x32x01

Wireshark, formerly known as Ethereal, is the most widely used network protocol analyzer. It is free and open-source and is used mainly for network analysis and troubleshooting: it captures network traffic in real time and decodes it, protocol by protocol, into a human-readable form.


We can use Wireshark to analyze network traffic and find out what is actually flowing through a network. In this detailed tutorial we learn how to use Wireshark on our Kali Linux system, so read it carefully.

Wireshark comes preinstalled on Kali Linux. It can be opened with the wireshark command or from the Sniffing & Spoofing category in the application menu. Capturing packets needs privileges: Debian's wireshark-common package can configure the dumpcap capture helper so that members of the wireshark group capture without running the GUI as root, which is the recommended arrangement. If no interfaces are listed when Wireshark opens, either the package has not been configured for non-root capture or the current user is not in the wireshark group (group membership takes effect after logging in again).


After opening Wireshark we see the main window, which lists the interfaces available for capture together with a small traffic graph for each.


Here we select the interface we want to capture on; double-clicking the interface name starts the capture. The filter bar above the packet list takes display filters, which narrow what is shown, live or after the capture, without affecting which packets are recorded. For example, tcp.port eq 80 and tcp.port == 80 are equivalent display filters that match TCP traffic in either direction where one of the ports is 80.


With the filter applied, only traffic on port 80 is shown. If we want to see only packets sent by a selected IP address, we right-click the Source column of one of its packets in the packet list (or the source address field in the packet details pane) and choose "Apply as Filter" > "Selected"; Wireshark builds the expression (of the form ip.src == address) for us. Choosing "... and Selected" instead combines it with the filter already in the bar, which is the quick way to narrow down to one host on one port.


The generated expression now appears in the filter bar and only the matching packets remain in the list.


Sometimes we want to look at the whole conversation between two hosts at the TCP level. Follow TCP Stream reassembles all the traffic from X to Y and from Y to X into a single view. To try it from the menu, we choose "Statistics" and then "Conversations".


In the window that comes up, we switch to the TCP tab, which lists each pair of endpoints with the number of packets and bytes exchanged in each direction. To view the stream, we select the conversation of interest and click "Follow Stream...". (Selecting one packet of the conversation in the packet list and choosing Analyze > Follow > TCP Stream reaches the same view.)


The stream window shows the reassembled payload of both directions, coloured per direction, so for a plaintext protocol such as HTTP the request and response can be read directly. For TLS on port 443 the same view shows only ciphertext unless the session keys are supplied to Wireshark.


Capture filters, unlike display filters, decide which packets are recorded at all. They use the BPF syntax of libpcap (the same syntax tcpdump uses), not Wireshark's display-filter syntax, and they cannot be changed while a capture is running. For example, to capture only traffic to or from a particular host we use host x.x.x.x; the corresponding display filter would be ip.addr == x.x.x.x.

To apply a capture filter, we open Capture > Options; in the dialog that opens, the field below the interface list (labelled "Capture filter for selected interfaces" in current versions) takes the filter. The same filter can also be typed into the capture filter bar on the welcome screen before double-clicking an interface. Wireshark colours the field green when the expression is valid BPF and red when it is not.

Suppose we are investigating possible exploitation of Heartbleed (CVE-2014-0160) on the network. The following capture filter, which also appears on the Wireshark wiki CaptureFilters page linked below, records TLS heartbeat records sent by a server on port 443 that are suspiciously large:
tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4)) > 69)

Reading it piece by piece: tcp[12] holds the TCP data offset, so ((tcp[12] & 0xF0) >> 4) * 4 is the byte index at which the TCP payload, here the TLS record, begins. The first three payload bytes are the TLS record header: content type 0x18 is heartbeat, and version bytes 0x03 0x00 through 0x03 0x03 cover SSL 3.0 to TLS 1.2. The last clause computes the TCP payload length (IP total length minus the IP header minus the TCP header) and requires it to exceed 69 bytes, because a legitimate heartbeat response carries only a short payload plus 16 bytes of padding, whereas a Heartbleed response echoes up to 64 KB of server memory. The filter has limits: it is IPv4-only (the ip[...] offsets), it looks only at the server-to-client direction on port 443, and only the first TCP segment of a long response carries the record header. A match shows that an oversized heartbeat response left the server, not what it contained, so the matching stream still has to be examined with Follow TCP Stream.
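The following Python script is an added example; it is not part of the original tutorial and not Wireshark code. It constructs a handful of Ethernet/IPv4/TCP frames (a plaintext HTTP request and response on port 80, a normal-sized TLS heartbeat response, an oversized Heartbleed-style one, and an ordinary TLS application-data record from port 443), writes them to a pcap file that Wireshark opens directly, and then evaluates the Heartbleed capture filter above byte-for-byte in Python so its arithmetic can be checked against known input. Opening the generated file in Wireshark also lets you try the tcp.port == 80 display filter, Apply as Filter on a source address, Statistics > Conversations and Follow TCP Stream from the earlier sections on traffic whose contents you already know. All addresses, MACs, ports, payloads and the output file name are constructed for this example; the TCP checksum is left at zero, which Wireshark accepts because TCP checksum validation is off by default.

```python
"""Added example: build a small pcap for the Wireshark exercises above and
evaluate the Heartbleed BPF capture filter's byte logic in plain Python.
Everything here (addresses, MACs, ports, payloads, file name) is constructed."""
import struct

ETH_TYPE_IPV4 = b"\x08\x00"
CLIENT, SERVER = "192.168.56.20", "192.168.56.10"   # constructed addresses


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK, 20-byte TCP header, data offset 5) carrying payload.
    MACs are made up; the TCP checksum is left at zero (Wireshark does not validate it by default)."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + ETH_TYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def tls_record(content_type: int, body: bytes) -> bytes:
    """TLS 1.2 record: content type, version 0x0303, 2-byte length, body."""
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(body)) + body


def heartbleed_filter_matches(frame: bytes) -> bool:
    """Python rendering of the BPF capture filter from the text, applied to one Ethernet frame.
    BPF's ip[...] and tcp[...] offsets are relative to the IP and TCP headers, so the 14-byte
    Ethernet header is skipped first; a byte access past the end of the packet makes BPF
    reject the packet, which the explicit length check mirrors."""
    if frame[12:14] != ETH_TYPE_IPV4 or frame[14 + 9] != 6:   # 'tcp': IPv4 carrying TCP
        return False
    ip = frame[14:]
    ihl = 4 * (ip[0] & 0x0F)                                   # 4 * (ip[0] & 0x0F)
    tcp = ip[ihl:]
    doff = 4 * ((tcp[12] & 0xF0) >> 4)                         # ((tcp[12] & 0xF0) >> 4) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]                # ip[2:2]
    payload_len = total_len - ihl - doff
    if struct.unpack("!H", tcp[0:2])[0] != 443:                # tcp src port 443
        return False
    if len(tcp) < doff + 3:
        return False
    return (tcp[doff] == 0x18            # content type: heartbeat
            and tcp[doff + 1] == 0x03    # version major 3
            and tcp[doff + 2] < 0x04     # SSL 3.0 .. TLS 1.2
            and payload_len > 69)        # TCP payload larger than a sane heartbeat


def sample_frames():
    """Constructed traffic: one HTTP exchange plus three TLS records sent by the server."""
    http_req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    http_resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    # HeartbeatMessage = type (2 = response) + payload_length + payload + 16 bytes padding.
    normal_hb = b"\x02" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
    # Heartbleed-style response: payload_length far larger than the request payload, so the
    # server echoes its own memory back (stand-in bytes, truncated to 200 here).
    leaked_hb = b"\x02" + struct.pack("!H", 16384) + b"A" * 200
    return [
        ("HTTP request", tcp_frame(CLIENT, SERVER, 50000, 80, http_req)),
        ("HTTP response", tcp_frame(SERVER, CLIENT, 80, 50000, http_resp)),
        ("normal heartbeat", tcp_frame(SERVER, CLIENT, 443, 50001, tls_record(0x18, normal_hb))),
        ("leaked heartbeat", tcp_frame(SERVER, CLIENT, 443, 50001, tls_record(0x18, leaked_hb))),
        ("application data", tcp_frame(SERVER, CLIENT, 443, 50001, tls_record(0x17, b"\x00" * 300))),
    ]


def write_pcap(path: str, frames) -> None:
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then a 16-byte header per packet."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    frames = sample_frames()
    write_pcap("wireshark_tutorial.pcap", [f for _, f in frames])   # constructed file name
    for name, frame in frames:
        print(f"{name:18} matches Heartbleed filter: {heartbleed_filter_matches(frame)}")
```

Run the script, then open wireshark_tutorial.pcap in Wireshark: only the fourth frame satisfies the capture filter, the Follow TCP Stream view of the port-80 conversation shows the request and response in clear text, and the port-443 frames appear under the TLS dissector with their record types visible but no readable payload.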

Wireshark has a great many display-filter fields and capture-filter primitives. The following links are very useful: the first is the Wireshark wiki front page, the second collects capture filter examples (including the Heartbleed one above) and explains the BPF primitives they use. We need them when performing in-depth packet analysis.
https://wiki.wireshark.org/FrontPage
https://wiki.wireshark.org/CaptureFilters

In this tutorial we learned about Wireshark and its uses on our Kali Linux system; it is the all-in-one tool for network analysis. Read more tutorials on our site and follow us on Twitter for quick updates. If you have anything to say, the comment box is below; we always reply.