🦈Pcap Analysis

Wireshark

To launch Wireshark: sudo wireshark

Capture filters

Used to define which traffic we want to capture. It is best to keep capture filters broad so that the relevant data is not missed; narrowing down is done later with display filters.

Display filters

Allows us to focus on a certain protocol, port, IP or all of these.

ip.addr == 192.168.199.154

Here we are only selecting FTP traffic on TCP port 21

Following TCP streams

We right click on the packet and then select Follow -> TCP Stream
The reassembled stream is now much easier to read

Tcpdump

A text-based network sniffer. It is one of the most commonly used command-line packet analyzers and is found on most Linux and Unix OSes.

To launch Tcpdump: sudo tcpdump

To read a capture file, add -r <FILE>

To skip DNS name lookup add -n

Filtering traffic

We can use filters to inspect the traffic more closely:

  • src host <IP-TO-INSPECT>

  • dst host <IP-TO-INSPECT>

  • port <PORT>

To dump the captured traffic we can use -X, which prints the packet data in both hex and ASCII.

TShark

For analysing packets directly in the terminal, without the use of the GUI in Wireshark.

  • tshark -r file.cap: Reads a file and displays a summary of each packet.

  • tshark -r file.cap -Y <QUERY>

    • -Y: Passes in a display filter

      • ex: "dns.qry.type == 1"

  • tshark -r file.cap -Y <QUERY> -T fields -e <fieldname>

    • -T fields -e <fieldname>: Prints only the named field for each matching packet instead of the packet summary.

      • ex: tshark -r file.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

  • tshark -r file.cap | wc -l: Count the number of packets in the file
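As an added example (not from the original page), the tshark field extraction above rebuilt in standard-library Python: it walks a pcap record by record, decodes Ethernet/IPv4/UDP, and keeps dns.qry.name for every question whose dns.qry.type is A (1), which is what `-Y "dns.qry.type == 1" -T fields -e dns.qry.name` prints. The sample capture is constructed inline (SAMPLE_PCAP, with the page's host 192.168.199.154 as source); pcap_with_udp, dns_query and a_query_names are names chosen here.

```python
import struct

def encode_name(name):
    # DNS wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(data, off):
    # Uncompressed form only (what a question section carries); returns (name, offset after it)
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels), off + 1

def dns_query(name, qtype):
    # Constructed DNS query: header (id, flags=standard query, qdcount=1) + one question, class IN
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def pcap_with_udp(payloads, dport=53):
    # Constructed pcap (linktype 1 = Ethernet): one Ethernet/IPv4/UDP frame per payload, checksums left 0
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        udp = struct.pack("!HHHH", 40000, dport, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 168, 199, 154]), bytes([8, 8, 8, 8])) + udp
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def a_query_names(pcap):
    # Walk every record; keep dns.qry.name for UDP/53 packets whose first question is type A (1)
    names, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # too short, not IPv4, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53 or udp[12:14] == b"\x00\x00":
            continue  # too short for UDP + DNS headers, not port 53, or qdcount == 0
        name, q = decode_name(udp, 20)  # first question starts after 8 (UDP) + 12 (DNS) bytes
        if struct.unpack("!H", udp[q:q + 2])[0] == 1:
            names.append(name)
    return names

# Constructed sample capture: two A queries and one MX (type 15) query
SAMPLE_PCAP = pcap_with_udp([dns_query("example.com", 1), dns_query("mail.example.com", 15),
                             dns_query("www.example.org", 1)])
```

Writing SAMPLE_PCAP to a file and running the tshark command from the list above should produce the same two names, which is a handy way to sanity-check a hand-written parser against the reference tool.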
