Navigating Wireshark

Wireshark is an application that inspects network traffic. It can be used in numerous ways to strengthen network security and identify points of vulnerability within networks. The interface presents a lot of information at once, so it helps to understand how that information is laid out for the user.




Menu Bar: 
The user interface can be a lot of information to take in, so I've divided it into its main components to make it easier to understand. The top menu bar is where you start and stop capturing network traffic with the start and stop buttons; you can also manage the capture interfaces to suit your own needs and open previously saved capture files here. It also offers a variety of ways to display information based on your needs, such as HTTP, TFTP, or IMF, and lets you choose a specific packet to export in your desired format in order to gather information from it.
Display Filter: 
Wireshark's display filters are a powerful tool used to show only the packets that meet specific criteria, making it easier to analyze network traffic. You can construct filters by specifying header fields and, optionally, the values they should match. Logical operators can be used to combine multiple expressions. If a packet contains the specified header field or matches the specified value, it will be displayed in the packet list; otherwise, it will not be shown.

Types of Display Filters

1. Basic Field Filtering:
   - To filter packets based on a specific protocol, you can use the protocol name as the filter. 
     - Example: `http` will display only HTTP packets.
   - To filter packets based on specific fields within a protocol, you can specify the field name and value.
     - Example: `ip.src == 192.168.1.1` will show packets where the source IP address is 192.168.1.1.
     - Example: `tcp.port == 80` will show packets where the TCP port is 80.

2. Logical Operators:
   - Logical operators like `and`, `or`, and `not` can combine multiple conditions.
     - Example: `http and ip.src == 192.168.1.1` will display HTTP packets from the source IP address 192.168.1.1.
     - Example: `tcp.port == 80 or tcp.port == 443` will show packets where the TCP port is either 80 or 443.
     - Example: `not arp` will display all packets except ARP packets.

3. Range Filters:
   - You can filter packets within a range of values using comparison operators.
     - Example: `frame.len > 1000` will show packets larger than 1000 bytes.
     - Example: `ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.100` will display packets with IP addresses in the specified range. Note that `ip.addr` matches either the source or the destination address and each comparison is satisfied independently, so a packet whose source is above the range and whose destination is below it also matches; use `ip.src` or `ip.dst` when you mean one specific end.

4. Substring and Regular Expression Filters:
   - Filtering packets that contain specific substrings or match regular expressions.
     - Example: `frame contains "HTTP/1.1"` will show packets containing the string "HTTP/1.1".
     - Example: `http.request.uri matches "login"` will display HTTP request packets with URIs containing "login" (the right-hand side is a regular expression).

Practical Examples

- Identifying Traffic from a Specific Host:
  - `ip.src == 10.0.0.5` to find all traffic originating from the host with IP address 10.0.0.5.

- Isolating Specific Protocol Traffic:
  - `dns` to display only DNS packets.

- Finding Traffic on Specific Ports:
  - `tcp.port == 22` to show all packets using port 22 (SSH).

- Combining Multiple Filters:
  - `tcp.port == 80 and ip.dst == 192.168.0.10` to display HTTP traffic destined for IP address 192.168.0.10.

- Excluding Certain Traffic:
  - `not icmp` to exclude ICMP traffic from the display.

Using these filters in Wireshark can help you efficiently narrow down the traffic you need to analyze, making your network troubleshooting and forensic investigations much more manageable.
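As an added example that is not part of this page or of Wireshark itself, the following Python evaluator implements the filter subset shown above (field comparisons, `contains`, `matches`, `and`/`or`/`not`, bare protocol names) over constructed packets, and makes the `ip.addr` pitfall visible: a comparison is satisfied by any occurrence of a field, so a range written against `ip.addr` also keeps a packet whose source is above the range and whose destination is below it. It assumes no parentheses and the Wireshark 3.6+ meaning of `!=` (every occurrence must differ).

```python
import ipaddress, operator as op, re

OPS = {"==": op.eq, ">": op.gt, "<": op.lt, ">=": op.ge, "<=": op.le,
       "contains": lambda a, b: str(b) in str(a),
       "matches": lambda a, b: re.search(str(b), str(a)) is not None}

def conv(v):  # numbers and IPv4 addresses compare numerically, everything else as text
    if isinstance(v, int) or v.isdigit():
        return int(v)
    return int(ipaddress.ip_address(v)) if v.count(".") == 3 and v.replace(".", "").isdigit() else v

def split(toks, sep):  # ["a", "and", "b", "or", "c"] split on "or" -> [[a, and, b], [c]]
    out = [[]]
    for t in toks:
        if t == sep:
            out.append([])
        else:
            out[-1].append(t)
    return out

def term(u, pkt):  # one comparison or bare name, optionally negated
    if u[0] == "not":
        return not term(u[1:], pkt)
    if len(u) == 1:  # bare protocol or field name: present in the packet at all?
        return any(k == u[0] or k.startswith(u[0] + ".") for k in pkt)
    field, op_, ref = u[0], u[1], conv(u[2].strip('"'))
    vals = [conv(v) for v in pkt.get(field, [])]
    if op_ == "!=":  # Wireshark 3.6+: true only if every occurrence differs
        return bool(vals) and all(v != ref for v in vals)
    return any(OPS[op_](v, ref) for v in vals)  # any single occurrence suffices

def evaluate(text, pkt):  # no parentheses; `and` binds tighter than `or`
    toks = re.findall(r'"[^"]*"|==|!=|>=|<=|[<>]|[\w.:/]+', text)
    return any(all(term(u, pkt) for u in split(c, "and")) for c in split(toks, "or"))

def select(text, packets):  # 1-based numbers (the No. column) of the packets kept
    return [n for n, p in enumerate(packets, 1) if evaluate(text, p)]

def mkpkt(src, dst, sport, dport, length, **app):  # like Wireshark, ip.addr/tcp.port hold both ends
    pkt = {"frame.len": [length], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
           "tcp.srcport": [sport], "tcp.dstport": [dport], "tcp.port": [sport, dport]}
    return {**pkt, **{k.replace("_", "."): [v] for k, v in app.items()}}

PACKETS = [  # constructed sample capture, not real traffic
    mkpkt("192.168.1.1", "10.0.0.9", 51500, 80, 512, http_request_uri="/login.php"),
    mkpkt("10.0.0.9", "192.168.1.1", 80, 51500, 1400, http_response_code=200),
    mkpkt("192.168.1.200", "10.0.0.9", 40000, 443, 74),
    mkpkt("192.168.1.50", "192.168.1.1", 3333, 22, 1200),
    {"frame.len": [42], "arp.opcode": [1]}]
```

`select("ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.100", PACKETS)` keeps packet 3 (192.168.1.200 to 10.0.0.9) even though neither address is in the range, while the same filter on `ip.src` keeps only packets 1 and 4.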


Packet List in Wireshark

The packet list in Wireshark aggregates crucial information about the packets captured during a session, organizing it into columns for easy analysis. This view provides an overview of the network traffic and protocol interactions, making it easier to understand and diagnose network issues.

1. Packet Number:
   - This is a sequential number assigned to each packet as it is captured. The later the packet is captured, the higher its number.

2. Time:
   - This column shows the time each packet was captured relative to the start of the capture session. It helps in understanding the sequence and timing of events in the network traffic.

3. Source and Destination IP Addresses:
   - These columns display the IP addresses of the sender (source) and receiver (destination) of each packet. This information is crucial for identifying communication between specific hosts.

4. Protocol:
   - This column indicates the protocol used by each packet, such as TCP, UDP, HTTP, or DNS. It helps in filtering and analyzing traffic based on the protocol type.

5. Length:
   - The length column shows the size of each packet in bytes. This can be useful for identifying unusually large or small packets that might indicate network issues.

6. Info:
   - This column provides a summary of the packet’s headers or contents. It includes details like the type of request or response, flags, and other protocol-specific information.

Examples of Analyzing the Packet List

1. Understanding Network Flow:
   - By examining the source and destination IP addresses, you can track the communication flow between different hosts on the network.

2. Identifying Protocol Conversations:
   - The protocol column helps you filter and identify conversations using specific protocols.
     - Example: You might notice a series of DNS packets indicating a DNS query and response conversation.

3. Detecting Anomalies:
   - Analyzing the length and time columns can help in identifying unusual patterns, such as a sudden burst of large packets or delayed responses.
     - Example: A spike in the length column might indicate a large data transfer or a potential network attack.

4. Diagnosing Network Issues:
   - The info column can reveal specific details about errors or unusual behavior in the network traffic.
     - Example: If the info column shows repeated TCP retransmissions, it might indicate network congestion or packet loss.

Practical Examples

- Filtering by Protocol:
  - Click on the protocol column header to sort and filter packets by specific protocols, such as HTTP or DNS, to focus on relevant traffic.

- Tracing Conversations:
  - Use the source and destination columns to trace the flow of data between hosts, helping to identify which hosts are communicating and what data is being exchanged.

- Identifying Large Packets:
  - Sort the length column to identify unusually large packets that could be indicative of a file transfer or potential data exfiltration.

- Analyzing Timelines:
  - Use the time column to analyze the sequence and timing of packet captures, helping to correlate events and diagnose timing-related issues.

By effectively utilizing the packet list in Wireshark, you can gain a comprehensive understanding of your network traffic, identify and diagnose issues, and ensure smooth network operation.
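As an added example (not Wireshark's own code), the following Python builds the packet-list rows described above from a constructed capture: the Time column relative to the first packet, the Length column, and an Info column that marks a repeated data segment as a TCP retransmission. The retransmission rule is a deliberately simplified stand-in for Wireshark's TCP analysis, and it handles the edge case that pure ACKs legitimately repeat the same sequence number.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport seq tcp_len frame_len")

# Constructed capture, not real traffic: an HTTP exchange where packet 6 repeats
# packet 4 about 300 ms later (the client never saw an ACK for it).
CAPTURE = [
    Packet(1700000000.000, "192.168.1.1", "192.168.1.2", 51500, 80, 0, 0, 74),      # SYN
    Packet(1700000000.010, "192.168.1.2", "192.168.1.1", 80, 51500, 0, 0, 74),      # SYN/ACK
    Packet(1700000000.011, "192.168.1.1", "192.168.1.2", 51500, 80, 1, 0, 66),      # ACK
    Packet(1700000000.012, "192.168.1.1", "192.168.1.2", 51500, 80, 1, 446, 512),   # GET
    Packet(1700000000.020, "192.168.1.2", "192.168.1.1", 80, 51500, 1, 1334, 1400), # response
    Packet(1700000000.315, "192.168.1.1", "192.168.1.2", 51500, 80, 1, 446, 512),   # GET again
    Packet(1700000000.330, "192.168.1.2", "192.168.1.1", 80, 51500, 1335, 0, 66),   # ACK
]

def packet_list(capture):
    """Rows in packet-list order: (No., Time relative to first packet, Source, Destination, Length, Info)."""
    seen, rows, t0 = set(), [], capture[0].ts
    for no, p in enumerate(capture, 1):
        info = "%d -> %d Seq=%d Len=%d" % (p.sport, p.dport, p.seq, p.tcp_len)
        key = (p.src, p.dst, p.sport, p.dport, p.seq, p.tcp_len)
        # Simplified rule: a data-carrying segment repeating a flow/seq/len already seen.
        # Zero-length segments are excluded: every pure ACK from one side shares the same seq.
        if p.tcp_len and key in seen:
            info = "[TCP Retransmission] " + info
        seen.add(key)
        rows.append((no, round(p.ts - t0, 6), p.src, p.dst, p.frame_len, info))
    return rows

def retransmissions(rows):  # packet numbers the Info column marks (see "Diagnosing Network Issues")
    return [r[0] for r in rows if r[5].startswith("[TCP Retransmission]")]

def large_packets(rows, threshold=1000):  # what sorting the Length column surfaces
    return [r[0] for r in rows if r[4] > threshold]

if __name__ == "__main__":
    for row in packet_list(CAPTURE):
        print("%-3d %-9.6f %-13s %-13s %5d  %s" % row)
```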

Packet Headers in Wireshark

The packet headers section in Wireshark provides detailed information about each individual packet, organizing packet header fields and values into layers. This layered view, presented as easy-to-view drop-down menus, ranges from Layer 1 frame information to Layer 7 protocol contents, enabling in-depth analysis of each packet.

1. Layer 1 - Physical Layer:
   - Frame Information:
     - This layer includes details about the physical properties of the packet, such as the frame number, arrival time, and total length.
     - Example: Frame 1, arrival time 0.000000000 seconds, total length 1514 bytes.

2. Layer 2 - Data Link Layer:
   - Ethernet II:
     - This section provides information about the Ethernet frame, including source and destination MAC addresses and EtherType.
     - Example: Destination: ff:ff:ff:ff:ff:ff, Source: 00:0a:95:9d:68:16, Type: IPv4 (0x0800).

3. Layer 3 - Network Layer:
   - Internet Protocol (IP):
     - This layer details the IP packet information, such as source and destination IP addresses, protocol, and time to live (TTL).
     - Example: Source: 192.168.1.1, Destination: 192.168.1.2, Protocol: TCP (6), TTL: 64.

4. Layer 4 - Transport Layer:
   - Transmission Control Protocol (TCP) / User Datagram Protocol (UDP):
     - This section provides information about the transport layer, including source and destination ports, sequence numbers, and flags.
     - Example (TCP): Source port: 443, Destination port: 51500, Sequence number: 1, Flags: [SYN].

5. Layer 5-7 - Session, Presentation, and Application Layers:
   - HTTP, DNS, SSL/TLS, etc.:
     - These layers provide information about the application protocols, including HTTP requests and responses, DNS queries, and SSL/TLS handshakes.
     - Example (HTTP): GET /index.html HTTP/1.1, Host: www.example.com.
     - Example (DNS): Standard query 0x1234 A www.example.com.
     - Example (SSL/TLS): Client Hello, Version: TLS 1.2.

Practical Usage of Packet Headers

1. Analyzing Network Communication:
   - By examining the various layers, you can understand the entire journey of a packet from the physical layer to the application layer.
     - Example: Analyzing a TCP packet from source IP 192.168.1.1 to destination IP 192.168.1.2 on port 80, and inspecting the HTTP request within.

2. Troubleshooting Network Issues:
   - Detailed header information can help diagnose issues such as incorrect IP addressing, TCP handshake problems, or application-layer errors.
     - Example: Identifying an incorrect destination IP address or mismatched TCP sequence numbers causing connection issues.

3. Security Analysis:
   - Packet headers can reveal signs of malicious activity, such as unusual source MAC addresses, spoofed IP addresses, or suspicious application-layer data.
     - Example: Detecting a packet with a source IP address that doesn't match known devices in the network, indicating a potential spoofing attempt.

4. Performance Monitoring:
   - Analyzing the packet headers can provide insights into network performance, such as latency (from the time stamps) and packet loss (from TCP retransmissions).
     - Example: Identifying high latency in a specific part of the network by examining the time differences between packet captures.

Practical Examples

- Examining TCP Flags:
  - Expand the TCP layer to view flags like SYN, ACK, and FIN to understand the state of a TCP connection.
    - Example: SYN flag in a packet indicates the start of a TCP handshake.

- Viewing HTTP Content:
  - Expand the HTTP layer to view request methods, URLs, and response codes.
    - Example: GET /page.html HTTP/1.1 shows an HTTP GET request for the page.html file.

- Inspecting DNS Queries:
  - Expand the DNS layer to see the details of DNS queries and responses, including queried domain names and resolved IP addresses.
    - Example: Standard query response 0x1234 A www.example.com 192.168.1.2.

By utilizing the packet headers section in Wireshark, you can gain a comprehensive understanding of each packet’s journey through the network, diagnose issues, enhance security, and monitor performance effectively.



Hex Dump & ASCII in Wireshark

In Wireshark, the bottom pane displays the hexadecimal and ASCII representation of the entire packet. This detailed view allows for a deeper understanding of the packet structure and contents, providing both hex and human-readable formats.

1. Hexadecimal and ASCII Representation:
   - The hex dump shows the raw data of the packet in hexadecimal format.
   - The ASCII representation displays the corresponding characters, if printable, making it easier to interpret the data.

2. Interactive Highlighting:
   - Hovering over the hex dump or ASCII area highlights the corresponding section of the packet.
   - This feature shows the exact field of the packet being highlighted, displayed in the status bar at the bottom.

3. Field Expression Display:
   - When a section is highlighted, the field expression (e.g., `tcp.seq` for TCP sequence number) is displayed.
   - This is particularly useful when constructing display filters and needing the specific Wireshark term for a packet field.

Practical Usage of Hex Dump & ASCII Pane

1. Detailed Packet Analysis:
   - The hex dump and ASCII pane provide a byte-by-byte breakdown of the packet, which is essential for low-level analysis.
   - Example: Inspecting the hex values of a packet to detect anomalies or specific patterns in the data.

2. Constructing Display Filters:
   - By highlighting sections of the packet, you can easily identify the exact Wireshark field names needed for display filters.
   - Example: Highlighting the TCP sequence number to find the expression `tcp.seq`, which can then be used to filter packets with specific sequence numbers.

3. Understanding Protocol Data:
   - The ASCII representation helps in reading human-readable data within packets, such as HTTP requests or DNS queries.
   - Example: Viewing the content of an HTTP GET request directly in the ASCII section to see the requested URL.

4. Learning Packet Structure:
   - The interactive highlighting helps in understanding how different parts of the packet map to the protocol fields.
   - Example: Hovering over the Ethernet, IP, and TCP headers to see their respective positions and fields in the hex dump.

Practical Examples

- Highlighting TCP Sequence Number:
  - When you hover over the TCP sequence number in the hex dump, the field `tcp.seq` is displayed, helping you create a filter like `tcp.seq == 123456789`.

- Viewing HTTP Request Data:
  - The ASCII pane shows the actual HTTP request details, such as `GET /index.html HTTP/1.1`, allowing you to see exactly what data is being requested or sent.

- Analyzing Suspicious Packets:
  - By examining the hex dump, you can identify suspicious patterns or payloads that might indicate malicious activity.
  - Example: Detecting shellcode or encoded commands within the payload of a packet.

The Hex Dump & ASCII pane in Wireshark provides a comprehensive view of packet data in both hex and ASCII formats. This interactive section allows for detailed packet analysis, helps in constructing accurate display filters, and aids in understanding the structure and content of network traffic. By leveraging these features, you can perform in-depth packet inspections, troubleshoot issues, and enhance your overall network analysis capabilities.
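The frame walk-through of the two sections above (Packet Headers, and Hex Dump & ASCII), as an added example that is not Wireshark's code: it builds a constructed Ethernet II / IPv4 / TCP / HTTP frame, dissects the fixed header fields into the display-filter names the tree pane shows (`eth.src`, `ip.ttl`, `tcp.seq`, ...) together with the byte range each occupies, and renders the bytes pane, marking one field's bytes in upper case the way the pane highlights a selected field. It assumes IPv4 and TCP without options and leaves the checksums at zero.

```python
import socket, struct

def build_frame():  # constructed Ethernet II / IPv4 / TCP / HTTP frame, not a real capture
    payload = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window; checksums left zero
    tcp = struct.pack("!HHIIBBHHH", 51500, 80, 0x0A1B2C3D, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton("192.168.1.1"), socket.inet_aton("192.168.1.2"))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("000a959d6816") + b"\x08\x00"
    return eth + ip + tcp + payload

FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def dissect(frame):
    """Map display-filter field names to (offset, length, decoded value), like the tree pane."""
    u = lambda b: int.from_bytes(b, "big")
    ip0 = 14                                     # Ethernet II header is always 14 bytes
    tcp0 = ip0 + (frame[ip0] & 0x0F) * 4         # IHL = IPv4 header length in 32-bit words
    data0 = tcp0 + (frame[tcp0 + 12] >> 4) * 4   # TCP data offset, also in 32-bit words
    layout = [
        ("eth.dst", 0, 6, lambda b: b.hex(":")), ("eth.src", 6, 6, lambda b: b.hex(":")),
        ("eth.type", 12, 2, lambda b: "0x%04x" % u(b)),
        ("ip.ttl", ip0 + 8, 1, u), ("ip.proto", ip0 + 9, 1, u),
        ("ip.src", ip0 + 12, 4, socket.inet_ntoa), ("ip.dst", ip0 + 16, 4, socket.inet_ntoa),
        ("tcp.srcport", tcp0, 2, u), ("tcp.dstport", tcp0 + 2, 2, u), ("tcp.seq", tcp0 + 4, 4, u),
        ("tcp.flags", tcp0 + 13, 1, lambda b: [n for i, n in enumerate(FLAGS) if b[0] >> i & 1]),
        ("http.request.line", data0, frame.index(b"\r\n", data0) - data0, bytes.decode),
    ]
    return {name: (off, ln, dec(frame[off:off + ln])) for name, off, ln, dec in layout}

def hexdump(frame, highlight=None):
    """Bytes pane: offset, hex, ASCII. `highlight` is an (offset, length) pair shown in upper case."""
    lo, hi = (highlight[0], highlight[0] + highlight[1]) if highlight else (0, 0)
    lines = []
    for base in range(0, len(frame), 16):
        chunk = frame[base:base + 16]
        hx = " ".join(("%02X" if lo <= base + i < hi else "%02x") % b for i, b in enumerate(chunk))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-47s  %s" % (base, hx, asc))
    return "\n".join(lines)

if __name__ == "__main__":
    frame = build_frame()
    fields = dissect(frame)
    for name, (off, ln, val) in fields.items():  # what the tree pane shows per field
        print("%-18s bytes %3d-%-3d %s" % (name, off, off + ln - 1, val))
    print(hexdump(frame, fields["tcp.seq"][:2]))  # the tcp.seq bytes, highlighted
```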


