Shopping Cart

No products in the cart.

Getting Started With Wireshark

Getting Started With Wireshark

This webcast was originally published on January 8, 2020.

In this video, John Strand discusses the practical applications and features of Wireshark for network analysis. He demonstrates how to use Wireshark to capture and analyze packets, emphasizing its advantages over tcpdump. The tutorial covers packet sniffing, filtering, and analyzing network communications, providing insights into network forensics and troubleshooting.

  • Wireshark is preferred over tcpdump for its GUI interface and in-depth analysis capabilities.
  • Wireshark can display and analyze packets in real-time, providing insights into network traffic and potential security issues.
  • Wireshark’s ability to follow TCP streams allows for detailed examination of communication between systems, useful for troubleshooting and understanding network behavior.

Highlights

Full Video

Transcript

John Strand

Hello and welcome. My name is John Strand, and in this video we’re going to be getting started with Wireshark. Now, Wireshark is very similar than Tcpdump. In fact, a lot of people actually prefer Wireshark to tcpdump, but I look at them as two completely different utilities.

Tcpdump is fantastic for creating scripts, going through and doing large packet captures on systems. and Wireshark is a lot better at doing analysis of systems using a full GUI interface.

So let’s get started. We’re using the security onion again, because the security onion is fantastic for anything with network forensics. Once again, thanks to Doug Birx and crew. So let’s dive right in.

So we can go into applications and we can go to Internet and we can select Wireshark. And once we’re in Wireshark, Wireshark has the ability to list out all of the interfaces on the system.

This is once again very similar to what we saw with the Tcpdump video. With the minus capital d, I can choose any of the interfaces and it’ll pop up and it’ll say, hey, you need to be running this as root.

So what I’m going to do is do Sudowireshark and it’s going to ask me for my password. So, all right, so when we first get into wireshark, you’re going to be able to see all of your interfaces.

So down here, if I can zoom in, you can see that we have ENS 33 is sending some traffic. So I can double click that and it’s automatically going to start sniffing on that particular interface.

There’s not a lot going on. However, if I actually start up another terminal, I can send a ping once again to eight dot, eight dot, eight dot eight.

And then whenever we go back to wireshark, you can actually see those ICMP echo requests going through. So pretty snifty to actually be able to see your traffic. Once again, another thing with wireshark is if you actually select any of these packets, it’s going to break down the actual hexadecimal decode here or the hex.

And if you highlight over certain sections and click on the sections within the hex, it’s going to decode what that is in the middle window. So let’s go ahead and zoom in on that just a little bit.

So if you select this section, it says that this is the individual address. Unicast. You can see this is the, Mac address is in vMware. If I get down to the bottom, this is the actual payload of what’s being sent.

And with an ICMP Echo request and reply on most Linux systems it’s going to send an ICMP echo request with a payload of 0123-4567 so that’s pretty neat.

Now let’s actually go through and open up a file. I’m going to stop my sniff by clicking the little stop button and I’m going to go file open recent and I’m going to open up the actual Pcap backdoor.

I’m going to continue without saving. Now this is actually a packet capture from a compromised computer system and this will give me the ability to dig in a little bit on some of the cool things that I can do with wireshark.

So if I can take any one of these packets, right, a packet doesn’t necessarily exist in most communications, is just an individual thing. Some protocols like UDP and ICMP are very, very much non stateful.

However, with most TCP protocols they’re stateful. So I’m going to send a packet to a system and it’s going to respond. This is going to be a conversation. So I can right click on any one of these different packets and I can actually go through and, and apply filters, I can apply conversation filter.

I can look at the individual streams themselves. What I’m going to do is I’m going to do follow TCP stream and this is going to give me the actual communication between these two systems and it’s going to display it in such a way that it’s easy for me to understand what’s going on.

Now this is clear text HTTP. If it’s encrypted, you’re going to see the encrypted data. But you can see that what was being sent between the two systems in this HTTP request was a get request with our actual command and control data for our backdoor.

And then an HTTP okay response came back. Now whenever I applied that you can see that each of the streams have number values and in this situation wirestruck said I want you to look at just this stream equals zero.

I can clear that out by hitting the little x right here. The next thing I can do is I can look at some really cool statistics in a packet capture. I can do statistics and then I can look at all of the endpoints that are communicating in this particular packet capture.

This allows me, if I’m doing threat hunting or doing troubleshooting to make sure that the IP address that I’m looking for is actually in this communication capture file that I have here as well.

Other things I can do is I can look at statistics and I can actually look at the conversations, how much data is being sent in between these different IP addresses. So what’s the address a, what’s the port that’s being used and who is that system actually talking to?

How many packets are being sent, how much data is being sent as well. This will allow, you to focus in on your top talkers on the network. Finally, you can look at statistics and you can go through and look at protocol hierarchy as well.

So where did I, there it is. There we go, protocol hierarchy. And I’ll actually break down the actual protocols that are being used in this particular packet capture itself.

And in this situation you can see that we have Ethernet, we have IPV four, we have some netbios traffic, but we also have some TCP and some HTTP traffic as well.

Now the reason why you would do this, honestly, is because if you’re trying to break down a packet capture and you’re trying to understand what a system or a series of systems is doing, it really helps to kind of step back and say, okay, who’s talking with whom?

And then drill down to the specific IP address or IP addresses that you’re looking forward to talking to as well. Finally, you can do statistics and you can actually look at the HTTP conversations as well.

And this will actually show you the HTTP requests that are being sent into the computers. So this is just a quick overview of Wireshark. Once again, this isn’t meant to be exhaustive, but this is definitely a start for people that have never used wireshark.

Once again, we’re using the security because we absolutely love that distribution and everything that they do because all these tools are built in. And yes, you can get wireshark for Mac and for Windows as well.

So I can’t wait to see you in the next video. This episode was brought to you by Black Hills information security, specializing in pen testing, red teaming, threat hunting, webcast, open source tools and blogs.

It was also brought to you by AI Hunter from active countermeasures. The AI stands for actual intelligence. Need a threat hunting solution for the network? Check out AI Hunter. It is also brought to you by Wild West Hackin’ Fest, currently offering conferences in San Diego and Deadwood, South Dakota.

To check out the schedule and the speaker lineup, check out wildwesthackinfest.com.