Wireshark Packet Capturing Basics

How to capture packets with Wireshark and analyse them.

Abstract

Wireshark is an open-source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer. The latest version of Wireshark is version 2.0.

Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.

Methodology

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. 

As soon as you click the interface’s name, you’ll see the packets start to appear in real-time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.


Write a filter to obtain only genuine HTTP requests from the given logs.


What is the Web server name with the IP 192.248.16.176?


What is the packet Identification of the web request to this server?


Was the request to obtain favicon.ico successful? Justify

  • No, because it did not display any filtering result when we applied the same code as for Google.


Write a filter to display only ARP packets


Analyze the ARP packet from 00:0b:86:6e:69:68 to 80:56:f2:25:63:40 and state whether it’s a request or a reply.

  • It is a request.



How to capture a username and a password with Wireshark


Here the password was encrypted while being transferred; therefore it could not be traced.


To display HTTP, DNS and ICMP traffic

  • This can be done by applying the following expression in the filter section

               http || dns || icmp


To display HTTP packets with source or destination IP address equal to <Some IP>

  • ip.addr == <some_ip>

  *<some_ip> refers to the IP address of interest


To display packets with source port equal to 43714 and destination port equal to 53

  • tcp.srcport == 43714 && tcp.dstport == 53


To display packets with a TCP SYN flag.

  • tcp.flags.syn
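The filters above, as an added example that is not part of the original post: a small Python decoder for constructed Ethernet/ARP/IPv4/TCP/UDP frames, with each display-filter string mapped to the header test it actually performs. It also makes two points the list does not: `ip.addr == <ip>` on its own is not limited to HTTP (prefix `http &&` for that), and the bare field name `tcp.flags.syn` matches every TCP segment, because the field exists in all of them; `tcp.flags.syn == 1` selects the SYN segments. The ARP opcode check answers the request-or-reply question (opcode 1 is a request, 2 a reply). All frames, MAC and IP addresses here are constructed, and the helper functions and field-name dictionary are this example's own, not Wireshark's API.

```python
"""Added example, not from the original post: decode constructed Ethernet frames and
apply predicates equivalent to the Wireshark display filters discussed above."""
import struct

ETH_ARP, ETH_IP = 0x0806, 0x0800
ICMP, TCP, UDP = 1, 6, 17
SYN, ACK = 0x02, 0x10
_mac = lambda m: bytes.fromhex(m.replace(":", ""))      # "aa:bb:.." -> 6 bytes
_ip = lambda a: bytes(int(o) for o in a.split("."))     # "10.0.0.1" -> 4 bytes

def eth(dst, src, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload

def arp(opcode, sha, spa, tha, tpa):
    """ARP for Ethernet/IPv4; opcode 1 = request, 2 = reply."""
    return (struct.pack("!HHBBH", 1, ETH_IP, 6, 4, opcode)
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header; checksum left zero, not validated here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, _ip(src), _ip(dst)) + payload

def tcp(sport, dport, flags, payload=b""):
    """20-byte TCP header; byte 12 = data offset, byte 13 = flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload

def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def decode(frame):
    """Return Wireshark-style field names plus the set of dissected layers."""
    f = {"layers": {"eth"}}
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_ARP:
        f["layers"].add("arp")
        f["arp.opcode"] = struct.unpack("!H", body[6:8])[0]
    elif ethertype == ETH_IP:
        f["layers"].add("ip")
        f["ip.src"] = ".".join(map(str, body[12:16]))
        f["ip.dst"] = ".".join(map(str, body[16:20]))
        l4, proto = body[(body[0] & 0x0F) * 4:], body[9]
        if proto == ICMP:
            f["layers"].add("icmp")
        elif proto == TCP:
            f["layers"].add("tcp")
            f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", l4[:4])
            f["tcp.flags.syn"] = 1 if l4[13] & SYN else 0
            # HTTP is dissected on port 80 only when the segment carries data.
            if l4[(l4[12] >> 4) * 4:] and 80 in (f["tcp.srcport"], f["tcp.dstport"]):
                f["layers"].add("http")
        elif proto == UDP:
            f["layers"].add("udp")
            f["udp.srcport"], f["udp.dstport"] = struct.unpack("!HH", l4[:4])
            if 53 in (f["udp.srcport"], f["udp.dstport"]):
                f["layers"].add("dns")
    return f

def _addr(p, ip):
    return ip in (p.get("ip.src"), p.get("ip.dst"))

# Each filter string from the post, mapped to the header test it really performs.
FILTERS = {
    "arp": lambda p: "arp" in p["layers"],
    "http || dns || icmp": lambda p: bool(p["layers"] & {"http", "dns", "icmp"}),
    "ip.addr == 192.248.16.176": lambda p: _addr(p, "192.248.16.176"),
    "http && ip.addr == 192.248.16.176":   # the HTTP-only variant
        lambda p: "http" in p["layers"] and _addr(p, "192.248.16.176"),
    "tcp.srcport == 43714 && tcp.dstport == 53":
        lambda p: p.get("tcp.srcport") == 43714 and p.get("tcp.dstport") == 53,
    "tcp.flags.syn": lambda p: "tcp.flags.syn" in p,  # field present: every TCP segment
    "tcp.flags.syn == 1": lambda p: p.get("tcp.flags.syn") == 1,  # SYN bit set
}

def apply_filter(expr, frames):
    """Indices of the frames the filter keeps in the packet list."""
    return [i for i, fr in enumerate(frames) if FILTERS[expr](decode(fr))]

def arp_kind(frame):
    return {1: "request", 2: "reply"}.get(decode(frame).get("arp.opcode"), "other")

# Constructed frames: host A (10.0.0.5), gateway G (10.0.0.1), web server W.
A, G, W = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "192.248.16.176"
FRAMES = [
    eth("ff:ff:ff:ff:ff:ff", A, ETH_ARP, arp(1, A, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")),
    eth(A, G, ETH_ARP, arp(2, G, "10.0.0.1", A, "10.0.0.5")),
    eth(G, A, ETH_IP, ipv4(TCP, "10.0.0.5", W, tcp(43714, 80, SYN))),
    eth(G, A, ETH_IP, ipv4(TCP, "10.0.0.5", W, tcp(43714, 80, ACK, b"GET / HTTP/1.1\r\n\r\n"))),
    eth(G, A, ETH_IP, ipv4(UDP, "10.0.0.5", "10.0.0.1", udp(43714, 53, b"\x00" * 12))),
    eth(G, A, ETH_IP, ipv4(ICMP, "10.0.0.5", "10.0.0.1", b"\x08\x00\x00\x00\x00\x01\x00\x01")),
    eth(G, A, ETH_IP, ipv4(TCP, "10.0.0.5", "10.0.0.1", tcp(43714, 53, SYN))),
]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:42} -> frames {apply_filter(expr, FRAMES)}")
    print("frame 0:", arp_kind(FRAMES[0]), "| frame 1:", arp_kind(FRAMES[1]))
```

Running it lists, for each filter, which of the seven constructed frames would remain in the packet list; the SYN-only segment on port 80 is kept by `tcp.flags.syn` but not by `http`, because Wireshark only dissects HTTP once a segment carries data.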



How to capture packets from an online site

First, Wireshark was opened. Then the browser cache was cleared. In the address bar of the browser, the site http://www.pagetutor.com/keeper/mystash/secretstuff.html was visited. Then packet capturing in Wireshark was started using the Start packet capture button.

In the browser the username “jimmy” and password “page” were entered and the web page was logged into. Then Wireshark was restored and the packet capture was stopped in order to capture the needed packet.

After capturing, the packets were filtered using the keyword “http” or “tcp”.


To access the user credentials included in the packet, two methods can be used. One is clicking the packet and then expanding Authorization -> Credentials; the other is right-clicking on the packet and choosing Follow -> TCP Stream.
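As an added example that is not part of the original post, the following Python parses a constructed cleartext HTTP request the way the Credentials view and Follow -> TCP Stream expose it, decodes the Basic Authorization header, and classifies the stream as a monitoring rule would, reporting the user name but never the password. Basic authentication is base64-encoded, not encrypted, which is why anyone capturing the segment can recover the credentials unless the connection is protected by TLS. The request bytes, the host name and the demo_user/demo_pass pair are constructed; a constructed TLS record prefix is included to show why the encrypted case in the earlier section yields nothing to decode.

```python
"""Added example, not from the original post: extract HTTP Basic credentials from a
reassembled stream the way Wireshark's Credentials view does, and flag cleartext
use. The request bytes and the demo_user/demo_pass pair are constructed."""
import base64
import binascii


def parse_request(raw):
    """Split an HTTP/1.x request into (method, target, headers); None if not HTTP."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def basic_credentials(headers):
    """Decode 'Authorization: Basic <base64(user:pass)>'; None if absent or malformed."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_stream(raw, dst_port):
    """Classify one client->server stream; reports the user but never the password."""
    req = parse_request(raw)
    if req is None:
        # A TLS session (or any non-HTTP bytes) yields nothing to decode: this is
        # the "password was encrypted, could not be traced" outcome described above.
        return {"verdict": "no-readable-http", "port": dst_port}
    method, target, headers = req
    creds = basic_credentials(headers)
    if creds is not None:
        return {"verdict": "cleartext-basic-auth", "port": dst_port,
                "method": method, "target": target, "user": creds[0]}
    return {"verdict": "http-no-credentials", "port": dst_port, "target": target}


# Constructed cleartext request, as Follow -> TCP Stream would display it.
SAMPLE_REQUEST = (
    b"GET /protected/index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"demo_user:demo_pass") + b"\r\n"
    b"User-Agent: demo-browser\r\n"
    b"\r\n"
)
# Constructed first bytes of a TLS record (handshake, version 3.1): not HTTP text.
SAMPLE_TLS = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    print(audit_stream(SAMPLE_REQUEST, 80))
    print(audit_stream(SAMPLE_TLS, 443))
```

The audit result deliberately omits the decoded password: a detection pipeline needs to know that cleartext credentials crossed the wire and which account is affected, not to store the secret a second time.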


Reference

  1. http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
  2. The videos given in the lecture.
  3. http://openmaniak.com/wireshark_filters.php


S.H.M Lahiru Prabath Balasuriya.
