Installing & Configuring Wireshark For Traffic Analysis

All right, so let's get started with the practical demonstration. I'm just going to switch over to my Ubuntu virtual machine and we can begin by installing Wireshark, configuring it, and we can take a look at a few examples and essentially get an understanding of how to use it. We'll then be exploring or analyzing some pcap files with malicious traffic or packets. So I'll see you in a couple of seconds.

All right, so I'm back within my Ubuntu virtual machine and I'm currently on the Wireshark website. I just wanted to highlight this before we actually get started: on the website itself you have the ability to download Wireshark and learn Wireshark, so I definitely recommend taking a look at the documentation if you're not familiar with something. In addition to that, Wireshark also has its own video series which will explain how to use Wireshark, but again we are primarily focused on how to use Wireshark from the perspective of a blue team operator or a security analyst, if you will.

So you can click on Download and it will give you various options based on your platform. If you click on the latest stable release, you can see you have the Windows installer, the Windows portable app, and then you have the macOS DMG images right over here. Now if you're working on Linux, which I assume you are, then you can download or install Wireshark directly from your terminal irregardless of what package manager you're using. Ubuntu is based on Debian, which means I can install it through the use of the aptitude package manager, so I can say sudo apt-get install wireshark; that's the name of the package. If you're on Arch Linux you can say sudo pacman -S wireshark, and if you're on CentOS or Fedora you can use the yum package manager, and the package name itself is just wireshark. Now, I already have Wireshark installed, but let's see if we have an update. We don't have an update, so I'm running the latest version of Wireshark.

Now I currently have Wireshark pinned to my dock here, and let me just show you what happens. I'm currently running as a standard user, so you can see right over here I'm not root; this user is part of the sudo group. However, I just want to show you what happens when you launch Wireshark through an unprivileged user, or if you launch Wireshark without sudo privileges. So I'll just open up Wireshark here; it's going to take a couple of seconds, and there we are, so welcome to Wireshark. Now on the greeting page or the welcome page of Wireshark you'll immediately be provided with the capture filter bar right over here, that's the text field right over there, and you can see that it's going to display all your interfaces. Now because we didn't start it with sudo or root privileges, we don't have the ability to capture packets, and that's because the ability to capture packets is limited to users with sudo privileges. So that means that we need to launch it with sudo or through the root account. So what I'm going to do is I'll open up my terminal here and I can say sudo wireshark and I'll hit enter, and that's going to start Wireshark as root, which is perfectly fine, and now you can see it's going to list out all your network interfaces. Now as I said, this is running through a virtual machine on a NAT network, and that means that the connection is essentially a virtualized Ethernet connection with the other systems on this network, and my interface name is enp0s3. Of course I can confirm that by opening up a new window here, and if I type in ifconfig you can see that my default interface, let me just bring that back here, is enp0s3. My IP address, or the IP address of the Ubuntu virtual machine, is 10.10.10.31. All right, so that means that we can start capturing traffic from that interface, so let me just navigate in there.

I can immediately just click on it, and if I click on it you can see there's also a graph here that highlights the network activity, and if you hover over it, it will tell you your IP address or the IP address associated with that interface. Now before we get into display filters and capture filters, let's just click on the interface. If you double click on it, it's going to start capturing traffic. Now as I said, this NAT network really doesn't have that much going on in regards to traffic, but you can already tell that we've begun capturing a few packets. So this is essentially how Wireshark will display all the packets that have been captured, and the default user interface is going to be split into three panes. You have your packet list pane which, as the name suggests, will simply display a list of packets that have been captured, and the packet list pane has the following columns. Now this, as I said, is the default configuration; we're going to be customizing this. By default you're going to have the packet number; the time, that's essentially when this packet was sent; the source IP address, so that's where this packet has been sent from; and the destination, that's where it's being sent to. The protocol is NBSS in this case, so that just tells you the actual protocol for this particular packet: if it's a TCP packet it will tell you there, if it's a TLS packet it'll tell you that there, and of course ARP, so on and so forth; you should be familiar with the protocols. You then have the length, that essentially tells you the length of the data contained within a packet, and the info, which I will get to. So these are the default columns here, and let's take a look at the top bar, but before we do that let's take a look at some of the other panes.

All right, so the second pane is the packet details pane, so this, as the name suggests, will display the details for a packet that you have selected. I currently selected the first packet that we captured; if I select another one you can see that it essentially displays the details for that individual packet. This is known as packet dissection, so what Wireshark is doing for you here is it's providing you with the ability to select a packet that you'd like to analyze, and then within the actual packet details pane you can essentially identify or view the various layers of the OSI model. So you have your data link layer, and then of course you have your network layer, your transport layer, session layer, and then you have your application layer and then your presentation layer. So based on the type of packet you select, you're then going to be provided with details regarding that packet. You can see this starts off from the frame, so we have the data link layer, and then of course we have the network layer where we have IP, that's the actual protocol. If it's UDP that will also be highlighted there, so you can see you have UDP there as well, and that's because the protocol in this case is DHCP. If we click on the TCP packet, that is highlighted correctly there. So yeah, you have the ability to essentially go through all the layers of the OSI model, and you can then click on each of these layers and identify the various pieces of data associated with that layer. Really, from our perspective, the two layers we're going to be interested in are going to be the Internet Protocol, or this layer right over here, and then of course we're also going to be exploring the protocols. So just to summarize, from the top you have your data link layer, which again you typically associate with Ethernet, so this is where you have your frames. You then have your network layer, which is where you have IP, or ICMP; it could be IPsec or IGMP. You then have your transport layer, which is where you'd have protocols like TCP or UDP, so the transport layer is typically used for end-to-end connections. If there is a session layer that will also be displayed; if there is a presentation layer for protocols like SSH, FTP, etc., that'll also be displayed; and of course you have your application layer, which will display protocols like HTTP, SSH, DNS. So this will make sense as we progress. The final pane is right over here, the one at the bottom; that's going to be your packet bytes pane, which essentially displays the actual data or content within a particular layer in ASCII, and it's essentially sorted by default as hex. So you can also display it as hex or as ASCII, or you can just show the text based on the packet by right clicking on it; you can also display it as a hex stream if you wanted to, and in this case we'll just stay with the defaults. As I said, this might be a little bit confusing at this point, but it'll start making sense.

All right, so that is essentially the interface here. Now let's take a look at the top bar. We've already started the actual capture, and if this button is grayed out that means that it's still capturing packets, so if you scroll all the way to the bottom this is the latest packet that was captured. You have the ability to stop the live traffic capture or packet capture, so I can stop that there, and now you can see I have the ability to resume or to start a new packet capture again. I can also restart the current packet capture if I wanted to, and this little cog wheel right over here allows me to essentially specify the capture options, where I have the ability to specify the interface I would like to essentially capture with. If you take a look at the actual column here, let me just resize that and reorganize it, you can see that we have the interface name; the link layer header, so that tells you the type of connection, and if it's a wireless connection it'll tell you that there; and promiscuous mode. If this is checked, then that means you can essentially intercept or capture traffic that is being sent on the network for other devices, which is exactly what we were able to do when we ran the actual live packet capture. If you're capturing on a wireless network then monitor mode will be enabled if your network adapter supports it, and then it'll also tell you whether a capture filter has been applied right over here. You also have the ability to enable promiscuous mode on all interfaces, so as it says, you probably want to enable this. Usually a network card will only capture the traffic sent to its own network address; if you want to capture all traffic that the network card can see, mark this option, and you can see the FAQ section for some more details regarding the actual promiscuous mode. You then have the output options, where you can essentially capture to a pcap file immediately, and the output format that you're provided with is pcap next generation, or pcapng, and the standard pcap format, which is what I recommend. In our case we really don't want to be saving to a file unless we have identified some important information and we would like to export that traffic into a pcap file. You then have the options here; this essentially allows you to resolve MAC addresses and resolve network names, which I would recommend you enable, and you can also show the capture information during a live capture, which I would recommend leaving unchecked. You can leave all of the other options as they are. You also have the ability to stop capture after a specified number of packets, a specified number of files, when the actual capture reaches a specific size, or at a fixed duration, so you can say after 10 seconds I want you to stop the capture, which can be very very useful. At the bottom you have your capture filter, which allows you to essentially specify a filter, and based on that filter that's the only traffic that will be captured. Now as I said, this is something that I will be walking you through in a couple of seconds, but it's something that you want to avoid whenever you're capturing traffic, because ideally you want to capture all the traffic or all the packets that are being sent on a network and not limit this unless you want to do so. That's where display filters will come into play. Display filters essentially allow you to filter through the current capture, which again is going to be capturing all the traffic, so you can use a display filter to filter through those packets, as opposed to using a capture filter, which will restrict what is being captured based on the filter you specify.

All right, so that's the actual cog wheel there; that's capture options. You then have the ability to open a capture file or a pcap file. You can save this capture file as a pcap, so for example I can save it on my desktop and I can specify the format as Wireshark or tcpdump pcap, specify a name, save it, so on and so forth. I can then close this capture file, so I can say continue without saving, or I have the ability to save it; if I hit enter you can see that is displayed. I can also reload this file if I'd made any changes and I wanted to go back. I can also find a packet, go to the previous packet or the next packet, I can go to a specified packet, and I can also go to the first packet that was captured and of course the last packet. You then have the ability to automatically scroll to the last packet during a live capture, which is very useful, and then of course this is where the actual coloring rules will come into play, which I'll get to in a second, and of course one of the most important features is the ability to enlarge the main window text here, as you can see there, and you then have the ability to zoom out. So what we're going to do here is let's just stop this capture, and I'm just going to go into options and I'm going to disable the resolve network names option there, and I'll start that again, and that should provide us with the source and destination IP, because before that it was essentially providing us with the host name, which is not bad, but in our case we really don't need it.

All right, so now that we have an idea as to the default interface, let's take a look at how to customize this interface. I'm just going to stop capturing packets, there we are, that's perfectly fine, and let's take a look at how we can customize a couple of aspects in regards to the user interface and the way the actual panes are displayed, and we'll also be exploring the coloring rules for packets, which again is something that we'll constantly be taking a look at as we progress. So what I'm going to do is I'm going to start another live packet capture on enp0s3, that's my default interface; in your case the name will probably be different, it could be ethernet 0, ethernet 1, you get the idea. So I'll double click on that and let's head over into Edit and into Preferences. This allows you to customize Wireshark, and we are primarily interested in the Appearance section at this point in time. Under Columns, this is where you can add to the current columns of the packet list pane, which I'll get to in a second. You then have your Font and Colors, which again you can change based on your screen resolution and aspect ratio, and I'll get into how to zoom in in a couple of seconds, and you can of course change the font and the font size. So for example I can make that 11, and I can hit OK, and that increases the actual size there. However, I do not want that to be italic or italicized, so I'll just say I want this regular and I can hit OK, and there we are, fantastic; you can see that that increased the size. Now you can also zoom in and out based on your own preference, which again is very helpful. Another useful keyboard shortcut is the Control, Shift and plus key, which will zoom in, so I can zoom in like so, and I can also zoom out by using the Control and minus key combination. So that looks like it is appropriate; I'll just zoom in, there we are, hopefully that's visible to you now.

If we go back, I'm just going to stop the packet capture, and if I go back into Edit and Preferences and I click on Layout, you can see that it essentially provides you with various layouts based on your requirements. So based on your screen resolution and the aspect ratio of your monitor, you can essentially modify the layout of your panes. You can see that you can specify what pane you want displayed on pane one, pane two and pane three. So let me just restore the default: you can see on pane one that is the packet list pane, on pane two we have packet details, and on pane three we have the actual packet bytes pane. Now as for the layout, I can say I want pane 1 to be displayed on top and I want panes 2 and 3 to be split at the bottom, so if I hit OK you can now see that that just reconfigures the layout here of your panes. As I said, based on your screen resolution and aspect ratio and your own personal preference, this might work for you, and in my case I typically like using this in addition to a couple of other ones, so you can play around with this based on your own preference. You can also have one and two displayed side by side; I don't recommend doing that. The objective really is to have the packet list pane have its own wide layout, or to have it display information without any restriction, because a lot of data is being displayed there that is very important during analysis. So I typically use this option or this layout here, or layout two, and as I said you have the ability to customize what is displayed in pane one, pane two and pane three. You can also show the packet separator if you want; that is going to add a little line here that again is really cool for visibility if you are visually impaired in any way. So I'll just go into Preferences there, and I think we can leave that on, I really like that, and of course you can also show the actual packet number within the status bar, but we're just going to leave that as is.

Now the next aspect of Appearance that you can customize is the Columns. This is going to be very important for the exercises we'll be exploring. You can see that it starts off with column one all the way to the bottom, which displays Info; we want to add a couple of columns to this. You can see we have the time, we also have the source and destination address, the protocol, the length, etc. The first customization we want to change is the actual time, so you can double click on that there; this is going to bring a drop down, and we want to have this displayed in UTC time, so that will provide you with an accurate idea as to what time that packet was sent, because right now it just shows the actual time based on the information it obtained from the packet. We want to add another column for the source port, so that's the new column there; you can click on the title there to change it, so we'll say Source Port, and we can then click on the type here and we can then say we're looking for the source port, and that is going to be the unresolved option there, so Src port, unresolved. We can then add the other column, which is going to be the destination port, so I'm going to say Destination Port, and of course you can use whatever heading you want or whatever title you want, and for the type we are looking for the destination port, so Destination port, unresolved, right over here. We can then select and drag and drop it in regards to where we want it, so I'm just going to have this below the source address; let me just drag it there, hopefully it allows me to add it. There we are, so source IP address and source port, and then the destination port can fall under the destination IP address right over here, fantastic. So we can hit OK, and now you can see we have a few more columns added there, and what you can also do, which is really very helpful, is you can resize this based on your own requirements. You can see that the time is now being displayed in UTC format, and we can resize these columns based on our requirements. One thing I would recommend doing is aligning the actual source and destination ports so that it displays the information in a much more readable format, so you can see that starts to make sense, and you can also do this for the IP addresses so that you can make sure you can read it. I'm just going to get rid of that for the source and destination IP; I only like centering the source and destination port option. So this information, as I said, is going to be very very useful. You can then resize this so that everything fits within your screen, and again you can always zoom out if you want to. So there we are, that's how to add custom columns.

Now let's talk a little bit about color coding specific types of packets. If I go into View and I click on the Coloring Rules menu item here, you can see that the Colorize Packet List option has been enabled. If I disable it, which I can also do directly from here, you can see that it gets rid of the color coding for the packets. Now this is something that I don't recommend that you do, primarily because color coding is very important, and Wireshark has its own color coding based on the type of packet. If I go into View and the Coloring Rules, you can see that for specific protocols like TCP, UDP, ARP, SMB, HTTP, it has its own color codes, and the filter here is the actual display filter. So for example if an ARP packet is captured then it will be color coded as this light orange or creamish color; if it's a TCP or UDP port you're going to have this light magenta or purple color here, and for UDP it's blue; for SMB it's going to be yellow; for HTTP it's green. So I recommend going through these color codes so you understand what's going on. I'll be showing you how to add your own color code, and why that is useful, in a couple of seconds. All right, so now that we've got an idea as to how to customize the actual panes and how to essentially modify the font and how to add columns, let's get started with display and capture filters.

I just want to take a couple of moments to thank our patrons: thank you Michael Hubbard, Dustin Umpress, Jerry Speds, Doozy, Sid Saab, Ryan Carr, Shamir Douglas, Jojo Bibi Balangos, Kush, Kev RS, Nino Boykov and David Bricker. You guys are really awesome, thank you very much for supporting us; you guys make these types of videos possible, so we really appreciate it and we look forward to producing even more high quality content.
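As an added example that is not part of the video or of the Wireshark project: a small Python reader for the classic libpcap format that rebuilds the packet-list columns configured above (UTC time, with source and destination ports beside the addresses) from a two-frame capture constructed inline, and that refuses pcapng files, the other format the capture-options dialog offers. The MAC and IP addresses, ports and timestamps in the sample are made up.

```python
# Added example (not from the video): minimal reader for the classic libpcap (.pcap)
# format, producing the columns set up in the tutorial: No., UTC time, Source,
# Src port, Destination, Dst port, Protocol, Length.
import struct
from datetime import datetime, timezone

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_sample_pcap():
    """Constructed capture: a DHCP-style UDP frame, then a TCP SYN to port 445."""
    def frame(src, sport, dst, dport, proto, payload):
        eth = bytes(6) + bytes(6) + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
        if proto == 17:                                  # UDP: sport, dport, length, checksum
            l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        else:                                            # TCP: 20-byte header, SYN flag set
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
        # IPv4 header; checksum left at 0 because this reader does not verify it
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return eth + ip + l4

    frames = [  # (seconds since epoch, microseconds, frame bytes); values are made up
        (1652659200, 0, frame("10.10.10.31", 68, "10.10.10.1", 67, 17, b"\x01")),
        (1652659200, 250000, frame("10.10.10.31", 40000, "10.10.10.10", 445, 6, b"")),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        blob += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return blob

# Magic number -> (byte order, timestamp fraction units per second).
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),
}

def dissect(no, sec, frac, tsres, data, length):
    """Ethernet -> IPv4 -> TCP/UDP dissection into one packet-list row (UTC time)."""
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=frac * 1_000_000 // tsres)
    row = {"no": no, "time": ts.strftime("%Y-%m-%d %H:%M:%S.%f"), "src": "", "sport": None,
           "dst": "", "dport": None, "proto": "ETH", "len": length}
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return row                                        # not IPv4 (e.g. ARP): ports stay blank
    ihl = (data[14] & 0x0F) * 4
    proto = data[23]
    row["src"] = ".".join(str(b) for b in data[26:30])
    row["dst"] = ".".join(str(b) for b in data[30:34])
    row["proto"] = IP_PROTO_NAMES.get(proto, f"IP proto {proto}")
    l4 = data[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:                 # TCP and UDP both start with the two ports
        row["sport"], row["dport"] = struct.unpack("!HH", l4[:4])
    return row

def parse_pcap(blob):
    """Return packet-list rows for a classic pcap; rejects pcapng and non-Ethernet captures."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == 0x0A0D0D0A:
        raise ValueError("pcapng capture: save from Wireshark as 'Wireshark/tcpdump - pcap' instead")
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file")
    endian, tsres = PCAP_MAGICS[magic]
    (linktype,) = struct.unpack(endian + "I", blob[20:24])
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; this reader handles Ethernet only")
    rows, off, no = [], 24, 1
    while off + 16 <= len(blob):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        rows.append(dissect(no, sec, frac, tsres, blob[off + 16:off + 16 + caplen], origlen))
        off, no = off + 16 + caplen, no + 1
    return rows

if __name__ == "__main__":
    for r in parse_pcap(build_sample_pcap()):
        print(f"{r['no']:>3} {r['time']} {r['src']:>13} {str(r['sport'] or ''):>6} "
              f"{r['dst']:>13} {str(r['dport'] or ''):>6} {r['proto']:<5} {r['len']}")
```

The same rows filtered in memory, rather than at capture time, is what a display filter does; a capture filter would have kept the second frame out of the file altogether.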
Info
Channel: HackerSploit
Views: 32,309
Id: NwY57Wv0yfA
Length: 25min 7sec (1507 seconds)
Published: Mon May 16 2022