How to capture packets through Wireshark and analyze them.
Wireshark is an open-source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer. At the time of writing, the latest version of Wireshark was version 2.0.
Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels, ranging from connection-level information down to the bits that make up a single packet. A packet capture gives a network administrator information about individual packets such as transmit time, source, destination, protocol type and header data. This information is useful for evaluating security events and for troubleshooting network security device issues.
After downloading and installing Wireshark, launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, to capture traffic on the wireless network, click your wireless interface.
As soon as you click the interface's name, packets start to appear in real time. Wireshark captures each packet sent to or from your system. If promiscuous mode is enabled in the capture options, you will also see other hosts' packets that reach your interface (for example on a hub or a mirrored switch port). Note that on most wireless adapters promiscuous mode is not enough to see other stations' frames; the adapter has to be put into monitor mode instead.
◊ Write a filter to obtain only genuine HTTP requests from the given logs.
- http.request (this matches only packets that the HTTP dissector decodes as requests; the plain filter http would also show the responses)
What is the web server name for the IP 18.104.22.168?
What is the packet identification (the Identification field of the IPv4 header, ip.id) of the web request to this server?
Was the request to obtain favicon.ico successful? Justify.
- No, because the filter displayed no result, as we applied the same filter as for Google.
Write a filter to display only ARP packets
- arp
Analyze the ARP packet from 00:0b:86:6e:69:68 to 80:56:f2:25:63:40 and state whether it is a request or a reply.
- It is a request (the ARP Opcode field is 1; a reply carries opcode 2).
◊ How to capture a username and a password through Wireshark
- Here the username = aja and the password = mis1104
- The server URL is www.webmail.cmb.ac.lk
Here the password was encrypted while being transferred, therefore it could not be recovered from the capture.
To display HTTP, DNS and ICMP traffic
- This can be done by applying the following expression in the display filter bar
http || dns || icmp
To display HTTP packets with source or destination IP address equal to <some_ip>
- http && ip.addr == <some_ip>
*<some_ip> refers to the IP address the user is interested in; ip.addr on its own would also show non-HTTP packets to or from that host
To display packets with source port equal to 43714 and destination port equal to 53
- tcp.srcport == 43714 && tcp.dstport == 53
*DNS normally runs over UDP, so for UDP traffic the filter is udp.srcport == 43714 && udp.dstport == 53
To display packets with a TCP SYN flag.
- tcp.flags.syn == 1 (to show only the first packet of each handshake, i.e. SYN without ACK, use tcp.flags.syn == 1 && tcp.flags.ack == 0)
◊ How to capture packets through an online site
First Wireshark was opened. Then the browser cache was cleared. In the address bar of the browser the site http://www.pagetutor.com/keeper/mystash/secretstuff.html was visited. Then capturing packets in Wireshark was started by using the Start packet capture button.
In the browser the username "jimmy" and the password "page" were provided and the web page was logged into. Then Wireshark was brought back to the foreground and the packet capture was stopped in order to capture the needed packet.
After capturing, the packets were filtered using the keyword "http" or "tcp".
To access the user credentials included within the packet, two methods can be used. One is clicking the packet and expanding Hypertext Transfer Protocol -> Authorization -> Credentials in the packet details pane; the other is right-clicking on the packet and choosing Follow -> TCP Stream. The credentials are readable because HTTP Basic authentication only base64-encodes username:password; it does not encrypt them, so over plain HTTP they are exposed to anyone who can capture the traffic.
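The following Python script is an added example and is not part of the original report or of Wireshark itself. It builds a few constructed frames (an ARP request and reply between the two MAC addresses from the ARP question above, a TCP SYN from source port 43714 to port 53, and an HTTP GET to the pagetutor page carrying the Basic credentials jimmy:page), dissects them into Wireshark-style field names such as arp.opcode, ip.id, tcp.flags.syn and http.authbasic, and then evaluates the display filters used in this report against them. The IP addresses, the IP Identification value 0x1234 and the small filter-evaluation table are assumptions for illustration; Wireshark's real filter engine is not involved, and checksums are left at zero.

```python
import base64
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(src_mac, dst_mac, opcode, sender_ip, target_ip):
    """Constructed Ethernet + ARP frame (hardware type 1 = Ethernet, protocol 0x0800 = IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, opcode)
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip)
    # A request does not know the target MAC yet; a reply fills it in.
    target_mac = "00:00:00:00:00:00" if opcode == 1 else dst_mac
    return eth + arp + mac_bytes(target_mac) + ip_bytes(target_ip)


def build_tcp(src_ip, dst_ip, sport, dport, flags, payload=b"", ip_id=0):
    """Constructed Ethernet + IPv4 + TCP frame; checksums are left at zero (not checked here)."""
    eth = mac_bytes("80:56:f2:25:63:40") + mac_bytes("00:0b:86:6e:69:68") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Dissect one frame into a dict keyed by Wireshark-style field names (IPv4 without options assumed)."""
    fields = {"eth.src": frame[6:12].hex(":"), "eth.dst": frame[0:6].hex(":")}
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type == ETH_ARP:
        opcode = struct.unpack("!H", frame[20:22])[0]            # ARP Opcode field, offset 6 into ARP
        fields.update({"arp": True, "arp.opcode": opcode,
                       "arp.opcode_name": ARP_OPCODES.get(opcode, "unknown")})
        return fields
    if eth_type != ETH_IPV4:
        return fields
    ihl = (frame[14] & 0x0F) * 4                                  # IPv4 header length in bytes
    fields["ip.id"] = struct.unpack("!H", frame[18:20])[0]        # the IPv4 "Identification" field
    fields["ip.src"] = ".".join(str(b) for b in frame[26:30])
    fields["ip.dst"] = ".".join(str(b) for b in frame[30:34])
    if frame[23] != 6:                                            # protocol 6 = TCP
        return fields
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    fields.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport,
                   "tcp.flags.syn": bool(flags & 0x02), "tcp.flags.ack": bool(flags & 0x10)})
    payload = tcp[(tcp[12] >> 4) * 4:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        fields["http.request"] = True
        fields["http.request.uri"] = payload.split(b" ", 2)[1].decode()
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                # Basic auth is base64 of "user:password", not encryption; Wireshark shows the
                # decoded value as "Credentials" under the Authorization header.
                fields["http.authbasic"] = base64.b64decode(line.split(b" ", 2)[2]).decode()
    return fields


# Python equivalents of the display filters used in this report (an assumed, minimal filter table).
FILTERS = {
    "arp": lambda f: f.get("arp", False),
    "http.request": lambda f: f.get("http.request", False),
    "tcp.flags.syn == 1 && tcp.flags.ack == 0":
        lambda f: f.get("tcp.flags.syn") is True and not f.get("tcp.flags.ack"),
    "tcp.srcport == 43714 && tcp.dstport == 53":
        lambda f: f.get("tcp.srcport") == 43714 and f.get("tcp.dstport") == 53,
}


def apply_filter(frames, display_filter):
    """Return the dissected frames that match one of the filters above."""
    return [f for f in map(parse_frame, frames) if FILTERS[display_filter](f)]


# Constructed sample capture; addresses are from documentation ranges, not real hosts.
SAMPLE_CAPTURE = [
    build_arp("00:0b:86:6e:69:68", "80:56:f2:25:63:40", 1, "192.0.2.1", "192.0.2.20"),
    build_arp("80:56:f2:25:63:40", "00:0b:86:6e:69:68", 2, "192.0.2.20", "192.0.2.1"),
    build_tcp("192.0.2.20", "192.0.2.53", 43714, 53, 0x02),                       # SYN only
    build_tcp("192.0.2.20", "198.51.100.10", 51000, 80, 0x18, ip_id=0x1234,      # PSH|ACK
              payload=b"GET /keeper/mystash/secretstuff.html HTTP/1.1\r\nHost: www.pagetutor.com\r\n"
                      b"Authorization: Basic " + base64.b64encode(b"jimmy:page") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for name in FILTERS:
        print(name, "->", apply_filter(SAMPLE_CAPTURE, name))
```

Running the script prints, for each filter, the dissected frames it matches: both ARP frames for arp, only the port-53 SYN for the two TCP filters, and the GET with the decoded credentials jimmy:page for http.request. Pointing parse_frame at frames read from a real pcap would need the pcap file header and per-record headers to be stripped first, which this example deliberately leaves out.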
Reference: the videos provided by the lecturer.
S.H.M Lahiru Prabath Balasuriya.