Pcap Analysis
To launch Wireshark: sudo wireshark
Capture filters
Define which traffic is captured at all. It is best to keep capture filters broad so the capture still contains the data we need; anything excluded here cannot be recovered later.
Display filters
Allow us to focus on a certain protocol, port, IP address, or a combination of these.
ip.addr == 192.168.199.154
Selects packets that have 192.168.199.154 as either source or destination.
Here we are only selecting FTP traffic on TCP port 21.
Following TCP streams
We right click on the packet and then select Follow -> TCP Stream. The reassembled stream is now much easier to read.
Tcpdump
A text-based network sniffer. One of the most commonly used command line packet analyzers, found on most Linux and Unix OSs.
To launch Tcpdump: sudo tcpdump
To read a saved capture file, add -r followed by the file name.
To skip DNS name resolution of addresses, add -n.
Filtering traffic
We can use filters to inspect the traffic more closely.
To dump captured packet contents, use -X, which prints each packet's data in both hex and ASCII.
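To show what the -X output looks like without running tcpdump, here is an added example (not part of these notes) that reproduces the same hex + ASCII layout in Python. SAMPLE_PACKET is a hand-constructed IPv4/TCP segment to port 21 with zeroed checksums; hexdump() is a hypothetical helper, not a tcpdump function.

```python
# Added example: hex + ASCII dump in the layout tcpdump -X prints.
# SAMPLE_PACKET below is constructed by hand (not captured traffic).

def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return one line per `width` bytes: 0x-offset, hex in 2-byte groups, ASCII.

    Bytes 0x21..0x7e are shown as themselves; everything else (including
    space and CR/LF) is shown as '.', as tcpdump does.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        # 8 groups of 4 hex digits plus 7 separators = 39 columns for width 16
        hexpart = " ".join(groups).ljust(width // 2 * 5 - 1)
        text = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hexpart}  {text}")
    return lines

# Constructed: 20-byte IPv4 header, 20-byte TCP header, then an FTP "USER" line.
SAMPLE_PACKET = bytes.fromhex(
    "45000033 00004000 40060000 c0a8c79a c0a8c701"   # IPv4 192.168.199.154 -> 192.168.199.1
    "c0a00015 00000001 00000001 5018ffff 00000000"   # TCP 49312 -> 21, PSH+ACK
) + b"USER anon\r\n"

if __name__ == "__main__":
    for line in hexdump(SAMPLE_PACKET):
        print(line)
```

The first output line reads `0x0000:  4500 0033 0000 4000 4006 0000 c0a8 c79a  E..3..@.@.......`, which is the form you will see from tcpdump -X: the offset, the bytes grouped in pairs, and the ASCII column where the FTP command text becomes readable.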
Tshark
For analysing packets directly in the terminal, without using the Wireshark GUI.
tshark -r file.cap : Reads a file and displays a summary of each packet.
tshark -r file.cap -Y <QUERY>
-Y: Applies a display filter, using the same syntax as Wireshark's display filters.
tshark -r file.cap -Y <QUERY> -T fields -e <fieldname>
-T fields -e <fieldname>: Print only the named field for each packet that matches the filter (repeat -e to extract more than one field).
Example: tshark -r file.cap -Y "dns.query.type == 1" -T fields -e dns.query.name prints the name queried in every DNS type A query.
tshark -r file.cap | wc -l: Count the number of packets in the file (the summary prints one line per packet).
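To make clear what the display filters and field extraction above actually do to a capture, here is an added example (not part of these notes and not tshark's code): a minimal reader for the classic pcap format, in pure Python, with equivalents of ip.addr == X, tcp.port == 21, the dns.query.type == 1 filter with dns.query.name extraction, and the packet count. The capture (SAMPLE_PCAP) is constructed inline with struct, so it runs offline without a .cap file; all function names here are hypothetical helpers.

```python
# Added example: read classic pcap, decode Ethernet/IPv4/TCP/UDP/DNS, and apply
# filters equivalent to the Wireshark/tshark ones in the notes above.
import socket
import struct

# --- constructing a small capture (test data, not real traffic) -------------
def build_frame(src, dst, proto, payload):
    """Ethernet + IPv4 frame; IP checksum left zero since nothing validates it."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # EtherType 0x0800 = IPv4
    return eth + ip_hdr + payload

def tcp_seg(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + data

def udp_dgram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def dns_query(qname, qtype):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + recs

SAMPLE_PCAP = build_pcap([
    build_frame("192.168.199.154", "192.168.199.1", 6, tcp_seg(49312, 21, b"USER anon\r\n")),
    build_frame("192.168.199.154", "10.0.0.5", 6, tcp_seg(49313, 80, b"GET / HTTP/1.0\r\n\r\n")),
    build_frame("192.168.199.154", "192.168.199.1", 17, udp_dgram(5353, 53, dns_query("example.com", 1))),
    build_frame("10.0.0.9", "192.168.199.1", 17, udp_dgram(5354, 53, dns_query("mail.example.net", 15))),
])

# --- reading and decoding ----------------------------------------------------
def read_pcap(blob):
    """Yield one decoded packet dict per record. Handles classic pcap only
    (Wireshark's default pcapng format is a different container)."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield decode(blob[off:off + incl_len])
        off += incl_len

def decode(frame):
    """Pull out the fields the filters need, named like tshark's field names."""
    pkt = {}
    if frame[12:14] != b"\x08\x00":  # not IPv4
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    proto, l4 = ip[9], ip[ihl:]
    if proto == 6:
        pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack_from("!HH", l4)
    elif proto == 17:
        pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack_from("!HH", l4)
        if 53 in (pkt["udp.srcport"], pkt["udp.dstport"]):
            pkt.update(parse_dns_question(l4[8:]))
    return pkt

def parse_dns_question(dns):
    """First question section: labels -> dotted name, then the 16-bit qtype."""
    labels, pos = [], 12
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, = struct.unpack_from("!H", dns, pos + 1)
    return {"dns.query.name": ".".join(labels), "dns.query.type": qtype}

# --- display-filter equivalents ---------------------------------------------
def ip_addr(pkts, addr):          # ip.addr == addr
    return [p for p in pkts if addr in (p.get("ip.src"), p.get("ip.dst"))]

def tcp_port(pkts, port):         # tcp.port == port
    return [p for p in pkts if port in (p.get("tcp.srcport"), p.get("tcp.dstport"))]

def dns_a_query_names(pkts):      # -Y "dns.query.type == 1" -T fields -e dns.query.name
    return [p["dns.query.name"] for p in pkts if p.get("dns.query.type") == 1]

if __name__ == "__main__":
    pkts = list(read_pcap(SAMPLE_PCAP))
    print(len(pkts), "packets")                       # tshark -r file.cap | wc -l
    print(len(ip_addr(pkts, "192.168.199.154")), "to/from 192.168.199.154")
    print(len(tcp_port(pkts, 21)), "FTP control packets")
    print(dns_a_query_names(pkts))                    # ['example.com']
```

Two things worth noting: ip.addr matches either direction, which is why three of the four constructed packets hit it, and the MX query (type 15) is left out by the type 1 filter exactly as it would be in tshark. A real capture saved by Wireshark is usually pcapng, which this toy reader rejects; tshark reads both.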