Wireshark Basics | Complete Guide | TryHackMe Wireshark The Basics & Packet Operations

Captions
What's going on guys, welcome back. In this video we'll be covering Wireshark from A to Z, so if you want to learn how to use Wireshark this video is for you. First we're going to cover the GUI navigation items, then packet dissection, then the navigation of packets (how to navigate through different sorts of packets), then data extraction and export, and then the most important aspect of Wireshark, which is packet filtering. As a reminder guys, this video is part of two rooms: the first one is Wireshark: The Basics and the other one is Packet Operations.

So first let's go over the GUI and talk about the various sections of Wireshark. Once we open Wireshark we see this landing page. As you can see, here we have the menu and then what is called the toolbar; the menu plus this bar together are called the toolbar, and it contains multiple menus and shortcuts for packet sniffing and processing, including this button to start a live packet capture. Then we have the display filter; this is where we apply the queries and the filtering, which we'll be covering later on. Then we have the recent files that have been opened by Wireshark; these represent packet capture files. Then we have the capture filter and the interfaces, which represent the available interfaces and capture points. Lastly, at the very bottom we have the status bar, which contains the number of packets, the profile and the tool status.

Now let's load a sample packet capture. We can do so from the File menu using Open, and then navigate to the file; we're going to choose the first exercise file. Here we can see the packets are loaded; the file is called exercise.pcap. This is the packet list, the pane containing the packets. Down here on the left we have the packet details, and on the right we have the packet bytes. The packet list contains a summary of the packets: the source and destination IP addresses, the protocol, the length. We can of course add columns; we're going to see how to do that later on. In the packet details pane on the left we can see a detailed protocol breakdown of every single packet; whenever we highlight a packet in the packet list the information in the packet details changes, broken down based on the protocol. On the right we have the packet bytes pane, where we can see the hex and ASCII representation of the selected packet; when we change the packet the representation here changes.

One more thing about Wireshark is the colors. We can control the coloring of packets from the View menu: click on View, then Coloring Rules, and we can see the rules followed by default to color the packets. For example, we have the ARP packets with this color and the TCP reset packets in red. We can change these colors from here.

Now these buttons here are for packet capturing. If we click on the blue shark button we start a packet capture, meaning we start to sniff the packets on the configured interface. By default we see the interface here; if you click on that, as you can see, it could not run as this user, we need permissions, but when this starts we start capturing packets. Let's go back to the exercise. Once a capture starts we have this red button here, and when we click on it we stop the capture.

Okay, let's go back to the exercise, go to Statistics and click on Capture File Properties. Here we can see all the details about the current capture file: for example, the number of bytes captured, the time span, everything there is to see about the current capture file in a brief fashion.

Now let's take a sample packet and go over the various sections in the left pane. As an analyst, or even as a network administrator, you need to understand the meaning of every single section in the packet details. For example, let's take a look at this one; we have the protocol breakdown. First we have the Frame: if we click on the frame and expand it we can see the details here. The frame shows us the frame, or the packet, we're looking at, and details pertinent to the physical layer of the OSI model; all this information is pertinent to the physical layer of the OSI model, not the data link layer. Then we have Ethernet; we click on this and here we can see information pertinent to the data link layer, meaning the source and destination MAC addresses of the packet. Third we have Internet Protocol Version 4, where we can see the breakdown based on the network layer: the IPv4 addresses, meaning the source and destination IP addresses. As you can see, this is the source address and this is the destination address. Lastly we have information about the Transmission Control Protocol; here we can see information about the TCP layer such as the source and destination port numbers. Sometimes, if you are examining a packet that has application layer details such as HTTP, you will see an additional section here; this section is pertinent to the application layer of the OSI model, and here you can see information about the protocol belonging to this layer.

As you can see guys, the packet details pane breaks down the information about every single packet based on the OSI model, so if you don't know the OSI model it's very recommended to go back and review it, because the protocol breakdown relies heavily on the OSI model. Let's go back to the HTTP packet: here we can see an additional entry detailing the protocol in the application layer. If we expand this we can see information such as the type of the request, the host, the user agent; we can see the GET request, whether it is GET or POST or PUT or DELETE, so we can see details about the application layer protocol from here.

Now that we understand the protocol breakdown, let's learn how to navigate through these packets. As you can see, these packets are numbered, starting with 1, 2, 3, 4, 5. This makes it easy for us as analysts and network administrators to navigate through packets. But how? We go to the Go menu and select Go to Packet, and a new bar pops up where we can enter the packet number. Say I want to navigate to packet number 50: I enter 50 here and go to the packet (it went to 5, the zero wasn't typed), and it takes me directly to packet 50, as you can see. From here I can again examine the protocol breakdown of this packet.

Alternatively, if you want to find packets in a more detailed fashion, you can select the Edit menu and then Find Packet. A new bar pops up with Packet details, Packet bytes and Packet list; we explained these earlier. As a reminder, the packet list is here, the packet details is the pane on the left, and the packet bytes is the pane on the right. Here we choose where to look, which view we want to search in; if you select packet details it's going to look for the packets in the left pane. Here we choose the type of search: are we searching for a string, a hex value, a display filter or a regular expression? Most of the time searches are conducted using either string or regular expression. For example, let's select search using a string, type "download" here and click on Find. What does that mean? It means Wireshark will now look for the string across all packets using the packet details, and if there is a match it will show me the match here in the packet details. As you can see we have one hit, on packet number 31,192, and we found the word "download" here, under the line-based text data in this packet. If you look closely at this packet, we can see it is a response to a request. You can click Find one more time to see more occurrences of the same word; currently we have only one. When we have more than one occurrence the packet number changes, meaning we are now examining a different packet that contains the word "download".

Now let's say you are examining a capture such as this one and you found a packet of interest. You want to analyze this packet, but currently you have other things in hand that you are analyzing, so you want to get back to it later. What you do is highlight the packet and click on Mark/Unmark; this will highlight the packet, as you can see, in black. Again guys, you can change the coloring rules by going back to the View menu (not File or Edit) and changing the coloring rules if you want marked packets to be highlighted using a different color. For now we highlight the packets, as you can see, and we can get back to them later for future analysis. If you want to remove the mark you can simply right-click and select Unmark, or unmark all the packets.

Another useful feature in Wireshark: suppose more than one analyst or network administrator is working on the packet capture and you want to see another analyst's perspective on a certain packet. You can right-click here and select Packet Comments; it will show you all the comments, if any, written by other analysts. If you want to write a comment for other analysts to examine, you can write your own here, "demo", and if you want you can write the date, then click OK. Now, examining the packet one more time, you can see we have a new Packet comment section in the packet details, where it shows me the comment written. I wrote the date here so that analysts know when I typed the comment.

Okay, so now we know the basic features. Let's say we want to extract a specific packet for further analysis. Remember that Wireshark is not the only tool in the market for packet analysis; we have TShark, tcpdump, Zeek, Brim, and we talked about all of these in previous videos. Now let's say we want to export specific packets for further analysis using different tools. We can select a packet such as this one, selecting it with Ctrl, then go to File and Export Specified Packets. Here we can select to export all packets, selected packets only, or choose by range using the numbers. Once we do that we give it a name and click on Save, and it will export the selected packets in a pcap file which you can analyze later or export into a different tool. Alternatively you can export all packets, but since you already have the packet capture you don't need that option at all. Let's click on
cancel. Now let's learn how we can extract artifacts from the packets, such as images, executable files, HTML files and so on. We can do that using the Export Objects feature from here. Click on Export Objects and we can see we have HTTP (exporting artifacts from the HTTP protocol), SMB, TFTP and other protocols. If you click on HTTP it will show you all the artifacts that can be extracted from HTTP packets in the current capture file: we have one HTML file, another one here, what looks like a text file (a note file), and it looks like we have images as well. We can Save All, or save a selected one by clicking on Save. We're going to save one of these, the text file; you're going to find out the reason later on. This is the note; we select this one, save it to the desktop and take a look at the file. So this is a note file.

Back to Wireshark. One more thing which is useful for network administrators who troubleshoot network problems is the Expert Information, which can be found by clicking on the lower left section, as you can see; we click on this and bring up this window. What does all of this mean? We have different colors, and every color has a different meaning. For example, packets with the red color mean we have problems with these packets, meaning they are malformed packets; we can see the explanation using the group here. For every color we have the number of packets: for red we have 15 packets (14, sorry, 15), meaning 15 packets are considered malformed. We have 1,636 packets highlighted with the yellow color, meaning warnings like error codes or problem statements; this color means events such as application error codes; and the blue color is informational, meaning nothing is wrong with the packets, it's just information on the usual workflow. So we can use the expert information to analyze the packets and see if we have network problems, error codes or problem statements.

Now let's talk about filtering packets, which is the most important feature in Wireshark. When we talk about packet filtering we are talking about narrowing down the search to one aspect, or multiple aspects, of a packet. As you can see, every packet has a source IP and a destination IP, and we saw the protocol breakdown in the packet details pane. There are different types of filtering. The first one is called Apply as Filter, which is a way of filtering on a specific entity from a packet. Let's say we have this packet with a source IP address of 145.254.160.237 and I want to filter all packets with this IP address: I can right-click and go to Apply as Filter, Selected. As you can see, now everything changed: the number of packets changed, the view changed, and we can see in the display filter bar that Wireshark has automatically typed the filter for us, so there is no need for us to know the syntax for this kind of filter. On the other hand, we are searching with only a specific IP address; here we are looking to extract all packets that have this IP address as a source or destination. If you want to cancel the filter we can click on the X button and this will bring back the original view.

Now there is another sort of filtering called the Conversation Filter. Previously we had only one single entity by which we search the packets; with the conversation filter we look for packets that are similar or related to this packet in terms of the IP addresses and port numbers. We can right-click here, select Conversation Filter and select IPv4, for example. Look at the filter now: ip.addr equal to the address starting with 145 and ip.addr equal to the address starting with 65. Why did Wireshark bring up this filter? Because when we use the conversation filter we use more than one entity to look through the packets. That's the main difference between the conversation filter and Apply as Filter: in Apply as Filter we use a single entity, but with the conversation filter we use both entities, both IP addresses, to look for packets similar to this one. We can also cancel this one and change the way we apply the conversation filter: right-click here, choose Conversation Filter again and this time TCP. What happened here? Right now we are using the IP addresses and the port numbers to find packets relevant or similar to the selected one. One more thing about the conversation filter is the ability to colorize the packets: for example, I can right-click here, select Colorize Conversation, select TCP and choose a color for this, and now the colors change accordingly; I can right-click again, select Colorize Conversation and choose a different color, which changes the colors again.

Okay, let's now click on X and choose a different filter. There is the filter named Prepare as Filter. It is similar to Apply as Filter, which we saw previously; however, it doesn't apply the filter after the choice. Let's take an example: we go here, choose Prepare as Filter, and look at this: Wireshark has automatically typed the filter but hasn't applied it yet. When we press Enter we apply the filter, and now it is the same as Apply as Filter. So the difference is that with Prepare as Filter Wireshark doesn't automatically apply the filter; it just types it in the display filter bar.

The next one is Apply as Column. It is different from the previous filters in that it adds the selected field as a column. For example, we can go here to this sample DNS packet, select the User Datagram Protocol, select the source port, right-click and select Apply as Column. Now the source port has been added as a column back here. We can add the destination port as a column as well, and we have the destination port column added here. The cool thing is it applies to all the packets, so we can see the source and destination port for all the other packets, and we can use them as search criteria as well.

An additional feature in Wireshark is viewing the raw data of every single packet. This feature is used tremendously by security analysts and network administrators while analyzing packet captures. For example, we can right-click a packet here and select Follow, then TCP Stream (or follow the stream; it may differ, TCP or UDP, depending on the type of packet; here it is offering only Follow TCP Stream). We're going to go to Follow TCP Stream and we can see the raw details of the packet: the GET request. Everything in red is the request sent by the client and in blue the response sent by the server.

All right, so up until now we have discussed the basic features of Wireshark, packet navigation and filtering. Now let's go ahead and answer a couple of questions in the Wireshark room here.

Tool Overview. Scrolling down: "Read the capture file comments. What is the flag?" Select Statistics, Capture File Properties, scroll down to the comments and we can see the flag. "What is the total number of packets?" We can see the total number of packets from here: 58,620. "Using the capture file properties, what is the SHA256 hash value of the capture file?" Again, we can see the hash of the file in the same pane; this is the SHA256 hash.

Next, Packet Dissection. "View packet number 38." Let's go to packet number 38 using Go to Packet; this is packet number 38, and let's mark the packet so it's easy to find. "Which markup language is used under the HTTP protocol?" Let's go back to the packet; we want to see the protocol breakdown information, and we can see it is eXtensible Markup Language; that's the markup language listed here. "What is the arrival date of the packet?" These are details that can be found in the packet details section. For the arrival date we scroll down here, expand this and highlight it: the date is Thursday, 13 May 2004. "What is the TTL value?" The TTL value is the time to live value, and it's a value specific to the Internet Protocol, so we select Internet Protocol Version 4 and from there we can see the TTL value, scrolling down: it is 47. "What is the TCP payload size?" We look for the payload size in the Transmission Control Protocol section. The TCP payload size can be found... let's see where it is; yes, it is 424. Lastly, "What is the ETag value?" The ETag value can be found in the HTTP details; it should be here, and here is the ETag.

Okay, Packet Navigation. "Search the 'r4w' string in packet details. What is the name of artist 1?" Now we are searching for strings in the packets, so we need to use Edit, Find Packet. We select packet details as the place where we want to search for the string, type the string here, make sure String is selected and click on Find. Let's see: we found one hit here in packet number 33790 and we have the string r4w. The question is what is the name of artist 1. As you can see we have a value here, artists.php?artist=1, and that's the complete name of the artist. "Go to packet 12." Okay, this is packet 12; let's mark the packet, and we want to read the comments. Packet number 12, as highlighted here, indeed has a comments section in the packet details pane, so we expand it and we can see it. What is the answer? We have kind of nonsense comments; this is not the flag, but we have instructions here on how to find the answer. It says go to packet number 39,765, look at the packet details pane, right-click on the JPG section and export. So, going to packet 39,765, indeed we have a JPG section, meaning there is an image transferred in this packet. We right-click here and select Export Packet Bytes, meaning we want to export the artifacts, whatever there is in this packet. We select the desktop, we need to give it a name, let's say "test", and here we have to select Raw data, all files; say raw data. Here we have the image. Now we open up the command line, cd to the Desktop, run md5sum test, and this gives us the answer. "There is only one text file inside the capture. Find the file and read it. What is the alien's name?" Remember guys, we did this earlier and I told you there is a reason why I exported this file; we open it and we can see indeed there is an alien, and that's the alien's name. "Look at the Expert Info section. What is the number of warnings?" Again, the expert info section is used to troubleshoot network problems. Going back to Wireshark, go to Statistics... oh, not Statistics, it is in the Analyze section. The number of warnings: remember that warnings are highlighted in yellow, and we can see the number of packets with warnings; they are 1,636.

Lastly we have Packet Filtering, where we are required to go to packet number 4.
Go to packet number 4. So we have the packet here. The question is: "Right-click on the Hypertext Transfer Protocol and apply it as a filter. Look at the filter pane. What is the filter query?" We highlight the HTTP in packet number 4. If we select here it's going to apply the destination address; if we select here it's going to apply the source; selecting here applies the length of the frame. Now select the HTTP; it is not popping up, it's not allowing me to select it, so anyway I'm going to write "http" here. "Look at the filter pane. What is the filter query?" It's http. "What is the number of displayed packets?" We can see the number of displayed packets; I remind you guys it can be found in the lower pane, from here we have 58,620... oh no, if we apply the filter, that's the total number of packets, but the displayed is 1,089. "Go to packet number 33790." Okay, let's do that; this is the packet. We're going to highlight this so we don't get lost, and "follow the stream. What is the total number of artists?" This is the packet for the stream, meaning we want to see the raw data. I have two streams, TCP and HTTP; which one to follow? Let's go back to the question: there's no specification, so I'm going to choose HTTP. "What is the total number of artists?" Scrolling down to see the response from the server; if we search for the word "artist"... we have the page artist.php, not interested in this, also these are... okay, so here we can see artist=1, meaning we have one artist; searching for other occurrences of this word, we have artist=2, meaning we have two artists, and artist=3, meaning we have three artists; searching for more occurrences brings us back to the very beginning, which means we have only three artists. "What is the name of the second artist?" You have to open this back up; search for artist=2, and the name is Blad3. So that covers the answers for this room.

Okay, now, having explained the basic features of Wireshark, the navigation of the packets, the filtering, and having answered some questions which demonstrate the practical side of this explanation, let's now cover other aspects of Wireshark. Assume that you have gone over these packets, analyzed a couple of them, and then you want to get information on the bigger picture of this capture file: the representation of the protocols, the number of packets for each protocol, in addition to the endpoints and the queries. All of this statistical information can give you a larger picture of what the packet capture represents in terms of the protocols exchanged, the number of packets for each protocol and the queries. To do that you go to Statistics and explore the options.

Let's start with Resolved Addresses. If you click on Resolved Addresses we can identify the IP addresses and the DNS name or hostname for every IP address, or even Ethernet addresses. As you can see, we can use "all entries" and we can click on Hosts to see the IP addresses and the name resolution, the DNS hostname, for these IP addresses. This helps us tremendously if you want to examine whether there are C2 servers found here; you can find them from here. You can also search through Ethernet addresses, or MAC addresses, and it will give you the manufacturers: take a look here, we have the manufacturer name for every MAC address. So this gives us the resolution for every type of address, whether it is a hostname, an IP address or a MAC address.

Now let's take a look at the other option, which is Protocol Hierarchy. Here it breaks down all available protocols from the packet capture file and helps us view the protocols, as you can see guys, in a tree view based on packet counters, percentages and so on. We can see the overall usage of the ports and services and focus on the event of interest. For example, in the Ethernet protocol we can select IPv6 and see the number of packets exchanged; in this case we have 38 packets under IPv6, and under UDP we have one packet. For IPv4 we have 8 1,000 and they represent 99% of the packets; under IPv4 we have UDP and again other protocols such as NetBIOS, SNMP, Transport Layer Security. So it is a protocol breakdown for each protocol, with the percentage of packets and the number of packets; we can view them from the protocol hierarchy.

Okay, now we go back here and select Conversations. A conversation represents the communication, or the traffic, between endpoints, whether they are represented by their Ethernet address, IPv4 address or IPv6 address, based on the TCP or UDP protocol. We can see the packets exchanged between hosts using the Conversations menu. The other one here is Endpoints. Endpoints is similar to Conversations; the only difference is that this option provides unique information for a single entity. For example, looking at the Ethernet entity we can see the pertinent statistical information for this Ethernet host; IPv4 is the same, more detailed information about every single entity. On the other hand, if we go back to Conversations and click on IPv4, we can see the same thing but with less focus, less detail, on other aspects such as the country and the city, which we cannot see here; but we can see aspects such as the flow of packets from A to B, address A and address B. We can see the flow of packets between them but not details for every single one of them. So it's useful to look at the Conversations option if you want to see the traffic exchange between hosts, but if you want to focus on every single host or endpoint you want to look at Endpoints.

Here in Endpoints we have this feature, Name Resolution. This option is offered if you highlight a single IP address; we can select name resolution but it is not enabled, so we have to enable it from the Wireshark menu. If this is not enabled you go to Edit, then Preferences, select Name Resolution and we can see the options: we can resolve MAC addresses, and we need to select "Resolve transport names" and "Resolve network (IP) addresses". Once we click OK everything changes here: for every IP address that can be resolved we can see the resolution of the IP address. We go back to Endpoints, click on an IP address, and now the name resolution feature is enabled; click on Name Resolution and we can see the name resolution for every single IP address, which resolves to the DNS name of this IP address. Fine, let's go back to Edit, Preferences, Name Resolution and bring the settings back to where they were.

Okay, back to Statistics. We've explored Resolved Addresses, Protocol Hierarchy, Conversations and Endpoints; now let's go over the IPv4 Statistics and IPv6 Statistics. Here we can see more details per protocol. Under IPv4 we can select All Addresses and see more details about every single IP address: the count, the bytes; we can sort them as well. For example, this IP address has exchanged 58,570 packets, and we can see the rate and the percentages as well. Alternatively you can go back here and select to analyze them using Destinations and Ports, or you can focus on Source and Destination Addresses, or IP Protocol Types; click on this and we can see statistics based on the protocol, UDP or TCP. Back here again you can select IPv6, All Addresses, and see statistical information for every single IPv6 address.

Sometimes we want to focus on protocols. Let's say we want stats about application layer protocols such as DNS: you can click here and take a look at the stats related to the DNS protocol. For example, we can see here the total number of packets is 171; when we focus on this we can see more details such as the number of packets for every DNS query type. We have 86 queries and 85 responses, and we can see the breakdown of every single query: we have A queries, AAAA queries and PTR queries as well. The same applies to HTTP; under HTTP we can select to view the packet counter (the number of requests), the load distribution and the request sequences. If you take a look at the requests we can see all the requests made in the packet capture, and their count as well. So everything there is to find about the statistics for the protocols and the IP addresses can be found in the Statistics menu we have just explored.

Okay, now we need to go back to the filters. Remember guys that we have two types of filters: the capture filter and the display filter. Most probably we need to focus on the display filter, which we use through the display filter bar, the white one, where we can apply all sorts of filters to extract insights and events. It's worth mentioning that there are operators we need to keep in mind before we start using display filters. Let's go to the board and explain these filters; open a new page.

We're going to start with the operators we need to learn before we learn how to write the filters. First we have the comparison operators. What are the comparison operators that can be used in the queries? (a) We have equal, which is represented by two equal signs, similar to Zeek, similar to Brim (sorry), which we talked about in the previous video. For example, ip.addr == 10.10.10.1; we use this query to look for packets containing this IP address. That's the equal operator. (b) We have not equal, which is used with this expression; the same applies here: if you apply this it looks for packets where this IP address is not found. (c) We have greater than, which is simple, and (d) less than, also simple; that's the expression. (e) and (f) are greater than or equal and less than or equal; this is the expression for these. Those are the comparison operators.

What about other kinds of operators, such as the logical operators? Open a new page here. Two: the logical operators. What are the logical operators? First we have AND, then OR, then NOT. AND is represented by a double ampersand (&&), OR by two pipes (||), and NOT by one exclamation mark (!). For example, let's say I want to search for packets containing two IP addresses: ip.src == 10.10.10.1 && ip.dst == 10.10.10.2. Here I want to look for packets where the source IP equals this and the destination IP equals this. The AND will match the condition if both operands, the one on the left and the one on the right, satisfy the condition; meaning if one of them wasn't found in the packet, that is if 10.10.10.1 was found in a packet as the source address but the destination address of that packet was different from this one, it's not going to satisfy the condition, hence it's not going to return that packet. OR works differently in that only one of these operands needs to satisfy the condition, needs to exist in the packet, in order to return the packet as one that satisfies the condition. Lastly we have NOT; an example of NOT is ip.src != this, which finds all the packets where this IP address is not mentioned. One note about this: the use of this is deprecated, therefore we cannot use it anymore in newer versions of Wireshark. What's the alternative? Instead of this formula we can use the exclamation mark in front of the expression, and here it's going to look for all packets where this IP is nonexistent.

Okay, now let's take a look at some filters I have here. This one, for example, shows the packets containing the IP address here. This one is deprecated, so we're going to remove it and use the newer expression here; it will look for the packets where the IP address 192.168.1.1 doesn't exist. Another example here uses the double ampersand, because we want to show packets containing both IP addresses. This one looks for subnets: all packets containing IP addresses from this subnet. Let's take a look at one that's different: here we look using the source port of the TCP protocol, tcp.srcport, meaning we want to look for packets where the TCP source port equals 1234. Here we search using the HTTP response code. There are so many Wireshark filters, depending on the protocol and many other factors, that you can't memorize all of them; that's why it's important to understand the syntax, the comparison operators and the logical operators. Here, as you can see guys, we are searching for packets: first we search HTTP packets and then the ones where the response code equals 200. Here we search using the request method, here the response code. Similarly we can search using the protocol name, SMTP or DNS. This one here, dns.flags.
response equal to zero here we look to show the DNS requests similarly if we want to show the DNS responses we're going to replace zero with one these are the DB for filters if you want to uh filter packets using this protocol you can use these filters Port destination Port Source Port same for or same with udb you can also search using using the DNS records the quity type one means we are looking for to find DNS queries where the record equals to A and here we're looking to find text records it's going to be qu type equals to6 okay now let's talk about Advanced filtering so there are more advanced filters that we need to know in order to use the filters more efficiently and extract more insights from the packets we have this filter filter name is contains let's have an example let's say I write this filter HTTP do server and then the word contains come here and here that's the word I am looking for so what does that mean it means I want to search the HTTP packets first okay where the server section from the packets equals to Apache or contains the word Apache it will list me all the HTP packets where the server name contains the word Apache here it means I'm looking for the packets containing response responses or packets contain to server as Apache another Advanced filter is the match or matches wait let's take an example everything is best the start it with an example so HTTP do host okay matches comes here and then two double codes PHP and then here we have um say HTML okay what does this filter do first again we we list the HTTP packets and then we are instructing warart to look at the host section of the HTTP packets if the host section or the host the value of the host match keywords such as PHP or HTML it's going to return a response and we have another one it is named as in now I use the in operator here to search inside a specific range or uh scope it's very useful if you want to search through a port range an example is TCP do port and here comes in and 
here we search through a range 80443 8080 so here we list all the TCP packets first okay where the port field have values either eight 443 or 8080 so here as you can see we use the word in to search using ranges it is very similar to for Loops for i n uh 1 2 5 six used in bash scripts it's very similar in concept now let's answer some questions to demonstrate this in a practical fashion investigate the resolved addresses what is the IP address of the host name starts with BBC so go to resolved addresses and from here we can use uh we can search PBC and we can see there is one address that resolves to a name or DNS name that contains the word BBC that's the IP address what is the number of Ip V4 conversations so here we're looking to find or to extract uh information based on the protocol it's going to select the protocol hierarchy you can see the number of packets we want to find out the number of packets for ipv4 protocol you can see they are 81,82 oops nope this is ipv4 ah okay I think I mixed them up it's asking for the conversations not the packets so we're going to go to conversations highlight ipv4 it's very clear that the number is 435 packets hence this is the number how many bytes were transferred from the micro SD Mac address so here we're focusing on a specific endpoint so we're going to go back and select end points ethernet enable name resolution and we're going to search for micro SD let's see here so we have one micr SD and going to see how many bytes were transferred so we have 10,478 packets and the number of bytes is here 74 74k what is the number of IP addresses linked with the Kansas City we are here in the end points are we in the end points yes ipv4 and we want to look for the City information so we can categorize here or sort them and look for cansas the question is how many IP addresses linked with Kansas so 1 2 3 4 which IP address is linked with link as organization and the associate IP address can be found here okay next we're going to 
answer this the task three questions fine what is the most used ipv4 destination address now we want to dig deeper into the details related to the ipv4 so we going to select ipv4 stats and select destinations and ports what is the most used ipv4 destination we're going to sort them by count there is some lag it's still displaying the data okay so when we sort them we have this IP address with 29,38 packets this is our IP address what is the max service request response time of the TNS packets again details pertinent to a specific protocol we're going to find it by clicking on the protocol itself sort and the max is here 0.4 678 what is the number of HTP requests accomplished by this host so we're going to go back and look at hey HTTP specifically we need to look at the load distribution load distribution here we can see the requests made by the host so rad msn.com as you can see here guys we have these hosts B do r a r a and we have also additional ones we have this as well so one with the ip44 and we have with the IP 231 and with the IP 232 but thing is we need only to count the ones that start with r a so going to ignore the b r a going to count R msn.com 15 going to ignore this one I'm going to count this one so 24 + 15 = to 39 okay now we're going to go to packet filtering what is the number of Ip packets fine let's use the filtering now and use IP to search for the IP packets this will display the number of the IP packets under the displayed the bottom tool bar we have displayed equal to 81,82 what is the number of packets with TTL value less than 100 less than 10 so how to conduct this search TTL is part of the IP packet so going to keep here the same IP keyword do TTL going to be less than 10 this will give us the number of packets where TTL is less than 10 they are 66 packets okay what is the number of packets which uses TCP Port 44 44 so TCP do TCP Port equal 4444 and the number of packets is 632 what is the number of HTTP get requests sent to Port 80 so 
we're going to first list the HTP C requests okay where the method is get and then we're going to satisfy another condition these requests need to be sent over Port 80 not uh htps because get request can also be sent over https or Port 443 so here we're going to write the first condition HTTP request method needs to to equal to get that's the first one and then the next condition is TCP Port equal to 80 and now we have 527 Pockets what is the number of type a DNS queries what is the number of type a DNS queries okay so we covered this here so type A we have to type this query so now we are retrieving the type a DNS queries but here this covers the request and response as you can see bottom here the display number of packet is 106 but the answer is way lower than this so so why because here we want to search for the queries so we have to specify whether it is uh uh request or response so you're going to search with let's go back to the filter and grab this query this represents the requests going and so you're looking for DNS type A queries and in the request so when the query or the record type is a it comes as a response so here this needs to be changed to one to represent DNS responses and now the number matches 51 buckets now to advance filtering questions okay find all Microsoft I servers okay let's first find the Microsoft is servers in the HTTP going to need to search in HTP packets do server and then the advanced operant is contains the word IIs that's the first one now we found all the packets where the server is I next what is the number of packets that did not originate from Port 80 meaning the source Port was not 80 so how to write this TCP do Source Port okay not equal to 80 but we have a problem here because as you can see the display bar is red meaning there is a problem because we're using a depreciated term operant we're going need to change this so let's say becomes like this equal to 80 and then between two parentheses we're going to do it like 
this still not resolved Source Port equal to 80 and HTTP server contains okay so here we have the condition needs to be and and now it worked so this query is we want to look for the packets where the server contains the word I meaning we're looking for servers uh that use the I software to serve the web pages and the source Port needs to be not equal to 80 let's see here how many packets we have that satisfy this condition and we have 21 packets find all Microsoft I servers what is the number of packets that have version 7.5 okay now let's go sometimes we cannot find the exact query we want to use or the exact attribute that we need to use here we want to use the attribute an attribute that response to a version let's take a look at a sampled packet here and see if there is um yeah so as you can see in the server attribute here of the packet it contains version information so we can use this attribute in the query to filter for the required version the required version needs to 7.5 so the query here becomes like this we're going to move this part or keep the end and here HTTP do server using the server attribute from here and then the C attribute matches matches 7.5 how many packets we have 71 indeed we have 71 what is the total number of packets that use ports or that use these Sports here we're going to use the operant in because we're looking to find packets uh in a Range that say that satisfy a range so here we're going to say TCB port in and type in our Range four threes separated by a space not by a comma four fours and four nines we have 2 2235 packets what is the number of packets with even TTL numbers okay now here we can again use the um word string or the keyword string the string keyword here would convert whatever it comes between the parenthesis okay we'll convert into a string here we're looking to convert a TTL value okay into a string so ip. 
TTL okay that's the first part of the string or or the filter and then we're going to use matches now for even numbers and then then we have to write 02 4 6 8 this will correspond to even numbers for odd numbers let's see where is the formula for the odd numbers now this is for as you can see this is for even numbers for odd numbers we can use this okay what is the number of buckets answer this change the profile to check some control what is the number of bad TCB check some packets in order to change the current profile we going to have to go to edit configuration profiles and select the checkm profile now we loaded up the checkm profiles which will show us all the packets that failed the checksums we want we want to filter for the bad check sums in order to do that we're going to write a specific or custom query that corresponds to TCB do check sum okay status equal to zero which will show us all the packets that failed the uh check sum they are 34,1 185 and the last question here about advanced filter is use the existing profile use the existing filtering button to filter the traffic okay this is the filter button by the way what is the number of displayed packets so we're going to click on this button and show the displayed packets number and they are 261 okay guys that was it for wire shark now in the next video we're going to take live examples by analyzing different sorts of traffic this video was a complete guide for uh those who want to get started in the next video we're going to take examples of different sorts of traffic and security scenarios
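The filter semantics the video walks through (==, the deprecated != against a field such as ip.addr that occurs twice in a packet, the !(... == ...) alternative, contains, matches, in and string()) as an added Python example. This is my own approximation of how Wireshark evaluates those display filters, not code from the video or the TryHackMe room; the packets are constructed and every helper name is hypothetical.

```python
import re
# Constructed sample packets (not the video's pcap): Wireshark field names -> values.
PACKETS = [
    {"ip.src": "10.10.10.1", "ip.dst": "10.10.10.2", "ip.ttl": 64, "tcp.srcport": 1234,
     "tcp.dstport": 80, "http.request.method": "GET"},
    {"ip.src": "10.10.10.2", "ip.dst": "10.10.10.1", "ip.ttl": 128, "tcp.srcport": 80,
     "tcp.dstport": 1234, "http.response.code": 200, "http.server": "Apache/2.4.57"},
    {"ip.src": "10.10.10.3", "ip.dst": "10.10.10.2", "ip.ttl": 7, "tcp.srcport": 8080,
     "tcp.dstport": 4444, "http.response.code": 404, "http.server": "Microsoft-IIS/7.5"},
    {"ip.src": "192.168.1.1", "ip.dst": "10.10.10.1", "ip.ttl": 63, "dns.flags.response": 1,
     "dns.qry.type": 1},
    {"ip.src": "10.10.10.1", "ip.dst": "192.168.1.1", "ip.ttl": 64, "dns.flags.response": 0,
     "dns.qry.type": 1},
]
# ip.addr and tcp.port occur twice per packet; that is why "!=" and "!(... == ...)" differ.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

def vals(pkt, field):
    """Every value the field takes in the packet (empty list if the field is absent)."""
    return [pkt[n] for n in ALIASES.get(field, (field,)) if n in pkt]

def eq(p, f, v):       return v in vals(p, f)                       # f == v  (any occurrence)
def any_ne(p, f, v):   return any(x != v for x in vals(p, f))       # f != v  (deprecated form)
def all_ne(p, f, v):   return not eq(p, f, v)                       # !(f == v)
def lt(p, f, v):       return any(x < v for x in vals(p, f))        # f < v
def contains(p, f, s): return any(s in str(x) for x in vals(p, f))  # f contains "s"
def matches(p, f, rx): return any(re.search(rx, str(x), re.I) for x in vals(p, f))  # f matches "rx"
def in_set(p, f, s):   return any(x in s for x in vals(p, f))       # f in {a b c}

# Display filters from the video, expressed with the helpers above; string(ip.ttl) is the str() in matches().
FILTERS = {
    'ip.addr == 10.10.10.1':             lambda p: eq(p, "ip.addr", "10.10.10.1"),
    'ip.addr != 10.10.10.1':             lambda p: any_ne(p, "ip.addr", "10.10.10.1"),
    '!(ip.addr == 10.10.10.1)':          lambda p: all_ne(p, "ip.addr", "10.10.10.1"),
    'http.request.method == "GET" && tcp.port == 80':
        lambda p: eq(p, "http.request.method", "GET") and eq(p, "tcp.port", 80),
    'http.server contains "IIS" && !(tcp.srcport == 80)':
        lambda p: contains(p, "http.server", "IIS") and all_ne(p, "tcp.srcport", 80),
    r'http.server matches "7\.5"':       lambda p: matches(p, "http.server", r"7\.5"),
    'tcp.port in {80 443 8080}':         lambda p: in_set(p, "tcp.port", {80, 443, 8080}),
    'ip.ttl < 10':                       lambda p: lt(p, "ip.ttl", 10),
    'string(ip.ttl) matches "[02468]$"': lambda p: matches(p, "ip.ttl", "[02468]$"),
    'dns.flags.response == 0 && dns.qry.type == 1':
        lambda p: eq(p, "dns.flags.response", 0) and eq(p, "dns.qry.type", 1),
}

def count(filter_text):
    """Number of sample packets Wireshark would display for the given filter."""
    return sum(1 for p in PACKETS if FILTERS[filter_text](p))
```

Calling count('ip.addr != 10.10.10.1') returns 5 while count('!(ip.addr == 10.10.10.1)') returns 1, which is the trap the video points at: the deprecated form matches whenever either address differs, so it is not the complement of ==.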
Info
Channel: Motasem Hamdan
Views: 1,013
Id: 8mSeMBeSaUk
Length: 77min 13sec (4633 seconds)
Published: Mon Jan 22 2024