wireshark Flashcards
How to filter on an IP address in both directions, or by source or destination only
ip.addr == xx.xx.xx.xx
ip.src == xx.xx.xx.xx
ip.dst == xx.xx.xx.xx
How to filter on a subnet
ip.addr == xx.xx.xx.0/24
What do source and destination mean?
Source is the sender (outgoing traffic)
Destination is the receiver (incoming traffic)
How to filter on a required port, in both directions or by source or destination only
tcp.port == xx or udp.port == xx
tcp.srcport == xx or udp.srcport == xx
tcp.dstport == xx or udp.dstport == xx
Types of application-level protocol filters (typed as the lowercase protocol name)
HTTP, HTTPS, DNS, DHCP, SMTP, POP3, IMAP, SNMP, Telnet, SSH, RDP, SIP, BGP, LDAP, NFS, SMB, SMB2, ICMP, MQTT, Kerberos, bootp, websocket
HTTP
http
Capture HTTP requests
http.request.method == "XXX"
XXX can be POST, GET, PUT, DELETE
Capture specific HTTP response codes
http.response.code == XXX
How to find the hash (SHA-256, SHA-1, etc.) of the capture file
Statistics -> Capture File Properties
How to search for a specific string in packets (e.g. a hash)
Edit -> Find Packet
How to find files within the captured packets
File -> Export Objects (options: HTTP, SMB, TFTP, DICOM, IMF)
Apply a field as a filter from the Packet List pane
select packet -> double-click -> Apply as Filter
Statistics -> Resolved Addresses
hosts, ports, and capture file comment information
Statistics -> Conversations
Ethernet, IPv4, IPv6, TCP and UDP (shows the conversations within the capture file)
Conversations focus on the interactions between two endpoints.
Statistics -> Endpoints
Ethernet, IPv4, IPv6, TCP and UDP; traffic per endpoint device only
Endpoints focus on single devices.
Statistics -> IPv4 Statistics
all IP addresses
destinations and ports
IP protocol type
source and destination address traffic info
Statistics -> DNS
all DNS packets from the capture file
the DNS service's overall usage, including rcode, opcode, class, query type, service and query stats
Statistics -> HTTP
Packet Counter (counts HTTP requests and response codes)
Requests (requests by host)
Load Distribution
Request Sequences
Search for a value inside packets; example: find all Apache servers
contains
example: http.server contains "Apache"
Search for a regular-expression pattern; example: find all .php and .html pages
matches
http.host matches "\.(php|html)"
Search for a value or field inside a specific set; example: find all packets that use port 80, 443 or 8080
in
tcp.port in {80 443 8080}
upper and lower
Convert a string to uppercase with upper(), to lowercase with lower()
Convert a non-string value to a string with string()
Example: find all frames with odd frame numbers
string(frame.number) matches "[13579]$"
output: 1, 3, 5, 7, 9, 11, 13, 15, ...
TCP connect scan in Wireshark
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024
SYN scans
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
UDP scan (port unreachable responses)
icmp.type == 3 and icmp.code == 3
Only the SYN flag set
tcp.flags == 2 (displays packets with only the SYN flag)
Only the ACK flag set
tcp.flags == 16 (displays packets with only the ACK flag)
SYN flag is set; the rest of the bits are not important.
tcp.flags.syn == 1 (also displays combinations such as SYN/ACK)
ACK flag is set; the rest of the bits are not important.
tcp.flags.ack == 1 (also displays combinations such as ACK/RST, SYN/ACK)
Only SYN and ACK flags.
tcp.flags == 18
Only the RST flag.
tcp.flags == 4
RST flag is set; the rest of the bits are not important.
tcp.flags.reset == 1 (also displays combinations such as RST/ACK)
RST and ACK are set; the rest of the bits are not important.
(tcp.flags.reset == 1) and (tcp.flags.ack == 1)
ARP requests
arp.opcode == 1
ARP responses
arp.opcode == 2
MAC address (either direction)
eth.addr
Source MAC and destination MAC address
eth.src
eth.dst
Possible ARP flooding detection:
((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == xx:xx:xx:xx:xx:xx)
Possible ARP poisoning detection:
arp.duplicate-address-detected
DHCP
dhcp or bootp
helps assign IP addresses in a network
DHCP request
dhcp.option.dhcp == 3
contains information about the hostname
DHCP ack
dhcp.option.dhcp == 5
accepted the request to assign an IP address
DHCP nak
dhcp.option.dhcp == 6
denied the request to assign an IP address
To find a hostname in DHCP traffic
dhcp.option.hostname contains "host_name"
To find a domain name in DHCP traffic
dhcp.option.domain_name contains "keyword"
FTP response code
ftp.response.code == xxx
x1x series: information request responses.
211: System status.
212: Directory status.
213: File status.
x2x series: connection messages.
220: Service ready.
227: Entering passive mode.
228: Long passive mode.
229: Extended passive mode.
x3x/x5x series: authentication messages.
230: User login.
231: User logout.
331: Valid username.
430: Invalid username or password.
530: No login, invalid password.
To find which FTP command is used
by using
ftp.request.command == "USER"
we can use "USER", "PASS", "CWD", "LIST" (the comparison is case-sensitive)
List target usernames.
(ftp.response.code == 530) and (ftp.response.arg contains "username")
List targets for a static password.
(ftp.request.command == "PASS") and (ftp.request.arg == "password")
FTP arguments
ftp.request.arg and ftp.response.arg (used in the two filters above)
To find a user agent
http.user_agent contains "Chrome"
e.g. Chrome, Nmap, etc. (contains is case-sensitive)
How to find a hostname
http.host contains "name"
Connection status.
http.connection == "Keep-Alive"