[Networking] Packet Analysis using the Wireshark tool

<aside> 💡 Packet Analysis (also called packet sniffing; the tool is a packet analyzer, protocol analyzer or network analyzer) - recording the raw data, the bits and bytes, of network communication crossing a network interface.

</aside>

<aside> 💡 Captures are typically stored in a .pcap file.

</aside>

sudo wireshark <.pcap file location>

(sudo is used because Wireshark requires root privileges to capture packets from an interface; opening an existing .pcap file does not need them)

<aside> 💡 Wireshark has 5 major components: the pull-down command menu at the top; the filter bar, where we specify rules to find certain packets; the packet list, where all sent and received packets are shown; the packet details pane below it, which shows the decoded fields of the selected packet; and, at the bottom, a section that looks like the Elvin ruins of some ancient city, which is just the packet content in hex and ASCII.

</aside>

<aside> 💡 In the filter section we can either apply a capture filter before capturing, or capture all the packets and apply a display filter to the results later. (If the display filter syntax is correct, the box turns green; if it is wrong, it turns red. Capture filters use a different syntax (BPF), so a display filter will not work there as-is.)

</aside>

<aside> 💡 To combine multiple filter expressions, use “and”. Prefix an expression with “not” to hide the packets matching it and show everything else.

</aside>

<aside> 💡 Filters can be applied by protocol name, e.g. http, ftp, dns.

</aside>

<aside> 💡 For HTTP, we can filter on the request method, e.g. GET and POST (http.request.method == "GET").

</aside>

<aside> 💡 GET requests that received a 200 status code in the results can help us find directories that exist on the server.

</aside>

<aside> 💡 POST requests can reveal credentials sent in plain text (e.g. a login form submitted over unencrypted HTTP).

</aside>

<aside> 💡 DNS, since the monke brain can’t remember IP addresses, maps domain names to actual IP addresses. Filter with dns or udp.port==53.

</aside>

<aside> 💡 There are several types of DNS records, each with a numeric type id (for example A = 1, CNAME = 5, MX = 15, TXT = 16, AAAA = 28); use that id number in the filter section, e.g. dns.qry.type == 1.

</aside>

<aside> 💡 FTP, like HTTP, is a clear-text protocol. Use ftp as the filter; to see the whole FTP command exchange clearly, select the first FTP result and choose Follow > TCP Stream.

</aside>

<aside> 💡 If data was transferred over FTP, use ftp-data as the filter and follow the TCP stream to recover the transferred content.

</aside>
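As an added example (my own code, not part of these notes and not Wireshark's code), the script below builds a small synthetic capture inline, walks the pcap records, decodes the DNS, HTTP and FTP fields the notes above filter on, and evaluates a subset of Wireshark's display-filter syntax (bare field presence, ==, and, or, not) against each packet. Field names mirror Wireshark's (udp.port, dns.qry.type, http.request.method, ftp, ftp-data); the addresses, ports and packet contents are constructed, and the evaluator assumes whitespace-separated and/or/not with no parentheses.

```python
# Added example: minimal pcap walker plus a tiny Wireshark-style display-filter evaluator.
import struct

# ---- constructed sample capture (synthetic packets, not a real trace) ----
def _ip(a):                       # "10.0.0.5" -> 4 bytes
    return bytes(int(x) for x in a.split("."))

def eth_ipv4(payload, proto, src="10.0.0.5", dst="10.0.0.9"):
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, proto, 0, _ip(src), _ip(dst))      # checksum left as 0
    return eth + ip + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):                                # 20-byte header, PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def pcap(frames):                                           # little-endian pcap, linktype 1
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                           for i, f in enumerate(frames))

DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)     # query for example.com
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")     # type A (id 1), class IN
POST_BODY = b"user=alice&pass=hunter2"                              # constructed credentials
SAMPLE_PCAP = pcap([
    eth_ipv4(udp(40000, 53, DNS_QUERY), 17),
    eth_ipv4(tcp(40001, 80, b"GET /admin/ HTTP/1.1\r\nHost: example.test\r\n\r\n"), 6),
    eth_ipv4(tcp(40002, 80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                            b"Content-Length: %d\r\n\r\n" % len(POST_BODY) + POST_BODY), 6),
    eth_ipv4(tcp(40003, 21, b"USER anonymous\r\n"), 6),
    eth_ipv4(tcp(20, 40004, b"contents of report.txt\n"), 6, src="10.0.0.9", dst="10.0.0.5"),
])

# ---- decoder: one dict of Wireshark-like field names per frame ----
def parse_frame(fr):
    f = {"frame.len": len(fr)}
    if fr[12:14] != b"\x08\x00":                            # only IPv4 over Ethernet here
        return f
    ihl, proto = (fr[14] & 0x0F) * 4, fr[23]
    f["ip.src"], f["ip.dst"] = (".".join(map(str, fr[o:o + 4])) for o in (26, 30))
    l4 = fr[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:
        f["udp.port"] = {sport, dport}                      # matches either end, like Wireshark
        p = l4[8:]
        if 53 in f["udp.port"]:
            f["dns"], f["dns.id"] = True, struct.unpack("!H", p[:2])[0]
            i = 12                                          # skip header, walk the QNAME labels
            while p[i]:
                i += p[i] + 1
            f["dns.qry.type"] = struct.unpack("!H", p[i + 1:i + 3])[0]
    elif proto == 6:
        f["tcp.port"] = {sport, dport}
        p = l4[(l4[12] >> 4) * 4:]                          # skip TCP header (data offset)
        if dport == 80 and p[:4] in (b"GET ", b"POST"):
            method, uri = p.split(b" ", 2)[:2]
            f["http"], f["http.request.method"] = True, method.decode()
            f["http.request.uri"] = uri.decode()
            f["http.file_data"] = p.split(b"\r\n\r\n", 1)[-1].decode()
        elif 21 in f["tcp.port"]:
            f["ftp"], f["ftp.request.command"] = True, p.decode().strip()
        elif 20 in f["tcp.port"]:                           # assumption: active-mode data port
            f["ftp-data"], f["ftp-data.data"] = True, p
    return f

def parse_pcap(blob):
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    off, frames = 24, []
    while off < len(blob):
        incl = struct.unpack("<IIII", blob[off:off + 16])[2]   # captured length
        frames.append(parse_frame(blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames

# ---- display-filter evaluator: precedence not > and > or, plus "field == value" ----
def _atom(term, f):
    term = term.strip()
    if term.startswith("not "):
        return not _atom(term[4:], f)
    if "==" in term:
        name, val = (s.strip() for s in term.split("==", 1))
        val, have = val.strip('"'), f.get(name)
        if isinstance(have, set):                           # port fields: either endpoint
            return int(val, 0) in have
        if isinstance(have, int):
            return int(val, 0) == have
        return have is not None and str(have) == val
    return term in f                                        # bare name = field is present

def evaluate(expr, f):
    return any(all(_atom(t, f) for t in conj.split(" and ")) for conj in expr.split(" or "))

def filter_pcap(blob, expr):
    return [f for f in parse_pcap(blob) if evaluate(expr, f)]

if __name__ == "__main__":
    for expr in ("dns or udp.port==53", 'http.request.method == "POST"', "ftp",
                 "ftp-data", "not dns", "dns.qry.type == 1"):
        print(f"{expr:32} -> {len(filter_pcap(SAMPLE_PCAP, expr))} packet(s)")
```

Two simplifications to keep in mind: the script tags ftp-data purely by port 20, whereas Wireshark learns the data connection from the PORT/PASV exchange on the control channel, and it looks at one packet at a time, so Follow > TCP Stream (reassembling every payload of one connection in order) is something you would add on top of `filter_pcap` by grouping frames on their address/port pair.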

Questions :-

Really easy, no need to spell it out; read the logs carefully.