Wireshark – Linux Hint (https://linuxhint.com), feed updated Mon, 01 Mar 2021 00:17:42 +0000

Using Wireshark to Examine FTP Traffic https://linuxhint.com/examine-ftp-wireshark/ Thu, 11 Feb 2021 15:55:39 +0000 https://linuxhint.com/?p=89706

The previous article provided you with an in-depth understanding of Wireshark filters, OSI layers, ICMP, and HTTP packet analysis. In this article, we will learn how FTP works and examine FTP captures in Wireshark. Before we dig deep into the captured packet analysis, we will begin with a brief overview of the protocol.

FTP

FTP is a protocol used by computers to share information over the network. Simply put, it’s a way to share files between connected computers. As HTTP is built for Websites, FTP is optimized for large file transfers between computers.

The FTP client first sends a control connection request to the server on port 21. A control connection requires a login to be established. But some servers make all of their content available without any credentials; such servers are known as anonymous FTP servers. Later, a separate data connection is established to transfer files and folders.

FTP Traffic Analysis

The FTP client and server communicate without being aware that TCP manages every session. TCP is used in every session to control datagram delivery, arrival, and window size management. For every datagram exchange, TCP initiates a new session between the FTP client and the FTP server. Hence, we will begin our analysis with the TCP packet information available in the middle pane for the FTP session initiation and termination.

Start packet capture from your selected interface and use the ftp command in the terminal to access the site ftp.mcafee.com.

ubuntu@ubuntu:~$ ftp ftp.mcafee.com

Log-in with your credentials, as shown in the screenshot below.

Use Ctrl+C to stop the capture and look for the FTP session initiation, which starts with the TCP [SYN], [SYN, ACK], and [ACK] packets illustrating the three-way handshake for a reliable session. Apply the tcp display filter to see the first three packets in the Packet list panel.

Wireshark displays detailed TCP information that matches the TCP packet segment. We highlight the TCP packet from the host computer to the ftp McAfee server to study the Transmission Control Protocol layer in the Packet details panel. You can notice that the first TCP datagram for the FTP session initiation only sets the SYN bit to 1.

The explanation for each field in the Transmission Control Protocol layer in Wireshark is given below:

  • Source Port: 43854, the ephemeral port of the TCP host that initiated the connection. It is a number that lies anywhere above 1023.
  • Destination Port: 21, the port number associated with the FTP service. That is, the FTP server listens on port 21 for client connection requests.
  • Sequence Number: a 32-bit field that holds the number of the first byte sent in a particular segment. This number lets the receiver identify the order of the messages received.
  • Acknowledgment Number: a 32-bit field that specifies the next byte the receiver expects after the successful transmission of the previous bytes.
  • Control Flags: each code bit has a special meaning in TCP session management and determines how the segment is treated:
      • ACK: validates the acknowledgment number of a received segment
      • SYN: synchronize sequence numbers; set at the initiation of a new TCP session
      • FIN: request for session termination
      • URG: the sender marks the segment as carrying urgent data
      • RST: request for resetting the session
      • PSH: request to push the data to the receiving application without waiting for a full buffer
  • Window size: the sliding window's value, i.e., how many bytes may be sent before an acknowledgment is required.
  • Checksum: a field that holds the checksum for error control. This field is mandatory in TCP, in contrast to UDP.

Moving on to the second TCP datagram in the filtered capture: the McAfee server acknowledges the SYN request. You can notice that both the SYN and ACK bits are set to 1.

In the last packet, the host sends an acknowledgment to the server, completing the FTP session initiation. You can notice that the relative sequence number is 1 and the ACK bit is set to 1.

After establishing a TCP session, the FTP client and server exchange some traffic: the FTP client acknowledges the FTP server's Response 220 packet, which was sent through the TCP session. Hence, all the information exchange between the FTP client and the FTP server is carried out via the TCP session.

After the FTP session completion, the ftp client sends the termination message to the server. After request acknowledgment, the TCP session at the server sends a termination announcement to the client’s TCP session. In response, the TCP session at the client acknowledges the termination datagram and sends its own termination session. After receipt of the termination session, the FTP server sends an acknowledgment of the termination, and the session is closed.

Warning

FTP does not use encryption, so the login and password credentials are visible in broad daylight. Hence, it is only safe as long as no one is eavesdropping and you are transferring sensitive files within your own network. Do not use this protocol to access content from the internet; use SFTP, which runs over Secure Shell (SSH), for file transfer instead.

FTP Password Capture

We will now show why it's important not to use FTP over the internet. We will search the captured traffic for specific strings such as user, username, password, etc., as instructed below.

Go to Edit -> "Find Packet", choose String (rather than Display filter) as the search type, and select Packet bytes as the search target so that the searched data is shown in cleartext.

Type the string pass in the search box and click Find. You will find the packet containing the string "Please specify the password" in the Packet bytes panel. You can also notice the highlighted packet in the Packet list panel.

Open this packet in a separate Wireshark window by right-clicking on the packet and selecting Follow -> TCP Stream.

Now search again, and you will find the password in plain text in the Packet bytes panel. Open the highlighted packet in a separate window as above, and you will find the user credentials in plaintext.
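The manual string search above can be turned into a check that runs over a whole control stream. The following Python script is an added example (not part of the original article): it reads the kind of text Follow -> TCP Stream shows for port 21, pairs each USER/PASS with the server's reply, and emits an alert with the password redacted. SAMPLE_STREAM is a constructed conversation, and all function names are this example's own.

```python
"""Detect cleartext FTP logins in a reassembled FTP control stream.

Added example, not from the original article. It reads the kind of text
Wireshark shows in Follow -> TCP Stream for port 21: server replies begin
with a three-digit code (220, 331, 230, ...), client commands are verbs such
as USER and PASS. FTP sends both in the clear, which is what the "pass"
search above finds by hand. SAMPLE_STREAM is a constructed conversation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER alice
331 Please specify the password.
PASS s3cret-pa55
230 Login successful.
SYST
215 UNIX Type: L8
QUIT
221 Goodbye.
"""

# "331 text" or "220-text" (multi-line reply); client commands never start with digits.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


@dataclass
class FtpLogin:
    """One authentication attempt seen on the control channel."""
    user: str
    password: str
    reply_code: Optional[int] = None   # server's answer to PASS (230 = logged in)

    @property
    def succeeded(self) -> bool:
        return self.reply_code is not None and 200 <= self.reply_code < 300


def parse_ftp_logins(stream: str) -> List[FtpLogin]:
    """Pair each USER/PASS with the server verdict that follows it."""
    logins: List[FtpLogin] = []
    user: Optional[str] = None
    pending: Optional[FtpLogin] = None      # PASS sent, server has not answered yet
    for raw in stream.splitlines():
        line = raw.rstrip("\r")
        reply = REPLY_RE.match(line)
        if reply:                            # server -> client
            if pending is not None:
                pending.reply_code = int(reply.group(1))
                logins.append(pending)
                pending = None
            continue
        verb, _, arg = line.partition(" ")   # client -> server
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            pending = FtpLogin(user=user or "", password=arg)
    if pending is not None:                  # stream ended before the server answered
        logins.append(pending)
    return logins


def redact(secret: str) -> str:
    """Keep only the length of a captured password in anything you store or alert on."""
    return "*" * len(secret)


def alerts(stream: str) -> List[str]:
    """One alert line per cleartext login attempt, password redacted."""
    out = []
    for login in parse_ftp_logins(stream):
        result = "SUCCESS" if login.succeeded else f"FAILED({login.reply_code})"
        out.append(f"cleartext FTP login user={login.user!r} "
                   f"password={redact(login.password)} result={result}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_STREAM):
        print(line)
```

Feed it the output of Follow -> TCP Stream saved as text, or of tshark -z follow,tcp,ascii on a capture, to find every cleartext login in a trace.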

Conclusion

In this article, we learned how FTP works, analyzed how TCP controls and manages operations in an FTP session, and saw why it's important to use Secure Shell based protocols for file transfer over the internet. In future articles, we will cover the command-line interfaces for Wireshark.
A Guide to the Wireshark Command Line Interface "tshark" https://linuxhint.com/wireshark-command-line-interface-tshark/ Sun, 07 Feb 2021 18:25:21 +0000 https://linuxhint.com/?p=89289

In the earlier tutorials for Wireshark, we covered fundamental to advanced-level topics. In this article, we will cover the command-line interface for Wireshark, i.e., tshark. The terminal version of Wireshark supports similar options and is very useful when a Graphical User Interface (GUI) isn't available.

Even though a graphical user interface is, theoretically, a lot easier to use, not all environments support it, especially server environments with only command-line access. Hence, at some point, as a network administrator or a security engineer, you will have to use a command-line interface. It is important to note that tshark is sometimes used as a substitute for tcpdump. Even though both tools are almost equivalent in traffic-capturing functionality, tshark is a lot more powerful.

The best you can do is to use tshark to set up a port on your server that forwards the captured information to your system, so you can analyze the traffic with the GUI. However, for the time being, we will learn how it works, what its attributes are, and how you can utilize it to the best of its capabilities.

Type the following command to install tshark in Ubuntu/Debian using apt-get:

ubuntu@ubuntu:~$ sudo apt-get install tshark -y

Now type tshark --help to list all the possible arguments, with their respective flags, that we can pass to the tshark command.

ubuntu@ubuntu:~$ tshark --help | head -20

TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Dump and analyze network traffic.

See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:

-i <interface> name or idx of interface (def: first non-loopback)

-f <capture filter> packet filter in libpcap filter syntax

-s <snaplen> packet snapshot length (def: appropriate maximum)

-p don't capture in promiscuous mode

-I capture in monitor mode, if available

-B <buffer size> size of kernel buffer (def: 2MB)

-y <link type> link layer type (def: first appropriate)

--time-stamp-type <type> timestamp method for interface

-D print list of interfaces and exit

-L print list of link-layer types of iface and exit

--list-time-stamp-types print list of timestamp types for iface and exit

Capture stop conditions:

You can see a list of all the available options. In this article, we will cover most of the arguments in detail, and you will understand the power of this terminal-oriented Wireshark version.

Selecting Network Interface:

To conduct live capture and analysis in this utility, we first need to figure out our working interface. Type tshark -D and tshark will list all the available interfaces.

ubuntu@ubuntu:~$ tshark -D

1. enp0s3

2. any

3. lo (Loopback)

4. nflog

5. nfqueue

6. usbmon1

7. ciscodump (Cisco remote capture)

8. randpkt (Random packet generator)

9. sshdump (SSH remote capture)

10. udpdump (UDP Listener remote capture)

Note that not all the listed interfaces will be working. Type ifconfig to find working interfaces on your system. In my case, it’s enp0s3.

Capture Traffic:

To start the live capture process, we will use the tshark command with the “-i” option to begin the capture process from the working interface.

ubuntu@ubuntu:~$ tshark -i enp0s3

Use Ctrl+C to stop the live capture. In the above command, I have piped the captured traffic to the Linux command head to display the first few captured packets. Alternatively, you can use the "-c <n>" syntax to capture "n" packets.

ubuntu@ubuntu:~$ tshark -i enp0s3 -c 5

If you only enter tshark, by default, it will not start capturing traffic on all available interfaces nor will it listen to your working interface. Instead, it will capture packets on the first listed interface.

You can also use the following command to check on multiple interfaces:

ubuntu@ubuntu:~$ tshark -i enp0s3 -i usbmon1 -i lo

Another way to capture live traffic is to use the number listed alongside the interface.

ubuntu@ubuntu:~$ tshark -i interface_number

However, in the presence of multiple interfaces, it’s hard to keep track of their listed numbers.

Capture Filter:

Capture filters significantly reduce the captured file size. tshark uses the Berkeley Packet Filter syntax, "-f <filter>", which is also used by tcpdump. We will use the "-f" option to only capture packets from ports 80 or 53 and use "-c" to display only the first 10 packets.

ubuntu@ubuntu:~$ tshark -i enp0s3 -f "port 80 or port 53" -c 10

Saving Captured Traffic to a File:

The key thing to note in the above screenshot is that the information displayed isn’t saved, hence it’s less useful. We use the argument “-w” to save the captured network traffic to test_capture.pcap in /tmp folder.

ubuntu@ubuntu:~$ tshark -i enp0s3 -w /tmp/test_capture.pcap

.pcap is the Wireshark capture file extension. By saving the file, you can review and analyze the traffic later on a machine with the Wireshark GUI.

It’s a good practice to save the file in /tmp as this folder doesn’t require any execution privileges. If you save it to another folder, even if you are running tshark with root privileges, the program will deny permission due to security reasons.

Let’s dig into all the possible ways through which you can:

  • apply limits to the capture, such as auto-stopping the capture process or exiting tshark, and
  • write your output files.

Autostop Parameter:

You can use the "-a" parameter with the available flags duration, filesize, and files. In the following command, we use the autostop parameter with the duration flag to stop the process after 120 seconds.

ubuntu@ubuntu:~$ tshark -i enp0s3 -a duration:120 -w /tmp/test_capture.pcap

Similarly, if you don't need your files to be extra large, filesize is the perfect flag to stop the process once the file reaches a given limit in KB.

ubuntu@ubuntu:~$ tshark -i enp0s3 -a filesize:50 -w /tmp/test_capture.pcap

Most importantly, the files flag allows you to stop the capture process after a number of files. But this is only possible after creating multiple files, which requires another useful parameter, the capture output (ringbuffer).

Capture Output Parameter:

The capture output, aka ringbuffer, argument "-b" takes the same flags as autostop. However, its behaviour is a bit different: with the duration and filesize flags, it switches to a new output file after reaching the specified time limit in seconds or file size, instead of stopping.

The command below captures traffic on our network interface enp0s3 using the capture filter "-f" for DNS and FTP (ports 53 and 21). We use the ringbuffer option "-b" with the filesize flag to save each file at a size of 15 KB, and the autostop argument with the files option to stop the capture process after generating three files.

ubuntu@ubuntu:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a files:2 -w /tmp/test_capture.pcap

I have split my terminal into two screens to actively monitor the creation of three .pcap files.

Go to your /tmp folder and use the following command in the second terminal to monitor updates after every one second.

ubuntu@ubuntu:~$ watch -n 1 "ls -lt"

Now, you do not need to memorize all these flags. Instead, type the command tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a in your terminal and press Tab. The list of all available flags will appear on your screen.

ubuntu@ubuntu:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a
duration: files: filesize:
ubuntu@ubuntu:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a

Reading .pcap Files:

Most importantly, you can use the "-r" parameter to read the test_capture.pcap file and pipe the output to the head command.

ubuntu@ubuntu:~$ tshark -r /tmp/test_capture.pcap | head

The information displayed in the output can be a bit overwhelming. To avoid unnecessary details and focus on a specific destination IP address, we use the "-r" option to read the packet capture file together with an ip.dst display filter, and redirect the matching packets to a new file with the "-w" option. This allows us to review the file and refine our analysis by applying further filters.

ubuntu@ubuntu:~$ tshark -r /tmp/test_capture.pcap -w /tmp/redirected_file.pcap ip.dst==216.58.209.142
ubuntu@ubuntu:~$ tshark -r /tmp/redirected_file.pcap|head
1 0.000000000 10.0.2.15 → 216.58.209.142 TLSv1.2 370 Application Data
2 0.000168147 10.0.2.15 → 216.58.209.142 TLSv1.2 669 Application Data
3 0.011336222 10.0.2.15 → 216.58.209.142 TLSv1.2 5786 Application Data
4 0.016413181 10.0.2.15 → 216.58.209.142 TLSv1.2 1093 Application Data
5 0.016571741 10.0.2.15 → 216.58.209.142 TLSv1.2 403 Application Data
6 0.016658088 10.0.2.15 → 216.58.209.142 TCP 7354 [TCP segment of a reassembled PDU]
7 0.016738530 10.0.2.15 → 216.58.209.142 TLSv1.2 948 Application Data
8 0.023006863 10.0.2.15 → 216.58.209.142 TLSv1.2 233 Application Data
9 0.023152548 10.0.2.15 → 216.58.209.142 TLSv1.2 669 Application Data
10 0.023324835 10.0.2.15 → 216.58.209.142 TLSv1.2 3582 Application Data

Selecting Fields to Output:

The commands above output a summary of each packet that includes various header fields. tshark also lets you print only specified fields. To do so, we use "-T fields" and then pick the fields of our choice.

After the "-T fields" switch, we use the "-e" option for each field to print. The field names are the same ones used in Wireshark display filters.

ubuntu@ubuntu:~$ tshark -r /tmp/test_capture.pcap -T fields -e frame.number -e ip.src -e ip.dst | head

1 10.0.2.15 216.58.209.142
2 10.0.2.15 216.58.209.142
3 216.58.209.142 10.0.2.15
4 216.58.209.142 10.0.2.15
5 10.0.2.15 216.58.209.142
6 216.58.209.142 10.0.2.15
7 216.58.209.142 10.0.2.15
8 216.58.209.142 10.0.2.15
9 216.58.209.142 10.0.2.15
10 10.0.2.15 115.186.188.3

Capture Encrypted Handshake Data:

So far, we have learned to save and read output files using various parameters and filters. We will now use tshark to see how an HTTPS session is initialized. Websites accessed via HTTPS instead of HTTP ensure secure, encrypted data transmission over the wire. For secure transmission, Transport Layer Security (TLS) starts with a handshake that kicks off the communication between the client and the server.

Let’s capture and understand the TLS handshake using tshark. Split your terminal into two screens and use a wget command to retrieve an html file from https://www.wireshark.org.

ubuntu@ubuntu:~$ wget https://www.wireshark.org
--2021-01-09 18:45:14-- https://www.wireshark.org/
Connecting to www.wireshark.org (www.wireshark.org)|104.26.10.240|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 46892 (46K), 33272 (32K) remaining [text/html]
Saving to: ‘index.html’
index.html 100%[++++++++++++++==================================>] 45.79K 154KB/s in 0.2s
2021-01-09 18:43:27 (154 KB/s) - ‘index.html’ saved [46892/46892]

In another screen, we use tshark to capture the first 11 packets with the "-c" parameter. While performing analysis, timestamps are important to reconstruct events, hence we use "-t ad" so that tshark prints an absolute date and time alongside each captured packet. Lastly, we use the host capture filter to capture only the packets to or from the web server's IP address.

This handshake is quite similar to the TCP handshake. As soon as the TCP three-way handshake concludes in the first three packets, the fourth to ninth packets follow a somewhat similar handshake ritual and carry the TLS messages that set up encrypted communication between both parties.

ubuntu@ubuntu:~$ tshark -i enp0s3 -c 11 -t ad host 104.26.10.240
Capturing on 'enp0s3'
1 2021-01-09 18:45:14.174524575 10.0.2.15 → 104.26.10.240 TCP 74 48512 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2488996311 TSecr=0 WS=128
2 2021-01-09 18:45:14.279972105 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
3 2021-01-09 18:45:14.280020681 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 2021-01-09 18:45:14.280593287 10.0.2.15 → 104.26.10.240 TLSv1 373 Client Hello
5 2021-01-09 18:45:14.281007512 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [ACK] Seq=1 Ack=320 Win=65535 Len=0
6 2021-01-09 18:45:14.390272461 104.26.10.240 → 10.0.2.15 TLSv1.3 1466 Server Hello, Change Cipher Spec
7 2021-01-09 18:45:14.390303914 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=320 Ack=1413 Win=63540 Len=0
8 2021-01-09 18:45:14.392680614 104.26.10.240 → 10.0.2.15 TLSv1.3 1160 Application Data
9 2021-01-09 18:45:14.392703439 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=320 Ack=2519 Win=63540 Len=0
10 2021-01-09 18:45:14.394218934 10.0.2.15 → 104.26.10.240 TLSv1.3 134 Change Cipher Spec, Application Data
11 2021-01-09 18:45:14.394614735 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [ACK] Seq=2519 Ack=400 Win=65535 Len=0
11 packets captured
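The summary above can be checked by script rather than by eye. The following Python example is added here and is not from the original article: it parses tshark's one-line output with "-t ad" timestamps, verifies that the TCP three-way handshake precedes the Client Hello, measures the time from SYN to the first server Application Data, and reads the negotiated version from the Server Hello rather than the Client Hello row (which tshark often labels TLSv1 because of the legacy record version). SAMPLE embeds the capture above as constructed input, and the function names are this example's own.

```python
"""Reconstruct a TCP + TLS handshake from tshark's one-line summaries.

Added example, not part of the original article. It parses the format tshark
prints with "-t ad" (absolute date-time stamps), checks that the TCP
three-way handshake precedes the Client Hello, and reads the negotiated TLS
version from the Server Hello, since the Client Hello record is often
labelled TLSv1 even when TLS 1.3 is negotiated. SAMPLE is the capture above,
embedded as constructed input (port-column arrows restored).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional

# num, timestamp, src -> dst, protocol, frame length, info ("→" or "->" between hosts).
SUMMARY_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+"
    r"(?:→|->)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$")

SAMPLE = """\
Capturing on 'enp0s3'
1 2021-01-09 18:45:14.174524575 10.0.2.15 → 104.26.10.240 TCP 74 48512 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2488996311 TSecr=0 WS=128
2 2021-01-09 18:45:14.279972105 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
3 2021-01-09 18:45:14.280020681 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 2021-01-09 18:45:14.280593287 10.0.2.15 → 104.26.10.240 TLSv1 373 Client Hello
5 2021-01-09 18:45:14.281007512 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [ACK] Seq=1 Ack=320 Win=65535 Len=0
6 2021-01-09 18:45:14.390272461 104.26.10.240 → 10.0.2.15 TLSv1.3 1466 Server Hello, Change Cipher Spec
7 2021-01-09 18:45:14.390303914 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=320 Ack=1413 Win=63540 Len=0
8 2021-01-09 18:45:14.392680614 104.26.10.240 → 10.0.2.15 TLSv1.3 1160 Application Data
9 2021-01-09 18:45:14.392703439 10.0.2.15 → 104.26.10.240 TCP 54 48512 → 443 [ACK] Seq=320 Ack=2519 Win=63540 Len=0
10 2021-01-09 18:45:14.394218934 10.0.2.15 → 104.26.10.240 TLSv1.3 134 Change Cipher Spec, Application Data
11 2021-01-09 18:45:14.394614735 104.26.10.240 → 10.0.2.15 TCP 60 443 → 48512 [ACK] Seq=2519 Ack=400 Win=65535 Len=0
11 packets captured
"""

def parse_ts(ts: str) -> float:
    """'2021-01-09 18:45:14.174524575' -> epoch seconds, nanosecond part kept."""
    whole, _, frac = ts.partition(".")
    base = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S").timestamp()
    return base + (int(frac) / 10 ** len(frac) if frac else 0.0)

@dataclass
class Packet:
    num: int
    ts: float
    src: str
    dst: str
    proto: str
    info: str

    @property
    def flags(self) -> str:
        """TCP flag set from the info column, e.g. 'SYN, ACK'; '' for non-TCP rows."""
        m = re.search(r"\[([^\]]+)\]", self.info) if self.proto == "TCP" else None
        return m.group(1) if m else ""

def parse_summary(text: str) -> List[Packet]:
    rows = [SUMMARY_RE.match(line) for line in text.splitlines()]
    return [Packet(int(m["num"]), parse_ts(m["ts"]), m["src"], m["dst"], m["proto"], m["info"])
            for m in rows if m]              # None rows: "Capturing on", "N packets captured"

def first(packets: List[Packet], pred: Callable[[Packet], object]) -> Optional[Packet]:
    return next((p for p in packets if pred(p)), None)

@dataclass
class HandshakeReport:
    tcp_handshake_ok: bool
    client_hello_frame: Optional[int]
    server_hello_frame: Optional[int]
    client_record_version: Optional[str]   # protocol column on the Client Hello
    negotiated_version: Optional[str]      # protocol column on the Server Hello
    handshake_seconds: Optional[float]     # SYN to first Application Data from the server
    findings: List[str]

def analyze(packets: List[Packet]) -> HandshakeReport:
    findings: List[str] = []
    # TCP: SYN, then SYN/ACK from the peer, then the client's ACK with Seq=1 Ack=1.
    syn = first(packets, lambda p: p.flags == "SYN")
    synack = first(packets, lambda p: p.flags == "SYN, ACK" and syn and p.src == syn.dst)
    ack = first(packets, lambda p: p.flags == "ACK" and synack and p.num > synack.num
                and p.src == syn.src and "Seq=1 Ack=1 " in p.info)
    if not all((syn, synack, ack)):
        findings.append("incomplete TCP three-way handshake")
    chello = first(packets, lambda p: p.info.startswith("Client Hello"))
    shello = first(packets, lambda p: p.info.startswith("Server Hello"))
    if chello and ack and chello.num < ack.num:
        findings.append("Client Hello seen before the TCP handshake completed")
    if chello is None or shello is None:
        findings.append("TLS handshake not completed in capture")
    version = shello.proto if shello else None      # never trust the Client Hello row
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"deprecated protocol negotiated: {version}")
    app = first(packets, lambda p: shello and p.num > shello.num and p.src == shello.src
                and "Application Data" in p.info)
    secs = app.ts - syn.ts if (app and syn) else None
    return HandshakeReport(all((syn, synack, ack)), chello.num if chello else None,
                           shello.num if shello else None, chello.proto if chello else None,
                           version, secs, findings)
```

Pipe the output of tshark -t ad into this script to get the same report for a live session; an empty findings list means a complete handshake on a current TLS version.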

Viewing Entire Packet:

The only disadvantage of a command-line utility is that it lacks a GUI, which becomes very handy when you need to search through a lot of internet traffic and which offers a Packet Details panel that shows all the packet details at a glance. However, it's still possible to inspect a packet and dump the entire packet information that the GUI panel would display.

To inspect an entire packet, we use the ping command with the "-c" option to send a single packet.

ubuntu@ubuntu:~$ ping -c 1 104.26.10.240
PING 104.26.10.240 (104.26.10.240) 56(84) bytes of data.
64 bytes from 104.26.10.240: icmp_seq=1 ttl=55 time=105 ms
--- 104.26.10.240 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 105.095/105.095/105.095/0.000 ms

In another window, use the tshark command with the additional "-V" flag to display the entire packet details. You can notice the various sections displaying Frame, Ethernet II, IPv4, and ICMP details.

ubuntu@ubuntu:~$ tshark -i enp0s3 -c 1 -V host 104.26.10.240
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Interface id: 0 (enp0s3)
Interface name: enp0s3
Encapsulation type: Ethernet (1)
Arrival Time: Jan 9, 2021 21:23:39.167581606 PKT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1610209419.167581606 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes (784 bits)
Capture Length: 98 bytes (784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6), Dst: RealtekU_12:35:02 (52:54:00:12:35:02)
Destination: RealtekU_12:35:02 (52:54:00:12:35:02)
Address: RealtekU_12:35:02 (52:54:00:12:35:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
Address: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.2.15, Dst: 104.26.10.240
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 84
Identification: 0xcc96 (52374)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64

Protocol: ICMP (1)
Header checksum: 0xeef9 [validation disabled]
[Header checksum status: Unverified]
Source: 10.0.2.15
Destination: 104.26.10.240
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x0cb7 [correct]
[Checksum Status: Good]
Identifier (BE): 5038 (0x13ae)
Identifier (LE): 44563 (0xae13)
Sequence number (BE): 1 (0x0001)
Sequence number (LE): 256 (0x0100)
Timestamp from icmp data: Jan 9, 2021 21:23:39.000000000 PKT
[Timestamp from icmp data (relative): 0.167581606 seconds]
Data (48 bytes)
0000 91 8e 02 00 00 00 00 00 10 11 12 13 14 15 16 17 ................
0010 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 ........ !"#$%&'
0020 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 ()*+,-./01234567
Data: 918e020000000000101112131415161718191a1b1c1d1e1f...
[Length: 48]

Conclusion:

The most challenging aspect of packet analysis is finding the most relevant information and ignoring the useless bits. Even though graphical interfaces are easy, they cannot contribute to automated network packet analysis. In this article, you have learned the most useful tshark parameters for capturing, displaying, saving, and reading network traffic files.

tshark is a very handy utility that reads and writes the capture files supported by Wireshark. The combination of display and capture filters contributes a lot when working on advanced-level use cases. We can leverage tshark's ability to print fields and manipulate data as per our requirements for in-depth analysis. In other words, it's capable of doing virtually everything that Wireshark does. Most importantly, it's perfect for sniffing packets remotely over SSH, which is a topic for another day.

Decrypting SSL/TLS Traffic with Wireshark https://linuxhint.com/decrypt-ssl-tls-wireshark/ Sat, 26 Dec 2020 11:06:09 +0000 https://linuxhint.com/?p=82990

In this article, we will set up Linux to capture HTTPS (Hypertext Transfer Protocol Secure) packets in Wireshark. Then we will try to decrypt the SSL (Secure Sockets Layer) encryption.

Note: decryption of SSL/TLS may not work properly in Wireshark. This is just a trial to see what is possible and what is not.

What are SSL, HTTPS, and TLS?

All three of these terms are interrelated. When only HTTP (Hypertext Transfer Protocol) is used, no transport layer security is applied and we can easily see the content of any packet. But when HTTPS is used, TLS (Transport Layer Security) is used to encrypt the data.

Simply put:

HTTP + (over) TLS/SSL = HTTPS

Note: HTTP sends data over port 80 but HTTPS uses port 443.

Screenshot for HTTP Data:

Screenshot for HTTPS Data:

Setting up Linux for SSL packet decryption

Step 1
Add the environment variable below to your .bashrc file: open .bashrc, add the line below at the end of the file, then save and close it.

export SSLKEYLOGFILE=~/.ssl-key.log

Now execute the command below to apply it.

source ~/.bashrc

Now run the command below to check the value of "SSLKEYLOGFILE":

echo $SSLKEYLOGFILE

Here is the screenshot for all the above steps

Step 2
The log file above does not exist yet. Create it with the command below.

touch ~/.ssl-key.log

Step 3
Launch the default installed Firefox and open any HTTPS site, like Linuxhint or Upwork.

Here I have taken the first example as upwork.com.

After the Upwork website has opened in Firefox, check the content of the log file.

Command:

cat ~/.ssl-key.log

If this file is empty then Firefox is not using this log file. Close Firefox.

Follow the below commands to install Firefox.

Commands:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/firefox-aurora
sudo apt-get update
sudo apt-get install firefox

Now launch Firefox again and check the content of the log file.

Command:

cat ~/.ssl-key.log

Now we can see a lot of information, like in the screenshot below. We are good to go.

Step 4
Now we need to add this log file inside Wireshark. Follow the path below:

Wireshark -> Edit -> Preferences -> Protocols -> SSL -> "Here provide your master secret log file path".

Follow the below screenshots for visual understanding.

After doing all these settings, click OK and start Wireshark capturing on the required interfaces.

Now the set up is ready to verify SSL decryption.
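Before pointing Wireshark at the key log, it helps to know what the file actually contains per session, since a session that was only half logged stays encrypted. The following Python script is an added example (not from the original article): it parses the NSS key log format that Firefox writes to SSLKEYLOGFILE and reports, per client random, whether Wireshark has the secrets it needs. SAMPLE_KEYLOG is constructed with dummy hex values, and the function names are this example's own.

```python
"""Inspect an SSLKEYLOGFILE (NSS key log format) and report which TLS
sessions Wireshark can decrypt with it.

Added example, not from the original article. Each entry reads
"<LABEL> <client_random hex> <secret hex>"; Wireshark looks up the client
random of a captured Client Hello here. A TLS 1.2 session needs one
CLIENT_RANDOM line; a TLS 1.3 session needs handshake and traffic secrets
for both directions, which is why a half-logged session stays encrypted.
SAMPLE_KEYLOG is constructed with dummy hex values, not real secrets.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TLS12_LABEL = "CLIENT_RANDOM"
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_OPTIONAL = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}

# Constructed sample: a complete TLS 1.3 session (random 11..), a TLS 1.2 session
# (random 22..), a TLS 1.3 session whose traffic secrets never got logged (33..),
# and one malformed line, the way a hand-edited file might look.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "a1" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "a2" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "a3" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "a4" * 32,
    "EXPORTER_SECRET " + "11" * 32 + " " + "a5" * 32,
    "CLIENT_RANDOM " + "22" * 32 + " " + "b1" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "c1" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "c2" * 32,
    "CLIENT_RANDOM notahexvalue " + "d1" * 48,
    "",
])


@dataclass
class Session:
    client_random: str
    labels: Set[str] = field(default_factory=set)

    @property
    def version(self) -> str:
        return "TLS 1.3" if self.labels & (TLS13_REQUIRED | TLS13_OPTIONAL) else "TLS 1.2 or older"

    @property
    def missing(self) -> Set[str]:
        """Labels Wireshark still needs before it can decrypt application data."""
        if self.version == "TLS 1.3":
            return TLS13_REQUIRED - self.labels
        return set() if TLS12_LABEL in self.labels else {TLS12_LABEL}

    @property
    def decryptable(self) -> bool:
        return not self.missing


def _is_hex(s: str, nbytes: Optional[int] = None) -> bool:
    if len(s) % 2 or any(c not in "0123456789abcdefABCDEF" for c in s):
        return False
    return nbytes is None or len(s) == 2 * nbytes


def parse_keylog(text: str) -> Tuple[Dict[str, Session], List[str]]:
    """Return sessions keyed by lower-case client random, plus rejected line numbers."""
    sessions: Dict[str, Session] = {}
    rejected: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Every current label has three fields and a 32-byte client random.
        if len(parts) != 3 or not _is_hex(parts[1], 32) or not _is_hex(parts[2]):
            rejected.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, _secret = parts   # the secret itself is never printed
        key = client_random.lower()
        sessions.setdefault(key, Session(key)).labels.add(label)
    return sessions, rejected


def report(text: str) -> List[str]:
    """One line per session, in order of first appearance, then the rejected lines."""
    sessions, rejected = parse_keylog(text)
    lines = []
    for s in sessions.values():
        state = ("decryptable" if s.decryptable
                 else "NOT decryptable, missing " + ", ".join(sorted(s.missing)))
        lines.append(f"{s.client_random[:8]}... {s.version}: {state}")
    return lines + rejected


def covered(text: str, client_random_hex: str) -> bool:
    """Is the client random from a captured Client Hello fully covered by the log?"""
    s = parse_keylog(text)[0].get(client_random_hex.lower())
    return bool(s and s.decryptable)


if __name__ == "__main__":
    for line in report(SAMPLE_KEYLOG):
        print(line)
```

Run report() on the real ~/.ssl-key.log, and use covered() with the tls.handshake.random value of a Client Hello that stayed encrypted, to see whether the problem is the log rather than Wireshark.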

Wireshark Analysis

After Wireshark starts capturing, put filter as “ssl” so that only SSL packets are filtered in Wireshark.

Look at the screenshot below: we can see that HTTP2 (HTTPS) is now dissected for some packets that were shown only as SSL/TLS encrypted before.

Now we can see the "Decrypted SSL" tab in Wireshark, and the HTTP2 protocol data is visible. See the screenshot below for pointers.

Let’s see the differences between “Before SSL log file enabled” and “After SSL log file enabled” for https://linuxhint.com

Here is the screenshot for packets of Linuxhint when “SSL log was not enabled”

Here is the screenshot for packets of Linuxhint when “SSL log was enabled”

We can see the differences easily. In the second screenshot, we can clearly see the URL that was requested by the user.

https://linuxhint.com/bash_scripting_tutorial_beginners/\r\n

Now we can try other websites and observe whether this method works or not.

Conclusion

The above steps show how to set up Linux to decrypt SSL/TLS encryption. We can see it worked well, but some packets are still SSL/TLS encrypted. As I mentioned earlier, it may not work for all packets or completely. Still, it's good learning about SSL/TLS decryption.

WireShark in-depth Tutorial https://linuxhint.com/wireshark-in-depth-tutorial/ Tue, 24 Nov 2020 17:16:56 +0000 https://linuxhint.com/?p=78142

Wireshark is an open-source and free network traffic inspection tool. It captures and displays packets in real time for offline analysis, in a human-readable format with microscopic detail. It requires some sound knowledge of basic networking and is considered an essential tool for system administrators and network security experts.

Wireshark is the de facto go-to tool for many network tasks, ranging from network troubleshooting, security issue examination, inspecting the network traffic of a suspicious application, and debugging protocol implementations to learning network protocols.

The Wireshark project was initiated in 1998. Thanks to the voluntary contributions of networking experts around the globe, it continues to be updated for new technologies and encryption standards. Hence, it's by far one of the best packet analyzer tools and is used as a standard tool by various government agencies, educational institutes, and non-profit organizations.

The Wireshark tool is composed of a rich set of features. Some of them are the following:

  • Multiplatform: it is available for Unix, Mac, and Windows systems.
  • It captures packets from various network media, i.e., Wireless LAN, Ethernet, USB, Bluetooth, etc.
  • It opens packet files captured by other programs such as Oracle snoop and atmsnoop, Nmap, tcpdump, Microsoft Network Monitor, SNORT, and many others.
  • It saves and exports captured packet data in various formats (CSV, XML, plaintext, etc.).
  • It provides decryption support for protocols including SSL, WPA/WPA2, IPsec, and many others.
  • It includes capture and display filters.

However, Wireshark won’t warn you of any malicious activity. It will only help you inspect and identify what is happening on your network. Moreover, it will only analyze network protocol/activities and won’t perform any other activity like sending/intercepting packets.

This article provides an in-depth tutorial that begins with the basics (i.e., filtering, Wireshark network layers, etc.) and takes you into the depth of traffic analysis.

Wireshark Filters

Wireshark comes with powerful filter engines, Capture Filters and Display Filters, to remove noise from the network or already captured traffic. These filters narrow down the unrequired traffic and display only the packets that you want to see. This feature helps network administrators to troubleshoot the problems at hand.

Before going into the details of filters, in case you are wondering how to capture network traffic without any filter, you can either press Ctrl+E or go to the Capture menu on the Wireshark interface and click Start.

Now, let’s dig deep into the available filters.

Capture Filter

Wireshark lets you reduce the size of a raw packet capture with a Capture Filter: only the packet traffic that matches the filter is captured, and the rest is discarded. This feature helps you monitor and analyze the traffic of a specific application using the network.

Do not confuse this filter with display filters. It is not a display filter. This filter is set in the main window before you start the packet capture, and you cannot modify it while the capture is running.

You can go to the Capture option of the interface and select Capture Filters.

You will be prompted with a window, as shown in the snapshot. You can choose any filter from the list of filters or add/create a new filter by clicking on the + button.

Examples of the list of helpful Capture Filters:

  • host ip_address – captures only traffic to or from the specified IP address
  • net 192.168.0.0/24 – captures traffic to or from an IP address range/CIDR
  • port 53 – captures DNS traffic
  • tcp portrange 2051-3502 – captures TCP traffic in the port range 2051-3502
  • port not 22 and not 21 – captures all traffic except SSH and FTP

Display Filter

Display filters allow you to hide some packets from the already captured network traffic. These filters can be added above the captured list and can be modified on the fly. You can now control and narrow down the packets you want to concentrate on while hiding the unnecessary packets.

You can add filters in the display filter toolbar right above the first pane containing packet information. This filter can be used to display packets based on protocol, source IP address, destination IP address, ports, value and information of fields, comparison between fields, and a lot more.

That’s right! You can build a combination of filters using logical operators like ==, !=, ||, &&, etc.

Some examples of display filters of a single TCP protocol and a combination filter are shown below:

Network Layers in Wireshark

Other than packet inspection, Wireshark presents the OSI layers, which aids in the troubleshooting process. Wireshark shows the layers in reverse order, such as:

  1. Physical Layer
  2. Data Link Layer
  3. Network Layer
  4. Transport Layer
  5. Application Layer

Note that Wireshark does not always show the Physical layer. We will now dig into each layer to understand the important aspects of packet analysis and what each layer presents in Wireshark.

Physical Layer

The Physical layer, as shown in the following snapshot, presents the physical summary of the frame, such as hardware information. As a network administrator, you do not generally extract information from this layer.

Data Link Layer

The next layer, the data link layer, contains the source and destination network card addresses. It is relatively simple, as it only delivers the frame from the laptop to the router or the next adjacent device on the physical medium.

Network Layer

The network layer presents the source and destination IP addresses, IP version, header length, total packet length, and loads of other information.

Transport Layer

In this layer, Wireshark displays information about the transport layer, which consists of the SRC port, DST port, header length, and sequence number that changes for each packet.

Application Layer

In the final layer, you can see what type of data is being sent over the medium and which application is being used, such as FTP, HTTP, SSH, etc.

Traffic Analysis

ICMP Traffic Analysis

ICMP is used for error reporting and testing by determining whether the data reaches the intended destination on time or not. The ping utility uses ICMP messages to test the speed of the connection between devices and reports how long a packet takes to reach its destination and come back.

ping sends an ICMP echo request message to a device on the network, and the device responds with an ICMP echo reply message. To capture these packets in Wireshark, start the Capture function of Wireshark, open the terminal, and run the following command:

ubuntu$ubuntu:~$ ping google.com

Use Ctrl+C to terminate the packet capture process in Wireshark. In the snapshot below, you can notice that the number of ICMP packets sent equals the number of ICMP packets received, with 0% packet loss.

In the Wireshark capture pane, select the first ICMP_echo_request packet and observe the details by opening the middle Wireshark pane.

In the Network Layer, you can notice that the source (Src) is my ip_address, whereas the destination (Dst) ip_address belongs to a Google server, and the IP layer identifies the protocol as ICMP.

Now, we zoom into the ICMP packet details by expanding Internet Control Message Protocol and decode the highlighted boxes in the snapshot below:

  • Type: 8-bit field set to 8, meaning Echo request message
  • Code: always zero for ICMP packets
  • checksum: 0x46c8
  • Identifier Number (BE): 19797
  • Identifier Number (LE): 21837
  • Sequence Number (BE): 1
  • Sequence Number (LE): 256

The identifier and the sequence numbers are matched to aid in identifying the replies to echo requests. Similarly, before packet transmission, the checksum is computed and added to the field to be compared against the checksum in the received data packet.

Now, in the ICMP reply packet, notice the IPv4 layer. The source and destination addresses have swapped.

In the ICMP layer, verify and compare the following important fields:

  • Type: 8-bit field set to 0, meaning Echo reply message
  • Code: always 0 for ICMP packets
  • checksum: 0x46c8
  • Identifier Number (BE): 19797
  • Identifier Number (LE): 21837
  • Sequence Number (BE): 1
  • Sequence Number (LE): 256

You can notice that the ICMP reply echoes the same request checksum, identifier, and sequence number.
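As an added example (not code from the article), the following Python builds an ICMP echo request with the identifier and sequence values seen above (19797 and 1), parses it the way the Wireshark dissector presents it (identifier BE 19797 / LE 21837, sequence BE 1 / LE 256), verifies the checksum field, and matches a reply to its request. The payload is constructed, so the computed checksum differs from the 0x46c8 in the screenshot.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Build an echo request/reply: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)    # computed with the checksum field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode the fields Wireshark shows under Internet Control Message Protocol."""
    icmp_type, code, csum, ident_be, seq_be = struct.unpack("!BBHHH", packet[:8])
    # Wireshark shows both byte orders because ping implementations differ in
    # which order they write the identifier and sequence number.
    ident_le, seq_le = struct.unpack("<HH", packet[4:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        "identifier_be": ident_be,
        "identifier_le": ident_le,
        "sequence_be": seq_be,
        "sequence_le": seq_le,
        # Summing the whole message including the checksum field yields 0 when intact
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload": packet[8:],
    }


def reply_matches_request(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when type, identifier, sequence and payload line up."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (
        req["type"] == ICMP_ECHO_REQUEST
        and rep["type"] == ICMP_ECHO_REPLY
        and rep["checksum_ok"]
        and req["identifier_be"] == rep["identifier_be"]
        and req["sequence_be"] == rep["sequence_be"]
        and req["payload"] == rep["payload"]
    )


if __name__ == "__main__":
    # Constructed payload; real ping payloads carry a timestamp and a byte pattern
    request = build_echo(ICMP_ECHO_REQUEST, 19797, 1, b"constructed")
    reply = build_echo(ICMP_ECHO_REPLY, 19797, 1, b"constructed")
    print(parse_echo(request))
    print("reply matches request:", reply_matches_request(request, reply))
```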

HTTP Traffic Analysis

HTTP is the Hypertext Transfer Protocol, an application layer protocol. It is used by the world wide web and defines the rules for how an HTTP client and server transmit and receive HTTP commands. The most commonly used HTTP methods are POST and GET:

POST: this method is used to securely send confidential information to the server that doesn’t appear in the URL.

GET: this method is usually used to retrieve data from a web server via the URL in the address bar.

Before we dig deeper into HTTP packet analysis, we will first briefly demonstrate the TCP three-way-handshake in Wireshark.

TCP Three-Way-Handshake

In a three-way handshake, the client initiates a connection by sending a SYN packet and receives a SYN-ACK response from the server, which is then acknowledged by the client with an ACK. We will use the Nmap TCP connect scan command to illustrate the TCP handshake between client and server.

ubuntu$ubuntu:~$ nmap -sT google.com

In the Wireshark packet capture pane, scroll to the top of the window to notice the various three-way handshakes established on particular ports.

Use the tcp.port == 80 filter to see if the connection is established via port 80. You can notice the complete three-way-handshake, i.e., SYN, SYN-ACK, and ACK, highlighted at the top of the snapshot, illustrating a reliable connection.

HTTP Packet Analysis

For HTTP packet analysis, go to your browser, open the URL http://www.wafflemaker.com, and download the user’s guide PDF. In the meantime, Wireshark must be capturing all the packets.

Apply an HTTP filter and look for the HTTP GET request sent to the server by the client. To view an HTTP packet, select it, and expand the application layer in the middle pane. There can be a lot of headers in a request, depending upon the website and browser as well. We will analyze the headers present in our request in the snapshot below.

  • Request Method: the HTTP request method is GET
  • Host: identifies the name of the server
  • User-Agent: informs about the client-side browser type
  • Accept, Accept-Encoding, Accept-language: informs the server about the file type, accepted encoding at the client-side, i.e., gzip, etc., and the accepted language
  • Cache-Control: shows how the requested information is cached
  • Pragma: shows the cookie’s name and values the browser holds for the website
  • Connection: header that controls whether the connection stays open after the transaction

In the HTTP OK packet from server to client, observing the information in the Hypertext Transfer Protocol layer shows “200 OK“. This information indicates a normal successful transfer. In the HTTP OK packet, you can observe different headers in comparison to the HTTP GET packet. These headers contain information about the requested content.

  • Response Version: informs about the HTTP version
  • Status Code, Response Phrase: sent by the server
  • Date: the time when the server received the HTTP GET packet
  • Server: server details (Nginx, Apache, etc.)
  • Content-type: type of content (json, text/html, etc.)
  • Content-length: total length of content; our file is 39696 bytes

In this section, you have learned how HTTP works and what happens whenever we request content on the web.

Conclusion

Wireshark is the most popular and powerful network sniffer and analysis tool. It is widely used in day-to-day packet analysis tasks in various organizations and institutes. In this article, we have studied some beginner to intermediate level Wireshark topics in Ubuntu. We have learned the types of filters offered by Wireshark for packet analysis. We have covered the network layer model in Wireshark and performed in-depth ICMP and HTTP packet analysis.

However, learning and understanding the various aspects of this tool is a long, hard journey. Hence, there are a lot of other online lectures and tutorials available to help you with specific Wireshark topics. You can follow the official user guide available on the Wireshark website. Moreover, once you have built a basic understanding of protocol analysis, it is also advised to use a tool like Varonis that points you at potential threats and then use Wireshark to investigate for a better understanding.

Why does Wireshark say no interfaces found
https://linuxhint.com/wireshark-detecting-no-interfaces/ (Sun, 22 Nov 2020 12:04:40 +0000, https://linuxhint.com/?p=77794)

Wireshark is a very famous, open-source network capturing and analyzing tool. While using Wireshark, we may face many common issues. One of the common issues is “No Interfaces are listed in Wireshark”. Let’s understand the issue and find a solution in Linux OS. If you do not know the Wireshark basics, then check Wireshark Basic first, then come back here.

No Interfaces are listed in Wireshark:

Let’s see this issue and try to solve it.

Step1:

First of all, we need to see how many interfaces are there in our Linux PC.

We can use the command “ifconfig” to see a list of up interfaces in our Linux PC. So open a terminal (shortcut Alt+Ctrl+T) and run the command “ifconfig”.

Outputs:

It should list down all up interfaces. Here is the screenshot for the “ifconfig” output


Here we can see three interfaces, including loopback interface “lo”.

If we want to see all interfaces in our system, including down interfaces, then use the command “ifconfig -a”.

Step2:

Now launch Wireshark from the command line.

“wireshark”

Screenshot:

Output:


Now we do not see the interfaces that we have seen from the previous output of the “ifconfig” command. On the right side, we can see “All interfaces shown” is selected.

Then what is the issue? Why is Wireshark not able to detect the required interfaces?

Let’s see.

Step3:

Close Wireshark and come back to the terminal. Here we can see the user is a normal user [Example: “rian”], but we need to launch Wireshark in superuser mode; otherwise, Wireshark is not allowed to access the system interface list. Let’s try it out.

Type “su” and enter the root password.

Output:

Now we can see the prompt as “root@”. This means we are in root. Let’s try to launch Wireshark again from the terminal.

“wireshark”

Output:


All interfaces are listed down here on the Wireshark home page. Required interfaces are marked with a blue circle. These are the same interfaces that we have seen in the “ifconfig” command output.

In Linux, running Wireshark in sudo or superuser mode solves the problem.

We have seen it work in superuser mode. Let’s try whether “sudo” works or not.

Command sequences:

1. Close Wireshark and enter “exit” to come out from the root.

2. Type the command “sudo wireshark” and enter the password for user “rian”. No need of a root password.

Here is the screenshot for the above steps 1 and 2.

Here is the home screen of Wireshark

All interfaces are listed down here.

Capturing Test:

Note: “enp1s0” is an Ethernet interface, and “wlp2s0” is a Wi-Fi interface.

As we see, interfaces are listed down, so let’s try to capture in one interface to see if it’s working or not.

See the below screenshot and double-click on the first interface.


As soon as we double click on the “enp1s0” interface, it starts capturing. Here is the screenshot for live capturing on interface “enp1s0”


We can try on capturing other interfaces also to see if it’s working.

Now double click on “wlp2s0” to start capturing. Here is the screenshot for live capturing.


Conclusion

In this article, we have learned how to solve the problem when Wireshark cannot detect or list all interfaces on a Linux system. There are two ways to resolve this: either launch Wireshark in superuser mode or use sudo.

How to change time format in Wireshark
https://linuxhint.com/change-time-format-wireshark/ (Sun, 15 Nov 2020 08:13:46 +0000, https://linuxhint.com/?p=76761)

Wireshark is a popular network capturing and analysis tool. There are many options for doing better and quicker analysis. One of them is the time format in Wireshark. In this article, let’s understand how to use the time format in Wireshark.

Where is time in Wireshark capture?

Let’s open a saved capture to understand the time option in Wireshark. In the screenshot below, we can see that the second column is the time-related column.

Where is “Time Display Format” in Wireshark capture?

Now we can check what the “Time Display Format” in Wireshark is.
Go to View->Time Display Format. Here is the output

Meaning of each option:

To understand this, we will select one option and see the effect on Wireshark capture. Let’s label each option one number for easy understanding.

As we see, there are two sections

The First 1 to 10 options are for time display format, and the next 1 to 7 options are for the time unit.

Let’s keep option 1 of the second section constant (see the screenshot below) and make changes to the first 1-10 options.

Option 1:

Now we will see the date and time for each packet of Wireshark. Here is the output screen

Option 2:

Now we will see the year, day of the year, and time of the day. Here is the output screen

Option 3:

After selecting this option, we can see only the Time of the Day. No year is shown.

See the below screenshot.

Option 4:


This option shows the time in seconds in Epoch Time style. Here is the screenshot.

Option 5:


After selecting this option, the capture time of the first packet is set to 0.00 seconds, and each following packet shows how many seconds after that it was captured. So we will see the time increasing.

See the below screenshot.

Option 6:


This shows the time for each packet with reference to the previous capture packet. So we will see time as “Time delta from previously captured frame” second for the current packet.

See the below screenshot.

Option 7:


This option shows the time as “Time delta from previously displayed frame” in seconds for the current packet. Actually, “option 6” and “option 7” give the same result most of the time. That’s why we do not see any differences.

See the below screenshot.

Option 8:


This shows the time as UTC [Coordinated Universal Time] Date and Time of the day. This option is almost the same as “option 1,” but the Time of day is different.

See the below screenshot.

Option 9:


Now we will see UTC year, day of the year, and time of the day.

Here is the output screen

Option 10:


After selecting this option, we can see only UTC Time of Day. No year is shown here.

We are done with the first set of options. Now, let’s see how the time unit affects the Wireshark packet time.

Keep below time format constant

Option 1:


This gives the default Date and Time from capture.

See the below screenshot.

Option 2:


Now see the difference between option 1 and this option. We can see the time is shown only to the second.

Check the below screenshot.

Option 3:


This option shows “Tenths of a Second” for the time.

Check the below screenshot.

Option 4:


This option shows “Hundredths of Second” for time.

Check the below screenshot.

Option 5:


This shows the millisecond part after second. Look at the below screenshot.

Option 6:


Now we can see a microsecond part of the time. See the below screenshot.

Option 7:


This option enables a microsecond part of the time. See the below screenshot.

Check Box


As our current time format already includes hours and minutes, this check box has no effect.
So, we can use any combination of all these options.

Try one random combination:

Let’s see the effect of the below combination

Output [Look at Day Time column]:

Conclusion:

Now that we know the time formats and units, we may wonder what the use of all these different options is. They help with Wireshark capture analysis. We may need different time scales to see many factors in Wireshark captures. So, it’s all about quicker and better Wireshark capture analysis.

How to Use Wireshark to Search for a String in Packets
https://linuxhint.com/use_wireshark_search_string_packets/ (Sat, 07 Nov 2020 13:58:42 +0000, https://linuxhint.com/?p=75906)

In this article, you will learn how to search for strings in packets using Wireshark. There are multiple options associated with string searches. Before going further in this article, you should have a general knowledge of Wireshark Basic.

Assumptions

A Wireshark capture can be in one of two states: either saved/stopped or live. We can perform a string search in a live capture as well, but for a better and clearer understanding, we will use a saved capture to do this.

Step 1: Open Saved Capture

First, open a saved capture in Wireshark. It will look like this:

Step 2: Open Search Option

Now, we need the search option. There are two ways to open that option:

  1. Use the keyboard shortcut “Ctrl+F”
  2. Click “Find a packet” either from the toolbar icon or go to “Edit->Find Packet”

Check out the screenshots to view the second option.

Whichever option you use, the final Wireshark window will look like the screenshot below:

Step 3: Label Options

We can see multiple options (dropdowns, checkbox) inside the search window. You can label these options with numbers for easy understanding. Follow the screenshot below for numbering:

Label1
There are three sections in the dropdown.

  1. Packet list
  2. Packet details
  3. Packet bytes

From the below screenshot, you can see where these three sections in Wireshark are located:

Selecting one of these three sections means that the string search will be performed in that section only.

Label2
We will keep this option as the default, as it is the best for common searching. It is recommended to keep this option as the default unless it is required to change it.

Label3
By default, this option is unchecked. If “Case sensitive” is checked, then the string search will only find exact matches of the searched string. For example, if you search for “Linuxhint” and Label3 is checked, then this will not search for “LINUXHINT” in Wireshark capture.

It is recommended to keep this option unchecked unless it is required to change it.

Label4
This label has different types of searches, such as “Display filter,” “Hex value,” “String,” and “Regular Expression.” For the purposes of this article, we will select “String” from this dropdown menu.

Label5
Here, we need to enter the search string. This is the input for the search.

Label6
After the Label5 input is given, click the “Find” button to trigger the search.

Label7
If you click “Cancel,” then the search window will close, and you need to follow Step 2 again to get this search window back.

Step 4: Examples

Now that you understand the options for searching, let us try out some examples. Note that we have disabled the coloring rules to see the selected search packet more clearly.

Try1 [Options combination used: “Packet List” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Len=10”

Now, click “Find.” Below is the screenshot for the first click on “Find:”

As we have selected “Packet list,” the search was performed inside the packet list.

Next, we will click the “Find” button again to see the next match. This can be seen in the screenshot below. We did not mark any sections to allow you to understand how this search happens.

With the same combination, let us search the string: “Linuxhint” [To check not found scenario].

In this case, you can see the yellow-colored message at the left-bottom side of Wireshark, and no packet is selected.

Try2 [Options combination used: “Packet details” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Sequence number”

Now, we will click “Find.” Below is the screenshot for the first click on “Find:”

Here, the string found inside “packet details” was selected.

We will check the “Case sensitive” option and use the search string as a “Sequence Number,” keeping the other combinations as is. This time, the string will match the exact “Sequence Number.”

Try3 [Options combination used: “Packet bytes” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Sequence number”

Now, click “Find.” Below is the screenshot for the first click on “Find:”

As expected, the string search is happening inside the packet bytes.

Conclusion

Performing a string search is a very useful method that can be used to find a required string inside of a Wireshark packet list, packet details, or packet bytes. Good searching makes analysis of large Wireshark capture files easy.

How to Capture Wi-Fi Traffic Using Wireshark
https://linuxhint.com/capture_wi-fi_traffic_using_wireshark/ (Sat, 07 Nov 2020 10:16:42 +0000, https://linuxhint.com/?p=75862)

In this article, you will learn how to capture wireless frames using Wireshark in Linux (example: Ubuntu). To follow this article, you should first learn the basics of Wireshark in the Wireshark Basic article, and then you can come back here.

There are some steps to be followed to achieve this.

Setup Check

Below are the requirements for capturing Wi-Fi packets using Wireshark.

Wi-Fi Interface

To check whether you meet this requirement, open the terminal using the shortcut Alt+Ctrl+T and run the command “iwconfig.” This output should show if there is an operable Wi-Fi interface. The following screenshot shows the output of this command:

In this example “wlp2s0” is the interface name for the Wi-Fi card.

  • “IEEE 802.11” is the indication for the Wi-Fi interface.
  • By default, the mode is “Managed,” which means that it is a client or station mode.

Support for Monitor Mode

The Wi-Fi card must support monitor mode to be able to sniff out wireless packets. This is a must, or you cannot sniff wireless packets using Wireshark. Open the terminal and run the command “iw phy0 info” or “iw list.” There is a huge list of information available here, but we just have to check the section for “monitor.” If the device does not support monitor mode, then it will not be possible to sniff the wireless packet using Wireshark.

Check Wireshark Software

Open the terminal and run the command “wireshark --version.” If Wireshark is installed, then there should be a version name with many details, as in the following screenshot:

If it is not installed, then use the commands “apt-get update” and “apt-get install wireshark” to install Wireshark on your system.

Configuring Monitor Mode

In previous sections, you saw that the Wi-Fi interface default mode is “managed.” To capture a wireless packet, we need to convert the “managed” mode to “monitor” mode. There are different commands that you can use, but to use a simple method first, we will try using the “iwconfig” command to create monitor mode.

Let us assume that the name of the Wi-Fi interface is “wlp2s0,” as shown in the screenshot.

Step 1: Enter Superuser Mode

First, enter superuser mode; otherwise, we will not get permission to do this.

Command: “su”

Step 2: Create Monitor Mode

Command: “iwconfig wlp2s0 mode monitor”

Output: If the interface is up and active, you will get the “Device or resource busy” error.

So, make interface down using the following command.

Command: “ifconfig wlp2s0 down”

Then, execute the first command again.

Finally, check whether the interface is in monitor mode using the “iwconfig” command.

Here is the screenshot to explain all the above steps:

Step 3: Configure Wi-Fi Sniffing Channel

In wireless protocol, there are two radio frequency bands:

  1. 5GHz [Frequency range is 5180MHz – 5825MHz]
  2. 2.4GHz [Frequency range is 2412MHz – 2484MHz]

Wiki link for WLAN channels list: https://en.wikipedia.org/wiki/List_of_WLAN_channels

If your wireless card supports both 1 and 2, that means the Wi-Fi card can sniff channels in both bands. Let us see what our card supports.

Using the command “iw list,” we can check this capability. We are looking for the section below in the command output screenshot:

As you can see in the above list, this Wi-Fi chip supports only 2.4GHz [check the frequency range].

Each frequency is identified by a channel number, shown in square brackets in the iw output. For example, 2412MHz is channel 1.

Now, we need to configure one channel for our monitor mode interface. Let us try to set channel 11 [frequency is 2462MHz].

Command: “iwconfig wlp2s0 channel 11

If the above command outputs an error, bring the interface up [“ifconfig wlp2s0 up”] and then execute the “iwconfig wlp2s0 channel 11” command again. Finally, execute the “iwconfig” command to ensure that the channel is set properly.

The following screenshot explains the steps given above:
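As an added example (not the article’s own code), here is a small Python preflight check for Step 3: it parses the “Frequencies” section of iw list output (the sample text below is constructed, not the screenshot’s real list), checks that monitor mode is offered, and confirms the channel you intend to set, such as channel 11 at 2462MHz, is present and not disabled before you run iwconfig. The channel-to-frequency formulas are the standard 802.11 ones for the 2.4GHz and 5GHz bands.

```python
import re
from typing import Tuple

# Constructed sample of the relevant parts of `iw list` output for one band.
# Your card's real output will differ in which channels and flags it lists.
IW_LIST_SAMPLE = """\
	Band 1:
		Frequencies:
			* 2412 MHz [1] (20.0 dBm)
			* 2437 MHz [6] (20.0 dBm)
			* 2462 MHz [11] (20.0 dBm)
			* 2472 MHz [13] (20.0 dBm) (no IR)
			* 2484 MHz [14] (disabled)
		Supported interface modes:
			 * managed
			 * monitor
"""

# Matches e.g. "* 2462 MHz [11] (20.0 dBm)" -> frequency, channel, trailing flags
FREQ_LINE = re.compile(r"\*\s+(\d+)\s+MHz\s+\[(\d+)\](.*)")


def channel_to_frequency(channel: int) -> int:
    """802.11 channel number -> centre frequency in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # 2.4GHz: channel 1 -> 2412, channel 11 -> 2462
    if channel == 14:
        return 2484                    # channel 14 sits off the 5 MHz grid
    if 36 <= channel <= 165:
        return 5000 + 5 * channel      # 5GHz: channel 36 -> 5180, channel 165 -> 5825
    raise ValueError(f"unsupported channel {channel}")


def parse_iw_list(text: str) -> dict:
    """Return the channels the card lists and whether monitor mode is supported."""
    channels = {}
    for line in text.splitlines():
        m = FREQ_LINE.search(line)
        if m:
            mhz, chan, flags = int(m.group(1)), int(m.group(2)), m.group(3)
            # "disabled" channels cannot be selected at all; "no IR" only forbids
            # transmitting, so passive capture in monitor mode is still possible.
            channels[chan] = {"mhz": mhz, "usable": "disabled" not in flags}
    monitor = bool(re.search(r"^\s*\*\s*monitor\s*$", text, re.MULTILINE))
    return {"channels": channels, "monitor_mode": monitor}


def preflight(iw_output: str, wanted_channel: int) -> Tuple[bool, str]:
    """Decide whether `iwconfig <iface> channel <wanted_channel>` can succeed."""
    caps = parse_iw_list(iw_output)
    if not caps["monitor_mode"]:
        return False, "card does not list monitor mode; sniffing is not possible"
    info = caps["channels"].get(wanted_channel)
    if info is None:
        return False, f"channel {wanted_channel} is not offered by this card"
    if not info["usable"]:
        return False, f"channel {wanted_channel} is disabled by the regulatory domain"
    if info["mhz"] != channel_to_frequency(wanted_channel):
        return False, f"channel {wanted_channel} frequency does not match 802.11 numbering"
    return True, f"channel {wanted_channel} at {info['mhz']} MHz is available"


if __name__ == "__main__":
    for channel in (11, 14, 36):
        print(channel, preflight(IW_LIST_SAMPLE, channel))
```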

Step 4: Launch Wireshark and Start Capturing

Now, we are all set to capture wireless packets. You can start Wireshark in the background using the following command:

In the startup window of Wireshark, you should see the following screen. Here, you can see a list of interfaces.

Next, choose your monitor mode interface, which is “wlp2s0.” Select this interface and then double-click on it.

You can see that live capturing is currently going on.

The following include some hints about wireless packets:

You should see the protocol section, which generally shows 802.11, which is wireless IEEE standard.

You should also see the “Beacon,” “Probe Request,” and “Probe Response” frames under the info section of any frame.

If you wish to save the capture and check it later, then select “save” or “save as” and save it for later analysis.

As long as the interface is in monitor mode, you can capture wireless packets. Remember that if you reboot the system, the wireless interface will come up in “Managed” mode again.

Conclusion

In this article, you learned how to capture wireless packets using Wireshark in Linux. This is very easy to do in Linux using the built-in Wi-Fi card without installing any extra third-party software. You can make a shell script containing all these commands and run that single shell script to configure your system’s Wi-Fi card as monitor mode, set the preferred channel, and start using Wireshark.

Wireshark Network Forensic Analysis Tutorial
https://linuxhint.com/wireshark_network_forensic_analysis_/ (Tue, 01 Sep 2020 12:32:43 +0000, https://linuxhint.com/?p=66624)

Wireshark is an open-source network monitoring tool. We can use Wireshark to capture packets from the network and also to analyze an already saved capture. Wireshark can be installed through the below commands in Ubuntu.

$ sudo apt-get update [This is for updating Ubuntu packages]

$ sudo apt-get install wireshark [This is for installing Wireshark]

The above command should start the Wireshark installation process. If the below screenshot window occurs, we have to press “Yes”.

Once the installation is completed, we can check the Wireshark version using the below command.

$ wireshark --version

So, the installed Wireshark version is 2.6.6, but on the official download page [https://www.wireshark.org/download.html] we can see that the latest version is newer than 2.6.6.

To install the latest Wireshark version, follow the below commands.

$ sudo add-apt-repository ppa:wireshark-dev/stable
$ sudo apt-get update
$ sudo apt-get install wireshark

Or

We can install manually from the below link if the above commands do not help. https://www.ubuntuupdates.org/pm/wireshark

Once Wireshark is installed, we can start Wireshark from the command line by typing

“$ sudo wireshark”

Or

by searching from Ubuntu GUI.

Note that we will use the latest Wireshark [3.0.1] for further discussion, and there are very few differences between different versions of Wireshark. So not everything will match exactly, but the differences are easy to understand.

We can also follow https://linuxhint.com/install_wireshark_ubuntu/ if we need step by step Wireshark installation help.

Introduction to the Wireshark:

  • Graphical Interface and Panels:

Once Wireshark is launched, we can select the interface on which we want to capture; the Wireshark window looks like the one below.

Once we choose the correct interface for capturing, the whole Wireshark window looks like the one below.

There are three sections inside Wireshark

  • Packet List
  • Packet Details
  • Packet Bytes

Here is the screenshot for understanding


Packet List: This section displays all packets captured by Wireshark. We can see the protocol column for the type of packet.

Packet Details: Once we click on any packet from Packet List, packet details show supported networking layers for that selected packet.

Packet Bytes: For the selected field of the selected packet, the hex value (the default; it can be changed to binary as well) is shown under the Packet Bytes section in Wireshark.

  • Important Menus and Options:

Here is the screenshot from Wireshark.


Now there are many options, and most of them are self-explanatory. We will learn about those while doing analysis on captures.

Some important options are shown in the following screenshots.


TCP/IP Fundamentals:

Before doing packet analysis, we should be aware of the basics of networking layers [https://linuxhint.com/osi_network_layer_analsysis_wireshark/].

In general, there are 7 layers in the OSI model and 4 layers in the TCP/IP model, as shown in the below diagram.


But in Wireshark, we will see the below layers for any packet.


Each layer has its own job. Let’s have a quick look at each layer’s job.

Physical Layer: This layer transmits or receives raw binary bits over a physical medium such as an Ethernet cable.

Data Link Layer: This layer transmits or receives data frames between two connected nodes. It can be divided into two components, MAC and LLC. We can see the MAC address of the device in this layer. ARP works in the Data Link Layer.

Network Layer: This layer transmits or receives packets from one network to another. We can see the IP address (IPv4/IPv6) in this layer.

Transport Layer: This layer transmits or receives data from one device to another using a port number. TCP and UDP are transport layer protocols. We can see the port numbers used in this layer.

Application Layer: This layer is the closest to the user. Skype, mail services, etc. are examples of application layer software. Below are some protocols that run in the application layer:

HTTP, FTP, SNMP, Telnet, DNS, etc.

We will understand more while analyzing packets in Wireshark.
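To see what those layers look like in the raw bytes that the Packet Bytes pane shows, here is an added example (not code from the original article) that decodes one constructed Ethernet/IPv4/TCP frame the way Wireshark's Packet Details pane does, layer by layer. The frame, its addresses and its zeroed checksums are constructed for the example, not captured from a real network.

```python
"""Decode one constructed Ethernet/IPv4/TCP frame, layer by layer."""
import struct

# Constructed sample frame (not captured from a real network): a TCP SYN from
# 192.168.1.102:40000 to 93.184.216.34:80. Checksums are left as zero because
# this example only demonstrates field layout, not verification.
SAMPLE_FRAME = bytes.fromhex(
    "001ea65614c0"        # destination MAC (Ethernet header)
    "b827eb1234aa"        # source MAC
    "0800"                # EtherType 0x0800 = IPv4
    "4500002800010000"    # IPv4: ver/IHL, TOS, total length 40, id, flags/frag
    "4006"                # TTL 64, protocol 6 = TCP
    "0000"                # header checksum (zeroed in this constructed sample)
    "c0a80166"            # source IP 192.168.1.102
    "5db8d822"            # destination IP 93.184.216.34
    "9c40" "0050"         # TCP: source port 40000, destination port 80
    "00000001"            # sequence number
    "00000000"            # acknowledgement number
    "5002"                # data offset 5 (20 bytes), flags = SYN
    "ffff" "0000" "0000"  # window, checksum (zeroed), urgent pointer
)

# Bit positions of the TCP flags, lowest bit first
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Return a dict of the fields Wireshark shows in its Packet Details pane."""
    layers = {}
    # Data Link layer: 14-byte Ethernet II header
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"src": mac_str(src_mac), "dst": mac_str(dst_mac),
                          "type": ethertype}
    if ethertype != 0x0800:
        return layers  # only IPv4 is decoded in this example
    # Network layer: IPv4 header; IHL gives the header length in 32-bit words
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"version": ver_ihl >> 4, "src": ip_str(src),
                    "dst": ip_str(dst), "ttl": ttl, "protocol": proto,
                    "total_length": total_len}
    if proto != 6:
        return layers  # only TCP is decoded in this example
    # Transport layer: TCP header; data offset is in the high 4 bits of the 13th/14th byte
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                     "ack": ack, "window": window,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                     "payload_len": len(tcp) - data_offset}
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Each dictionary corresponds to one expandable line in the Packet Details pane; the MAC addresses belong to the Data Link layer, the IP addresses to the Network layer, and the ports and flags to the Transport layer, exactly as described above.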

Live Capture of network traffic

Here are the steps to capture on a live network:

Step1:

We should know where [which interface] to capture packets. Let’s consider the scenario of a Linux laptop which has an Ethernet NIC and a wireless card.

:: Scenarios ::

  • Both are connected and have valid IP addresses.
  • Only Wi-Fi is connected, but Ethernet is not connected.
  • Only Ethernet is connected, but Wi-Fi is not connected.
  • No interface is connected to the network.
  • OR there are multiple Ethernet and Wi-Fi cards.

Step2:

Open a terminal using Ctrl+Alt+T and type the ifconfig command. This command shows all interfaces that are up, with their IP addresses if any are assigned. We need to note the interface name. The screenshot below shows the scenario “Only Wi-Fi is connected, but Ethernet is not connected.”

Here is the screenshot of the “ifconfig” command, which shows that only the wlan0 interface has the IP address 192.168.1.102. That means wlan0 is connected to the network, but the Ethernet interface eth0 is not. So we should capture on the wlan0 interface to see some packets.

Step3:

Launch Wireshark, and you will see the interfaces list on the home page of Wireshark.

Step4:

Now click on the required interface, and Wireshark will start capturing.

See the screenshot to understand the live capture. Also, look for Wireshark’s “live capture in progress” indication at the bottom of the window.

Color coding of traffic in Wireshark:

We may have noticed from the previous screenshots that different types of packets have different colors. Color coding is enabled by default, and there is an option to enable or disable it. Look at the screenshot below.

Here is the screenshot when color coding is disabled.

Here is the setting for coloring rules at Wireshark

After clicking “Coloring Rules”, the window below will open.

Here we can customize the coloring rules for each protocol. But the default settings are good enough for capture analysis.

Saving Capture to a file

After stopping the live capture, here are the steps to save any capture.

Step1:

Stop the live capture by clicking the button marked in the screenshot below, or by using the shortcut “Ctrl+E”.

Step2:

Now, to save the file, go to File->Save or use the shortcut “Ctrl+S”.

Step3:

Enter the file name and click on Save.

Loading a Capture file

Step1:

To load any existing saved file, we have to go to File->Open or use the shortcut “Ctrl+O”.

Step2:

Then choose the required file from the system and click Open.

What important details can be found in packets that can help with forensic analysis?

To answer this question, we first need to know what kind of network attack we are dealing with. Different kinds of network attacks use different protocols, so we cannot name any fixed Wireshark packet field that identifies every issue. We will find this answer when we discuss each network attack in detail under “Network Attacks”.

Creating Filters on traffic type:

There may be many protocols in a capture, so if we are looking for any specific protocol like TCP, UDP, ARP, etc., we need to type the protocol name as a filter.

Example: To show all TCP packets, the filter is “tcp”.

For UDP filter is “udp”

Note that: After typing the filter, if the filter bar turns green, the filter is valid; otherwise it is an invalid filter.

Valid Filter:

Invalid Filter:


Creating filters on address:

There are two types of addresses we can think of in the case of networking.

1. IP address [Example: X = 192.168.1.6]

Requirement                          Filter
Packets where IP is X                ip.addr == 192.168.1.6
Packets where source IP is X         ip.src == 192.168.1.6
Packets where destination IP is X    ip.dst == 192.168.1.6

We can see more filters for ip by following the step shown in the screenshot below.

2. MAC address [Example: Y = 00:1e:a6:56:14:c0]

This is similar to the previous table.

Requirement                          Filter
Packets where MAC is Y               eth.addr == 00:1e:a6:56:14:c0
Packets where source MAC is Y        eth.src == 00:1e:a6:56:14:c0
Packets where destination MAC is Y   eth.dst == 00:1e:a6:56:14:c0

Like ip, we can also get more filters for eth. See the screenshot below.

Check the Wireshark website for all available filters. Here is the direct link:

https://www.wireshark.org/docs/man-pages/wireshark-filter.html

You can also check these links

https://linuxhint.com/filter_by_port_wireshark/

https://linuxhint.com/filter_by_ip_wireshark/

Identify a large amount of traffic being used and what protocol it’s using:

We can use Wireshark’s built-in statistics to find out which protocol has the most packets. This is needed because when a capture holds millions of packets and is huge in size, it is difficult to scroll through every packet.

Step 1:

First of all, the total number of packets in the capture file is shown at the bottom right.

See below screenshot

Step 2:

Now go to Statistics->Conversations

See below screenshot

Now the output screen will look like this.

Step 3:

Now let’s say we want to find out which IP addresses exchange the most packets over UDP. Go to the UDP tab and click on the Packets column so that the conversation with the most packets is displayed on top.

Look at the screenshot.

We can get the source and destination IP addresses that exchange the most UDP packets. The same steps can be used for other protocols such as TCP.
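The Conversations window is just an aggregation over the packet list. As an added example (not code from the original article), the following Python builds the same table from a handful of constructed packet records and sorts it by the Packets column; the addresses and byte counts are made up for the example.

```python
"""Conversation statistics, the way Statistics->Conversations summarises a capture."""
from collections import Counter

# Constructed packet records (not a real capture): (protocol, src_ip, dst_ip, length_in_bytes).
SAMPLE_PACKETS = [
    ("UDP", "192.168.1.102", "192.168.1.1", 70),
    ("UDP", "192.168.1.1", "192.168.1.102", 120),
    ("UDP", "192.168.1.102", "8.8.8.8", 64),
    ("UDP", "192.168.1.102", "192.168.1.1", 70),
    ("TCP", "192.168.1.102", "93.184.216.34", 74),
    ("TCP", "93.184.216.34", "192.168.1.102", 74),
    ("TCP", "192.168.1.102", "93.184.216.34", 66),
    ("UDP", "192.168.1.1", "192.168.1.102", 120),
]


def conversation_key(proto, a, b):
    """A conversation is direction-less: A->B and B->A land in the same row."""
    return (proto,) + tuple(sorted((a, b)))


def conversations(packets):
    """Return {key: {"packets": n, "bytes": n}} aggregated per conversation."""
    stats = {}
    for proto, src, dst, size in packets:
        row = stats.setdefault(conversation_key(proto, src, dst),
                               {"packets": 0, "bytes": 0})
        row["packets"] += 1
        row["bytes"] += size
    return stats


def top_conversations(packets, proto, limit=5):
    """Rows for one protocol tab sorted by packet count, like clicking the Packets column."""
    rows = [(key[1], key[2], row["packets"], row["bytes"])
            for key, row in conversations(packets).items() if key[0] == proto]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:limit]


def protocol_shares(packets):
    """Packets per protocol: the quick answer to 'which protocol dominates this capture?'"""
    return Counter(p[0] for p in packets)


if __name__ == "__main__":
    print(protocol_shares(SAMPLE_PACKETS))
    for address_a, address_b, packets, size in top_conversations(SAMPLE_PACKETS, "UDP"):
        print(f"{address_a:>15} <-> {address_b:<15} {packets:>4} packets {size:>6} bytes")
```

On a real capture the same counting is what makes one chatty pair stand out among millions of packets; once the top row is known, the address filters from the previous section narrow the packet list to just that conversation.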

Follow TCP Streams to see the full conversation

To see full TCP conversations, follow the steps below. This is helpful when we want to see what happens on one particular TCP connection.

Here are the steps.

Step1:

Right-click on a TCP packet in Wireshark, as in the screenshot below.

Step2:

Now go to Follow->TCP Stream.

Step3:

A new window opens showing the conversation. Here is the screenshot.

Here we can see the HTTP header information and then the content:

||--------Header--------||
POST /wireshark-labs/lab3-1-reply.htm HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://gaia.cs.umass.edu/wireshark-labs/TCP-wireshark-file1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=---------------------------7e2357215050a
Accept-Encoding: gzip, deflate
Host: gaia.cs.umass.edu
Content-Length: 152327
Connection: Keep-Alive
Cache-Control: no-cache
||-----Content-----||
Content-Disposition: form-data; name="file"; filename="alice.txt"
Content-Type: text/plain
ALICE'S ADVENTURES IN WONDERLAND
Lewis Carroll
THE MILLENNIUM FULCRUM EDITION 3.0
CHAPTER I
Down the Rabbit-Hole
Alice was beginning to get very tired of sitting by her sister
on the bank, and of having nothing to do: once or twice she had
peeped into the book her sister was reading, but it had no
pictures or conversations in it, `and what is the use of a book,'
thought Alice `without pictures or conversation?'
(output continues)

Now let’s go through some well-known network attacks in Wireshark and understand the pattern of each.

Network Attacks:

A network attack is a process of gaining access to other systems on a network and then stealing data without the victim’s knowledge, or injecting malicious code that leaves the victim’s system in a mess. In the end, the goal is to steal data and make use of it for a different purpose.

There are many types of network attacks; here we discuss some of the important ones. We have chosen the attacks below so that we cover different patterns of attack.

A. Spoofing/ Poisoning Attack (Example: ARP spoofing, DHCP spoofing, etc.)

B. Port Scan Attack (Example: Ping sweep, TCP Half-open, TCP full connect scan, TCP null scan, etc.)

C. Brute force Attack (Example: FTP username and password, POP3 password cracking)

D. DDoS Attack (Example: HTTP flood, SYN flood, ACK flood, URG-FIN flood, RST-SYN-FIN flood, PSH flood, ACK-RST flood)

E. Malware Attacks (Example: ZLoader, Trojans, Spyware, Virus, Ransomware, Worms, Adware, Botnets, etc.)

A. ARP Spoofing:

What is ARP Spoofing?

ARP spoofing is also known as ARP poisoning: the attacker makes the victim update its ARP entry with the attacker’s MAC address. It is like adding poison to a correct ARP entry. ARP spoofing is a network attack that allows the attacker to divert communication between network hosts. It is one of the methods for a man-in-the-middle (MITM) attack.

Diagram:

This is the expected communication between Host and Gateway.

This is the communication between Host and Gateway when the network is under attack.

Steps of ARP Spoofing Attack:

Step1: The attacker chooses one network and starts sending broadcast ARP requests to a sequence of IP addresses.

Wireshark Filter: arp.opcode == 1

Step2: The attacker checks for any ARP reply.

Wireshark Filter: arp.opcode == 2

Step3: If the attacker gets an ARP reply, the attacker sends an ICMP request to check the reachability of that host. Now the attacker has the MAC address of every host that sent an ARP reply. Also, the hosts that sent ARP replies update their ARP cache with the attacker’s IP and MAC, assuming that is the real IP and MAC address.

Wireshark Filter: icmp

Now, from the screenshot, we can say that any data sent from 192.168.56.100 or 192.168.56.101 to IP 192.168.56.1 will reach the attacker’s MAC address, which is claiming to be IP address 192.168.56.1.

Step4: After ARP spoofing, there may be multiple follow-on attacks, such as session hijacking or a DDoS attack. ARP spoofing is just the entry.

So, you should look for the patterns above to get hints of an ARP spoofing attack.

How to avoid it?

  • ARP spoofing detection and prevention software
  • Use HTTPS instead of HTTP
  • Static ARP entries
  • VPNs
  • Packet filtering
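The two filters above (arp.opcode == 1 and arp.opcode == 2) are what an analyst eyeballs; the checks behind them can be automated. The following is an added example (not code from the original article) that runs both checks over constructed ARP records: a station requesting many target IPs in sequence (Step 1), and one IP claimed by more than one MAC (the poisoned entry). The MAC addresses are made up; the IPs follow the scenario above, with 192.168.56.1 as the gateway being impersonated.

```python
"""ARP checks a defender can run over a capture: request sweeps and conflicting IP-to-MAC claims."""
from collections import defaultdict

# Constructed ARP records (not a real capture), one tuple per ARP packet:
# (opcode, sender_mac, sender_ip, target_ip); opcode 1 = request, 2 = reply.
SAMPLE_ARP = [
    # Step 1: one station walks a sequence of IPs with broadcast requests (arp.opcode == 1),
    # announcing the gateway's IP in every request's sender field.
    (1, "08:00:27:aa:aa:aa", "192.168.56.1", "192.168.56.100"),
    (1, "08:00:27:aa:aa:aa", "192.168.56.1", "192.168.56.101"),
    (1, "08:00:27:aa:aa:aa", "192.168.56.1", "192.168.56.102"),
    (1, "08:00:27:aa:aa:aa", "192.168.56.1", "192.168.56.103"),
    # Step 2: hosts that exist answer (arp.opcode == 2).
    (2, "08:00:27:bb:bb:bb", "192.168.56.100", "192.168.56.1"),
    (2, "08:00:27:cc:cc:cc", "192.168.56.101", "192.168.56.1"),
    # Ordinary traffic: a host asks for the gateway and the real gateway replies.
    (1, "08:00:27:bb:bb:bb", "192.168.56.100", "192.168.56.1"),
    (2, "08:00:27:dd:dd:dd", "192.168.56.1", "192.168.56.100"),
]


def request_sweeps(records, min_targets=3):
    """MACs that sent ARP requests for at least `min_targets` distinct target IPs."""
    targets = defaultdict(set)
    for opcode, sender_mac, _sender_ip, target_ip in records:
        if opcode == 1:
            targets[sender_mac].add(target_ip)
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= min_targets}


def conflicting_claims(records):
    """IPs that more than one MAC has claimed in the sender field of a request or reply.

    Requests count too: a request's sender fields are cached by the receiver just like
    a reply's, which is why a request sweep alone can poison ARP caches.
    """
    claims = defaultdict(set)
    for _opcode, sender_mac, sender_ip, _target_ip in records:
        claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def arp_spoof_report(records):
    """Both indicators together, as an analyst would combine the two arp filters."""
    return {"sweeps": request_sweeps(records), "conflicts": conflicting_claims(records)}


if __name__ == "__main__":
    print(arp_spoof_report(SAMPLE_ARP))
```

A conflict for the gateway's IP is the strongest signal: the MAC that the real gateway uses should never change between two replies. A sweep on its own is weaker evidence, since network scanners and some monitoring tools issue the same pattern, so both indicators are reported separately rather than merged into one verdict.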

B. Identify Port Scan attacks with Wireshark:

What is Port scanning?

Port scanning is a type of network attack where the attacker sends packets to different port numbers to detect the status of each port: open, closed, or filtered by a firewall.

How to detect Port scanning in Wireshark?

Step1:

There are many ways to look into Wireshark captures. Suppose we observe many consecutive SYN or RST packets in the capture. Wireshark Filter: tcp.flags.syn == 1 or tcp.flags.reset == 1

There is another way to detect it. Go to Statistics->Conversations->TCP [check the Packets column].

Here we can see many TCP conversations with different ports [look at Port B], but the packet counts are only 1/2/4.

Step2:

But no established TCP connection is observed. That is a sign of a port scan.

Step3:

From the capture below, we can see SYN packets were sent to port numbers 443, 139, 53, 25, 21, 445, 23, 143, 22, 80. As some of the ports [139, 53, 25, 21, 445, 443, 23, 143] were closed, the attacker [192.168.56.1] received RST+ACK. But the attacker received SYN+ACK from port 80 (packet number 3480) and port 22 (packet number 3478). This means ports 80 and 22 are open. But as the attacker was not interested in a TCP connection, it sent RST to port 80 (packet number 3479) and port 22 (packet number 3479).

Note that: The attacker can go through the TCP three-way handshake (shown below), but after that the attacker terminates the TCP connection. This is called a TCP full connect scan. It is another port scan mechanism, as opposed to the TCP half-open scan discussed above.

1. The attacker sends SYN.

2. The victim sends SYN+ACK.

3. Attacker sends ACK
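The manual checks above (many SYN/RST packets, many short conversations, SYN+ACK answered with RST instead of ACK) can be expressed as one piece of logic over TCP flags. The following is an added example (not code from the original article) that tracks each client stream and reports a source that probes many ports without ever holding a real session; it distinguishes the half-open pattern from a completed-then-torn-down full connect. The packets are constructed to mirror the ports in the capture above; the victim and legitimate-client addresses are made up.

```python
"""Port-scan indicators derived from TCP flags, the logic behind the manual checks above."""
from collections import defaultdict

# Constructed packets (not a real capture): (src_ip, dst_ip, src_port, dst_port, flags).
# Flags use Wireshark's letters: S=SYN, A=ACK, R=RST, P=PSH, F=FIN.
ATTACKER, VICTIM, USER = "192.168.56.1", "192.168.56.101", "192.168.56.50"


def _build_sample():
    pkts = []
    closed = [443, 139, 53, 25, 21, 445, 23, 143]
    for p in closed:                       # SYN answered by RST+ACK: port closed
        pkts += [(ATTACKER, VICTIM, 40000 + p, p, "S"),
                 (VICTIM, ATTACKER, p, 40000 + p, "RA")]
    for p in (80, 22):                     # SYN+ACK, then the client resets: half-open probe
        pkts += [(ATTACKER, VICTIM, 40000 + p, p, "S"),
                 (VICTIM, ATTACKER, p, 40000 + p, "SA"),
                 (ATTACKER, VICTIM, 40000 + p, p, "R")]
    # A legitimate client completing the handshake and exchanging data on port 80
    pkts += [(USER, VICTIM, 51000, 80, "S"), (VICTIM, USER, 80, 51000, "SA"),
             (USER, VICTIM, 51000, 80, "A"), (USER, VICTIM, 51000, 80, "PA"),
             (VICTIM, USER, 80, 51000, "PA"), (USER, VICTIM, 51000, 80, "FA"),
             (VICTIM, USER, 80, 51000, "FA"), (USER, VICTIM, 51000, 80, "A")]
    return pkts


SAMPLE_TCP = _build_sample()


def stream_states(packets):
    """Collapse packets into one record per client stream keyed (client, server, server_port)."""
    streams = {}
    for src, dst, sport, dport, flags in packets:
        if "S" in flags and "A" not in flags:          # a bare SYN identifies the client side
            key = (src, dst, dport)
            st = streams.setdefault(key, {"synack": False, "rst_from_server": False,
                                          "client_ack": False, "packets": 0})
        else:                                          # otherwise find the stream it belongs to
            key = (dst, src, sport) if (dst, src, sport) in streams else (src, dst, dport)
            st = streams.get(key)
            if st is None:
                continue                               # packet outside any tracked stream
        st["packets"] += 1
        from_server = (src == key[1] and sport == key[2])
        if from_server and "S" in flags and "A" in flags:
            st["synack"] = True                        # port answered: open
        elif from_server and "R" in flags:
            st["rst_from_server"] = True               # port refused: closed
        elif not from_server and "A" in flags and "S" not in flags and st["synack"]:
            st["client_ack"] = True                    # third step of the handshake
    return streams


def scan_report(packets, min_ports=5, max_packets_per_stream=4):
    """Flag clients that touch many ports with only short-lived streams; report per client."""
    per_client = defaultdict(lambda: {"ports": set(), "open": set(), "closed": set(),
                                      "half_open": 0, "full_connect": 0, "normal": 0})
    for (client, _server, port), st in stream_states(packets).items():
        rec = per_client[client]
        rec["ports"].add(port)
        if st["synack"]:
            rec["open"].add(port)
        elif st["rst_from_server"]:
            rec["closed"].add(port)
        if st["packets"] > max_packets_per_stream:
            rec["normal"] += 1                         # data flowed: a real session
        elif st["synack"] and not st["client_ack"]:
            rec["half_open"] += 1                      # SYN, SYN+ACK, then RST
        elif st["synack"] and st["client_ack"]:
            rec["full_connect"] += 1                   # handshake done, then torn down
    return {c: r for c, r in per_client.items()
            if len(r["ports"]) >= min_ports and r["normal"] == 0}


if __name__ == "__main__":
    for client, rec in scan_report(SAMPLE_TCP).items():
        print(client, "probed", len(rec["ports"]), "ports; open:", sorted(rec["open"]))
```

The thresholds are deliberately parameters: a busy web client legitimately opens dozens of streams to one server, but always on the same one or two ports and with data flowing, which is why the report keys on distinct destination ports and excludes any client that held a normal session.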

How to avoid it?

You can use a good firewall and an intrusion prevention system (IPS). The firewall controls which ports are visible, and the IPS can monitor whether a port scan is in progress and block the port before anyone gets full access to the network.

C. Brute force Attack:

What is the Brute Force Attack?

A brute force attack is a network attack where the attacker tries different combinations of credentials to break into a website or system. The combination may be a username and password or any other information that allows entry to the system or website. Here is a simple example: we often use very common passwords such as password or password123 for common usernames such as admin or user. So if the attacker tries some combinations of such usernames and passwords, this type of system can be broken easily. This is one simple example; things can get complex as well.

Now we take one scenario for the File Transfer Protocol (FTP), where a username and password are used to log in. The attacker can try multiple username and password combinations to get into the FTP system. Here is a simple diagram for FTP.

Diagram of a brute force attack on an FTP server:

Attacker  --- multiple wrong login attempts --->  FTP Server
Attacker  --- one successful login attempt  --->  FTP Server

From the diagram, we can see that the attacker tried multiple combinations of FTP usernames and passwords and succeeded after some time.

Analysis on Wireshark:

Here is the screenshot of the whole capture.

This is just the start of the capture, and we have highlighted one error message from the FTP server: “Login or password incorrect”. Before the FTP session there is a TCP connection, which is expected, and we will not go into details on that.

To see whether there is more than one failed login message, we can take the help of the Wireshark filter ftp.response.code == 530, which is the FTP response code for login failure. This code is highlighted in the previous screenshot. Here is the screenshot after applying the filter.

As we can see, there are a total of 3 failed login attempts to the FTP server. This indicates a brute force attack on the FTP server. One more point to remember: attackers may use a botnet, in which case we will see many different IP addresses. But here, in our example, we see only one IP address, 192.168.2.5.

Here are the points to remember to detect a brute force attack:

1. Login failure for one IP address.

2. Login failure for multiple IP addresses.

3. Login failure for an alphabetically sequential username or password.
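The three points above are what the ftp.response.code == 530 filter lets an analyst count by eye. As an added example (not code from the original article), the following Python pairs each USER command on the FTP control channel with the server's final reply and applies all three checks: repeated failures from one IP, failures spread over several IPs, and usernames tried in alphabetical order. The control-channel lines are constructed for the example; 192.168.2.5 follows the capture above, the other clients and the passwords are made up.

```python
"""FTP brute-force indicators from control-channel lines: the 530 check, automated."""
import re
from collections import defaultdict


def _attempt(client, user, password, code):
    """The four control lines of one login attempt (constructed sample data)."""
    reply = "530 Login or password incorrect." if code == 530 else "230 Login successful."
    return [(client, "C", f"USER {user}"), (client, "S", "331 Please specify the password."),
            (client, "C", f"PASS {password}"), (client, "S", reply)]


# Constructed FTP control-channel lines (not a real capture), in capture order:
# (client_ip, direction, line); "C" = client to server, "S" = server to client.
SAMPLE_FTP = [("192.168.2.5", "S", "220 FTP server ready.")]
for _pw, _code in (("password", 530), ("password123", 530), ("admin", 530), ("letmein", 230)):
    SAMPLE_FTP += _attempt("192.168.2.5", "admin", _pw, _code)   # one IP, repeated failures
for _user in ("aaron", "abby", "adam"):
    SAMPLE_FTP += _attempt("10.0.0.9", _user, _user, 530)        # alphabetical usernames
SAMPLE_FTP += _attempt("10.0.0.20", "carol", "wrong", 530)       # a user who mistyped once
SAMPLE_FTP += _attempt("10.0.0.20", "carol", "right", 230)


def login_attempts(lines):
    """Pair each USER with the server's 230/530 reply; return {client: [(user, code), ...]}."""
    attempts = defaultdict(list)
    pending = {}                                   # client -> username awaiting a final reply
    for client, direction, line in lines:
        if direction == "C":
            m = re.match(r"USER\s+(\S+)", line, re.IGNORECASE)
            if m:
                pending[client] = m.group(1)
            continue
        code = line[:3]
        # 331 is only the "send PASS" prompt; 230/530 decide the attempt. A 530 sent
        # before any USER (e.g. "please login") has nothing pending and is ignored.
        if client in pending and code in ("230", "530"):
            attempts[client].append((pending.pop(client), code))
    return attempts


def brute_force_report(lines, threshold=3):
    """Clients with at least `threshold` failures, with the signals an analyst looks for."""
    report = {}
    for client, tries in login_attempts(lines).items():
        failed = [user for user, code in tries if code == "530"]
        if len(failed) < threshold:
            continue
        distinct = list(dict.fromkeys(failed))     # usernames in order of first use
        report[client] = {
            "failed": len(failed),
            "succeeded": any(code == "230" for _, code in tries),
            "sequential_usernames": len(distinct) >= 3 and distinct == sorted(distinct),
            "usernames": distinct,
        }
    return report


if __name__ == "__main__":
    for client, rec in brute_force_report(SAMPLE_FTP).items():
        print(client, rec)
```

A client that fails repeatedly and then succeeds (the first case) deserves the most attention, because the account is now compromised; the report carries the succeeded flag for exactly that reason. With a botnet, each IP may stay under the threshold on its own, so the same counting should also be run with the username as the key.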

Types of Brute Force Attack:

1. Basic brute force attack

2. Dictionary attack

3. Hybrid brute force attack

4. Rainbow table attack

In the above scenario, we observed a “Dictionary attack” for cracking the FTP server username and password.

Popular tools used for brute force attack:

1. Aircrack-ng

2. John the Ripper

3. RainbowCrack

4. Cain and Abel

How to avoid Brute Force Attack?

Here are some points for any website, FTP server, or other network system to avoid this attack.

1. Increase password length.

2. Increase password complexity.

3. Add Captcha.

4. Use two-factor authentication.

5. Limit login attempts.

6. Lock any user who crosses the limit of failed login attempts.

D. Identify DDOS attacks with Wireshark:

What is DDOS Attack?

A distributed denial-of-service (DDoS) attack is a process of blocking legitimate network devices from getting service from a server. There are many types of DDoS attacks, such as an HTTP flood (application layer), a TCP SYN flood (transport layer), etc.

Example Diagram of an HTTP Flood:

Client (Attacker IP)  --- HTTP requests --->  HTTP SERVER
Client (Attacker IP)  --- HTTP requests --->  HTTP SERVER
Client (Attacker IP)  --- HTTP requests --->  HTTP SERVER
        ...  (many more attacker clients)
Client (Attacker IP)  --- HTTP requests --->  HTTP SERVER
Legitimate Client     --- HTTP GET Request -> HTTP SERVER

From the diagram above, we can see the server receives many HTTP requests and gets busy serving them. But when a legitimate client sends an HTTP request, the server is unavailable to reply to that client.

How to Identify HTTP DDoS attack in Wireshark:

If we open the capture file, there are many HTTP requests (GET/POST, etc.) from different TCP source ports.

Used filter: http.request.method == "GET"

Let’s see the captured screenshot to understand it better.

From the screenshot, we can see the attacker IP is 10.0.0.2, and it has sent multiple HTTP requests using different TCP port numbers. Now the server is busy sending HTTP replies to all those requests. This is the DDoS attack.

There are many types of DDoS attacks using different scenarios, such as SYN flood, ACK flood, URG-FIN flood, RST-SYN-FIN flood, PSH flood, ACK-RST flood, etc.

Here is the screenshot of a SYN flood to the server.

Note that: The basic pattern of a DDoS attack is multiple packets from the same IP or different IPs, using different ports, to the same destination IP at a high rate.
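That pattern (many packets per second and many different source ports towards one server) is measurable. As an added example (not code from the original article), the following Python computes, per source, the peak number of HTTP GETs or bare TCP SYNs inside a sliding one-second window and the number of distinct source ports used, and reports the sources that exceed a threshold. The events are constructed for the example; 10.0.0.2 follows the screenshot above, the other addresses and the timings are made up.

```python
"""Flood indicators: peak request rate per source and distinct source ports (HTTP GET or TCP SYN)."""
from collections import defaultdict, deque


def _build_sample():
    """Constructed events (not a real capture): (timestamp_ms, src_ip, src_port, kind),
    all towards one web server; kind is "GET" for HTTP requests, "SYN" for bare TCP SYNs."""
    events = []
    for i in range(60):                              # 10.0.0.2: 60 GETs in 3 s, new port each time
        events.append((100000 + i * 50, "10.0.0.2", 30000 + i, "GET"))
    for i in range(40):                              # 10.0.0.7: 40 SYNs in 0.4 s, never completes
        events.append((100000 + i * 10, "10.0.0.7", 40000 + i, "SYN"))
    for i in range(5):                               # 10.0.0.12: a browser loading one page
        events.append((100000 + i * 500, "10.0.0.12", 51000 + (i % 2), "GET"))
    return sorted(events)


SAMPLE_EVENTS = _build_sample()


def peak_rate(timestamps, window=1000):
    """Largest number of events inside any sliding window of `window` milliseconds."""
    recent = deque()
    best = 0
    for t in sorted(timestamps):
        recent.append(t)
        while recent and t - recent[0] > window:     # drop events older than the window
            recent.popleft()
        best = max(best, len(recent))
    return best


def flood_report(events, window=1000, min_rate=20):
    """Sources whose GET or SYN rate in any window reaches `min_rate`, with port spread."""
    per_src = defaultdict(lambda: {"GET": [], "SYN": [], "ports": set()})
    for ts, src, sport, kind in events:
        per_src[src][kind].append(ts)
        per_src[src]["ports"].add(sport)
    report = {}
    for src, rec in per_src.items():
        for kind in ("GET", "SYN"):
            rate = peak_rate(rec[kind], window)
            if rate >= min_rate:
                report.setdefault(src, {})[kind] = {
                    "peak_per_window": rate,
                    "distinct_ports": len(rec["ports"]),
                }
    return report


if __name__ == "__main__":
    for src, kinds in flood_report(SAMPLE_EVENTS).items():
        print(src, kinds)
```

The browser in the sample reuses a couple of ports and stays far below the rate threshold, which is the point of measuring both numbers: a single busy but legitimate client has a high rate only briefly and few ports, while a flood source shows both a sustained rate and a fresh port per request. For a distributed flood the same calculation is run with the destination as the key, since each individual source may stay under the threshold.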

How to stop the DDoS attack:

1. Immediately report to the ISP or Hosting provider.

2. Use the Windows firewall and contact your host.

3. Use DDoS detection software or routing configurations.

E. Identify Malware attacks with Wireshark:

What is Malware?

The word malware comes from “malicious software”. We can think of malware as a piece of code or software designed to do damage to systems. Trojans, spyware, viruses, and ransomware are different types of malware.

There are many ways malware gets into a system. We will take one scenario and try to understand it from a Wireshark capture.

Scenario:

Here in the example capture, we have two Windows systems with the IP addresses 10.6.12.157 and 10.6.12.203. These hosts are communicating with the internet. We can see some HTTP GET, POST, etc. operations. Let’s find out which Windows system got infected, or whether both did.

Step1:

Let’s look at some HTTP communication by these hosts.

After applying the filter below, we can see all HTTP GET requests in the capture:

http.request.method == "GET"

Here is the screenshot of the result after applying the filter.

Step2:

Now, out of these, the suspicious one is the GET request from 10.6.12.203, so we can follow the TCP stream [see the screenshot below] to find out more clearly.

Here are the findings from following the TCP stream:

Step3:

Now we can try exporting this june11.dll file from the pcap. Follow the steps in the screenshots below:

a.

b.

c. Now click on Save All and select destination folder.

d. Now we can upload the june11.dll file to the VirusTotal site and get the output as below.

This confirms that june11.dll is malware that was downloaded to the system [10.6.12.203].
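Export Objects, used in the steps above, just re-assembles the HTTP response body from the TCP stream and writes it out. The following is an added example (not code from the original article) that does the same for one constructed HTTP response: it honours Content-Length, flags a body that was cut short because the capture ended early, identifies the file type from its leading bytes, and produces the SHA-256 that a reputation service such as VirusTotal is queried with. The response, the filename and the eight-byte body are constructed for the example; the real june11.dll from the capture is not reproduced here, and responses using chunked transfer encoding are assumed absent.

```python
"""Export a file carried in an HTTP response and fingerprint it, as Export Objects does in the GUI."""
import hashlib
import re

# Constructed HTTP response (not the capture discussed above): the body is a few placeholder
# bytes standing in for a downloaded file, and the filename is made up for the example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"sample-object.bin\"\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)

# The same response with the stream cut short, as happens when the capture stopped early.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:-3]

# A few well-known leading bytes: enough to tell an executable from a document in the export list.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"PK": "ZIP container (also docx/xlsx/jar)",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "OLE2 document (legacy .doc/.xls)",
}


def parse_http_response(raw):
    """Split status line, headers and body; honour Content-Length and flag a short body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers["content-length"]) if "content-length" in headers else len(body)
    return {"status": lines[0], "headers": headers, "body": body[:declared],
            "complete": len(body) >= declared}


def identify(body):
    """Return a human-readable type for the body based on its leading bytes."""
    for magic, description in MAGIC.items():
        if body.startswith(magic):
            return description
    return "unknown"


def export_object(raw):
    """What the Export Objects list shows, plus a SHA-256 to look up in a reputation service."""
    parsed = parse_http_response(raw)
    m = re.search(r'filename="?([^";]+)"?', parsed["headers"].get("content-disposition", ""))
    return {"filename": m.group(1) if m else "object.bin",
            "size": len(parsed["body"]),
            "complete": parsed["complete"],
            "type": identify(parsed["body"]),
            "sha256": hashlib.sha256(parsed["body"]).hexdigest()}


if __name__ == "__main__":
    print(export_object(SAMPLE_RESPONSE))
    print(export_object(TRUNCATED_RESPONSE))
```

Hashing the exported bytes before uploading anything is the usual first step: a hash lookup reveals whether the sample is already known without handing the file itself to a third party. The complete flag matters for the same reason, since the hash of a truncated body will never match the real file.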

Step4:

We can use the below filter to see all http packets.

Used Filter: “http”

Now, after this june11.dll got into the system, we can see multiple POSTs from the 10.6.12.203 system to snnmnkxdhflwgthqismb.com. The user did not make these POSTs; the downloaded malware started doing this. It is very difficult to catch this type of issue at run time. One more point to notice: these POSTs are plain HTTP packets rather than HTTPS, but most of the time ZLoader traffic is HTTPS. In that case it is nearly impossible to see the content, unlike with HTTP.

This is the HTTP post-infection traffic for the ZLoader malware.

Summary of malware analysis:

We can say 10.6.12.203 got infected by downloading june11.dll, but we did not get any more information about 10.6.12.157 after that host downloaded the invoice-86495.doc file.

This is an example of one type of malware, but there are different types of malware that work in different ways. Each has a different pattern of damaging systems.

Conclusion and next learning steps in Network Forensic Analysis:

In conclusion, there are many types of network attacks. It is not easy to learn everything in detail for every attack, but we can learn the patterns of the well-known attacks discussed in this chapter.

In summary, here are the points we should know, step by step, to get the primary hints for any attack.

1. Know the basics of the OSI/TCP-IP layers and understand the role of each layer. Each layer has multiple fields, and each carries some information. We should be aware of these.

2. Know the basics of Wireshark and get comfortable using it, because some Wireshark options help us get the expected information easily.

3. Get an idea of the attacks discussed here and try to match their patterns with your real Wireshark capture data.

Here are some tips for the next learning steps in Network Forensic Analysis:

1. Try to learn the advanced features of Wireshark for quick analysis of large or complex files. All Wireshark documentation is easily available on the Wireshark website. This makes you stronger with Wireshark.

2. Understand different scenarios for the same attack. In this article we discussed port scanning using the TCP half-open and full connect scans as examples, but there are many other types of port scans, such as ARP scan, ping sweep, null scan, Xmas scan, UDP scan, and IP protocol scan.

3. Do more analysis on the sample captures available on the Wireshark website instead of waiting for a real capture to start analyzing. You can follow this link to download sample captures and try basic analysis.

4. There are other open-source Linux tools, such as tcpdump and Snort, which can be used for capture analysis along with Wireshark. But each tool has its own style of analysis, which we need to learn first.

5. Try to use some open-source tool to simulate a network attack, then capture and analyze it. This gives confidence, and we also become familiar with the attack environment.

How to Install and Configure Wireshark on Ubuntu 20.04 https://linuxhint.com/install_configure_wireshark_ubuntu/ Wed, 17 Jun 2020 12:04:18 +0000 https://linuxhint.com/?p=61663

Wireshark is one of the best freely available network protocol analyzers. Previously known as Ethereal, Wireshark is widely used by industries and educational institutes. Wireshark has a “live capturing” ability for packet investigation, and the output data is stored in XML, CSV, PostScript, and plain text documents. This program is the most famous network protocol analyzer, and its purpose is to see what is happening around your network. Wireshark provides all the details you need to know about the packets in movement in your network.

Features

Wireshark contains several useful features, the foremost of which are listed below:

  • Inspecting thousands of protocols
  • New protocols being added with every update
  • Live-capturing of protocols with offline analysis
  • Three-way handshake
  • Maximum portability: runs on Solaris, Linux, Windows, MAC OS X, FreeBSD, and more
  • Analyzing VoIP protocols
  • Reads data from many platforms, i.e., Wi-Fi, Ethernet, HDLC, ATM, USB, Bluetooth, Frame Relay, Token Ring, and more
  • Results can be saved in CSV, XML, PostScript, and plain text documents
  • Reads and writes a wide variety of capture file formats

Installing Wireshark on Ubuntu 20.04

The Wireshark utility is available on all major desktop platforms, i.e., Linux, Microsoft Windows, FreeBSD, MacOS, Solaris, and many more. Follow the steps below to install Wireshark on Ubuntu 20.04.

Step 1: Update APT

First, as always, update and upgrade your APT packages with the following commands.

$ sudo apt update

$ sudo apt upgrade

Step 2: Download and Install Wireshark

Now that Wireshark’s latest version has been added to APT, you can download and install it with the following command.

$ sudo apt install wireshark

Step 3: Enable Root Privileges

When Wireshark is installed on your system, you will be prompted with the following window. As Wireshark requires superuser/root privileges to operate, this option asks whether to enable or disable permissions for all users on the system. Press the “Yes” button to allow other users, or press the “No” button to restrict other users from using Wireshark.

Step 4: (Optional) Reconfigure Permission Settings

If you have selected “No” in the above scenario, then you can change this selection again by executing the following command, which will reconfigure the Wireshark permission settings.

$ sudo dpkg-reconfigure wireshark-common

Select the “Yes” button to change the configuration settings to allow other users access to Wireshark.

You must add a username to the wireshark group so that this user can use Wireshark. To do this, execute the following command, putting your required username after “wireshark” in the command.

$ sudo usermod -aG wireshark younis

Step 5: Launch Wireshark

In the terminal window, type the following command to start the Wireshark application.

$ wireshark

Figure: Wireshark Welcome screen.

You can also open Wireshark through the Graphical User Interface (GUI) by opening the activities on the Ubuntu desktop, and in the search bar, type “Wireshark,” and click on the application result.

Figure: Search Wireshark in the search bar under the Activities menu.

Conclusion

This article provided a simple, easy tutorial for installing Wireshark. Wireshark is the best tool for network analysis and packet investigation, and is an open-source and freely available network analyzing tool.

How to Install Wireshark Package in Kali Linux 2020.1 https://linuxhint.com/install_wireshark_package_kali_linux/ Thu, 11 Jun 2020 04:38:55 +0000 https://linuxhint.com/?p=61143

The most famous network protocol analyzer is Wireshark. The purpose of this tool is to see what is happening around your network. Wireshark provides all the details about the packets in movement in your network. This is a standard tool in many educational institutes and industries.

Features


Wireshark contains several features; the main features are stated below:

  • Inspection of thousands of protocols
  • New features added with every update
  • Live capturing of protocols
  • Offline analysis
  • Three-way handshake
  • Maximum portability: Solaris, Linux, Windows, MAC OS X, FreeBSD, and other OS
  • Graphical interface and Terminal mode “tshark utility”
  • Analyzes VoIP protocols.
  • Multi-platform data reading: Wi-Fi, Ethernet, HDLC, ATM, USB, Bluetooth, Frame Relay, Token Ring, and more
  • Save results in CSV, XML, PostScript, and plain text documents
  • Read and write a wide variety of captured file formats

Figure 1 Wireshark

Wireshark in Kali

By default, Wireshark is included in full images of Kali Linux. However, in minor images, Wireshark must be installed manually. In this tutorial, we will show you a step-by-step method for installing Wireshark in Kali Linux.

Step 1: Update APT

Always update your APT before installing; make it a habit. The term “sudo” stands for root privileges, so the system will ask for the root password. Enter the password, and the update will start.

$ sudo apt update

Step 2: Install Wireshark

$ sudo apt-get install wireshark

Here, you will be asked whether you wish to install Wireshark. Type “y” and hit enter, and the installation will begin.

Step 3: Check Command

Type in the following two commands to check the Wireshark utility in the system.

$ wireshark -h
$ tshark -h

Figure 2 wireshark -h terminal command

Figure 3 tshark -h terminal command

Wireshark GUI

You can also check the graphical interface of Wireshark. Click on the Kali Whisker menu and, in the search bar, type Wireshark and hit enter. You will then be asked for the root password. Enter the password, and the Wireshark window will open. The following snapshots depict this process.

Figure 4 Wireshark GUI in Kali Whisker Menu

Figure 5 Kali GUI interface


Conclusion

I hope you found this an easy and simple tutorial for installing Wireshark. Wireshark is the best tool for network analysis and packet investigation. It is an open-source and freely available network analyzing tool.

How to install Wireshark in Debian https://linuxhint.com/install_wireshark_debian/ Wed, 25 Dec 2019 07:15:37 +0000 https://linuxhint.com/?p=52221

Wireshark is a packet analyzer that lets you configure a network device in promiscuous mode to see all traffic belonging to the scanned network. Wireshark can be used for troubleshooting, for detecting anomalies in traffic, for hacking purposes and for protocol development. It is available for Linux, Unix, Mac and Windows.

This tutorial shows how to install Wireshark on Debian 10 Buster and some basic functions, but does not go deeper into its usage; it is also useful for previous Debian versions and Debian-based distributions such as Ubuntu and Mint. While Wireshark can be installed from the repositories through apt or aptitude, its sources and versions for different OS (Operating Systems) are available at https://www.wireshark.org/download.html.

Installing Wireshark on Debian 10 Buster

To install Wireshark on Debian 10 Buster or previous Debian versions run:

$ apt install wireshark -y

Wireshark basics

To launch Wireshark, on the terminal just run:

$ wireshark

Note: don’t run Wireshark as root; execute it as an unprivileged user only. You don’t need to be the root user to capture packets over a network.

The following window will appear.

When launching Wireshark you’ll see two main menus:

And

On the first line you have menus with the following functionalities:

File: in addition to the usual options of any File menu, this one lets you export packets with different options, SSL session keys, and objects.

Edit: this menu lets you copy and find specific content, mark and ignore packets, and manage timing options and packet comments. Through this menu you can also set up different configuration profiles and edit preferences such as visual preferences, MAC and IP address resolution, and more.

View: this menu lets you configure different visual options such as menus, toolbars, zoom, and expand/collapse, among other aesthetic options.

Go: this menu contains options to browse packets.

Capture: from this menu you can start a Wireshark capture and configure options related to the capture of packets, such as filters, name resolution, interfaces, and output options.

Analyze: from this menu you can enable and disable protocol dissectors, decode some packets, and manage display filters.

Statistics: the Statistics menu lets you display the information in a variety of ways, including or discarding specific information.

Telephony: this menu contains options related to telephony such as VoIP, GSM, Osmux, RTP, SCTP, and more.

Wireless: this menu contains options related to Bluetooth and WLAN.

Tools: here you’ll find options related to stateless firewall rules and the Lua programming language.

Help: this menu contains helpful information on Wireshark.

The graphical toolbar below the menu bar explained above contains the following buttons:

This button starts a capture; the same action can also be found in the Capture menu described above.

This button stops the ongoing capture.

This button restarts the current capture.

This button opens the capture options described above.

This button opens capture files from previous sessions.

This button saves the current capture.

This button closes the current capture.

This button reloads the capture.

This button allows you to find packets.

This button moves to the previous packet.

This button moves to the next packet.

This button jumps to a specific packet.

This button moves to the first packet.

This button moves to the last packet.

This button enables automatic scrolling to the last packet while a capture is running.

This button colors packets according to the specified coloring rules.

This button zooms in on the fonts.

This button zooms out on the fonts.

This button restores the text font to its original size.

This button resizes the columns to fit their content.

Conclusion:

Wireshark offers a considerable number of options to configure filters, timing and output formats. It has a very friendly and intuitive graphical environment, but it can be used from the command line too through TShark, which is included in the package. It supports Ethernet, PPP, IEEE 802.11 and loopback network types. It can detect VoIP calls and in some cases decode their content, it can capture raw USB traffic, it allows you to create plugins for dissecting new protocols, and it can filter wireless connections when capturing through a wired router or switch. Some interesting Wireshark alternatives include Ettercap, Kismet, EtherApe, SmartSniff, CloudShark and Omnipeek; additional alternatives can be found online.

How to use Wireshark Basics https://linuxhint.com/wireshark_basics_how_to_use/ Fri, 13 Sep 2019 10:54:50 +0000 https://linuxhint.com/?p=47230

What is Wireshark?

Wireshark is an open source and free packet analyzer. It is one of the most widely used packet capture tools.

How to download and install Wireshark for different operating systems?

Wireshark can be downloaded freely from the official website.

Wireshark can be downloaded from the official Wireshark download page. For Windows and macOS an installer is downloaded and then installed. For Linux, Wireshark can also be installed from the command line. Here is the command for Ubuntu:

sudo apt-get install wireshark

Installers for operating systems other than these three can also be found on the official website.

Here is the screenshot for the download page

Intention of this article:

In this article we will learn how to use Wireshark for basic tasks. Here we have used Windows 10 and Wireshark version 3.0.1, so if you are using a different Wireshark version some options may be in different places.

Steps to work with Wireshark:

After Wireshark has been installed, we need to open the Wireshark application. Here is the screenshot of the first window of Wireshark with an explanation:

Now, how do we find out which interfaces are available?

For Windows: open the command line and run the command “ipconfig”.

Here is the screenshot for the ipconfig command

So the logic is: first check ipconfig for active interfaces, then open Wireshark to capture on an active interface. Follow the above screenshot to see which interface is active. Since we know that the Wi-Fi interface is active, we will capture on that interface. Just double click on that interface to capture packets. Here is the screenshot:

Here is the screenshot for live capturing

The Wireshark window has three main panes. Here is the screenshot [1, 2, 3]:


Here is the screenshot to show the overview of a clicked packet:

Coloring Rule: Here is the screenshot for default coloring rule for different types of packets:

Here is the screenshot with the coloring rules disabled:

Now we can customize coloring rule from View -> Coloring Rules. Here is the screenshot:

So now you can modify the coloring rules according to your needs.

Wireshark column: Here is the screenshot for Wireshark default columns:

Now, if we want to add the port number as a column, we have to follow the steps shown in the screenshot below:


There are many settings we can modify under Edit->Preferences. Here is the screenshot:

Here is the screenshot to show the important and useful options from preferences:


Here are some display filters from Wireshark. Analyze -> Display Filters

If you want to change the capture interface, use the option below:

Capture -> Options

Here is the screenshot for changing capturing interface:


After capturing is completed, it is recommended to save the capture for future analysis. Here is the screenshot for saving a capture:

If you try to capture on an interface where there are no packets, you will see the error message below after you stop the capture.

You will then be redirected to the main page to select the correct interface.


For capture analysis there is the Statistics menu. Here is the screenshot showing the important sub-menus.

Example: Here is the I/O graph, which shows the packet exchanges over time:

Here are the steps to extract HTTP objects such as images and text files from a capture:

You can get sample captures for your analysis from the Wireshark wiki page SampleCaptures.

Summary:

There are many options and ways to debug a capture with Wireshark. We have just discussed the basic and commonly used options. One more advantage of Wireshark is that it is open source, so you will find a solution for almost every issue on the internet.

How to Filter By Port in Wireshark https://linuxhint.com/filter_by_port_wireshark/ Sat, 07 Sep 2019 07:08:00 +0000 https://linuxhint.com/?p=46836

What is port filtering?

Port filtering is the way of filtering packets based on port number. To know more about filtering by IP in Wireshark, please follow the link below:
https://linuxhint.com/filter_by_ip_wireshark/

Intention of the article:

In this article we will try to understand some well-known ports through Wireshark analysis.

What are the important ports?

Port numbers are divided into three ranges. Here is the summary:

  • Ports 0 to 1023 are Well-Known Ports.
  • Ports 1024 to 49151 are Registered Ports.
  • Ports 49152 to 65535 are Public Ports.

Analysis in Wireshark:

Before we use a filter in Wireshark we should know which port is used by which protocol. Here are some examples:

Protocol    Application     Port Number
TCP         HTTP            80
TCP         FTP Data        20
TCP         FTP Control     21
TCP/UDP     Telnet          23
TCP/UDP     DNS             53
UDP         DHCP            67, 68
TCP         HTTPS           443

1. Port 80: Port 80 is used by HTTP. Let’s see one HTTP packet capture.

Here 192.168.1.6 is trying to access a web server where an HTTP server is running, so the destination port should be port 80. Now we put “tcp.port == 80” as the Wireshark filter and see only packets where the port is 80.

Here is the explanation screenshot

2. Port 53: Port 53 is used by DNS. Let’s see one DNS packet capture.

Here 192.168.1.6 is sending a DNS query, so the destination port should be port 53. Now we put “udp.port == 53” as the Wireshark filter and see only packets where the port is 53.

3. Port 443: Port 443 is used by HTTPS. Let’s see one HTTPS packet capture.

Now we put “tcp.port == 443” as Wireshark filter and see only HTTPS packets.

Here is the explanation with screenshot

4. Public/Registered port:

When we run plain UDP traffic through Iperf we can see that both the source and destination ports are taken from the registered/public ranges.

Here is the screenshot with explanation

5. Ports 67, 68: Ports 67 and 68 are used by DHCP. Let’s see one DHCP packet capture.

Now we put “udp.dstport == 67 || udp.dstport == 68” as Wireshark filter and see only DHCP related packets.

Here is the explanation with screenshot

Summary:

For port filtering in Wireshark you should know the port number.

If a protocol has no fixed port, the system uses registered or public ports. A port filter makes your analysis easier by showing only the packets to or from the selected port.

UDP Wireshark Analysis https://linuxhint.com/udp_wireshark_analysis/ Sat, 07 Sep 2019 06:51:31 +0000 https://linuxhint.com/?p=46864

What is UDP?

User Datagram Protocol (UDP) is the other well-known transport layer protocol besides TCP.
Below is the picture where UDP resides.

Intention of this article:

The intention of this article is to analyze UDP packets through Wireshark and understand the UDP header in practice. The differences between TCP and UDP can be read about on the internet.

Why UDP when we have TCP?

The basic reason is that UDP is a connectionless protocol, unlike TCP. This makes UDP faster than TCP, but UDP does not offer the strong reliability of TCP. So, in conclusion, when you can compromise some percentage of reliability but really want more speed, UDP is the transport layer protocol you should choose.

To understand more on TCP please follow below link:
https://linuxhint.com/tcp_packet_capture_analysis/

UDP header:

The UDP header is very simple and only 8 bytes long.

Source port: The source port number of the packet. Example: 4444.
Destination port: The destination port number of the packet. Example: 51164.
Length: The length of the UDP data + UDP header.
Checksum: The checksum is present to detect errors. Unlike TCP, checksum calculation is not mandatory in UDP (over IPv4). UDP provides no error control or flow control, so it depends on IP and ICMP for error reporting.
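As an added example (not from the original article), the following Python builds and decodes the 8-byte UDP header described above, including the optional checksum over the IPv4 pseudo-header; the addresses, ports and payload are constructed from the page's own example values.

```python
import socket
import struct

UDP_PROTO = 17

# Constructed sample matching the page's example ports (source 4444,
# destination 51164) and its Iperf hosts 192.168.1.6 -> 192.168.1.5.
SRC_IP, DST_IP = "192.168.1.6", "192.168.1.5"
SRC_PORT, DST_PORT = 4444, 51164
PAYLOAD = b"abcd"


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """UDP over IPv4 checksums a pseudo-header plus the whole segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, UDP_PROTO, len(segment))
    csum = ones_complement_checksum(pseudo + segment)
    return csum if csum else 0xFFFF          # 0 means "no checksum", so 0xFFFF is sent instead


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True) -> bytes:
    """Assemble a UDP segment; with_checksum=False leaves the field at 0 (absent)."""
    length = 8 + len(payload)                # header + data, as Wireshark's Length field
    header = struct.pack("!HHHH", sport, dport, length, 0)
    if with_checksum:
        csum = udp_checksum(src_ip, dst_ip, header + payload)
        header = struct.pack("!HHHH", sport, dport, length, csum)
    return header + payload


def parse_udp(src_ip, dst_ip, segment: bytes) -> dict:
    """Decode the 8-byte header and report the checksum state the way Wireshark does."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        raise ValueError(f"length field {length} != segment size {len(segment)}")
    if csum == 0:
        status = "absent"                    # allowed for UDP over IPv4
    else:
        pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
        pseudo += struct.pack("!BBH", 0, UDP_PROTO, length)
        # A valid segment (checksum field included) sums to all ones, i.e. complement 0.
        status = "good" if ones_complement_checksum(pseudo + segment) == 0 else "bad"
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "checksum_status": status, "data": segment[8:]}


if __name__ == "__main__":
    seg = build_udp(SRC_IP, DST_IP, SRC_PORT, DST_PORT, PAYLOAD)
    print(seg.hex(), parse_udp(SRC_IP, DST_IP, seg))
```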

UDP Applications:

There are many protocols that use UDP. Here are some examples:

  • DNS, DHCP, BOOTP, TFTP, RIP etc.
  • Real-time protocols that cannot tolerate delay.
  • Some multicast applications.

Packet Analysis:

Let’s send some UDP data using the Iperf network tool. Here is the setup diagram used for generating the UDP data

Here are the steps:

Step 1: Start Wireshark.
Step 2: Run the Iperf UDP server on the 192.168.1.5 system.
Step 3: Run the Iperf UDP client on the 192.168.1.6 system.
Step 4: Stop Wireshark.
Step 5: Analyze the captured packets.

Here is the top-level view of a UDP packet in Wireshark.

Now let’s look inside a UDP data packet. Here are the details of a UDP packet:

Note:
As UDP does not need any transport layer acknowledgement, the client will still be able to send data even if the Iperf server is not running, unlike TCP. So always check on the server side for UDP data.

Summary:

Key points for UDP are:

  1. There is no connection setup frame exchange for UDP.
  2. There is no transport layer ACK for a UDP packet.
  3. Depending on the application's needs, one can choose UDP.
OSI Network Layer Analysis via Wireshark https://linuxhint.com/osi_network_layer_analsysis_wireshark/ Wed, 21 Aug 2019 11:21:10 +0000 https://linuxhint.com/?p=45745

OSI model and TCP/IP model:

We all know that OSI (Open Systems Interconnection) is a reference model for how applications communicate over a network.

Here are the 7 layers according to OSI model:

Application Layer     [Layer 7]
Presentation Layer    [Layer 6]
Session Layer         [Layer 5]
Transport Layer       [Layer 4]
Network Layer         [Layer 3]
Data Link Layer       [Layer 2]
Physical Layer        [Layer 1]

There is another network model which is TCP/IP.

Here are the 4 layers according to TCP/IP model:

Application Layer     [Layer 4]
Transport Layer       [Layer 3]
Internet Layer        [Layer 2]
Network Access Layer  [Layer 1]

Relation between the OSI and TCP/IP models:

Below is the relation between the OSI model and the TCP/IP model.

OSI Model             TCP/IP Model
Application Layer     Application Layer
Presentation Layer
Session Layer
Transport Layer       Transport Layer
Network Layer         Internet Layer
Data Link Layer       Network Access Layer
Physical Layer

Now the question is: which model should we expect in Wireshark?

In Wireshark we actually observe the layers below:

Application Layer     [Layer 5]
Transport Layer       [Layer 4]
Network Layer         [Layer 3]
Data Link Layer       [Layer 2]
Physical Layer        [Layer 1]

Now we understand that the above layers are not exactly OSI or TCP/IP but a combination of both models.

Let’s look into a Wireshark capture to understand this better.

What do we see in Wireshark?

We will take some protocols as examples and understand the layers through Wireshark. The interesting part is that not every protocol has all the layers.

Note:

As Wireshark decodes packets starting at the Data Link layer, we will not always get physical layer information. In some cases the capturing adapter provides some physical layer information, which Wireshark can then display.

So here is the sequence of layers as seen in Wireshark:

Data Link Layer
Network Layer
Transport Layer
Application Layer

Note that Wireshark is just showing them in reverse order. If physical layer information is given to Wireshark, we should see the physical layer information on top of the Data Link layer. See the picture below.

Physical Layer
Data Link Layer
Network Layer
Transport Layer
Application Layer

HTTP [It has 4 layers]:

You can follow the link below to understand HTTP through Wireshark

https://linuxhint.com/http_wireshark/

Here is the screenshot of an HTTP packet where we can see 4 layers.

HTTP is an application layer protocol, so we see the application layer as well.

Now let’s see a transport layer protocol in Wireshark.

TCP [It has 3 layers]:

Here is the screenshot of a TCP packet where we can see 3 layers.

Let’s see an ICMP packet.

ICMP [It has 2 layers]:

Here is the screenshot of an ICMP frame where we can see 2 layers.

Now let’s see a wireless TCP frame where we can see physical layer information.

Wireless TCP [It has 4 layers]:

Here is the screenshot of a TCP frame where we can see 4 layers including physical layer.

As TCP is a transport layer protocol, we do not see any application layer protocol here.

Now let’s see a wireless capture for HTTP, where we hope to see all 5 layers including the application layer and the physical layer.

Wireless HTTP [It has all 5 layers]:

Here is the screenshot of an HTTP frame where we can see all 5 layers, including the application layer and the physical layer.

Summary:

In summary, depending on the protocol, different layers can be seen in Wireshark.

Reference:

If you want to know the job of each layer, follow the link below

https://en.wikipedia.org/wiki/OSI_model

ARP Packet Analysis with Wireshark https://linuxhint.com/arp_packet_analysis_wireshark/ Wed, 21 Aug 2019 11:11:29 +0000 https://linuxhint.com/?p=45733

What is ARP?

Address Resolution Protocol is generally used to find out a MAC address. ARP is a link layer protocol, used when IPv4 runs over Ethernet.

Why do we need ARP?

Let’s understand with a simple example.

We have one computer [PC1] with IP address 192.168.1.6 and we want to ping another computer [PC2] whose IP address is 192.168.1.1. We have PC1's MAC address but we do not know PC2's MAC address, and without the MAC address we cannot send any packet.

Now let’s see step by step.

Note: open the command prompt in administrator mode.

Step 1: Check the existing ARP entries on PC1. Execute arp -a in the command line to see the existing ARP entries.

Here is the screenshot

Step 2: Delete the ARP entries. Execute the arp -d command in the command line, then execute arp -a to make sure the ARP entries have been deleted.

Here is the screenshot

Step 3: Open Wireshark and start capturing on PC1.

Step 4: Execute the command below on PC1.

ping 192.168.1.1

Step 5: Now the ping should be successful.

Here is the screenshot

Step 6: Stop Wireshark.

Now we will check what happens in the background when we delete the ARP entry and ping a new IP address.

When we ping 192.168.1.1, before the ICMP request packet is sent there is an ARP request and ARP reply exchange. That is how PC1 got the MAC address of PC2 and was able to send the ICMP packet.

For more information on ICMP please see here

Analysis on Wireshark:

ARP packet types:

  1. ARP Request.
  2. ARP Reply.

There are two other types, RARP Request and RARP Reply, which are used only in specific cases.

Let’s come back to our experiment.

We pinged 192.168.1.1, so before sending the ICMP request PC1 should send a broadcast ARP request and PC2 should send a unicast ARP reply.

Here are important fields for ARP Request.

So we understand that the main intention of the ARP request is to get the MAC address of PC2.

Now let’s see ARP reply in Wireshark.

ARP reply is sent by PC2 after receiving ARP request.

Here are the important fields of ARP reply.

From this ARP reply we see that PC1 got PC2's MAC address and updated its ARP table.

Now ping should be successful as ARP has been resolved.

Here are the ping packets

Other important ARP packets:

RARP: It is the opposite of the normal ARP we have discussed. That means you have the MAC address of PC2 but you do not have the IP address of PC2. Some specific cases need RARP.

Gratuitous ARP: After a system gets an IP address, it is free to send a gratuitous ARP informing the network that it has this IP. This is to avoid IP conflicts in the same network.

Proxy ARP: From the name we can understand that one device sends an ARP request and gets an ARP reply, but not from the actual device. That means somebody sends the ARP reply on behalf of the original device. It’s implemented for security reasons.
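As an added example (not from the original article), the Python below builds the broadcast ARP request and unicast ARP reply from the PC1/PC2 experiment above, decodes the fields Wireshark shows, and classifies each frame as request, reply, gratuitous or RARP; the MAC addresses are made up for this example.

```python
import socket
import struct

# Constructed sample addresses for the page's scenario: PC1 (192.168.1.6)
# resolving PC2 (192.168.1.1). The MAC addresses are invented for this example.
PC1_MAC = bytes.fromhex("001122334455")
PC1_IP = "192.168.1.6"
PC2_MAC = bytes.fromhex("aabbccddeeff")
PC2_IP = "192.168.1.1"
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header (14 bytes) followed by a 28-byte IPv4-over-Ethernet ARP packet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += target_mac + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields Wireshark shows for an ARP packet and classify it."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    hw_type, proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    body = frame[22:42]
    sender_mac, sender_ip = body[0:6], socket.inet_ntoa(body[6:10])
    target_mac, target_ip = body[10:16], socket.inet_ntoa(body[16:20])

    kind = OPCODES.get(opcode, f"unknown({opcode})")
    # Gratuitous ARP: a host announces its own address (sender IP == target IP).
    if opcode in (1, 2) and sender_ip == target_ip:
        kind = "gratuitous"
    return {
        "kind": kind,
        "is_broadcast": dst_mac == BROADCAST,
        "src_mac": mac_str(src_mac),
        "sender_mac": mac_str(sender_mac), "sender_ip": sender_ip,
        "target_mac": mac_str(target_mac), "target_ip": target_ip,
    }


def resolve_from_capture(frames, ip: str):
    """Mimic the ARP table update: return the MAC that replied for `ip`, or None."""
    for f in frames:
        p = parse_arp_frame(f)
        if p["kind"] == "reply" and p["sender_ip"] == ip:
            return p["sender_mac"]
    return None


# The frames from the page's experiment, constructed here: a broadcast request
# from PC1 ("who has 192.168.1.1?"), the unicast reply from PC2, and a
# gratuitous announcement by PC1 of its own address.
ARP_REQUEST = build_arp_frame(BROADCAST, PC1_MAC, 1, PC1_MAC, PC1_IP, ZERO_MAC, PC2_IP)
ARP_REPLY = build_arp_frame(PC1_MAC, PC2_MAC, 2, PC2_MAC, PC2_IP, PC1_MAC, PC1_IP)
GRATUITOUS = build_arp_frame(BROADCAST, PC1_MAC, 1, PC1_MAC, PC1_IP, ZERO_MAC, PC1_IP)

if __name__ == "__main__":
    for f in (ARP_REQUEST, ARP_REPLY, GRATUITOUS):
        print(parse_arp_frame(f))
    print("192.168.1.1 is at", resolve_from_capture([ARP_REQUEST, ARP_REPLY], "192.168.1.1"))
```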

Summary:

ARP packets are exchanged in the background whenever we try to access a new IP address.

TCP Packet Capture Analysis https://linuxhint.com/tcp_packet_capture_analysis/ Mon, 19 Aug 2019 17:49:08 +0000 https://linuxhint.com/?p=45352

What is TCP?

TCP (Transmission Control Protocol) is a connection-oriented transport layer protocol.

Intention of this article:

Understanding the whole of TCP is not an easy task. In this article we will try to understand the basic packet exchanges of TCP through Wireshark. The theory can be read about on the internet; we will focus more on packet capture analysis.

Why is TCP so famous?

There are multiple reasons why TCP is so famous:

  1. TCP is a connection-oriented protocol, so reliability is very high.
  2. TCP can control congestion by itself.
  3. TCP can detect errors.
  4. TCP uses flow control.
  5. TCP has a delayed ACK feature.
  6. TCP has a selective ACK feature.
  7. TCP has a window scaling feature for throughput improvement.

There are so many other features that make TCP so famous.

Analysis of TCP:

We will follow some steps to generate TCP frames.

Step 1: The simplest way to generate TCP packets is to access any HTTP website. The reason is that HTTP is an application layer protocol and it uses TCP as the underlying transport layer protocol.

To know about HTTP, follow the link below

https://linuxhint.com/http_wireshark/

Step 2: Start Wireshark.

Step 3: Open below link in any browser.

http://gaia.cs.umass.edu/wireshark-labs/alice.txt

Step 4: Stop Wireshark and apply tcp as the display filter.

Step 5: Analysis

Now we should see TCP 3-way handshake packets. Here is the simple diagram.

Frame 1 : SYN [ Synchronization ]

SYN is the first packet; it comes from the client to the server. In our case 192.168.1.6 is the client [the system where we opened the browser] and gaia.cs.umass.edu is the server.

Here are some important fields in the SYN frame

The SYN frame is required to send the capabilities of the client to the server.

Frame 2 : SYN+ACK [ Synchronization + Acknowledgement ]

SYN, ACK is the second packet; it comes from the server to the client.

Here are some important fields in the SYN, ACK frame

The SYN, ACK frame is required to send the capabilities of the server to the client.

Now client and server have shared their capabilities.

Frame 3 : ACK [Acknowledgement ]

ACK is the third packet; it comes from the client to the server. This is basically an acknowledgement from client to server and also an acceptance of the capabilities sent by the server.

Here are the important fields for ACK.

Let’s check the important information shared between client and server:

                         Client                     Server
Receive Window Size      64240 Bytes                29200 Bytes
Maximum segment size     1460 bytes                 1412 bytes
SACK Permitted           Yes                        Yes
Window scale             8 (multiply by 256)        7 (multiply by 128)

Notice that the values differ. Once the client and server accept each other’s capabilities, the 3-way handshake is successful.

TCP Header:

Here are the important fields of the TCP header:

  1. Source port (16 bits): This is the sending port.
     Example: Source Port: 50026 (50026)
  2. Destination port (16 bits): This is the receiving port.
     Example: Destination Port: http (80)
  3. Sequence number (32 bits):
     • If the SYN bit is set [1], this is the initial sequence number.
     • If the SYN bit is not set [0], this is the accumulated sequence number of the first data byte of this segment.
     Example: Sequence number: 0    (relative sequence number)
  4. Acknowledgment number (32 bits): If the ACK flag is set, the value of this field is the next sequence number that the sender of the ACK is expecting.
     Example: Acknowledgment number: 0
  5. Header Length: The header size varies from a minimum of 20 bytes to a maximum of 60 bytes.
     Example: 1000 .... = Header Length: 32 bytes (8)
  6. Flags (9 bits):
     Example:
     000. .... .... = Reserved: Not set
     ...0 .... .... = Nonce: Not set
     .... 0... .... = Congestion Window Reduced (CWR): Not set
     .... .0.. .... = ECN-Echo: Not set
     .... ..0. .... = Urgent: Not set
     .... ...0 .... = Acknowledgment: Not set
     .... .... 0... = Push: Not set
     .... .... .0.. = Reset: Not set
     .... .... ..1. = Syn: Set
     .... .... ...0 = Fin: Not set
  7. Window size (16 bits): This is the size of the receive window in bytes.
     Example: Window size value: 64240
  8. Checksum (16 bits): It is used for error-checking of the header.
     Example: Checksum: 0x436f
  9. Urgent pointer (16 bits): This is an offset from the sequence number indicating the last urgent data byte.
     Example: Urgent pointer: 0
  10. Options:
     Example:
     TCP Option - Maximum segment size: 1460 bytes
     TCP Option - No-Operation (NOP)
     TCP Option - Window scale: 8 (multiply by 256)
     TCP Option - SACK permitted

Observation:

The TCP header size of the SYN is 32 bytes.

The TCP header size of the SYN, ACK is 32 bytes.

The TCP header size of the ACK is 20 bytes, as it has no option fields.
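As an added example (not from the original article), the Python below decodes a TCP header the way the field list and the header-size observation above describe it: the data offset, the 9 flag bits, and the TLV option list. The SYN segment is constructed from the page's own values (50026 -> 80, window 64240, checksum 0x436f, MSS 1460, window scale 8, SACK permitted); the two extra NOPs are an assumed padding that brings the header to 32 bytes.

```python
import struct

FLAG_NAMES = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]  # bit 8 .. bit 0
OPTION_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK_PERM", 5: "SACK", 8: "TS"}


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TLV option list; NOP is 1 byte, everything else is kind, length, value."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # End of option list
            opts.append(("EOL", None))
            break
        if kind == 1:                                   # No-Operation (padding)
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed option kind {kind} at offset {i}")
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        name = OPTION_KINDS.get(kind, f"kind{kind}")
        if name == "MSS" and length == 4:
            opts.append(("MSS", struct.unpack("!H", value)[0]))
        elif name == "WS" and length == 3:
            opts.append(("WS", value[0]))               # shift count
        elif name == "SACK_PERM" and length == 2:
            opts.append(("SACK_PERM", None))
        else:
            opts.append((name, value))
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP header as Wireshark presents it (data offset, 9 flag bits, options)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4                  # data offset is in 32-bit words
    if header_len < 20 or header_len > 60 or header_len > len(segment):
        raise ValueError(f"bad header length {header_len}")
    flag_bits = off_flags & 0x1FF                       # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    flags = {name: bool((flag_bits >> (8 - i)) & 1) for i, name in enumerate(FLAG_NAMES)}
    options = parse_tcp_options(segment[20:header_len])
    shift = next((v for k, v in options if k == "WS"), None)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_length": header_len, "flags": flags,
        "flag_names": ",".join(n for n in FLAG_NAMES if flags[n]),
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": options,
        "window_multiplier": (1 << shift) if shift is not None else None,
        "data": segment[header_len:],
    }


def build_syn_example() -> bytes:
    """Constructed SYN with the page's values: 50026 -> 80, window 64240, checksum 0x436f,
    options MSS 1460 / NOP / WS 8 / NOP / NOP / SACK permitted (12 option bytes)."""
    options = bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")
    data_offset = (20 + len(options)) // 4              # 8 words = 32 bytes
    off_flags = (data_offset << 12) | 0x002             # SYN bit only
    return struct.pack("!HHIIHHHH", 50026, 80, 0, 0, off_flags, 64240, 0x436F, 0) + options


def build_ack_example() -> bytes:
    """Constructed 20-byte pure ACK (no options), as in the page's observation."""
    return struct.pack("!HHIIHHHH", 50026, 80, 1, 1, (5 << 12) | 0x010, 64240, 0, 0)


if __name__ == "__main__":
    for seg in (build_syn_example(), build_ack_example()):
        info = parse_tcp(seg)
        print(info["flag_names"], info["header_length"], info["options"])
```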

TCP Data:

Here is the screenshot with an explanation of TCP data and TCP ACK. Here we can see the TCP delayed ACK feature: the server has sent three TCP data packets to the client and the client has sent one delayed ACK to tell the server that it has received all three. That’s why in the TCP ACK [packet number 96 in the screenshot] we see ACK=14121, which means the client has received bytes up to 14121.

Reference:

For the basic theory of TCP, refer to

https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Packet Filter Analysis for ICMP in Wireshark https://linuxhint.com/pack_filter_icmp_wireshark/ Mon, 12 Aug 2019 07:36:37 +0000 https://linuxhint.com/?p=44991

What is ICMP ?

ICMP, or Internet Control Message Protocol, is an Internet (network) layer protocol. In general it is used to check the reachability of a host or router in a network.

Who uses ICMP?

Ping and traceroute use ICMP as their underlying protocol. Ping uses ICMP echo request and ICMP echo reply messages to check whether the destination host is reachable or not.

Types of ICMP packet?

In general there are two types of ICMP packets:

  1. ICMP echo request messages.
  2. ICMP echo reply messages.

How to get ICMP packet in Wireshark?

Step 1: We can use the ping tool to generate ICMP requests and replies.

Step 2: Open the command line or terminal in Windows or Linux respectively.

Step 3: Run Wireshark.

Step 4: Run the command below

ping www.google.com

Make sure you have an internet connection or the ping will fail. Here is the snapshot for a successful ping to Google. We can see 0% loss, which means the number of ICMP request packets equals the number of ICMP reply packets.

Here are the more details:

In this case we pinged the Google web site. Instead we can also ping an IP address.

OR

ping 192.168.1.1 [This is my router IP address]

Here is successful ping to my router

Step5: Stop Wireshark and put “ICMP” as filter in Wireshark.

Analysis on ICMP:

Let’s check what happens in Wireshark when we ping to Google or 192.168.1.1.

Here are the ICMP request and reply packets for the Google ping.

Note: We have to apply the filter ‘icmp’ as we are interested only in ICMP packets.

Number of ICMP requests: From the capture we can see there are 4 ICMP request packets.

Check the marked packets.

Number of ICMP replies: From the capture we can see there are 4 ICMP reply packets.

Check the marked packets.

ICMP Request:

Now select ICMP request packet in Wireshark and look into IPv4 layer.

As this is an ICMP request packet, we can see the source IP is my system's IP address and the destination IP is one of Google's IP addresses. The IP layer also marks the protocol as ICMP.

Here is the screenshot

Now for the same packet select ICMP part in Wireshark.

We can see below important fields:

Type: 8 [Means it is an ICMP request]
Code: 0 [Always 0 for ICMP packets]
Identifier (BE): 1
Identifier (LE): 256
Sequence Number (BE): 6
Sequence Number (LE): 1536
*BE -> Big Endian
*LE -> Little Endian
Data -> Data present in the ICMP packet.

Here is the screenshot

ICMP Reply:

Now select ICMP reply packet in Wireshark and look into IPv4 layer.

As this is an ICMP reply packet, we can see the destination IP is my system's IP address and the source IP is one of Google's IP addresses. The IP layer also marks the protocol as ICMP.

Here is the screenshot

Now for the same packet select ICMP part in Wireshark.

We can see below important fields:

Type: 0 [Means it is an ICMP reply]
Code: 0 [Always 0 for ICMP packets]
Identifier (BE): 1
Identifier (LE): 256
Sequence Number (BE): 6
Sequence Number (LE): 1536
*BE -> Big Endian
*LE -> Little Endian
Data -> Data present in the ICMP packet.

Here is the screenshot

Now let’s see the ICMP request and ICMP reply side by side in a picture.

*Red means it’s different

*Green means it’s same.

Special observation:

Let’s look into the Identification field inside IPv4. We will see something interesting.

What happens if the IP address is not reachable:

Let’s ping some IP address which is not accessible. We will see the output below.

Here is the snapshot for Wireshark

That means we did not receive any ICMP reply for any ICMP request.
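As an added example (not from the original article), the Python below decodes the ICMP echo fields listed above, showing why Wireshark prints the identifier as 1 (BE) and 256 (LE) and the sequence as 6 (BE) and 1536 (LE), and then pairs requests with replies by (identifier, sequence) so that an unreachable target shows up as unanswered requests, as in the last experiment. The capture is constructed inline and the checksum field is left at zero and not validated.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Windows ping's default 32-byte payload, used here as constructed sample data.
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes = PING_DATA) -> bytes:
    """ICMP echo layout: type, code, checksum, identifier, sequence, data.
    The checksum is left at 0 in this constructed sample; it is not validated below."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode the fields shown in the article, including Wireshark's BE/LE views
    of Identifier and Sequence Number (the same two bytes read both ways)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    ident_be, seq_be = struct.unpack("!HH", packet[4:8])   # network byte order
    ident_le, seq_le = struct.unpack("<HH", packet[4:8])   # same bytes, little-endian
    kinds = {ECHO_REQUEST: "echo request", ECHO_REPLY: "echo reply"}
    return {
        "type": icmp_type, "kind": kinds.get(icmp_type, f"type {icmp_type}"),
        "code": code, "checksum": csum,
        "identifier_be": ident_be, "identifier_le": ident_le,
        "sequence_be": seq_be, "sequence_le": seq_le,
        "data": packet[8:],
    }


def pair_echo_packets(packets) -> dict:
    """Match requests to replies by (identifier, sequence), as ping itself does.
    Requests with no reply are what the capture shows when the target is unreachable."""
    requests, replies = {}, {}
    for p in packets:
        info = parse_icmp_echo(p)
        key = (info["identifier_be"], info["sequence_be"])
        if info["type"] == ECHO_REQUEST:
            requests[key] = info
        elif info["type"] == ECHO_REPLY:
            replies[key] = info
    # A reply counts only if it echoes the request's data back unchanged.
    answered = [k for k in requests if k in replies and requests[k]["data"] == replies[k]["data"]]
    unanswered = [k for k in requests if k not in replies]
    loss = round(100 * (1 - len(answered) / len(requests))) if requests else 0
    return {"sent": len(requests), "received": len(answered),
            "unanswered": unanswered, "loss_percent": loss}


# Constructed capture: identifier 1 / sequence 6 (the article's values) gets a reply;
# sequence 7 goes unanswered, as it would for an unreachable address.
CAPTURE = [
    build_echo(ECHO_REQUEST, 1, 6),
    build_echo(ECHO_REPLY, 1, 6),
    build_echo(ECHO_REQUEST, 1, 7),
]

if __name__ == "__main__":
    print(parse_icmp_echo(CAPTURE[0]))
    print(pair_echo_packets(CAPTURE))
```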

Simple Conclusion:

So if we want to check whether any IP or website is reachable or not, we can use ping or traceroute, which internally use the ICMP protocol.

Quick Reference:

If you are interested in the other types of ICMP, follow the link below

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

HTTP analysis using Wireshark https://linuxhint.com/http_wireshark/ Thu, 14 Feb 2019 07:13:29 +0000 https://linuxhint.com/?p=36559

What is HTTP?

First of all, HTTP stands for HyperText Transfer Protocol. HTTP is an application layer protocol in the OSI and TCP/IP models. See the picture below, which shows HTTP residing under the application layer.

HTTP is used by the World Wide Web (www) and it defines how messages are formatted and transmitted by the browser. So HTTP defines the rules for what action should be taken when a browser receives an HTTP response, and also the rules for transmitting an HTTP command to get data from the server.

For example, when you enter a URL in a browser (Internet Explorer, Chrome, Firefox, Safari etc.) it actually sends an HTTP command to the server, and the server replies with the appropriate response.

HTTP Methods:

HTTP/1.1 (the HTTP version) defines the following set of methods:

GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS and TRACE.

We will not go into the details of each method; instead we will get to know the methods that are seen quite often, such as:

GET: A GET request asks for data from the web server. This is the main method used for document retrieval. We will see one practical example of this method.

POST: The POST method is used when it is required to send some data to the server.

HTTP in Wireshark:

Let’s try something practical to understand how HTTP works.

So in this example we will download “alice.txt” (a data file present on the server) from the “gaia.cs.umass.edu” server.

Steps:

  1. Open the URL http://gaia.cs.umass.edu/wireshark-labs/alice.txt [We know the full URL for downloading alice.txt] in the computer's browser.
  2. Now we see the downloaded file in the browser. Here is the screenshot
  3. In parallel we have captured the packets in Wireshark.

HTTP packets exchanges in Wireshark:

Before we go into HTTP we should know that HTTP uses port 80 and TCP as transport layer protocol [We will explain TCP in another topic discussion].

Now let’s see what happens on the network when we put that URL in the browser and press enter.

Here is the screenshot for the sequence:

TCP 3-way handshake ——-> HTTP GET ——-> TCP Data [content of alice.txt] ——-> HTTP OK

Now let’s see what’s there inside HTTP GET and HTTP OK packets.

Note: We will explain TCP exchanges in another topic discussion.

HTTP GET:

After the TCP 3-way handshake [SYN, SYN+ACK and ACK packets] is done, the HTTP GET request is sent to the server. Here are the important fields in the packet.

1. Request Method: GET ==> The packet is an HTTP GET.

2. Request URI: /wireshark-labs/alice.txt ==> The client is asking for the file alice.txt present under /wireshark-labs

3. Request Version: HTTP/1.1 ==> It’s HTTP version 1.1

4. Accept: text/html, application/xhtml+xml, image/jxr, */* ==> Tells the server about the types of content it [the client-side browser] can accept. Here the client is expecting alice.txt, which is of text type.

5. Accept-Language: en-US ==> Accepted language standard.

6. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ==> Client-side browser type. Even though we used Internet Explorer, the User-Agent string almost always starts with Mozilla.

7. Accept-Encoding: gzip, deflate ==> Accepted encodings on the client side.

8. Host: gaia.cs.umass.edu ==> This is the web server name to which the client is sending the HTTP GET request.

9. Connection: Keep-Alive ==> Connection controls whether the network connection stays open after the current transaction finishes. The connection type is keep-alive.

Here is the screenshot for HTTP-GET packet fields

HTTP OK:

After the TCP data [content of alice.txt] has been transferred, Wireshark shows the HTTP OK response (reassembled from those TCP segments) to the client. Here are the important fields in the packet.
1. Response Version: HTTP/1.1 ==> The server is also using HTTP version 1.1
2. Status Code: 200 ==> Status code sent by the server.
3. Response Phrase: OK ==> Response phrase sent by the server.

So from 2 and 3 we get 200 OK, which means the request [HTTP GET] has succeeded.

4. Date: Sun, 10 Feb 2019 06:24:19 GMT ==> Current date and time in GMT when the HTTP GET was received by the server.
5. Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_perl/2.0.10 Perl/v5.16.3 ==> Server details and configuration versions.
6. Last-Modified: Sat, 21 Aug 2004 14:21:11 GMT ==> Last modified date and time for the file “alice.txt”.
7. ETag: “2524a-3e22aba3a03c0” ==> The ETag lets a client verify that the content has not changed, to assist caching and improve performance. When the content has changed, ETags are also useful to help prevent simultaneous updates of a resource from overwriting each other.
8. Accept-Ranges: bytes ==> Bytes are the unit the server uses for partial (range) requests on the content.
9. Content-Length: 152138 ==> This is the total length of alice.txt in bytes.
10. Keep-Alive: timeout=5, max=100 ==> Keep-alive parameters.
11. Connection: Keep-Alive ==> Connection controls whether the network connection stays open after the current transaction finishes. The connection type is keep-alive.
12. Content-Type: text/plain; charset=UTF-8 ==> The content [alice.txt] type is text and the charset standard is UTF-8.

Here is the screenshot for the different fields of the HTTP OK packet.

So now we know what happens when we request for any file that is present in web server.

Conclusion:

HTTP is a simple application protocol that we use every day in our lives. But it is not secure, so HTTPS has been implemented; that “S” stands for secure. That's why you see most web server names start with https://[websitename]. This means all communication between you and the server is encrypted. We will have a separate discussion on HTTPS in the future.

How to Filter By IP in Wireshark https://linuxhint.com/filter_by_ip_wireshark/ Fri, 04 Jan 2019 03:55:50 +0000 https://linuxhint.com/?p=34889

What is Wireshark?


Wireshark is a network packet capturing and analyzing tool. It is an open source tool. There are other networking tools, but Wireshark is one of the strongest among them. Wireshark can also be run on Windows, Linux, macOS and other operating systems.

What does Wireshark look like?

Here is a picture of Wireshark version 2.6.3 on Windows 10. The Wireshark GUI can differ depending on the Wireshark version.

Where to put a filter in Wireshark?

Look at the marked place in Wireshark where you can put a display filter.

How to put an IP address display filter in Wireshark?

There are different ways you can use an IP display filter.

  1. Source IP address:

Suppose you are interested in packets from a particular source IP address. Then you can use a display filter as below.

ip.src == X.X.X.X => ip.src == 192.168.1.199

Then you need to press Enter or Apply to get the effect of the display filter.

Check the picture below for this scenario.

  2. Destination IP address:

Suppose you are interested in packets which are destined for a particular IP address. Then you can use a display filter as below.

ip.dst == X.X.X.X => ip.dst == 192.168.1.199

Then you need to press Enter or Apply to get the effect of the display filter.

Check the picture below for this scenario.

  3. Just IP address:

Suppose you are interested in packets which have a particular IP address, where that IP address is either the source or the destination IP address. Then you can use a display filter as below.

ip.addr == X.X.X.X => ip.addr == 192.168.1.199

Then you need to press Enter or Apply [for some older Wireshark versions] to get the effect of the display filter.

Check the picture below for this scenario.

So when you put the filter “ip.addr == 192.168.1.199”, Wireshark will display every packet where Source IP == 192.168.1.199 or Destination IP == 192.168.1.199.

Another way to write the same filter is below.

ip.src == 192.168.1.199 || ip.dst == 192.168.1.199

See the screenshot below for the above display filter.

Note:

  1. Make sure the display filter background is green when you enter any filter; otherwise the filter is invalid.

Here is a screenshot of a valid filter.

Here is a screenshot of an invalid filter.

  2. You can do multiple IP filtering based on logical conditions [ || , && ]

OR condition:

(ip.src == 192.168.1.199 ) || ( ip.dst == 192.168.1.199)

AND condition:

(ip.src == 192.168.1.199) && (ip.dst == 192.168.1.1)
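As an added example, not from the original article, the following Python models how Wireshark evaluates these IP display filters over a few constructed packets; it also goes beyond the text to show why `ip.addr != X` does not exclude a host, whereas `!(ip.addr == X)` does.

```python
"""Model of how Wireshark evaluates IP display filters.

Added example, not from the original article. Packets are constructed dicts
carrying the fields Wireshark exposes as ip.src and ip.dst; each display
filter from the text is written as a Python predicate over such a packet.
"""

# Constructed sample capture: packet number, source, destination.
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.199", "ip.dst": "192.168.1.1"},
    {"no": 2, "ip.src": "192.168.1.1",   "ip.dst": "192.168.1.199"},
    {"no": 3, "ip.src": "192.168.1.50",  "ip.dst": "8.8.8.8"},
    {"no": 4, "ip.src": "192.168.1.199", "ip.dst": "192.168.1.50"},
]


def ip_src_eq(ip):
    """ip.src == ip"""
    return lambda p: p["ip.src"] == ip


def ip_dst_eq(ip):
    """ip.dst == ip"""
    return lambda p: p["ip.dst"] == ip


def ip_addr_eq(ip):
    """ip.addr == ip: the packet has two ip.addr occurrences (source and
    destination); the comparison is true if any of them equals ip."""
    return lambda p: ip in (p["ip.src"], p["ip.dst"])


def ip_addr_ne(ip):
    """ip.addr != ip, evaluated as Wireshark does: true if ANY occurrence
    differs from ip. So it still keeps packets that involve ip."""
    return lambda p: any(a != ip for a in (p["ip.src"], p["ip.dst"]))


def either(f, g):   # f || g
    return lambda p: f(p) or g(p)


def both(f, g):     # f && g
    return lambda p: f(p) and g(p)


def negate(f):      # !(f)
    return lambda p: not f(p)


def matching(flt, packets=PACKETS):
    """Packet numbers that the display filter flt keeps."""
    return [p["no"] for p in packets if flt(p)]


if __name__ == "__main__":
    h = "192.168.1.199"
    print("ip.src == h           ", matching(ip_src_eq(h)))                              # [1, 4]
    print("ip.dst == h           ", matching(ip_dst_eq(h)))                              # [2]
    print("ip.addr == h          ", matching(ip_addr_eq(h)))                             # [1, 2, 4]
    print("ip.src == h || ip.dst ", matching(either(ip_src_eq(h), ip_dst_eq(h))))        # [1, 2, 4]
    print("src == h && dst == .1 ", matching(both(ip_src_eq(h), ip_dst_eq("192.168.1.1"))))  # [1]
    print("ip.addr != h          ", matching(ip_addr_ne(h)))                             # [1, 2, 3, 4]
    print("!(ip.addr == h)       ", matching(negate(ip_addr_eq(h))))                     # [3]
```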

How to put an IP address capture filter in Wireshark?

Follow the screenshots below to put a capture filter in Wireshark.

Note:

  1. Like a display filter, a capture filter is also considered valid if the background is green.
  2. Do remember that display filters use a different syntax from capture filters.

Follow this link for valid capture filters:

https://wiki.wireshark.org/CaptureFilters

What is the relation between a capture filter and a display filter?

If a capture filter is set, then Wireshark will capture only those packets which match the capture filter.

For example:

The capture filter is set as below and Wireshark is started.

host 192.168.1.199

After Wireshark is stopped, we can see only packets from or destined to 192.168.1.199 in the whole capture. Wireshark did not capture any other packet whose source or destination IP is not 192.168.1.199. Now coming to the display filter: once capturing is completed, we can put display filters to filter out the packets we want to see at that moment.

In another way we can say: suppose we are asked to buy two types of fruit, apples and mangoes. So here the capture filter is mangoes and apples. After you have got mangoes [different types] and apples [green, red etc.] with you, now you want to see only green apples from all the apples. So here green apple is the display filter. Now if I ask you to show me an orange from the fruits, you cannot, as you did not buy oranges. If you had bought all types of fruit [meaning you had not put any capture filter], you could have shown me oranges.

How to Install and Use Wireshark on Ubuntu https://linuxhint.com/install_wireshark_ubuntu/ Sun, 02 Sep 2018 05:21:38 +0000 https://linuxhint-com.zk153f8d-liquidwebsites.com/?p=30043 Wireshark is a network packet analyzer. It captures every packet going in or out of a network interface and shows them as nicely formatted text. It is used by network engineers all over the world.

Wireshark is cross platform and it is available for Linux, Windows and Mac OS. You get the same user experience in any operating system you use.

To learn more about Wireshark, visit the official website of Wireshark at https://www.wireshark.org

In this article, I will show you how to install Wireshark on Ubuntu and how to use it. I am using Ubuntu 18.04 LTS for the demonstration. But it should work on any LTS version of Ubuntu still supported at the time of this writing. Let’s get started.

Installing Wireshark:

Wireshark is available in the official package repository of Ubuntu 14.04 LTS and later. So it is really easy to install.

First update the APT package repository cache with the following command:

$ sudo apt update

The APT package repository cache should be updated.

Now, run the following command to install Wireshark on your Ubuntu machine:

$ sudo apt install wireshark

Now press y and then press <Enter>.

By default, Wireshark must be started with root privileges (or via sudo) in order to capture packets. If you want to run Wireshark without root privileges or sudo, then select <Yes> and press <Enter>.

Wireshark should be installed.

Now if you selected <Yes> in the earlier section to run Wireshark without root access, then run the following command to add your user to the wireshark group:

$ sudo usermod -aG wireshark $(whoami)

Finally, reboot your computer with the following command:

$ sudo reboot

Starting Wireshark:

Now that Wireshark is installed, you can start Wireshark from the Application Menu of Ubuntu.

You can also run the following command to start Wireshark from the Terminal:

$ wireshark

If you did not enable Wireshark to run without root privileges or sudo, then the command should be:

$ sudo wireshark

Wireshark should start.

Capturing Packets Using Wireshark:

When you start Wireshark, you will see a list of interfaces that you can capture packets to and from.

There are many types of interfaces you can monitor using Wireshark, for example, Wired, Wireless, USB and many external devices. You can choose to show specific types of interfaces in the welcome screen from the marked section of the screenshot below.

Here, I listed only the Wired network interfaces.

Now to start capturing packets, just select the interface (in my case interface ens33) and click on the Start capturing packets icon as marked in the screenshot below. You can also double click on the interface that you want to capture packets to and from to start capturing packets on that particular interface.

You can also capture packets to and from multiple interfaces at the same time. Just press and hold <Ctrl> and click on the interfaces that you want to capture packets to and from and then click on the Start capturing packets icon as marked in the screenshot below.

Using Wireshark on Ubuntu:

I am capturing packets on the ens33 wired network interface as you can see in the screenshot below. Right now, I have no captured packets.

I pinged google.com from the terminal and as you can see, many packets were captured.

Now you can click on a packet to select it. Selecting a packet shows detailed information about that packet. As you can see, information about the different layers of the TCP/IP protocol stack is listed.

You can also see the RAW data of that particular packet.

You can also click on the arrows to expand packet data for a particular TCP/IP Protocol Layer.

Filtering Packets Using Wireshark:

On a busy network, thousands or millions of packets may be captured each second, so the list becomes so long that it is nearly impossible to scroll through it and search for a certain type of packet.

The good thing is, in Wireshark, you can filter the packets and see only the packets that you need.

To filter packets, you can directly type in the filter expression in the textbox as marked in the screenshot below.

You can also filter packets captured by Wireshark graphically. To do that, click on the Expression… button as marked in the screenshot below.

A new window should open as shown in the screenshot below. From here you can create a filter expression to search for packets very specifically.

In the Field Name section almost all the networking protocols are listed. The list is huge. You can type in the protocol you're looking for in the Search textbox and the Field Name section will show the ones that match.

In this article, I am going to filter out all the DNS packets. So I selected DNS Domain Name System from the Field Name list. You can also click on the arrow on any protocol and make your selection more specific.

You can also use relational operators to test whether some field is equal to, not equal to, greater than or less than some value. I searched for all the DNS IPv4 addresses equal to 192.168.2.1, as you can see in the screenshot below.

The filter expression is also shown in the marked section of the screenshot below. This is a great way to learn how to write filter expressions in Wireshark.

Once you’re done, just click on OK.

Now click on the marked icon to Apply the filter.

As you can see, only the DNS protocol packets are shown.

Stopping Packet Capture in Wireshark:

You can click on the red icon as marked in the screenshot below to stop capturing packets in Wireshark.

Saving Captured Packets to a File:

You can click on the marked icon to save captured packets to a file for future use.

Now select a destination folder, type in the file name and click on Save.

The file should be saved.

Now you can open and analyze the saved packets anytime. To open the file, go to File > Open in Wireshark or press <Ctrl> + o.

Then select the file and click on Open.

The captured packets should be loaded from the file.

So that’s how you install and use Wireshark on Ubuntu. Thanks for reading this article.

Wireshark Tutorial https://linuxhint.com/wireshark-tutorial/ Thu, 07 Dec 2017 11:37:59 +0000 https://linuxhint-com.zk153f8d-liquidwebsites.com/?p=20580 Did you ever imagine or have some curiosity about what network traffic looks like? If you did, you are not alone; I did too. I didn't know much about networking at that time. As far as I knew, when I was connecting to a Wi-Fi network, first I turned on the Wi-Fi service on my computer to scan the available connection(s) around me. Then I tried to connect to the target Wi-Fi access point, and if it asked for a password I entered it. Once it was connected, I could surf the internet. But then I wondered, what is the scenario behind all of this? How could my computer know that there are a lot of access points around it? I didn't even realize where the routers were placed. And once my computer connected to the router / access point, what were they doing while I browsed the Internet? How do these devices (my computer and the access point) communicate with each other?

That happened when I first installed Kali Linux. My goal in installing Kali Linux was to solve any problems and satisfy my curiosity about “some complex technology stuff or hacking method scenarios and so on”. I love the process, I love the sequence of steps of breaking down the puzzle. I knew the terms proxy, VPN, and other connectivity stuff. But I needed to know the basic idea of how these things (server and client) work and communicate, especially on my local network.

The questions above bring me to the topic: network analysis. Generally, it is sniffing and analyzing network traffic. Luckily, Kali Linux and other Linux distros offer the most powerful network analyzer tool, called Wireshark. It is considered a standard package on Linux systems. Wireshark has rich functionality. The main idea of this tutorial is to do a live capture of the network and save the data into a file for a further (offline) analysis process.


STEP 1 : OPEN WIRESHARK

Once we are connected to the network, let's begin by opening the Wireshark GUI. To run it, simply enter in the terminal:

~# wireshark

You will see the Welcome page of the Wireshark window; it should look like this:

STEP 2 : CHOOSE NETWORK CAPTURE INTERFACE

In this case we are connected to an access point through our wireless card interface. Let's go ahead and choose wlan0. To start capturing, click on the Start button (blue shark-fin icon) located in the top-left corner.

STEP 3 : CAPTURING NETWORK TRAFFIC

Now we are brought into the Live Capture window. You might feel overwhelmed the first time you see a bunch of data in this window. Don't worry, I will explain it one by one. This window is mainly divided into three panes; from top to bottom, they are: Packet List, Packet Details and Packet Bytes.

    1. Packet List Pane
      The first pane displays a list containing the packets in the current capture file. It's displayed as a table and the columns contain: the packet number, the time captured, packet source and destination, the packet's protocol, and some general information found in the packet.
    2. Packet Details Pane
      The second pane contains a hierarchical display of information about a single packet. Click the “collapse and expand” arrows to show all of the information collected about an individual packet.
    3. Packet Bytes Pane
      The third pane contains the encoded packet data, displaying the packet in its raw, unprocessed form.

STEP 4: STOP CAPTURING AND SAVE TO A .PCAP FILE

When you are ready to stop capturing and view the captured data, click the Stop button (red square icon, located right beside the Start button). It is necessary to save the file for a further analysis process, or to share the captured packets. Once it is stopped, simply save to the .pcap file format by hitting File > Save As > fileName.pcap.


UNDERSTANDING WIRESHARK CAPTURE FILTERS AND DISPLAY FILTERS

You already know the basic usage of Wireshark; in general, the process is covered by the explanation above. In order to sort and capture certain information, Wireshark has a filter feature. There are two kinds of filters, each with its own functionality: the capture filter and the display filter.

1. CAPTURE FILTER

A capture filter is used to capture specific data or packets; it is used in a “Live Capture Session”. For example, you only need to capture the traffic of the single host 192.168.1.23. So, input the query in the Capture filter form:

host 192.168.1.23

The main benefit of using a capture filter is that we can reduce the amount of data in the captured file, because instead of capturing every packet or all traffic, we specify or limit it to certain traffic. The capture filter controls what type of traffic will be captured; if no filter is set, it means capture all. To configure a capture filter, click the Capture Options button, which is located where the cursor is pointing in the image below.

You will notice the Capture Filter box at the bottom; click on the green icon beside the box and select the filter you want.

2. DISPLAY FILTER

A display filter, on the other hand, is used in “Offline Analyzing”. A display filter is more like a search feature for the certain packets you want to see in the main window. The display filter controls what is seen from an existing packet capture, but does not influence what traffic is actually captured. You can set a display filter during capturing or analyzing. You will notice the Display Filter box at the top of the main window. Actually there are many filters you can apply, but don't be overwhelmed. To apply a filter you can either just type a filter expression inside the box, or select from the existing list of available filters, as shown in the image below. Click the Expressions... button beside the Display Filter box.

Then select the available display filter argument from the list and hit the OK button.

Now you have the idea of the difference between a Capture Filter and a Display Filter, and you know your way around the basic features and functionality of Wireshark.
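The capture-filter-then-display-filter relationship described here, and in the fruit analogy of the “How to Filter By IP in Wireshark” article above, as an added Python example that is not part of either article: constructed Ethernet/IPv4 frames are written through the capture filter `host 192.168.1.199` into a real pcap file, which is then read back and searched with display filters.

```python
"""Capture filter versus display filter, as a runnable model.

Added example, not from either article. A constructed stream of Ethernet/IPv4
frames is "captured" through the capture filter `host 192.168.1.199` into a
real pcap file, then read back and searched with display filters. Frames the
capture filter dropped are not in the file, so no display filter can recover
them (the oranges that were never bought).
"""
import socket
import struct
import tempfile

LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst):
    """Minimal Ethernet + IPv4 header, no payload; checksum left zero (constructed)."""
    eth = bytes(12) + b"\x08\x00"                        # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip


def addrs(frame):
    """(ip.src, ip.dst) of a frame built by ipv4_frame."""
    src, dst = struct.unpack_from("!4s4s", frame, 26)   # 14 B Ethernet + 12 B into IPv4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def capture_filter_host(ip):
    """BPF `host X`: keep frames whose source or destination address is X."""
    return lambda frame: ip in addrs(frame)


def write_pcap(path, frames, keep):
    """Write a classic pcap file; frames failing the capture filter are never stored."""
    kept = 0
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            if not keep(frame):
                continue                                  # dropped at capture time
            f.write(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl, orig
            f.write(frame)
            kept += 1
    return kept


def read_pcap(path):
    """Return every frame stored in the file."""
    with open(path, "rb") as f:
        data = f.read()
    off, frames = 24, []                                  # skip the 24-byte global header
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def display_filter(frames, src=None, dst=None):
    """Model of `ip.src == src && ip.dst == dst` over an existing capture; None = any."""
    return [(s, d) for s, d in map(addrs, frames)
            if (src is None or s == src) and (dst is None or d == dst)]


def demo():
    frames = [ipv4_frame("192.168.1.199", "192.168.1.1"),
              ipv4_frame("192.168.1.1", "192.168.1.199"),
              ipv4_frame("192.168.1.50", "8.8.8.8")]      # never matches the capture filter
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as t:
        path = t.name
    kept = write_pcap(path, frames, capture_filter_host("192.168.1.199"))
    stored = read_pcap(path)
    return (kept,                                         # 2
            display_filter(stored, src="192.168.1.199"),  # [("192.168.1.199", "192.168.1.1")]
            display_filter(stored, src="192.168.1.50"))   # []: gone, dropped at capture time


if __name__ == "__main__":
    print(demo())
```

The file demo() writes opens in Wireshark; its zero IP checksum is flagged there, as expected for a constructed frame.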

Install Wireshark 2.4.0 – Network Protocol Analyzer on Ubuntu https://linuxhint.com/install-wireshark-ubuntu-linux/ https://linuxhint.com/install-wireshark-ubuntu-linux/#respond Mon, 24 Jul 2017 16:30:30 +0000 http://sysads.co.uk/?p=15598 Wireshark 2.4.0, the most recent stable release, is known to be the world's most widely used free network protocol analyzer. You can use it to analyze, troubleshoot, as well as monitor your network for packets in the event of a network or system issue. Before we proceed with how to install Wireshark on Ubuntu, let's take a quick look at its features.


Wireshark Features

  • Used for deep inspection of numerous protocols
  • Can be used to capture live events for offline analysis
  • Comes with a standard three-pane packet browser
  • It's multi-platform, hence runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD etc.
  • In addition, all captured network data can be accessed via the GUI, as well as the TTY-mode TShark utility
  • It has the most powerful display filters
  • Rich VoIP analysis
  • All captured data can be output in various file formats such as tcpdump, Pcap NG, Microsoft Network Monitor, Sniffer Pro, NetXray, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer etc.
  • Capture files compressed with gzip can be decompressed with ease
  • It comes with support for decryption of many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, as well as WPA/WPA2
  • Offers the ability to apply coloring rules to the packet list for quick, as well as intuitive, analysis
  • Results can be exported to XML, PostScript, CSV, as well as plain text

Wireshark 2.4.0 Changelog

  • There are now experimental 32-bit and 64-bit Windows Installer (.msi) packages
  • All source packages are now compressed using xz instead of bzip2
  • The legacy (GTK+) UI is now disabled by default both in the Windows installers, as well as in the development environment (Autotools and CMake)
  • SS7 Point Codes now resolve into names with a hosts-like file
  • There is fullscreen mode to provide more room for packets
  • TShark now supports export of objects like the other GUI interfaces
  • When playing RTP streams, you can now choose the desired output device
  • There is added support for dissectors to include a unit name natively in their hf field
  • Default profile can now be reset to the default values
  • In the selection history of the Qt UI, you can now move back and forth
  • Extcap utilities
    • now provide configuration for a GUI interface toolbar to control the extcap utility while capturing
    • now validate the capture filter
  • Added support for TLS 1.3 (draft 21) dissection and decryption
  • RSA keys dialog for SSL keys feedback improvement made for invalid settings and no longer requires the IP address, Port or Protocol fields to be set in addition to the Key File

See the Wireshark release notes for more info.

How to install Wireshark 2.4.0 on Ubuntu 17.04, Ubuntu 16.10, Ubuntu 16.04, Ubuntu 15.04, Ubuntu 14.04

sudo add-apt-repository ppa:dreibh/ppa

sudo apt-get update && sudo apt-get install wireshark

How to uninstall Wireshark

sudo apt-get remove wireshark