Wireshark¶
Shortcuts¶
Shortcut |
Description |
---|---|
ctrl+k |
Capture dialog |
ctrl+e |
Start / stop capture |
alt+a |
Analyze menu |
alt+s |
Statistics menu |
ctrl+. |
Next packet in conversation |
ctrl+, |
Previous packet in conversation |
ctrl+m |
Mark packet |
shift+ctrl+n |
Next marked packet |
shift+ctrl+b |
Previous marked packet |
TCP stuff¶
Show tcp problems
tcp.analysis.flags
Show tcp buffering problems
tcp.analysis.window_full
Out-of-Orders indicate packet loss on the remote side
TCP retransmission occurs when the server retransmits a packet
TCP Dup ACK occurs when the client retransmits a packet
Wifi¶
View -> Wireless Toolbar
hide beacons
wlan.fc.subtype != 8
filter by ssid
wlan_mgt.ssid == "Spatula City"
filter by channel (e.g. channel 11)
radiotap.channel.freq == 2462
only sniff data frames
wlan.fc.subtype == 2
sniff probe request / response
wlan.fc.subtype==4 or wlan.fc.subtype==5
retransmissions
wlan.fc.retry == 1
WEP / WPA¶
Decrypt WEP / WPA traffic with existing key
Preferences -> Protocols -> IEEE 802.11 -> Enable decryption + Add decryption keys
SSL¶
Edit preferences -> protocols -> SSL
Put the following into RSA key list
192.168.x.x,443,http,/path/to/keyfile.pem;
One could also specify 0.0.0.0 as ip, 0 as port and data as protocol
Afterwards right click on packet and choose Follow SSL Stream
Filter SSL handshake
ssl.record.content_type==22
Decrypt and display data from dump file
tshark -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,rsa_private.key" -o "ssl.debug_file:rsa_private.log" -r all.pcap -R "(tcp.port eq 443)" -V
Detect ARP storms¶
Preferences -> Protocols -> ARP -> Detect ARP request storms
Grep through payload¶
Use filter tcp contains what_you_like_to_grep
Macros¶
With Analyze -> Display Filter Macros you can give complex display filter strings an easy name and even use parameters
E.g. ICMP redirection not from gateway ip and save it under name icmp_redir
icmp.type == 5 and ip.src != $1
$1 will get replace by specified ip
To use it type the following display filter
${icmp_redir:192.168.1.1}
Macros are stored in ~/.wireshark/profiles/$profile/dfilter_macros
"arp_req","arp.opcode == 0x0001"
"arp_rep","arp.opcode == 0x0002"
"echo_req","icmp.type == 8"
"echo_rep","icmp.type == 0"
"ssl_handshake","ssl.record.content_type==22"
"nobeacons","wlan.fc.subtype != 8"
"ssid","wlan_mgt.ssid == \x22$1\x22"
"probes","wlan.fc.subtype==4 or wlan.fc.subtype==5"
"dns_req","dns.flags.response == 0"
"dns_res","dns.flags.response == 1"
"dns_error","dns.flags.rcode != 0"
"icmp_redir","icmp.type == 5 and ip.src != $1"
Frame filter¶
You can filter on frame arravile time
frame.time == "Jan 01, 2013 00:00:00"
Or on frames that took more than 1 second to the previous frame
frame.time_delta > 1
GeoIP¶
Make a new dir called geoip
Download http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz and unzip it to that dir
Add the dir to Preferences -> Name Resolution -> GeoIP database directories
Restart wireshark
Statistics -> Endpoints -> IPv4 -> Map
Edit preferences -> protocols -> ipv4 -> enable geoip (optional to filter on geoip)
To filter on geoip information use
ip.geoip.country == "China"
HTTP¶
Display filter
http.response.code
http.request.method
http.host
http.user_agent
http.referer contains
http.content_type
http.cookie
http contains "password"
Export html pages (File -> Export -> Objects -> HTTP)
Tshark¶
Display get requests, dont do dns, dump all packets with payload to all.pcap
-f “capture filter”
-R “display filter”
-s snaplen
-S decode payload
-V Display complete packet
-a <auto-stop-condition>
-t a (display absolute time)
-o “tcp.relative_sequence_numbers:FALSE” for displaying absolute sequence numbers
tshark -S -n -t a -o "tcp.relative_sequence_numbers:FALSE" -f "port 80"
Show http get requests
tshark -S -n -w all.pcap -f "host www.datenterrorist.de" -R "http.request.method==GET"
Capture traffic for 10 seconds, display traffic analysis for all ips
tshark -q -a duration:10 -z conv,ip
Sniff cookies
tshark -T fields -e http.cookie -R "http.cookie" port 80
FTP logins
tshark -R 'ftp.request.command == "USER" || ftp.request.command == "PASS"'
Detect FTP bounce attack
tshark -R 'ftp.request.command == "PORT"'
POP logins
tshark -R 'pop.request.command == "USER" || pop.request.command == "PASS"'