Key Features of Wireshark
Before moving on to considering ways to analyze traffic, you need to consider what features the program supports in more detail, what protocols it can work with and what it can do. Here are the main features of the program:
- Capture packets in real time from wired or any other type of network interfaces, as well as read from a file;
- The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
- Packets can be filtered based on many parameters using filters;
- All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
- Support for capturing VoIP call traffic;
- Decryption of HTTPS traffic is supported if a certificate is available;
- Decryption of WEP and WPA traffic of wireless networks with a key and handshake;
- Displaying network load statistics;
- View packet contents for all network layers;
- Displays the time of sending and receiving packets.
The program has many other features, but these were the main ones that might interest you.
Wireshark is a free program for analyzing computer network traffic (Ethernet, FDDI, PPP, Token-Ring and others). It differs from similar applications in having a graphical user interface and richer capabilities for sorting and filtering information.
Wireshark can work with a variety of input data formats and can open capture files written by other programs, which extends its usefulness. The program supports many network protocols, such as DNS, FDDI, FTP, HTTP, ICQ, IPv6, IPX, IRC, MAPI, MOUNT, NETBIOS, NFS, NNTP, POP, PPP, TCP, TELNET, X25, and allows you to analyze network packets in detail, displaying the meaning of each protocol field at every layer.
The program lets the user view all network traffic in real time by putting the network card into “promiscuous” mode. Wireshark understands the structure of many network protocols and can therefore dissect a network packet, displaying the value of each protocol field at every layer.
In addition, because it can read various input data formats, Wireshark can open capture files written by other programs, which extends its functionality.
Version | Wireshark 3.3.0
Status | Free
Operating system | Windows 10, 8.1, 8, 7, Vista, XP
Interface | Russian
Developer | Wireshark Foundation
Updated | 16.09.2020
Category | Network
Safety | Verified by VirusTotal
How to use Wireshark
I assume that you already have the program installed, but if not, you can install it from the official repositories. To do this, type the command in Ubuntu:
sudo apt install wireshark
After installation, you can find the program in the main menu of the distribution. You need to run Wireshark with superuser rights, because otherwise it will not be able to analyze network packets. This can be done from the main menu or via the terminal using the command for KDE:
kdesu wireshark
And for Gnome/Unity:
gksu wireshark
The main window of the program is divided into three parts: the first column contains a list of network interfaces available for analysis, the second column contains options for opening files, and the third column contains help.
Network traffic analysis
To start analysis, select a network interface, for example eth0, and click the Start button.
After this, the following window will open, already with a stream of packets that pass through the interface. This window is also divided into several parts:
- The top part is the menu and panels with various buttons;
- Packet list - below the toolbar, the stream of network packets that you will analyze is displayed;
- Packet details - just below that is the content of the selected packet, divided into sections by protocol layer;
- Packet bytes - at the very bottom, the raw content of the packet is shown as text and in hex form.
You can click on any packet to analyze its contents:
Here we see a DNS request packet to obtain the site's IP address: the request carries the domain name, and the response packet contains both our question and the answer.
For more convenient viewing, you can open the packet in a new window by double-clicking the entry:
Wireshark filters
Manually going through packets to find the ones you need is very inconvenient, especially in an active stream. Therefore, for this task it is better to use filters. There is a special line under the menu for entering filters. You can click Expression to open the filter designer, but there are a lot of filters, so we'll cover the most basic ones:
- ip.dst — target IP address;
- ip.src — sender IP address;
- ip.addr — IP of the sender or recipient;
- ip.proto - protocol;
- tcp.dstport — destination port;
- tcp.srcport — sender port;
- ip.ttl - ttl filter, determines the network distance;
- http.request_uri — requested site address.
To specify the relationship between a field and a value in a filter, you can use the following operators:
- == - equals;
- != - not equal;
- < - less;
- > - more;
- <= - less or equal;
- >= - more or equal;
- matches - regular expression;
- contains - contains.
To combine multiple expressions you can use:
- && - both expressions must be true for the package;
- || - one of the expressions may be true.
Now let's take a closer look at several filters using examples and try to understand all the signs of relationships.
First, let's filter all packets sent to 194.67.215.125 (losst.ru). Type the string in the filter field and click Apply. For convenience, Wireshark filters can be saved using the Save button:
ip.dst == 194.67.215.125
And in order to receive not only sent packets, but also those received in response from this node, you can combine two conditions:
ip.dst == 194.67.215.125 || ip.src == 194.67.215.125
Next, we will select packets with TTL less than 10:
ip.ttl < 10
We can also select transferred large files:
http.content_length > 5000
By filtering the Content-Type, we can select all the pictures that have been uploaded; Let's analyze Wireshark traffic, packets that contain the word image:
http.content_type contains image
To clear the filter, click the Clear button. You don't always know all the information needed for filtering in advance and may simply want to explore the network. You can add any field of a packet as a column and view its contents in the main window for every packet.
For example, I want to display the TTL (time to live) of a packet as a column. To do this, open the packet details and find this field in the IP section. Then call the context menu and select Apply As Column:
Next you will see the desired column after the update:
In the same way, you can create a filter based on any desired field. Select it and bring up the context menu, then click Apply as filter or Prepare as filter, then select Selected to display only the selected values, or Not selected to remove them:
The specified field and its value will be applied or, in the second case, inserted into the filter field:
In this way, you can add a field of any packet or column to the filter; this option is also in the column's context menu. To filter by protocol, you can use simpler conditions. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:
http || dns
Another interesting feature of the program is using Wireshark to track a specific session between the user's computer and the server. To do this, open the context menu for the packet and select Follow TCP stream.
A window will then open in which you will find all the data transferred between the server and the client:
Diagnosing Wireshark problems
You may be wondering how to use Wireshark 2.0 to detect problems on your network. For this there is a round button in the lower left corner of the window; clicking it opens the Expert Info window, in which Wireshark collects all error messages and network problems:
The window is divided into tabs such as Errors, Warnings, Notices, Chats. The program can detect and filter many network problems, and here you can see them very quickly. Wireshark filters are also supported here.
Wireshark traffic analysis
You can very easily understand what users downloaded and what files they viewed if the connection was not encrypted. The program does a very good job of extracting content.
To do this, you first need to stop traffic capture using the red square on the panel. Then open the menu File -> Export Objects -> HTTP :
Next, in the window that opens, you will see all available intercepted objects. All you need to do is export them to the file system. You can save both pictures and music.
Then you can analyze the network traffic with Wireshark or immediately open the resulting file with another program, such as a player.
Wireshark - Taming a Shark
Wireshark is a fairly well-known tool for capturing and analyzing network traffic, in fact a standard for both education and troubleshooting.
Wireshark works with the vast majority of known protocols, has a clear and logical graphical interface based on GTK+ and a powerful filter system. Cross-platform, works on operating systems such as Linux, Solaris, FreeBSD, NetBSD, OpenBSD, Mac OS X, and, of course, Windows. Distributed under the GNU GPL v2 license. Available for free at wireshark.org. Installation on a Windows system is trivial - next, next, next. The latest version at the time of writing is 1.10.3, which will be included in the review. Why do we need packet sniffers at all? In order to conduct research into network applications and protocols, as well as to find problems in the operation of the network, and, importantly, find out the causes of these problems. It is quite obvious that in order to make the most of sniffers or traffic analyzers, you need at least a general knowledge and understanding of how networks and network protocols work. Let me also remind you that in many countries, using a sniffer without explicit permission is considered a crime.
To start capturing, just select your network interface and click Start.
After that the capture process will begin, and arriving packets will appear in real time. While reviewing and studying packets, there are situations when you need to return to the previous packet. There are two buttons for this (see screenshot).
The button following them lets you jump quickly to a packet by entering its number. If the columns overlap and creep onto each other, you can right-click such a column and select “Resize Column”. The sizes will be adjusted automatically to the current content. There is also a “Resize all Columns” button, which will put all the columns in order.
Using the menu View – Time Display Format, you can, for example, configure the time to count not from the beginning of the capture but from the moment the previous packet was received (Since Previous Captured Packet).
The most important item in any program (Help – About Wireshark) shows not only the version and list of authors but also contains a Folders tab, which shows the paths of the directories holding configurations. Studying the interface, you can select, for example, an HTTP packet and see that HTTP is encapsulated in TCP (transport layer), TCP is encapsulated in IP (network layer), and IP in turn is encapsulated in Ethernet (an 802.1Q tag even flashes by before that).
And at the very top there is something like a small overview of the collected information about the frame.
We'll talk about filters later, but at this stage, if you need to quickly filter out unnecessary packets, just right-click the packet and select the menu Apply as Filter – Not selected, and the changes will take effect immediately. If you need to remove something else, next time select “and not Selected”, and the new rule will simply be added to the filter.
Quite often when working with Wireshark you run into IP checksum offload, reported as an IP packet header checksum error. Modern network cards are smart enough to calculate the checksum themselves: why do it in software at the TCP/IP stack level if it can be done in hardware? Wireshark, naturally, captures packets before they reach the network card, i.e., before this checksum has been calculated and written into the packet header. Accordingly, there are two ways to deal with this: turn off the offload function in the network card settings, or tell the sniffer not to pay attention to this value. Hardware functions are usually better than software ones, mainly because of processing speed (usually higher in hardware), so it is better to change the settings of the sniffer itself. To do this, go to the settings (Edit – Preferences), then Protocols – IPv4, and uncheck “Validate IPv4 checksum if possible”.
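To make the checksum situation concrete, here is an added Python example (written for this edit, not code from the article) that implements the RFC 1071 IPv4 header checksum and classifies a header as valid, bad, or zero-filled, the last being what a local capture shows when the NIC is going to fill the field in later. The header bytes are constructed, the addresses are arbitrary, and the function names are my own.

```python
import struct

def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 17,
                      total_len: int = 60, checksum: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header without options. checksum=0 is what a
    capture shows when the NIC fills the field in later (checksum offload)."""
    ver_ihl = (4 << 4) | 5                              # IPv4, IHL = 5 words
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len,
                       0x1234, 0x4000,                  # identification, DF flag
                       ttl, proto, checksum,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071: one's-complement sum of all 16-bit words of the header, with
    the checksum field itself counted as zero, then complemented."""
    words = bytearray(header)
    words[10:12] = b"\x00\x00"
    if len(words) % 2:
        words.append(0)
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fill_checksum(header: bytes) -> bytes:
    """Return the header with a correct checksum written in (what the NIC does)."""
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]

def classify_checksum(header: bytes) -> str:
    """'valid', 'zero' (typical of checksum offload seen in a local capture)
    or 'bad' (a genuine mismatch between the stored and computed values)."""
    stored = struct.unpack("!H", header[10:12])[0]
    if stored == ipv4_checksum(header):
        return "valid"
    return "zero" if stored == 0 else "bad"

if __name__ == "__main__":
    offloaded = build_ipv4_header("192.168.0.5", "8.8.8.8")     # as seen in a local capture
    on_wire = fill_checksum(offloaded)                            # as the NIC actually sends it
    corrupted = on_wire[:8] + bytes([on_wire[8] - 1]) + on_wire[9:]  # TTL changed, checksum not
    for name, hdr in ("offloaded", offloaded), ("on_wire", on_wire), ("corrupted", corrupted):
        print(name, classify_checksum(hdr), hex(struct.unpack("!H", hdr[10:12])[0]))
```

The distinction the classifier draws is the practical one: a zero checksum on frames sent by the capturing host is offload, not corruption, whereas a non-zero mismatch on a capture taken from a mirror port is worth investigating.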
Before you capture traffic, you need to decide what you actually need to capture. You can place the traffic analyzer in several places:
- Locally on your host;
- Organize traffic mirroring on the switch;
- Connect directly to places of interest;
- or ARP poisoning (even more illegal than passive eavesdropping)
Wireshark contains two types of filters – Capture Filters and Display Filters. Capture Filters first.
As you can guess from the name, they filter at the stage of traffic capture. But in this case, of course, you can irreversibly lose some of the traffic you need. A filter is an expression consisting of built-in values that can be combined with logical operators (and, or, not) if necessary. To use one, go to the Capture menu, then Options, and in the Capture Filter field type, for example, host 8.8.8.8 (or, for example, net 192.168.0.0/24).
You can also, of course, select a pre-created filter (the Capture Filter button is responsible for this). In either case the filter will appear next to the interface, and you can press Start.
Now let's move on to Display Filters. They filter only traffic that has already been captured. What can you filter? Almost everything – protocols, addresses, specific fields in protocols. Operators that can be used when constructing filters:
Operator | Meaning | Usage example
== | equal | ip.dst == 193.168.3.10
!= | not equal | udp.dst != 53
< | less than | ip.ttl < 24
> | more than | frame.len > 10
<= | less or equal | frame.len <= 0x20
>= | more or equal | tcp.analysis.bytes_in_flight >= 1000
matches | regular expression | frame matches "[Pp][Aa][Ss][Ss]"
contains | contains | dns.resp.name contains google
As you probably noticed, the table used various expressions as examples, which were quite understandable and often spoke for themselves. For example, ip.dst is an IP protocol field. To see this field, simply look at the packet, and at the bottom of the window you will see its value, which can then be used in any filter. For example, we want to create a filter that checks the TTL value. To do this, open the L3 part and stand on the corresponding field:
We see that to build the filter we need the expression ip.ttl. If you start typing a filter, a list of possible field names appears automatically after the dot:
To apply a filter, just press Enter or the Apply button. The filter input field changes color depending on what was typed. Green means everything is OK. Red means an error was made; yellow means the filter may give an unexpected result, because there are other ways of writing it (for example, you can write ip.dst != 8.8.8.8 or !ip.dst == 8.8.8.8, and the second option is preferable: a packet can carry more than one ip.dst field, for example an ICMP error that quotes the original IP header, and != is true as soon as any one of them differs). Filters can be saved for future use by clicking the Save button and entering a name; after clicking OK, the filter will appear as a button on the panel.
And if you click on the nearby “Expression...” button, a fairly powerful expression constructor will open, with which you can almost study network protocols. The number of supported protocols is constantly increasing.
As mentioned earlier, you can select any packet and choose Apply as Filter, and in the submenu select a mode – Selected or Not selected – and a filter will immediately appear that shows only the selected one or, on the contrary, removes it from the screen. This way you can flexibly choose what to see on the screen and what not. This could be a specific IP address, TTL, port, DNS response and much more. In addition, there are two variants of such quick filters – Prepare as Filter and Apply as Filter. As you can guess from the name, the difference is that in the first case the Display Filter will only appear in the input field but will not be applied (convenient if, for example, you add several filters this way and then apply the finished result at once), and in the second it will be applied immediately.
Filters can be combined using the logical operations familiar from Boolean algebra:
(dns) && (http) – logical AND
(dns) || (http) – logical OR
This way you can build large and complex filters like:
(tcp.flags.syn==1) && (ip.src == 172.16.10.2) && (ip.dst == 172.16.10.1)
Here only TCP SYN segments with a specific sender and recipient address are selected. When composing large filters, remember that a filter is essentially a logical expression: if it is true, the packet is displayed on the screen; if it is false, it is not.
It’s a fairly common situation when complaints arise about slow network operation; there can be many reasons for this.
Let's try to figure out what the reason might be and consider two methods. The first is to add a TCP delta column. Open the packet, find the Time since previous frame in this TCP stream field, right-click and select Apply as Column. A new column will appear. You can right-click it and select a sorting mode, for example, Sort Descending.
Now the second method. Relatively recently (in version 1.10.0), the tcp.time_delta filter field appeared, which holds the time since the previous frame in the same TCP stream.
If a client makes a request and receives a response in 10 milliseconds, and the client says that everything is running slowly for him, then perhaps the client itself has a problem. If the client makes a request and receives a response within 2-3 seconds, then perhaps the problem lies in the network.
If you look at a TCP packet (or segment, to be precise), you can see a Stream index there, which usually starts from zero. The field itself is called tcp.stream. You can right-click it and create a filter. This way you can filter the connections you need.
Another way is to right-click the packet itself and select Conversation Filter, and create a filter for the L2, L3 or L4 level accordingly. As a result we will again see the interaction of the two hosts.
The third option is one of the most interesting features – Follow TCP Stream. To use it, right-click the packet again and select “Follow TCP Stream”. A window will appear in which the entire exchange between the two nodes is clearly shown.
If you go to the menu Statistics – Conversations, then by selecting the tabs you can see statistics on such “conversations” and various sessions, and sort them by various columns, for example by the amount of data transferred. Right in this window you can open the context menu and again apply an entry as a filter.
After some time spent capturing various traffic, you may notice a round button in the lower left corner, which sometimes changes color. Clicking this button opens the Expert Infos window. The same result can be achieved by going to Analyze – Expert Info.
This window contains information on the packets found, divided into groups Errors, Warnings, Notes and Chats. The color scheme for these groups is as follows:
- Errors – red
- Warnings – yellow
- Notes – blue-green (cyan)
- Chat – gray
Wireshark contains a powerful analyzer and can automatically detect a large number of problems on the network. As you may have noticed, you can use filters literally everywhere, and Expert Info is no exception. To create such a filter, use the expert.severity field. For example, expert.severity==error.
Is it possible to find out what was downloaded using Wireshark? Yes, you can, and now we will see it. First, let's take HTTP traffic. Right-click the HTTP packet – Protocol Preferences – and we see many options here that directly affect the extraction of files from web traffic.
In order to see what can be extracted from the current dump, you need to go to the menu File – Export Objects – HTTP
. A window will appear that will show all captured http objects - text files, pictures, etc. In order to extract any file from this list, simply select it and click Save As.
As you can see, the picture was extracted without any problems.
In the same way, you can extract streaming video/audio.
But Wireshark's capabilities don't end there! It can also extract files from the FTP protocol. To do this, you can use the already familiar Follow TCP Stream. As a result, only the FTP exchange will be displayed, in which you will need to find the RETR line, which actually means file transfer.
Then we go down further, find the packets directly with the file (FTP-DATA) and again select Follow TCP Stream, see the contents of the file, click Save As and save.
Wireshark has several built-in features for working with VoIP. It supports many voice protocols – SIP, SDP, RTSP, H.323, RTCP, SRTP and others. And, of course, it can intercept and save voice traffic for later listening. This functionality is ideal for troubleshooting in Voice over IP networks. The Statistics – Flow Graph menu will show a clear picture of how the entire packet exchange took place.
In general, the whole Telephony menu is reserved for working with voice traffic. For example, Telephony – RTP – Show All Streams will show in detail what happened with RTP, in particular jitter (probably the most important parameter for voice), which sometimes immediately indicates problems.
By clicking the “Analyze” button you can open RTP Stream Analysis, and by selecting a stream there you can even play it using the player button. First a player window will open, in which you need to set a suitable jitter value and press the decode button. Something similar to a spectrum analyzer will appear, in which you can mark the desired conversation, and then the Play button will become active.
There is another way to listen to voice calls – go to the Telephony – VoIP Calls menu. A window will open with a list of completed calls, where again you can press the player button, tick the necessary conversations with the checkboxes and press Play. To achieve acceptable sound quality, you will need to play with the value of the jitter buffer field.
Some time ago, the website CloudShark.org appeared.
This is the same Wireshark sniffer, but implemented as an online service. Obviously, it will not be possible to capture network traffic with its help, but it is quite possible to analyze a traffic dump. By uploading a PCAP file there for analysis through the form, you can get a clear sequence of packets in which all data will be divided into understandable fields depending on the protocol. In general, the same Wireshark, but a little lighter and accessible from any browser.
Finally, let’s look at what port scanning looks like. We look at the dump and see that first an ARP request occurs and then the scanning begins directly. Our router address is 192.168.10.11, scanning comes from the address 192.168.10.101
This is the so-called SYN scanning, when SYN packets are sent to a specified range of ports. Since most of the ports are closed, the router responds with RST and ACK packets. Scrolling a little lower we see that telnet is open (tcp 23).
This is indicated by the fact that the router responded with a SYN, ACK packet. By the way, to filter ports in a sniffer, you can use constructs like: tcp.srcport, tcp.dstport and tcp.port. For the UDP protocol, everything is similar - udp.srcport, udp.dstport, udp.port.
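As an added example (written for this edit, not part of the article), the Python below builds a small constructed capture that mimics the scan described above plus one normal connection, parses the Ethernet/IPv4/TCP fields that the filters ip.src, ip.dst, ip.ttl, tcp.srcport, tcp.dstport and tcp.flags refer to, assigns a tcp.stream index and tcp.time_delta the way the earlier Stream index and TCP delta passages describe, and flags sources that send bare SYNs to many ports on one host while inferring open ports from SYN/ACK replies. The two addresses are the ones from the text; MACs, ports, timestamps and all function names are my own.

```python
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits (tcp.flags.syn / reset / ack)

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, dst, sport, dport, flags, ttl=64) -> bytes:
    """Constructed Ethernet II + IPv4 (no options) + TCP (no options, no payload).
    MACs and checksums are zero; this parser does not validate checksums."""
    eth = bytes(12) + b"\x08\x00"                         # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, ip4(src), ip4(dst))
    return eth + ip + tcp

def parse_frame(frame: bytes) -> dict:
    """Pull out the fields the display filters in the text refer to."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        raise ValueError("not TCP")
    t = 14 + ihl                                          # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    flags = frame[t + 13]
    return {"ip.src": ".".join(map(str, frame[26:30])),
            "ip.dst": ".".join(map(str, frame[30:34])),
            "ip.ttl": frame[22],
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": bool(flags & SYN),
            "tcp.flags.ack": bool(flags & ACK),
            "tcp.flags.reset": bool(flags & RST)}

def annotate(capture):
    """capture: list of (timestamp, frame). Adds tcp.stream (index of the
    bidirectional address/port pair, numbered from 0 in order of first
    appearance) and tcp.time_delta (seconds since the previous frame of the
    same stream), matching what Wireshark's fields of the same name hold."""
    streams, last_seen, packets = {}, {}, []
    for ts, frame in capture:
        f = parse_frame(frame)
        key = frozenset([(f["ip.src"], f["tcp.srcport"]), (f["ip.dst"], f["tcp.dstport"])])
        idx = streams.setdefault(key, len(streams))
        f["tcp.stream"] = idx
        f["tcp.time_delta"] = ts - last_seen.get(idx, ts)
        last_seen[idx] = ts
        packets.append(f)
    return packets

def syn_scan_sources(packets, min_ports=5):
    """Sources sending bare SYNs (tcp.flags.syn && !tcp.flags.ack) to at least
    min_ports distinct ports of one host. Returns {src: {dst: port_count}}."""
    probed = defaultdict(lambda: defaultdict(set))
    for p in packets:
        if p["tcp.flags.syn"] and not p["tcp.flags.ack"]:
            probed[p["ip.src"]][p["ip.dst"]].add(p["tcp.dstport"])
    hits = {}
    for src, dsts in probed.items():
        flagged = {dst: len(ports) for dst, ports in dsts.items() if len(ports) >= min_ports}
        if flagged:
            hits[src] = flagged
    return hits

def open_ports(packets, host):
    """Ports on host that answered SYN/ACK, as the text infers for tcp/23."""
    return sorted({p["tcp.srcport"] for p in packets
                   if p["ip.src"] == host and p["tcp.flags.syn"] and p["tcp.flags.ack"]})

def sample_capture():
    """Constructed capture: 192.168.10.101 probes five ports on the router
    192.168.10.11 (only 23 is open), then 192.168.10.50 opens a normal HTTP
    connection. Timestamps are made up."""
    scanner, router, client = "192.168.10.101", "192.168.10.11", "192.168.10.50"
    cap, ts = [], 0.0
    for port in (21, 22, 23, 25, 80):
        cap.append((ts, build_frame(scanner, router, 40000 + port, port, SYN)))
        reply = SYN | ACK if port == 23 else RST | ACK
        cap.append((ts + 0.0005, build_frame(router, scanner, port, 40000 + port, reply)))
        ts += 0.001
    cap.append((ts, build_frame(client, router, 51000, 80, SYN)))
    cap.append((ts + 0.2, build_frame(router, client, 80, 51000, SYN | ACK)))
    cap.append((ts + 0.2005, build_frame(client, router, 51000, 80, ACK)))
    return cap

if __name__ == "__main__":
    pkts = annotate(sample_capture())
    print("suspected SYN scanners:", syn_scan_sources(pkts))
    print("open ports on 192.168.10.11:", open_ports(pkts, "192.168.10.11"))
    for p in pkts:
        print(p["tcp.stream"], f'{p["tcp.time_delta"]:.4f}', p["ip.src"], "->", p["ip.dst"], p["tcp.dstport"])
```

The detection rule is the same one the text applies by eye (many bare SYNs from one source, mostly answered with RST/ACK); the min_ports threshold is what keeps an ordinary client opening a couple of connections from being flagged.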
We've gone over the most basic parts of the best packet sniffer functionality. It turned out somewhat chaotic, probably because I wanted to touch on as many of its capabilities as possible and not miss anything important. It turned out that the packet analyzer, like a debugger and disassembler, demonstrates the smallest details of the operation of the network and network protocols. Using Wireshark and having the necessary knowledge (which can be gleaned by studying the series of Networks for the Little Ones on the website linkmeup.ru) you can quite effectively find and diagnose various problems that arise on the network.
During the writing process, materials from the site wiki.wireshark.org were used. Traffic dumps were taken from various sources, most of all from the site packetlife.net
Conclusions
In this article, we looked at how to use Wireshark 2 to analyze network traffic, as well as examples of solving network problems. This is a very powerful utility that has many functions. It is impossible to cover all its functionality in one article, but the basic information provided here will be enough for you to master everything you need yourself.
Traffic interception
Traffic interception can be carried out in various ways: for example, as already mentioned, by listening on a network interface; by an attack at the network or link layer that redirects traffic to the sniffer and then forwards it to the intended address; or by placing a sniffer such as Wireshark inline in the link. What does analysis of traffic that has passed through a sniffer give us? Its first task is to obtain private information by intercepting unencrypted, and occasionally encrypted, user traffic. With specially designed sniffers it is also possible to identify malware and “infected” traffic that slows down communication channels. Another task is to establish the cause of a network failure.
Wireshark Guide and Cheat Sheet
Even a superficial knowledge of the Wireshark program and its filters will save an order of magnitude of time when troubleshooting network or application level problems. Wireshark is useful for many tasks in the work of a network engineer, security specialist, or system administrator. Here are some examples of use:
Troubleshooting network connection problems
- Visual display of packet loss
- TCP retransmission analysis
- Graph for packets with long response delay
Examination of application layer sessions (even when encrypted using SSL/TLS, see below)
- Complete viewing of HTTP sessions, including all headers and data for requests and responses
- View Telnet sessions, view passwords, entered commands and responses
- View SMTP and POP3 traffic, read emails
Troubleshooting DHCP with Packet Level Data
- Exploring DHCP Broadcasts
- Second step of DHCP exchange (DHCP Offer) with address and parameters
- Client request at the proposed address
- Ack from the server confirming the request
Retrieving files from HTTP sessions
- Export objects from HTTP such as JavaScript, images or even executables
Retrieving files from SMB sessions
- Similar to the HTTP export option, but extracts files transferred over SMB, the file sharing protocol in Windows
Malware detection and scanning
- Detect anomalous behavior that may indicate malware
- Search for unusual domains or destination IPs
- I/O graphs for detecting persistent connections (beacons) to command and control servers
- Filtering out “normal” data and identifying unusual ones
- Extract large DNS responses and other anomalies that may indicate malware
Testing port scans and other types of vulnerability scans
- Understanding what network traffic is coming from scanners
- Analyze vulnerability testing procedures to distinguish between false positives and false negatives
These examples are just the tip of the iceberg. In this guide we will tell you how to use such a powerful tool. Wireshark runs on a variety of operating systems and is easy to install. We will only mention Ubuntu Linux, Centos and Windows.
Installation on Ubuntu or Debian
# apt-get update
# apt-get install wireshark tshark
Installation on Fedora or CentOS
# yum install wireshark-gnome
Installation on Windows
The download page contains an executable installer. The packet capture driver is also easy to install; with its help the network card goes into “promiscuous” mode (promiscuous mode allows it to accept all packets regardless of whom they are addressed to). With your first capture you will see the standard layout and packet details in the Wireshark interface. Once an HTTP session is captured, stop recording and play with the basic filters and the Analyze | Follow | HTTP Stream option.
The names of the filters speak for themselves. Simply enter the appropriate expressions into the filter line (or on the command line if using tshark). The main advantage of filters is removing noise (traffic we are not interested in). You can filter traffic by MAC address, IP address, subnet, or protocol. The simplest filter is to enter http so that only HTTP traffic (tcp port 80) is shown.
Examples of filters by IP addresses
ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)
Examples of protocol filters
tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)
Try making a filter combination that shows all outgoing traffic, except HTTP and HTTPS, that is sent outside the local network. This is a good way to detect software (even malicious software) that communicates with the Internet using unusual protocols. Once you have captured several HTTP packets, you can use Analyze | Follow | HTTP Stream. It will show the entire HTTP session. In this new window you will see the HTTP request from the browser and the HTTP response from the server.
By default, Wireshark does not resolve network addresses in the console. This can be changed in the settings.
Edit | Preferences | Name Resolution | Enable Network Name Resolution
As with tcpdump, the resolution procedure will slow down the display of packets. It is also important to understand that with live packet capture, DNS queries from your host will become additional traffic that can be intercepted.
If you haven't dabbled with tshark yet, take a look at our tutorial with sample filters.
This program is often ignored, although it is great for capturing sessions on a remote system. Unlike tcpdump, it allows you to capture and view application layer sessions on the fly: Wireshark's protocol decoders are also available in tshark. Here's a quick way to create firewall rules from the command line without having to search the Internet for the specific syntax. Select the packet of interest and go to Tools | Firewall ACL Rules. Various firewalls are supported, such as Cisco IOS, ipfilter, ipfw, iptables, pf and even the Windows firewall via netsh.
If Wireshark was built with GeoIP support and you have the free MaxMind databases, the program can show the location of hosts by their IP addresses.
Check under Help | About Wireshark that your build was compiled with GeoIP (MaxMind) support.
If it is listed, make sure the GeoLite City, Country and ASNum databases are present on disk and point Wireshark at their directory under Edit | Preferences | Name Resolution. (Wireshark 3.0 and later uses libmaxminddb and the GeoLite2 .mmdb databases instead of the legacy GeoLite files; the setting is called "MaxMind database directories".)
Test the setup on a capture file via Statistics | Endpoints | IPv4. The location and ASN information for each address should appear in the columns on the right.
Another use of GeoIP is to filter traffic by location with the ip.geoip fields. For example, you can exclude traffic from a specific ASN. The filter below excludes packets from ASN 63949 (Linode):
ip and not ip.geoip.asnum == 63949
The same approach works for individual cities and countries. Remove the noise and leave only the really interesting traffic.
One way to decrypt SSL/TLS sessions is to use the private key of the server the client is talking to. Bear in mind that this only works for sessions negotiated with RSA key exchange; with (EC)DHE key exchange, the default in TLS 1.2 and the only option in TLS 1.3, the server's private key alone cannot decrypt the traffic.
Of course, you don't always have access to the private key. But there is another option for viewing SSL/TLS traffic from your own system. If Firefox or Chrome is started with a special environment variable set, the symmetric secrets of each SSL/TLS session are written to a file that Wireshark can read. With these secrets Wireshark shows the fully decrypted session, regardless of the key exchange used.
Setting the environment variable
Linux / Mac:
export SSLKEYLOGFILE=~/sslkeylogfile.log
Windows:
Open System Properties | Advanced, click Environment Variables and add a variable named SSLKEYLOGFILE with the file path as its value.
Setting up Wireshark
Select Edit | Preferences | Protocols | TLS (called SSL in versions before 3.0) | (Pre)-Master-Secret log filename | Browse, and point it at the file you named in the environment variable.
Start capturing traffic on the local system.
Restart Firefox or Chrome so that the browser picks up the variable.
After you open an HTTPS site, the log file starts to grow as the session secrets are written to it.
Go back to the running Wireshark session. You should see the decrypted sessions, as in the screenshot below; the decrypted bytes are shown on a separate Decrypted TLS tab in the bottom pane.
Another way to view the session is Analyze | Follow | TLS Stream (SSL Stream in older versions). If the session was decrypted successfully, that menu entry is available for the selected packet.
Of course, be careful with these keys and captures. Anyone who gets hold of the log file together with the capture can read your passwords and authentication cookies from it. The key log also keeps growing for as long as the variable is set, so unset it when you are done, and share only the records that belong to the capture you are handing over.
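To make that last piece of advice concrete: before handing a capture and its key log to someone else, cut the log down to the sessions that are actually in the capture. The following is an added example, not code from the original article: it parses the NSS key log format that Firefox and Chrome write to SSLKEYLOGFILE (one CLIENT_RANDOM line per TLS 1.2 session, five labelled secrets per TLS 1.3 session), tells the two apart, and keeps only the records whose client random appears in a list you supply. The sample log lines and client randoms are constructed dummies. In practice the list of randoms would come from the capture itself, for example with tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random (field name assumed for Wireshark 3.x; older builds use ssl.handshake.random).

```python
"""Added example (not from the original article): parse the NSS key log that SSLKEYLOGFILE
produces and reduce it to the sessions present in one capture before the pair is shared.
The log lines and client randoms below are constructed dummies."""
import re

# Labels Firefox/Chrome write: one line per TLS 1.2 session, five per TLS 1.3 session.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random: {label: secret}}; '#' lines are comments, anything else is an error."""
    sessions = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m["label"] not in TLS12_LABELS | TLS13_LABELS:
            raise ValueError(f"line {n}: not a key-log record: {line[:40]!r}")
        sessions.setdefault(m["random"].lower(), {})[m["label"]] = m["secret"].lower()
    return sessions

def tls_version(labels):
    """Guess the protocol version of a session from the labels recorded for it."""
    return "TLS 1.3" if TLS13_LABELS & set(labels) else "TLS 1.2 or older"

def filter_keylog(text, client_randoms):
    """Keep only records whose client random is in client_randoms. Accepts the colon-separated
    hex that tshark -T fields may print as well as plain hex; comparison is case-insensitive."""
    wanted = {r.replace(":", "").lower() for r in client_randoms}
    kept = [line.strip() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip())) and m["random"].lower() in wanted]
    return "".join(k + "\n" for k in kept)

# Constructed sample: one TLS 1.2 session (A) and one TLS 1.3 session (B).
RANDOM_A = "11" * 32
RANDOM_B = "22" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RANDOM_A} {'aa' * 48}",                    # 48-byte master secret
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B} {'ee' * 32}",
    f"EXPORTER_SECRET {RANDOM_B} {'ff' * 32}",
]) + "\n"

if __name__ == "__main__":
    for rnd, labels in parse_keylog(SAMPLE_KEYLOG).items():
        print(rnd[:16] + "...", tls_version(labels), len(labels), "secret(s)")
    # Hand over only session B, e.g. the one visible in the capture being shared:
    print(filter_keylog(SAMPLE_KEYLOG, [RANDOM_B]), end="")
```

The filtered file can be given to Wireshark or tshark in the usual way (tshark -o tls.keylog_file:filtered.log -r capture.pcap); records for sessions that are not in the capture never leave your machine.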
Another way to get at the underlying HTTP traffic is to run the browser through Burp Suite with Burp's CA certificate installed in the browser. The proxy then terminates the TLS connection on the client side and opens a new SSL/TLS session to the server. There are many ways to carry out such a MITM attack on yourself; these are the two simplest.
Files are easily extracted through the export menu:
File | Export Objects | HTTP
All the files found are listed in a new window, from which you can save individual files or all of them at once. The same method (File | Export Objects | SMB) retrieves files from SMB sessions. As we already mentioned, SMB is Microsoft's Server Message Block protocol, used for file sharing under Windows.
The scroll bar to the right of the packet list is colour-coded to match the packet colouring rules, so you can jump to an interesting part of the capture by clicking on a colour band; packets with errors, for example, show up in red. When you first start working with Wireshark, you will want some interesting captures to look at. These can be found on the Sample Captures page of the Wireshark wiki, which has enough examples of different protocols for several months of analysis, including traffic from worms and exploits. The default appearance of the main window can be customised in every possible way: you can add or remove columns, and even something as simple as a UTC time column immediately makes a capture much easier to read when reconstructing the order of events.
Columns are configured under Edit | Preferences | Appearance | Columns. The general layout, font and colours are changed there as well.
The video contains useful tips for setting up your environment, including identifying problems using TCP sequence numbers.
Wireshark comes with a handy command line tool called capinfos. It prints statistics for a capture file, including the recording start and end times and other details. With the -T option it produces tab-delimited text, suitable for importing into a spreadsheet or processing in the console.
$ capinfos test.pcap
File name: test.pcap
File type: Wireshark/tcpdump/... - pcap
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: 262144 bytes
Number of packets: 341 k
File size: 449 MB
Data size: 444 MB
Capture duration: 3673.413779 seconds
First packet time: 2018-12-01 11:26:53.521929
Last packet time: 2018-12-01 12:28:06.935708
Data byte rate: 120 kBps
Data bit rate: 967 kbps
Average packet size: 1300.72 bytes
Average packet rate: 93 packets/s
SHA256: 989388128d676c329ccdbdec4ed221ab8ecffad81910a16f473ec2c2f54c5d6e
RIPEMD160: 0742b6bbc79735e57904008d6064cce7eb95abc9
SHA1: d725b389bea044d6520470c8dab0de1598b01d89
Strict time order: True
Number of interfaces in file: 1
This article was originally published in 2011 and has since been substantially updated. If you have comments, improvements or tips for the cheat sheet, please email me. Wireshark is one of those indispensable tools that many people use but few master completely; there is always something deeper to learn.
Improvising with HTTP traffic
Application protocols, and HTTP in particular, are a perennial topic in the context of sniffing. To be fair, a great many specialised tools exist for studying web traffic, but a universal tool such as Wireshark, with its flexible filtering system, is far from superfluous in this field.
First, let's collect some web traffic by visiting the first site that comes to mind. Now let's look for mentions of our favourite Internet resource in the segments of TCP, the transport for HTTP:
tcp contains "xakep.ru"
The contains operator checks whether a field contains the given substring. There is also the matches operator, which takes a Perl-compatible regular expression (case-insensitive by default).
Fig. 6. Modifying the display filter on the fly
The "Filter Expression" dialog is of course a good helper, but scrolling through a long list in search of the right field quickly becomes tedious. There is an easier way to create or modify display filters: the context menu in the packet details pane. Right-click the field of interest and choose one of the sub-items of "Apply as Filter" or "Prepare as Filter". In the first case the change takes effect immediately; in the second you get a chance to edit the expression first. "Selected" means the field value becomes the new filter, "Not Selected" the same with a negation. The items starting with "..." combine the field value with the existing expression using the Boolean operators.
By combining various Wireshark graphical interface tools and knowledge of the HTTP protocol, you can easily drill down to the desired level of traffic display in the main program window.
For example, to see what images the browser requested from the web server when generating the page, a filter that analyzes the contents of the URI sent to the server will do:
(http.host eq "www.xakep.ru") and ((http.request.uri contains ".jpg") or (http.request.uri contains ".png"))
The same thing using matches (bear in mind that an unescaped dot in a regular expression matches any character, so the strict form is "\\.jpg|\\.png"):
(http.host eq "www.xakep.ru") and (http.request.uri matches ".jpg|.png")
Of course, message fields from protocols of different levels can be safely mixed in one expression. For example, to find out which pictures this server sent to the client, we use the source address from the IP packet and the “Content-Type” field of the HTTP response:
(ip.src eq 178.248.232.27) and (http.content_type contains "image")
And using the “Referer” HTTP request field, you can find out from which other servers the browser takes content when creating a page for your favorite site:
(http.referer eq "https://www.xakep.ru/") and (not (ip.dst eq 178.248.232.27))
Let's look at a few more useful filters. To sample HTTP requests made using the GET method from traffic, you can use the following expression:
http.request.method == GET
It is at the application layer that display filters show all their beauty and simplicity. For comparison, to solve the same problem with a capture filter (pcap-filter/BPF syntax, the language tcpdump uses), you would need this three-storey construction:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
Here tcp[12:1] is the byte holding the TCP data offset, & 0xf0 keeps its high nibble, >> 2 converts that value from 32-bit words to bytes (the TCP header length), and the four bytes at that offset, i.e. the start of the payload, are compared with 0x47455420, the ASCII for "GET ".
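The offset arithmetic in that capture filter is easier to follow in code. The following is an added example, not part of the original article: it walks a hand-built Ethernet/IPv4/TCP frame exactly as the BPF expression does, reads the TCP data offset from byte 12 of the TCP header, and compares the first four payload bytes with "GET ". The frames, addresses and ports are constructed for the example. A second function shows why the offset must be computed rather than assumed: with a fixed 20-byte header it fails as soon as TCP options (here a 12-byte NOP/NOP/timestamp block) are present.

```python
"""Added example (not from the original article): the byte arithmetic behind the capture filter
    port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
done in plain Python on hand-built frames. Addresses and ports are made up; nothing is captured."""
import struct

def tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP using the header length fields.
    Returns (src_port, dst_port, payload) or None if the frame is not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":            # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length: low nibble, in 32-bit words
    if ip[9] != 6:                             # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    # tcp[12:1] & 0xf0 keeps the data-offset nibble in the high position (offset * 16);
    # >> 2 divides by four, turning 32-bit words into bytes: the TCP header length.
    hlen = (tcp[12] & 0xF0) >> 2
    return sport, dport, tcp[hlen:]

def is_http_get(frame):
    """True when the BPF expression above would match: port 80 and payload starting with 'GET '."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return False
    sport, dport, payload = parsed
    return 80 in (sport, dport) and payload[:4] == b"GET "      # 0x47455420 is ASCII "GET "

def naive_is_http_get(frame):
    """The same check assuming a fixed 20-byte TCP header. It breaks as soon as TCP options
    are present, which is exactly why the filter computes the offset from tcp[12]."""
    tcp = frame[14 + 20:]
    return tcp[20:24] == b"GET "

def build_frame(payload, sport=51234, dport=80, tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame. Checksums stay zero: the filter never looks at them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(tcp_options)
    if tcp_len % 4:
        raise ValueError("TCP header length must be a multiple of 4 bytes")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 56, 8]), bytes([178, 248, 232, 27]))
    return eth + ip + tcp

if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\n", tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    print("offset-aware:", is_http_get(frame), " fixed-20-byte:", naive_is_http_get(frame))
```

The Wireshark display filter http.request.method == GET does the same job after full dissection, so it also handles HTTP on other ports, reassembled segments and IP options for free; the capture filter runs in the kernel before any of that and therefore has to do the offset arithmetic itself.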
To find out which web connections a user on host 192.168.56.8 made during a certain interval (say, the lunch break), use the frame.time field:
tcp.dstport == 80 && frame.time >= "Jan 9, 2013 13:00:00" && frame.time < "Jan 9, 2013 14:00:00" && ip.src == 192.168.56.8
Finally, showing request URIs containing the words "login" and "user", plus a "reminder" of how passwords look when sent in clear text over HTTP and POP3:
http.request.uri matches "login.*=user"
(http contains "password") || (pop contains "PASS")
Fig. 7. Setting up an SSL certificate
Using the Wireshark console utilities
Wireshark is the most advanced and widely used network protocol analyser in the world. It lets you see what is happening on your network at a microscopic level and is the de facto standard in many commercial and non-profit enterprises, government agencies and educational institutions. The program is completely modular: many functions are handled by separate utilities, united by the GUI shell that is called Wireshark. This article looks at solving VoIP-related problems from the CLI of the telephony server itself. Why might this be needed?
1. Most telephony servers have no GUI and no particular need for one, and moving a dump to another environment is not always possible.
2. Fast and easy analysis: all the analysis functions are available in the toolkit on the server itself.
3. Post-processing of results: the graphical interface is powerful and interactive but has fixed functionality, whereas the CLI combined with other tools lets you work with the extracted information very flexibly.
4. Automation and scripting greatly speed up the complex process of extracting and analysing the required information, especially when a huge number of dumps collected over a month have to be processed.
First, connect to the server over SSH, for example with the PuTTY client on Windows. Enter the server address and port (22 by default) and log in as root.
Of the utilities used in this article, only live capture (dumpcap, or tshark on an interface) needs root or equivalent privileges; capinfos, editcap and mergecap only read and write files and can run as an ordinary user.
The first tool we'll look at is dumpcap.
Dumpcap is a network traffic capture tool: it captures packets from the network in real time and writes them to a file. Tshark can do the same, but dumpcap has important advantages:
1. It is much faster: packets are not dissected or displayed, just captured and written to disk.
2. It has less performance impact than even tcpdump, so it can run continuously.
3. The ring buffer function is extremely useful for analysing intermittent network problems: you no longer need to worry that a capture left running for a long time will fill the disk.
Let's take a capture of a call with dumpcap; the syntax is almost identical to tcpdump. First, list the network interfaces:
# dumpcap -D
The interface we are interested in is number 1; you can also give the interface name, the two are equivalent.
# dumpcap -i 1 -s 0 -w /tmp/call.pcap
As a reminder: -i selects the interface, -s the snapshot length (capture depth), where 0 means capture whole packets, and -w the path of the dump file.
Now let's look at its contents with tshark:
# tshark -r /tmp/call.pcap
To write a continuous ring of trace files, use the -b switch: filesize:16384 sets the size of each file in kB (16 MB here) and files:1024 the maximum number of files to keep (1024). Multiplying the two shows that the ring in this example can never take more than 16 GB on disk.
# dumpcap -i 1 -s 0 -b filesize:16384 -b files:1024 -w /tmp/ring.cap
To leave the capture running for a long time and get the console back, start it in the background with & (the -q switch only stops dumpcap from printing packet counts; it does not detach the process):
# dumpcap -q -i 1 -s 0 -b filesize:16384 -b files:1024 -w /tmp/ring.cap &
Figure (Tools_ring.png): dumpcap capturing to a ring buffer, including in the background.
Capinfos reads one or more trace files and prints some or all of the available statistics for each file in one of two output formats: long or table.
The long output is more readable for humans. Let's use it to look at our call dump:
# capinfos /tmp/call.pcap
The table output is useful for building a report that can easily be imported into a spreadsheet or database:
# capinfos -T /tmp/call.pcap
capinfos is also very convenient for finding the right file in a folder full of different dumps without opening each one. For example, let's show only the capture times of the dumps we created: -a prints the start time of the capture and -e the end time:
# capinfos -ae /tmp/*.pcap
Editcap reads some or all of the packets from a capture file, can transform them in various ways, and writes the result to an output file (pcapng by default in current versions; use -F to choose another format).
It is used to:
1. Extract the required part of a large dump file using a selection.
For example, let's extract from the call dump only frames 1-10 and 20-30. Without -r, the packet numbers given on the command line are the packets to drop; -r reverses the selection so that exactly the listed frames are kept:
# editcap -r /tmp/call.pcap /tmp/tmp.pcap 1-10 20-30
Let's look at its contents:
# tshark -r /tmp/tmp.pcap
We also know from the Asterisk log the time of a specific call. Let's use it as the selection for editcap, and the output will be a dump containing mostly only the useful part.
The -A and -B switches restrict the saved packets to a time range: -A keeps packets at or after the start time, -B packets before the stop time.
# editcap -A "2018-12-2 20:35:00" -B "2018-12-2 20:35:30" /tmp/call.pcap /tmp/tmp.pcap
(Recent editcap versions expect an ISO 8601 timestamp here, e.g. 2018-12-02T20:35:00.)
2. Split a huge dump file into smaller ones, for example into segments of 60 seconds each, or of 1000 packets each.
The dump is split into files of 1000 packets with the -c 1000 switch. Create a folder for the pieces first so as not to get confused, then list them and print their packet counts:
# mkdir /tmp/call_pieces
# editcap -c 1000 /tmp/call.pcap /tmp/call_pieces/call.pcap
# ls /tmp/call_pieces
# capinfos /tmp/call_pieces/call*.pcap
Similarly, to split the dump into 10-second intervals use -i 10 (10 seconds per file):
# mkdir /tmp/call_10sec
# editcap -i 10 /tmp/call.pcap /tmp/call_10sec/call.pcap
# ls /tmp/call_10sec
# capinfos /tmp/call_10sec/call*.pcap
You can also use editcap to remove duplicate packets (-d compares each packet with the previous five and drops exact repeats):
# editcap -d /tmp/call.pcap /tmp/nodup.pcap
The capture depth (snapshot length) of an existing dump can be reduced as well. Our dump was taken with full capture (-s 0); -s 96 keeps only the first 96 bytes of each packet, enough for the Ethernet, IP and transport headers but not the payload:
# editcap -s 96 /tmp/call.pcap /tmp/s96.pcap
# capinfos /tmp/call.pcap /tmp/s96.pcap
Timestamps can easily be changed too, which is useful for combining dumps taken at different times. The key responsible for this is -t.
Note that -t -3600 subtracts 3600 seconds from every timestamp; similarly, -t +3600 adds an hour. The adjustment can be given with high precision as [-]seconds[.fractional seconds]; for example, -t -0.25 moves the packets a quarter of a second earlier.
# editcap -t -3600 /tmp/call.pcap /tmp/timestamp.pcap
# capinfos /tmp/call.pcap
# capinfos /tmp/timestamp.pcap
To convert a dump to any other format Wireshark supports, use -F <output file format> (editcap -F with no argument lists the available formats), for example:
# editcap -F pcapng /tmp/call.pcap /tmp/call.pcapng
Mergecap does the opposite: it combines several saved capture files into one output file.
By default the packets from all input files are merged in order of their timestamps. The output file is given with -w, followed by the source files, of which you can list as many as you like or use a wildcard:
# mergecap -w /tmp/call12.pcap /tmp/call1.pcap /tmp/call2.pcap
Adding -a instead concatenates the files, ignoring timestamps: first all the packets of the first source go into the new dump, then those of the second, and so on:
# mergecap -a -w /tmp/call12.pcap /tmp/call1.pcap /tmp/call2.pcap
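What capinfos, editcap and mergecap do is easy to reproduce on a small file, which is a good way to check your understanding of each switch before running it on a real call dump. The following is an added example, not code from any of the articles collected here: a minimal pure-Python reader and writer for the classic pcap format, plus functions mirroring capinfos -a/-e, editcap -A/-B, -s, -t, -d and -c, and mergecap with and without -a. The capture it works on is constructed in memory (six dummy Ethernet frames, one of them a byte-for-byte duplicate of its predecessor, starting at 2018-12-02 20:35:00 UTC, the call time used above); it does not read /tmp/call.pcap and does not handle pcapng.

```python
"""Added example, not from the original articles: a minimal pcap reader/writer in pure Python
that reproduces what capinfos, editcap and mergecap do to a capture file, so the effect of
each switch can be checked byte for byte. All packets below are constructed in memory."""
import struct
from hashlib import md5

PCAP_MAGIC = 0xA1B2C3D4          # little-endian file with microsecond timestamps
LINKTYPE_ETHERNET = 1
US = 1_000_000

def write_pcap(records, snaplen=262144):
    """records: (ts_sec, ts_usec, captured_bytes[, original_len]). Returns the file as bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, data, *rest in records:
        orig = rest[0] if rest else len(data)
        out.append(struct.pack("<IIII", sec, usec, len(data), orig) + data)
    return b"".join(out)

def read_pcap(blob):
    """Returns a list of (ts_sec, ts_usec, captured_bytes, original_len)."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file (pcapng is not handled here)")
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        pkts.append((sec, usec, blob[off:off + incl], orig))
        off += incl
    return pkts

def ts(p):
    """Packet timestamp as float seconds since the epoch."""
    return p[0] + p[1] / US

def capinfos(pkts):
    """What capinfos -c/-a/-e/-u/-d report: count, first, last, duration, captured data bytes."""
    if not pkts:
        return {"packets": 0}
    times = [ts(p) for p in pkts]
    return {"packets": len(pkts), "first": min(times), "last": max(times),
            "duration": max(times) - min(times), "data_bytes": sum(len(p[2]) for p in pkts)}

def editcap_time_range(pkts, start, stop):      # editcap -A start -B stop (epoch seconds)
    return [p for p in pkts if start <= ts(p) < stop]

def editcap_snaplen(pkts, snaplen):             # editcap -s snaplen: truncate, keep original length
    return [(s, u, d[:snaplen], o) for s, u, d, o in pkts]

def editcap_shift(pkts, delta):                 # editcap -t delta, e.g. -3600 or -0.25
    delta_us = round(delta * US)                # integer microseconds avoid float drift
    out = []
    for s, u, d, o in pkts:
        total = s * US + u + delta_us
        out.append((total // US, total % US, d, o))
    return out

def editcap_dedup(pkts, window=5):              # editcap -d: drop a packet equal to one of the last 5
    out, recent = [], []
    for p in pkts:
        digest = md5(p[2]).digest()
        if digest in recent:
            continue
        out.append(p)
        recent = (recent + [digest])[-window:]
    return out

def editcap_split_count(pkts, n):               # editcap -c n: consecutive files of at most n packets
    return [pkts[i:i + n] for i in range(0, len(pkts), n)]

def mergecap(*inputs, concatenate=False):       # mergecap (chronological) vs mergecap -a (append)
    pkts = [p for f in inputs for p in f]
    return pkts if concatenate else sorted(pkts, key=lambda p: (p[0], p[1]))

def sample_capture():
    """Constructed data: six frames, frame 3 a byte-for-byte duplicate of frame 2;
    base time 1543782900 is 2018-12-02 20:35:00 UTC, the call time used in the text."""
    eth = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00"
    payloads = [b"frame-0", b"frame-1", b"frame-2", b"frame-2", b"frame-4", b"frame-5"]
    base = 1543782900
    return write_pcap([(base + i, 250000 * (i % 4), eth + p) for i, p in enumerate(payloads)])

if __name__ == "__main__":
    pkts = read_pcap(sample_capture())
    print(capinfos(pkts))
    print(len(editcap_dedup(pkts)), "packets after dedup,",
          len(editcap_time_range(pkts, 1543782901, 1543782904)), "in the 20:35:01-20:35:04 window")
```

Run it as a script to print the capinfos-style summary of the constructed file; writing sample_capture() to disk and running the real capinfos and editcap on it is a quick way to confirm that the numbers and the truncation, shift and dedup behaviour agree.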
Conclusion:
Working with dumps without a graphical interface is less convenient and requires more skill and knowledge than working with them in the Wireshark GUI, but it is extremely handy for trimming packet traces before transferring them elsewhere and for automating analysis tasks.
Capture, read and store packets
When launched without parameters, tshark, like tcpdump, starts capturing on the first available non-loopback interface (not on all interfaces at once):
# tshark
If your machine has several interfaces, you will need to specify which one to use. To list the available interfaces, use the -D option:
tshark -D
Having chosen an interface, give its name or number with the -i option, for example:
tshark -i eth0
tshark -i 1
Now that we can capture packets, we may want to save them for later study. For this there is the -w option. The following command captures packets from eth0 and saves them to /tmp/traffic.pcap:
tshark -i eth0 -w /tmp/traffic.pcap
To analyse packets from a previously saved file instead of capturing from an interface, give the file name with -r. Superuser privileges are not needed to read from a file:
tshark -r /tmp/traffic.pcap
Note that tshark also reads and dissects files captured by tcpdump, since both use the pcap format.
By default tshark applies the same name-resolution settings as Wireshark (MAC vendor prefixes and port names are resolved; IP-to-hostname lookups are off unless enabled). The -n option disables all name resolution, so the output shows IP addresses and port numbers instead of names, which is faster and avoids the extra DNS traffic mentioned earlier:
tshark -n