Wireshark is the most widely used free and open-source packet analysis tool in the world. It makes it easy to find and fix network problems. The project started as Ethereal and was renamed Wireshark in May 2006. It runs on Unix-like and Windows operating systems. In short, Wireshark is a sniffer application; "sniffer" is the general name for software that monitors the traffic passing over a network.

Wireshark allows the traffic on the network to be monitored through a graphical interface. The traffic of the connected network can easily be followed from the computer on which the application is installed. Examining the data packets lets users observe how the network works and solve the problems that occur. Captured packets can be examined down to detailed protocol information and saved for later review, and previously recorded traffic can likewise be opened and examined later in the application.

During Wireshark installation on Windows, an add-on named WinPcap is installed automatically. The WinPcap library captures Ethernet traffic in real time, and Wireshark uses the data it provides to examine that traffic instantly through the graphical interface.

With Wireshark, packets are captured on wired and wireless connections. Traffic can be narrowed down with filters. Captured packets can be edited and converted to a certain extent. VoIP calls on the network can be detected. It allows not only monitoring the traffic live but also examining, recording and analysing the contents of the packets in detail.

To summarize, Wireshark is a sniffer application: the sniffer takes a copy of the traffic passing through the network cable and hands it to the application, which allows the packets in that traffic to be examined in detail. A brief overview of how the program is used is given below.

About Shortcut Tabs

The most frequently used items under the menu tabs are presented below. These items provide ease of use and several optional functions.

  • With the “Export Objects” button under the “File” tab, the data carried in the selected format is listed by data type, source and destination. (For example, if HTTP is selected, the visited websites are displayed by URL; if TFTP is selected, the server addresses of the data transfers are displayed. In addition, if an HTTP response carries a displayed image (PNG, JPG), it is possible to save it to the desktop and view the address or document.)
  • Packets can be marked with the “Mark Packets” option under the “Edit” tab. If a packet is already marked, the same option unmarks it.
  • The “View” tab decides how the application and its interface look. Column widths, font size and which packet details are displayed are decided here.
  • The “Go” tab moves to the previous or next packet relative to the selected one. Additionally, it provides shortcuts to jump to a particular packet in order to inspect it, or to leave the packet and return to the beginning.
  • The remaining tabs are covered in more detail later in this text.
About Filter Toolbar
  • Bookmarks – Contains the default filters and the most used filters.
  • Filter Input – The expression is entered manually. When a correct expression is entered, the field changes color to show that the filter is valid.
  • Clear – Clears the filter so that all packets are displayed.
  • Apply – Applies the typed filter.
  • Recent – Shows filters written in the past.
  • Add Button – Adds a frequently used filter as a shortcut and makes it easy to reuse.
  • A custom filter can be created and added to the bookmarks with the “Manage Display Filters” option in the “Bookmark” tab.
  • Analyze – Display Filter Expressions – The detailed syntax of any filter can be viewed from this section. E.g. “icmp.type == 8” is a display filter for an echo request and “icmp.type == 0” for an echo reply.

Parentheses are used when one part of a filter must take priority: the condition in parentheses is evaluated first. For example, the filter “(ip.src == 172.16.1.14 and udp.port == 53) or tcp.port == 80” displays the DNS data of the specified IP together with all HTTP data. This lets several filter operators be used in the same filter.

Display Filter Operators
  • Equal To: is expressed with “==” or “eq”.
  • Or: is expressed with “||” or “or”.
  • And: is expressed with “&&” or “and”.
  • Greater Than: is expressed with “>” or “gt”.
  • Less Than: is expressed with “<” or “lt”.
  • Greater Than or Equal To: is expressed with “>=” or “ge”.
  • Less Than or Equal To: is expressed with “<=” or “le”.
  • Not: is expressed with “!” or “not”.
  • Not Equal To: is expressed with “!=” or “ne” .
  • Contains: is expressed with “contains”.
  • Matches: is expressed with “matches”.
    • For example, the “tcp.port == 80” filter lists all TCP packets whose destination or source port is 80.
    • If packets in only one direction are wanted, an additional filter can be added.
    • For example, the filter “tcp.port == 80 || tcp.port == 443” lists all TCP packets whose destination or source port is 80 or 443.
    • For example, the filter “icmp and ip.ttl == 64” lists all ICMP packets with a TTL value of 64.
    • Thus we observe that both filter conditions must be met.
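The filters above, including the parenthesised one from the previous section, can be tried against a small constructed capture with the interpreter below. It is an added example written for this page, not Wireshark's own filter engine: it accepts the comparison operators from the list in both forms, and/or/not with parentheses, and bare protocol names, and it reproduces two behaviours that matter when a filter is used for detection work: a field that is absent from a packet never matches (so “tcp.port != 80” does not select ICMP packets), and “!=” is true only when no occurrence of the field equals the value. The packet dicts are hand-constructed stand-ins for dissected packets, and "no" is the packet number.

```python
"""Evaluator for a subset of Wireshark display-filter syntax (added illustration,
not Wireshark's code). Supports the comparison operators listed above in symbolic
and word form, and/or/not with parentheses, and bare protocol names. A packet is a
dict; a field that occurs twice (tcp.port: source and destination) is a list and
matches if any occurrence does. Kept on purpose: an absent field never matches,
and "!=" is true only when no occurrence equals the value (Wireshark 3.6+)."""
import re

COMPARISONS = {"==": "eq", "eq": "eq", "!=": "ne", "ne": "ne", ">": "gt", "gt": "gt",
               "<": "lt", "lt": "lt", ">=": "ge", "ge": "ge", "<=": "le", "le": "le",
               "contains": "contains"}
TESTS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "lt": lambda a, b: a < b,
         "ge": lambda a, b: a >= b, "le": lambda a, b: a <= b,
         "contains": lambda a, b: str(b) in str(a)}
TOKEN_RE = re.compile(r'\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[\w.:/-]+')


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join("".join(tokens).split()) != "".join(expr.split()):  # leftover text = syntax error
        raise ValueError(f"cannot tokenize {expr!r}")
    return tokens


def coerce(raw):
    """Strip quotes; plain integers become int so ttl/port comparisons are numeric."""
    raw = raw.strip('"')
    return int(raw) if raw.isdigit() else raw


def comparison(field, op, raw):
    value = coerce(raw)
    def test(pkt):
        present = pkt.get(field)
        if present is None:            # absent field never matches
            return False
        occurrences = present if isinstance(present, list) else [present]
        if op == "ne":                 # no occurrence may equal the value
            return all(o != value for o in occurrences)
        return any(TESTS[op](o, value) for o in occurrences)
    return test


class Parser:
    """Recursive descent, precedence or < and < not: 'a and b or c' is '(a and b) or c'."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def binary(self, words, operand, combine):
        node = operand()
        while self.peek() in words:
            self.take()
            left, right = node, operand()
            node = lambda pkt, l=left, r=right, c=combine: c(l(pkt), r(pkt))
        return node
    def parse_or(self):
        return self.binary(("or", "||"), self.parse_and, lambda a, b: a or b)
    def parse_and(self):
        return self.binary(("and", "&&"), self.parse_not, lambda a, b: a and b)
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda pkt: not inner(pkt)
        return self.parse_atom()
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in COMPARISONS:
            return comparison(tok, COMPARISONS[self.take()], self.take())
        return lambda pkt, f=tok: f in pkt   # bare protocol name: present in the packet?


def apply_filter(expr, packets):
    """Numbers of the packets that match a display filter."""
    parser = Parser(tokenize(expr))
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [p["no"] for p in packets if pred(p)]


# Constructed packets standing in for a small capture (values chosen by hand).
PACKETS = [
    {"no": 1, "ip.src": "172.16.1.14", "ip.dst": "8.8.8.8", "ip.ttl": 64, "udp.port": [51000, 53], "dns": True},
    {"no": 2, "ip.src": "172.16.1.14", "ip.dst": "93.184.216.34", "ip.ttl": 64, "tcp.port": [49152, 80], "http": True},
    {"no": 3, "ip.src": "172.16.1.20", "ip.dst": "172.16.1.1", "ip.ttl": 64, "icmp": True, "icmp.type": 8},
    {"no": 4, "ip.src": "172.16.1.1", "ip.dst": "172.16.1.20", "ip.ttl": 255, "icmp": True, "icmp.type": 0},
    {"no": 5, "ip.src": "172.16.1.20", "ip.dst": "93.184.216.34", "ip.ttl": 64, "tcp.port": [49153, 443]},
]
```

Calling `apply_filter("(ip.src == 172.16.1.14 and udp.port == 53) or tcp.port == 80", PACKETS)` returns packets 1 and 2; removing the parentheses changes nothing here only because “and” already binds tighter than “or”, which is the precedence the parser encodes.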
NOTE

After clicking on a packet, certain marks appear to the far left of the packet numbers. These marks show the start and end of the exchange, the related and unrelated packets in between, and the acknowledgements. Thus all the details of the delivery of a sent packet can be displayed.

Using the Mouse Right Click

A packet that is right-clicked on:

  • can be highlighted with “Mark”.
  • can be hidden from the relevant area with “Ignore”.
  • With “Setting” (a time reference), the capture time of the selected packet is set to 0, which makes it easier to inspect the timing of the packets that follow it.
  • With “Comment”, a comment can be added to the packet and the note is then shown among the packet contents.
  • In the “Edit Name Resolution” section, labels such as Gateway or PC can be given to the IP addresses in the current packet, and these names are then shown instead of the IP address. No CPU time is spent resolving the names.
  • With the “Apply as Filter” button, all packets belonging to an address in the selected packet (MAC, IP, etc.) can be filtered easily.
  • The “Colorize Conversation” button shows the conversation between two devices that are talking to each other in a single color.
  • With “Follow – TCP Stream”, all the contents of the current TCP conversation can be viewed; the data sent in both directions is displayed on screen.
  • With the “Copy” button, the packet can be saved as text or its hexadecimal values copied, so that these packets can later be opened and read individually.
Long Range Traffic Capture

Shark Tap devices are placed between the router and the firewall to create an environment in which the traffic passing through them can be copied and examined without generating extra traffic. To do port mirroring on a switch or router, the following commands are used:

  1. monitor session 1 destination interface f0/1
  2. monitor session 1 source interface f0/2
  3. show monitor session 1

With these commands, the communication between the two devices is mirrored to a third device, where it can be followed more easily.

If the traffic of a user or of another switch behind the sniffed switch is to be followed, an RSPAN configuration can be made. Alternatively, rpcapd.exe is installed on the remote computer together with the WinPcap library, so that this computer acts as a server and Wireshark as a listener. In this case the user with the program installed acts as a server over port 2003, and the admin with Wireshark acts as a traffic listener over port 2002. After the server side is started with “rpcapd -n” from cmd, the IP and port of the remote user are entered via the Capture Options – Manage Interfaces – Remote Interfaces button in Wireshark. The interface is then available and the remote traffic can be captured.

To decide in advance when a capture will run, which packets it will capture and how big it will be, and to start capturing and save the result in different ways:
  • On the Capture – Output tab, the location and format of the file to be saved are selected.
  • If the “Create a new file” option is selected, the capture is saved to a new file each time a certain limit, based on duration or size, is reached.
  • If the ring buffer option is selected, only as many files as the entered number are kept.

As it continues to capture traffic it deletes and overwrites the oldest file. At most 5 files are kept even though the file numbering keeps increasing: when a 5-file limit is set and 5 files have been produced, the 1st file is deleted as the 6th capture file is written, so the 6th effectively overwrites the 1st.
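The ring-buffer behaviour just described, as an added example written for this page rather than Wireshark's own code: a new file is started whenever the current one would exceed the size limit, and once more than N files exist the oldest is deleted, so only the most recent N remain. The file names, sizes and filler bytes are constructed for the demonstration; a temporary directory stands in for the capture output folder.

```python
"""Ring-buffer capture files, as Wireshark's "Use a ring buffer with N files"
option behaves (added illustration, not Wireshark's code). A new file is started
whenever the current one would exceed the size limit; once more than N files
exist the oldest is deleted, so the set on disk is always the most recent N. It
writes constructed filler bytes, not real packets, into a temporary directory."""
import os
import tempfile


class RingBuffer:
    def __init__(self, directory, max_files=5, max_bytes=100, prefix="capture"):
        self.directory, self.prefix = directory, prefix
        self.max_files, self.max_bytes = max_files, max_bytes
        self.files, self.current, self.written, self.seq = [], None, 0, 0

    def _rotate(self):
        """Close the current file and open the next; drop the oldest beyond max_files."""
        if self.current:
            self.current.close()
        self.seq += 1
        path = os.path.join(self.directory, f"{self.prefix}_{self.seq:05d}.pcap")
        self.current, self.written = open(path, "wb"), 0
        self.files.append(path)
        if len(self.files) > self.max_files:
            os.remove(self.files.pop(0))     # the oldest capture is, in effect, overwritten

    def write(self, packet):
        if self.current is None or self.written + len(packet) > self.max_bytes:
            self._rotate()
        self.current.write(packet)
        self.written += len(packet)

    def close(self):
        if self.current:
            self.current.close()

    def on_disk(self):
        return sorted(os.path.basename(p) for p in self.files)


def simulate(max_files=5, max_bytes=100, packets=12, packet_size=50):
    """Write fixed-size constructed packets and report which capture files survive."""
    directory = tempfile.mkdtemp()
    ring = RingBuffer(directory, max_files=max_files, max_bytes=max_bytes)
    try:
        for i in range(packets):
            ring.write(bytes([i % 256]) * packet_size)   # constructed filler, not a real packet
        ring.close()
        names = ring.on_disk()
        return {"files_created": ring.seq, "on_disk": names,
                "consistent": names == sorted(os.listdir(directory))}
    finally:
        for name in os.listdir(directory):
            os.remove(os.path.join(directory, name))
        os.rmdir(directory)
```

With the defaults, 12 packets of 50 bytes fill six 100-byte files; the sixth triggers removal of the first, leaving files 2 to 6 on disk, which is exactly the overwrite the text describes.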

Command Line Capture
  • When cmd is opened, it starts in the user's directory. Type “cd \” to leave it for the root of the drive.
  • Then the “dir” command lists all the folders on the C: drive.
  • The folder to be entered is opened with the cd command; for example, “cd \Wireshark” enters the Wireshark folder.
  • Running “dir” again lists the files in this folder. The application to be used here is “tshark”.
  • The “tshark -D” command lists the interfaces on which tshark can capture traffic.
  • In this case the command is as follows: “C:\Program Files\Wireshark>tshark -D”
  • After viewing the active interfaces, the packet capture is started with certain parameters.
  • An example command is “C:\Program Files\Wireshark>tshark -i 9 -f "icmp" -a duration:15 -w TEST.pcap”.
    • -i : the interface to capture on
    • -f : the capture filter that specifies the type of packet to be captured
    • -a : adds an autostop condition, such as “duration” or “filesize”, to the capture
    • -w : the name and extension of the file to which the captured traffic is written
  • The captured packets are saved in the program's folder, i.e. the current folder.
  • To find out what an option means, “tshark -h” (help) shows what each option does.
  • When the capture is over, the captured packets are viewed by opening “TEST.pcap” in Wireshark.
  • At this stage it is enough to enter the name and format of the file to be opened.
About Capture Filtering

Capture filtering makes it easier to capture only the traffic, or the parts of it, that are wanted, and avoids filling the storage area unnecessarily. Filters can be set on the desired interfaces from the Capture Options section, and a custom filter can also be added. The formula at this stage is “Primitive = Qualifier + Identifier”.

  • Identifier : the value being matched, e.g. a decimal or hexadecimal number, an ASCII name, the 53 in port 53, the 443 in port 443, 192.168, 172.16 etc.
  • Qualifier : host, port, dst, src, tcp, udp, arp etc.
  • Primitive : dst host <host>, src host <host>, dst net 192.168.10.0/24 etc.

For example, ping the gateway and a website, www.wireshark.org, from the command window; either the URL or the IP can be used when pinging. When selecting the interface before capturing, if “host www.wireshark.org” is entered in the “Enter a capture filter” field, only packets to or from this address are captured. If the filter is written as “src host www.wireshark.org”, only packets with www.wireshark.org as the source are captured.

The “ether” qualifier filters on MAC addresses: with “ether dst 98-AF-65-30-05-11”, the traffic directed to this MAC address (destination) is captured.

There is also a “net” qualifier. E.g. “net 192.168” captures traffic from the network with this IP block. It can also be written with an IP and prefix, as in “net 192.168.1.0/24”.

With “not”, for example “not ether host 98-AF-65-30-05-11”, all traffic except the packets to or from this MAC address is captured.

If application-based filtering is desired, traffic can be captured with filters such as “port 53” or “dst port 53”. In the replies seen after filtering, “A” records carry IPv4 and “AAAA” records IPv6 address information, while “PTR” records are the reverse lookups that map an address back to a name. The IP and server information of any website can be obtained by typing “nslookup www.wireshark.org”.

The and, or and not operators combine multiple filters. E.g. “host www.wireshark.org and not port 80”, “host 192.168.1.103 and tcp dst port 53” or “host 192.168.1.101 or tcp dst port 53”.

  • NOT – Capture the traffic of a particular term, excluding whatever matches the term that follows it.
  • AND – Capture only the traffic that matches both terms at the same time, i.e. the intersection.
  • OR – Capture the traffic that matches either term, alone or together, i.e. the union of both cases.
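The capture-filter primitives and the and/or/not combinations from this section, evaluated over a constructed packet list. This is an added example written for this page, not libpcap's compiler: each primitive is a small predicate, so “host” matches either end of a packet, “net 192.168” is expanded to 192.168.0.0/16 the way the shorthand is understood, “port” never matches ICMP (which has no ports), and a host name is resolved once when the filter is built. The RESOLVED table, the 203.0.113.x addresses, the MAC addresses and the packets themselves are all constructed; only 98-AF-65-30-05-11 comes from the text, and the normaliser accepts it with dashes or colons.

```python
"""Capture-filter primitives modelled as predicates (added illustration, not
libpcap's code). Each function mirrors one pcap-filter primitive named in the
text (host, src/dst host, net, port, dst port, ether host/dst, tcp/udp/icmp) and
not_/and_/or_ combine them. Reproduced behaviours: a host name is resolved once
when the filter is built (here from a constructed table, not live DNS), and
host/net/port without a direction match either end of the packet."""
import ipaddress

RESOLVED = {"www.wireshark.org": "203.0.113.10"}   # constructed stand-in for the DNS lookup
GATEWAY_MAC = "98-AF-65-30-05-11"                  # MAC address used in the text


def _ip(name_or_ip):
    return RESOLVED.get(name_or_ip, name_or_ip)


def _mac(mac):
    """Accept 98-AF-65-30-05-11 or 98:af:65:30:05:11 and normalise to lower-case colons."""
    return mac.lower().replace("-", ":")


def host(x):       return lambda p: _ip(x) in (p["ip.src"], p["ip.dst"])
def src_host(x):   return lambda p: p["ip.src"] == _ip(x)
def dst_host(x):   return lambda p: p["ip.dst"] == _ip(x)


def net(spec):
    """'net 192.168' means 192.168.0.0/16; 'net 192.168.1.0/24' is taken as written."""
    if "/" not in spec:
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    network = ipaddress.ip_network(spec, strict=False)
    return lambda p: any(ipaddress.ip_address(a) in network for a in (p["ip.src"], p["ip.dst"]))


def port(n):       return lambda p: n in (p.get("sport"), p.get("dport"))   # ICMP has no ports
def dst_port(n):   return lambda p: p.get("dport") == n
def src_port(n):   return lambda p: p.get("sport") == n
def proto(name):   return lambda p: p["proto"] == name
def ether_host(m): return lambda p: _mac(m) in (p["eth.src"], p["eth.dst"])
def ether_dst(m):  return lambda p: p["eth.dst"] == _mac(m)
def not_(f):       return lambda p: not f(p)
def and_(*fs):     return lambda p: all(f(p) for f in fs)
def or_(*fs):      return lambda p: any(f(p) for f in fs)


def capture(pred, packets):
    """Numbers of the packets that the capture filter would let through."""
    return [p["no"] for p in packets if pred(p)]


HOST_A, HOST_B, GW = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", _mac(GATEWAY_MAC)
# Constructed packets (values chosen by hand): ping and HTTP to www.wireshark.org,
# DNS over UDP and TCP, an inbound TLS reply, local SSH, and the ping reply.
PACKETS = [
    {"no": 1, "eth.src": HOST_A, "eth.dst": GW, "ip.src": "192.168.1.103", "ip.dst": "203.0.113.10", "proto": "icmp"},
    {"no": 2, "eth.src": HOST_A, "eth.dst": GW, "ip.src": "192.168.1.103", "ip.dst": "203.0.113.10", "proto": "tcp", "sport": 50000, "dport": 80},
    {"no": 3, "eth.src": HOST_B, "eth.dst": GW, "ip.src": "192.168.1.101", "ip.dst": "192.168.1.1", "proto": "udp", "sport": 50001, "dport": 53},
    {"no": 4, "eth.src": HOST_A, "eth.dst": GW, "ip.src": "192.168.1.103", "ip.dst": "192.168.1.1", "proto": "tcp", "sport": 50002, "dport": 53},
    {"no": 5, "eth.src": GW, "eth.dst": HOST_B, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.101", "proto": "tcp", "sport": 443, "dport": 50003},
    {"no": 6, "eth.src": HOST_B, "eth.dst": HOST_A, "ip.src": "192.168.1.101", "ip.dst": "192.168.1.103", "proto": "tcp", "sport": 50004, "dport": 22},
    {"no": 7, "eth.src": GW, "eth.dst": HOST_A, "ip.src": "203.0.113.10", "ip.dst": "192.168.1.103", "proto": "icmp"},
]
```

`capture(and_(host("www.wireshark.org"), not_(port(80))), PACKETS)` corresponds to the text's “host www.wireshark.org and not port 80” and keeps the ping and its reply (packets 1 and 7) while dropping the HTTP packet, which is the intersection semantics of AND described above.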

Ready-made filters can also be edited and shared outside the application. To do this, first open the Help – Folders – Global Configuration section from the application menu. The “cfilters” file found there can be opened and edited with Notepad++ or a similar application, and the file can then be shared and used on other devices or by other users.

About The Statistics Tab

Under the Statistics tab, a filter based on a protocol or on the communication between two addresses can be applied with a right-click.

  • The “Protocol Hierarchy” section of the Statistics tab shows, layer by layer from Layer 1 to Layer 7, which protocols are present in the current traffic and how many packets and bytes each of them carries.
  • The “Conversations” section of the Statistics tab shows which devices are communicating with each other, and over which protocol, in the current traffic.
  • The “Endpoints” section of the Statistics tab records the devices detected at Layer 2 and Layer 3; when it is used as a filter, only the communication with those devices is displayed.

When a protocol is right-clicked and “Apply as Filter” is chosen, all packets of the selected protocol are displayed as the filtered view of the whole traffic.

  • In the Statistics tab it is also possible to filter between two devices by specifying the direction of the traffic.
  • The “Packet Length” section of the Statistics tab shows the size distribution of all packets sent in the current traffic and their average size.
  • The “I/O Graphs” section of the Statistics tab plots the incoming and outgoing transmissions in the current traffic so they can be followed graphically.
  • In the “Resolved Addresses” section of the Statistics tab, “Apply as Filter” applies the filter to the current traffic immediately, whereas “Prepare as Filter” only enters the filter text in the filter bar without executing it.
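The three summaries the Statistics tab produces, computed from a constructed packet list. This is an added example written for this page, not Wireshark's code: Protocol Hierarchy counts every packet at each layer of its stack, Conversations keys each row by the unordered pair of (address, port) endpoints so both directions land in one row with separate per-direction counts, and Endpoints totals bytes sent and received per IPv4 address. The `conversation_filter` helper builds a display filter of the kind the Conversations dialog's “Apply as Filter” produces for one row. The packets, addresses, ports and lengths are all constructed.

```python
"""Protocol Hierarchy, Conversations and Endpoints from a packet list (added
illustration of what the Statistics tab summarises, not Wireshark's code).
Packets are constructed dicts carrying the protocol stack, the frame length and
the IP/port tuple of each end."""
from collections import defaultdict

# Constructed capture (values chosen by hand): a DNS lookup, an HTTP exchange and
# a short TLS exchange between a client, its resolver and two servers.
PACKETS = [
    {"no": 1, "layers": ("eth", "ip", "udp", "dns"),  "len": 74,   "src": ("192.168.1.103", 50001), "dst": ("192.168.1.1", 53)},
    {"no": 2, "layers": ("eth", "ip", "udp", "dns"),  "len": 90,   "src": ("192.168.1.1", 53),      "dst": ("192.168.1.103", 50001)},
    {"no": 3, "layers": ("eth", "ip", "tcp"),         "len": 66,   "src": ("192.168.1.103", 50002), "dst": ("203.0.113.10", 80)},
    {"no": 4, "layers": ("eth", "ip", "tcp", "http"), "len": 420,  "src": ("192.168.1.103", 50002), "dst": ("203.0.113.10", 80)},
    {"no": 5, "layers": ("eth", "ip", "tcp", "http"), "len": 1514, "src": ("203.0.113.10", 80),     "dst": ("192.168.1.103", 50002)},
    {"no": 6, "layers": ("eth", "ip", "tcp", "tls"),  "len": 583,  "src": ("192.168.1.103", 50003), "dst": ("203.0.113.20", 443)},
    {"no": 7, "layers": ("eth", "ip", "tcp", "tls"),  "len": 1514, "src": ("203.0.113.20", 443),    "dst": ("192.168.1.103", 50003)},
]


def protocol_hierarchy(packets):
    """Packets and bytes per protocol path; a packet counts at every layer of its stack."""
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            row = rows[p["layers"][:depth]]
            row["packets"] += 1
            row["bytes"] += p["len"]
    return dict(rows)


def conversations(packets):
    """One row per (transport, endpoint A, endpoint B), counting A->B and B->A separately."""
    rows = defaultdict(lambda: {"packets_ab": 0, "bytes_ab": 0, "packets_ba": 0, "bytes_ba": 0})
    for p in packets:
        a, b = sorted((p["src"], p["dst"]))          # unordered pair: both directions share a row
        key = (p["layers"][2], a, b)
        direction = "ab" if p["src"] == a else "ba"
        rows[key]["packets_" + direction] += 1
        rows[key]["bytes_" + direction] += p["len"]
    return dict(rows)


def endpoints(packets):
    """Per IPv4 address: packets and bytes transmitted and received (the Layer 3 view)."""
    rows = defaultdict(lambda: {"tx_packets": 0, "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for p in packets:
        rows[p["src"][0]]["tx_packets"] += 1
        rows[p["src"][0]]["tx_bytes"] += p["len"]
        rows[p["dst"][0]]["rx_packets"] += 1
        rows[p["dst"][0]]["rx_bytes"] += p["len"]
    return dict(rows)


def conversation_filter(key):
    """Display filter selecting one conversation row (A<->B), as Apply as Filter would."""
    proto, (ip_a, port_a), (ip_b, port_b) = key
    return f"ip.addr=={ip_a} && {proto}.port=={port_a} && ip.addr=={ip_b} && {proto}.port=={port_b}"


def busiest_conversation(packets):
    """The row with the most bytes in both directions combined; a natural first pivot."""
    rows = conversations(packets)
    return max(rows, key=lambda k: rows[k]["bytes_ab"] + rows[k]["bytes_ba"])
```

Here the busiest row is the TLS conversation to 203.0.113.20, and `conversation_filter` on that row yields a filter that can be pasted into the filter bar, which is the same pivot the right-click menu offers.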
Follow Streams

A stream is the data flow that occurs during a transfer, observed above the layers it passes through. While a file is downloaded or uploaded, the transmission over UDP or TCP is displayed in Wireshark. UDP packets in a given range can be viewed by type after right-clicking and selecting Follow Stream.

  1. If the packets are transferred with UDP:
  • It is an audio or video stream. If the first letter displayed in the stream is G, it is graphical, that is video; V is voice, that is audio.
  • The displayed stream content can be saved as “Raw”, i.e. raw bytes.
  • The saved data can be converted back to an audio or video file with an application such as VLC Player.
  • Thus it is possible to record a video or audio file sent or received over the traffic.

In addition, if voice traffic is carried via an IP phone, the voice message can be played by selecting the “VoIP” option from the “Telephony” tab.

  2. If the packets are transferred via TCP:
  • Images, sounds and files transmitted via TCP can be captured, for example a data transfer via FTP.
  • The first line displayed in the stream shows the extension of the file, such as “.PNG”.
  • The displayed stream content can be saved as “Raw”, i.e. raw bytes.
  • The saved data can be converted back to its file format with an application; for example, a PNG file can be opened with a photo viewer.
  • Thus it is possible to capture and save data sent or received over the traffic.

  3. If an HTTP stream is to be captured:
  • While communicating with the HTTP protocol over the web, the requests made by the user and the server and the data flow can be followed.
  • Right-click the “HTTP / GET” packet that occurs during the data flow and select the Follow TCP Stream option. The conversation between client and server is then displayed in clear text.
  • If the website uses HTTPS rather than HTTP, the website's content and communication cannot be displayed this way.
  • If the website is to be viewed anyway, all details of the web page can be viewed by following the File – Export Objects – HTTP options.
  • If everything is saved as HTML with the Save All button and the saved “%5c” file is renamed to “index.exe”, the entire web page can be viewed.
  • Each element on the page is recorded in a different stream, so by repeating these operations for streams 0, 1, 2, 3, 4 and so on, animations and images can also be followed step by step.

NOTE: At this stage, if one of the pieces of information displayed in the packet is right-clicked and “Apply as Column” is selected, that field is added to the main screen as a column.