains traffic
|-
|Masks out arp, icmp, dns, or whatever other protocols may be background noise.<br/>Allowing you to focus on the traffic of interest || !(arp or icmp or dns)
|-
|Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset || udp contains 33:27:58
|-
|Displays all retransmissions in the trace.<br/>Helps when tracking down slow application performance and packet loss || tcp.analysis.retransmission
|-
|Fragmented Traffic || ip.flags.mf == 1 or ip.frag_offset > 0
|-
|ICMP Fragmentation needed packets || icmp.type==3 and icmp.code==4
|-
|Combination of above two || <nowiki>ip[0,9,20:2]==4501:0304||ip[6:2]&3fff</nowiki>
|-
|Starting and Ending sessions || tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0)
|}
<br />
== Wireshark Column Filters ==
{| class="wikitable"
|-
! Value to display !! Filter
|-
| TTL || ip.ttl
|-
| Flags || tcp.flags
|-
| SEQ || tcp.seq
|-
| ACK || tcp.ack
|-
| MSS || tcp.options.mss_val
|-
| In-Flight || tcp.analysis.bytes_in_flight
|-
| Payload || tcp.len
|-
| Window || tcp.window_size
|-
| Content-Length || http.content_length_header
|}
<br />
== Advanced Packet Filtering ==
Use Case:
I am analyzing an SMB issue. I have 50 PCAP files, each of 100 MB, generated by the intermediate devices.
I am not sure which all files contain the interesting traffic. Searching each file manually using wireshark is hectic.
Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (port 445).
We can use Tshark or TCPDump for this exercise. Tshakr is slow in Linux & TCPDump is very fast.
Wireshark Filter:
((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb
List all Pcap files using any of the below commands:
find . -type f | egrep "All.pcap"
find . -type f | egrep ".pcap"
find . -type f | egrep "*.pcap"
find . -type f | grep ".pcap"
find . -type f | grep "pcap"
List interesting traffic from all the PCAP files:
<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb' ; echo -e "\n"; done
</pre>
Filter out errors:
<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)'
</pre>
Filter out errors and save output to text file in backgroup:
<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt &
</pre>
Show Timestamps in the output and save it to a text file:
<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t ad -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done > smb-time.txt
a absolute time (local time in your time zone, actual time the packet was captured)
ad absolute with date
u Absolute UTC time
ud Absolute UTC time with date
</pre>
Search for keyworks in hte text files created along with traces:
for i in `find . -type f | egrep ".txt"`; do echo $i; cat $i ; echo -e "\n"; done | grep smb2.lock
Using TCPDump instead of Tshark
<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done
</pre>
= Misc =
* In IE, disable HTTP1.1 in Advanced options to see the traffic being sent in HTTP1.0 version. Now you will be able to see traffic in Clear text in wireshark captures. HTTP1.1 uses gzip to compress html, so it is not read in clear text. You will find multiple connections for a single webpage.
* In Wireshark, anyting you see in square brackets - [bla bla] is the wireshar analysis of the information & is not the part of the packet captured.
==Non-Root Capture in Ubuntu==
sudo apt-get install libcap2-bin
sudo groupadd wireshark
sudo usermod -a -G wireshark kirat
newgrp wireshark
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Verification:
getcap /usr/bin/dumpcap => /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
If still unable to capture:
sudo dpkg-reconfigure wireshark-common
sudo chmod +x /usr/bin/dumpcap
==Tshark==
apt-get install tshark
tshark -r lotsapackets.cap -R dns -w dns.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w web.cap
capinfos web.cap
editcap -c 50000 lotsapackets.cap fewerpackets.cap
|