Sniffing with Wireshark
In this lab we will see the basic use of Wireshark for network packet analysis.
Basic Use of Wireshark

Wireshark is the most widely used network protocol analyzer in the world. It allows you to see what is happening on the network in detail and is the standard in many commercial and non-profit companies, government agencies, and educational institutions. Wireshark is the continuation of a project started by Gerald Combs in 1998 called Ethereal.
When opening Wireshark we will see a screen similar to the following; below we will review the most important controls that we will use from now on.

Filters: One of the controls we will use most in Wireshark is the filter bar. By using filters we can identify packets that meet one or more filtering criteria. We will see the basics of filters later.
Recent Files: This section (empty by default when installing Wireshark from scratch) collects the last PCAP files we have opened. It also allows us to open files directly by clicking on the text Open.
Interfaces for Capture: In this section we can see the list of interfaces present on the machine where Wireshark is running. This section varies from machine to machine. You can select a particular interface and start listening to its network traffic by double clicking on the interface name. The graph next to each interface represents its network activity.
Coloring Rules in Wireshark
In Wireshark packets are color-coded according to the type of protocol used and errors found in them. To view the color rules for network packets, go to: View -> Coloring Rules.

As we can see, Wireshark presents all the coloring rules that are currently configured.

It is important to keep this color configuration in mind and begin to familiarize ourselves with it, since it is an easy visual way to quickly identify packets and protocols.
Using Filters
There is a large number of filters available in Wireshark that will allow us to refine our searches until we find the network traffic specific to an IP address, MAC Address, Protocol Type, etc. We will not cover all possible filters in this section; we will limit ourselves to those necessary to understand their general operation and we will use them throughout this lab.
Filters in Wireshark use logical operators and comparison operators as in programming languages. By using these operators we can combine our filters to perform refined filtering to find exactly the network traffic we want to capture and view.
Comparison Operators
Comparison operators allow us to compare a field against a value in our filter expressions. These operators are the following:
Operator          | Usage
eq or ==          | Equal to x value.
ne or !=          | Not equal to x value.
gt or >           | Greater than x value.
lt or <           | Less than x value.
ge or >=          | Greater than or equal to x value.
le or <=          | Less than or equal to x value.
contains          | Contains x value.
matches or ~      | Matches a regular expression (Perl-compatible).
bitwise_and or &  | Bitwise AND with x value is non-zero.
Logical Operators
The logical operators allow us to combine filter expressions. These operators are the following:
Operator    | Usage
and or &&   | Links conditions; all of them must be met.
or or ||    | Links conditions; at least one of them must be met.
xor or ^^   | Exactly one of the conditions must be met.
not or !    | Negation; the condition must not be met.
[...]       | Slice operator; selects a subsequence of a field's bytes.
in          | Checks whether the value is part of a set. For example: tcp.port in {80, 8080}
It is worth noting that in Wireshark filters are classified into two large groups, Capture Filters and Display Filters. Let's see a brief description of each below.
Capture Filters
Capture filters are applied before starting the capture of packets and cannot be altered during the capture. If we pay attention to the initial Wireshark screen, this control also appears as a text field in the Capture section:

This type of filter allows us, for example, to capture traffic from a particular IP range, traffic of a particular protocol type, traffic only of the IPv4 protocol, etc.
It is worth mentioning that these filters are also accessible from the Wireshark menu: Capture -> Options (CTRL + K).

Usage                                                                  | Capture Filter
Capture IPv4 traffic, ignoring other protocols such as ARP, etc.       | ip
Capture traffic by port; for example, port 53 will capture DNS traffic. | port #
Capture traffic from/to the specified IP.                              | host <IP>
Capture traffic by port range; for example, tcp portrange 1200-2112.   | tcp portrange <range>
Display Filters
The Display Filters allow us to perform data filtering directly on the results list and are the ones we will use regularly to locate the network traffic we want to inspect. Wireshark uses this type of filter for the Coloring Rules we saw before, and it is one of its main features. It is worth noting that the number of filters that can be used is enormous and it is beyond the scope of this lab to see them in detail. We will mention, however, those we will use in this lab.

Usage                      | Display Filter
Filter by IP (Destination) | ip.dst == 192.168.1.1
Filter by IP (Source)      | ip.src == 192.168.1.2
Filter by IP               | ip.addr == 192.168.1.3
Filter by Subnet           | ip.addr == 192.168.1.1/24
Filter by port (TCP)       | tcp.port == 21
Filter by URL              | http.host == "tzero86bits.tk"
Filter by MAC Address      | eth.addr == 00:65:C7:16:25:F2
Filter by TimeStamp        | frame.time >= "May 16, 1986 11:16:00"
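The following Python script is an added example; it is not part of the original lab and it is not Wireshark's own filter engine. It is a small evaluator for the subset of display-filter syntax covered by the operator tables and the display filter table above, run over four constructed packets. Field names follow Wireshark (ip.addr, ip.src, tcp.port, tcp.dstport), except that frame.info is a made-up stand-in for the Info column; the bitwise_and and slice operators are not modelled. What it demonstrates is the one rule behind all of these filters, namely that a comparison succeeds if any occurrence of the field matches, and its consequence: ip.addr != X matches almost every packet, while !(ip.addr == X) is what actually excludes a host.

```python
import re

# Constructed sample packets (not taken from the lab's capture). Each field maps
# to the list of values it carries in that packet: ip.addr holds both endpoints
# and tcp.port both ports, which is exactly how Wireshark treats them.
def make_packet(src, dst, sport, dport, proto, info=""):
    pkt = {
        "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
        "tcp.srcport": [sport], "tcp.dstport": [dport], "tcp.port": [sport, dport],
        "frame.info": [info],        # made-up stand-in for the Info column
    }
    pkt[proto] = [True]              # bare protocol name, e.g. the "ftp" filter
    return pkt

PACKETS = [
    make_packet("192.168.1.2", "192.168.1.1", 49152, 21, "ftp", "USER ftpuser"),
    make_packet("192.168.1.1", "192.168.1.2", 21, 49152, "ftp", "331 Password required"),
    make_packet("192.168.1.2", "192.168.1.1", 49153, 80, "http", "GET /"),
    make_packet("10.0.0.5", "192.168.1.2", 443, 49154, "tls", ""),
]

TOKEN = re.compile(r'\s*(==|!=|>=|<=|&&|\|\||[<>!(){},~]|"[^"]*"|[\w.:/-]+)')
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "not": "!", "~": "matches"}

class Filter:
    """Recursive-descent parser: comparisons, contains/matches/in, presence of a
    bare field, and !/&&/|| with parentheses (|| binds loosest, ! tightest)."""
    def __init__(self, text):
        self.toks = [WORD_OPS.get(t, t) for t in TOKEN.findall(text)]
        self.pos = 0
        self.tree = self.parse_or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expect(self, tok):
        if self.take() != tok:
            raise ValueError("expected %r" % tok)

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.expect(")")
            return node
        return self.parse_cmp()

    def parse_cmp(self):
        field = self.take()
        if self.peek() in (None, ")", "&&", "||"):
            return ("present", field)          # a bare "ftp"
        op = self.take()
        if op == "in":
            self.expect("{")
            values = []
            while self.peek() != "}":
                tok = self.take()
                if tok != ",":
                    values.append(tok)
            self.take()
            return ("in", field, values)
        return ("cmp", op, field, self.take())

def compare(op, have, want):
    """contains is a case-sensitive substring test, matches a case-insensitive
    regex (as in Wireshark); the other operators compare numbers numerically
    and everything else as strings."""
    a, b = str(have), str(want).strip('"')
    if op == "contains":
        return b in a
    if op == "matches":
        return re.search(b, a, re.IGNORECASE) is not None
    try:
        a, b = float(a), float(b)
    except ValueError:
        pass
    return {"==": a == b, "!=": a != b, ">": a > b, "<": a < b,
            ">=": a >= b, "<=": a <= b}[op]

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "present":
        return node[1] in pkt
    if kind == "in":
        return any(compare("==", v, w) for v in pkt.get(node[1], []) for w in node[2])
    _, op, field, value = node
    # True if ANY occurrence of the field satisfies the comparison. That is why
    # "ip.addr != X" keeps nearly everything (the other endpoint differs from X);
    # write "!(ip.addr == X)" to exclude a host.
    return any(compare(op, v, value) for v in pkt.get(field, []))

def apply_filter(text, packets):
    """Return the 1-based numbers (Wireshark's No. column) of matching packets."""
    tree = Filter(text).tree
    return [i for i, pkt in enumerate(packets, 1) if evaluate(tree, pkt)]

if __name__ == "__main__":
    for expr in ["tcp.port == 21", "ftp", "tcp.port == 20 || tcp.port == 21",
                 "tcp.port in {80, 8080}", "ip.addr != 192.168.1.1",
                 "!(ip.addr == 192.168.1.1)", 'frame.info matches "^user"']:
        print("%-34s -> packets %s" % (expr, apply_filter(expr, PACKETS)))
```

The two address filters are the ones to compare: with the four sample packets, ip.addr != 192.168.1.1 returns every packet, because each one has some address that is not 192.168.1.1, whereas !(ip.addr == 192.168.1.1) returns only the packet that does not involve that host. The same applies to tcp.port, eth.addr and any other field that appears more than once in a packet.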
Analyzing network packets (FTP Sniffing)
Let's now see how we can capture login credentials to an FTP service by analyzing the network traffic of an interface. It should be noted that this same analysis process can be carried out equally after opening a PCAP/PCAPNG.
For this lab I will use the following:
Interface: eth0
Port: 21
If you want to do this lab locally, at least the analysis part, you can download the PCAPNG file from the link below 👇
To begin on the main Wireshark screen we will apply a capture filter, selecting only the eth0 interface. For this we can directly double click on the interface name:

After this Wireshark will begin to capture the network traffic of that interface automatically. We leave the capture active and go to the terminal to connect by FTP to our VM and attempt to log in. After this we return to Wireshark and click the red stop button to stop the capture.
We begin by connecting to the FTP server; in this case I used a user recently configured for FTP access.

Once the capture process is stopped, we should see something similar to this in Wireshark:

Now let's use different filters that allow us to specifically locate FTP traffic. For example we can filter by traffic on port 21:
tcp.port == 21
And as we can see Wireshark applies the corresponding Display Filter to the results:

Alternatively we can directly filter by the FTP protocol simply by typing:
ftp
We may also be interested in seeing traffic for port 20 (FTP-DATA) together with that of port 21 (FTP):
tcp.port == 20 || tcp.port == 21
Let's filter directly by ftp and right-click on packet number 58 and choose the option Follow -> TCP Stream. In this way we can follow the step-by-step network traffic generated by our login attempt to the Windows Server virtual machine.
Keyboard shortcut for TCP Stream: CTRL + ALT + SHIFT + T

When the TCP Stream opens, we will see the sequence of interaction between the user and the FTP service. We see that the user listed the directory files and downloaded one of them.

As we can see the login credentials were ftpuser:Test123 and the user downloaded the file Executive_Secrets.txt from the FTP server to their machine. Let's see how we can locate this action in the network traffic and extract the contents of that file.
First let's filter by ftp-data:

Then we select the packet 386 where the file transfer is done (RETR), and follow the TCP Stream as we saw before.

Finally we can see the content of the file downloaded by the user during the FTP session. And we can save it to our machine using the options provided by Wireshark.

Wireshark allows us to change the format in which the data is displayed, which is useful if instead of a plain text file we were trying to recover an executable, for example. In that case we can view the content in raw mode and save it as .exe.
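As an added example (not part of the original lab, and independent of Wireshark), the Python script below does programmatically what the lab does by hand: it parses a classic pcap file, groups TCP payloads per connection the way Follow -> TCP Stream does, pulls the USER, PASS and RETR commands from the port-21 control stream, and reassembles the port-20 ftp-data stream to recover the transferred file. The capture is constructed in memory with made-up hosts, MAC addresses and file contents so that it runs offline; only the user name, password and file name mirror the lab. Checksums are not verified and segments are assumed to arrive in order, which is all a minimal reader needs to show why cleartext FTP gives a sniffer the whole session.

```python
import struct
from collections import defaultdict

# Constructed capture: hosts, MACs, sequence numbers and file body are made up.
CLIENT, SERVER = "192.168.1.2", "192.168.1.1"
MAC = {CLIENT: bytes.fromhex("0065c7162501"), SERVER: bytes.fromhex("0065c7162502")}
CONTROL = [  # (sender, line) on the port-21 control connection
    ("s", b"220 FTP server ready\r\n"),
    ("c", b"USER ftpuser\r\n"),
    ("s", b"331 Password required\r\n"),
    ("c", b"PASS Test123\r\n"),
    ("c", b"RETR Executive_Secrets.txt\r\n"),
    ("s", b"150 Opening data connection\r\n"),
    ("s", b"226 Transfer complete\r\n"),
]
FILE_BODY = b"Q3 targets: do not share outside the board.\n"

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_frame(src, dst, sport, dport, seq, ack, payload):
    """Ethernet + IPv4 + TCP (PSH|ACK) frame; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return MAC[dst] + MAC[src] + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_pcap():
    frames, seq = [], {"c": 1000, "s": 5000}
    for who, line in CONTROL:
        src, dst, sport, dport = ((CLIENT, SERVER, 49152, 21) if who == "c"
                                  else (SERVER, CLIENT, 21, 49152))
        other = "s" if who == "c" else "c"
        frames.append(build_frame(src, dst, sport, dport, seq[who], seq[other], line))
        seq[who] += len(line)
        if line.startswith(b"150"):   # active mode: server sends the file from port 20
            frames.append(build_frame(SERVER, CLIENT, 20, 49153, 9000, 1, FILE_BODY))
    return build_pcap(frames)

def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP-over-IPv4 frame."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "IHHiIII", pcap[:24])[6] != 1:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                             # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[data_off:])

def follow_streams(pcap):
    """Group payloads per connection in capture order, like Follow -> TCP Stream.
    Assumes in-order delivery; real reassembly would sort by sequence number."""
    streams = defaultdict(list)
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        if payload:
            key = tuple(sorted([(src, sport), (dst, dport)]))
            streams[key].append((sport, payload))
    return streams

def ftp_findings(pcap):
    """Credentials and RETR names sent on port 21 plus the bytes carried on
    port 20 (ftp-data): everything a cleartext FTP session leaks on the wire."""
    found = {"user": None, "password": None, "retr": [], "data": b""}
    for key, chunks in follow_streams(pcap).items():
        ports = {key[0][1], key[1][1]}
        if 21 in ports:
            for sport, payload in chunks:
                if sport == 21:                    # server reply, not a command
                    continue
                for line in payload.decode("ascii", "replace").splitlines():
                    cmd, _, arg = line.partition(" ")
                    if cmd == "USER":
                        found["user"] = arg
                    elif cmd == "PASS":
                        found["password"] = arg
                    elif cmd == "RETR":
                        found["retr"].append(arg)
        elif 20 in ports:
            found["data"] += b"".join(p for _, p in chunks)
    return found

if __name__ == "__main__":
    print(ftp_findings(sample_pcap()))
```

To run the same logic against a real capture, replace sample_pcap() with the bytes of a .pcap file; the detection value here is the findings dictionary, which is what a network monitor would alert on when it sees USER and PASS on port 21. Passive-mode FTP uses a server-chosen port instead of 20 for the data connection, so a production version would take the port from the 227 reply rather than hard-coding it.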
So far we have seen how to use the basics of Wireshark and reviewed some of the filters that will be useful when analyzing network traffic. Wireshark has many more options and it is beyond the scope of this lab to cover this tool in depth.