A simple and fast Wireshark tutorial
In this quick and simple tutorial, we'll look at some basic functions of Wireshark, running on a Kali Linux virtual machine.
Glossary
Kali: Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows.
TCP: The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation, where it complemented the Internet Protocol (IP), which is why the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP. TCP is connection-oriented: a connection between client and server is established before data can be sent, and the server must be listening (passive open) for connection requests before a client can connect. The three-way handshake (active open), retransmission, and error detection add to reliability but lengthen latency.
IP: An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: host or network interface identification and location addressing. IPv4 defines an IP address as a 32-bit number. Because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998, and IPv6 deployment has been ongoing since the mid-2000s.
IP addresses are written and displayed in human-readable notations, such as 172.16.254.1 in IPv4, and 2001:db8:0:1234:0:567:8:1 in IPv6. The size of the routing prefix of the address is designated in CIDR notation by suffixing the address with the number of significant bits, e.g., 192.168.1.15/24, which is equivalent to the historically used subnet mask 255.255.255.0.
MAC: A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or without a separator.
Here are the pre-requisites:
You really only need Wireshark for this tutorial. I'm using Wireshark on a Kali virtual machine, but any supported OS will do; on Linux you also need permission to capture, which is covered in the first step below.
Wireshark: https://www.wireshark.org/#download
How to capture on an Ethernet interface and start using Wireshark:
Open Wireshark and you'll see a screen like the following screenshot: the list of interfaces you can capture on, each with a small sparkline of its current traffic. Double-click the interface you want; we'll be using eth0. Capturing needs raw access to the interface, so on Kali either run Wireshark as root or, the safer option, add your user to the wireshark group (on Debian-based systems: sudo dpkg-reconfigure wireshark-common, then sudo usermod -aG wireshark your-user and log in again). That way the unprivileged GUI hands the actual capturing to the privileged dumpcap helper instead of running all of Wireshark's protocol dissectors as root.
Welcome to Wireshark's main window. During a live capture the packet list fills up continuously and looks like the following screen.
You can stop the live capture with the big flashing red button, and then the UI will look like this:
DNS filtering and DNS look-up:
Let's say you only want to see DNS traffic, to find out which names the IPs in your capture belong to. Type dns into the display filter bar (the bar above the packet list) and press Enter, like this:
As you can see, the queries and responses in this capture are for WhatsApp hostnames, so that is who this machine is talking to. A display filter only hides packets that are already captured; if you want to record nothing but DNS in the first place, use a capture filter instead (Capture > Options, BPF syntax such as port 53). The DNS responses already carry the name-to-address mapping, so the capture itself tells you which name each IP was resolved from: expand a response in the packet details pane and look at the Answers. For IPs that never appeared in a DNS response, try a reverse (PTR) lookup or a whois query, for example with MXToolbox's lookup tools (https://mxtoolbox.com/DnsLookup.aspx). Keep in mind that a reverse lookup often returns a CDN or cloud provider hostname rather than the service you expected, and that whois tells you who owns the address block, not necessarily who runs the service on it.
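The dns filter shows you each response's answer section in the packet details; the name-to-address mapping is already in the packet, and pulling it out is what lets you tie IPs seen elsewhere in the capture back to a hostname. The following is an added example, not part of the original tutorial: a small Python parser for the answer section of a DNS response that follows RFC 1035 name-compression pointers (with a jump limit, since a malformed packet can point at itself) and then walks CNAME chains backwards so an address can be traced to the name the client originally asked for. The response bytes and every name and address in them (www.example.test, edge.example.test, 192.0.2.10, 192.0.2.11) are constructed for the example.

```python
import struct

def _read_name(msg, offset, max_jumps=16):
    """Decode a DNS name starting at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position).
    A pointer loop in a malformed packet would otherwise spin forever, hence the jump limit."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # top two bits set: 14-bit pointer follows
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("DNS name compression pointer loop")
            if end is None:
                end = offset + 2                      # the name ends here in its original location
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                               # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns_answers(msg):
    """Return (owner, type, value) for the A and CNAME records in a DNS response message.
    Other record types are skipped; this is what Wireshark lists under 'Answers' for a response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12                                       # fixed 12-byte header
    for _ in range(qdcount):                          # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata_off, offset = offset, offset + rdlen
        if rtype == 1 and rdlen == 4:                 # A record: four raw address bytes
            records.append((name, "A", ".".join(str(b) for b in msg[rdata_off:offset])))
        elif rtype == 5:                              # CNAME: RDATA is itself a (possibly compressed) name
            records.append((name, "CNAME", _read_name(msg, rdata_off)[0]))
    return records

def names_for_ip(records, ip):
    """Walk CNAME chains backwards so an address seen in the capture can be tied to the name the client asked for."""
    names = {owner for owner, rtype, value in records if rtype == "A" and value == ip}
    changed = True
    while changed:                                    # keep adding aliases until nothing new appears
        changed = False
        for owner, rtype, value in records:
            if rtype == "CNAME" and value in names and owner not in names:
                names.add(owner)
                changed = True
    return sorted(names)

def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def build_sample_response():
    """Constructed response (not a real capture): www.example.test -> CNAME edge.example.test -> two A records.
    It uses compression pointers the way a real resolver would, so the parser's pointer handling is exercised."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)          # id, flags (response,RD,RA), QD=1, AN=3
    question = _encode_name("www.example.test") + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    ptr = lambda off: struct.pack("!H", 0xC000 | off)
    qname_off = 12                                    # question name sits right after the header
    suffix_off = qname_off + 4                        # "example.test" starts after the 1+3 byte "www" label
    cname_rdata = b"\x04edge" + ptr(suffix_off)       # "edge" + pointer to "example.test"
    cname_rr = ptr(qname_off) + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    target_off = len(header) + len(question) + 2 + 10  # where "edge.example.test" lives, for later pointers
    def a_rr(ip):
        return ptr(target_off) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + cname_rr + a_rr("192.0.2.10") + a_rr("192.0.2.11")

if __name__ == "__main__":
    recs = parse_dns_answers(build_sample_response())
    for owner, rtype, value in recs:
        print(f"{owner:20} {rtype:6} {value}")
    print("192.0.2.10 was resolved from:", names_for_ip(recs, "192.0.2.10"))
```

Run as a script it prints the three records and reports that 192.0.2.10 traces back to both edge.example.test and www.example.test. Feed real response payloads (the UDP payload of a dns packet exported from Wireshark) to parse_dns_answers to build a passive name-to-address map for a whole capture.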
Colorizing specific protocols and packet usages:
If the main screen looks really bland and hard to read, you can colorize specific protocols and functions. Click View and then Coloring Rules.
And now you’ll see the settings and different colors for different protocols, functions, and all kinds of things. You can change them as you want.
This way, the packet list becomes much easier to digest, and you can tell what's what at a glance without opening the details of each packet.
Following TCP streams:
Imagine you want to see exactly what a connection carried, and check that it was set up properly: that the client sent a SYN, that the server answered with SYN-ACK, and so on. Right-click a packet of the connection and choose Follow > TCP Stream. Wireshark then sets the display filter to that one connection (tcp.stream eq N) and opens a window with the reassembled payload of both directions.
The handshake itself carries no payload, so to inspect it look at the filtered packet list, where the Info column shows the flags and sequence numbers. With Wireshark's default "Relative sequence numbers" setting, the three packets read: the client sends SYN with Seq=0; the server answers SYN, ACK with Seq=0, Ack=1; the client completes the handshake with ACK, Seq=1, Ack=1. Only after that does data flow. Wireshark is rebasing each side's initial sequence number to 0 for readability; the real values on the wire are random 32-bit numbers, which you can see by turning the relative numbers preference off under Edit > Preferences > Protocols > TCP.
The stream window itself shows the reassembled data, as in the following screen. Close it and the tcp.stream filter stays applied in the main window, so you can keep looking at the individual packets of that connection.
Monitoring abusive usage:
If you want to detect abusive, harmful or simply excessive use of your network, display filters get you a long way.
We'll use BitTorrent as the example, so set your filter to bittorrent:
Now our screen shows only BitTorrent packets. Next, let's check the Protocol Hierarchy to find out how much of the network it uses. Click Statistics as in the next screen, and then Protocol Hierarchy.
This is the Protocol Hierarchy screen, and you can see the percentage of bytes attributed to BitTorrent, among other information. Note that this window only counts the packets currently displayed: with the bittorrent filter still active, BitTorrent will show up as practically 100% of the traffic. Clear the filter (or edit the filter field at the top of the dialog) to see what share of the whole capture BitTorrent really accounts for.
Now, let’s find out what Endpoints we’re connecting to, through Bittorrent. Click Statistics and then Endpoints.
The Endpoints window lists every address that sent or received a packet, with packet and byte counts per direction, so you can see which remote hosts the BitTorrent client was talking to and how much went each way. Tick "Limit to display filter" in that window if it isn't already, otherwise it lists endpoints for the whole capture rather than just the BitTorrent ones.
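To make the "only displayed packets are counted" point concrete, here is an added example that is not from the original tutorial: it recomputes Protocol Hierarchy and Endpoints figures from a constructed list of frame summaries, once over everything and once with a bittorrent filter applied, the way the two Statistics windows do. The frames, their sizes, the RFC 5737 documentation addresses, and the _displayed helper that stands in for a real display filter are all assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed frame summaries, not a real capture: (protocol stack, frame length in bytes, src, dst).
SAMPLE_FRAMES = [
    (("eth", "ip", "tcp", "bittorrent"), 1514, "192.0.2.10", "198.51.100.7"),
    (("eth", "ip", "tcp", "bittorrent"), 1514, "192.0.2.10", "198.51.100.7"),
    (("eth", "ip", "tcp", "bittorrent"),   66, "198.51.100.7", "192.0.2.10"),
    (("eth", "ip", "udp", "dns"),          74, "192.0.2.10", "192.0.2.1"),
    (("eth", "ip", "udp", "dns"),         150, "192.0.2.1", "192.0.2.10"),
    (("eth", "ip", "tcp", "http"),        500, "192.0.2.10", "203.0.113.5"),
    (("eth", "ip", "tcp"),                 66, "203.0.113.5", "192.0.2.10"),  # bare ACK, no higher protocol
]

def _displayed(frames, display_filter):
    """Stand-in for a protocol-name display filter such as 'bittorrent': keep frames whose stack contains it."""
    return [f for f in frames if display_filter is None or display_filter in f[0]]

def protocol_hierarchy(frames, display_filter=None):
    """Share of displayed bytes per protocol path, as Statistics > Protocol Hierarchy computes it:
    a frame's bytes count toward every layer of its stack, and the denominator is the displayed
    frames only, so the active display filter changes every percentage. Returns (shares, total bytes)."""
    shown = _displayed(frames, display_filter)
    total = sum(size for _, size, _, _ in shown)
    if total == 0:
        return {}, 0
    by_path = Counter()
    for stack, size, _, _ in shown:
        for depth in range(1, len(stack) + 1):
            by_path[stack[:depth]] += size
    return {"/".join(path): round(100.0 * b / total, 1) for path, b in sorted(by_path.items())}, total

def endpoints(frames, display_filter=None):
    """Per-address packet and byte counts, as Statistics > Endpoints shows with 'Limit to display filter' ticked."""
    stats = defaultdict(lambda: {"packets": 0, "tx_bytes": 0, "rx_bytes": 0})
    for _, size, src, dst in _displayed(frames, display_filter):
        stats[src]["packets"] += 1
        stats[src]["tx_bytes"] += size
        stats[dst]["packets"] += 1
        stats[dst]["rx_bytes"] += size
    return dict(stats)

if __name__ == "__main__":
    for flt in (None, "bittorrent"):
        shares, total = protocol_hierarchy(SAMPLE_FRAMES, flt)
        print(f"display filter={flt!r}: {total} bytes displayed")
        for path, pct in shares.items():
            print(f"  {path:28} {pct:5.1f}%")
    print("endpoints with filter 'bittorrent':", endpoints(SAMPLE_FRAMES, "bittorrent"))
```

Over the whole constructed capture BitTorrent is about 80% of the bytes; with the bittorrent filter applied the same function reports 100%, which is exactly the number the GUI would show you if you forget to clear the filter before opening Protocol Hierarchy.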
Filtering Three-Way Handshakes
Let's go back to three-way handshakes. Every TCP connection in a capture gets a stream index (visible in the packet details under [Stream index]), and you can filter on it by writing tcp.stream eq XXX; in this case 1651 is the connection I'm looking for. The following screen shows that connection, handshake first. If instead you want every connection attempt in the capture, filter on the SYNs alone with tcp.flags.syn == 1 && tcp.flags.ack == 0; a burst of those from one host toward many ports is what a port scan looks like in Wireshark.
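As an added example, not part of the original page, covering both the Follow TCP Stream section above and this one: the Python below parses raw 20-byte TCP headers, checks that the first three segments form a valid SYN, SYN-ACK, ACK exchange whose acknowledgement numbers chain correctly, and recomputes the relative Seq/Ack values Wireshark displays from the raw 32-bit sequence numbers. The segments, ports and initial sequence numbers are constructed for the example, and the checksum is left at zero because no IP pseudo-header is involved.

```python
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits (RFC 9293)

@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header. Options and payload are ignored; the handshake needs neither."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Segment(sport, dport, seq, ack, off_flags & 0x1FF)   # low 9 bits of that word are the flags

def flag_names(flags):
    """Render flags the way Wireshark's Info column does, e.g. 'SYN,ACK'."""
    order = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
    return ",".join(name for name, bit in order if flags & bit)

def relative_numbers(segments):
    """Recompute what Wireshark displays with 'Relative sequence numbers' on: each direction's base
    (the seq of its SYN, or the first seq seen if the capture missed the SYN) becomes 0, so a handshake
    reads Seq=0 / Seq=0,Ack=1 / Seq=1,Ack=1. Returns (flags, relative seq, relative ack or None) per segment."""
    base = {}
    for s in segments:
        direction = (s.src_port, s.dst_port)
        if s.flags & SYN or direction not in base:
            base[direction] = s.seq
    rows = []
    for s in segments:
        fwd, rev = (s.src_port, s.dst_port), (s.dst_port, s.src_port)
        rel_seq = (s.seq - base[fwd]) & 0xFFFFFFFF      # mask keeps 32-bit wraparound arithmetic honest
        rel_ack = (s.ack - base[rev]) & 0xFFFFFFFF if (s.flags & ACK) and rev in base else None
        rows.append((flag_names(s.flags), rel_seq, rel_ack))
    return rows

def is_three_way_handshake(segments):
    """True if the first three segments are SYN, SYN-ACK, ACK and their numbers chain correctly:
    the SYN-ACK must acknowledge the client ISN+1 and the final ACK the server ISN+1."""
    if len(segments) < 3:
        return False
    a, b, c = segments[:3]
    both = SYN | ACK
    return ((a.flags & both) == SYN and (b.flags & both) == both and (c.flags & both) == ACK
            and b.ack == (a.seq + 1) & 0xFFFFFFFF
            and c.seq == b.ack and c.ack == (b.seq + 1) & 0xFFFFFFFF)

def build_segment(sport, dport, seq, ack, flags):
    """Constructed 20-byte header (data offset 5, window 65535). Checksum is 0 because there is no
    IP pseudo-header here; Wireshark would flag that, but it does not matter for the handshake logic."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0xDEADBEEF        # arbitrary constructed initial sequence numbers
SAMPLE_CONNECTION = [                                  # constructed handshake followed by one data segment
    build_segment(51234, 80, CLIENT_ISN, 0, SYN),
    build_segment(80, 51234, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_segment(51234, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
    build_segment(51234, 80, CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK),
]

if __name__ == "__main__":
    segs = [parse_tcp_header(raw) for raw in SAMPLE_CONNECTION]
    print("handshake ok:", is_three_way_handshake(segs))
    for s, (names, rseq, rack) in zip(segs, relative_numbers(segs)):
        print(f"{s.src_port:5} -> {s.dst_port:5} [{names:8}] Seq={rseq} Ack={rack} (raw seq 0x{s.seq:08X})")
```

Running it prints the four segments with the same Seq=0, Seq=0/Ack=1, Seq=1/Ack=1 progression the tutorial describes, next to the raw ISNs Wireshark hides by default. The fallback to the first seen sequence number is there because a capture started mid-connection has no SYN to rebase on, which is also why Wireshark's relative numbers for such streams do not start at 0.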
HTTP Filtering
We can filter by HTTP by just writing http. This only matches cleartext HTTP; HTTPS traffic shows up as tls, where you will see the handshake but not the requests inside.
Display filters are combined with || (or) and && (and), so http || icmp shows the HTTP packets together with any ICMP messages, such as destination unreachable, which is useful when a connection failed and you want to see why. To see HTTP error responses themselves, filter on the status code instead: http.response.code >= 400.
Filtering by specific IP:
We can also filter by specific IPs by writing ip.src == X.X.X.X, where X.X.X.X is the address you're looking for. ip.src matches the sender, ip.dst the receiver, and ip.addr either side of the packet, and all three accept CIDR notation, so ip.addr == 192.168.1.0/24 matches a whole subnet.
TCP Port Filtering
We can also filter by specific TCP ports by writing tcp.port == XXXX (in this case port 80, which is HTTP). tcp.port matches either the source or the destination port, so it shows both directions of the connection; use tcp.dstport == 80 if you only want the client-to-server side.
Filtering by MAC:
We can also filter by specific MAC addresses by writing eth.addr == xx:xx:xx:xx:xx:xx, where the six hex byte pairs are the MAC address you want to monitor (Wireshark also accepts hyphens as the separator). Like ip.addr this matches either side of the frame; eth.src and eth.dst pick one direction. Remember that a MAC address only identifies the next hop on the local segment: for traffic from the Internet you will see your router's MAC, not the remote host's.
Extra Function : Exporting Data
We can also export all our captured data, or only the filtered part of it, by clicking File, then Export Packet Dissections, and choosing As Plain Text (for this example).
The export dialog lets you choose the packet range (all captured packets, or only the displayed ones, which is what you want after filtering) and how much of each packet to write: the summary line, the expanded details, and/or the raw bytes. We'll be saving plain text for this example.
The dialog looks like this in the GUI.
And here is a small excerpt of the information that we captured through Wireshark, on a plain text file.