Wednesday, January 30, 2019

Security:Nmap

NMAP 



Nmap : a port scanner for a particular server / machine
#apt-get install nmap
#pip install python-nmap

#python
import nmap
n=nmap.PortScanner()
res=n.scan('scanme.nmap.org','22')
print(res)

#Shell
nmap 'scanme.nmap.org' -p 22,80

#Use Zenmap for GUI 
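Added example for these notes (not part of nmap or the python-nmap library): once a scan of your own hosts is saved as XML (`nmap -oX - <host>` on the shell, or `n.get_nmap_last_output()` after a python-nmap scan), the open ports can be pulled out with the standard library and compared against an allow-list of what should be listening. The XML below is a constructed sample in the nmap -oX format; the addresses and the allow-list are placeholders.

```python
"""Turn nmap -oX XML into {address: [(port, proto, service), ...]} and diff it
against an allow-list of expected listeners.

Added example; not nmap's or python-nmap's own code. SAMPLE_XML is a
constructed document in the shape nmap -oX emits, not a real scan result.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host up with two open ports, one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -p 22,80,443 scanme.nmap.org">
  <host>
    <status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="198.51.100.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ipv4_address: sorted [(port, protocol, service_name)]} for hosts that are up.

    Closed/filtered ports and hosts that are down are skipped.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append((int(port.get("portid")),
                          port.get("protocol"),
                          svc.get("name") if svc is not None else ""))
        result[addr_el.get("addr")] = sorted(ports)
    return result


def unexpected_ports(scan, allowed):
    """Return {address: [ports]} that are open but not in the allow-list.

    allowed maps address -> set of port numbers expected to be listening;
    a host missing from allowed is treated as having no expected listeners.
    """
    findings = {}
    for addr, ports in scan.items():
        extra = sorted(p for p, _proto, _svc in ports if p not in allowed.get(addr, set()))
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    scan = open_ports(SAMPLE_XML)
    print(scan)
    # Allow-list is a placeholder: only SSH is expected on this host.
    print(unexpected_ports(scan, {"198.51.100.10": {22}}))
```

Run it against real output by replacing `SAMPLE_XML` with the contents of an `-oX` file; the diff against the allow-list is the part worth scheduling, since a new open port on a host you own is the finding, not the scan itself.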

Tuesday, January 29, 2019

Security:Wireshark

WireShark Tut


Summary :
    Wireshark is a network packet analyzer. It is used to analyze individual packets on a network by filtering the data accumulated while it runs.
The main power lies in filtering the packets accumulated. Filtering works as below:
1. Open Wireshark
2. Select the wireless/wired network interface
3. Click Start Capture - Wireshark starts capturing data in a new window
4. Select any packet in the packet list screen. Each packet's data, per OSI layer, is shown in the Packet Details window
5. Open the tree in the Packet Details window and select the last child; notice the status bar at the bottom gives the filter field name, which can be used
Eg: If you have selected a packet,
now in the Packet Details window open Ethernet > Source > Select Address.
The bottom part gives you "eth.addr", which can be used in the filter field.


Basics:
1. Wireshark > Pref >capture > Promiscuous mode  (Monitor Mode)
2. protocol:
    udp: not reliable, used in chat / video conferencing, very fast
    tcp:
    icmp : ping
3. DNS(tcp /udp): port 53
4. Adding Filter :
    udp.port == 53|| tcp.port == 53
    ip.src == ip addr
    ip.dst == ip addr
    tcp.srcport == 53
    tcp.dstport == xx
    tcp.port == xx
    udp.port == xx
    ip.addr == 192.168.1.2 && (tcp.port == 53 || udp.port == 53)
5. Filter : http (packet sniffing http: video time 1:40-"The Complete Wireshark Course: Beginner to Network Admin!" )
6. iptables -I OUTPUT -p icmp -j DROP # stop your PC from replying to pings
7. detect malicious traffic in your network: find the process bound to a port and stop it
    lsof -i :port
    kill pid
8. Wireshark Command Mode :
a.tshark -h # help
b.tshark -D # List Interfaces
c.tshark -i wlan1mon # listen on multiple interfaces : tshark -i wlan1mon -i wlan0mon
d.tshark -i wlan1mon -w /tmp/result.pcap # write to file, can be opened only using Wireshark
note: Can only be written into temp folder
e.tshark -i wlan1mon -a duration:10 -w /tmp/duration.pcap # run for 10 secs
f.tshark -i wlan1mon -f "port 80 or port 53 or port 443" -b filesize:5 -a files:3 -w /tmp/result.pcap
# -f is a capture filter (BPF syntax) on ports; max file size is 5 kB, autostop after 3 files
9.watch -n 1 "ls -la" # Monitor a folder every second
10. iwconfig # tells the mode of the card
11. ifconfig #ip addrs and mac address of network card
12. lspci #list all pci devices
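The display filters in item 4 are easy to get subtly wrong: `ip.addr == X` matches a packet when X is the source or the destination, while `ip.src == X` matches one direction only, and `tcp.port == 53` covers either endpoint's port. The following added example (not Wireshark code, and not a real capture) evaluates those filters over a few constructed packet summaries so the difference in what each one selects is visible.

```python
"""Evaluate Wireshark-style display filters over constructed packet summaries.

Added example for these notes; it re-implements the matching rules of a
handful of filters from the list above, it is not Wireshark's filter engine.
PACKETS is constructed test data (documentation-range addresses), not a capture.
"""

# Constructed packets: a DNS query and its reply, an HTTP request,
# and a DNS-over-TCP query from a different host.
PACKETS = [
    {"no": 1, "proto": "udp", "ip.src": "192.168.1.2", "ip.dst": "192.0.2.53",
     "srcport": 51000, "dstport": 53},
    {"no": 2, "proto": "udp", "ip.src": "192.0.2.53", "ip.dst": "192.168.1.2",
     "srcport": 53, "dstport": 51000},
    {"no": 3, "proto": "tcp", "ip.src": "192.168.1.2", "ip.dst": "198.51.100.80",
     "srcport": 51001, "dstport": 80},
    {"no": 4, "proto": "tcp", "ip.src": "192.168.1.7", "ip.dst": "192.0.2.53",
     "srcport": 51002, "dstport": 53},
]


def ip_src(pkt, value):
    """ip.src == value: one direction only."""
    return pkt["ip.src"] == value


def ip_dst(pkt, value):
    """ip.dst == value: one direction only."""
    return pkt["ip.dst"] == value


def ip_addr(pkt, value):
    """ip.addr == value: matches when value is either endpoint."""
    return value in (pkt["ip.src"], pkt["ip.dst"])


def port(pkt, proto, value):
    """tcp.port == value / udp.port == value: either endpoint's port, and the
    field only exists for packets of that transport protocol."""
    return pkt["proto"] == proto and value in (pkt["srcport"], pkt["dstport"])


def dstport(pkt, proto, value):
    """tcp.dstport == value / udp.dstport == value: destination port only."""
    return pkt["proto"] == proto and pkt["dstport"] == value


# Filter text -> predicate, mirroring the expressions in item 4.
FILTERS = {
    "ip.src == 192.168.1.2": lambda p: ip_src(p, "192.168.1.2"),
    "ip.dst == 192.168.1.2": lambda p: ip_dst(p, "192.168.1.2"),
    "ip.addr == 192.168.1.2": lambda p: ip_addr(p, "192.168.1.2"),
    "udp.port == 53 || tcp.port == 53": lambda p: port(p, "udp", 53) or port(p, "tcp", 53),
    "ip.addr == 192.168.1.2 && (tcp.port == 53 || udp.port == 53)":
        lambda p: ip_addr(p, "192.168.1.2") and (port(p, "tcp", 53) or port(p, "udp", 53)),
    "tcp.dstport == 80": lambda p: dstport(p, "tcp", 80),
}


def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers that the named filter expression selects."""
    return [p["no"] for p in packets if FILTERS[expr](p)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:65s} -> {apply_filter(expr)}")
```

The point to take away: to see a host's DNS traffic in both directions, the note's `ip.addr == 192.168.1.2 && (tcp.port == 53 || udp.port == 53)` is the right shape; `ip.src` alone would drop the replies, and `tcp.port == 53` alone would pull in every host.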

~~~~~~~~~~~~WireShark Monitor Mode~~~~~~~~~~~~~~~~~~
Wireshark > Pref >capture > Promiscuous mode  (Monitor Mode)

1. Activate Monitor Mode on the network card
#Method 1
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
#Method2 (make sure aircrack-ng is installed)
airmon-ng start wlan1
2. airodump-ng wlan1mon # surveillance of network traffic
3. airodump-ng --channel channel_no --bssid bssid_no --path/file #saves files in pcap and other formats
4. wireshark path/file # to open file


Wifi Monitor Mode : AirCrack-Ng

Pre Req :
  1. ifconfig wlan0 down
  2. iwconfig # mode : Managed
  3. airmon-ng start wlan1



Steps :
1. airodump-ng wlan1mon
Here :
#mac address of NETGEAR : 20:xx:xx:xx:xx:xx
#BSSID: MAC address , PWR=Power,CH=Channel,PSK=Pre-shared Key,ESSID= Nw Name

2.
airodump-ng --bssid 20:xx:xx:xx:xx:EA --channel 6 --showack -w log wlan1mon
#Stations = Mac Address of devices , Frames = Device Active
#Mac Address of Laptop  : 74:xx:xx:xx:xx:53

#-w to write the results into current directory  
3 aireplay-ng -0 40 -a 20:xx:xx:xx:xx::EA -c 74:xx:xx:xx:xx:53 wlan1mo
#Here 0: disconnection code, 40: packets, -a router, -c target mac

4. Use wireshark to analyze the log.cap file

Method 2:
 1. Use Airgeddon instead